Home > Articles > Security Through Network Fundamentals

Security Through Network Fundamentals

Contents

  1. Introduction to Network Security
  2. Segmentation
  3. Micro Segmentation
  4. Secure Network Access
  5. Security Features
  6. Continuous Monitoring
  7. Summary
  8. Additional Resources

Chapter Description

In this sample chapter from Practical Cisco Unified Communications Security, you will explore the dependencies that Unified Communications (UC) systems have on a network while also highlighting the security features that can be implemented to provide additional security to the UC environment.

From the Book

Practical Cisco Unified Communications Security

$69.99

In this chapter, we discuss the dependencies that Unified Communications (UC) systems have on the network while also highlighting the security features that can be implemented to provide additional security to the UC environment. In its most simple form, a network’s purpose is to help connect things. In the case of most organizations, these things include personal computers, printers, phones, and mobile devices. To enhance a network’s capabilities, various features can be enabled to help simplify the user experience. In this case, there must be a balance to make sure that the process of how the different types of devices connect to the network is not oversimplified. Otherwise, it is security that is often left out.

A sophisticated attacker understands how an organization’s critical services are built and also understands how to leverage weaknesses in the architecture to launch attacks. While implementing various protocols and features, Cisco provides many enhancements that can be beneficial to network security as well as Unified Communications security. By the end of this chapter, you should have an increased understanding of how the network can be used to safeguard against the most common threats used against the various protocols that exist within a Unified Communications environment. This chapter also provides a fundamental approach for increasing the amount of security on the network to protect against common threats and different types of attacks.

WORKING WITH ACME’S NETWORK TEAM

A recent network audit has determined that ACME has failed to maintain compliance with the Mechanized Equipment Specifications and Standards. ACME leadership considers this a serious issue. If the company is unable to resolve network issues in 90 days, it could be penalized financially, and it could possibly lose some of its existing customers to competitors.

ACME’s Chief Operating Officer (COO), Dr. Nicholas Fury, has invited all of the IT leaders to a series of meetings to determine the options that they can take to gain compliance to industry standards in a short and operationally effective way. Dr. Fury has also invited leaders from business units to a series of meetings to develop a list of requirements and priorities so that the IT leaders can develop a strategy for modernization efforts that will help business units increase sales and productivity to meet ACME’s growth targets. Business unit leadership wants to take advantage of this opportunity by deploying additional security solutions that would allow the company to collaborate with business partners and integrators in a secure fashion.

Network leadership seems to be interested in implementing both network virtualization and network access control solutions to improve the ability to segment the network and strengthen the security at the edge of the network. Fortunately, several members from the UC team have a network background and have established good working relationships with the network and data center teams, so they are willing to work together if doing so means getting back into compliance in a more streamlined fashion.

ACME’s newly hired UC administrator, Anthony Starke, is responsible for articulating the network requirements for the UC environment and making recommendations to get back into compliance. Anthony is a bit overwhelmed with this challenge because he does not have a lot of real-world experience with network security, so he has scheduled a series of planning meetings with the network team to collect details about the proposed security enhancements. Anthony believes that this will help him understand which security enhancements are being proposed, allow him to recommend specific features for ACME’s UC environment, and develop a better relationship with the network team members.

After an interview with the manager of the network team, Anthony has discovered that not only has ACME failed a recent network audit but that ACME’s network was hacked. As part of the network audit, ACME decided to hire a team of penetration testers to discover how much security the network had in place. One of the penetration testers was able to gain access to the network through MAC address spoofing. According to the reports, a MAC address was obtained from the IP phone located in the lobby of the building. After changing the MAC address of his laptop, unplugging the IP phone, and plugging his laptop into the same network port, the penetration tester had access to the entire voice VLAN.

According to network team members, they had only recently implemented Cisco Identity Service Engine (ISE), so they were in the initial stages of deploying 802.1x to a portion of ACME’s network. To make sure that the UC environment was functional, they temporarily decided to use MAC Authentication Bypass (MAB) until they were ready to roll out 802.1x for the UC environment. Anthony has been asked to prepare a briefing that helps the network team understand how to further prevent MAC spoofing attacks and to provide a status update for which IP phones support 802.1x, what methods can be used to support 802.1x, and where IP phones are located across ACME’s network.

Informally, Anthony is wondering whether MAC spoofing attacks will continue to be a risk that he needs to worry about until he can get funding to replace the older IP phones. In the meantime, he decides to go back to his UC team to figure out what challenges he should expect to encounter when ACME’s IP phones will use 802.1x authentication to join the network.

Questions that you should ask:

  1. 1. What network security is currently in place to protect the UC environment?

  2. 2. What network features help increase the availability of the UC environment?

  3. 3. What mechanisms exist to provide continuous monitoring of the network?

  4. 4. What authentication and authorization policies are in place for UC endpoints?

