Foundation Summary
The "Foundation Summary" section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each "Foundation Summary" section before taking the exam.
The following three components are the major networked devices that can be used within the small SAFE network:
- ISP router
- Cisco IOS Firewall router
- PIX Firewall
Technically, the ISP router is not part of the small network design, but it plays a major role in the overall design. In some circumstances its functionality can be integrated into the Cisco IOS Firewall router, eliminating the separate ISP router from the design. The primary purposes of the ISP router are to provide the following:
- Connectivity from the small network to a provider's network
- Mitigation of DDoS attacks and IP address spoofing attacks
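The following ISP router configuration is an added example of the two functions just listed; it is not taken from the chapter or from Cisco's SAFE reference configurations. Its addressing plan is constructed: the small network is assumed to own 192.0.2.0/24 and to be reached over Serial0/0, the upstream Internet is assumed to be on FastEthernet0/0, and the interface addresses, access-list numbers and rate-limit values are all assumptions.

```cisco
! ISP router: anti-spoofing filters and rate limiting (added example, assumed addressing)
!
! Packets arriving from the small network may only carry source addresses from
! the block assigned to it (RFC 2827 style filtering); anything else is spoofed.
ip access-list extended FROM-CUSTOMER
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! Packets arriving from the Internet must not claim a private, loopback,
! or customer-owned source address.
ip access-list extended FROM-INTERNET
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
! Classifiers for committed access rate (CAR) limiting toward the customer:
! ICMP floods and TCP SYN floods are capped, other traffic is unaffected.
access-list 150 permit icmp any any
access-list 151 permit tcp any any syn
!
interface FastEthernet0/0
 description Upstream Internet link (assumed)
 ip address 203.0.113.1 255.255.255.0
 ip access-group FROM-INTERNET in
!
interface Serial0/0
 description Link to the small network (assumed)
 ip address 198.51.100.1 255.255.255.252
 ip access-group FROM-CUSTOMER in
 ! 8 kbit/s for ICMP, 64 kbit/s for TCP SYN; burst sizes are in bytes (assumed values)
 rate-limit output access-group 150 8000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 151 64000 8000 8000 conform-action transmit exceed-action drop
!
! Static route to the customer block over the serial link (assumed)
ip route 192.0.2.0 255.255.255.0 198.51.100.2
```

Two points to keep in mind when adapting this: the `syn` keyword matches every packet with the SYN flag set, SYN-ACK replies to the customer's own outbound connections included, so the rate for access list 151 must leave room for normal connection setup; and the `log` keyword on the final deny entries is useful for spotting spoofing attempts but should be rate-limited or removed on a busy link, because logging every dropped packet is itself a load on the router.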
The Cisco IOS Firewall router provides all the required functionality of the small network in a single device that includes the following:
- A stateful firewall
- IDS services
- Filtering
- WAN connectivity
The primary features and configuration examples presented in this chapter include
- Cisco IOS Firewall configuration
- IDS configuration
- VPN configuration
- Internal traffic filtering
- Public services traffic filtering
- Public traffic filtering
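The configuration below is an added example showing how the four IOS Firewall functions listed above (stateful inspection, IDS, filtering of the inside, public services and outside interfaces, and NAT toward the WAN) fit together on one router; it is not the chapter's own configuration. Interface names, addresses and the service offered on the public host are assumptions: Serial0/0 is the outside link at 198.51.100.2/30, FastEthernet0/0 is the inside user segment 10.1.1.0/24, and FastEthernet0/1 is a public services segment 192.0.2.0/28 with a web and mail host at 192.0.2.10.

```cisco
! Cisco IOS Firewall router: CBAC, IDS and per-interface filtering (added example)
! Assumed topology:
!   Serial0/0        outside,          198.51.100.2/30
!   FastEthernet0/0  inside users,     10.1.1.0/24
!   FastEthernet0/1  public services,  192.0.2.0/28, web/mail host 192.0.2.10
!
! --- Stateful inspection (CBAC): sessions leaving the outside interface are
!     tracked and only their return traffic is opened through OUTSIDE-IN
ip inspect audit-trail
ip inspect name SMALL-FW tcp
ip inspect name SMALL-FW udp
ip inspect name SMALL-FW ftp
ip inspect name SMALL-FW smtp
!
! --- IDS: alarm on informational signatures; alarm, drop and reset on attack signatures
ip audit notify log
ip audit name SMALL-IDS info action alarm
ip audit name SMALL-IDS attack action alarm drop reset
!
! --- NAT for the inside users toward the WAN (assumed overload on the outside address)
access-list 10 permit 10.1.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0/0 overload
!
! --- Public traffic filtering (outside interface, inbound)
ip access-list extended OUTSIDE-IN
 remark anti-spoofing: outside packets must not claim private, loopback or local sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.15 any
 remark only the published services on the public host
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.10 eq smtp
 remark ICMP needed for path MTU discovery and error reporting
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 deny   ip any any log
!
! --- Public services traffic filtering (public segment, inbound): the host may
!     answer and may originate mail and DNS, but must not open sessions inward
ip access-list extended PUBLIC-IN
 permit tcp host 192.0.2.10 any established
 deny   ip any 10.1.1.0 0.0.0.255 log
 permit tcp host 192.0.2.10 any eq smtp
 permit udp host 192.0.2.10 any eq domain
 deny   ip any any log
!
! --- Internal traffic filtering (inside segment, inbound): only packets with a
!     valid inside source address may leave the user segment
ip access-list extended INSIDE-IN
 permit ip 10.1.1.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Outside (assumed)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect SMALL-FW out
 ip audit SMALL-IDS in
!
interface FastEthernet0/1
 description Public services segment (assumed)
 ip address 192.0.2.1 255.255.255.240
 ip access-group PUBLIC-IN in
!
interface FastEthernet0/0
 description Inside (assumed)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE-IN in
```

The `established` entry in PUBLIC-IN only checks the TCP ACK or RST bits, so a compromised public host could still send ACK-flagged packets toward the inside; if that matters, apply a second `ip inspect` rule set on FastEthernet0/0 for inside-to-public sessions and drop the `established` line. Verify the stateful behaviour with `show ip inspect sessions` while an inside host browses, and the IDS with `show ip audit statistics`.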
When a PIX Firewall is used in the standalone small network model, WAN connectivity is provided by an ISP-supplied device. The primary features and configuration examples of the PIX Firewall covered in this chapter include
- Outside interface filtering
- Inside interface filtering
- DMZ interface filtering
- IDS configuration
- VPN configuration
If the small network is a branch of a larger network, its implementation differs slightly from the standalone design. The differences are as follows:
- Corporate resources are normally centralized at the corporate headquarters, so a local public services segment is redundant; all related configuration is removed in this case.
- Site-to-site connectivity between offices is provided by GRE tunnels protected by IPSec. This requires amending the cryptographic parameters to use IPSec transport mode (IPSec protects the GRE packets between the two tunnel endpoints rather than the original traffic) and modifying the associated filtering so that the tunnel traffic is permitted.
- Remote users normally terminate their VPN sessions at the corporate headquarters rather than at the small network; all related configuration is removed in this case.
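The branch-office changes described above, as an added example on the Cisco IOS Firewall router (not the chapter's own configuration): a GRE tunnel to headquarters encrypted by IPSec in transport mode, with the outside filtering reduced to what the tunnel needs once the public services and remote-user configuration are gone. The addresses are assumptions: the branch's outside address is 198.51.100.2 on Serial0/0, the headquarters peer is 203.0.113.10, the tunnel uses 10.255.0.0/30, and the corporate networks are 10.0.0.0/16. The pre-shared key is a placeholder.

```cisco
! Branch variant: GRE tunnel to headquarters protected by IPSec transport mode
! (added example, assumed addressing and placeholder key)
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! placeholder secret; use a strong, unique key per peer
crypto isakmp key BranchSharedSecret address 203.0.113.10
!
! Transport mode: the GRE packet keeps its own IP header and ESP is inserted
! behind it, so no second outer header is added by IPSec
crypto ipsec transform-set BRANCH-TS esp-3des esp-sha-hmac
 mode transport
!
! Only GRE between the two tunnel endpoints is encrypted; everything the
! tunnel carries rides inside those GRE packets
ip access-list extended GRE-TO-HQ
 permit gre host 198.51.100.2 host 203.0.113.10
!
crypto map BRANCH-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set BRANCH-TS
 match address GRE-TO-HQ
!
interface Tunnel0
 description GRE to headquarters (assumed)
 ip address 10.255.0.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.10
!
! Outside filtering amended for the tunnel: the headquarters peer may send
! ISAKMP, ESP and (the decrypted) GRE; the public services entries of the
! standalone design are gone because that segment no longer exists
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.10 host 198.51.100.2 eq isakmp
 permit esp host 203.0.113.10 host 198.51.100.2
 permit gre host 203.0.113.10 host 198.51.100.2
 permit icmp any any packet-too-big
 deny   ip any any log
!
interface Serial0/0
 description Outside (assumed)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map BRANCH-MAP
!
! Corporate networks are reached through the tunnel, never in the clear
ip route 10.0.0.0 255.255.0.0 Tunnel0
```

The `permit gre` entry is required because the decrypted GRE packet is evaluated against the inbound access list again after IPSec processing; without it the tunnel negotiates successfully but carries nothing. On IOS releases earlier than 12.2(13)T the crypto map must also be applied to the Tunnel0 interface, not only to Serial0/0. Confirm the result with `show crypto ipsec sa` (the SA's local and remote identities should be the two endpoint hosts with protocol GRE) and `show interfaces Tunnel0`.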