Cisco DNCS System Release 2.7 3.7 4.2 Design Guide
4000358 Rev B
Security Recommendations for the DBDS Network in a DOCSIS Environment
3-21
DBDS Network Security, Continued
Data Path 8: Communication Between Server Farm and the DBDS Network
How the Element Management System (EMS) server is physically connected to both
the DBDS network and the cable service provider's network depends on the cable
service provider. The server is assumed to be multi-homed, although the cable
service provider may ultimately choose otherwise. If the server is multi-homed,
no traffic originating from the cable service provider is expected to cross
Router 1; therefore, you must apply security filters on Router 1 that deny any
traffic originating from the cable service provider. If the server is
single-homed, then in addition to the filters on Router 1, the cable service
provider should install stateful inspection devices that filter, at the
application layer, all traffic originating from the cable service provider.
# 390
Configure Router 1 to deny any IP and ICMP traffic between the DBDS network and
any server (DOCSIS and non-DOCSIS) for the cable service provider.
Data Path 9: DBDS Network – DMZ
A DMZ, sometimes called a perimeter network, is a segment or network inserted
between a protected network and an external network in order to provide an
additional layer of security without compromising services. Cable service
providers should keep the external, untrusted side of their network separate
from the internal, trusted side.
The cable service provider can use the DMZ to connect hosts that need to have
external access to the Internet. Examples of hosts that can be connected to a DMZ are
Web servers and public mail servers.
# 400
Configure Router 1 to deny any IP and ICMP traffic between the DBDS network and
the DMZ segment.
Data Path 10: End-User Device – DMZ
# 410
Configure Router 3 or the cable service provider’s firewall to deny IP and ICMP
traffic between the DMZ network and any end-user device with a private IP address.
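The following is an added example, not configuration from the Cisco guide, showing one way to express recommendations 390 and 400 (Router 1, Data Paths 8 and 9) and recommendation 410 (Router 3, Data Path 10) as Cisco IOS extended access lists. Every address, interface name, host and description in it is an assumption chosen for illustration: the DBDS network as 10.10.0.0/16, the provider server farm as 192.168.50.0/24, the DMZ as 203.0.113.0/24, "private" end-user addresses as the RFC 1918 ranges, and a syslog collector at 10.10.1.5.

```cisco
! Added illustration of recommendations 390, 400 and 410 as Cisco IOS
! extended access lists. Not from the Cisco guide. All addresses, interface
! names and hosts below are assumptions chosen for the example:
!   DBDS network ............ 10.10.0.0/16     Router 1 GigabitEthernet0/0
!   provider server farm .... 192.168.50.0/24  Router 1 GigabitEthernet0/1
!   DMZ segment ............. 203.0.113.0/24   Router 1 Gi0/2, Router 3 Gi0/0
!   end-user private space .. RFC 1918 ranges  Router 3 GigabitEthernet0/1
!   syslog collector ........ 10.10.1.5 (assumed)
!
! ===================== Router 1 =====================
! Traffic entering Router 1 from the DBDS network (rec. 390 and 400).
ip access-list extended FROM-DBDS
 remark 390: DBDS -> any provider server (DOCSIS or non-DOCSIS)
 deny   icmp 10.10.0.0 0.0.255.255 192.168.50.0 0.0.0.255 log
 deny   ip   10.10.0.0 0.0.255.255 192.168.50.0 0.0.0.255 log
 remark 400: DBDS -> DMZ
 deny   icmp 10.10.0.0 0.0.255.255 203.0.113.0 0.0.0.255 log
 deny   ip   10.10.0.0 0.0.255.255 203.0.113.0 0.0.0.255 log
 remark flows allowed by the guide's other data paths belong here (assumed)
 permit ip 10.10.0.0 0.0.255.255 any
!
! Traffic leaving Router 1 toward the DBDS network (rec. 390 and 400, plus the
! Data Path 8 rule that nothing sourced by the provider crosses Router 1).
ip access-list extended TO-DBDS
 remark 390: provider servers -> DBDS
 deny   icmp 192.168.50.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 deny   ip   192.168.50.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 remark 400: DMZ -> DBDS
 deny   icmp 203.0.113.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 deny   ip   203.0.113.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 remark explicit permits for the guide's other data paths go here (assumed)
 deny   ip any any log
!
interface GigabitEthernet0/0
 description DBDS network (assumed)
 ip access-group FROM-DBDS in
 ip access-group TO-DBDS out
!
! ===================== Router 3 =====================
! Rec. 410: no IP or ICMP between the DMZ and any end-user device holding a
! private (RFC 1918) address, enforced on the DMZ-facing interface in both
! directions.
ip access-list extended DMZ-TO-PRIVATE
 remark 410: DMZ -> private end-user addresses
 deny   icmp 203.0.113.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip   203.0.113.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   icmp 203.0.113.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip   203.0.113.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   icmp 203.0.113.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   ip   203.0.113.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit ip 203.0.113.0 0.0.0.255 any
!
ip access-list extended PRIVATE-TO-DMZ
 remark 410: private end-user addresses -> DMZ
 deny   icmp 10.0.0.0 0.255.255.255 203.0.113.0 0.0.0.255 log
 deny   ip   10.0.0.0 0.255.255.255 203.0.113.0 0.0.0.255 log
 deny   icmp 172.16.0.0 0.15.255.255 203.0.113.0 0.0.0.255 log
 deny   ip   172.16.0.0 0.15.255.255 203.0.113.0 0.0.0.255 log
 deny   icmp 192.168.0.0 0.0.255.255 203.0.113.0 0.0.0.255 log
 deny   ip   192.168.0.0 0.0.255.255 203.0.113.0 0.0.0.255 log
 permit ip any 203.0.113.0 0.0.0.255
!
interface GigabitEthernet0/0
 description DMZ segment (assumed)
 ip access-group DMZ-TO-PRIVATE in
 ip access-group PRIVATE-TO-DMZ out
!
! Send the "log" hits to the collector and check the counters afterwards:
logging host 10.10.1.5
! show ip access-lists TO-DBDS   (per-entry match counts)
! show logging                   (%SEC-6-IPACCESSLOG... messages for hits)
```

The separate `deny icmp` entries are technically redundant with the `deny ip` entry that follows each of them, since ICMP is carried in IP, but they mirror the guide's wording and give ICMP its own hit counter in `show ip access-lists`, which makes probing of the DBDS network easy to spot. The trailing `deny ip any any log` on TO-DBDS is what enforces the Data Path 8 requirement that no provider-originated traffic crosses Router 1 when the EMS server is multi-homed; in the single-homed case the guide calls for stateful, application-layer inspection as well, which a stateless access list does not provide.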