The document discusses Cisco's modular network architecture and security zoning. The modular architecture divides the network into functional modules like the campus, data center, internet edge, and WAN edge. Each module uses defense in depth with security technologies deployed at multiple layers. Zoning separates the network into logical groups like public, DMZ, and restricted zones to control access according to security policies.


21.1 Planning for Security Services

Introduction 

As a network solutions architect, you need to stay sharp on all your skills. You feel you need
to know more about security services. Your colleague has passed on some documentation
regarding Cisco modular network architecture, security zoning, and Cisco next-generation
security. Go through the documentation to begin updating your knowledge about Cisco
network security.

Choose an option:

- Review one or more topics:
  - Network Security Zoning
  - Cisco Modular Network Architecture
  - Cisco Next-Generation Security
- There is no Challenge for this section. Once you are done with this section, proceed to the next section.

21.2 Planning for Security Services

Network Security Zoning 

To restrict access between different parts of the network, the concept of zoning is used.

Network security zoning concepts:

- Restrict access between different parts of the network to only those flows that are defined by security policy.
- Zone interface points are used to separate zones.
- Examples of the most typical zones:
  1. Public zone
  2. Public access zone
  3. Restricted zone

Zoning is used to mitigate the risk of an open network by segmenting infrastructure services into logical groupings that share the same communication security policies and security requirements. It is a design approach that restricts communication to only those flows that are defined by security policy. Zones are separated by zone interface points. A zone interface point provides the network interface between one zone and another, and it is implemented with network security devices. Each zone interface point can be built from a single component or from a combination of components, such as a firewall combined with an IPS.

Many types of zones can exist in the network. The most typical zones are the following:

- Public zone: This zone is external and not under the control of the organization; the Internet is the usual example. Services that the organization consumes but does not operate are located in this zone.

- Public access zone: This zone hosts the public services of the organization, and it is often called a DMZ. These services can be accessed from the public zone. Typical services are email proxy, web proxy, reverse proxy, remote access, and so on.

- Restricted zone: This zone is internal, and it hosts the most critical data services of the organization. Usually this zone is the most secured zone, and access to it should be limited to the flows that policy explicitly defines.

Note

These are the examples of the most typical zones. Many additional zones can usually exist in
modern networks.

To limit access between zones, network security devices filter traffic at the zone interface points: any flow that the security policy does not explicitly permit between two zones is dropped there. The security policy defines which traffic is allowed and which is not.

21.3 Planning for Security Services

Cisco Modular Network Architecture 

The Cisco modular network architecture positions Cisco products and capabilities throughout
the network and provides collaborative capabilities between the platforms. A wide range of
security technologies is deployed in multiple layers. Products and capabilities are positioned
where they deliver the most value, while facilitating collaboration and operation.

Architecture principles:

- Defense in depth
- Modularity and flexibility
- Service availability and resiliency
- Regulatory compliance
- Striving for operational efficiency
- Auditable implementations
- Global information sharing and collaboration

The Cisco modular network architecture follows these principles:

- Defense in depth: Security is embedded throughout the network by following a defense-in-depth approach. For enhanced visibility and control, a rich set of security technologies and capabilities is deployed in multiple layers and under a common strategy and administrative control.

- Modularity and flexibility: All components are described by functional roles. The overall network infrastructure is divided into functional modules, such as the campus and the data center. Functional modules are then subdivided into more manageable and granular functional layers and blocks, such as the access layer, edge distribution layer, and so on. The modular design adds flexibility, which allows a phased deployment, selection of the best platform for each role, and eventual replacement as technology and business needs evolve. Finally, the modularity also accelerates the adoption of new services and roles.

- Service availability and resiliency: Several layers of redundancy can eliminate single points of failure and maximize the availability of the network infrastructure.

- Regulatory compliance: Security practices and functions that are commonly required by regulations and standards can help to achieve regulatory compliance.

- Striving for operational efficiency: Designs are conceived with simplicity in order to accelerate provisioning and to help troubleshoot and isolate problems quickly, effectively reducing operating expenditures.

- Auditable implementations: The Cisco modular network architecture designs accommodate a set of tools to measure and verify the operation and the enforcement of safeguards across the network.

- Global information sharing and collaboration: Information sharing and collaborative capabilities are available on the products and platforms. Logging and event information that is generated by the devices in the network is centrally collected, trended, and correlated for maximum visibility.

The Cisco modular network architecture consists of several modules:

- Enterprise Core
- Intranet Data Center
- Enterprise Campus
- Enterprise Internet Edge
- Enterprise WAN Edge
- Enterprise Branch
- Management

Each module can be further subdivided into more manageable and granular functional layers
and blocks, each serving a specific role in the network.

There are several design modules:

- Enterprise Core: The core infrastructure is the main part of the network, which connects all other modules. It is a high-speed infrastructure whose objective is to provide reliable and scalable Layer 2 and Layer 3 transport.

- Intranet Data Center: The objective of the Intranet Data Center is to host many systems that serve applications and store significant volumes of data. The data center also hosts the network infrastructure that supports those applications, including routers, switches, load balancers, application acceleration, and so on. The Intranet Data Center is designed to serve internal users and applications.

- Enterprise Campus: The enterprise campus provides network access to users and devices. It may span several floors or buildings in the same geographical location. The Cisco modular network architecture includes a campus design that allows users to securely access any internal or external resource.

- Enterprise Internet Edge: The Internet edge is the part of the network architecture that provides connectivity to the Internet. It includes the public services DMZ, corporate Internet access, and remote-access VPN.

- Enterprise WAN Edge: The WAN edge is the part of the network infrastructure that aggregates the WAN links connecting geographically distant branch offices to a central site or regional hub site. The objective of the WAN is to give users at the branches the same network services that campus users at the central site receive. The Cisco modular network architecture includes a WAN edge design that allows branches and remote offices to communicate securely over a private WAN.

- Enterprise Branch: The branch provides connectivity to users and devices at a remote location. One or more LANs connect to the central site over a private WAN or an Internet connection. The Cisco modular network architecture includes several branch designs that allow users and devices to securely access network services.

- Management: The architecture design includes a management network that combines out-of-band (OOB) and in-band management. The objective of the management network is to carry control and management plane traffic such as NTP, SSH, SNMP, syslog, and so on.

An example of the Cisco modular network architecture is shown in the figure, which illustrates the security technologies and products in a network that is based on the modular network architecture design principles.

The Cisco modular network architecture must include several security zones. Some of the zones and their location within the architecture are described below.

- Public zone: The public zone is the zone outside of the organization and is located in the Enterprise Internet Edge.

- Public access zone: This zone hosts the public services of the organization, and it provides secure access for the enterprise users to the public zone. It is located in the Enterprise Internet Edge.

- Operations zone: This zone hosts support services for internal users and services. The zone is usually located in the Intranet Data Center functional module.

- Restricted zone: This zone hosts the most critical data services, and access should be limited to only the necessary traffic. The zone is located in the Intranet Data Center module.

- Management restricted zone: This zone provides management for the network and other infrastructure. It should be secured to limit access to the management resources. The zone is hosted in the Intranet Data Center module.
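The zoning material in 21.2 and the zone placement list above describe a policy model rather than a device configuration: zones, zone interface points between them, and a security policy that defines the only flows allowed to cross. The following Python model is an added example written for this page; it is not part of the Cisco course material and does not reproduce any Cisco product's logic. The zone names (public, public access, operations, restricted, management restricted) come from the page; the address ranges, the device names `internet-edge-fw` and `dc-fw`, the rules, ports and sample flows are all constructed assumptions. It shows the two checks a reviewer of such a design actually wants: a flow between zones is permitted only if an explicit rule exists at an existing zone interface point (default deny otherwise), and a proposed rule set is rejected if it permits a flow between zones that have no zone interface point, or one that lets the public zone skip the public access zone.

```python
# Zone policy model: default deny at zone interface points. Added example, not
# part of the Cisco course material; the zone names follow the page, everything
# else (addresses, device names, rules, flows) is constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zones named on the page, mapped to constructed address space. "public" is the
# 0/0 catch-all: anything no more specific zone claims is outside the organization.
ZONES = {
    "public": [ip_network("0.0.0.0/0")],
    "public-access": [ip_network("192.0.2.0/24")],  # the DMZ
    "operations": [ip_network("10.10.0.0/24")],
    "restricted": [ip_network("10.20.0.0/24")],
    "management-restricted": [ip_network("10.99.0.0/24")],
}

# Zone interface points: the security device between two zones (unordered pair).
# A pair with no entry has no enforcement point, so no rule can permit it.
ZONE_INTERFACE_POINTS = {
    frozenset({"public", "public-access"}): "internet-edge-fw",
    frozenset({"public-access", "operations"}): "dc-fw",
    frozenset({"public-access", "restricted"}): "dc-fw",
    frozenset({"operations", "restricted"}): "dc-fw",
    frozenset({"management-restricted", "operations"}): "dc-fw",
    frozenset({"management-restricted", "restricted"}): "dc-fw",
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None means any destination port
    name: str

# The security policy: the only inter-zone flows that are defined. Anything else
# is filtered at the zone interface point. SSH originates only from the
# management restricted zone; syslog flows only into it.
POLICY = [
    Rule("public", "public-access", "tcp", 443, "reverse-proxy"),
    Rule("public-access", "operations", "tcp", 8443, "proxy-to-app"),
    Rule("operations", "restricted", "tcp", 5432, "app-to-db"),
    Rule("management-restricted", "operations", "tcp", 22, "mgmt-ssh"),
    Rule("management-restricted", "restricted", "tcp", 22, "mgmt-ssh"),
    Rule("operations", "management-restricted", "udp", 514, "syslog"),
    Rule("restricted", "management-restricted", "udp", 514, "syslog"),
]

def zone_of(addr: str) -> str:
    """Longest-prefix match, so the /0 public zone only catches the leftovers."""
    ip = ip_address(addr)
    best_zone, best_len = "public", -1
    for zone, nets in ZONES.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best_zone, best_len = zone, net.prefixlen
    return best_zone

def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Decide one flow: intra-zone traffic is not filtered; inter-zone traffic is
    permitted only by an explicit rule at an existing zone interface point."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "intra-zone", sz
    device = ZONE_INTERFACE_POINTS.get(frozenset({sz, dz}))
    if device is None:
        return "deny", f"no zone interface point between {sz} and {dz}"
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.proto) == (sz, dz, proto) and r.dport in (None, dport):
            return "permit", f"{r.name} at {device}"
    return "deny", f"default deny at {device} ({sz} -> {dz} {proto}/{dport})"

def lint_policy(policy: List[Rule]) -> List[str]:
    """Design review of a rule set: every permitted inter-zone flow needs a zone
    interface point, and the public zone may only reach the public access zone."""
    problems = []
    for r in policy:
        if r.src_zone == r.dst_zone:
            continue
        if frozenset({r.src_zone, r.dst_zone}) not in ZONE_INTERFACE_POINTS:
            problems.append(f"{r.name}: no zone interface point for {r.src_zone} -> {r.dst_zone}")
        if r.src_zone == "public" and r.dst_zone != "public-access":
            problems.append(f"{r.name}: public zone must not reach {r.dst_zone} directly")
    return problems

if __name__ == "__main__":
    # Constructed sample flows (not from the page): Internet to the DMZ proxy,
    # Internet straight to the database, DMZ skipping the app tier, management SSH.
    for flow in [("198.51.100.7", "192.0.2.10", "tcp", 443),
                 ("198.51.100.7", "10.20.0.5", "tcp", 5432),
                 ("192.0.2.10", "10.20.0.5", "tcp", 5432),
                 ("10.99.0.9", "10.20.0.5", "tcp", 22)]:
        print(flow, "->", evaluate(*flow))
    print(lint_policy(POLICY + [Rule("public", "restricted", "tcp", 5432, "shortcut")]))
```

Two design points carry over to a real deployment. The zone pair lookup is unordered because the zone interface point is a place in the topology, while the rule itself is directional, so an inbound syslog permit never implies an outbound SSH permit. And the "no zone interface point" verdict is distinct from "default deny": the first means the architecture gives the flow no place to be inspected at all, which is a design error to fix in the module layout, not with another ACL line.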

The following products and technologies can provide a secure network design:

- Secure network access: Organizations today use a complex and diverse set of endpoints, both wired and wireless. The endpoints are located in the Enterprise Campus and Enterprise Branch modules of the Cisco modular network architecture. The main objectives of those two functional modules are to provide secure network access and to protect endpoints from data loss, data theft, and privacy invasions.

- VPN technologies: To provide connectivity to the central site, organizations usually use transport such as the Internet or ISP WAN services, which are not trusted. Therefore, VPN technologies must be used to provide secure access to the central site. VPN technologies are mainly used in the Enterprise WAN Edge and Enterprise Branch modules. To allow remote workers to connect to resources within the organization, remote-access VPN technologies are used at the Enterprise Internet Edge.

- Firewalls/IPS: Firewalls and IPS provide access control between different points of the network. These technologies are typically used in the Enterprise Internet Edge to control traffic between different security zones. Firewalls and IPS are also used in the Intranet Data Center to control traffic between the functional blocks of applications and application stacks.

- Infrastructure protection: To provide a high level of security for the organizational network, the infrastructure itself must be protected, and access to the devices must be limited to authorized devices and employees only. Infrastructure protection should be taken into consideration in all functional modules of the Cisco modular network architecture.

- Content and application security: Organizations can be vulnerable to attacks on data and content. Spam, phishing through email, and malicious web content have all been used to give attackers access. To protect users against application layer attacks, an organization should deploy products like email or web security appliances. These devices are usually deployed in the Enterprise Internet Edge module.

- Network and security management: Network and security management tools are usually located in the Management functional module. These tools provide central network and security management and help organizations to automate and simplify network management, reducing operational cost.

21.4 Planning for Security Services

Cisco Next-Generation Security 

To protect against threats, Cisco offers products like the Cisco Adaptive Security Appliance
(ASA) 5500-X Series Next-Generation Firewall and the Cisco FirePOWER Next-Generation
IPS.

Cisco ASA 5500-X Series Next-Generation Firewall main features:

- Stateful firewall with advanced clustering
- Cisco AnyConnect remote access
- Granular Cisco AVC
- Cisco FirePOWER Next-Generation IPS
- URL filtering
- Cisco AMP

The Cisco ASA 5500-X Series Next-Generation Firewall helps you to balance security effectiveness with productivity. The solution offers the following highlighted features:

- Stateful firewall with advanced clustering
- Cisco AnyConnect remote access
- Granular Cisco Application Visibility and Control (AVC) to support more than 3000 application layer and risk-based controls
- Cisco FirePOWER Next-Generation IPS, which provides threat prevention and contextual awareness
- Filters for millions of URLs in more than 80 categories
- Discovery of and protection against advanced malware and threats (Cisco AMP)


The Cisco ASA can be deployed in various ways. The smallest appliance is the Cisco ASA 5506-X for small businesses and small branch offices, and it offers up to 250 Mbps of throughput. The Cisco ASA 5512-X through Cisco ASA 5555-X models are intended for small to medium enterprises, with throughput ranging from 300 Mbps to 1.75 Gbps. The Cisco ASA 5585-X products with the Security Services Processor (SSP) can offer up to 15 Gbps of throughput per device and are intended for large Internet edge and data center networks.

The Cisco FirePOWER Next-Generation IPS solution integrates real-time contextual awareness, full-stack visibility, and intelligent security automation to deliver security, performance, and a lower cost of ownership. Threat protection can be expanded with optional subscription licenses that provide Cisco Advanced Malware Protection (AMP) and Cisco AVC.

The Cisco FirePOWER Next-Generation IPS can be deployed as a physical appliance. The
8000 Series appliances can provide from 15 Gbps to 60 Gbps of IPS throughput, while the
7000 Series can provide from 50 Mbps to 1.25 Gbps of IPS throughput. The Cisco
FirePOWER Next-Generation IPS can also be deployed as a virtual appliance or as an ASA
with FirePOWER Services.
