Security Design Guide

Unanswered Question
Dec 23rd, 2007


I am studying computer science and working as a system engineer / IT consultant. At the moment I am helping a customer (200 employees) to secure his network. He is afraid of attacks from the Internet. Especially he is afraid of hackers who could break into the corporate network and steal secret documents like CAD data and then fabricate imitations.

Now I am looking for a Design Guide which covers all aspects of defending against such threats. The customer has an IDS and a firewall. So I think we should focus more on the security inside the corporate network. My idea is to separate the CAD network from the rest of the corporate network, using VLANs, port security ...

Because I am new to Cisco there are certainly many more aspects I could consider in making this network more secure. So I am looking for some Cisco Design Guides or other help to secure this network.

best regards and merry xmas


JORGE RODRIGUEZ Sun, 12/23/2007 - 07:43

Benjamin, your idea is good if indeed you want to protect the CAD network from the rest. We do the same in isolating one of our departments which holds sensitive servers, thus requiring access which is granted by request; we do this by firewalling it. You could also consider private VLANs. Personally I have not used PVLANs, but from what I have read it has few limitations; for example, PVLAN provides protection at L2, but you can use VACLs in conjunction with PVLANs to truly overcome this limitation, thus providing L3 control when using PVLANs.

We use a PIX506 for isolating this particular network, a straightforward design with two interfaces, inside/outside, from within the network. I have been looking into the ASA5505 to take advantage of the new features in firewall code 7.x/8.x, since it provides more flexibility. For example, you could provide timed access lists, which means you can grant a host access to a CAD server and you may choose for the access list to expire in a certain amount of time; say if you want the access list to last 5 days, the ASA firewall will disable the access list after that. You may want to take a look at the ASA5500 as well.


You may want to check this link; there are several white papers here, and you may find useful design guidelines and tips in protecting your corporate network from within.

Hope I have provided you with useful information.



mhellman Wed, 12/26/2007 - 07:37

There are entire books dedicated to this subject;-)

There are so many layers to consider. Internal segmentation is one of them, but may do nothing when an internal machine is compromised. Even if well configured (often not the case), a firewall and IDS are pretty much the bare minimum anymore, but perhaps you didn't mention the other controls.

The firewall should not allow ANY Internet initiated traffic to internal address space. Use a DMZ for that. The IDS must be tuned and monitored, or it's pointless.

I would argue that if your firewall is well configured then the next best step is to take a good look at the security of the workstation environment. There is a definite trend towards attacks targeting end-user machines. Make sure outbound user traffic is limited to only those ports required (80, 443, etc). Proxy as much outbound user traffic as possible. Make sure there are good patching processes and anti-virus. Consider SMTP/FTP/web gateway anti-virus and/or malware protection and/or URL filtering.

bauti1428 Wed, 12/26/2007 - 09:04

You can also use access lists without the use of a firewall, allowing ONLY the VLAN that has access to the CAD servers and denying the rest.
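The VLAN separation the question proposes, with the access-list approach above and port security on the CAD access ports, as an added Cisco IOS configuration example that is not from this thread. The VLAN numbers, addresses, interface names, syslog host and the assumption that the CAD file server is reached over TCP 445 (SMB) are all constructed.

```cisco
! Assumed addressing (constructed for this example, not from the thread):
!   VLAN 20 = CAD network, 10.10.20.0/24, CAD file server 10.10.20.10
!   VLAN 30 = engineering users, 10.10.30.0/24 (the only VLAN allowed in)
!   CAD file sharing is assumed to use TCP 445 (SMB).
!
vlan 20
 name CAD
vlan 30
 name ENGINEERING
!
! ACL enforced where inter-VLAN traffic enters the CAD VLAN: only the
! engineering VLAN reaches the CAD server, and only on the port it needs;
! every other attempt into the CAD subnet is dropped and logged.
ip access-list extended CAD-PROTECT
 remark engineering VLAN -> CAD file server, SMB only
 permit tcp 10.10.30.0 0.0.0.255 host 10.10.20.10 eq 445
 remark replies to TCP sessions the CAD hosts opened themselves
 permit tcp any 10.10.20.0 0.0.0.255 established
 remark everything else into the CAD subnet is denied and logged
 deny   ip any 10.10.20.0 0.0.0.255 log
!
interface Vlan20
 description CAD network gateway
 ip address 10.10.20.1 255.255.255.0
 ip access-group CAD-PROTECT out
!
! Port security on the CAD access ports: one sticky-learned MAC per port,
! the port err-disables on a second MAC, and trunk negotiation is off so
! a plugged-in device cannot negotiate its way into other VLANs.
interface range GigabitEthernet1/0/1 - 12
 description CAD workstations
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! Ship the ACL deny logs off-box so blocked access attempts are reviewable
! (constructed syslog host address).
logging host 10.10.30.50
```

The ACL is stateless: the `established` line only lets TCP replies back in, so UDP services the CAD hosts need (DNS, NTP) must be permitted explicitly or handled by a stateful firewall as suggested earlier in the thread.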

cisco24x7 Thu, 12/27/2007 - 10:49

1- place a firewall separating the public network and your corp network,

2- place an IDS, SourceFire or Juniper IDP, in-line on the inside interface of the network so you can watch for traffic in and out of your network to/from the Internet,

3- place a layer-2 firewall between your CAD network and everything else on your network. That way, you will not have to redesign your network. A layer-2 firewall will make your network transparent.

4- Export your firewall and IDS logs to Arcsight or NetForensics for real-time
