ccna 200-301 pdf torrent

ccna 200-301 pdf torrent.One side of the firewall is connected to the production network. The reason for providing connectivity to the production network is to enable management hosts using carefully selected Internet access, and to provide limited in-band management traffic within the production network by allowing encryption of management traffic from pre-defined hosts. In-band management is only used when the hypervisor cannot use 00B, or when the managed Cisco device does not have sufficient physical interfaces to support regular connectivity to the management network c If a device must send data within the production network to contact a management host, then the traffic should be transmitted securely using a dedicated encrypted tunnel or VPN tunnel. This tunnel should be pre-configured to allow only the traffic required for management and reporting of these devices to pass through. The channel should be locked so that only the appropriate hosts can initiate and terminate the tunnel. The Cisco 10S firewall should be configured to allow only syslog messages into the management network segment. In addition. the Telnet. SSH and SNMP services should also be released if they are initiated by the management network in the first place.The other end of the firewall connects to all management hosts and Cisco I0S routers and then acts as a terminal server. The terminal server is directly connected to the 00B of the device that needs to be managed in the production network. Most devices should be connected to the management network segment and configured using the 00B management connection.Because the management network has management access to almost every area of the network, this makes it the most attractive target for hackers. The management module on the firewall has several techniques built in to mitigate this risk. The primary threat is a hacker trying to gain access to the management network, which can be accomplished with a compromised management host (which the management device must be able to access). To mitigate the threat posed by compromised devices, access controls must be tightened on the firewall and every other device. In addition, the management device should be set up to prevent it from using a separate LAN segment or VLAN to connect directly to other hosts on the same management subnet.2.3.2.3 In-Band and Out-of-Band AccessAs a general rule, it is appropriate to use 00B management in large enterprise networks for security purposes. However, it is not always desirable. Whether or not to use 00B management depends on the type of application running and the type of protocol to be monitored. For example, consider a scenario where two core switches are to be managed and monitored using a 00B network. If a critical link between two core switches on the production network fails, the application monitoring these devices can never determine if the link has failed and alert the administrator. This is because the 00B network makes it look like all devices are connected to a single 00B management network, and the 00B management network is not affected by the failed link. Management of this type of application is best done in a secure manner by running the management software in-band.In-band management is recommended in small networks as a cost-effective solution for secure deployments. In such an architecture, management traffic flows in-band in all cases. In-band management improves security by using secure protocols instead of insecure ones, such as SSH instead of Telneto another option is to use a protocol like IPSec to establish a secure channel for management traffic. If management access is not necessary all the time, then temporary channels can be opened on the firewall only while management functions are performed. This technique should be used with care and should be turned off as soon as the management task is completed.Finally, if using in-band remote management tools, be wary of security vulnerabilities in the management tools themselves. For example, SNMP managers are often used to perform troubleshooting and configuration tasks in the network, but SNMP should be treated with caution because the underlying protocol has its own security vulnerabilities.2.3.3 Using System Logs for Network Security2.3.3.1 Introduction to System LoggingImplementing logging capabilities is an important part of any network security policy. When certain events occur in the network, networked devices must have trusted mechanisms to notify administrators of detailed system messages. These messages can be non-critical or critical. Network administrators have multiple options for storing, interpreting, and displaying these messages, as well as options to generate alerts for those messages that impact the network infrastructure to the greatest extent possible.