Security Architecture
The Cisco Self-Defending Network

In today's environment, where Internet worms spread across the world in a matter of minutes or seconds, security systems must react instantly. A security system that is fully integrated into all aspects of the network can recognize potential suspicious activity, identify threats, react appropriately, isolate infections, and respond to attacks in a coordinated way.

The Cisco Self-Defending Network strategy allows organizations to use their existing investments in routing, switching, wireless, and security platforms to create a system that will help to identify, prevent, and adapt to both known and unknown security threats.

The strategy consists of three systems, or pillars, each with a specific purpose.

  • Secure Connectivity safely transports applications across different network environments.
  • Threat Defense protects against both known and unknown threats.
  • Trust and Identity Solutions supply the contextual identity required for entitlement and trust.

Secure Connectivity
Ensuring the privacy and integrity of all information is vital to businesses. As companies use the flexibility and cost effectiveness of the Internet to extend their networks to branch offices, telecommuters, customers, and partners, security is paramount. Not only must organizations protect external communications, but they must also help ensure that information transported across the internal wired and wireless infrastructure remains confidential. Similarly, companies must secure voice and video as they use their existing network infrastructure to provide new business-enhancing services.

The following solutions are included in Cisco Secure Connectivity:

  • Site-to-Site VPNs
  • Remote Access VPNs
  • Voice Security
  • Wireless Security
  • Solution Management and Monitoring

Threat Defense
The Cisco Threat Defense System brings together security solutions and intelligent networking technologies to identify and mitigate both known and unknown threats from inside and outside an organization. This systems-based approach protects the network through flexible, customizable deployment of security and network services.

The elements that comprise a threat-defense system include the following features and products:

  • Endpoint Security
  • Integrated Firewalls
  • Network Intrusion Prevention
  • Content Security
  • Intelligent Networking and Security Services
  • Management and Monitoring

Trust and Identity Solutions
Businesses need to effectively and securely manage who and what can access the network, as well as when, where, and how that access can occur. Cisco Trust and Identity Management Solutions can turn virtually every network device into an integral part of an overall security strategy.

Deploying a complete Trust and Identity Management solution lets enterprises secure network access and admission at any point in the network, and it isolates and controls infected or unpatched devices that attempt to access the network. Businesses can streamline the security management of remote network devices while taking full advantage of existing security and network investments.

With the Trust and Identity Management Solutions, the following essential security functions are provided:

  • Enforcement – Authenticates entities and determines access privileges based on policy.
  • Provisioning – Authorizes and controls network access, and pushes access policy enforcement to network devices using VLANs and access control lists (ACLs).
  • Monitoring – Accounting, auditing, and forensic tools allow administrators to track the who, what, when, where, and how of network activity.

The Cisco Trust and Identity Management technology comprises three solution categories:

  • Identity Management – Guarantees the identity and integrity of every entity on the network and applies appropriate access policy. Identity Management also secures the centralized management of remote devices and provides Authentication, Authorization, and Accounting (AAA) functionality across all network devices.
  • Identity Based Networking Services (IBNS) – Expands network security by using 802.1X to automatically identify users requesting network access and place them in a VLAN domain with the degree of access privilege that policy assigns. IBNS also prevents unauthorized network access through rogue wireless access points.
  • Network Admission Control (NAC) – Allows network access only to trusted endpoint devices that can verify their compliance with network security policies, such as having a current antivirus image, OS version, or patch update. NAC can permit, deny, or restrict network access for any device, and can quarantine and remediate non-compliant devices.
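The admission logic the IBNS and NAC bullets describe, as an added illustration that is not Cisco's code: an 802.1X identity selects the production VLAN, a posture check (antivirus currency, patch level) decides between permit and quarantine, and an unauthenticated or unknown identity is denied. The role names, VLAN numbers, thresholds and the remediation-server placeholder are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample policy (assumed values, not Cisco defaults).
ROLE_VLAN = {"employee": 10, "contractor": 20}   # identity -> production VLAN
QUARANTINE_VLAN = 999                            # VLAN used to isolate non-compliant devices
MIN_AV_SIGNATURE_DATE = "2024-01-01"             # "current antivirus" = signatures not older than this
MIN_PATCH_LEVEL = 5                              # required OS patch level


@dataclass
class Endpoint:
    authenticated: bool        # result of the 802.1X exchange
    role: str                  # identity returned by AAA (assumed attribute name)
    av_signature_date: str     # ISO date of the antivirus signature set
    patch_level: int           # installed OS patch level


@dataclass
class Decision:
    action: str                # "permit", "deny" or "quarantine"
    vlan: Optional[int]
    acl: List[str] = field(default_factory=list)          # ACL pushed to the access device
    remediation: List[str] = field(default_factory=list)  # what the device must fix


def posture_failures(ep: Endpoint) -> List[str]:
    """Return the list of policy checks this endpoint fails (empty means compliant)."""
    failures = []
    if ep.av_signature_date < MIN_AV_SIGNATURE_DATE:      # ISO dates compare lexicographically
        failures.append("update antivirus signatures")
    if ep.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"apply OS patch level {MIN_PATCH_LEVEL}")
    return failures


def admit(ep: Endpoint) -> Decision:
    """Decide how the network admits this endpoint: identity first, then posture."""
    # Enforcement: no valid 802.1X identity, or an identity with no policy, is denied.
    if not ep.authenticated or ep.role not in ROLE_VLAN:
        return Decision("deny", None)
    # NAC: a trusted identity on a non-compliant device is quarantined, with an ACL
    # that only reaches the remediation server (address is a placeholder).
    failures = posture_failures(ep)
    if failures:
        return Decision("quarantine", QUARANTINE_VLAN,
                        acl=["permit ip any host REMEDIATION_SERVER", "deny ip any any"],
                        remediation=failures)
    # Provisioning: a compliant device is placed in the VLAN its role is entitled to.
    return Decision("permit", ROLE_VLAN[ep.role])
```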
