Cisco IPS 4360 Sensor White Paper
Firewall
August 2012 Series
Business Overview
The Internet edge is the point where the organization’s network connects to the Internet. This is the perimeter of the network, where a line is drawn between the public Internet and the private resources contained within an organization’s network. Worm, virus, and botnet infiltrations pose substantial threats to network performance, availability, and data security. To add to these problems, an organization’s Internet connection can contribute to employee productivity loss and leakage of confidential data.
Internet-based attackers are a threat to an organization’s network infrastructures and data resources. Most networks connected to the Internet are subject to a constant barrage of worms, viruses, and targeted attacks. Organizations must vigilantly protect their network, user data, and customer information. Additionally, most network addresses must be translated to an Internet-routable address, and the firewall is the logical place for this function.
Network security, as applied at the firewall, must assure that the organization’s data resources are protected from snooping and tampering, and it must prevent compromise of hosts by resource-consuming worms, viruses, and botnets. Additionally, the firewall policy must establish the appropriate balance in order to provide security without interfering with access to Internet-based applications or hindering connectivity to business partners’ data via extranet VPN connections.
Firewall security is an integral part of every Internet edge deployment, as it protects information while meeting the need for secure, reliable networks and enforces policy in order to maintain employee productivity. Where industry regulations apply, firewalls play a crucial role in an organization’s ability to address regulatory compliance requirements. Regulatory requirements vary by country and industry; this document does not cover specific regulatory compliance requirements.
Technology Overview
The Cisco ASA firewall family sits between the organization’s internal network and the Internet and is a fundamental infrastructural component that minimizes the impact of network intrusions while maintaining worker productivity and data security.
This design uses Cisco ASA 5500-X Series for Internet edge firewall security. They are configured in an active/standby pair for high availability in order to ensure that Internet access is minimally impacted by firewall software maintenance or hardware failure. The Cisco ASAs are configured in routing mode. They apply Network Address Translation (NAT) and firewall policy, and they host intrusion prevention system modules to detect and mitigate malicious or harmful traffic.
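The following ASA configuration fragment is an added illustration of the four elements the paragraph above names (routing mode, an active/standby failover pair, NAT, and firewall policy with traffic redirected to the IPS module). It is not configuration from this guide or from Cisco; every address, interface assignment and object name in it is a constructed placeholder, and the fail-open choice for the IPS module is an assumption, not the guide's stated design.

```cisco
! Added illustrative ASA configuration (not from the guide).
! Addresses, interface roles and object names are constructed placeholders.
!
! --- Interfaces: each carries a "standby" address for the failover peer ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.4.24.30 255.255.255.224 standby 10.4.24.29
!
interface GigabitEthernet0/3
 nameif dmz
 security-level 50
 ip address 192.168.16.1 255.255.255.0 standby 192.168.16.2
!
! --- Routing mode: static default route toward the Internet router ---
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! --- Active/standby failover over a dedicated link (assumed Gi0/2) ---
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover link failover GigabitEthernet0/2
failover interface ip failover 10.4.24.33 255.255.255.248 standby 10.4.24.34
failover polltime unit 1 holdtime 3
!
! --- NAT: internal hosts hide behind the outside interface address ---
object network internal-network
 subnet 10.4.0.0 255.254.0.0
 nat (inside,outside) dynamic interface
!
! --- NAT: one published DMZ web server with a static translation ---
object network dmz-web-server
 host 192.168.16.10
 nat (dmz,outside) static 192.0.2.20
!
! --- Firewall policy: outside may reach only the published service ---
! (ASA 8.3+ ACLs reference the real, untranslated address via the object)
access-list OUTSIDE-IN extended permit tcp any object dmz-web-server eq www
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! --- Redirect all traffic through the IPS module inline ---
class-map IPS-CLASS
 match any
policy-map global_policy
 class IPS-CLASS
  ips inline fail-open
service-policy global_policy global
```

Two points matter from a defender's view. The trailing explicit deny with `log` is what turns the outside access list into a detection source: the implicit deny would drop the same packets silently. The `fail-open` keyword decides what happens when the IPS module is unavailable; it keeps Internet access up during module failure or upgrade, while `fail-close` blocks traffic instead, so the choice should follow the organization's availability versus inspection priorities rather than be left at a default.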
Two deployment options are discussed to address Internet access requirements for high availability and to meet operational requirements for device-level separation between remote-access VPN and firewall.
One firewall design uses a single Internet connection and integrates the remote-access VPN function in the same Cisco ASA pair that provides the firewall functionality.
Figure 4 - Single ISP topology (diagram elements: Internet, Internet Router, Outside Switches, Cisco ASA 5525-X with IPS, DMZ Switches, Internet Servers, Distribution, Internal Network)