ccna 6.0 cn sic chapter 3

ccna 6.0 cn sic chapter 3.The LAN-to-network boundary security policy is based on the idea that no amount of security precautions can protect a network if users do not impose security measures on their desktop operations. Many network administrators roll out their LAN-to-network boundary security policies from the network boundary toward the LAN. Other administrators roll out their network security policies from the LAN toward the network boundary. Regardless of the approach, there are two areas that must be focused on protecting, the endpoints and the network infrastructure.The LAN is made up of network endpoints. An endpoint or host is a separate computer system or device that acts as a network client. Common endpoints are laptops, desktops, tablets, smartphones, and IP phones. Servers can also be endpoints.Network infrastructure is another area of concern for protecting LANs. This includes protecting non-endpoint intermediate LAN devices such as switches, wireless devices, IP telephony devices, and SAN devices. Another aspect of protecting the infrastructure is mitigating LAN attacks. These attacks include MAC address spoofing attacks, STP manipulation attacks, MAC address table overflow attacks, LAN storm attacks, and VLAN attacks.6.1 Endpoint Security 1476.1.L2SecureX ArchitectureIn the past, company employees worked inside a well-defined perimeter, and data resources were stored inside this perimeter. This perimeter was protected by a firewall located at the boundary (border). Employees typically used company-issued computers to connect to the company LANo Today, the proliferation of more consumer-grade devices (such as iPhones, Android devices, and ultrabooks) has blurred the boundaries of the network. And it is increasingly common for major business resources (including data centers, applications, endpoints, and users) to be located outside the traditional business boundaries. Cisco calls this the borderless network. In this new borderless network, users can use a variety of connectivity methods to initiate access to resources from many locations and across various types of endpoint devices.In addition to the concept of a borderless network, cloud computing also affects the boundaries of the network. Cloud computing allows organizations to use services (such as data storage or cloud-based applications) to expand their capacity or capabilities without adding infrastructure. By its very nature, the cloud also sits outside of the traditional network perimeter. Therefore, an organization may encounter situations where the data center is located inside or outside of the traditional network perimeter.Traditional network security consists of two main components: a dense (heavy) endpoint protection suite (e.g., antivirus software, personal firewalls, etc.) and perimeter-based network scanning devices (e.g., firewalls, Web proxies, and email gateways). This architecture works well when the devices in the LAN and behind the firewall are primarily high-performance PCs. However, the model does not work when mobile users use personal devices to access the network from different locations.Traditional endpoint antivirus suites also do not work well with these new network endpoint devices. These new devices are lighter and more portable. In addition, as network boundaries become blurred, there are multiple entry points into the network. Thus, the network perimeter ceases to exist. The challenge now is how to allow these heterogeneous devices to securely connect to enterprise resources. To address these issues, Cisco has created the SecureX architecture.In the SecureX security architecture for use in borderless networks, endpoints now point to a network scan element somewhere in the Cisco Security Cloud. These scan elements are capable of scanning more layers than individual endpoints, which includes 5 layers of malware signatures, data loss prevention and acceptable use policies, content scanning, and more.