
Module 2: Configure Network Intrusion Detection and Prevention


1 Network Security 2, Module 2: Configure Network Intrusion Detection and Prevention

2 Module 2: Configure Network Intrusion Detection and Prevention
Lesson 2.1 Cisco IOS Intrusion Prevention System

4 Traditional network design uses a three-layer hierarchical model. The model provides a modular framework that allows flexibility and makes implementation and troubleshooting easy. This graphic shows how the hierarchical model divides networks or their modular blocks into the access, distribution, and core layers. Each layer has specific features:

Access layer: The access layer grants local or remote users access to network devices. In a networked campus, the access layer most often uses switched LAN devices with ports that provide connectivity to workstations and servers. In the WAN environment, the access layer at remote sites provides access to the corporate network across WAN technology.

Distribution layer: The distribution layer aggregates the wiring closets using switches to segment workgroups and isolate network problems in a campus environment. Similarly, the distribution layer aggregates WAN connections at the edge of the campus and provides policy-based connectivity.

Core layer: The core layer or backbone design switches packets as fast as possible. Because the core layer is critical for connectivity, this layer must provide a high level of availability and adapt to changes very quickly.

Network designers can apply the hierarchical model to any network type, including LANs, WANs, wireless LANs (WLANs), metropolitan-area networks (MANs), and virtual private networks (VPNs), and to any modular block of the Cisco networking model.

6 The hierarchical layered approach to network design divides networks into access, distribution, and core layers. This approach treats the campus and the WAN as separate entities. However, over the years, enterprise networks have become more critical to business operations and their structures are more complex. The Cisco Enterprise Architecture, shown, integrates the entire network—campus, data center, branches, teleworkers, and WAN. This integration provides secure access to all tools, processes, and services across all sectors of the company. Cisco Enterprise Architecture helps companies protect, optimize, and grow their infrastructure to support business processes. From an information technology (IT) staff point of view, the model facilitates planning, designing, implementing, operating, and troubleshooting (PDIOT) networks by focusing on network elements and on relations between those elements.

13 A company with multiple sites that vary in size needs a remote network to connect the various locations to each other. In such a network, a large central site is often the corporate headquarters or a major office. Regional offices, small offices/home offices (SOHOs), and mobile workers may need to connect to the central site for data and information. Because users may access the central site via multiple WAN technologies, it is important that the central site accommodate many types of WAN connections from remote locations. The central site is often referred to as headquarters, the enterprise, or the corporate site. Remote locations include these sites:

Branch office: The branch office generally accommodates employees who have a reason to be located away from the central site. A regional sales office is an example. Branch office users must be able to connect to the central site to access company information. Remote site and remote office are other names for a branch office. Branch offices can benefit from high-speed Internet access, virtual private network (VPN) connectivity to corporate intranets, telecommuting capabilities for work-at-home employees, video conferencing, and economical public switched telephone network (PSTN)-quality voice and fax calls over the managed IP networks.

SOHO and teleworker sites: The SOHO has a small office with one to several employees or is the home office of a telecommuter. Telecommuters may also be mobile users; that is, users who need access while traveling or who do not work at a fixed company site. Depending on the amount of use and the WAN services available, telecommuters working from home tend to use a dialup connection and broadband services.

Mobile worker sites: Mobile users tend to access the company network using an asynchronous dialup connection through the telephone company or access the corporate intranet using broadband Internet service and the VPN client software on their laptops.

Teleworkers working from home can also use a VPN tunnel gateway router for encrypted data and voice traffic to and from the company intranet. These solutions provide simple and safe access for branch offices or SOHOs to the corporate network site according to the needs of the users at the sites.

14 Typical considerations for setting up a remote-site WAN connection include:

Multiple access options: Remote users connect to the branch site using various media. Branch site WANs must allow for multiple media options and simultaneous access by multiple users. The branch office must also have connectivity to the central or small home/small office (SOHO) site. Although a remote site may have a variety of equipment, the site does not require the same level of complexity as the central site requires. Examples of WAN technologies that are used to connect a remote site to the central site include:
- Leased line
- Broadband services (cable or DSL)
- Multiprotocol Label Switching (MPLS)
- Frame Relay
- Virtual private network (VPN)
- ISDN (still in use but becoming a legacy technology)

Cost: Depending on the traffic types and connectivity requirements, designers typically consider various connectivity options, including permanent or on-demand, public and private networks, and other options as required.

Access control: To prevent unauthorized traffic, routers and firewalls use a set of rules that permit or deny certain traffic. IT staff apply access control to router interfaces and configure them to control which data sessions pass and which sessions fail.

Secure connectivity: Remote sites and mobile workers can gain secure access to corporate intranets by using VPN solutions, such as IPsec VPN or MPLS VPN.

Authentication: The remote site must be able to authenticate itself to the central site.

Redundancy: In internetworking, duplicate devices, services, or connections can perform the work of original devices, services, or connections in the event of a failure. Branch offices typically require more redundancy than SOHOs or mobile teleworkers.