Introduction to Network Security

After physical security, the second layer of defense for the UC infrastructure is the network. Following the Open Systems Interconnection (OSI) model, the various layers include Data Link, Network, and Transport. To best secure connectivity across these layers, experts have traditionally recommended use of defense-in-depth principles. The recommendation is no different when securing UC applications inside an organization. Cisco recommends that security be implemented at the edge of the network, starting at the access layer. From the access layer, organizations can continue to extend security into the distribution layer or layer on additional security features across the rest of the network and at the network perimeter. When the system is secured properly, organizations can seamlessly and securely connect to services in a cloud environment or allow remote teleworkers to connect to local resources. We address these topics in more detail in Chapters 11, “Securing the Edge,” and 12, “Securing Cloud and Hybrid Cloud Services.”

Using the access layer as a starting point for implementing security allows organizations to minimize the attack surface without encroaching on the availability of the UC applications, which reside in the data center. A methodology and practical approach for implementing security in the network for UC involves a three-step approach that involves

  1. 1. Segmentation (logical)

  2. 2. Secure network access

  3. 3. Security features

This security approach enables an organization to secure the environment while maintaining optimal performance. The idea is to develop a modular approach, which allows for the addition of security anywhere in the network while minimizing complexity and not interfering with operations. Extending security into the rest of the network is based on the existing network architecture and which types of network devices are used to support the different layers in the network, such as in the distribution layer, and also the devices used to support server infrastructure, which typically resides in the data center.

2. Segmentation | Next Section
vceplus-200-125    | boson-200-125    | training-cissp    | actualtests-cissp    | techexams-cissp    | gratisexams-300-075    | pearsonitcertification-210-260    | examsboost-210-260    | examsforall-210-260    | dumps4free-210-260    | reddit-210-260    | cisexams-352-001    | itexamfox-352-001    | passguaranteed-352-001    | passeasily-352-001    | freeccnastudyguide-200-120    | gocertify-200-120    | passcerty-200-120    | certifyguide-70-980    | dumpscollection-70-980    | examcollection-70-534    | cbtnuggets-210-065    | examfiles-400-051    | passitdump-400-051    | pearsonitcertification-70-462    | anderseide-70-347    | thomas-70-533    | research-1V0-605    | topix-102-400    | certdepot-EX200    | pearsonit-640-916    | itproguru-70-533    | reddit-100-105    | channel9-70-346    | anderseide-70-346    | theiia-IIA-CIA-PART3    | certificationHP-hp0-s41    | pearsonitcertification-640-916    | anderMicrosoft-70-534    | cathMicrosoft-70-462    | examcollection-cca-500    | techexams-gcih    | mslearn-70-346    | measureup-70-486    | pass4sure-hp0-s41    | iiba-640-916    | itsecurity-sscp    | cbtnuggets-300-320    | blogged-70-486    | pass4sure-IIA-CIA-PART1    | cbtnuggets-100-101    | developerhandbook-70-486    | lpicisco-101    | mylearn-1V0-605    | tomsitpro-cism    | gnosis-101    | channel9Mic-70-534    | ipass-IIA-CIA-PART1    | forcerts-70-417    | tests-sy0-401    | ipasstheciaexam-IIA-CIA-PART3    | mostcisco-300-135    | buildazure-70-533    | cloudera-cca-500    | pdf4cert-2v0-621    | f5cisco-101    | gocertify-1z0-062    | quora-640-916    | micrcosoft-70-480    | brain2pass-70-417    | examcompass-sy0-401    | global-EX200    | iassc-ICGB    | vceplus-300-115    | quizlet-810-403    | cbtnuggets-70-697    | educationOracle-1Z0-434    | channel9-70-534    | officialcerts-400-051    | examsboost-IIA-CIA-PART1    | networktut-300-135    | teststarter-300-206    | pluralsight-70-486    | coding-70-486    | freeccna-100-101    | digitaltut-300-101    | iiba-CBAP    | virtuallymikebrown-640-916    | isaca-cism    | whizlabs-pmp    | techexams-70-980    | ciscopress-300-115    | techtarget-cism    | pearsonitcertification-300-070    | testking-2v0-621    | isacaNew-cism    | simplilearn-pmi-rmp    | simplilearn-pmp    | educationOracle-1z0-809    | education-1z0-809    | teachertube-1Z0-434    | villanovau-CBAP    | quora-300-206    | certifyguide-300-208    | cbtnuggets-100-105    | flydumps-70-417    | gratisexams-1V0-605    | ituonline-1z0-062    | techexams-cas-002    | simplilearn-70-534    | pluralsight-70-697    | theiia-IIA-CIA-PART1    | itexamtips-400-051    | pearsonitcertification-EX200    | pluralsight-70-480    | learn-hp0-s42    | giac-gpen    | mindhub-102-400    | coursesmsu-CBAP    | examsforall-2v0-621    | developerhandbook-70-487    | root-EX200    | coderanch-1z0-809    | getfreedumps-1z0-062    | comptia-cas-002    | quora-1z0-809    | boson-300-135    | killtest-2v0-621    | learncia-IIA-CIA-PART3    | computer-gcih    | universitycloudera-cca-500    | itexamrun-70-410    | certificationHPv2-hp0-s41    | certskills-100-105    | skipitnow-70-417    | gocertify-sy0-401    | prep4sure-70-417    | simplilearn-cisa    |
http://www.pmsas.pr.gov.br/wp-content/    | http://www.pmsas.pr.gov.br/wp-content/    |