Assignment 2 Task C

Security Protection options (layered defenses).

Name: STP Protection
Tech. Specifications: 1. BPDU Guard. 2. Root Guard (put interfaces into untrusted mode).
Description of Security Protection: 1. Prevent a switch port from receiving and trusting BPDU messages. 2. Prevent a switch port from trusting a new Root Bridge's superior BPDUs. In either case, the port is put into the ErrDisable state.
Notes: Enable it on the switch ports that face the open environment.

Name: SPAN and RSPAN
Tech. Specifications: Monitored traffic, SPAN or RSPAN source port: you can monitor source ports or VLANs for traffic in one or both directions.
Description of Security Protection: SPAN copies traffic from one or more source ports in any VLAN, or from one or more VLANs, to a destination port for analysis. RSPAN enables remote monitoring of multiple switches across your network.
Notes: Monitor packets received by the VLAN before any modification or processing is performed by the switch.

Name: TACACS+ or RADIUS for AAA implementation
Tech. Specifications: Controlling who can log in to a network device console, telnet session, secure shell (SSH) session, or other method.
Description of Security Protection: Designed to enable authentication and authorization per user or per service. After logging into a system, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands.
Notes: Implement an AAA server across the network.

Name: SSH
Tech. Specifications: Ensure confidentiality by using secure protocols. Communication between the client and server is encrypted using SSH.
Description of Security Protection: The user authentication mechanisms supported for SSH are RADIUS, TACACS+ and locally stored user names and passwords. SSH allows strong encryption to be used with the Cisco IOS software authentication.
Notes: Enable encrypted connections to a Cisco router.

Name: Port security and port access
Tech. Specifications: Disable unused access lines. Implement exec-timeouts. Assign a management port for authorized users. Propagate the authorized network.
Description of Security Protection: Configuring basic router port security. OOB can deliver serial console access, primarily for internetworking devices such as switches, firewalls, load balancers and routers.
Notes: Implement dedicated management interfaces and secure port interfaces.

Name: PVST
Tech. Specifications: PVST maintains a spanning tree instance for each VLAN configured in the network.
Description of Security Protection: Having a separate instance of STP per VLAN makes the network more resilient to attacks against spanning tree. If a problem occurs in one VLAN, the effects are contained in that VLAN, shielding the rest of the network.
Notes: Use PVST to reduce the scope of possible damage.

Name: Trunking
Tech. Specifications: A trunk port can have two or more VLANs configured on the interface; it can carry traffic for several VLANs simultaneously.
Description of Security Protection: The trunking feature can easily be abused to set up an illegitimate trunk. Dynamic trunking should be disabled on all ports connecting to end users.
Notes: Disable dynamic VLAN configuration on user ports, use MD5 instead, and use a dedicated VLAN ID for all trunk ports.

Name: DMZ
Tech. Specifications: A sub-network that is behind the firewall but that is open to the public. By placing your public services on a DMZ, you can add an additional layer of security to the LAN.
Description of Security Protection: The interface that sits between a trusted network segment and an untrusted network segment, providing physical isolation between the two networks enforced by a series of connectivity rules within the firewall.
Notes: Isolate all unknown Internet requests to the servers on the DMZ and no longer allow them into your internal network.
Assignment 2 Task D
Service High Availability

Name: Internet Multihoming
Tech. Specifications: 1. Failover (in case one ISP connection is down). 2. Load balancing (utilize multiple routes to forward packets from and to the Internet).
Description of HA: Connecting to two ISPs to avoid a single point of failure.
Notes: There are four Internet Multihoming options for design consideration. (See P. 155)

Name: Redundant connections
Tech. Specifications: Redundant connections to the core for fastest convergence and to avoid black holes. Redundant LAN by installing two switches and making them the default gateway.
Description of HA: Redundant connections eliminate network downtime caused by a single point of failure and enhance reliability.

Name: QoS
Tech. Specifications: Prioritization of mission-critical network traffic. You can use QoS to reduce the priority of unwanted traffic.
Description of HA: Access switches require QoS for appropriate trust policies, marking policies and queuing policies.

Name: Triangle Topologies
Tech. Specifications: For layer 3, build triangles, not squares, for deterministic convergence.
Description of HA: If a device goes down, the network has to rely on flooding of updates before it can converge. Using a triangle, there are already dual paths, so losing one won't affect convergence, and the other route is already in the FIB so traffic can keep flowing.

Name: Spanning-tree protocol
Tech. Specifications: STP lets the network deterministically block interfaces and provide a loop-free topology in a network with redundant links.

Name: Link aggregation
Tech. Specifications: EtherChannel implementation that uses Port Aggregation Protocol (PAgP) and the IEEE 802.3ad standard Link Aggregation Control Protocol (LACP).
Description of HA: Making multiple physical connections to switch units act as a single logical link.
Notes: You can have ports on standby using LACP (not available with PAgP); the switch with the highest LACP priority controls the EtherChannel and chooses which ports should be in the bundle based on port priority or port number.

Name: Stateful NAT
Tech. Specifications: Allows two or more NATs to function as a translation group.
Description of HA: One member of the translation group handles traffic requiring translation of IP address information while informing the backup translator of active flows as they occur.
Notes: If the active translator is hindered by a critical failure, the traffic can rapidly be switched to the backup.
Assignment 2 Task E
Edge System Policies

Name: NAT for Internet Access
Tech. Specifications: 1. Static NAT or PAT for Internet servers access. 2. Dynamic PAT for clients.
Description of the policy: 1. Static NAT or PAT for Internet servers access (helping Internet users to address the services). 2. Dynamic PAT (helping HQ local users to access the Internet).
Notes: NAT policies make the Internet accessible for local clients, and also help to prevent servers' IP traceability from Internet hackers and attackers.

Name: Wired Security
Tech. Specifications: Secure device access by limiting accessible ports, requiring authentication for access, specifying policy for permitted actions and proper logging of events.
Description of the policy: Disable Telnet and HTTP; allow SSH and HTTPS. Make use of MD5 authentication. Enable NetFlow and NTP.
Notes: Enforce proper basic security configurations on edge systems.

Name: Remote Access VPN
Tech. Specifications: Implemented SSL or IPsec VPN with access clients.
Description of the policy: Provide secure access to remote workers.
Notes: Access control policies may also be enforced to limit access to only the necessary resources and according to the user's role.

Name: DMZ
Tech. Specifications: DMZ by restricting incoming access to the public services and by limiting outbound access from DMZ resources out to the Internet.
Description of the policy: Firewalls provide stateful access control and deep packet inspection.
Notes: These firewalls are configured to enforce access policies and keep track of connection status to protect the network.

Name: Border router
Tech. Specifications: The border router routes traffic between the organization's network and the Internet. Primarily to protect inside devices.
Description of the policy: This is the first line of defense against external attacks.
Notes: The border router will be configured to block the most obvious traffic and forward the rest to their respective point devices inside the enterprise DMZ.
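As an added example that is not part of the assignment, the following Python audit checks a running-config against the Task C switch-port defenses (BPDU Guard, no dynamic trunking, port security, exec-timeouts, SSH-only vty access) and the Task E Wired Security policy (Telnet and plain HTTP disabled). The sample config, the interface names and the required-command list are assumptions constructed for this example.

```python
# Constructed sample running-config (not taken from the assignment): one access port hardened
# as Task C describes, one at defaults, and a management plane still allowing Telnet and HTTP.
SAMPLE_CONFIG = """\
ip http server
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
"""
ACCESS_PORT_REQUIRED = (  # every user-facing port: no DTP, port security, BPDU Guard
    "switchport mode access", "switchport nonegotiate",
    "switchport port-security", "spanning-tree bpduguard enable")

def parse_sections(config):
    """Group an IOS config into {'global': [...], 'interface X': [...], 'line vty ...': [...]}."""
    sections, header = {"global": []}, "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            header = "global"                   # '!' closes the current block
        elif raw.startswith(" "):
            sections[header].append(line)       # indented: belongs to the open block
        else:                                   # non-indented: block header or global command
            header = line if line.startswith(("interface ", "line ")) else "global"
            sections.setdefault(header, [])
            if header == "global":
                sections["global"].append(line)
    return sections

def audit_config(config):
    """Return (section, finding) pairs for each layered defense the config is missing."""
    findings, sections = [], parse_sections(config)
    for header, lines in sections.items():
        if header.startswith("interface "):
            findings += [(header, f"missing '{req}'") for req in ACCESS_PORT_REQUIRED if req not in lines]
        elif header.startswith("line vty"):
            if "transport input ssh" not in lines:
                findings.append((header, "Telnet permitted; set 'transport input ssh'"))
            if not any(t.startswith("exec-timeout") and t != "exec-timeout 0 0" for t in lines):
                findings.append((header, "no idle exec-timeout"))
    if "ip http server" in sections["global"]:
        findings.append(("global", "plain HTTP enabled; use 'ip http secure-server' only"))
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports the two vty weaknesses, the four missing commands on the unhardened port and the plain-HTTP server; a config with those fixed returns no findings.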