Cisco Security Setup & Configuration: Part 1 – a Layered Approach
www.globalknowledge.com
Expert Reference Series of White Papers
Introduction
This paper is the first in a three-part series of white papers, each of which focuses on a functional area of securing your network. The three papers work together to create a complete picture of how to configure your network appliances for complete corporate security. The series discusses a starting point for network security, suggested technology types, ideal points for securing your network using a layered approach, and secure ways to manage your new or existing network.
This first paper in the series introduces concepts to get started on network security and begin the process of
securing your network at the switch level.
Security Policy: Start at the Beginning
Security is one of the fastest growing branches within the networking industry, and current trends point to a steady increase in growth over the years to come. This is largely due to the integration of so many critical data types over a single network and the increased realization by companies of just how vulnerable their networks can be. With security becoming such a focal point of networks, it is increasingly important to understand how to integrate security into a network.
As with any new project, you must start with some direction. I’m sure you have heard the adage, “If you fail to
plan, then you plan to fail.” This is never more true than when planning network security. Create your security
policy to serve as a starting point and future road map for securing your corporation.
A security policy, originally defined in request for comment (RFC) 2196 and now updated in RFC 3704, contains the whys, whats, and hows of securing your corporate environment.
Isaac A. Valdez, Global Knowledge Instructor, CCSI, CCSP, CCNP, CCDP
Copyright ©2006 Global Knowledge Training LLC. All rights reserved.
The policy components below are arranged by the why (purpose), the what (policy component), and the how (notes and references):

• Why: To create a baseline of your current security configuration. What: Statement of authority and scope. How: Use the very documents that govern your day-to-day business operation, for example your physical site security regulations or corporate acceptable use policy.
• Why: To define allowed and not-allowed behaviors. What: Identification and authentication policy. How: Use standards such as SOX, HIPAA, VISA, International Standards Organization (ISO) 27001, etc.
• Why: To help determine necessary tools and procedures. What: Internet use policy. How: Reference web sites for assistance:
  • www.computersecuritynow.com
  • www.sans.org/resources/policies/#primer
  • security.berkeley.edu/pols.html
• Why: To help define roles and responsibilities. What: Campus access policy.
• Why: To state the consequences of misuse. What: Remote access policy.
• Why: To define how to handle security incidents (social & technical). What: Incident handling procedure.
• Why: To provide a process for continuing
Sample uses: Stateful inspection, Virtual Private Network (VPN) tunnel termination, advanced protocol handling, deep packet inspection, and Network Address Translation (NATting).
Ex. Cisco 1841, 3845, 7206
Ex. Cisco Catalyst 3750, 4506, 6513
Ex. Cisco PIX 525, ASA 5540
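As an added example (not configuration from the paper or from Cisco documentation), the fragment below shows how a Cisco ASA in the firewall role listed above would be set up for the sample uses named: two security zones, Network Address Translation of the inside network to the outside interface address, an inbound policy that logs what the implicit deny drops, and stateful application inspection applied globally. Interface names, IP addresses, the access-list name and the policy-map name are assumed values; the nat/global form is the pre-8.3 ASA syntax current when this paper was written.

```cisco
! Two security zones (assumed addresses). Connections initiated from the
! higher security-level interface toward the lower one are tracked in the
! connection table; return traffic is admitted only when it matches an entry.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Network Address Translation: hide the inside network behind the outside
! interface address (dynamic PAT, pre-8.3 nat/global syntax).
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
!
! Inbound policy on the outside interface (assumed name OUTSIDE_IN). Nothing
! is opened inbound here; the explicit deny exists so that dropped packets
! are logged and the policy's intent is visible in the configuration.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Stateful inspection and advanced protocol handling: the inspection engines
! follow the control channel of protocols such as FTP and open the data
! connection dynamically, so no broad permit is needed for it.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
  inspect icmp
!
service-policy global_policy global
```

With this in place, inside hosts reach the outside network through the translated address, ICMP echo replies are admitted only in response to echoes that left through the firewall, and any unsolicited inbound packet appears in the syslog as a denied entry for the OUTSIDE_IN access list.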
VPN Concentrator: A security device used to connect (terminate) VPN sessions from
Remote Access, Web Clients, and Site-to-Site locations.
Sample uses: High volume termination of Remote Access and Clientless VPN sessions.
Offering extensive control over the VPN sessions of the connecting device.
Intrusion Detection or Prevention System (IDS/IPS) Sensor: A device that generally detects unwanted manipulations to communication systems (individual and streams of packets) and is required to detect all types of malicious network traffic.
Sample uses: As a device that inspects traffic/communications on all critical entry and
exit points to a corporate network.
Host-based Intrusion Prevention System (HIPS): An agent (Cisco Security Agent, CSA) installed on host stations that provides security against malicious activity between applications on the host and communications from the host.
Used to enforce a company’s security policy at the end-station level.
Sample uses: Install on critical end-stations and servers to protect them from access to
local or network resources that do not follow the security policy.