Local Area Network Security Good Practice Guideline


Programme: NPFIT
Document Record ID Key: NPFIT-FNT-TO-IG-GPG
Sub-Prog / Project: Infrastructure Security
Prog. Director: Mark Ferrar
Status: Approved
Owner: James Wood
Version: 1.0
Author: Mike Farrell
Version Date: 18/09/2009

Crown Copyright 2009

Amendment History:

- 08/2006: First draft for comment
- 09/2006: Second draft including comments and amendments
- 10/2006: Third draft including comments and amendments
- 03/2007: Fourth draft to place document in new template
- 06/2009: Document refreshed
- 07/2009: Incorporating changes suggested by CfH Infrastructure Security Team
- 07/2009: Incorporating changes suggested by Matt Ballinger
- 09/2009: Incorporating changes suggested by James Wood. Approved for issue

Forecast Changes:

- Annual Review: Nov 2010

Reviewers: This document must be reviewed by the following:

- Infrastructure Security Team
- Matt Ballinger, Deployment Support Officer - Technology Office

Approvals: This document must be approved by the following:

- James Wood, Head of IT Security (version 1.0)

Distribution: NHS Connecting for Health Information Governance Website

Document Status: This is a controlled document. Whilst this document may be printed, the electronic version maintained in FileCM is the controlled copy. Any printed copies of the document are not controlled.

Related Documents: These documents will provide additional information.

1. NPFIT-SHR-QMS-PRP: Glossary of Terms Consolidated.doc, version 13
2. NPFIT-FNT-TO-INFR-SEC-0001: Glossary of Security Terms, version 1

Glossary of Terms: List any new terms created in this document. Mail the NPO Quality Manager to have these included in the master glossary above [1].

Contents

1 About this Document
  1.1 Purpose
  1.2 Audience
  1.3 Content
  1.4 Disclaimer
2 Introduction
  2.1 Background
3 Overview of Local Area Networks
  3.1 Network Access Protection (NAP)
  3.2 Network Admission Control (NAC)
  3.3 802.1X Port-based Access Control
  3.4 Quality of Service (QoS)
4 Key Aspects of a Local Area Network Infrastructure
  4.1 A Modular and Layered Network Topology
  4.2 Resilience and Redundancy
  4.3 Security
  4.4 Intelligent Services
  4.5 Management
5 The Hierarchical Modular Layered Network Model
  5.1 Access Layer Recommendations
  5.2 Core and Distribution Layer Recommendations
  5.3 Server Layer Recommendations
6 Network Infrastructure Availability
  6.1 Physical Resilience and Redundancy
  6.2 Equipment Level Redundancy
  6.3 Software Resilience and Redundancy
7 Security Policy Management
8 Wide Area Network Link Considerations
9 Environmental Factors

1 About this Document

1.1 Purpose

The purpose of this guide is to address the major challenges associated with creating and maintaining secure Local Area Networks (LANs) connected to the New NHS Network (N3) or to other network infrastructures such as Community of Interest Networks (CoINs), partner networks, or the Internet. The information covers all environments anticipated to interact with the NHS Care Records Service (NCRS). It includes information on suitable measures and controls for the most secure solutions that conform with the Information Governance Statement of Compliance (IGSoC). It is however recommended that a full assessment of both the threat and the impact levels of potential security breaches is performed. This should incorporate partnering networks, including N3, in line with the electronic Government Interoperability Framework (e-GIF) recommendations [1].

The information contained in this document should be used as an informed assessment of technologies that support LAN security. It is, however, the sole responsibility of network owners to ensure that any LAN solution they deploy is sufficiently secure to fully satisfy their own risk assessment.

1.2 Audience

This document has been written for readers who have a good level of experience and familiarity with firewalls, switches, routers and secure local area networking practices.

1.3 Content

This document comprises the following sections / topics:

- Introduction
- Overview of Local Area Networks
- Key Aspects of a Local Area Network Infrastructure
- The Hierarchical Modular Layered Network Model
- Network Infrastructure Availability
- Security Policy Management
- Wide Area Network Link Considerations
- Environmental Factors

[1] See the GovTalk Schemas and Standards Website:

1.4 Disclaimer

Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by National Health Service Connecting for Health (NHS CFH). The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes.

Any party relying on or using any information contained in this document, and/or relying on or using any system implemented based upon information contained in this document, should do so only after performing a risk assessment. A risk assessment is a prerequisite for the design of effective security countermeasures. A correctly completed risk assessment enables an NHS organisation to demonstrate that a methodical process has been undertaken which adequately describes the rationale behind any decisions made. Risk assessments should include the potential impact to live services of implementing changes.

This means that changes implemented following this guidance are done so at the implementer's risk. Misuse or inappropriate use of this information can only be the responsibility of the implementer.

2 Introduction

The following information provides a knowledge-based framework that will help an organisation maintain good practice. The guidance within this document reflects good practice, and, by following it, some of the consequences of non-compliance should be avoided. The reader will find good practice guidance for the design and use of Local Area Networks within a network infrastructure. This includes:

- Minimum standards for LAN security.
- The methods by which a LAN infrastructure can be supported efficiently and safely.
- Guidance to ensure maximum network uptime and reliability.
- Procedures and mechanisms for the control of access to LANs in an NHS or other healthcare environment.

2.1 Background

N3 is a private Wide Area Network (WAN) and access is therefore strictly limited to authorised endpoints. Any organisation wishing to connect to N3 is responsible for ensuring that its N3 connection does not compromise the security measures already in place within the WAN.

N3 is a private network accommodating thousands of PCs, servers, printers and other items of equipment, all acting as the nodes or endpoints within the network. The confidentiality of sensitive information transmitted unencrypted within N3 is not assured. All National Applications, however, encrypt data using Transport Layer Security (TLS) [2] or an equivalent security standard. It is therefore advisable that appropriate measures are taken with existing systems to ensure that sensitive data is secured before connecting to N3.

N3 faces numerous potential threats to security, possibly from inadequately protected partner networks, or from connections to uncontrolled external networks such as the Internet. These threats are continually evolving in both strength and frequency. Ongoing vigilance against these threats, and the maintenance of strict security standards, are therefore essential to the continuing success of N3.

[2] See Approved Cryptographic Standards GPG at

3 Overview of Local Area Networks

A LAN is a network of computers and other components located relatively close together in a limited area. LAN technologies such as Ethernet are defined at the physical and data link layers (layers 1 and 2) of the Open Systems Interconnect (OSI) model, and LANs can vary widely in size. They can consist of only two computers in a home office or small business, or include hundreds of computers in a large corporate or healthcare environment. Various LAN types exist, such as Ethernet, Token Ring, ARCNET and FDDI. The Ethernet-based technologies are by far the most prevalent within the modern network. This is partly due to the low cost of the technology, coupled with the performance it offers, and the general ease of deployment and maintenance in comparison to some of the legacy technologies.

The guidance within this document covers good practice for implementing LANs comprising multiple layers and components. All organisations should endeavour to apply the generic good practice detailed in Sections 2, 3, 6 and 8 of this document. The information in Sections 4 and 5 is aimed at larger infrastructures, and is therefore broken down into distinct network layers or components. Smaller organisations, such as GP Surgeries and Clinics, may find that only the guidance within the Access Layer and Server Layer sections applies to their network infrastructure.

3.1 Network Access Protection (NAP)

Network Access Protection [3] (NAP) is a policy enforcement platform, built into the Microsoft Windows Vista, Windows 7 (forthcoming at the time of writing) and Windows Server 2008 operating systems, which allows an organisation to better protect network assets by enforcing compliance with system health requirements. NAP allows the creation of customised health policies to validate computer health before allowing access or communication. Automatic update of non-compliant computers is used to ensure ongoing compliance, with optional confinement of non-compliant computers to a restricted network until they become compliant.

Administrators can configure Internet Protocol Security (IPsec) enforcement, IEEE 802.1X enforcement, virtual private network (VPN) enforcement, Dynamic Host Configuration Protocol (DHCP) enforcement, or all four, depending on their network needs. Of these, DHCP enforcement is the weakest: a host configured with a static address never requests a lease and so is never evaluated, so 802.1X or IPsec enforcement should be preferred where the switch infrastructure supports it.

3.2 Network Admission Control (NAC)

A Network Admission Control (NAC) solution compares the security state of a device that is attempting to connect to a network against a set of policy attributes that define the security conditions that must be met before network access is allowed. The scope of a NAC solution must encompass external and internal network connections by managed and unmanaged devices. Examples of unmanaged devices include rogue systems and servers deployed outside central Information Technology (IT) management control, in addition to contractor PCs and employees' home machines.

The NAC solution should cover the following network connection scenarios:

- VPN: IPsec and Secure Sockets Layer (SSL)
- LAN: wired and wireless connectivity
- Dial-in via remote access servers

Any NAC solution should ensure that when a system does not meet the criteria of the policy controls, it is added to a quarantine network and remedial action is taken. This could include the application of patches and anti-x updates [4], or simply the restriction of device access to other parts of the network infrastructure. The quarantine network should be separate from the rest of the internal infrastructure, and should be connected to a firewall with a restrictive access policy. The quarantine network should only allow the minimum access required to apply patches and updates from the centralised management servers.

3.3 802.1X Port-based Access Control

IEEE 802.1X [5] is a standard for port-based Network Access Control and is part of the IEEE 802.1 group of protocols. It provides authentication of devices attached to LAN ports, establishing a point-to-point connection or preventing further access from that port if authentication fails. It is based on the Extensible Authentication Protocol (EAP) [6].

802.1X functionality is available on enterprise grade network switches from most vendors, and can be configured to authenticate host systems that are equipped with supplicant software, denying unauthorised access to the network at the data link layer. This means that only 802.1X (EAPOL) frames are accepted on the switch port, and all other data frames are dropped until the connection is successfully authenticated.

[4] Anti-X refers to the anti-virus, anti-spyware, anti-spam and anti-phishing solutions
[6] EAP, RFC
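The controlled-port behaviour described in Section 3.3, as an added example written for this page rather than taken from the guideline or from any switch vendor: a simulated 802.1X port that drops every frame other than EAPOL (EtherType 0x888E) until the supplicant has authenticated, and closes again on EAPOL-Logoff. Frame layouts follow IEEE 802.1X and RFC 3748; the MAC addresses and traffic are constructed, and the authentication server's verdict is simplified to an EAP Success or Failure delivered into the port model (a real switch receives it over RADIUS and itself sends the EAP result to the supplicant).

```python
"""Added example (not from the guideline): a simulated IEEE 802.1X controlled port.

Until the supplicant authenticates, only EAPOL frames (EtherType 0x888E) pass
between the port and the authenticator; every other frame is dropped at layer 2.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE multicast address

# EAPOL packet types (IEEE 802.1X) and EAP codes (RFC 3748)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Minimal Ethernet II frame (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def eapol(packet_type: int, body: bytes = b"") -> bytes:
    """EAPOL header: protocol version 1, packet type, body length."""
    return struct.pack("!BBH", 1, packet_type, len(body)) + body


def eap(code: int, identifier: int, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, total length, type-specific data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


class ControlledPort:
    """One access-layer switch port under 802.1X port-based control."""

    def __init__(self) -> None:
        self.authorized = False
        self.forwarded = []    # frames admitted to the LAN
        self.dropped = []      # frames refused while the port was unauthorised

    def from_supplicant(self, frame: bytes) -> str:
        """Classify a frame arriving from the attached device."""
        if len(frame) < 14:
            self.dropped.append(frame)
            return "dropped"
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_EAPOL:
            self._handle_eapol(frame[14:])
            return "eapol"          # always relayed to the authenticator
        if self.authorized:
            self.forwarded.append(frame)
            return "forwarded"
        self.dropped.append(frame)   # denied at the data link layer
        return "dropped"

    def _handle_eapol(self, pkt: bytes) -> None:
        if len(pkt) < 4:
            return
        _version, packet_type, _length = struct.unpack("!BBH", pkt[:4])
        if packet_type == EAPOL_LOGOFF:
            self.authorized = False  # supplicant has left: close the port again
        # EAPOL-Start and EAP-Response would be relayed to the authentication server.

    def from_authenticator(self, frame: bytes) -> None:
        """Apply the authentication server's verdict, carried as an EAP packet."""
        if len(frame) < 19 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
            return
        if frame[15] != EAPOL_EAP_PACKET:
            return
        code = frame[18]
        if code == EAP_SUCCESS:
            self.authorized = True
        elif code == EAP_FAILURE:
            self.authorized = False


def demo() -> dict:
    """Walk one port through unauthorised -> failed -> authorised -> logged off."""
    host = bytes.fromhex("001122334455")     # constructed supplicant MAC
    switch = bytes.fromhex("00aabbccddee")   # constructed authenticator MAC
    port = ControlledPort()
    ipv4 = ethernet_frame(switch, host, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    arp = ethernet_frame(b"\xff" * 6, host, ETHERTYPE_ARP, b"\x00" * 28)
    r = {}
    r["ip_before_auth"] = port.from_supplicant(ipv4)
    r["arp_before_auth"] = port.from_supplicant(arp)
    r["eapol_start"] = port.from_supplicant(
        ethernet_frame(PAE_GROUP_ADDR, host, ETHERTYPE_EAPOL, eapol(EAPOL_START)))
    port.from_authenticator(ethernet_frame(host, switch, ETHERTYPE_EAPOL,
                                           eapol(EAPOL_EAP_PACKET, eap(EAP_FAILURE, 1))))
    r["ip_after_failure"] = port.from_supplicant(ipv4)
    port.from_authenticator(ethernet_frame(host, switch, ETHERTYPE_EAPOL,
                                           eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS, 2))))
    r["ip_after_success"] = port.from_supplicant(ipv4)
    port.from_supplicant(ethernet_frame(PAE_GROUP_ADDR, host, ETHERTYPE_EAPOL, eapol(EAPOL_LOGOFF)))
    r["ip_after_logoff"] = port.from_supplicant(ipv4)
    r["dropped"], r["forwarded"] = len(port.dropped), len(port.forwarded)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point the model makes is that the decision is enforced per port at layer 2: ARP and IP from an unauthenticated host never reach the LAN, and a logoff returns the port to its closed state rather than leaving the MAC address trusted.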

The authenticating switch does not validate credentials itself: it relays the EAP exchange to a Remote Authentication Dial-In User Service (RADIUS) server, which in turn can check the supplicant against the organisation's Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) directory.

3.4 Quality of Service (QoS)

Quality of Service (QoS) is a traffic engineering term based on the concept that transmission rates, error rates and other characteristics can be measured, improved and guaranteed prior to transmission. QoS functionality is often a requirement for Voice over IP (VoIP), video streaming and other protocols sensitive to latency, jitter and timing. The use of QoS is particularly important for production and non-stop networks, as it provides predictable performance and availability. This functionality can be useful for providing assured access to clinical applications under all network conditions, for example during busy periods of the working day such as lunchtime, or during extended periods of high throughput resulting from network based data backup. The N3 QoS architecture [7] is outside the scope of this document.

4 Key Aspects of a Local Area Network Infrastructure

The key aspects of a secure and robust network infrastructure design are described in the following subsections.

4.1 A Modular and Layered Network Topology

The benefits of a modular approach to network design are:

- Improved scalability with deterministic service delivery.
- Reduced operational costs.
- Ease of maintenance.

A modular approach also allows the allocation of network services to specific modules of the network infrastructure, enabling organisations to focus their network infrastructure expenditure where most appropriate.

4.2 Resilience and Redundancy

There is increasing reliance on distributed IT based solutions within the NHS for the delivery of clinical care. The availability of clinical applications can have a direct impact on patient care and safety. The importance of minimising all single points of failure within cable plant, power systems, environmental and network infrastructure equipment is discussed in terms of expenditure against risk, or cost and benefit realisation. Recommendations for network level protocol design good practice, specifically for optimising network convergence times under failure conditions, are also provided.

4.3 Security

A layered approach to security is recommended. This approach provides a defence in depth posture, which reduces the scope of any security breach. The recommendations will also assist organisations in meeting the Department of Health Information Governance (IG) requirements for the protection of Person Identifiable Data (PID) whilst in transit, and the requirements of Confidentiality: NHS Code of Practice.

4.4 Intelligent Services

The networking industry has converged on standard processes for creating quality of service policies for enforcement by network infrastructure devices. An organisation's investment in a network infrastructure can be maximised through the use of these network based intelligent services, whilst ensuring that shared resources are allocated according to the organisation's business requirements.

4.5 Management

Increasing the intelligence of a device generally increases its complexity. To reduce the complexity of management, suitable tools are required for device management, fault diagnosis, device configuration, performance management, and to aid with the relatively complex tasks of deploying consistent network-wide QoS and security policies.

5 The Hierarchical Modular Layered Network Model

This model uses a layered architecture of distinct modules or building blocks, with each layer responsible for a specific role in the support of the end-to-end delivery of information. The benefits of a layered architecture are:

- Scalability.
- Ease of implementation.
- Ease of troubleshooting.
- Predictability.
- Manageability.

Each of the layers supports distinct functionality or requirements. Layers can be added to the model to support additional functionality. As an example, an Internet or public access layer can be added to complement an existing layered infrastructure.

The hierarchical network design model is comprised of four basic layers:

- Core Layer: provides high-speed IP connectivity between the distribution, access and server layer LAN switches via two or more high availability core switches.
- Distribution Layer: the layer where elements such as security and QoS policies are enforced to control how the network will service individual information flows. This can be a physically separate layer of switches, or a logical layer located within the core switches, depending on the size of an organisation's network infrastructure.
- Access Layer: provides connectivity for systems such as end user workstations and printers. The access layer enforces admission and control policies, and provides the logical segmentation of devices into groups (Virtual LANs, VLANs) which share common functional requirements. The access layer also provides a trust boundary where application traffic can be identified and classified for appropriate servicing by the distribution and core layers.
- Server Layer / Module: provides high-performance connectivity and resilience, and secures access to the application servers. The server module is distinct from an access layer module because of the differing requirements between user and server connectivity. For example, availability is much more of an issue within the server module than typically within access modules supporting general network users.

Fig 1 below shows the recommended modular design for larger organisations.

Fig 1 - Modular Design for Larger Organisations (figure: Connectivity Modules, each comprising an Access Layer and a Distribution Layer; a Core Layer; and a Server Module comprising the Server Layer)

Larger organisations are typified by a combination of a large number of users, and many buildings and departments within a large campus or geographically dispersed campus sites. Access layer switches should be connected with dual up-links to separate distribution layer switches, providing resilience against link or distribution switch failure. Distribution switches should be deployed in pairs, in order to provide resilient paths to different core switches. The core layer should consist of inter-connected high availability switches, to provide resilience against any single core layer link or switch failure.

The use of modules within the network architecture enables additions, moves and changes to be less disruptive and more deterministic. It aligns the connectivity requirements of the organisation with the infrastructure bandwidth required to support that connectivity. As the network connectivity requirements increase, additional connectivity modules can be added to the infrastructure, scaling the bandwidth in line with connectivity growth. It also modularises a large infrastructure into smaller domains, aiding fault diagnosis and fault containment.
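The resilience property that the Fig 1 design is meant to deliver (every access and server switch keeps a path to a core switch after any single switch or link fails) can be checked mechanically from a link inventory. The following is an added example written for this page, not part of the guideline or of any vendor tool; the device names and the two inventories are constructed, one matching the recommended design and one with a single-homed access switch as is common in older wiring closets.

```python
"""Added example (not from the guideline): single point of failure check for a
hierarchical LAN. Each access/server switch must still reach a core switch after
any one switch or any one link is removed, and must have two distinct upstream
switches. Device names and inventories below are constructed."""
from collections import deque


def build_adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reaches_core(adj, start, core, removed_node=None, removed_link=None):
    """Breadth-first search from `start` with one switch or one link taken out."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in core:
            return True
        for nxt in adj.get(node, ()):
            if nxt == removed_node or nxt in seen:
                continue
            if removed_link is not None and frozenset((node, nxt)) == removed_link:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return False


def single_points_of_failure(roles, links):
    """Return {failed element: [edge switches it cuts off from every core switch]}."""
    adj = build_adjacency(links)
    core = {n for n, r in roles.items() if r == "core"}
    edge = [n for n, r in roles.items() if r in ("access", "server")]
    findings = {}
    for victim in sorted(adj):                      # any one switch fails
        cut = [e for e in edge if e != victim and not reaches_core(adj, e, core, removed_node=victim)]
        if cut:
            findings["switch " + victim] = cut
    for a, b in links:                              # any one link fails
        cut = [e for e in edge if not reaches_core(adj, e, core, removed_link=frozenset((a, b)))]
        if cut:
            findings["link %s-%s" % (a, b)] = cut
    return findings


def uplink_diversity(roles, links):
    """Edge switches whose uplinks do not terminate on two distinct upstream switches."""
    adj = build_adjacency(links)
    weak = {}
    for n, r in roles.items():
        if r in ("access", "server"):
            upstream = {p for p in adj.get(n, ()) if roles.get(p) in ("distribution", "core")}
            if len(upstream) < 2:
                weak[n] = sorted(upstream)
    return weak


# Constructed inventory modelled on Fig 1: dual-homed access switches, a
# distribution pair, two interconnected core switches, a dual-homed server switch.
ROLES = {"core1": "core", "core2": "core", "dist1": "distribution", "dist2": "distribution",
         "acc1": "access", "acc2": "access", "srv1": "server"}
RECOMMENDED = [("core1", "core2"),
               ("dist1", "core1"), ("dist1", "core2"), ("dist2", "core1"), ("dist2", "core2"),
               ("acc1", "dist1"), ("acc1", "dist2"), ("acc2", "dist1"), ("acc2", "dist2"),
               ("srv1", "core1"), ("srv1", "core2")]
# Same design with acc2 single-homed to dist1.
DEGRADED = [link for link in RECOMMENDED if link != ("acc2", "dist2")]

if __name__ == "__main__":
    print("recommended:", single_points_of_failure(ROLES, RECOMMENDED))
    print("degraded:", single_points_of_failure(ROLES, DEGRADED))
    print("weak uplinks:", uplink_diversity(ROLES, DEGRADED))
```

Run against the real inventory (exported from the management platform), the first function lists exactly which wiring closet goes dark for each candidate failure, which is the information needed to prioritise the redundancy spend Section 6.2 discusses.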

Fig 2 below shows the recommended modular design for small and medium sized organisations. This design collapses the core and distribution layers into an aggregate layer more suited to smaller user populations, fewer buildings and departments, and smaller campuses.

Fig 2 - Modular Design for Small and Medium Sized Organisations (figure: Access Layer; collapsed Distribution and Core Layers; Server Layer)

As connectivity modules are added to the small / medium size design, it naturally scales into the larger design once a physically separate layer of distribution switches is implemented. The functionality provided by the distribution layer is then migrated from the core switches onto the physically separate distribution layer switches.

5.1 Access Layer Recommendations

- Physical locations and wiring closets for active equipment should be physically secured against unauthorised access.
- The network devices should support 10/100Mb switched Ethernet connectivity, with 10/100/1000Mb switched Ethernet being desirable.
- Equipment level redundancy and redundant / backup power should be provided to access layer devices that support critical clinical areas and users.

- The network devices should support the provisioning of 802.3af Power over Ethernet (PoE) [9].
- The access layer should use at least two resiliently configured fibre or copper uplink trunk connections to two separate distribution / core layer locations.
- The access layer should provide the organisational boundary for the classification / marking of application traffic for subsequent prioritisation and scheduling across the organisation's network infrastructure.
- The network devices should support intelligent security services and features to help maintain the confidentiality of PID whilst in transit.
- The network devices should support intelligent security services and features to help mitigate unauthorised connections to the network infrastructure.
- The access layer should include comprehensive management tools for device, fault and performance management. In particular the tools should support network-wide software and configuration updates, and network-wide deployment of QoS and security policies.
- The network devices should support secure management protocols such as Hypertext Transfer Protocol Secure (HTTPS), Simple Network Management Protocol Version 3 (SNMPv3), Secure File Transfer Protocol (SFTP) and Secure Shell (SSH). Support alone is not sufficient: the insecure equivalents (Telnet, HTTP, SNMPv1/v2c, TFTP and FTP) should be disabled on every device so that management credentials and configurations are never carried in clear text.

5.2 Core and Distribution Layer Recommendations

- The Core and Distribution layers should support Ethernet connectivity at speeds up to 1Gbps, with 10Gbps being desirable.
- Distribution and Core inter-switch links should be a minimum speed of 1Gbps.
- Core / Distribution Layer inter-switch links (trunks) should be logically bundled for additional resilience and performance. It is preferable to utilise bundling and channelling technologies that are transparent to the link and network layer protocols.
- Links or trunks between core and distribution switches should be controlled by a layer 3 routing protocol. The layer 3 protocol controlling network convergence should be tailored to minimise failover times, and hence minimise application interruption.
- The Distribution layer should provide the capability to enforce the organisational QoS policy through intelligent queuing, scheduling and congestion avoidance mechanisms.
- The Distribution layer should support intelligent security services and features to help maintain the confidentiality of PID whilst in transit.

- The Distribution layer should support intelligent security services and features to help mitigate against unauthorised connections to the network infrastructure.
- The Core and Distribution layers should provide comprehensive management tools for device, fault and performance management. Specifically the tools should support network-wide software and configuration updates, and network-wide deployment of QoS and security policies.
- The Core and Distribution layers should support secure management protocols such as HTTPS, SNMPv3, SFTP and SSHv2.

5.3 Server Layer Recommendations

The availability of server resources is often critical to large organisations, and the design of the server layer should therefore reflect the higher level of resilience and performance that is required. It is recommended that:

- The Server layer should support 1Gbps Ethernet connectivity. It is desirable that the infrastructure offers support for 10Gbps Ethernet where possible.
- The infrastructure should utilise equipment level redundancy, and offer redundant or backup power services.
- Support should be provided for dual attaching servers. Note that this may not be possible with some operating systems and some applications, so dialogue with server and application suppliers is essential.
- The server layer should utilise dual uplink connections to the Core layer.
- The server layer should provide the organisational boundary for application traffic, and should support the capability to classify and mark application traffic for subsequent prioritisation.
- Intelligent security services and features should be provided to help maintain the confidentiality of PID whilst in transit.
- Intelligent security services and features should be utilised to help mitigate against unauthorised connections to the network infrastructure.
- Comprehensive management tools for device, fault and performance management should support the server layer. In particular the tools should support network-wide software and configuration updates, and network-wide updates for QoS and security policies.
- The Server layer should support secure management protocols such as HTTPS, SNMPv3, SFTP and SSHv2.

6 Network Infrastructure Availability

High availability is achieved by a well-designed network infrastructure that supports the enforcement of a strong security policy, together with the implementation of resilience and redundancy features within the network infrastructure components. The resilience features can be grouped into two basic categories: physical resilience and software resilience. The supporting infrastructure, cable plant, physical environment and active components all fall into the physical category. Network control plane features, such as layer two and layer three routing protocols, DHCP, and Domain Name System (DNS) services, fall into the software category.

6.1 Physical Resilience and Redundancy

The physical layout of the network must be known and documented. Node points for the Core and Distribution elements of the network should be identified, in addition to wiring closet locations for distribution to network endpoints. Distances between network locations should be determined before laying cables, both for fibre-optic cabling and structured copper wiring. The measured distance for fibre-optic cabling may dictate the mode of cable used, whilst structured copper wiring has a fixed maximum distance.

It is recommended that multi-core single mode fibre-optic cable is used between core layer switch sites, and for uplinks from wiring closets to distribution layer / core layer switches, as a minimum standard. It is recommended that fibre-optic cable connecting Core layer infrastructure components is laid along diverse routing paths. Such connections may be bundled together to create aggregated links. It is recommended that cables are laid from wiring closets to a minimum of two distribution / core layer switch locations.

6.2 Equipment Level Redundancy [10]

The provision of redundant or load sharing equipment in a network is a trade-off between budget constraints and pragmatism about the likelihood of an outage. The financial impact of such measures has often dictated that specific areas of the network are prioritised for redundancy. However, as the IP network becomes the single vehicle for delivery of local and national healthcare applications, greater emphasis should be placed upon providing heightened levels of redundancy across the whole of the network infrastructure.

[10] See Business Continuity and Disaster Planning GPG at

It is recommended that:

- The organisation's network infrastructure should have two or more core switch node locations.
- Each wiring closet / Distribution layer switch should have at least two uplinks to separate Core / Distribution layer switches.
- Core switches should be deployed with redundant management engines, switching fabrics and power supplies.
- Where there is a heightened level of dependency on one core switch, e.g. where cable plant restrictions result in distribution / wiring closet uplinks being terminated by a single core switch, the distribution of the uplinks across separate line cards within the core switch should be considered essential.
- Where a single chassis is utilised in a wiring closet, the uplinks should be distributed across line cards within the chassis, in order to decrease the risk of an outage in the event of a failure of any one card.
- Where stackable switches are used in the wiring closets, these should be stacked together to create a single logical access layer switch, either through the uplink ports or, optimally, via dedicated bus connections if available. The uplinks from the switch stack to core / distribution node locations should be via separate switches in the stack wherever possible. Insertion and removal of switches in the stack without disruption to network traffic is desirable.

6.3 Software Resilience and Redundancy

Software features within the infrastructure devices that converge around physical failures perform a vital role in ensuring an application's availability. For example, the capability to create one logical link from two or more physical links, and to hide individual link failures from higher layer networking protocols, enables the infrastructure to re-route traffic around link failures transparently to the end user / application.

The use of layer three routing protocols enables a more scalable approach to alternative path switching around failures. When choosing a layer 3 routing protocol, flexibility, convergence capabilities and scalability should be considered. Link state protocols, such as Open Shortest Path First (OSPF) [11] and Intermediate System-to-Intermediate System (IS-IS) [12], are the preferred options. OSPF is the most common protocol in use and has the added advantage of being an accepted industry standard suitable for multi-vendor networks.

Both OSPF and IS-IS offer authentication features. Passwords can be set to prevent unauthorised routers from forming adjacencies with routers in the network, and MD5 authentication is an option. A simple (clear-text) password is carried in every packet and offers no protection against an attacker who can observe the link, so keyed MD5 authentication should be treated as the minimum; OSPFv2 and IS-IS also support HMAC-SHA authentication (RFC 5709 and RFC 5310 respectively), which should be used where the platforms support it.
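To make the difference between the two OSPF authentication types concrete, the following added example (written for this page, not taken from the guideline or from any router implementation) builds an OSPFv2 Hello packet under simple password authentication and under MD5 cryptographic authentication as specified in RFC 2328 Appendix D, then performs the receiver's checks: digest, key ID, and the non-decreasing cryptographic sequence number that limits replay. Router ID, area, key ID and the keys are constructed values.

```python
"""Added example (not from the guideline): OSPFv2 packet authentication per
RFC 2328 Appendix D. Shows that AuType 1 puts the password on the wire and that
AuType 2 appends an MD5 digest computed over packet + zero-padded 16-byte key."""
import hashlib
import hmac
import struct

OSPF_VERSION, OSPF_HELLO = 2, 1
AUTH_NONE, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HEADER_LEN = 24        # OSPFv2 header including the 8-byte authentication field
DIGEST_LEN = 16


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum; only used when AuType is not cryptographic."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(mask: bytes, hello_interval: int = 10, dead_interval: int = 40) -> bytes:
    """Hello body: mask, hello interval, options (E bit), priority, dead interval, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", mask, hello_interval, 0x02, 1, dead_interval, bytes(4), bytes(4))


def ospf_packet(router_id: bytes, area_id: bytes, body: bytes, autype: int, auth_field: bytes) -> bytes:
    """Header + body. Under cryptographic authentication the checksum field stays zero."""
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, length, router_id, area_id, 0, autype)
    pkt = header + auth_field + body
    if autype != AUTH_CRYPTO:
        # Checksum covers the whole packet except the 64-bit authentication field.
        csum = ip_checksum(pkt[:16] + pkt[HEADER_LEN:])
        pkt = pkt[:12] + struct.pack("!H", csum) + pkt[14:]
    return pkt


def simple_auth_packet(router_id: bytes, area_id: bytes, body: bytes, password: bytes) -> bytes:
    """AuType 1: the password itself (up to 8 bytes, zero padded) is the authentication field."""
    return ospf_packet(router_id, area_id, body, AUTH_SIMPLE, password[:8].ljust(8, b"\x00"))


def md5_digest(pkt: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet followed by the key padded to 16 bytes."""
    return hashlib.md5(pkt + key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")).digest()


def md5_auth_packet(router_id: bytes, area_id: bytes, body: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """AuType 2: auth field = zero(2) | key ID | auth data length | crypto sequence number.
    The digest follows the packet and is not counted in the header length field."""
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = ospf_packet(router_id, area_id, body, AUTH_CRYPTO, auth_field)
    return pkt + md5_digest(pkt, key)


def verify_md5_auth(frame: bytes, keys: dict, last_seq: int):
    """Receiver check. `keys` maps key ID -> key; `last_seq` is the last sequence number
    accepted from this neighbour (it must not decrease)."""
    if len(frame) < HEADER_LEN + DIGEST_LEN:
        return False, "too short"
    length = struct.unpack("!H", frame[2:4])[0]
    autype = struct.unpack("!H", frame[14:16])[0]
    if autype != AUTH_CRYPTO:
        return False, "not cryptographic authentication"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if auth_len != DIGEST_LEN or len(frame) != length + DIGEST_LEN:
        return False, "bad authentication data length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    pkt, digest = frame[:length], frame[length:]
    if not hmac.compare_digest(md5_digest(pkt, key), digest):
        return False, "digest mismatch"
    if seq < last_seq:
        return False, "replayed sequence number"
    return True, "ok"


# Constructed values: router 10.0.0.1 in area 0.0.0.0 on a /24, key ID 1.
ROUTER_A, AREA_0, MASK = bytes([10, 0, 0, 1]), bytes(4), bytes([255, 255, 255, 0])
KEYS = {1: b"n3-core-k3y"}


def demo() -> dict:
    body = hello_body(MASK)
    simple = simple_auth_packet(ROUTER_A, AREA_0, body, b"secret")
    frame = md5_auth_packet(ROUTER_A, AREA_0, body, key_id=1, seq=1000, key=KEYS[1])
    tampered = bytearray(frame)
    tampered[HEADER_LEN + 4] ^= 0xFF        # flip a byte of the hello interval
    return {
        "simple_auth_leaks": simple[16:24].rstrip(b"\x00"),   # password readable on the wire
        "md5_valid": verify_md5_auth(frame, KEYS, last_seq=999),
        "md5_tampered": verify_md5_auth(bytes(tampered), KEYS, last_seq=999),
        "md5_wrong_key": verify_md5_auth(frame, {1: b"guess"}, last_seq=999),
        "md5_replayed": verify_md5_auth(frame, KEYS, last_seq=1001),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The sequence number check is what stops a captured Hello from being replayed later to keep a stale adjacency alive; it is why routers keep per-neighbour state and why a key roll-over, not just a key, needs planning.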

Some vendors support proprietary layer 3 routing protocols, such as Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP) [13], which are often less complex and able to provide faster convergence times. These protocols should only be considered for single vendor networks, or where the vendor also provides layer 3 routing protocol intercommunication capabilities. This is usually achieved through route re-distribution between the layer three routing protocols. The transfer of routing information between routing processes should be treated as an autonomous boundary point in terms of security posture: for example, route re-distribution should be secured against unauthorised route injection and spoofing.

At the layer 3 / layer 2 boundaries, a first-hop routing protocol should be used to provide a virtual default gateway. The standards based first-hop routing protocol is the Virtual Router Redundancy Protocol (VRRP) [14]. Vendors who provide proprietary first-hop routing protocols can offer enhancements such as awareness of upstream network events and concurrently active / active uplinks. Vendor proprietary solutions should only be considered where the first-hop routing protocol is to be used between devices from a single vendor that are performing the virtual default gateway function.

Whilst layer 3 is recommended for the network core, it may be necessary for layer 2 traffic to traverse the network to support legacy non-routable protocols. Whilst some vendors have introduced their own proprietary enhancements to the Spanning Tree Protocol (STP) [15], there are two standards based enhancements to STP available:

- The IEEE 802.1s standard allows several VLANs to be mapped to a reduced number of spanning-tree instances.
- The IEEE 802.1w standard provides the mechanisms to allow faster spanning tree convergence after a topology change.

Both first-hop redundancy protocols and STP accept state from any neighbour that speaks them, so they should run only on links between infrastructure devices: access ports facing end systems should not be able to influence the spanning-tree topology or to advertise themselves as the virtual default gateway.


More information

This chapter covers four comprehensive scenarios that draw on several design topics covered in this book:

This chapter covers four comprehensive scenarios that draw on several design topics covered in this book: This chapter covers four comprehensive scenarios that draw on several design topics covered in this book: Scenario One: Pearland Hospital Scenario Two: Big Oil and Gas Scenario Three: Beauty Things Store

More information

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks. Table of Contents Section 1: Executive summary...1 Section 2: The challenge...2 Section 3: WLAN security...3 and the 802.1X standard Section 4: The solution...4 Section 5: Security...4 Section 6: Encrypted

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles.

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles. Data Networking and Architecture The course focuses on theoretical principles and practical implementation of selected Data Networking protocols and standards. Physical network architecture is described

More information