Medianet Reference Guide - Cisco

More documents

Recommendations

Info

An Introduction to Securing a Medianet Chapter 5 Medianet Security Design Considerations Web Security The web is increasingly being used to distribute malware and, whilst malicious sites continue to operate as one key delivery method, the majority of today’s web-based threats are delivered through legitimate websites that have been compromised. Add to this the threats posed by spyware, traffic tunneling, client usage of unauthorized sites and services, and the sharing of unauthorized data, and it is easy to see why web security is critical to any organization. Cisco offers four web security options: • Cisco Ironport S-Series Web Security Appliance (WSA) An on-premise, dedicated appliance offering high performance web-based threat mitigation and security policy enforcement. The WSA provides web usage controls, known and unknown malware protection through multiple scanning engines and reputation filtering, data loss prevention, URL filtering, protocol tunneling protection and malware activity monitoring. • Cisco ScanSafe Hosted web security (SaaS) offering web-based malware protection in the cloud. ScanSafe provides real-time scanning of inbound and outbound web traffic for known and unknown malware, as well as monitoring of malware activity. • Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) Service module for the Cisco ASA 5500 Series providing comprehensive antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and filtering, and content filtering. • Cisco IOS Content Filtering Integrated web security in Cisco IOS platforms offering whitelist and blacklist URL filtering, keyword blocking, security rating, and category filtering For more information about Cisco Ironport WSA, ScanSafe, and Cisco IOS security, see Medianet Security Reference Documents, page 5-12. E-mail Security E-mail is one of the primary malware distribution methods, be it through broad phishing attacks, malware in attachments or more sophisticated, targeted E-mail attacks. E-mail spam is a major revenue generator for the miscreant community, and E-mail is one of the most common methods for unauthorized data exchange. Consequently, E-mail security is critical to an enterprise. Cisco offers E-mail security through the Ironport C-Series E-mail Security Appliance (ESA), providing spam filtering, malware filtering, reputation filtering, data loss prevention (DLP) and E-mail encryption. This is available in three deployment options: • On-premise appliance enforcing both inbound and outbound policy controls. • Hybrid Hosted service offering an optimal design that features inbound filtering in the cloud for spam and malware filtering, and an on-premise appliance performing outbound control for DLP and encryption. • Dedicated hosted E-mail security service (SaaS) offering the same rich E-mail security features but with inbound and outbound policy enforcement being performed entirely in the cloud. For more information on Cisco Ironport ESA, see Medianet Security Reference Documents, page 5-12. 5-6 Medianet Reference Guide OL-22201-01
Chapter 5 Medianet Security Design Considerations An Introduction to Securing a Medianet Network Access Control User Policy Enforcement Secure Communications With the pervasiveness of networks, controlling who has access and what they are subsequently permitted to do are critical to network and data security. Consequently, identity, authentication and network policy enforcement are key elements of network access control. Cisco Trusted Security (TrustSec) is a comprehensive solution that offers policy-based access control, identity-aware networking, and data confidentiality and integrity protection in the network. Key Cisco technologies integrated in this solution include: • Cisco Catalyst switches providing rich infrastructure security features such as 802.1X, web authentication, MAC authentication bypass, MACSec, Security Group Tags (SGT), and a selection of dynamic policy enforcement mechanisms and deployment modes. • Cisco Secure Access Control System (ACS) as a powerful policy server for centralized network identity and access control. • Cisco Network Access Control (NAC) offering appliance-based network access control and security policy enforcement, as well as posture assessment. For more information about Cisco TrustSec, see Medianet Security Reference Documents, page 5-12. User policy enforcement is a broad topic and, based on the defined security policy, may include: • Acceptable Use Policy (AUP) Enforcement For example, restricting web access and application usage, such as P2P applications and adult content. This can be achieved through Cisco IOS