untrusted. The firewall also performs stateful packet inspection (SPI), which keeps track of the state of each TCP/UDP connection. SPI permits ingress traffic if the traffic originated from a higher security interface, such as the inside.
Cisco Network Admission Control (NAC) Appliance: Protects the network from security threats by enforcing security compliance on all devices attempting to access the network.
802.1X: An IEEE media-level access control standard that permits and denies admission to the network and applies traffic policy based on identity.
Cisco Identity-Based Network Services (IBNS): Based on several Cisco solutions integrated to enable authentication, access control, and user policies to secure network infrastructure and resources.
[Figure 13-2 Cisco Security Control Framework: the Cisco Security Control Framework Model has two halves. Total Visibility (Identify, Monitor, Correlate) covers identifying, monitoring, collecting, detecting, and classifying users, traffic, applications, and protocols. Complete Control (Harden, Isolate, Enforce) covers hardening, strengthening resiliency, limiting access, and isolating devices, users, traffic, applications, and protocols.]
The following sections cover some of these trust and identity technologies in more detail.
Firewall ACLs
Firewalls control access to and from the Internet and provide interaction with customers, suppliers, and employees. But because the Internet is unsecure, firewalls need to use ACLs to permit and deny the traffic flowing through them. Firewalls use security zones to define trust levels that are associated with the firewall's interfaces. For example, the trusted zone is associated with an interface connected to the internal network, and the untrusted zone is associated with an interface connected to the outside of the firewall. Common security zones include the inside, outside, and demilitarized zone (DMZ), but others can be created as needed.
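The zone and SPI rules described above (new flows allowed from a higher-security interface to a lower one, return traffic allowed by connection state, lower-to-higher flows only with an explicit ACL entry) modelled as a small Python policy engine. This is an added illustration, not code from the book or from any Cisco product; the security levels, interface names, and ACL tuple format are assumptions chosen to resemble an ASA-style configuration.

```python
from dataclasses import dataclass, field

# Assumed security levels, ASA style: higher number = more trusted interface.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrives on
    out_if: str   # interface the packet would leave on
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    # Explicit ACL permits for lower-to-higher flows, e.g. outside -> DMZ web server.
    # Entry format (an assumption): (ingress interface, protocol, destination, port).
    acl: set = field(default_factory=set)
    # Connection table of permitted flows, keyed by 5-tuple. Real SPI also tracks
    # TCP handshake state and ages entries out; both are omitted here for brevity.
    conns: set = field(default_factory=set)

    def allow(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. Return traffic of a tracked connection is permitted whatever its direction.
        if reverse in self.conns:
            return "permit-state"
        # 2. A new flow from a higher-security interface to a lower one is permitted
        #    and recorded so its replies can come back in.
        if SECURITY_LEVEL[p.in_if] > SECURITY_LEVEL[p.out_if]:
            self.conns.add(flow)
            return "permit-level"
        # 3. Lower-to-higher traffic needs an explicit ACL permit.
        if (p.in_if, p.proto, p.dst, p.dport) in self.acl:
            self.conns.add(flow)
            return "permit-acl"
        # 4. Everything else is dropped (implicit deny).
        return "deny"


if __name__ == "__main__":
    fw = StatefulFirewall(acl={("outside", "tcp", "203.0.113.10", 443)})  # constructed
    print(fw.allow(Packet("inside", "outside", "tcp", "10.0.0.5", 51000, "198.51.100.7", 80)))
    print(fw.allow(Packet("outside", "inside", "tcp", "198.51.100.7", 80, "10.0.0.5", 51000)))
```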