I am studying computer science and working as a system engineer / IT consultant. At the moment I am helping a customer (200 employees) to secure his network. He is afraid of attacks from the internet. Especially he is afraid of hackers who could break into the corporate network and steal secret documents like CAD data and then fabricate imitations.
Now I am looking for a design guide which covers all aspects of defending against such threats. The customer has an IDS and a firewall. So I think we should focus more on the security inside the corporate network. My idea is to separate the CAD network from the whole corporate network, using VLANs, port security ...
Because I am new to Cisco there are certainly many more aspects I could consider in making this network more secure. So I am looking for some Cisco design guides or other help to secure this network.
Benjamin, your idea is good if indeed you want to protect the CAD network from the rest. We do the same in isolating one of our departments which holds sensitive servers, thus requiring access which is granted by request; we do this by firewalling it. You could also consider private VLANs. Personally I have not used PVLANs, but from what I have read it has a few limitations, for example PVLAN provides protection at L2, but you can use VACLs in conjunction with PVLANs to truly overcome this limitation, thus providing L3 control when using PVLAN.
We use a PIX 506 for isolating this particular network, a straightforward design with two interfaces inside/outside from within the network. I have been looking into the ASA 5505 to take advantage of the new features in firewall code 7.x/8.x since it provides more flexibility; for example you could provide a timed access-list, which means you can grant a host access to a CAD server and you may choose for the access list to expire in a certain amount of time, say if you want the access-list to last 5 days the ASA firewall will disable the access list. You may want to take a look at the ASA 5500 as well.
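As an added illustration of the two ideas in this reply (PVLAN plus VACL on the access switch, and a time-limited access-list on the ASA that fronts the CAD network), here is a constructed configuration that is not the poster's own. VLAN numbers, port ranges, addresses (10.10.100.0/24 for the CAD segment, 10.10.20.15 for the requesting host) and the time-range dates are placeholders; the ASA part uses pre-8.3 syntax so it applies to the 7.x/8.x code mentioned, and it assumes the ASA's outside interface faces the corporate LAN and its inside interface faces the CAD segment, as in the PIX design described.

```cisco
! ---- Catalyst switch: private VLAN for the CAD segment ----
! Constructed example: VLAN ids, ports and addresses are placeholders.
vlan 100
 name CAD-PRIMARY
 private-vlan primary
 private-vlan association 101
vlan 101
 name CAD-WORKSTATIONS
 private-vlan community
!
! CAD workstations sit in the community VLAN: they may exchange frames with
! each other and with the promiscuous port, and with nothing else at L2.
! Port security pins one MAC per port so a rogue device cannot be plugged in.
interface range GigabitEthernet1/0/1 - 12
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Uplink to the firewall that fronts the CAD segment: the promiscuous port.
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! ---- VACL: L3 control on top of the PVLAN ----
! The PVLAN only decides who may exchange frames; the VACL decides which IP
! flows are allowed inside the primary VLAN at all. 10.10.100.1 is the
! firewall, 10.10.100.10 the CAD file server (both placeholders).
ip access-list extended CAD-ALLOWED
 permit tcp 10.10.100.0 0.0.0.255 host 10.10.100.10 eq 445
 permit udp 10.10.100.0 0.0.0.255 host 10.10.100.1 eq 53
 permit tcp 10.10.100.0 0.0.0.255 host 10.10.100.1 eq 443
ip access-list extended CAD-ANY
 permit ip any any
vlan access-map CAD-VACL 10
 match ip address CAD-ALLOWED
 action forward
vlan access-map CAD-VACL 20
 match ip address CAD-ANY
 action drop
vlan filter CAD-VACL vlan-list 100
!
! ---- ASA (7.x/8.x syntax): temporary access to the CAD server ----
! outside = corporate LAN, inside = CAD segment. The permit line is bound to
! a time-range; once the absolute end time passes the ASA stops matching it,
! and the deny line below it takes over. Dates are placeholders.
time-range CAD-TEMP-5DAYS
 absolute start 08:00 01 June 2009 end 18:00 05 June 2009
!
access-list CORP_TO_CAD extended permit tcp host 10.10.20.15 host 10.10.100.10 eq 445 time-range CAD-TEMP-5DAYS
access-list CORP_TO_CAD extended deny ip any 10.10.100.0 255.255.255.0 log
access-group CORP_TO_CAD in interface outside
```

Two checks worth doing after applying something like this: `show vlan private-vlan` on the switch confirms the primary/community pairing took effect, and `show access-list CORP_TO_CAD` on the ASA shows the time-range entry as inactive once the window has closed, so expiry can be verified rather than assumed. The `log` keyword on the deny line is what makes attempts against the CAD segment visible to the IDS or syslog collector.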
There are entire books dedicated to this subject;-)
There are so many layers to consider. Internal segmentation is one of them, but may do nothing when an internal machine is compromised. Even if well configured (often not the case), a firewall and IDS are pretty much the bare minimum anymore, but perhaps you just didn't mention the other controls.
The firewall should not allow ANY Internet initiated traffic to internal address space. Use a DMZ for that. The IDS must be tuned and monitored, or it's pointless.
I would argue that if your firewall is well configured then the next best step is to take a good look at the security of the workstation environment. There is a definite trend towards attacks targeting end-user machines. Make sure outbound user traffic is limited to only those ports required (80, 443, etc.). Proxy as much outbound user traffic as possible. Make sure there are good patching processes and anti-virus. Consider SMTP/FTP/web gateway anti-virus and/or malware protection and/or URL filtering.
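To make the perimeter advice in the two replies above concrete (no Internet-initiated traffic to internal address space, published services in a DMZ, user egress limited to the required ports and pushed through a proxy), here is a constructed ASA access policy. It is an added example, not the poster's configuration. It assumes three interfaces named outside, dmz and inside, a DMZ addressed directly from 192.0.2.0/24 (documentation range used as a placeholder), an internal range of 10.1.0.0/16, and placeholder hosts: 192.0.2.10 web server, 192.0.2.20 mail relay, 192.0.2.30 outbound proxy on port 3128, 10.1.1.25 internal mail server, 10.1.1.53 internal DNS server. Pre-8.3 syntax is used; ASA ACLs match first-hit, so line order matters.

```cisco
! ---- Perimeter ASA: outside / dmz / inside (constructed example) ----
!
! Outside: only the two published DMZ services are reachable from the
! Internet. Nothing is ever permitted towards 10.0.0.0/8. The explicit
! final deny exists only so that rejected connections are logged.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.20 eq 25
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! DMZ: the mail relay may hand mail to the internal mail server and nothing
! else in the DMZ may open connections into 10.0.0.0/8. The deny towards
! 10/8 is placed BEFORE the "any" permits for the proxy and relay, otherwise
! "permit tcp host 192.0.2.30 any eq 80" would also cover internal hosts.
access-list DMZ_IN extended permit tcp host 192.0.2.20 host 10.1.1.25 eq 25
access-list DMZ_IN extended deny ip any 10.0.0.0 255.0.0.0 log
access-list DMZ_IN extended permit tcp host 192.0.2.30 any eq 80
access-list DMZ_IN extended permit tcp host 192.0.2.30 any eq 443
access-list DMZ_IN extended permit tcp host 192.0.2.20 any eq 25
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Inside: user workstations cannot reach the Internet directly at all; their
! only permitted egress is the proxy in the DMZ. Direct DNS and SMTP are
! limited to the two servers that need them. Everything else is logged and
! dropped, which also catches malware that tries to call home on an
! unexpected port from a compromised workstation.
access-list INSIDE_OUT extended permit tcp 10.1.0.0 255.255.0.0 host 192.0.2.30 eq 3128
access-list INSIDE_OUT extended permit udp host 10.1.1.53 any eq 53
access-list INSIDE_OUT extended permit tcp host 10.1.1.53 any eq 53
access-list INSIDE_OUT extended permit tcp host 10.1.1.25 host 192.0.2.20 eq 25
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

Because the ASA is stateful, return traffic for each permitted connection is allowed automatically; the lists only describe who may initiate. The weak variant of this design is an `INSIDE_OUT` list that ends in `permit ip any any`, which is common and is exactly what lets a compromised workstation reach the Internet on any port; the `deny ip any any log` ending, together with the proxy, is the fix the reply is recommending. `show access-list INSIDE_OUT` reports hit counts per line, which is a quick way to see which rules are actually being used and whether the final deny is seeing traffic that deserves investigation.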