Content Filtering and Ironport WSA Web Usage Controls (WUC). • Data Loss Prevention (DLP) DLP is often required for regulatory purposes and refers to the ability to control the flow of certain data, as defined by security policy. For example, this may include credit card numbers or medical records. DLP can be enforced at multiple levels, including on a host, through the use of Cisco Security Agent (CSA), in E-mail through integration of the Ironport ESA and via web traffic through integration of the Ironport WSA. The confidentiality, integrity, and availability of data in transit is critical to business operations and is thus a key element of network security. This encompasses the control and management, as well as data planes. The actual policy requirements will typically vary depending on the type of data being transferred and the network and security domains being transited. This is a reflection of the risk and vulnerabilities to which data may be subject, including unauthorized access, and data loss and manipulation from sniffing or man-in-the-middle (MITM) attacks. For example, credit card processing over the Internet is governed by regulatory requirements that require it to be in an isolated security domain and encrypted. A corporate WLAN may require the use of WPA2 for internal users and segmented wireless access for guests. Secure communications is typically targeted at securing data in transit over WAN and Internet links that are exposed to external threats, but the threats posed by compromised internal hosts is not to be overlooked. Similarly, sensitive data or control and management traffic transiting internal networks may also demand additional security measures. OL-22201-01 Medianet Reference Guide 5-7
Page 1 and 2:
Medianet Reference Guide Last Updat
Page 3:
About the Authors Solution Authors
Page 6 and 7:
Contents Application Intelligence a
Page 8 and 9:
Contents The Globalization of the W
Page 10 and 11:
Contents NetFlow Collector Consider
Page 12 and 13:
Contents viii Medianet Reference Gu
Page 14 and 15:
Business Drivers for Media Applicat
Page 16 and 17:
Business Drivers for Media Applicat
Page 18 and 19:
Challenges of Medianets Chapter 1 M
Page 20 and 21:
Challenges of Medianets Chapter 1 M
Page 22 and 23:
Solution Chapter 1 Medianet Archite
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Conclusions Chapter 1 Medianet Arch
Page 48 and 49:
Related Documents Chapter 1 Mediane
Page 50 and 51:
Related Documents Chapter 1 Mediane
Page 52 and 53:
Measuring Bandwidth Chapter 2 Media
Page 54 and 55:
Packet Flow Malleability Chapter 2
Page 56 and 57:
Shapers Chapter 2 Medianet Bandwidt
Page 58 and 59:
Shapers versus Policers Chapter 2 M
Page 60 and 61:
Shapers versus Policers Chapter 2 M
Page 62 and 63:
Converged Video Chapter 2 Medianet
Page 64 and 65:
Bandwidth Over Subscription Chapter
Page 66 and 67:
Capacity Planning Chapter 2 Mediane
Page 68 and 69:
Load Balancing Chapter 2 Medianet B
Page 70 and 71:
EtherChannel Chapter 2 Medianet Ban
Page 72 and 73:
Bandwidth Conservation Chapter 2 Me
Page 74 and 75:
Summary Chapter 2 Medianet Bandwidt
Page 76 and 77:
Network Availability Chapter 3 Medi
Page 78 and 79:
Network Availability Chapter 3 Medi
Page 80 and 81:
Device Availability Technologies Ch
Page 82 and 83:
Device Availability Technologies Ch
Page 84 and 85:
Network Availability Technologies C
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Operational Availability Technologi
Page 106 and 107:
Summary Chapter 3 Medianet Availabi
Page 108 and 109:
Drivers for QoS Design Evolution Ch
Page 110 and 111: Drivers for QoS Design Evolution Ch
Page 122 and 123: Cisco QoS Toolset Chapter 4 Mediane
Page 136 and 137: Enterprise Medianet Strategic QoS R
Page 152 and 153: References Chapter 4 Medianet QoS D
Page 154 and 155: References Chapter 4 Medianet QoS D
Page 156 and 157: An Introduction to Securing a Media
Page 166 and 167: Medianet Security Reference Documen
Page 168 and 169: Medianet Security Reference Documen
Page 170 and 171: Network-Embedded Management Functio
Page 180 and 181: Cisco Network Analysis Module Chapt
Page 210 and 211:
Cisco Network Analysis Module Chapt
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Application-Specific Management Fun
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Summary Chapter 6 Medianet Manageme
Page 252 and 253:
Auto Smartports Chapter 7 Medianet
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276 and 277:
Location Services Chapter 7 Mediane
Page 278 and 279:
Summary Chapter 7 Medianet Auto Con
Page 280:
References Chapter 7 Medianet Auto
show all

Medianet Reference Guide - Cisco

Create successful ePaper yourself

Delete template?

Save as template?