A list of suggestions for implementing the outside filter router follows:

- Turn off Telnet access (no virtual terminals defined).
- Use static routing only.
- Do not make it a TFTP server.
- Use password encryption.
- Turn off proxy ARP service.
- Turn off finger service.
- Turn off IP redirects.
- Turn off IP route caching.
- Do not make the router a MacIP server (MacIP provides connectivity for IP over AppleTalk by tunneling IP datagrams inside AppleTalk).

Cisco PIX Firewall

To provide stalwart security, hardware firewall devices can be used in addition to or instead of packet-filtering routers. For example, in the three-part firewall system illustrated earlier in Figure 4-10, a hardware firewall device could be installed on the isolation LAN. A hardware firewall device offers the following benefits:

- Less complex and more robust than packet filters
- No required downtime for installation
- No required upgrading of hosts or routers
- No necessary day-to-day management

CH01.book Page 119 Friday, January 7, 2000 5:35 PM LAN Types 119

Cisco's PIX Firewall is a hardware device that offers the features in the preceding list, as well as full outbound Internet access from unregistered internal hosts. IP addresses can be assigned from the private ranges defined in RFC 1918 (available at http://info.internet.isi.edu/in-notes/rfc/files/rfc1918.txt). The PIX Firewall uses a scheme called Network Address Translation (NAT), which lets internal users reach the Internet from private addresses while hiding the internal address space from the outside; inbound access is controlled by the connection-state checks described below. Further details on the PIX Firewall are available on Cisco's web site at www.cisco.com/warp/public/cc/cisco/mkt/security/pix/.

The PIX Firewall provides firewall security without the administrative overhead and risks associated with UNIX-based or router-based firewall systems. The PIX Firewall operates on a secure real-time kernel, not on UNIX. The network administrator is provided with complete auditing of all transactions, including attempted break-ins. The PIX Firewall supports data encryption with the Cisco PIX Private Link, a card that provides secure communication between multiple PIX systems over the Internet using the Data Encryption Standard (DES, whose 56-bit key is no longer considered adequate against brute-force attack).

The PIX Firewall provides TCP and UDP connectivity from internal networks to the outside world by using a scheme called adaptive security. All inbound traffic is verified for correctness against the following connection state information:

- Source and destination IP addresses
- Source and destination port numbers
- Protocols
- TCP sequence numbers (which the PIX randomizes so that an attacker cannot easily predict them)

LAN Types

The CCDA objective covered in this section is as follows:

14 Draw a topology map that meets the customer's needs and includes a high-level view of internetworking devices and interconnecting media.

Local-area networks can be classified as a large building LAN, campus LAN, or small/remote LAN. The large building LAN contains the major data center with high-speed access and floor communications closets; the large building LAN is usually the headquarters in larger companies. Campus LANs provide connectivity between buildings on a campus; redundancy is usually a requirement. Small/remote LANs provide connectivity to remote offices with a small number of nodes.

Chapter 4: Network Topologies and LAN Design

It is important to remember the Cisco hierarchical approach of network design. First, build a high-speed core backbone network. Second, build the distribution layer, where policy can be applied. Finally, build the access layer, where LANs provide access to the network end stations.

Large Building LANs

Large building LANs are segmented by floors or departments. Company mainframes and servers reside in a computing center. Media lines run from the computer center to the wiring closets at the various segments. From the wiring closets, media lines run to the offices and cubicles around the work areas. Figure 4-12 depicts a typical large building design.

Figure 4-12 Large Building LAN Design [figure: floor switches, L3 switching, server, uplink to other buildings and/or WAN]

Each floor may have more than 200 users. Following a hierarchical model of access, distribution, and core, Ethernet and Fast Ethernet nodes may connect to hubs and switches in the communications closet. Uplink ports from closet switches connect back to one or two (for redundancy) distribution switches. Distribution switches may provide connectivity to server farms that provide business applications, DHCP, DNS, intranet, and other services.

Campus LANs

A campus LAN connects two or more buildings located near each other using high-bandwidth LAN media. Usually the media (for example, copper or fiber) is owned. High-speed switching devices are recommended to minimize latency. In today's networks, Gigabit Ethernet campus backbones are the standard for new installations. In Figure 4-13, campus buildings are connected by using Layer 3 switches with Gigabit Ethernet media.

Figure 4-13 Campus LANs [figure: Building A, Building B, Building C, Building D]

Ensure that a hierarchical design is implemented on the campus LAN and that network layer addressing is assigned to control broadcasts on the networks. Each building should have addressing assigned in such a way as to maximize address summarization. Apply contiguous subnets to buildings at the bit boundary so that each building can be summarized as one route, which also eases the design. Campus networks can support high-bandwidth applications such as video conferencing. Although most WAN implementations are configured to support only IP, legacy LANs may still be configured to support IPX and AppleTalk.

Small/Remote Site LANs

Small/remote sites usually connect back to the corporate network via a small router (Cisco 2500)
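The outside filter router checklist at the start of this section is easier to enforce as an audit than as a memory exercise. The following script is an added example, not from the book or from Cisco: it parses an IOS-style running configuration and reports every checklist item that is not satisfied. It assumes the IOS command names of that era (service password-encryption, no service finger, no ip proxy-arp, no ip redirects and no ip route-cache under each interface, transport input none on the vty lines) and that proxy ARP, redirects and route caching are on by default unless explicitly disabled, so their absence from the config is a finding. Both sample configurations are constructed for the example.

```python
"""Audit an IOS-style running config against the outside filter router checklist."""
from typing import Dict, List

# Constructed sample that violates most of the checklist (not a real device).
SAMPLE_CONFIG = """\
no service password-encryption
service finger
hostname outside-filter
tftp-server flash:c2500-image.bin
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 no ip proxy-arp
!
router rip
 network 192.0.2.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
line vty 0 4
 login
 transport input telnet
!
end
"""

# Constructed sample that satisfies every item.
HARDENED_CONFIG = """\
service password-encryption
no service finger
hostname outside-filter
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
 no ip route-cache
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 no ip proxy-arp
 no ip redirects
 no ip route-cache
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
line vty 0 4
 transport input none
!
end
"""

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split the config into top-level commands ("global") and the indented
    bodies of interface / line / router blocks, keyed by their header line."""
    blocks: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":        # '!' or a blank line ends a block
            current = "global"
            continue
        if raw[0].isspace():               # indented: belongs to the open block
            blocks.setdefault(current, []).append(line)
            continue
        blocks["global"].append(line)
        if line.startswith(("interface ", "line ", "router ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = "global"
    return blocks

def audit(config: str) -> List[str]:
    """Return one finding per unmet checklist item (empty list = compliant)."""
    blocks = parse_blocks(config)
    g = blocks["global"]
    findings: List[str] = []
    if "service password-encryption" not in g:
        findings.append("global: password encryption not enabled")
    if "no service finger" not in g and "no ip finger" not in g:
        findings.append("global: finger service not disabled")
    for line in g:
        if line.startswith("tftp-server"):
            findings.append(f"global: router is a TFTP server ({line})")
        if line.startswith("router "):
            findings.append(f"global: dynamic routing enabled ({line}); use static routes only")
        if line.startswith("appletalk macip"):
            findings.append(f"global: MacIP server configured ({line})")
    for name, body in blocks.items():
        if name.startswith("interface "):
            # Assumption: proxy ARP, redirects and route caching are IOS defaults,
            # so each interface must disable them explicitly.
            for required in ("no ip proxy-arp", "no ip redirects", "no ip route-cache"):
                if required not in body:
                    findings.append(f"{name}: missing '{required}'")
        elif name.startswith("line vty") and "transport input none" not in body:
            findings.append(f"{name}: virtual terminals accept remote login; set 'transport input none'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against a saved `show running-config` instead of the embedded samples to audit a real filter router; the parser only understands the block structure the checklist needs, so anything else in the config is ignored.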
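The adaptive security list in the PIX Firewall section (addresses, ports, protocol, randomized TCP sequence numbers) describes stateful inspection: outbound traffic creates a connection slot, and inbound packets are admitted only if they match one. The following toy model is an added example written for this page, not PIX code and not Cisco's algorithm; the AdaptiveSecurity class, the Packet fields and the fixed initial sequence number are assumptions made for the illustration, and payload lengths are ignored so that the expected acknowledgement is just the last sequence number (plus one for a SYN). It shows why randomizing the initial sequence number matters: a spoofed reply that knows the inside host's real sequence number still fails the check.

```python
"""Toy model of stateful 'adaptive security': inbound packets are admitted only
when they match connection state created by outbound traffic."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MOD = 2 ** 32          # TCP sequence space
WINDOW = 65_535        # acks farther than this from the expected value are rejected

@dataclass
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0       # TCP sequence number (ignored for udp)
    ack_num: int = 0   # TCP acknowledgement number
    syn: bool = False
    ack: bool = False

class AdaptiveSecurity:
    """Connection table keyed by the 5-tuple of the inside->outside flow.
    Hypothetical implementation for this example, not the PIX algorithm."""

    def __init__(self, rng: Optional[Callable[[], int]] = None) -> None:
        # rng supplies the randomized initial sequence number shown to the outside
        self._rng = rng or (lambda: secrets.randbelow(MOD))
        self.table: Dict[Tuple[str, str, int, str, int], dict] = {}

    def outbound(self, p: Packet) -> int:
        """Create/update state for an inside->outside packet and return the
        sequence number the outside host sees (ISN randomized on SYN)."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        entry = self.table.get(key)
        if entry is None:
            entry = {"delta": 0, "expect_ack": None}
            if p.proto == "tcp" and p.syn:
                # Replace the host's predictable ISN with a random one; delta is the
                # offset applied to every later sequence number of this connection.
                entry["delta"] = (self._rng() - p.seq) % MOD
            self.table[key] = entry
        if p.proto == "udp":
            return 0
        outside_seq = (p.seq + entry["delta"]) % MOD
        # Simplification: payload length ignored; peer must ack seq (+1 for SYN).
        entry["expect_ack"] = (outside_seq + (1 if p.syn else 0)) % MOD
        return outside_seq

    def inbound(self, p: Packet) -> bool:
        """True if an outside->inside packet matches existing connection state."""
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # reverse of the outbound key
        entry = self.table.get(key)
        if entry is None:
            return False                       # no connection slot: drop
        if p.proto != "tcp":
            return True                        # UDP: the 5-tuple match is the whole check
        if not p.ack or entry["expect_ack"] is None:
            return False
        distance = (p.ack_num - entry["expect_ack"]) % MOD
        return distance <= WINDOW              # ack must sit close to what we expect

def demo() -> Dict[str, bool]:
    """TCP handshake, a spoofed reply, an unsolicited SYN and a UDP exchange,
    using a fixed ISN so the results are reproducible (constructed data)."""
    fw = AdaptiveSecurity(rng=lambda: 0x12345678)
    inside, outside, dns = "10.1.1.5", "203.0.113.7", "198.51.100.53"
    isn_outside = fw.outbound(Packet("tcp", inside, 40000, outside, 80, seq=1000, syn=True))
    genuine = Packet("tcp", outside, 80, inside, 40000, seq=5000,
                     ack_num=(isn_outside + 1) % MOD, syn=True, ack=True)
    # Attacker knows the host's real ISN (1000) but not the firewall's randomized one.
    spoofed = Packet("tcp", outside, 80, inside, 40000, seq=5000, ack_num=1001, syn=True, ack=True)
    unsolicited = Packet("tcp", outside, 31337, inside, 22, seq=1, ack_num=1, syn=True)
    fw.outbound(Packet("udp", inside, 5353, dns, 53))
    return {
        "isn_randomized": isn_outside != 1000,
        "genuine_synack": fw.inbound(genuine),
        "spoofed_synack": fw.inbound(spoofed),
        "unsolicited_syn": fw.inbound(unsolicited),
        "dns_reply": fw.inbound(Packet("udp", dns, 53, inside, 5353)),
        "dns_wrong_port": fw.inbound(Packet("udp", dns, 5353, inside, 5353)),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

A real implementation also ages idle slots out of the table and tracks sequence numbers in both directions; the point here is only that nothing enters without an outbound packet having opened the slot, and that the outside peer must prove it saw the randomized number.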
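The campus LAN guidance above says to assign each building contiguous subnets on a bit boundary so that the building summarizes to a single route. The following script is an added example, not from the book: given a per-building subnet plan, it reports the route each building would advertise, whether that route is exact or drags in unassigned address space, and whether two buildings' summaries collide. The CAMPUS_PLAN table is constructed for the example; Building B is deliberately misaligned (its four /24s start at .5 instead of a multiple of four) to show the failure the text warns about.

```python
"""Check a campus address plan for bit-boundary summarization."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed plan, one list of subnets per building. Building B is misaligned.
CAMPUS_PLAN: Dict[str, List[str]] = {
    "Building A": ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
    "Building B": ["10.1.5.0/24", "10.1.6.0/24", "10.1.7.0/24", "10.1.8.0/24"],
    "Building C": ["10.1.16.0/24", "10.1.17.0/24", "10.1.18.0/24", "10.1.19.0/24"],
    "Building D": ["10.1.20.0/22"],
}

def exact_summary(subnets: List[str]) -> Optional[ipaddress.IPv4Network]:
    """The single prefix covering exactly these subnets, or None when they do
    not sit on a common bit boundary and therefore cannot be merged."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged[0] if len(merged) == 1 else None

def covering_summary(subnets: List[str]) -> ipaddress.IPv4Network:
    """Smallest prefix that contains every subnet; may include unassigned space."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()      # widen by one bit until everything fits
    return candidate

def plan_summaries(plan: Dict[str, List[str]]) -> Dict[str, dict]:
    """Per building: the route it would advertise, whether that route is exact,
    and how many addresses it attracts that are not assigned in the building."""
    report: Dict[str, dict] = {}
    for building, subnets in plan.items():
        summary = covering_summary(subnets)
        assigned = sum(ipaddress.ip_network(s).num_addresses for s in subnets)
        report[building] = {
            "summary": str(summary),
            "exact": exact_summary(subnets) is not None,
            "unassigned_addresses": summary.num_addresses - assigned,
        }
    return report

def overlapping_summaries(plan: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Pairs of buildings whose summary routes overlap; two such routes cannot
    both be advertised into the campus core without ambiguity."""
    summaries = {b: covering_summary(s) for b, s in plan.items()}
    return [(a, b) for a, b in combinations(summaries, 2)
            if summaries[a].overlaps(summaries[b])]

if __name__ == "__main__":
    for building, info in plan_summaries(CAMPUS_PLAN).items():
        print(building, info)
    print("overlapping summaries:", overlapping_summaries(CAMPUS_PLAN))
```

In the constructed plan, Building B cannot be advertised as one exact route: the smallest prefix that covers 10.1.5.0 through 10.1.8.255 is 10.1.0.0/20, which also swallows Building A's 10.1.0.0/22. Moving Building B to 10.1.4.0/22 (four /24s starting at a multiple of four) removes both problems, which is the bit-boundary rule stated in the text.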