Infrastructure availability: Service providers may not offer certain WAN services in some regions. This consideration generally becomes more critical as sites are set up in more remote locations.

15 This topology shows an example of a converged network with integrated services. Many companies have upgraded their remote connections from modems and dial-up access to digital subscriber line (DSL) and cable as advanced physical layer technologies. They also use MPLS VPNs and IPsec VPNs as two of the advanced secured connectivity technologies. Broadband technology uses existing telephone and cable television infrastructures to provide high-speed access to the Internet. Generally, a speed of 128 kbps is adequate for most users. However, while there is no universal definition of broadband, Cisco uses the U.S. Federal Communications Commission (FCC) definition of advanced telecom or high speed as 200 kbps or greater. Broadband allows remote office staff and SOHO users to connect to the central site at higher data rates than are available with traditional on-demand technologies. High-speed broadband access to the Internet through a broadband point of presence (PoP) and then to corporate networks using secure VPNs is a reality for many users in the networked world today. This broadband access has the potential to improve employee productivity and to provide a foundation for new voice and video business services over the Internet. Many corporations and educational institutions have instituted broadband solutions for access by suppliers, customers, and staff. The use of the Internet for secure site-to-site connectivity using VPNs is increasing, especially for less critical traffic.

16 The Cisco vision of the future IIN encompasses these features:

Integration of networked resources and information assets that have been largely unlinked: The modern converged networks with integrated voice, video, and data require that Information Technology (IT) departments more closely link the IT infrastructure with the network.

Intelligence across multiple products and infrastructure layers: The intelligence built into each component of the network is extended network-wide and applies end-to-end.

Active participation of the network in the delivery of services and applications: With added intelligence, the IIN makes it possible for the network to actively manage, monitor, and optimize service and application delivery across the entire IT environment.

With the listed features, the IIN offers much more than basic connectivity, bandwidth for users, and access to applications. The IIN offers end-to-end functionality and centralized, unified control that promotes true business transparency and agility.

17 Cisco SONA is an architectural framework that guides the evolution of enterprise networks to an IIN. The Cisco SONA framework provides several advantages to enterprises, such as the following:
- Outlines the path towards the IIN
- Illustrates how to build integrated systems across a fully converged IIN
- Improves flexibility and increases efficiency, which results in optimized applications, processes, and resources

18 The Cisco SONA framework shows how integrated systems can both allow a dynamic, flexible architecture and provide for operational efficiency through standardization and virtualization. It brings forth the notion that the network is the common element that connects and enables all components of the IT infrastructure. Cisco SONA outlines these three layers of the IIN:

Network infrastructure layer: This layer is where all the IT resources are interconnected across a converged network foundation. The IT resources include servers, storage, and clients. The network infrastructure layer represents how these resources exist in different places in the network, including the campus, branch, data center, WAN and Metropolitan Area Network (MAN), and teleworker. The objective for customers in this layer is to have anywhere and anytime connectivity.

Interactive services layer: This layer enables efficient allocation of resources to applications and business processes that are delivered through the networked infrastructure. This layer comprises these services:
- Voice and collaboration services
- Mobility services
- Security and identity services
- Storage services
- Computer services
- Application networking services
- Network infrastructure virtualization
- Services management
- Adaptive management services

Application layer: This layer includes business applications and collaboration applications. The objective for customers in this layer is to meet business requirements and achieve efficiencies by leveraging the interactive services layer.

19 Summary

Traditional network design uses a three-layer hierarchical model.

Access layer: The access layer grants local or remote users access to network devices. In a networked campus, the access layer most often uses switched LAN devices with ports that provide connectivity to workstations and servers. In the WAN environment, the access layer at remote sites provides access to the corporate network across WAN technology.

Distribution layer: The distribution layer aggregates the wiring closets using switches to segment workgroups and isolate network problems in a campus environment. Similarly, the distribution layer aggregates WAN connections at the edge of the campus and provides policy-based connectivity.

Core layer: The core layer or backbone design switches packets as fast as possible. Because the core layer is critical for connectivity, this layer must provide a high level of availability and adapt to changes very quickly.

Remote sites include:

Branch office: A remote location that accommodates employees who have a reason to be located away from the central site. A branch office is also called a remote site or remote office.

SOHO site: A small office with one to several employees or the home office of a telecommuter.

Mobile worker sites: Remote locations for mobile users who tend to access the company network using an asynchronous dialup connection or access the corporate intranet using broadband Internet service.

Examples of WAN technologies that are used to connect a remote site to the central site include:
- Leased line
- Broadband services (cable or DSL)
- Multiprotocol Label Switching (MPLS)
- Frame Relay
- Virtual private network (VPN)
- ISDN (still in use but becoming a legacy technology)

Cisco SONA outlines these three layers of the IIN:

Network infrastructure layer: This layer is where all the IT resources are interconnected across a converged network foundation.

Interactive services layer: This layer enables efficient allocation of resources to applications and business processes that are delivered through the networked infrastructure.

Application layer: This layer includes business applications and collaboration applications.

28 Q and A
