Cisco ASA 5585-X Adaptive Security Appliance White Paper

Cisco and Public Sector Cyberdefense
 
Detection in the Data Center
One common design element in some data center architectures is to route all critical traffic (or, depending on traffic volumes, all traffic) through a services switch [6]. Typically this would be a Cisco Catalyst 6500 Series switch, with multiple services modules.
In addition to the FWSM (discussed above), some other capabilities supplied by the services switch might include:

Network Analysis Module (NAM): provides traffic monitoring services for visibility into network and application usage, helping network managers troubleshoot delivery issues, improve the utilization of network resources, and ease the deployment of new network services. It includes an embedded, web-accessible Traffic Analyzer interface that presents both configuration menus and real-time and historical reports. It also offers web-based captures and decodes for anytime, anywhere troubleshooting.

Application Control Engine (ACE) Module: Although more often thought of as an application acceleration tool, the ACE module can also serve a security purpose. First, by acting as a front end for a server farm, it effectively hides the true IP addresses of the servers from both internal and external clients in the network. Second, its server load-balancing capabilities, as well as off-load application acceleration, provide greater levels of resiliency to the server farm.

Secure Sockets Layer Service Module (SSL-SM): offloads processor-intensive tasks related to securing traffic, increasing the number of secure connections supported by a website, and reducing the operational complexity of high-performance web server farms. The SSL-SM simplifies security management while encrypting user data to the web servers, providing privacy, confidentiality, and authentication using a wide range of certificates, including Netscape and VeriSign.

Encapsulated Remote Switched Port Analyzer (ERSPAN): is an embedded capability within the Cisco Catalyst 6500 Switch that mirrors traffic across the network to a central location, where it can be analyzed. Because the mirrored traffic is encapsulated in IP, it can cross Layer 3 boundaries and be directed anywhere in the network. This can significantly increase the speed and flexibility of troubleshooting security problems. This technology can also be used to redirect traffic to security devices such as intrusion detection systems (IDSs).
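Because ERSPAN wraps each mirrored Ethernet frame in GRE inside an outer IP datagram, a collector or IDS that receives the mirror must strip that encapsulation before it can inspect the original frame. The following decapsulator is an added example, not code from the Cisco white paper: it assumes the ERSPAN Type II layout used by Catalyst switches (GRE protocol type 0x88BE followed by an 8-byte ERSPAN header carrying the session ID and original VLAN), and the sample packet it parses is constructed by hand for illustration.

```python
"""Decapsulate an ERSPAN Type II mirrored frame (outer IPv4 / GRE / ERSPAN / Ethernet).

Added example, not from the Cisco white paper. The field layout assumed here is
the ERSPAN Type II header: GRE protocol type 0x88BE, then an 8-byte header with
version (4 bits), VLAN (12), COS (3), encapsulation type (2), truncated flag (1),
session ID (10), reserved (12) and index (20). The sample packet is constructed.
"""
import struct

IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_II = 0x88BE


def parse_erspan(packet: bytes) -> dict:
    """Return outer addresses, ERSPAN session/VLAN fields and the inner Ethernet frame.

    packet: an outer IPv4 datagram as it arrives at the ERSPAN destination.
    Raises ValueError if the datagram is not an ERSPAN Type II packet.
    """
    # Outer IPv4 header: check version, protocol 47 (GRE) and trim to total length.
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not GRE (IP protocol 47)")
    outer_src = ".".join(str(b) for b in packet[12:16])
    outer_dst = ".".join(str(b) for b in packet[16:20])
    payload = packet[ihl:total_len]

    # GRE header: flags/version, protocol type, then optional fields selected by C/K/S bits.
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags, gre_proto = struct.unpack("!HH", payload[:4])
    if gre_proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"GRE protocol 0x{gre_proto:04x} is not ERSPAN Type II")
    off = 4
    if flags & 0x8000:        # C bit: checksum + reserved
        off += 4
    if flags & 0x2000:        # K bit: key
        off += 4
    seq = None
    if flags & 0x1000:        # S bit: sequence number (present on ERSPAN Type II)
        seq = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4

    # ERSPAN Type II header: two 32-bit words.
    if len(payload) < off + 8:
        raise ValueError("truncated ERSPAN header")
    word0, word1 = struct.unpack("!II", payload[off:off + 8])
    version = word0 >> 28
    if version != 1:
        raise ValueError(f"ERSPAN version {version} is not Type II")
    return {
        "outer_src": outer_src,
        "outer_dst": outer_dst,
        "gre_seq": seq,
        "vlan": (word0 >> 16) & 0x0FFF,       # VLAN of the mirrored frame
        "cos": (word0 >> 13) & 0x7,
        "encap": (word0 >> 11) & 0x3,
        "truncated": bool((word0 >> 10) & 0x1),
        "session_id": word0 & 0x03FF,         # ERSPAN session ID configured on the switch
        "index": word1 & 0x000FFFFF,
        "inner_frame": payload[off + 8:],     # original Ethernet frame for the IDS
    }


def is_erspan(packet: bytes) -> bool:
    """Convenience predicate: True if parse_erspan accepts the datagram."""
    try:
        parse_erspan(packet)
        return True
    except ValueError:
        return False


def build_sample_packet() -> bytes:
    """Constructed ERSPAN Type II packet: session 100, VLAN 42, GRE seq 7, from 10.1.1.2 to 10.1.1.1."""
    inner = (bytes.fromhex("001122334455")      # constructed destination MAC
             + bytes.fromhex("66778899aabb")    # constructed source MAC
             + b"\x08\x00" + b"\x45" + b"\x00" * 19)  # EtherType IPv4 + placeholder IP header
    word0 = (1 << 28) | (42 << 16) | (5 << 13) | (3 << 11) | 100
    erspan = struct.pack("!II", word0, 0)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, 7)   # S bit set, seq 7
    payload = gre + erspan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     IPPROTO_GRE, 0, bytes([10, 1, 1, 2]), bytes([10, 1, 1, 1]))
    return ip + payload


if __name__ == "__main__":
    info = parse_erspan(build_sample_packet())
    print(f"session {info['session_id']} vlan {info['vlan']} from {info['outer_src']}: "
          f"{len(info['inner_frame'])}-byte inner frame")
```

The session ID and VLAN recovered from the header let a monitoring station keep frames from different mirror sessions separate, and the GRE sequence number gives a simple way to spot drops on the path between the source switch and the collector.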
The Cisco SAFE blueprint for network security also provides detailed configuration guidance on how to provide a security architecture using Cisco standalone security appliances. In many cases, operational administration of security within an IT department is a separate role from network operations. For this and other reasons, customers have the flexibility to deploy security as an integrated service within the switches/routers, as a standalone appliance, or as a hybrid of the two approaches. Some of the most commonly deployed Cisco security appliances include:

The Cisco ASA 5500 Series Adaptive Security Appliances: The Cisco ASA 5500 Series converges best-in-class firewall, IPS, network antivirus, and VPN services to deliver application security, user- and application-based access control, worm/virus mitigation, spyware protection, and remote user/site connectivity. This convergence of market-proven technologies provides a proactive threat mitigation that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. Intrusion protection can be integrated with the firewall and VPN functionality or be separated out through the deployment of the Cisco IPS 4200 Series Sensors.
Cisco ACE 4700 Series Application Control Engine Appliance: Manages up to 4 Gbps of application traffic in a one-rack-unit (1RU) form factor and is upgradable through software licenses. Its innovative virtualization and role-based access control capabilities enable IT to provision and deliver a broad range of multiple applications from a single Cisco ACE appliance, bringing increased scalability for application provisioning to the data center. The Cisco ACE 4710 greatly improves server efficiency through highly flexible application traffic management and the offloading of CPU-intensive tasks such as Secure Sockets Layer (SSL) encryption and decryption processing, HTTP compression, and TCP session management. The Cisco ACE

[6] There are many options for designing a services switch. For design considerations, including advice on optimal traffic redirection and high availability, see