Medianet Reference Guide - Cisco
Solution<br />
Chapter 1<br />
<strong>Medianet</strong> Architecture Overview<br />
For these restricted access video scenarios, network virtualization technologies can be deployed to isolate the endpoints, servers, and corresponding media applications within a logical network partition, enhancing the security of the overall solution. <strong>Cisco</strong> Catalyst switching products offer a range of network virtualization technologies, including Virtual Routing and Forwarding (VRF) Lite and Generic Route Encapsulation (GRE), that are ideal for logical isolation of devices and traffic.<br />
Securing Media in the Campus<br />
As previously discussed, a layered and integrated approach to security provides the greatest degree of protection while at the same time increasing operational and management efficiency. To this end, campus network administrators are encouraged to use the following tactics and tools to secure the Campus medianet:<br />
Basic security tactics and tools:<br />
• Access-lists to restrict unwanted traffic<br />
• Separate voice/video VLANs from data VLANs<br />
• Harden software media endpoints with Host-based Intrusion Protection Systems (HIPS), like <strong>Cisco</strong> Security Agent (CSA)<br />
• Disable gratuitous ARP<br />
• Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices<br />
• Enable SYSLOG to a server; collect and archive logs<br />
• When using SNMP, use SNMPv3<br />
• Disable unused services<br />
• Use SSH to access devices instead of Telnet<br />
• Use FTP or SFTP (SSH FTP) to move images and configurations around and avoid TFTP when possible<br />
• Install VTY access-lists to limit which addresses can access management and CLI services<br />
• Apply basic protections offered by implementing RFC 2827 filtering on external edge inbound interfaces<br />
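The following IOS configuration is an added example of how the basic list above is typically realised on a Catalyst switch; it is not configuration from this guide or from Cisco. Hostnames, interface names, VLAN numbers, the 192.0.2.0/24 management subnet and the 203.0.113.0/24 "enterprise" prefix are placeholders, and secrets are shown as &lt;...&gt;.<br />

```cisco
! Added example (not from the Cisco guide): IOS management-plane hardening
! covering the "basic" tactics list. Addresses, names, VLANs and the
! 203.0.113.0/24 enterprise prefix are placeholders; secrets are shown as <...>.
hostname CAMPUS-ACCESS-1
ip domain-name medianet.example          ! placeholder domain, required for the RSA key
!
! --- SSH instead of Telnet; the key is generated interactively in config mode ---
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
!
! --- AAA with TACACS+ and a local fallback account (role = privilege level) ---
aaa new-model
tacacs server TAC-1
 address ipv4 192.0.2.10                 ! placeholder TACACS+ server
 key <tacacs-shared-secret>
aaa group server tacacs+ TAC-GROUP
 server name TAC-1
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
username fallback-admin privilege 15 secret <strong-local-password>
enable secret <strong-enable-secret>
!
! --- Syslog to a collector, with timestamps that forensic review can correlate ---
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging host 192.0.2.20                  ! placeholder syslog collector
logging trap informational
logging source-interface Vlan900         ! placeholder management VLAN
!
! --- SNMPv3 only: authPriv user with a read-only view; no v1/v2c community strings ---
snmp-server view MEDIANET-RO-VIEW iso included
snmp-server group MEDIANET-RO v3 priv read MEDIANET-RO-VIEW
snmp-server user nms-poller MEDIANET-RO v3 auth sha <auth-password> priv aes 128 <priv-password>
!
! --- Disable unused services and gratuitous ARP ---
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip http server
no ip gratuitous-arps
!
! --- SSH-based file transfer (SCP) instead of TFTP; needs the AAA exec authorization above ---
ip scp server enable
!
! --- VTY access-list: only the management subnet may reach the CLI, and only over SSH ---
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255              ! placeholder management subnet
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! --- Separate voice/video VLAN from the data VLAN on an access port ---
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10               ! data
 switchport voice vlan 110               ! voice/video
!
! --- RFC 2827 ingress filtering on the external edge: drop packets arriving from
!     outside that claim an inside or reserved source address ---
ip access-list extended RFC2827-EDGE-IN
 deny   ip 203.0.113.0 0.0.0.255 any     ! our own public prefix cannot arrive from outside
 deny   ip 10.0.0.0 0.255.255.255 any    ! RFC 1918 space
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any   ! loopback
 deny   ip 0.0.0.0 0.255.255.255 any     ! "this" network
 permit ip any any                       ! everything else continues to the stateful firewall
interface GigabitEthernet1/0/48
 description External edge
 ip access-group RFC2827-EDGE-IN in
```

The `deny any log` entry at the end of MGMT-HOSTS is deliberate: every rejected attempt to reach the VTY lines lands in the syslog collector, which is the data an incident responder wants when a management plane is probed. The RFC 2827 list is a coarse anti-spoofing filter only; the intermediate list below still places a stateful firewall behind it.<br />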
Intermediate security tactics and tools:<br />
• Deploy firewalls with stateful inspection<br />
• Enable control plane protocol authentication where it is available (EIGRP, OSPF, HSRP, VTP, etc.)<br />
• Leverage the <strong>Cisco</strong> Catalyst Integrated Security Feature (CISF) set, including:<br />
– Dynamic Port Security<br />
– DHCP Snooping<br />
– Dynamic ARP Inspection<br />
– IP Source Guard<br />
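As an added example (not configuration from this guide or from Cisco), the following shows the CISF features above wired together on an access switch, with DHCP Snooping building the binding table that Dynamic ARP Inspection and IP Source Guard then enforce, plus control-plane authentication for EIGRP, HSRP and VTP. VLAN numbers, interface names, addresses and the EIGRP AS number are placeholders, and secrets are shown as &lt;...&gt;.<br />

```cisco
! Added example (not from the Cisco guide): Catalyst Integrated Security Features
! plus control-plane protocol authentication. VLANs, interfaces, addresses and
! process IDs are placeholders; secrets are shown as <...>.
!
! --- DHCP Snooping: builds the binding table that DAI and IP Source Guard consult ---
ip dhcp snooping
ip dhcp snooping vlan 10,110             ! data and voice/video VLANs
ip dhcp snooping database flash:dhcp-snoop.db   ! keep bindings across a reload
!
! --- Dynamic ARP Inspection on the same VLANs, with extra header sanity checks ---
ip arp inspection vlan 10,110
ip arp inspection validate src-mac dst-mac ip
!
! --- The uplink toward the DHCP server and gateway is the only trusted port ---
interface GigabitEthernet1/0/1
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Endpoint port: phone + PC, untrusted, rate-limited, source-verified ---
interface GigabitEthernet1/0/10
 description IP phone with PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 3      ! phone (voice + data VLAN) plus one PC
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ip dhcp snooping limit rate 10          ! DHCP packets per second before err-disable
 ip arp inspection limit rate 15
 ip verify source                        ! IP Source Guard: drop IP traffic absent from the binding table
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- EIGRP neighbor authentication on the routed uplink (distribution-layer SVI) ---
key chain EIGRP-KEYS
 key 1
  key-string <eigrp-shared-secret>
interface Vlan900
 description Routed uplink, EIGRP AS 100
 ip address 10.9.0.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! --- HSRP authentication so a rogue device cannot claim the voice VLAN gateway ---
interface Vlan110
 ip address 10.1.110.2 255.255.255.0
 standby 110 ip 10.1.110.1
 standby 110 priority 110
 standby 110 preempt
 standby 110 authentication md5 key-string <hsrp-shared-secret>
!
! --- VTP: a password keeps an unauthorised switch from rewriting the VLAN database ---
vtp domain MEDIANET
vtp password <vtp-secret>
!
! Verification (exec mode):
! show ip dhcp snooping binding
! show ip arp inspection statistics vlan 110
! show ip verify source interface GigabitEthernet1/0/10
! show ip eigrp neighbors
```

Ordering matters when rolling this out: enable DHCP Snooping and let endpoints renew their leases before turning on DAI and IP Source Guard, otherwise hosts with an existing lease have no binding and are dropped. Endpoints with static addresses need an `ip source binding` entry added by hand.<br />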
Advanced security tactics and tools:<br />
• Deploy Network Admission Control (NAC) and 802.1x<br />
• Encrypt all media calls with IPsec<br />
• Protect the media control plane with Transport Layer Security (TLS)<br />
• Encrypt configuration files<br />
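The following is an added example (not configuration from this guide or from Cisco) of the switch-side part of the advanced list: 802.1X with a NAC/RADIUS server on a phone-plus-PC port, and encryption of the secrets stored in the configuration file, contrasting the weak type-7 obfuscation with the AES-based master-key option. IPsec for media and TLS for call signaling are configured on the call-control servers and endpoints rather than on the switch and are not shown. Server addresses, VLANs and interface names are placeholders, and secrets are shown as &lt;...&gt;.<br />

```cisco
! Added example (not from the Cisco guide): 802.1X/NAC on a phone+PC port and
! encryption of secrets held in the configuration. Server addresses, VLANs and
! interface names are placeholders; secrets are shown as <...>.
!
! --- RADIUS server used by the NAC deployment for 802.1X authentication/authorization ---
aaa new-model
radius server NAC-1
 address ipv4 192.0.2.30 auth-port 1812 acct-port 1813   ! placeholder NAC/RADIUS server
 key <radius-shared-secret>
aaa group server radius NAC-GROUP
 server name NAC-1
aaa authentication dot1x default group NAC-GROUP
aaa authorization network default group NAC-GROUP
aaa accounting dot1x default start-stop group NAC-GROUP
dot1x system-auth-control
!
! --- Access port: phone in the voice domain, PC in the data domain, each authenticated ---
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 authentication host-mode multi-domain   ! one device in the data domain, one in the voice domain
 authentication order dot1x mab          ! 802.1X first, MAB fallback for phones without a supplicant
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
!
! --- Encrypting secrets in the configuration file ---
! Weak: "service password-encryption" applies only reversible type-7 obfuscation to
! plain-text passwords (line passwords, legacy keys). Keep it, but do not rely on it.
service password-encryption
!
! Stronger: a master key enables AES (type 6) encryption of pre-shared keys and other
! secrets that must stay reversible, and "secret" stores hashed rather than encoded passwords.
key config-key password-encrypt <master-key>
password encryption aes
enable secret <strong-enable-secret>
username fallback-admin privilege 15 secret <strong-local-password>
!
! Verification (exec mode):
! show authentication sessions interface GigabitEthernet1/0/10
! show dot1x interface GigabitEthernet1/0/10 details
! show running-config | include ^username|^enable
```

Multi-domain host mode is what makes the voice VLAN separation hold under 802.1X: the phone and the PC authenticate independently, and a second device appearing in the data domain triggers a violation instead of silently sharing the phone's session.<br />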
1-28<br />
<strong>Medianet</strong> <strong>Reference</strong> <strong>Guide</strong><br />
OL-22201-01