Hi Fabian,
the recommended way of deploying a VCS-E is to ensure that the management services of the VCS-E (http, https, ssh, telnet etc) are not directly accessible from public networks. This is normally achieved by placing a firewall in front of the VCS-E blocking off access to the ports associated with these management services.
Additionally, the VCS-E supports being deployed in a private DMZ with a private IP address (With the use of the 'Dual network interfaces' option key) using static NAT, which will further help protect the VCS from unauthorised outside access
NAT itself is not a real security measure but deploying the VCS using static NAT means that you will have a router/firewall in front of the VCS-E which will enable you to block access to your VCS-E for http, https,ssh and so forth from public networks.
Another thing worth noting is that for the upcoming X7.2 release for the VCS, we are looking at including a basic built-in firewall on the VCS itself which could also be used to only permit access to certain services from certain hosts or subnets. It is however not currently certain whether or not this feature will actually make it into X7.2, so you will just have to wait and see.
Finally, even if/when the VCS(-E) has built-in firewall capabilities, we would always recommend having a dedicated firewall protecting the VCS(-E) from unauthorised external user access from public networks whenever possible.
Hope this helps!
- Andreas
.jpg "Cisco Employee"){kind=icon}
