Security on Cisco Catalyst 6800 Series At-A-Glance

ENABLING AN INTELLIGENT CAMPUS SELF-DEFENDING NETWORK
Needs in Campus Networks Security Today
With the rise of bring your own device (BYOD), mobility, and smart devices, customers
need to support different kinds of devices, such as personal smartphones, laptops, and
tablets, in their corporate networks today. With the proliferation of devices connecting
to the campus network, customers need a solution that helps them meet their security
policies when these devices use network resources. The study by Cisco IBSG in Figure 1
shows security is now the top challenge for BYOD adoption for enterprise customers.
Figure 1. Percentage of Companies That Find Security the Top BYOD Challenge
[Bar chart, one bar per region: Total, U.S., U.K., Germany, France, Russia, China, India, Mexico, Brazil. Extracted values, region pairing not recoverable: 38%, 36%, 33%, 26%, 25%, 23%, 22%, 19%, 17%, 14%. Source: Cisco IBSG, 2012. N = 4,892.]
Campus networks must establish the minimum security baseline that any device must
meet to be connected to the corporate network, including Wi-Fi security, VPN access,
and additional software to protect against malware. In addition, because of the wide
range of devices, it is critical to be able to identify each device connecting to the
network and authenticate both the device and the person using it.
Benefits of Cisco Campus Security Solutions
Cisco® Catalyst® 6500 Series Switches are the industry leader in advanced security
solutions in the campus network space. The successor, the Cisco Catalyst 6800 Series
Switches, build on top of that foundation and do more. The Cisco Campus Security
Solution with Cisco Catalyst 6800 Series Switches centers around Cisco TrustSec®
security, ASA firewall service module, First Hop Security (FHS) (IPv4 and IPv6),
hardware rate limiting, and control plane policing (CoPP). End-to-end campus network
solutions with the Cisco Catalyst 6800 at core and distribution can address the campus
security needs brought by BYOD and other technologies.
The complete security solution in the campus network with Cisco Catalyst 6800 Series
Switches in the core and distribution provides the following advantages:
• Lowers security risks by providing comprehensive visibility of who and what are
connecting to the wired or wireless network
• Offers exceptional control over activity of network users accessing physical or
cloud-based IT resources
• Provides a growing mobile and complex workforce with appropriate and more
secure access from any device
• Reduces total cost of ownership through centralized, highly secure access policy
management and scalable enforcement mechanisms
• Integration with Cisco SecureX Architecture® to allow end-to-end use of network-based
identity context for full context-aware firewalling and policy enforcement
Comprehensive Security Solutions with Cisco Catalyst 6800 Series Switches
The Cisco Catalyst 6880-X and 6807-XL switches help secure networks and provide
secure access through the following primary feature categories:
Cisco TrustSec
Cisco TrustSec enables role-based policy definitions in a centralized policy engine
(ISE) and the distributed enforcement of those policies in the network infrastructure
independent of network architecture. This provides the ability to define granular
policies based on user role, device, location, and posture while making policy definition
and change management operationally efficient. The Cisco Catalyst 6800 supports full
Cisco TrustSec capabilities with hardware acceleration for security group tag (SGT)
imposition and IEEE 802.1AE MACsec at wire-speed rates. Security group access
control lists (SGACLs) can be used to control the operations that users can perform
based on the security group assignments of users and destination resources.
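The following added example (not Cisco code, and not the switch's implementation) models the two steps the paragraph describes: classifying a packet's source and destination IP addresses into SGTs using an IP-to-SGT mapping, then evaluating the role-based permission list for that (source SGT, destination SGT) cell. The mapping and the SGACL are the ones drawn in Figure 2 of this document ("cts role-based permissions from 100 to 42"); the packet samples, the "permit" default for cells with no SGACL, and all Python names are constructed assumptions.

```python
"""Model of Cisco TrustSec SGT classification and SGACL enforcement.

Added illustration, not Cisco code. An IP-to-SGT mapping (learned from ISE
via RADIUS or SXP in a real deployment) classifies each packet's source and
destination into security groups; the role-based permission list for that
(source SGT, destination SGT) pair decides whether the packet is forwarded.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# IP-to-SGT mapping as drawn in Figure 2 (constructed sample).
IP_SGT_MAP: Dict[str, int] = {
    "10.1.1.1": 100,
    "10.1.1.2": 110,
    "10.1.1.3": 42,
}
UNKNOWN_SGT = 0  # unclassified sources carry SGT 0 ("unknown")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access control entry of an SGACL."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


# Role-based permission matrix keyed by (source SGT, destination SGT).
# The (100, 42) cell is the SGACL shown in Figure 2:
#   cts role-based permissions from 100 to 42
#     permit tcp dst eq 443
#     permit tcp dst eq 80
#     deny ip
SGACL_MATRIX: Dict[Tuple[int, int], List[Ace]] = {
    (100, 42): [Ace("permit", "tcp", 443), Ace("permit", "tcp", 80), Ace("deny", "ip")],
}
# Assumption for this model: cells with no SGACL fall back to permit.
DEFAULT_ACTION = "permit"


def classify(ip: str) -> int:
    """Return the SGT bound to an IP address, or SGT 0 if it is unclassified."""
    ip_address(ip)  # raises ValueError on malformed input
    return IP_SGT_MAP.get(ip, UNKNOWN_SGT)


def enforce(pkt: Packet) -> str:
    """Return "permit" or "deny" for pkt; the SGACL is evaluated top-down,
    first match wins, like any Cisco ACL."""
    cell = (classify(pkt.src_ip), classify(pkt.dst_ip))
    for ace in SGACL_MATRIX.get(cell, []):
        if ace.matches(pkt):
            return ace.action
    return DEFAULT_ACTION


def enforce_many(pkts: List[Packet]) -> List[Tuple[Packet, str]]:
    return [(p, enforce(p)) for p in pkts]


if __name__ == "__main__":
    samples = [  # constructed traffic from the SGT 100 host to the SGT 42 server
        Packet("10.1.1.1", "10.1.1.3", "tcp", 443),  # HTTPS: permit
        Packet("10.1.1.1", "10.1.1.3", "tcp", 22),   # SSH: caught by "deny ip"
        Packet("10.1.1.1", "10.1.1.3", "icmp"),      # ping: caught by "deny ip"
        Packet("10.1.1.2", "10.1.1.3", "tcp", 22),   # SGT 110 -> 42: no SGACL, default
    ]
    for pkt, verdict in enforce_many(samples):
        print(f"{pkt.src_ip} (SGT {classify(pkt.src_ip)}) -> {pkt.dst_ip} "
              f"(SGT {classify(pkt.dst_ip)}) {pkt.proto}/{pkt.dst_port}: {verdict}")
```

The point worth noticing is that the decision never looks at the IP addresses themselves once the SGTs are known: moving the server to another subnet changes the mapping table, not the policy, which is why the paragraph can say the policy is independent of network architecture.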
Single Consistent Security Policy with Instant Access
Instant access provides a single consistent security policy across the instant access
system because the security policies are applied on the single extended switch. IT can
stay compliant with regulations cost effectively. It enables supporting a wide range of
authentication options at the access, including 802.1x for managed devices and users,
web authentication for guests or non-802.1x users, and MAC authentication bypass
for unmanaged or non-802.1x devices.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
IP Source Guard and Dynamic ARP Inspection
IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a
malicious host from impersonating a legitimate host by assuming the legitimate host’s
IP address. Dynamic ARP Inspection (DAI) is a security feature that validates Address
Resolution Protocol (ARP) packets in a network. DAI intercepts, logs, and discards ARP
packets with invalid IP-to-MAC address bindings. This capability protects the network
from some man-in-the-middle attacks.
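To show how the two features in this section reach their verdicts, here is an added example (not Cisco code) that models both against one DHCP snooping binding table: IP Source Guard checks an IP frame's source MAC and IP against the binding for the ingress port and VLAN, and Dynamic ARP Inspection checks an ARP frame's sender pair against the table, logging each discard as the text describes. The binding table, port names, MAC addresses and frames are constructed; the trusted-port handling and the Ethernet-source-versus-ARP-sender check (Cisco's optional `ip arp inspection validate src-mac`) are simplified for illustration.

```python
"""Model of IP Source Guard and Dynamic ARP Inspection (DAI).

Added illustration, not Cisco code. Both features consult the DHCP snooping
binding table (port, VLAN, MAC, IP): IP Source Guard drops IP traffic whose
source does not match the binding on the ingress port, and DAI drops ARP
packets whose sender IP/MAC pair is not in the table.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    port: str
    vlan: int
    mac: str
    ip: str


# Constructed DHCP snooping binding table, keyed by (port, vlan).
BINDINGS: Dict[Tuple[str, int], Binding] = {
    ("Gi1/0/1", 10): Binding("Gi1/0/1", 10, "00:11:22:33:44:01", "10.1.1.1"),
    ("Gi1/0/2", 10): Binding("Gi1/0/2", 10, "00:11:22:33:44:02", "10.1.1.2"),
}
# Uplink toward the DHCP server / default gateway: trusted, not inspected.
TRUSTED_PORTS = {"Gi1/0/24"}


@dataclass(frozen=True)
class IpFrame:
    port: str
    vlan: int
    src_mac: str
    src_ip: str


@dataclass(frozen=True)
class ArpFrame:
    port: str
    vlan: int
    src_mac: str      # Ethernet source address
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address


def ip_source_guard(f: IpFrame) -> str:
    """Return "forward" or "drop". The ingress port/VLAN must hold a binding
    matching the frame's source MAC and IP; a port with no binding at all
    forwards nothing (except DHCP, which is outside this model)."""
    if f.port in TRUSTED_PORTS:
        return "forward"
    b = BINDINGS.get((f.port, f.vlan))
    if b is None or b.ip != f.src_ip or b.mac != f.src_mac:
        return "drop"
    return "forward"


def dynamic_arp_inspection(f: ArpFrame, log: List[str]) -> str:
    """Return "forward" or "drop"; every discard appends a log line, as DAI does."""
    if f.port in TRUSTED_PORTS:
        return "forward"
    # Optional validation: Ethernet source must equal the ARP sender MAC.
    if f.src_mac != f.sender_mac:
        log.append(f"DAI drop on {f.port} vlan {f.vlan}: ethernet src {f.src_mac} "
                   f"!= arp sender {f.sender_mac}")
        return "drop"
    b = BINDINGS.get((f.port, f.vlan))
    if b is None or b.ip != f.sender_ip or b.mac != f.sender_mac:
        log.append(f"DAI drop on {f.port} vlan {f.vlan}: invalid binding "
                   f"{f.sender_ip}/{f.sender_mac}")
        return "drop"
    return "forward"


if __name__ == "__main__":
    log: List[str] = []
    # Constructed: the host on Gi1/0/2 announces the IP bound to Gi1/0/1.
    spoof = ArpFrame("Gi1/0/2", 10, "00:11:22:33:44:02", "00:11:22:33:44:02", "10.1.1.1")
    print(dynamic_arp_inspection(spoof, log), "->", log[-1])
    legit = IpFrame("Gi1/0/1", 10, "00:11:22:33:44:01", "10.1.1.1")
    print(ip_source_guard(legit))
```

In operation the binding table is populated by DHCP snooping, so statically addressed hosts need a manual binding (or, for DAI, an ARP ACL) or they will be dropped; that is the most common deployment surprise with both features.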
Cisco ASA Firewall Service Module
Installed inside a Cisco Catalyst 6800 Series Switch, the ASA Services Module allows
any port on the device to operate as a firewall port and integrates firewall security
inside the network infrastructure. The ASA Services Module can handle up to 16 Gbps
of traffic, providing unsurpassed performance to meet future requirements. It works
in tandem with other modules in the chassis to deliver robust security throughout the
entire chassis, effectively making every port in the switch a security port.
The Catalyst 6500 has additional security features, highlighted below, which further
secure the campus network:
• IPv4 FHS: Cisco Catalyst switches offer Cisco Integrated Security Features, an
industry-leading solution that provides superior Layer 2 threat defense capabilities
for mitigating man-in-the-middle attacks (such as MAC, IP, and ARP spoofing).
Delivering powerful, easy-to-use tools to effectively prevent the most common and
potentially damaging Layer 2 security threats, Cisco Integrated Security Features
provide robust security throughout the network.
• IPv6 FHS: IPv6 raises a number of FHS concerns that were not present in IPv4.
Those concerns stem from the protocol’s unique manner in which it performs router
and neighbor discovery, address assignment, and address resolution using Neighbor
Discovery Protocol (NDP). These mechanisms could allow an attacker to deploy
attacks such as traffic interception, denial of service (DoS), or man in the middle.
• CoPP: The CoPP feature increases security on the switch by protecting the route
processor (RP) from unnecessary or DoS traffic and giving priority to important
control plane and management traffic. CoPP provides filtering and rate-limiting
capabilities for the control plane packets to protect the control and management
planes and ensures routing stability, reachability, and packet delivery.
Figure 2 shows the end-to-end security Cisco TrustSec enables in the campus with
802.1X, SGT, SGACL, and ISE working in conjunction with each other.
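To make the CoPP bullet concrete, the following added example (not Cisco code, and not the Catalyst's actual policer) models the two things CoPP does to packets punted to the route processor: classify them into control-plane classes, then rate-limit each class with its own token bucket so a flood in one class cannot starve routing protocol traffic in another. The class names, rates, burst sizes and the packet trace are constructed assumptions chosen to keep the arithmetic exact.

```python
"""Model of Control Plane Policing (CoPP): per-class token-bucket policing
of packets punted to the route processor. Added illustration, not Cisco code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TokenBucket:
    rate_pps: float            # sustained rate, packets per second
    burst: int                 # bucket depth, packets
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # bucket starts full

    def conform(self, now: float) -> bool:
        """Refill for elapsed time, then spend one token if one is available."""
        elapsed = max(0.0, now - self.last_t)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_pps)
        self.last_t = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass(frozen=True)
class Pkt:
    t: float                   # arrival time in seconds
    proto: str                 # "ospf", "tcp", "udp" or "icmp"
    dst_port: int = 0


def classify(p: Pkt) -> str:
    """Map a punted packet to a CoPP class (constructed class set)."""
    if p.proto == "ospf" or (p.proto == "tcp" and p.dst_port == 179):
        return "routing"
    if (p.proto == "tcp" and p.dst_port == 22) or (p.proto == "udp" and p.dst_port == 161):
        return "management"
    if p.proto == "icmp":
        return "icmp"
    return "default"


def build_policy() -> Dict[str, TokenBucket]:
    """Constructed policy: routing gets the most headroom, ICMP and
    everything else punted to the RP get tight limits."""
    return {
        "routing":    TokenBucket(rate_pps=5000, burst=1000),
        "management": TokenBucket(rate_pps=500, burst=100),
        "icmp":       TokenBucket(rate_pps=100, burst=100),
        "default":    TokenBucket(rate_pps=50, burst=50),
    }


def police(trace: List[Pkt], policy: Dict[str, TokenBucket]) -> Dict[str, Tuple[int, int]]:
    """Run a time-ordered trace through the policy; return per-class
    (conformed, exceeded) packet counts."""
    counts = {name: [0, 0] for name in policy}
    for p in trace:
        cls = classify(p)
        counts[cls][0 if policy[cls].conform(p.t) else 1] += 1
    return {name: (c[0], c[1]) for name, c in counts.items()}


def sample_trace() -> List[Pkt]:
    """Constructed trace: 1000 ICMP packets hit the RP at t=0 alongside 10 OSPF
    hellos, then 100 more ICMP packets arrive at t=0.5 s."""
    trace = [Pkt(0.0, "icmp") for _ in range(1000)]
    trace += [Pkt(0.0, "ospf") for _ in range(10)]
    trace += [Pkt(0.5, "icmp") for _ in range(100)]
    return trace


if __name__ == "__main__":
    for cls, (ok, dropped) in police(sample_trace(), build_policy()).items():
        print(f"{cls:11s} conformed={ok:5d} exceeded={dropped:5d}")
```

With these numbers the ICMP class admits its 100-packet burst, drops the other 900, refills 50 tokens over the next half second and admits 50 of the late packets, while all 10 OSPF hellos pass untouched: the routing class never saw the flood, which is the stability guarantee the bullet refers to.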
Figure 2. How Cisco TrustSec Works in the Campus
[Diagram. The Identity Services Engine (ISE) authenticates endpoints with 802.1X, MAB, or Web Auth, classifying them by who, what, where, when, and how into a security group over a RADIUS session ("Identity Services with SXP for SGT Mapping"). Network device authentication establishes the Cisco TrustSec domain; the IP-address-to-SGT mapping is shared with the Cisco Catalyst 6800 over an SXP session; "Security Group Tagging and Forwarding" carries the SGT with the traffic; SGACL enforcement takes place on the Cisco Catalyst 6800 in front of the application (APP).]
IP-address-to-SGT mapping shown in the diagram:
IP Address    SGT
10.1.1.1      100
10.1.1.2      110
10.1.1.3      42
SGACL shown in the diagram:
cts role-based permissions from 100 to 42
permit tcp dst eq 443
permit tcp dst eq 80
deny ip
For More Information
Cisco Catalyst 6800 End-to-End Security
www.cisco.com/go/6800
www.cisco.com/go/security
C45-729471-00 09/13