Network Security Fundamentals [Electronic resources]

Gert De Laet, Gert Schauwers


Security Wheel

Cisco understands the importance of network security and its implications for the critical infrastructures on which developed nations depend. After setting appropriate policies, an organization must methodically consider security as part of normal network operations. This could be as simple as configuring routers not to accept unauthorized addresses or services, or as complex as installing firewalls, intrusion detection systems (IDSs), centralized authentication servers, and encrypted virtual private networks (VPNs). After developing a security policy, you can secure your network using a variety of products. Before you can secure your network, however, you need to combine your understanding of users, the assets needing protection, and the network topology. The process of developing and securing your network can be illustrated in a diagram like Figure 5-3, called a security wheel.

Figure 5-3 shows that network security is a continuous process built around a security policy. Securing your network is like a never-ending story. Security improvements are always necessary. Hackers continually find new ways to attack your network.

Let's look at Figure 5-3 more carefully. In the Secure phase shown in the figure, the person or department responsible for an organization's security implements security solutions to stop or prevent unauthorized access and to protect information by using the following methods:

  • Authentication This method recognizes each individual user's identity, location, and exact logon time and maps them to the policy. Authentication also encompasses the authorization of network services granted to users and what functions they are authorized to perform on the network. Authentication is discussed in more detail in Chapter 11, "Remote Access."

  • Encryption Encryption is a method for ensuring the confidentiality, integrity, and authenticity of data communications across a network. There are several encryption methods available, and some of them, such as DES, 3DES, and AES, are described in Chapter 4, "Cryptography."
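The three properties the encryption bullet names (confidentiality, integrity, and authenticity) are easiest to see with an authenticated cipher mode, where a modified message is rejected outright rather than decrypted into garbage. The following Go program is an added example, not code from the book or from Cisco: it uses AES (one of the algorithms the bullet lists) in GCM mode from Go's standard library, a mode choice that is mine and not named on this page. The function names Seal, Open, and Tampered, the wire layout nonce || ciphertext || tag, and the sample message are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext with AES-256-GCM under key (32 bytes).
// Output layout (an assumption of this example): nonce || ciphertext || tag,
// so the receiver needs nothing beyond the shared key to open it.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM nonces must never repeat under the same key; a fresh random
	// 96-bit nonce per message is the standard way to ensure that.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// aead.Seal appends ciphertext and the 16-byte authentication tag
	// after the nonce we pass as the destination buffer.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error if the key is wrong or if any
// byte of the message (nonce, ciphertext, or tag) was altered in transit;
// that rejection is the integrity and authenticity guarantee of the mode.
func Open(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(msg) < ns+aead.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	return aead.Open(nil, msg[:ns], msg[ns:], nil)
}

// Tampered returns a copy of msg with one bit flipped in its final byte,
// simulating modification in transit (constructed for the example).
func Tampered(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	key := make([]byte, 32) // AES-256 key; generated fresh for the demo
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, err := Seal(key, []byte("router config: deny unauthorized addresses"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed message is %d bytes (12 nonce + body + 16 tag)\n", len(sealed))

	if pt, err := Open(key, sealed); err == nil {
		fmt.Printf("intact message opened: %q\n", pt)
	}
	if _, err := Open(key, Tampered(sealed)); err != nil {
		fmt.Println("tampered message rejected:", err)
	}
	wrongKey := make([]byte, 32)
	if _, err := Open(wrongKey, sealed); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
}
```

The point to take from the run is that a single flipped bit, or a wrong key, produces an error rather than plausible-looking plaintext; with a non-authenticated mode the receiver would have to detect corruption some other way, which is why DES and 3DES on their own give confidentiality but not the integrity and authenticity the bullet also mentions.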

  • Firewalls A firewall is a set of related services, located at a network gateway, that protects the resources of a private network from users from other networks. Firewalls can also be standalone devices or can be configured on most routers. More information on firewalls can be found in Chapter 9, "Firewalls."

  • Vulnerability patching This method entails the identification and patching of possible security holes that could compromise a network and the information available on that network. This was fully discussed in Chapter 2.

After a network is secure, it has to be monitored to ensure that it stays secure (see Figure 5-3). Network vulnerability scanners can proactively identify areas of weakness, and IDSs can monitor and respond to security events as they occur. Using these security monitoring solutions, organizations can obtain unprecedented visibility into the network data stream and the security posture of the network.

As shown in Figure 5-3, after the monitoring phase comes the testing phase. Testing security is as important as monitoring it. Without testing the security solutions in place, it is impossible to know about existing or new attacks. The hacker community is an ever-changing environment. An organization can perform the testing itself, or it can be outsourced to a third party such as the Cisco Advanced Services for Network Security (ASNS) group. Monitoring and testing provide the data necessary to improve network security. Administrators and engineers should use the information from the monitoring and testing phases to make improvements to the security implementation. They should also adjust the security policy as vulnerabilities and risks are identified.

NOTE

For more information on the ASNS, you can check the following web page:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns267/networking_solutions_packag175