I have been working on Cisco products for a while and have been looking at the direction Cisco is going with network security. I would like to put together some stuff and see what other people on the NPC forums think they should be going to. In the future I would like to see Cisco IOS support some type of host checking or security function in its network devices.
1. When a user connects to the network and has the Host Based IDS loaded, it "checks in" with a master security server (VMS).
2. After this the IOS device verifies with the server that the MAC address on that port has the required security (Host Based IDS) loaded, and it's business as usual for that user.
3. If the user doesn't have the required security for the network, then they are either cut off or assigned to an "unsecured VLAN", or that port is tagged as a possible issue that might not have all the functionality of a secured user. Maybe even at this point give the user the option of loading the HIDS if they "opt in".
4. The VMS servers can also do periodic checks to make sure that someone hasn't shut off the IDS on the host.
5. From the VMS station you can send out alert levels to your network, and if there is a DDoS flooding the network the VMS station can instruct IOS devices to shut off all unsecured hosts and not allow them back on till verified by an administrator.
6. You can even have Trusted Segments of your network that have unrestricted access to, say, the server farms and Untrusted Segments that have access only to limited areas of the network, and do this with dynamic access lists on the Cisco routing and switching devices.
Pull this all into the wireless, VoIP, and VPN security platforms and drive network security for a while like this.
Glad to see other people are thinking about the future of security and how Cisco can take people there!! :-)
Without responding directly to each of the topics, I would prefer to perhaps point you in a direction where you can help drive the future of security with Cisco products. Please use your account team. Your Cisco account team can take these requests and turn them into reality, for those items not already implemented. For the items that are on the horizon, or for more information on what is available to address some of your concerns, they can give you detailed information about the solutions and products.
The account team is a great resource for this and I have seen many new features in Cisco products because of the efforts of customers discussing concerns like these with their local account team.
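A toy model of the six-step host-check proposal in the first post, added here as an illustration of how such a policy engine could fit together. It is not Cisco code, not the poster's code, and does not describe any shipping Cisco feature; the server class, the heartbeat timeout, the VLAN numbers, the address ranges and the interface commands it emits are all assumptions chosen for the example.

```python
"""Toy model of the host-check workflow proposed in the first post.

Added illustration, not Cisco code and not the poster's: a posture server
(the post's "VMS") keeps a table of hosts whose HIDS agent has checked in,
and the access switch asks it what to do with a port. Every name, timeout,
VLAN number and address range below is an assumption.
"""
import time
from dataclasses import dataclass, field

ALLOW = "allow"            # step 2: business as usual on the production VLAN
QUARANTINE = "quarantine"  # step 3: park the port in the "unsecured VLAN"
DENY = "deny"              # step 5: shut the host off until an admin verifies it

PRODUCTION_VLAN = 10       # assumed
UNSECURED_VLAN = 999       # assumed
HEARTBEAT_TIMEOUT = 300    # assumed: seconds of silence before the agent counts as shut off


@dataclass
class HostRecord:
    last_checkin: float
    hids_running: bool


@dataclass
class PostureServer:
    hosts: dict = field(default_factory=dict)        # mac -> HostRecord
    alert_level: int = 0                             # 0 = normal, >0 = network under attack
    admin_cleared: set = field(default_factory=set)  # MACs an administrator verified during an alert

    def checkin(self, mac, hids_running=True, now=None):
        """Step 1 (and step 4): the agent reports in and says whether the HIDS is still running."""
        now = time.time() if now is None else now
        self.hosts[mac.lower()] = HostRecord(now, hids_running)

    def raise_alert(self, level):
        """Step 5: an operator raises the alert level (e.g. a DDoS is flooding the network)."""
        self.alert_level = level

    def clear_host(self, mac):
        """Step 5: an administrator verifies a host so it may come back during an alert."""
        self.admin_cleared.add(mac.lower())

    def is_secured(self, mac, now=None):
        """Steps 2 and 4: known host, agent still alive, agent not switched off."""
        rec = self.hosts.get(mac.lower())
        if rec is None:
            return False
        now = time.time() if now is None else now
        return rec.hids_running and (now - rec.last_checkin) <= HEARTBEAT_TIMEOUT

    def decide(self, mac, now=None):
        """Steps 3 and 5: the verdict the switch applies to the port that learned this MAC."""
        if self.is_secured(mac, now):
            return ALLOW, PRODUCTION_VLAN
        if self.alert_level > 0 and mac.lower() not in self.admin_cleared:
            return DENY, None
        return QUARANTINE, UNSECURED_VLAN


# Step 6: per-segment access control, rendered as IOS extended-ACL text (assumed ranges).
SERVER_FARM = ("10.1.0.0", "0.0.255.255")    # assumed network + wildcard mask
REMEDIATION = ("10.9.0.0", "0.0.0.255")      # assumed: where a quarantined user can fetch the HIDS ("opt in")


def segment_acl(secured):
    """Return the ACL lines for a trusted (secured) or untrusted segment."""
    name = "TRUSTED-SEGMENT" if secured else "UNTRUSTED-SEGMENT"
    lines = [f"ip access-list extended {name}"]
    if secured:
        lines.append(f" permit ip any {SERVER_FARM[0]} {SERVER_FARM[1]}")
        lines.append(" permit ip any any")
    else:
        lines.append(f" permit ip any {REMEDIATION[0]} {REMEDIATION[1]}")
        lines.append(" deny ip any any")
    return lines


def port_config(interface, action, vlan):
    """Interface commands the switch would apply for a verdict (assumed mapping)."""
    cmds = [f"interface {interface}"]
    if action == DENY:
        cmds.append(" shutdown")
    else:
        acl = "TRUSTED-SEGMENT" if action == ALLOW else "UNTRUSTED-SEGMENT"
        cmds.append(f" switchport access vlan {vlan}")
        cmds.append(f" ip access-group {acl} in")
        cmds.append(" no shutdown")
    return cmds


if __name__ == "__main__":
    srv = PostureServer()
    srv.checkin("00:11:22:33:44:55", now=1000.0)
    print(srv.decide("00:11:22:33:44:55", now=1100.0))   # ('allow', 10)
    print(srv.decide("00:11:22:33:44:55", now=1500.0))   # ('quarantine', 999): heartbeat expired
    srv.raise_alert(1)
    print(srv.decide("aa:bb:cc:dd:ee:ff", now=1100.0))   # ('deny', None): unknown host during an alert
```

The check-in timestamp is what makes step 4 work: a host whose agent was killed simply stops reporting, so the next switch query after `HEARTBEAT_TIMEOUT` lands it in the unsecured VLAN without the server having to poll it. Note that the decision is keyed on the MAC address the switch learned on the port, exactly as the post proposes, which is only as strong as the switch's confidence in that MAC; a real design would tie the verdict to an authenticated session rather than a spoofable address.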