A wide-area network (WAN) is a network that covers a geographical area that is larger than what a LAN covers and that can span states, provinces, countries, or even the world.
A WAN can span a very large geographical area, whereas a metropolitan-area network (MAN) is a midsize network that can span an area the size of a city. Local-area networks (LANs) are smaller than either WANs or MANs and are restricted to a single building, a group of buildings, or even a single room. WANs are often composed of MANs or LANs.
A centralized WAN, sometimes referred to as a "hub and spoke" network, consists of a central computer or network plus other computers or networks that are connected to it. WAN connections are typically slower than LAN connections.
A distributed WAN consists of interconnected computers in many locations and is commonly called an "enterprise WAN." A network that links corporate
Different WAN designs meet different network needs. Three typical WAN designs include
leased-line WAN,
Frame Relay WAN, and
Asynchronous Transfer Mode (ATM) WAN.
Traditionally, enterprises have used leased lines to connect remote sites, creating a private WAN. A leased-line WAN has several disadvantages. Leased-line private networks are costly. Additionally, leased lines do not scale well and cannot be changed easily as business bandwidth needs change.
Many organizations consider Frame Relay an alternative to leased lines because it is efficient and flexible, and it can be more cost-effective than leased lines. In fact, it requires fewer WAN links overall.
Asynchronous Transfer Mode (ATM) is a WAN technology that supports real-time data, voice, and video. Major Internet service providers (ISPs), telecom carriers, and large private enterprises with mission-critical backbones deploy ATM because of its inherent quality of service (QoS) features, which enable these different traffic types to be handled concurrently over the same WAN medium.
The backbone is the part of a network that handles the major traffic. It employs the highest-speed transmission paths in the network and may also run the longest distance. Smaller networks are attached to the backbone. The edge is the part of a network that is located on the periphery of a centralized network and that feeds the central network. Edge devices are the connective devices between component networks.
Some WAN components create a network backbone, while others are edge or access devices. WANs are typically composed of routers and switches that link campuses and remote offices, but WANs may also use other edge devices that are specific to WAN environments, including access servers and gateways.
A router is a device that determines the optimal path along which network traffic should be forwarded. Routers forward packets from one network to another based on Internet Protocol (IP) addresses. Smaller enterprise or branch office WANs use routers on the edges, as do Internet service providers (ISPs) in their outlying Internet data centers. ISPs also use routers in the backbone of the WAN to transport data to the appropriate edge devices.
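As an added illustration (not code from this page or from Cisco), the longest-prefix-match lookup that a router performs when it forwards on destination IP address, written in Python. The prefixes, interface names and next hops are hypothetical. The last function adds the check an edge router should also make: strict unicast reverse-path forwarding (uRPF), which drops packets whose source address is not reachable back through the interface they arrived on. IOS supports uRPF as a feature; this is an independent implementation of the idea, not Cisco's.

```python
import ipaddress

# Hypothetical routing table (constructed for this example): prefix, egress interface, next hop.
ROUTES = [
    ("10.0.0.0/8",     "GigabitEthernet0/1", "10.1.1.1"),       # campus LAN side
    ("10.20.0.0/16",   "Serial0/0",          "192.0.2.1"),      # branch office over the WAN
    ("192.168.5.0/24", "GigabitEthernet0/2", "192.168.5.254"),  # local server segment
    ("0.0.0.0/0",      "Serial0/1",          "198.51.100.1"),   # default route toward the ISP
]


def build_table(routes):
    """Turn the text table into parsed networks so matching is a cheap containment test."""
    return [(ipaddress.ip_network(prefix), iface, ipaddress.ip_address(nh))
            for prefix, iface, nh in routes]


TABLE = build_table(ROUTES)


def lookup(dst, table=TABLE):
    """Longest-prefix match: of all routes that contain dst, pick the most specific one.
    Returns (network, interface, next_hop), or None when nothing (not even a default) matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, nh in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return best


def forward(dst, table=TABLE):
    """What the router does with a packet for dst: forward out an interface, or drop (None)."""
    match = lookup(dst, table)
    if match is None:
        return None  # no route: the packet is dropped
    net, iface, nh = match
    return (str(net), iface, str(nh))


def passes_strict_urpf(src, ingress_iface, table=TABLE):
    """Strict uRPF: accept a packet only if the best route back to its source address
    points out the interface the packet arrived on. This drops spoofed sources (for
    example a branch address showing up on the campus port), but it also breaks
    asymmetric routing, so it belongs on edge interfaces rather than in the core."""
    match = lookup(src, table)
    return match is not None and match[1] == ingress_iface
```

Note that with a default route present, strict uRPF on the ISP-facing interface accepts any source, which is why providers usually apply it on customer-facing edges where the expected source prefixes are known.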
When used in a WAN, a switch is an intelligent backbone device that connects routers that are positioned at the edges of the network. Switches that are used in WANs are typically high-end devices that Internet service providers use.
Access servers and gateways are similar edge devices that act as entry and exit points to a network. Access servers typically function as concentration points for dial-in and dial-out connections. Gateways perform protocol conversion between different types of networks or can act as a go-between for two or more networks that use the same protocols.
Access server capabilities:
Network entry and exit points
concentration points for dial-in and dial-out connection
Gateway capabilities:
Network entry and exit points
protocol conversion between different types of networks
go-between for two or more networks that use the same protocols
Cisco offers several router products for companies with Frame Relay networks. Typically, smaller remote sites can use Cisco routers from the 1800, 2800, and 3800 series, depending on the number of users that require service at each site. Larger offices need the Cisco 7000 Series higher-end routers. Cisco routers for WANs work in tandem with Cisco Internetwork Operating System (IOS) software for a variety of capabilities, including quality of service (QoS).
Cisco high-end routers for large enterprises include the 10000 Series. The 10000 Series supports Frame Relay, ATM, and leased lines in a single platform, allowing customers to provide multiple types of services to end users without having to maintain multiple edge devices
The Cisco 12000 Series is the premier high-end routing platform for service-provider backbone and edge applications that supports DS3 for Frame Relay.
The Cisco 7600 Series Router delivers robust, high-performance IP/Multiprotocol Label Switching (MPLS) features for service provider edge applications. The Cisco 7600 Series provides integrated Ethernet, private line, and subscriber aggregation capabilities.
The Cisco 10000 Series is the only edge router in the industry that delivers consistent, high performance features for carriers deploying IP/MPLS services to broadband and private line customers.
The Cisco Carrier Routing System (CRS-1) is the first carrier routing system in the industry that offers continuous system operation, unprecedented service flexibility, and system longevity for IP next-generation network service provider backbones.
Cisco offers a router solution for every customer application, from the 1800, 2800, and 3800 series for branch office networks, to the 7000 Series for enterprise networks, to the high-end 10000 and 12000 series and CRS-1 for ISP networks.
Internet service providers use Cisco AS5400 and AS5850 access servers and universal gateways to connect their customers to integrated services and to the Internet. Together with these devices, the Cisco Any Service, Any Port (ASAP) solution allows service providers to offer bundled data, voice, fax, and mobile wireless services to customers at a competitive price and still make a profit.
It is important for account managers to recognize how WANs can benefit customers. Consider the networking needs of a new and growing Internet hosting company with Internet data centers in North America,
Consider a midsize enterprise organization that is migrating to a converged network for its intranet to save costs and address user needs for voice, video, and data. The enterprise consists of a headquarters location and three branch offices that must communicate with one another using voice, video, and data and that must connect to the Internet over the PSTN.
IP Telephony
Designers at a manufacturing firm in
A company that develops computerized control systems for manufacturing processes has engineers at three service centers to help customers install and maintain the software. The traditional system currently routes all calls to a single agent who creates a trouble report and then attempts to identify the engineer who is best qualified to help resolve the problem. The company wants to streamline the phone system to reduce customer wait times and improve employee productivity.
Traditionally, organizations have used separate voice and data networks for their communications needs. These separate networks require separate staffs to maintain them, were not designed to allow easy mobility, and do not always take full advantage of more sophisticated applications, such as call routing. IP telephony over a converged network provides a solution for all of these needs.
Throughout the world today there are essentially two types of networks: voice networks and data networks. Traditional voice networks often use analog telephones that connect to the public switched telephone network (PSTN). These voice traffic networks are circuit-switched systems that provide a single dedicated path through the network. Data transfer rates are constant to ensure that signals remain intact, without pauses or lost segments.
Data networks connect computers and use packet-switched systems. Data packets may follow multiple paths through the network to get to the destination. Because each packet contains the IP addresses that identify the source and the destination, network devices such as routers know where to send the packets. Because data does not need to arrive at a constant rate (a lost packet can simply be retransmitted), data transfer rates are variable. The Internet is the largest packet-switched network.
Many organizations today still maintain two separate networks. Telephones connect to switching equipment such as a private branch exchange (PBX), which the company owns or leases, or Centrex, which the telephone company owns. Switching equipment provides telephone features such as voice messaging, call transfers, and call forwarding, and also connects the company to the public switched telephone network (PSTN).
Most organizations also have local-area networks (LANs) for their data networks. These LANs are connected to routers that are connected to wide-area networks (WANs). LANs and individual computers at other locations are also connected to the WAN. The Internet is a public WAN. Many organizations also have private WANs called intranets.
Organizations want to converge their separate voice and data networks into a single network for several reasons. This single network is easier to maintain and simpler to manage, scales easily to include new users, and can be upgraded to handle new, sophisticated applications that handle voice and data communications. Designed from the ground up for converged network environments, IP telephony can dramatically enhance communications flexibility and effectiveness.
IP telephony uses IP addressing to enable two-way transmission of voice traffic over a packet-switched TCP/IP network. The voice itself is normally carried in Real-time Transport Protocol (RTP) packets over UDP, which does not retransmit lost packets, while call signaling may run over TCP.
IP networks typically handle data traffic that does not need to arrive within a specified time frame. Also, if a data packet is lost, it is simply retransmitted. However, packets that carry telephone conversations over IP networks should arrive quickly and sequentially, and with no lost data. Quality of service (QoS) ensures that voice packets are given priority throughout the network so that conversations arrive intact.
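To make the QoS point concrete, here is an added simulation (not code from the page or from Cisco) of a single outbound link that transmits one packet per tick, first as a plain FIFO and then with a strict-priority queue for packets marked DSCP 46 (Expedited Forwarding, the standard marking for voice). The traffic mix is constructed: a burst of ten data packets and two voice packets competing for the link.

```python
from collections import deque

EF = 46  # DSCP Expedited Forwarding: the standard per-hop behaviour used for voice


def build_sample_packets():
    """Constructed traffic: ten data packets all arriving at tick 0, plus a voice packet
    at tick 0 and another at tick 5. Each packet is (arrival_tick, dscp, packet_id)."""
    pkts = [(0, 0, f"data{i}") for i in range(10)]
    pkts += [(0, EF, "voice1"), (5, EF, "voice2")]
    return pkts


def schedule(packets, prioritize_voice):
    """Simulate a link that sends one packet per tick.
    With prioritize_voice, EF packets go to a strict-priority queue that is always
    drained before the data queue; otherwise everything shares one FIFO.
    Returns {packet_id: queueing delay in ticks}."""
    pending = sorted(packets, key=lambda p: p[0])   # stable sort by arrival tick
    voice, data = deque(), deque()
    delays, tick, i = {}, 0, 0
    while i < len(pending) or voice or data:
        while i < len(pending) and pending[i][0] <= tick:   # enqueue everything that has arrived
            arrival, dscp, pid = pending[i]
            q = voice if prioritize_voice and dscp == EF else data
            q.append((arrival, pid))
            i += 1
        q = voice if voice else data                         # strict priority: voice first
        if q:
            arrival, pid = q.popleft()
            delays[pid] = tick - arrival
        tick += 1
    return delays


def max_delay(prioritize_voice, prefix):
    """Worst queueing delay seen by packets whose id starts with prefix ('voice' or 'data')."""
    delays = schedule(build_sample_packets(), prioritize_voice)
    return max(d for pid, d in delays.items() if pid.startswith(prefix))
```

In the FIFO case the first voice packet waits behind the whole data burst (10 ticks); with the priority queue both voice packets leave immediately and the data burst absorbs the delay. Two caveats a practitioner would add: a real scheduler such as Cisco Low Latency Queueing polices the priority class so that a flood of EF-marked packets cannot starve data, and DSCP markings from untrusted ports should be rewritten at the access edge, since otherwise any host can mark its traffic EF and jump the queue.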
Some enterprises choose to implement a converged network methodically to leverage an existing infrastructure and become familiar with the new technology. For example, a company may install several IP telephones and call management hardware and software that interface with its PBX to explore the benefits of IP telephony - which include easier network management; reduced toll charges; and simplified moves, adds, and changes - without radically changing its existing network.
A complete IP telephony solution consists of hardware and software elements that fit into four categories: clients, which are end-user devices such as IP telephones; infrastructure, which includes switches, routers, and other network devices; call management, which is the hardware and software that provide standard telephony call processing; and voice applications, which provide advanced call handling, such as IP-based audioconferencing.
Cisco client device offerings include the Cisco IP Phone 7900 Series that supports traditional telephone functions and specialized IP telephony functions. The Cisco IP SoftPhone is a Windows-based application for the PC that allows additional functions, including the integration of contact directories and a drag-and-drop interface for conference calling.
Cisco offers a wide range of scalable hardware to support IP telephony functions in the network infrastructure. The Catalyst 3560 for small office/branch office applications and the Catalyst 6500 Series modular, multilayer switches for enterprise applications connect IP clients to the network. Call-processing software that resides in a 7800 Series Media Convergence Server (MCS) is a primary call-handling solution for enterprise networks.
At the edge of an IP telephony infrastructure are Cisco voice gateways that connect analog devices to an IP network. For example, the Cisco VG248 Analog Phone Gateway and the Analog Telephone Adapter 180 Series connect traditional communication systems - including voice mail, analog telephones, and fax machines - to an IP network
Many other Cisco infrastructure devices, such as the 1700 Series through 7200 Series routers, offer gateway capabilities. When installed in Cisco routers, Cisco voice interface modules and high-density voice modules give enterprises the ability to directly connect their traditional telephony equipment to the IP network.
Cisco CallManager is the component of an IP telephony solution that provides standard call processing such as signaling and connection services for Cisco IP phones and softphones. CallManager also includes applications that support services such as voice mail and audioconferencing. The CallManager application is installed on a network server.
Cisco CallManager Express is a feature of Cisco IOS software that provides call processing for up to 240 Cisco IP phones. Cisco CallManager Express allows customers to scale IP telephony to a small site or branch office with a feature-rich solution that is very simple to deploy, administer, and maintain. It also supports centralized and decentralized deployments.
Survivable Remote Site Telephony (SRST) is an emergency planning feature for enterprise networks that allows IP phones at remote sites to continue to function in the event of a central CallManager server shutdown or a WAN failure. SRST enables Cisco 1800, 2800, 3800, and 7200 routers at remote sites to temporarily assume the CallManager role to enable basic IP telephony functions, including calls to the backup connection through the PSTN.
In addition to the suite of integrated voice applications that are included in CallManager, Cisco offers a variety of interoperable, network-based voice applications that allow network operators to expand IP telephony functions on the network. For example, Cisco MeetingPlace (CMP) is an IP-based audioconferencing solution that provides a web-based interface for meeting participants and increased security for sensitive discussions.
The Cisco IP Contact Center (IPCC) Enterprise Edition is an integrated solution that enables companies to rapidly deploy a distributed contact center. The software segments customers, monitors resource availability, and delivers each contact to the most appropriate resource anywhere in the enterprise. The IPCC offers a clear migration strategy from traditional time-division multiplexing (TDM) automated call distribution (ACD) deployments by allowing customers to leverage their current investment and migrate to IP at their own pace.
Cisco IPCC Express Edition meets the needs of departmental, enterprise branch, or small- to medium-size companies planning to deploy an entry-level or mid-market contact center solution. IPCC Express integrates into Cisco CallManager and delivers sophisticated call routing, contact management, and administration features. Cisco IPCC Express offers ease of installation, configuration, and application hosting, and can support up to 200 agents and 72 supervisor positions.
Cisco Unity is a Unified Communications Solution that helps enterprises improve customer service and productivity by allowing employees to manage messages and calls from anywhere, at anytime, regardless of access device or media type. Cisco Unity integrates with desktop applications such as Microsoft Outlook and Lotus Notes.
Cisco Unity Express is a network module for the Cisco 2600XM, 2691, 2800, 3700, and 3800 series access routers. This module provides integrated, entry-level voice mail and automated attendant services for the branch office. Operating under Cisco CallManager or CallManager Express control and interworking with Cisco Unity, it offers a cost-effective voice-mail solution for up to 100 users working in an enterprise small branch office or in a small business with one or more locations.
Account managers must recognize how Cisco IP Telephony solutions can benefit their customers. For example, a fast-growing mortgage company currently routes calls to its global customer service centers over the PSTN, which is a cumbersome and expensive process. The company wants to streamline operations, improve customer service, and increase the number of transactions without adding new facilities or staff.
A large steel manufacturer with headquarters in
Security and VPN
Disgruntled employees at a consulting firm have attempted to access confidential human resources (HR) and payroll records, sometimes with success. The company needs to find a way to block unauthorized internal users who might attempt to access and exploit sensitive data.
An architectural firm that is based in
Both companies could benefit from forms of network security. The consulting firm could mitigate internal security threats by implementing internal firewalls and installing access control servers. Should an unauthorized user get past the firewall, the access control server would refuse to authenticate the user and would record the attempts to access secure data. For the architectural firm, virtual private networking offers a cost-effective solution for protecting sensitive data in transit.
Network security refers to steps that are taken to protect network resources and services from unauthorized actions. These actions include modifying or destroying data, stealing or disclosing proprietary information, and disrupting normal network operations. Network security is a necessity, not an option. Damage that results from a security breach can be extensive. In addition to recovery costs, unprotected organizations risk legal liability, lost revenue, and lost customer confidence.
Possible security breaches:
destruction of data
information theft
network disruption
Damage that security breaches cause:
recovery costs
legal liability
lost revenue
reduced customer confidence
In addition to protecting networks against possible threats, businesses also need secure and cost-effective ways to provide external users access to network resources. A Virtual Private Network (VPN) creates an encrypted tunnel through a shared public network infrastructure, such as the Internet, to provide a secure connection between remote users and a private network.
Internal users without authorized access to certain network resources may launch network attacks. An external attacker who is taking advantage of a vulnerability in the network may also launch an attack. In either case, threats to network security take three common forms:
network service attacks,
data theft and interception,
software-based viruses and worms
The most common form of network service attack is denial of service (DoS). DoS occurs when a string of unnecessary commands or requests is sent to a network device with the intent of removing the device from service. For example, an attacker may create and launch a utility that floods a network router with unnecessary requests that require a response, until the router is too busy to respond. A DoS attack effectively shuts down the router and disrupts the flow of network traffic.
Distributed denial of service (DDoS) attacks paralyze Internet systems by overwhelming servers, network links, and network devices (routers, firewalls, etc.) with bogus traffic. As with a DoS attack, a DDoS attack attempts to render a network unavailable to legitimate users, but the traffic originates from many locations or devices at once, which makes it far harder to block at a single point. DDoS attacks succeed because they are launched from previously compromised hosts, and they have become more frequent, with Internet gaming and auction websites among the common targets.
A "virus" is typically a malicious program that is attached to an e-mail and is disguised to appear harmless. When activated, a virus infects the host machine before attaching itself to outgoing e-mail and attacking other unsuspecting recipients. A "worm" is a self-replicating program that spreads across the network on its own, without a user opening anything; it consumes memory, bandwidth, and processing capacity and slows down the systems it infects.
Data theft may be as basic as an intruder taking a file that contains confidential information for the purpose of using that information for profit or some other malicious purpose. Data may also be intercepted during transmission, allowing information to be viewed and possibly altered. A large percentage of data theft occurs from within an organization.
As the role of data networks has expanded, increasing amounts of information have been transmitted and stored on networks. The growth of e-business combined with an increased demand for flexible access to network resources has resulted in more money being spent on security. Industries such as healthcare and finance also face legal mandates for securing data. New threats emerge daily, so the demand for security solutions will continue to increase.
Even the most expensive equipment will not protect a network without an effective and applied security policy. For example, network users leave their computers unattended with screens showing sensitive information. They may also write passwords on notes attached to a computer or share a password with a coworker or office visitor. Regardless of the security systems that are in place, an effective and applied security policy is necessary to reduce the risk of attack.
Account managers should first make sure that customers actually apply their security policies. If an account manager sells a customer the security hardware and software it needs, that customer may still blame the account manager when the network goes down as a result of an attack, even if the attacker succeeded by stealing a password from an employee's desk.
Security is a strategy, not a product. There is no single device or solution that can protect networks against an ever-changing variety of security threats. Rather, it is a process of developing a policy, securing the network, monitoring network activities, testing for vulnerabilities, and making improvements as needed. When properly implemented, these five elements of a successful network security strategy create a single, integrated solution.
Because many network vulnerabilities can be traced to human error, ignorance, or indifference, developing a clear and consistent set of policy guidelines is at the core of a network security strategy. Applying an effective security policy requires a balance between protecting the network without interfering with the ability of users to carry out tasks. Developing a security policy could involve establishing passwords and determining which users have which authorizations.
After a security policy is in place, the next step is to implement barriers around the network that serve as both physical and virtual protections against possible threats. Security barriers include
firewalls,
authentication products,
access-control products,
tunneling and encryption techniques that support VPN connections for remote network users.
A "firewall" is software or a device with software that enforces a security policy at network gateways by blocking unwanted connections and content. Firewalls can protect a network from both external threats and internal threats.
Authentication refers to products that validate the identity of users who connect to the network, much like a code entry system or a passport.
Access control products limit the availability of network resources by defining the access privileges of authorized users. Access control software can be used with devices such as a firewall, a router, or an access control server (ACS). An Access Control List (ACL) is an ordered set of rules associated with the protected device or resource that defines the permissions that users, groups, or devices have for accessing it; on a router, an ACL is evaluated top to bottom, the first matching entry decides, and anything that matches no entry is denied.
Virtual Private Network (VPN) tunneling protocols create virtual connections between remote users and a private network. There are two types of VPNs: site-to-site VPN for connecting multiple users at one site to another site, and remote-access VPN for connecting a single remote user. Encryption protects the confidentiality of the data that passes through these tunnels.
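As an added example (not code from this page or from Cisco), a small evaluator for router ACLs written in the Cisco IOS extended-ACL syntax, with first-match semantics and the implicit deny at the end. The two ACLs are constructed with hypothetical addresses: ACL 101 expresses a sensible policy, and ACL 102 shows the classic ordering mistake where a blanket permit placed first makes the deny below it dead. The shadow check at the end is the review a practitioner would run on any ACL before deploying it.

```python
import ipaddress

# Constructed sample ACLs in Cisco IOS extended-ACL syntax (hypothetical addresses).
# ACL 101: allow HTTPS to one web server and DNS to one resolver; deny everything else.
ACL_101 = """
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.5 eq 443
access-list 101 permit udp any host 10.2.0.53 eq 53
access-list 101 deny ip any any log
"""

# ACL 102: a common mistake. The blanket permit comes first, so the deny below it can
# never match, and Telnet to the server stays open despite the intent.
ACL_102 = """
access-list 102 permit ip any any
access-list 102 deny tcp any host 10.2.0.5 eq 23
"""

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'.
    Returns (network_bits, fixed_bits_mask, remaining_tokens). In a Cisco wildcard
    mask a 1 bit means 'do not care', so the bits that must match are its complement."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), ALL_ONES, tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    fixed = ~int(ipaddress.IPv4Address(tokens[1])) & ALL_ONES
    return net & fixed, fixed, tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] ...' lines, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, src_fixed, rest = _parse_addr(t[4:])
        dst, dst_fixed, rest = _parse_addr(rest)
        # only 'eq PORT' on the destination is modelled; trailing keywords such as 'log' are ignored
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append({"action": action, "proto": proto, "src": (src, src_fixed),
                      "dst": (dst, dst_fixed), "port": port, "text": line.strip()})
    return rules


def _addr_matches(addr, spec):
    net, fixed = spec
    return (int(ipaddress.IPv4Address(addr)) & fixed) == net


def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins; a packet that matches nothing hits the implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if not _addr_matches(src, r["src"]) or not _addr_matches(dst, r["dst"]):
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return r["action"]
    return "deny"


def _covers(outer, inner):
    """True if every address matched by the inner spec is also matched by the outer one."""
    net_o, fixed_o = outer
    net_i, fixed_i = inner
    return (fixed_o & fixed_i) == fixed_o and (net_i & fixed_o) == net_o


def shadowed_rules(rules):
    """Return the text of rules that can never match because an earlier rule already
    covers every packet they would match. These almost always signal a mistake."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and _covers(earlier["src"], later["src"])
                    and _covers(earlier["dst"], later["dst"])
                    and earlier["port"] in (None, later["port"])):
                shadowed.append(later["text"])
                break
    return shadowed
```

The shadow check is deliberately conservative: it only reports a rule when a single earlier rule covers it completely, so a rule hidden by the union of several earlier rules would still need a human review.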
When network security has been established, the next step is to deploy products that enable continuous monitoring of the activities within the network. Intrusion detection systems scan the network and sound the alarm upon discovery of potential policy violations. For example, the system might detect a potential intruder who has made several failed password attempts.
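The detection logic behind two of the examples in this text, the flooding described under denial of service above and the repeated failed password attempts mentioned here, comes down to the same primitive: count events per key inside a time window and alert when a threshold is crossed. The block below is an added example (not code from the page or from Cisco) that runs that logic over constructed log lines in a simplified key=value format, which is not any vendor's real syslog. It also separates a DoS from a DDoS by the number of distinct sources in the offending window, since that decides whether blocking at the edge is enough.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log lines (simplified 'TIMESTAMP key=value ...' format, not a real
    vendor format): benign traffic to one server, a single-source flood against a
    second, a flood from twenty compromised hosts against a third, and failed logins."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(5):                                   # benign: 5 requests over a minute
        lines.append(f"{(base + timedelta(seconds=12 * i)).isoformat()} type=request src=198.51.100.{i + 1} dst=192.0.2.30")
    for i in range(60):                                  # DoS: 60 requests in 6 s from one host
        lines.append(f"{(base + timedelta(milliseconds=100 * i)).isoformat()} type=request src=203.0.113.7 dst=192.0.2.10")
    for i in range(80):                                  # DDoS: 80 requests in 8 s from 20 hosts
        lines.append(f"{(base + timedelta(milliseconds=100 * i)).isoformat()} type=request src=203.0.113.{100 + i % 20} dst=192.0.2.20")
    for i in range(6):                                   # brute force: 6 failures in 25 s
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} type=auth_fail user=alice src=203.0.113.9")
    for i in range(2):                                   # a mistyped password or two: no alert
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} type=auth_fail user=bob src=203.0.113.8")
    return "\n".join(lines)


def parse(text):
    """Turn each line into a dict of fields with a parsed 'ts' datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def _first_window_over(items, window_s, threshold):
    """items: chronologically sorted (timestamp, payload) pairs. Slide a window of
    window_s seconds over them and return the first slice holding >= threshold items."""
    start = 0
    for end in range(len(items)):
        while (items[end][0] - items[start][0]).total_seconds() > window_s:
            start += 1
        if end - start + 1 >= threshold:
            return items[start:end + 1]
    return None


def flood_alerts(events, window_s=10, threshold=50, many_sources=5):
    """Per destination: alert when request volume crosses the threshold inside the window.
    Few distinct sources -> DoS (one attacker, can be blocked at the edge);
    many distinct sources -> DDoS (compromised hosts, needs upstream filtering or scrubbing)."""
    by_dst = defaultdict(list)
    for e in events:
        if e.get("type") == "request":
            by_dst[e["dst"]].append((e["ts"], e["src"]))
    alerts = {}
    for dst, reqs in by_dst.items():
        hit = _first_window_over(sorted(reqs), window_s, threshold)
        if hit:
            sources = {src for _, src in hit}
            kind = "DDoS" if len(sources) >= many_sources else "DoS"
            alerts[dst] = (kind, len(hit), len(sources))
    return alerts


def failed_login_alerts(events, window_s=60, threshold=5):
    """Per user: the 'several failed password attempts' pattern from the text."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("type") == "auth_fail":
            by_user[e["user"]].append((e["ts"], e["src"]))
    alerts = {}
    for user, fails in by_user.items():
        hit = _first_window_over(sorted(fails), window_s, threshold)
        if hit:
            alerts[user] = len(hit)
    return alerts
```

The thresholds are illustrative; in practice they are tuned from a baseline of the customer's normal traffic, and the per-user failed-login rule is usually paired with a per-source rule so that password spraying (one attempt against many users) is not missed.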
Routinely testing network security systems is the best way to evaluate the effectiveness of overall protections and to identify new vulnerabilities. Testing provides an opportunity to experiment with the strategies that attackers use and to see the potential impact of such attacks. There are two primary methods for testing network security systems: using software to scan for vulnerabilities and using consultants to stage intrusions that identify security holes.
In addition to analyzing test results and log reports that devices within a network generate, information that has been obtained from actual attacks should be routinely examined to determine ways to improve network protections. Possible improvements that result from analysis include new countermeasures, updated training, or refinements to existing security policies.
The Cisco security strategy allows organizations to increase their productivity by letting them take advantage of all that networking technology offers in a safe and secure manner. This approach provides the three critical requirements for securing the productivity of an organization:
collaboration between IP networking and security technologies;
flexible, customizable deployment;
comprehensive coverage.
Point products serve as a good incubator for cutting edge security technologies, but as those technologies mature, they should be integrated throughout the network fabric. Building network security based solely on single-purpose appliances is no longer practical. Because of this, Cisco has developed several different phases of its Self-Defending Network security strategy.
Cisco security strategy:
Integrated security
Collaborative security systems
Adaptive threat defense
The technology components of Adaptive Threat Defense (ATD) are considered the building blocks that get "converged" into new services with new applications:
firewall (FW),
Cisco Intrusion Prevention System (IPS),
network intelligence
These components offer a new class of services that can be integrated throughout the network fabric.
To counter the evolving threats, organizations can deploy three basic security technologies within an integrated security system. These technologies include
secure connectivity, which protects traffic as it travels across untrusted domains such as the Internet;
threat defense, which defends against both known and unknown threats;
identity and trust management, which grants access rights to network and computing resources and provides a management system that provides configuration and control of all elements of the security system while providing event analysis and monitoring.
Only Cisco can offer comprehensive, end-to-end solutions that address the needs of the customer. Common security concerns of a customer include
confidentiality,
integrity,
availability
Some of the key networking issues facing organizations today include simplification and cost reduction, application and service optimization, and most importantly security. Not only are customers looking for ways to resolve their pain points with security threats, theft, loss, and response time, but they are also looking for solutions that will align to their business goals.
Cisco offers the broadest security portfolio in the industry, with a comprehensive range of security services and flexible deployment that provides complete security coverage for the corporation. Customers will be equipped with management and analysis tools that can report on and validate threats, create network-wide and device-level security policies, and configure and manage one or thousands of security devices. The security devices that make up the infrastructure are protected and secured against attack. Cisco also offers supporting services that help customers design, deploy, configure, and manage security.
Cisco network security solutions
The Cisco SAFE Blueprint is an in-depth guide for determining the security requirements of all networks, regardless of size or capacity. Cisco SAFE meets various needs throughout the security cycle. It focuses on threats that are anticipated for various types of network architectures and identifies the Cisco products and services that can best mitigate those threats. The result is a layered approach where the failure of one security system is not likely to result in network resources being compromised.
The Cisco VPN/Security Management Solution (VMS) provides powerful software tools that allow customers to centrally manage their network security policies. Centralized control eliminates the costly and time-consuming practice of implementing security commands on a device-by-device basis. VMS also supports the management of VPN connections
Cisco offers a wide variety of scalable products that can be deployed as barriers to secure the network for small, medium, and enterprise-level networks. Network security products include software-based and hardware-based firewalls, firewall services modules, and access control servers with built-in authentication services.
Cisco PIX 500 Series firewalls are dedicated, hardware-based solutions for any size network. They were specifically designed for content filtering and other gateway security functions. The Cisco Firewall Services Module (FWSM) for Catalyst 6500 switches is a line card based on Cisco PIX Firewall technology that offers large enterprises and service providers the same security and reliability as the PIX family of firewall devices.
The Cisco IOS Firewall is a software-based solution, which, when installed on any Cisco IOS-capable router, offers an alternative to firewall devices. Smaller customers may opt to use the Cisco IOS Firewall solution with a router for a single device that serves multiple purposes.
When describing the value of a Cisco IOS Firewall to a customer, remember to stress how IOS Firewall builds on the Cisco IOS technology heritage. It is an integrated security solution that provides embedded intrusion prevention and spans the entire Cisco router family. It provides a low total cost of ownership (TCO) by using the customer's installed Cisco equipment more securely. Its ubiquitous network security presence means it can be positioned at the network perimeter and at aggregation points.
Integrated security solution
Enables intrusion prevention
Spans the entire Cisco router family
Low TCO (total cost of ownership)
Uses currently installed Cisco equipment more securely
Ubiquitous network security presence
Positioned at the network perimeter and aggregation points
The Cisco Integrated Services Routers leverage the intelligence of the Cisco router. They offer a compelling combination of proven security software functionality and hardware that is designed to run security services as part of its standard operations. The Cisco Integrated Services Routers support trust and identity management, network infrastructure protection, secure connectivity, and threat defense.
Working in concert with Cisco Guard DDoS mitigation appliances, Cisco Traffic Anomaly Detectors detect the presence of a potential DDoS attack, divert traffic destined for the targeted device, and identify and block malicious traffic in real time, without affecting the flow of legitimate, mission-critical transactions. As a result, business operations of targeted organizations continue running, even while under attack, ensuring critical corporate assets are always protected.
Cisco Network Admission Control (NAC) is a unique approach to preventing vulnerable and non-compliant hosts from impacting enterprise resilience, and it enables customers to leverage their existing network and infrastructure. There are four components of the NAC system: endpoint security software and the Cisco Trust Agent, network access devices, a policy server, and a management system.
Cisco Clean Access is an easily deployed software solution that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access your network. It identifies whether networked devices such as laptops, personal digital assistants, and even game consoles comply with the customer's network security policies, and it repairs any vulnerabilities before permitting access to the network.
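The admission decision that NAC and Clean Access make (assess the endpoint's posture, quarantine and remediate non-compliant hosts, permit only compliant ones) can be illustrated with a small policy evaluator. This is an added example written for this page, not Cisco code; the policy thresholds, hotfix identifiers, network segment names and endpoint reports are all constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class PosturePolicy:
    """Hypothetical admission policy; thresholds are constructed for the example."""
    min_av_signature_date: date
    required_hotfixes: FrozenSet[str]
    require_host_firewall: bool = True


@dataclass(frozen=True)
class PostureReport:
    """What the endpoint agent would report about a host (constructed data)."""
    host: str
    agent_present: bool
    av_signature_date: Optional[date] = None
    installed_hotfixes: FrozenSet[str] = frozenset()
    host_firewall_on: bool = False


def evaluate_posture(report: PostureReport, policy: PosturePolicy) -> Tuple[str, str, List[str]]:
    """Return (decision, network assignment, reasons).

    Hosts without an agent cannot be assessed and get guest-only access; hosts
    failing any check are quarantined on a remediation segment; only fully
    compliant hosts are permitted. Segment names are placeholders.
    """
    if not report.agent_present:
        return "guest", "guest-segment", ["no posture agent: compliance cannot be assessed"]
    failures = []
    if report.av_signature_date is None or report.av_signature_date < policy.min_av_signature_date:
        failures.append("antivirus signatures missing or older than policy minimum")
    missing = policy.required_hotfixes - report.installed_hotfixes
    if missing:
        failures.append("missing required hotfixes: " + ", ".join(sorted(missing)))
    if policy.require_host_firewall and not report.host_firewall_on:
        failures.append("host firewall disabled")
    if failures:
        return "quarantine", "remediation-segment", failures
    return "permit", "access-segment", []


POLICY = PosturePolicy(date(2024, 1, 15), frozenset({"HF-101", "HF-102"}))

# Constructed endpoint reports: one compliant laptop, one stale laptop, one agentless device.
REPORTS = [
    PostureReport("laptop-01", True, date(2024, 2, 1), frozenset({"HF-101", "HF-102"}), True),
    PostureReport("laptop-02", True, date(2023, 12, 1), frozenset({"HF-101"}), False),
    PostureReport("console-01", False),
]


def admission_decisions(reports=REPORTS, policy=POLICY):
    """Evaluate every report against the policy; keyed by host name."""
    return {r.host: evaluate_posture(r, policy) for r in reports}


if __name__ == "__main__":
    for host, (decision, segment, reasons) in admission_decisions().items():
        print(f"{host}: {decision} -> {segment} {reasons}")
```

The point of returning the reasons alongside the decision is that a quarantined host can be told exactly what to remediate before it is re-evaluated, which is the "clean before permitting access" step the text describes.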
Cisco Secure ACS is a software-based user access control solution that offers centralized command and control for all user authentication, authorization, and accounting. Cisco Secure ACS distributes controls to all access gateways in a network and manages and administers user access for Cisco IOS routers, VPNs, and firewalls.
Cisco offers a variety of network-based and host-based security monitoring solutions. A network-based intrusion prevention system (IPS) monitors activity on an entire network segment, whereas a host-based IPS resides on an individual end-user device.
Over time, intrusion detection systems (IDS) have evolved into intrusion prevention systems (IPS). An IDS can detect many types of network attacks but has limited ability to prevent them from succeeding, whereas an IPS provides a broader range of detection and mitigation techniques.
IDS | IPS
Reports events | Stops events
Promiscuous mode (inspects a copy of the traffic) | In-line (traffic passes through the sensor)
Sees data from multiple sensors | Sees only the data flowing through the IPS
Event data management with forensic capabilities | Limited data management
Alerts on attacks that pass through | Provides an increased level of protection against attacks compared to a simple stateful packet firewall
Constant alerts of possible attacks | Limited user interaction required
Does not affect network performance | Adds latency to network traffic
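The promiscuous-versus-in-line distinction in the table is easiest to see in code: the same signature matcher is run once as a passive observer that can only record alerts, and once in the forwarding path where a match drops the packet. This is an added example for this page, not Cisco sensor code; the packets and the two signatures are constructed for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed sample traffic; not captured packets.
SAMPLE_TRAFFIC = [
    Packet("10.1.1.10", "10.2.2.20", b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("10.1.1.11", "10.2.2.20", b"GET /item?id=1 UNION SELECT card_no FROM cards HTTP/1.1\r\n"),
    Packet("10.1.1.12", "10.2.2.20", b"GET /images/logo.png HTTP/1.1\r\n"),
    Packet("10.1.1.13", "10.2.2.20", b"GET /../../../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.1.1.14", "10.2.2.20", b"POST /checkout HTTP/1.1\r\nContent-Length: 0\r\n\r\n"),
]

# Toy signature set standing in for a sensor's signature database.
SIGNATURES = {
    "sql-injection": re.compile(rb"\bUNION\s+SELECT\b", re.IGNORECASE),
    "path-traversal": re.compile(rb"(\.\./){2,}"),
}


def match_signatures(packet):
    """Names of all signatures that fire on this packet's payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(packet.payload)]


def ids_promiscuous(traffic):
    """IDS mode: the sensor sees a copy of the traffic (SPAN port or tap).

    Every packet reaches its destination regardless of what the sensor finds;
    the alert list it returns is a forensic record, not a block.
    """
    delivered, alerts = [], []
    for pkt in traffic:
        delivered.append(pkt)  # the forwarding path never depends on the sensor
        for sig in match_signatures(pkt):
            alerts.append({"signature": sig, "src": pkt.src, "dst": pkt.dst,
                           "payload": pkt.payload})  # full payload kept for investigation
    return delivered, alerts


def ips_inline(traffic):
    """IPS mode: the sensor sits in the forwarding path.

    Each packet is inspected before it is forwarded; a match means it is dropped
    and never reaches the destination. Inspection is paid on every packet, which
    is the added latency the table refers to.
    """
    delivered, dropped = [], []
    for pkt in traffic:
        hits = match_signatures(pkt)
        if hits:
            dropped.append({"signature": hits[0], "src": pkt.src, "dst": pkt.dst})
        else:
            delivered.append(pkt)
    return delivered, dropped


if __name__ == "__main__":
    seen, alerts = ids_promiscuous(SAMPLE_TRAFFIC)
    print(f"IDS: delivered {len(seen)} packets, raised {len(alerts)} alerts")
    fwd, drops = ips_inline(SAMPLE_TRAFFIC)
    print(f"IPS: delivered {len(fwd)} packets, dropped {len(drops)}")
```

Note that the IDS record keeps the full payload for investigation while the IPS record keeps only what it needs to justify the drop, which is the "forensic capabilities" versus "limited data management" row of the table in miniature.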
Cisco provides a variety of scalable, integrated solutions for the VPN platform, including VPN routers for site-to-site connections, VPN concentrators to connect individual remote users to offices, and the VPN Services Module for Catalyst 6500 Series switches.
CiscoWorks Security Information Management Solution (SIMS) collects, analyzes, and correlates security event data from across the enterprise. CiscoWorks SIMS helps identify and respond to more threats more effectively without adding staff.
Cisco Security Monitoring, Analysis and Response System (CS-MARS) enhances the management, monitoring, and mitigation capabilities of the Cisco portfolio of security products. CS-MARS transforms raw network and security data into actionable intelligence that is used to stop real security incidents and to maintain corporate compliance. It provides traditional security information management functions, including security event/log capture, consolidation, centralization, correlation, prioritization, visualization, investigation, escalation, and compliance reporting.
It is important for account managers to recognize how Cisco Security and VPN solutions can benefit customers. For example, a traditional retailer of custom car parts decides to start offering its customers online ordering. The car parts retailer requires scalability for future growth, and its customers will demand reliable performance for smooth and secure online shopping experiences. An integrated Cisco Network Security solution supports both requirements.
Business needs
a satisfying customer experience
scalability for future growth
maximum uptime to reduce lost sales and ensure customer satisfaction
Cisco solutions
firewalls
IPS
VPN
Management and encryption for secure financial transactions
A large accounting firm was recently attacked by an employee who wanted to sell information from confidential customer files. The recovery process was slow and difficult, resulting in a significant loss of productivity and competitive advantage. Rather than suggest a single-component solution such as an IDS, the account manager should position the benefits of a complete Cisco security strategy to prevent future attacks and to secure the enterprise.
Business needs: maintain productivity by minimizing network service disruption
Cisco solutions: a firewall and IPS are a quick fix, but the account manager should position the benefits of a complete Cisco security strategy to prevent future attacks and to secure the enterprise.
A growing financial consulting firm wins two large contracts and needs to increase its staffing immediately. Remote contractors need to access network resources. Clients need access to the corporate extranet. Three new branch offices are also seeking an efficient way to connect to the network.
Business needs:
Secure remote access
Worker mobility
Flexible access
Cisco solution: a choice of
VPN routers
VPN concentrators
VPN service module for 6500
Network Management
With smaller budgets and IT staffs, more complex networks, and an increased need for security, many organizations need a solution that will consolidate and automate common network management tasks. Network management software allows for the monitoring of active communications networks to diagnose problems and gather statistics for administration and "fine tuning."
Network management decisions most directly affect the operations staff of enterprise organizations. IT departments must cope with conflicting goals. One goal is to attempt to contain costs. Other goals are to plan for both a future of increased network design complexity and to meet the daily organizational demands of maintenance, operational support, and security. These goals are further complicated by the fact that multiple groups within the IT department are responsible for various portions of the converged network.
As network management becomes increasingly complex, operational staffs will find themselves continually adding and moving devices, configuring changes to software and hardware, and monitoring and troubleshooting problems with devices. A network management solution can automate these repetitive tasks, saving time and money and reducing the chances of network outage that human error causes.
When creating annual business plans, network administrators specifically consider long-term capacity planning and critical maintenance issues that affect customer satisfaction levels. A network management solution can assist with:
traffic management,
analysis of usage trends,
quick response to network alerts.
Organizations are increasingly challenged to enforce security policies and authenticate user access to the network. Security is particularly important if the organization hosts Virtual Private Networks (VPNs), engages in e-commerce, or has users who log on from global workstations or extranets. Network management helps to protect a network in these circumstances and also protects the network against hostile threats from the Internet.
The hospital system and the global enterprise will have to continue to resolve network problems and maintain their networks as they grow and change. However, each risks failure, frustration, lost time, and high costs if it continues to rely on manual methods of troubleshooting or accepts substandard reliability. Both organizations could implement a network management solution to recognize and diagnose problems, gather statistics for administration, update devices network wide, and use automation to increase efficiency and reduce human errors.
Basic network management concepts and components include:
Simple Network Management Protocol (SNMP),
Management Information Base (MIB),
Remote Monitoring (RMON),
Network Management System (NMS),
Network Management Console.
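SNMP is the protocol an NMS uses to read a MIB from a managed device, so it is worth seeing what one request looks like on the wire. The following is an added example written for this page (not Cisco or any NMS vendor's code): a minimal BER encoder for an SNMPv1/v2c GetRequest and a parser that pulls the version and community string back out of a message. The community string "public" and the target OID (sysDescr.0, 1.3.6.1.2.1.1.1.0) are the conventional example values, not anything taken from the page. The parser makes the practitioner's point: in v1 and v2c the community string is the credential and it travels in plain BER, so anyone who can sniff the management segment recovers it; SNMPv3 with authentication and privacy, plus an access list limiting which NMS may poll, is the corrected configuration.

```python
# Minimal SNMPv1/v2c GetRequest encoder and message parser (BER).
# Added example; not Cisco's code. Community and OID values are constructed.


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _integer(v: int) -> bytes:
    """ASN.1 INTEGER, minimal two's-complement encoding."""
    n = (v.bit_length() + 8) // 8  # +1 bit for the sign
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs fold into one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def snmp_get_request(community: str, oid: str, request_id: int = 1, version: int = 0) -> bytes:
    """Build a GetRequest; version 0 = SNMPv1, 1 = SNMPv2c. Returns the UDP payload."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")  # name + NULL value
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)  # GetRequest-PDU [0]
               + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def community_from_packet(packet: bytes):
    """Recover (version, community) from a v1/v2c message.

    Both fields are plain BER, so a passive observer on the wire obtains the
    credential without any cryptanalysis; this is why v1/v2c belong on an
    isolated management network at most, and v3 authPriv is preferred.
    """
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, _ = _read_tlv(msg, pos)
    return int.from_bytes(ver, "big", signed=True), comm.decode("ascii")


if __name__ == "__main__":
    pkt = snmp_get_request("public", "1.3.6.1.2.1.1.1.0")  # sysDescr.0
    print(pkt.hex())
    print(community_from_packet(pkt))
```

Sending `pkt` to UDP port 161 of an agent configured with that community would return a GetResponse carrying the device's sysDescr string; the example stays offline and only builds and parses the message.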
There are three types of network management:
device,
element,
enterprise
The CiscoWorks family of products provides solutions that are targeted at wide-area and local-area networks. Tools within CiscoWorks for large companies include the
Wireless LAN Solution Engine (WLSE),
IP Telephony Environment Monitor (ITEM),
LAN Management Solution (LMS),
Cisco Security Management for converged networks.
The CiscoWorks LAN Management Solution is the best-selling Cisco management application. It allows network managers to manage Cisco enterprise devices through a variety of tools, including
centralized real-time device management,
inventory management,
configuration change control,
fault monitoring,
performance monitoring,
traffic management,
device software management,
third-party application integration.
The CiscoWorks LMS meets the needs of IT departments that work with routed LANs, especially at the enterprise level and at branch offices. It supports their maintenance and security needs by
helping them monitor traffic,
troubleshoot performance "bottlenecks,"
authenticate user access, and configure use across network links.
The LMS solution comprises five applications:
Internetwork Performance Monitor (IPM),
Device Fault Manager (DFM),
Campus Manager,
Resource Manager Essentials (RME),
CiscoView
Cisco provides a suite of security management products that cover the four key functional areas.
Provisioning involves policy definition, configuration deployment, and enforcement for configuration compliance.
Monitoring involves collection, storage, viewing, and reporting on real-time security information from diverse sources.
Analysis involves intelligent translation and correlation of information into actionable events and recommendations.
Response provides automated actions to eliminate security threats.
The Cisco Security Management Portfolio includes three solutions:
CiscoWorks Virtual Private Network (VPN)/Security Management Suite (VMS),
Cisco Security Monitoring, Analysis and Response System (CS-MARS)
Cisco Security Auditor.
CiscoWorks ITEM monitors Cisco voice elements in the IP telephony network and alerts personnel to potential problems. ITEM provides real-time health monitoring, traffic simulation and fault notification, key network and application layers monitoring, and a centralized collection of performance and capacity data for device sources.
CiscoWorks WLSE is a centralized, systems-level solution for managing the entire Cisco Aironet WLAN infrastructure. It includes auto-configuration and radio frequency (RF) monitoring, and extensive security features, including the detection of unauthorized WLAN components such as rogue access points and ad-hoc networks.
It is important for account managers to recognize how network management applications can benefit customers. Consider the network management needs of a
Business needs:
reduced network downtime
reduced costs associated with network changes, problem diagnostic and maintenance
Cisco solutions: LMS Campus Manager and Resource Manager