Lately I made the change from deep technical consultant to a more high-level architect like kind of consultant. I now do my work on the turning point between business and technique. One of my first jobs is to make my customer ready for an audit to use the dutch official authentication method, which is called DigID.
There are several requirements, which have to be fulfilled before the customer can make use of the DigID authentication method. One of these requirements is that all the internet facing systems are placed in a DMZ. I tried to explain the importance of a well functioning DMZ. For us as network specialists this fact is obvious, but a lot of people don’t understand the meaning and working of a DMZ. This blog is about the essentials of which a DMZ has to consist.
First we need to understand what we are trying to achieve with a DMZ
• Separation and identification of network areas
• Separation and isolation of internet facing systems
• Separation of routing and security policies
After understanding the achievements, there is another point of interest. Are you gonna build your DMZ with dedicated switches, firewall’s and ESX hosts (physical) or do u use a separate vlan (virtual). There is no clear answer; fact is that bigger organizations build physical DMZ’s more often than smaller ones. Besides the technical aspect, there is off course a financial aspect. Resulting out of the physical/virtual debate comes the debate whether to use two physical firewalls or one physical firewall with several logical interfaces. Equally to the physical/virtual debate there is not just one answer.
For me personally one physical firewall with several logical interfaces with tight configured ACL’s is as good as two physical firewalls. One could dispute this with the argument that if a hacker gains access to one firewall he gains access to the whole network. Personally I don’t think this isn’t a valid argument, because when two physical firewalls are used they are often from the same vendor and use the same firmware with the same bugs and exploits. So if the hacker’s trick works on one firewall, it will often also work on the second one.
Some images to make the above a little more concrete.
A single firewall DMZ:
Read More »
Tags: #ciscochampion, ACL, Cisco ASA, DMZ, firewall
Security is hot topic on everyone’s mind and for IT it is a constant challenge to stay ahead of the latest threats and vulnerabilities that their organizations face on a daily basis. Take a quick look at the news and it won’t take you long to find an article talking about the latest cyber attack that resulted in the leak of personal data. So what can organizations and more specifically IT teams do to protect themselves from threats and vulnerabilities. Personally I don’t think you can protect yourselves from all threats and vulnerabilities. Cyber threats will continue to exist and cyber criminals will continue to develop increasingly sophisticated attacks to evade even the most robust security barriers. Even if you were to isolate your network from the internet an intruder could overcome your physical security and launch an attack from within your organization.
So what can you do to protect yourself? I view security as a way to reduce your exposure to threats and you should at a minimum make sure you have the appropriate security measures in place to reduce your exposure to threats and vulnerabilities. While you may never be able to stay one step ahead of cyber attacks you should be in a position to detects threats and be able to mitigate them as fast as possible to reduce your exposure.
Read More »
Tags: Advanced Malware Protection, AMP, Cloud web security, CWS, DMVPN, firewall, IDS, IPS, ISR 4000, ISR4k, IWAN, routers, security
Cisco ASA with FirePOWER Services has redefined the next-generation firewall (NGFW) as an adaptive, threat-focused platform, delivering superior, multi-layered protection, unparalleled visibility, and reduced security costs and complexity.
This innovative new solution addresses three strategic imperatives—being visibility-driven, threat focused, and platform-based. In this post, we will examine the necessity of a foundation of full contextual awareness and visibility—to see everything in an environment, detect multi-vector threats and eliminate the visibility gaps in traditional defenses comprised of disparate point technologies that sophisticated attackers exploit.
In an aptly titled recent post from Joseph O’Laughlin, “You Cannot Protect What You Can’t See,” he discusses why visibility (and subsequent control) into only applications and users is no longer enough to protect today’s dynamic environments and outlines how visibility into the network enables better network protection. This core concept of visibility into the network is at the heart of Cisco ASA with FirePOWER Services (and our Next-Generation Intrusion Prevention Systems too) that sets it apart from all other network security competitors. Read More »
Tags: ASA, FirePOWER, firewall, indicators of compromise, next generation firewall, NGFW, security
Cisco is a strong proponent for shifting the mindset regarding the capabilities a Next-Generation Firewall (NGFW) must provide to stay relevant in a world that is dealing with dynamic threats. While nothing is technically wrong with legacy NGFWs, much is wrong with their approach.
To meet current and future needs, a NGFW must now provide full visibility and contextual awareness across applications, hosts, and the network, address dynamic threats, quickly correlate and identify multi-vector threats and deliver the dynamic controls organizations now require to combat advanced threats. It must do all of this while reducing complexity. These capabilities are crucial for enabling continuous protection across the attack continuum—before, during and after an attack.
Read More »
Tags: ASA, elektra, firewall, next generation firewall, NGFW, security
It’s always been important to remote workers to have a solution that provides both secure connectivity to their corporate network and simple user experience.With the recent Summer Blockbuster release of the Cisco Wireless Release 8.0, using the OfficeExtend 600 Series Access Points (OEAP-600) just got better. Here are a few of the enhancements that come to OEAP-600 with Release 8.0:
- Firewall for personal networking – Provides port/application protection for personal network traffic that can be controlled by the end user. While the corporate firewall is protecting your corporate data traffic, you now have the capability to make your personal network traffic more secure also with this feature.
- Split-tunnel for Internet traffic – Enables corporate clients to reach the Internet directly through the WAN instead of tunneling the data traffic through the corporate network. Provides the IT administrator the flexibility to configure the level of split-tunnel capability needed for their network. Together with the existing Split-tunnel for Printer feature the OEAP-600 provides maximum flexibility for printing and managing data traffic between the remote & corporate office.
- QOS Enhancements for Voice traffic – Assigns high priority for voice packets for remote workers using the OEAP-600 and a VOIP solution in their home or remote office to enhance the remote workers voice call experience. Read More »
Tags: access point, admin, administrator, business, call, Cisco, client, connection, corporate, data, employee, End User, enhancement, experience, firewall, flex-work, flexible, internet, ip, IT, Manage, network, office, OfficeExtend, phone, QoS, quality, release 8.0, remote, remote worker, secure, security, services, solution, split-tunnel, telephony, teleworker, traffic, Voice, voice packets, vpn, WAN, wi-fi, wifi, wireless, WLC, workforce