A “campus” network uses a mix of technologies, products, and applications, and serves a large user population. The campus network presents a challenging security picture because of the diversity of elements to protect:
• Servers, including departmental servers for user access and file sharing, central application servers such as finance and databases, and Web servers for either public Web or Intranet applications.
• Operating systems, typically multiple versions of multiple OS’s running on servers and clients.
• Network devices, including routers, Layer 4-7 load-balancing switches, Layer 3 core switches, Layer 2 distribution switches, and wireless LAN access points.
• Security devices, such as firewalls, VPN gateways, intrusion-detection and anti-virus servers, SSL accelerators, authentication servers, and content filtering servers.
Layer 2 switching security. VLANs based on IEEE 802.1Q standard and Ethernet switches segregate traffic for greater security and manageabilityWith the general availability of the 802.1x authentication standard, Ethernet switches offer embedded capabilities to apply security at every node in the network, providing an effective framework for authenticating and controlling user traffic to a protected network. 802.1x ties a protocol called EAP (Extensible Authentication Protocol, originally developed for PPP) to LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. It enables enforcement of client authorization on corporate authentication servers like RADIUS.
Layer 3 switching and routing security. Network address translation (NAT) enables an organization to present a public IP address to the world and hide internal addresses from public view. Processing NAT in hardware with a switch is an innovative strategy making routing and firewall solutions highly efficient. Proper design and use of routing and Layer 3 switching enhance the survivability of the campus network. Access control lists, IP segmentation and sub-netting, redundancy protocols such as Virtual Router Redundancy Protocol (VRRP), and fast convergence routing using OSPF (Open Shortest Path First) all contribute to a more survivable infrastructure. Routers and routing switches secure the data path using IP filters that drop undesirable packets. Routing can be further secure by implementing route policies, encryption and authentication of OSPF and BGP route updates with MD5, and broadcast/multicast rate limiting. Last but not least is the innovative Secure Routing Technology (SRT), which enables dynamic routing over secure IPsec tunnels for RIP and OSPF.
Securing remote communication via IPsec VPNs and SSL VPNs. Typically, the campus network also supports VPNs to connect with branch offices and remote users—carrying private network traffic within a secure, encrypted “tunnel” carried over a public network. Robust and secure central site solutions that support both remote access and remote office IP-VPNs and firewalls are key elements of the campus network. For more information, see “Securing the Perimeter Network” and “Securing Remote Access,”.
BTC Networks has partnered with the following vendors to offer best of breed campus security solutions.
Internet Security Systems (ISS)