The WAN module in the medium-sized network blueprint is included only when connections to re-mote locations are desired or needed over a private network and QoS requirements cannot be met through the use of IPSec VPNs. Another factor in determining whether a WAN module is needed is the cost of migrating to IPSec VPNs when existing legacy WAN connections exist. The key device in the WAN module is the router, which provides connectivity to the remote locations.
Security in this module is provided through the use of ACLs and additional Cisco IOS security features. Inbound ACLs restrict what traffic is permitted into the medium-sized network Campus module from the remote locations, and outbound ACLs determine what traffic from the medium-sized Campus module is permitted to reach the remote networks. Some of the additional Cisco IOS security features include the firewall feature set, which provides firewall capabilities within the router, inline IDS capabilities, TCP SYN flood attack mitigation, and IPSec VPN tunnel termination.
Foundation Summary 59
Foundation Summary
The “Foundation Summary” section of each chapter lists the most important facts from the chapter.
Although this section does not list every fact from the chapter that will be on your CCSP exam, a well-prepared CCSP candidate should at a minimum know all the details in each “Foundation Summary” section before taking the exam.
The Cisco SAFE Implementation exam uses the SAFE SMR blueprint as the basis of the network design in the exam. The medium-sized network consists of three primary modules:
■ The Corporate Internet module
■ The Campus module
■ The WAN module
Table 4-4 summarizes the various modules in both the medium-sized and small network blueprints.
The SAFE small network blueprint consists of only two modules:
■ The Corporate Internet module
■ The Campus module
Table 4-5 shows the key devices that are used in the Campus module for both small and medium-sized networks.
Table 4-4 SAFE SMR Modules
Module Name
Medium-Sized Network
Blueprint Small Network Blueprint
Campus module X X
Corporate Internet module X X
WAN module X
Table 4-6 lists the key devices that are used in the Corporate Internet module in small and medium-sized networks.
Table 4-5 Key Devices in the Campus Module
Key Devices Functions
Medium-Sized Network
Small Network Layer 2 switch Includes private VLAN support and
provides network access to the end devices
X X
Corporate servers Provide DNS, e-mail, file, and print services to end devices
X X
User workstations Provide data and network services to users
X X
Management hosts Provide management for network devices; typically use SNMP
X X
Layer 3 switch Provides distribution services to the Layer 2 switches and routes production and management traffic within the Campus module
X
NIDS management host Provides alarm aggregation and analysis for all NIDS appliances throughout the Campus and Corporate Internet modules
X
Syslog host Aggregates firewall, router, and NIDS logs
X
Access control server Provides authentication services to network devices such as NASs
X
OTP server Provides for authorization of OTP authentication relayed from the access control server
X
Sysadmin host Provides for configuration, software, and content changes on network devices
X
NIDS appliance Provides for deep packet inspection of traffic traversing various segments of the network
X
Foundation Summary 61
Table 4-6 Key Devices in Corporate Internet Module
Key Devices Functions
Medium-Sized Network
Small Network Hosts for small and
medium-sized networks
DNS Server: Provides authoritative external DNS resolution; relays internal requests to the Internet.
FTP Server: Provides public interface for file exchange between Internet users and the corporate network; can be combined with the HTTP server to reduce cost.
HTTP Server: Provides public information about the enterprise or the organization; can be combined with the FTP server to reduce cost.
SMTP Server: Provides e-mail service for the enterprise by relaying internal e-mail bound for external addresses;
can inspect content as well.
X X
Firewall Provides network-level protection of resources through stateful filtering of traffic. Can provide remote IPSec tunnel termination for users and remote sites. Also provides differentiated access for remote-access users.
X X
ISP router Provides connectivity from the ISP to the network.
X
Dial-in server Authenticates remote dial-in users and terminates their dial-up connection.
X
Layer 2 switches Provides for Layer 2 connectivity within the Corporate Internet module.
Can also provide support for private VLANs.
X
Internal router Provides routing within the module. X NIDS appliance Provides for deep packet inspection of
traffic traversing various segments of the network.
X
continues
The public services segment houses the publicly accessible servers, which provide such services as FTP, DNS, SMTP, and web services, and should be protected using host intrusion detection.
The NIDS appliances are deployed in two locations, allowing for traffic inspection and analysis in two critical junctions of the blueprint:
■ In the public services segment
■ In the internal segment between the firewall’s private interface and the internal router Edge router Provides for connectivity to the
Internet and rudimentary filtering through ACLs.
X X
VPN concentrator Authenticates remote users and terminates their IPSec tunnels.
X Table 4-6 Key Devices in Corporate Internet Module (Continued)
Key Devices Functions
Medium-Sized Network
Small Network
Q&A 63
Q&A
As mentioned in the introduction, “All About the Cisco Certified Security Professional Certification,”
you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in Appendix A.
For more practice with exam-like question formats, including questions using a router simulator and multiple choice questions, use the exam engine on the CD-ROM.
1. What is the purpose of the ISP router in the SAFE medium-sized network blueprint? What features does this device provide for traffic control?
2. What management devices are found in the Campus module of the SAFE medium-sized network blueprint?
3. What are the functions provided by the Layer 3 switch in the medium-sized network Campus module?
4. What is the primary function of the Layer 2 switches in the Campus and Corporate Internet modules of the SAFE design?
5. What is the function of the internal router in the Corporate Internet module of the SAFE medium-sized network blueprint?
6. Where are the NIDS appliances located in the Corporate Internet module of the SAFE medium-sized network blueprint?
7. What are the key network devices in the Corporate Internet module of the SAFE small network blueprint and what are their functions?
8. The firewall in the SAFE medium-sized network blueprint divides the Corporate Internet module into four segments. What are they?
9. What are some of the precautions to take when placing a NIDS appliance outside of the firewall in the Corporate Internet module of the SAFE medium-sized network blueprint?
10. What authentication protocol is recommended at the NAS of the Corporate Internet module in the SAFE medium-sized network blueprint?
Part II covers the following Cisco CSI exam topics:
■ Need for Network Security
■ Network Security Policy
■ Security Wheel
■ Network Attack Taxonomy
■ Management Protocols and Functions