Cisco Blogs


Cisco Blog > Perspectives

DMZ Basics

Lately I made the change from deep technical consultant to a more high-level architect like kind of consultant. I now do my work on the turning point between business and technique. One of my first jobs is to make my customer ready for an audit to use the dutch official authentication method, which is called DigID.

There are several requirements, which have to be fulfilled before the customer can make use of the DigID authentication method. One of these requirements is that all the internet facing systems are placed in a DMZ. I tried to explain the importance of a well functioning DMZ. For us as network specialists this fact is obvious, but a lot of people don’t understand the meaning and working of a DMZ. This blog is about the essentials of which a DMZ has to consist.

First we need to understand what we are trying to achieve with a DMZ
• Separation and identification of network areas
• Separation and isolation of internet facing systems
• Separation of routing and security policies

After understanding the achievements, there is another point of interest. Are you gonna build your DMZ with dedicated switches, firewall’s and ESX hosts (physical) or do u use a separate vlan (virtual). There is no clear answer; fact is that bigger organizations build physical DMZ’s more often than smaller ones. Besides the technical aspect, there is off course a financial aspect. Resulting out of the physical/virtual debate comes the debate whether to use two physical firewalls or one physical firewall with several logical interfaces. Equally to the physical/virtual debate there is not just one answer.

For me personally one physical firewall with several logical interfaces with tight configured ACL’s is as good as two physical firewalls. One could dispute this with the argument that if a hacker gains access to one firewall he gains access to the whole network. Personally I don’t think this isn’t a valid argument, because when two physical firewalls are used they are often from the same vendor and use the same firmware with the same bugs and exploits. So if the hacker’s trick works on one firewall, it will often also work on the second one.

Some images to make the above a little more concrete.

A single firewall DMZ:

DMZ Basics

Read More »

Tags: , , , ,

Security for an Application-Centric World

Organizations are migrating to the cloud because it dramatically reduces IT costs as we make much more efficient use of resources (either ours or by leveraging some cloud provider’s resources at optimal times). When done right, cloud also increases business agility because applications and new capacity can be spun up quickly on demand (on-premises or off), network and services configurations can be updated automatically to suit the changing needs of the applications, and, with enough bacon, unicorns can fly and the IT staff can get home at a reasonable hour.

Whenever you ask a CIO-type at any of these organizations what’s holding them back from all this cloud goodness, though, more often than not the answer has something to do with security: “Don’t trust the cloud…”, “Don’t trust the other guy in the cloud…”, “Cloud’s not compliant…”.  You have to be something of a control freak to be a CIO/CISO these days, and, well, isn’t “cloud” all about giving up some control, after all (in return for efficiency and agility)?

Even if you overcome your control issues and you find a cloud you can trust (even if it’s your own private cloud – we can take baby steps here…), if we are going to achieve our instant on-demand application deployment, network provisioning and cost-efficient workload placement process, it turns out all the security stuff can throw another obstacle in our way. Cloud security isn’t like old-fashioned data center security where you could just put a huge firewall in front of the data center and call it good. For secure multi-tenancy and a secure cloud overall, virtually every workload (or “every virtual workload”?) needs to be secured from every other (except for the exceptions we want to make). Some folks call this “microsegmentation”, a fancy word for an old concept, but, a fundamental requirement that cloud deployments need to address. (Spoiler alert: ACI does this very well.) Read More »

Tags: , , ,

Application Centric Infrastructure (ACI) Includes Strong Ecosystem for Security and Network Services

partnersWhen Cisco designed the concept of an Application Centric Infrastructure, we knew it wouldn’t reach its full potential without drawing in a very comprehensive ecosystem in a number of areas. Perhaps the most impressive aspect of our announcement was the breadth, quality and scope of the data center infrastructure vendors that we aligned so quickly with our ACI vision and that contributed their perspectives to the launch, and will be contributing key solutions to Cisco’s infrastructure-wide vision.

Yesterday, I blogged about the role of application controllers, network monitoring solutions, WAN optimization, firewalls, etc. have in setting up application networks, provisioning applications, and how the ACI policy model incorporates these security and services solutions. I wanted to follow up that post with some highlights from the support we received from some of our ACI ecosystem vendors in this area, that incorporate ACI policy support into their security, application delivery controller, load balancing and other solutions.

Read More »

Tags: , , , , , , ,

How Cisco IT Delivers Teleworker Services

What does it actually take to enable the 89 percent of Cisco employees who do at least some of their work remotely? For Cisco IT, this challenge means supporting products and services on both sides of the connection: in the teleworker’s home (and on their mobile devices) and in the Cisco corporate network.

Cisco Teleworkers Solutions in Employee Homes

We currently support three solutions to meet the teleworking needs of our mobile and remote employees:

  • Cisco AnyConnect Secure Mobility Client: Installed on the employee’s laptop or mobile device, this software client provides a secure VPN connection to the Cisco network. It is available to any Cisco employee and we currently support 30,000 users.
  • Cisco OfficeExtend: This solution includes a wireless access point that secures connectivity for the employee’s laptop and Cisco Unified IP Phone 9971 over a home network while reducing congestion, wireless interference, and security risks from other devices. We use this solution primarily for contact center agents, contractors, and employees who don’t require the HD-quality video of Cisco TelePresence for their work.
  • Cisco Virtual Office: This solution uses a Cisco 881 Integrated Services Router in the home to connect an employee’s laptop and Cisco Unified IP Phone 9971 to the Cisco network over an encrypted VPN. It also delivers HD video for the Cisco Jabber Video for TelePresence client or a separate Cisco EX 90 personal video endpoint. Cisco Virtual Office is used by employees who telework extensively and we currently support over 26,000 users.

The diagram below shows how these solutions connect to the Cisco network via the employee’s residential broadband Internet access service.

Read More »

Tags: , , , , ,

Bring Your Own Margarita (I Mean Device) – Architectures, Design, and Operation

Mobility allows the expansion of Information Technology (IT) resources and application availability at anytime, anywhere, and in any possible way. Historically, many thought that “the movement” of bring your own device (BYOD) was simply a marketing tactic. However, BYOD is definitely a reality that has become crucial when trying to improve efficiency in the workplace.

Every single day a new mobile gadget is released to the market (for example, tablets, mobile phones, and many other mobile systems) and we all live in a connected world 24 hours a day 7 days a week. All these devices and social applications are introducing many security risks for enterprises and public sector organizations. These risks include threats of data theft, not only with very sophisticated attacks, but also with incidents as simple as just stealing mobile devices. Many of these devices can contain private and corporate information.

The question now is, how can we provide the benefits of  improving user productivity and flexibility without compromising network security? The Cisco AnyConnect Secure Mobility client and the Cisco ASA 5500 Adaptive Security Appliances allow users to connect to their corporate network from any device based on comprehensive secure access policies. The Cisco AnyConnect Secure Mobility Client can work in conjunction with the Cisco IronPort Web security appliances and provides integration with ScanSafe.

Read More »

Tags: , , , , , ,