1:
| What is the purpose of the Cisco IOS router/firewall in the Management module of the SAFE Enterprise blueprint? |
A1:
| The primary role of the Cisco IOS router/firewall in the Management module is to provide the filtering of traffic from the rest of the enterprise blueprint modules. It allows syslog information to flow back to the syslog management hosts, and also Telnet, SNMP, and SSH, if these protocols are initiated from inside the Management module. |
2:
| What function do the terminal servers provide in the Management module? |
A2:
| The terminal servers are Cisco IOS routers that use reverse Telnet to provide access to the console of other network devices throughout the blueprint. This provides for secure, out-of-band communication with routers, firewalls, switches, and other network devices in the design. Additionally, access to the console port provides for access to the ROM monitor mode of these devices, in case a problem arises that requires "near-physical" access. |
3:
| Name two methods of managing devices in the SAFE Enterprise blueprint. What are their benefits and drawbacks? |
A3:
| The two methods of managing devices in the SAFE Enterprise blueprint are in-band and out-of-band management. In-band management utilizes communication channels over the managed network. These channels should be encrypted using either IPSec, SSH, or some other encrypted means. Out-of-band management provides for secure access to a dedicated device interface that is not accessible from the managed network. This could be through the use of console terminal servers to access serial consoles on devices or through a dedicated network interface that is on a separate IP network. The main benefit of in-band management is simplicity. The primary drawback is the use of the managed IP network as a transport medium. The benefits of out-of-band management are assured security and, in the case of serial consoles, access to the device ROM/BIOS modes for "near-physical" access. The primary drawback of an out-of-band network is the need for a separate IP address space/network. |
4:
| What is the primary function of the Layer 3 switches in the Building Distribution module? |
A4:
| The primary function of the Layer 3 switches is to provide wire-rate filtering of traffic for access control and switching. This access control can prevent unwanted access to sensitive data by unauthorized individuals and provide antispoofing capabilities within the network infrastructure. Additionally, the switches provide for isolation of Voice over IP (VoIP) traffic by defining dedicated voice VLANs that route voice traffic to the CallManager. |
5:
| What are the three layers of the E-Commerce module, and how is traffic controlled between them? |
A5:
| The E-Commerce module is subdivided into three components: web servers, application servers, and database servers. Traffic among the various layers is enforced through the policies configured on the firewall pairs. Similarly, the firewalls enforce the communication outbound from the various layers. For example, typically the database servers and the application servers do not need to browse the Internet. As such, only approved communications outbound from the database or application servers to the application or web servers, respectively, are allowed through the firewalls. |
6:
| What are some of the key security devices located in the E-Commerce module of the SAFE Enterprise blueprint, and what are their functions? |
A6:
| The key security devices located in the E-Commerce module of the SAFE Enterprise blueprint are given in this table: |

| Key Device | Functions |
|---|---|
| Firewalls | Provide network-level protection of resources through stateful filtering of traffic. Provide traffic negotiation and control among the various layers of the e-commerce design. |
| NIDS appliance | Provides traffic monitoring and attack identification and mitigation. |
| Layer 3 switch with IDS module | Provides stable traffic routing and control, along with up-front attack identification and mitigation. |
7:
| What are the key network devices in the Corporate Internet module of the SAFE Enterprise blueprint, and what are their functions? |
A7:
| The key network devices in this module and their functions are shown in this table: |

| Key Device | Functions |
|---|---|
| Firewall | Provides network-level protection of resources through stateful filtering of traffic. Can provide remote IPSec tunnel termination for users and remote sites. Also provides differentiated access for remote-access users. |
| Layer 2 switches | Provide Layer 2 connectivity within the Corporate Internet module. Also provide support for private VLANs. |
| NIDS appliance | Provides deep packet inspection of traffic traversing various segments of the network. |
8:
| What sort of filtering is provided by the ISP routers in the Corporate Internet module? |
A8:
| The ISP routers provide egress filtering as specified in RFC 2827 and filtering of RFC 1918 address spaces from the ISP cloud to the Corporate Internet module. |
9:
| What are the access devices in the VPN and Remote Access module, and what are their functions? |
A9:
| The VPN and Remote Access module contains three primary access devices: VPN concentrators, for authenticating and providing access for remote users; VPN routers, to provide site-to-site IPSec VPN connectivity; and dial-in access servers, to provide connectivity for remote users over the PSTN. |
10:
| What authentication protocol is recommended at the network access server (NAS) of the VPN and the Remote Access module in the SAFE Enterprise blueprint? |
A10:
| Authentication using the three-way Challenge Handshake Authentication Protocol (CHAP) and a one-time password is recommended. |
11:
| What is the function of the NIDS director in the Management module? |
A11:
| The NIDS director provides alarm aggregation and analysis for all network IDS appliances throughout the campus and Corporate Internet modules. |
12:
| What protocols are used for remote-access VPN tunnels addressed to the VPN concentrators in the VPN and Remote Access module? |
A12:
| IKE, ESP, and UDP 10000 |
13:
| What is the purpose of the WAN module in the SAFE Enterprise blueprint? |
A13:
| The WAN module is used to provide connections to remote locations or extranet partner networks. Frame Relay encapsulation is used, and traffic is routed between the remote and central sites. |