topology and device configurations from routers, switches, firewalls, and IPS devices.
MARS also can model packet flows on the network.
Cisco NAC Manager is an appliance that manages the Cisco NAC servers. NAC Manager
has a web-based interface for managing security policies and online users that
are part of the NAC infrastructure. Cisco NAC Manager acts as an authentication
proxy using Cisco ACS or Microsoft AD.
System Administration Host provides a centralized host used to stage configuration,
software images, and implement network changes.
Network Time Protocol (NTP) server provides time synchronization to NTP clients
such as routers and switches. Time synchronization is crucial in the analysis of event
correlations.
Configuration and Software Archive Host serves as a repository to back up device
configurations and software images.
Security Management Network
The SAFE architecture design incorporates a management network module dedicated to
carrying network management and control plane traffic such as NTP, SSH, SNMP,
TACACS, VPN, syslog, and NetFlow reporting. Two primary technologies are used in the
management module: Cisco IOS routers acting as terminal servers and a management
VLAN or separate network segment. Together, these technologies provide configuration
management to nearly all network devices. The management VLAN provides the primary
access method for devices using SSH and HTTPS. Hardened terminal servers provide console
access and command-line interface (CLI) using reverse Telnet functions. It is a best
practice to configure your network devices to send network management traffic such as
NTP, SSH, SNMP, TACACS, syslog, and NetFlow traffic back to the dedicated network
management VLAN.
Network management can be implemented in both in-band (IB) management and out-of-band
(OOB) management configurations designed to provide secure management of network
devices within the enterprise. OOB management is typically located at the
headquarters and uses dedicated Ethernet ports on the devices connected to the OOB
VLAN or network segment. These Ethernet ports are intended to be used for management
and monitoring functions of the network devices. The OOB management network can be
a separate LAN or an isolated VLAN. In-band management is used for remote
devices such as branch site routers, and access is provided through a firewalled
data path through the core network.
In some cases, console access to the network equipment is needed, and that functionality
can be provided using an OOB console server.
Figure 13-7 illustrates the SAFE management network using both IB and OOB networks
for carrying control and management plane traffic. The firewall controls the security
between the IB and OOB networks.
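The following Cisco IOS configuration is an added example, not a configuration from the book or from Cisco's SAFE reference designs. It shows what the design described above looks like on one device: a dedicated Ethernet port on the OOB management VLAN, every management protocol the text lists (NTP, SSH, SNMP, TACACS+, syslog, NetFlow) sourced from that port so it never rides the production data path, and device access restricted to the management VLAN. The hostname, interface number, the 10.255.0.0/24 management subnet, server addresses and the weak settings shown in comments are all assumptions chosen for illustration.

```cisco
! Added example (not from the original text). Assumed values:
! management VLAN 10.255.0.0/24, OOB port GigabitEthernet0/48,
! NTP 10.255.0.5, syslog/SNMP NMS 10.255.0.20, ACS 10.255.0.30, NetFlow 10.255.0.40
hostname CORE-SW1
ip domain-name example.net
!
! Dedicated OOB management port: carries management and monitoring traffic only.
interface GigabitEthernet0/48
 description OOB management port - management VLAN 10.255.0.0/24
 ip address 10.255.0.11 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
! Only hosts on the management VLAN may reach this device's management plane.
access-list 10 remark management VLAN only
access-list 10 permit 10.255.0.0 0.0.0.255
access-list 10 deny   any log
!
! Weak (do not use): "transport input telnet" with no access-class exposes a
! cleartext CLI to any source that can route to the device.
! Hardened: SSHv2 only, restricted to ACL 10, sourced from the OOB port.
! (Generate the RSA key first from exec mode: crypto key generate rsa modulus 2048)
ip ssh version 2
ip ssh source-interface GigabitEthernet0/48
line vty 0 15
 transport input ssh
 access-class 10 in
 exec-timeout 10 0
!
! HTTPS management only, and only from the management VLAN.
no ip http server
ip http secure-server
ip http access-class 10
!
! AAA via TACACS+ on the ACS host, reached through the OOB port.
aaa new-model
tacacs server ACS-1
 address ipv4 10.255.0.30
 key <SHARED-SECRET-PLACEHOLDER>
ip tacacs source-interface GigabitEthernet0/48
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
! Time sync: required for event correlation on MARS or any SIEM.
ntp server 10.255.0.5
ntp source GigabitEthernet0/48
!
! Syslog to the management network.
logging host 10.255.0.20
logging trap informational
logging source-interface GigabitEthernet0/48
!
! Weak (do not use): "snmp-server community public RO" is readable by anyone.
! Hardened: SNMPv3 authPriv, read-only view, restricted to ACL 10, traps via OOB.
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-RO v3 priv read MGMT-VIEW access 10
snmp-server user nms-user MGMT-RO v3 auth sha <AUTH-PASSWORD-PLACEHOLDER> priv aes 128 <PRIV-PASSWORD-PLACEHOLDER>
snmp-server host 10.255.0.20 version 3 priv nms-user
snmp-server source-interface traps GigabitEthernet0/48
!
! NetFlow export to the collector on the management VLAN.
ip flow-export version 9
ip flow-export destination 10.255.0.40 2055
ip flow-export source GigabitEthernet0/48
```

For the in-band case described above (remote branch routers), the same `source-interface` commands typically reference a loopback interface instead of a dedicated port, and the firewall between the IB and OOB networks is configured to permit only these management protocols from the branch management addresses to the management VLAN hosts. The `deny any log` entry in ACL 10 makes attempts to reach the management plane from outside the management VLAN visible in syslog, which is what a monitoring team wants to see.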