This section describes the components of the Enterprise Edge and explains the importance of each module. The Enterprise Edge infrastructure modules aggregate the connectivity from the various elements outside the campus—using various services and WAN technologies as needed, typically provisioned from service providers—and route the traffic into the Campus Core layer. The Enterprise Edge modules perform security functions when enterprise resources connect across public networks and the Internet. As shown in Figure 2.2.4 and in the following list, the Enterprise Edge functional area is composed of four main modules:
■ E-commerce module: The E-commerce module includes the devices and services necessary for an organization to provide e-commerce applications.
■ Internet Connectivity module: The Internet Connectivity module provides enterprise users with Internet access.
■ Remote Access and VPN module: This module terminates VPN traffic and dial-in connections from external users.
■ WAN and MAN and Site-to-Site VPN module: This module provides connectivity between remote sites and the central site over various WAN technologies.
Figure: Enterprise Edge Functional Area
These modules connect to the Campus Core directly or through an optional Edge Distribution module. The optional Edge Distribution module aggregates the connectivity from the various elements at the enterprise edge and routes the traffic into the Campus Core layer. In addition, the Edge Distribution module acts as a boundary between the Enterprise Campus and the Enterprise Edge and is the last line of defense against external attacks; its structure is similar to that of the Building Distribution layer.
The following sections detail each of the four main Enterprise Edge modules.
E-commerce Module
The E-commerce module enables enterprises to successfully deploy e-commerce applications and take advantage of the opportunities the Internet provides. The majority of traffic is initiated external to the enterprise. All e-commerce transactions pass through a series of intelligent services that provide scalability, security, and high availability within the overall e-commerce network design. To build a successful e-commerce solution, the following network devices might be included:
■ Web servers: Act as the primary user interface for e-commerce navigation
■ Application servers: Host the various applications
■ Database servers: Contain the application and transaction information that is the heart of the e-commerce business implementation
■ Firewalls or firewall routers: Govern communication and provide security between the system’s various users
■ Network Intrusion Detection System/Network Intrusion Prevention System (NIDS/NIPS) appliances: Monitor key network segments in the module to detect and respond to attacks against the network
■ Multilayer switch with Intrusion Detection System/Intrusion Prevention System (IDS/IPS) modules: Provide traffic transport and integrated security monitoring
■ Host-based Intrusion Prevention Systems (HIPS): Deployed on sensitive core application servers and on dedicated appliances to provide real-time reporting and prevention of attacks as an extra layer of defense
Internet Connectivity Module
The Internet Connectivity module provides internal users with connectivity to Internet services, such as HTTP, FTP, Simple Mail Transfer Protocol (SMTP), and DNS. This module also provides Internet users with access to information published on an enterprise’s public servers, such as HTTP and FTP servers. Internet session initiation is typically from inside the enterprise toward the Internet. Additionally, this module accepts VPN traffic from remote users and remote sites and forwards it to the Remote Access and VPN module, where VPN termination takes place. The Internet Connectivity module is not designed to serve e-commerce applications. Major components used in the Internet Connectivity module include the following:
■ SMTP mail servers: Act as a relay between the Internet and the intranet mail servers.
■ DNS servers: Serve as the authoritative external DNS server for the enterprise and relay internal DNS requests to the Internet.
■ Public servers (for example, FTP and HTTP): Provide public information about the organization. Each server on the public services segment contains host-based intrusion detection systems (HIDS) to monitor against any rogue activity at the operating system level and in common server applications including HTTP, FTP, and SMTP.
■ Firewalls or firewall routers: Provide network-level protection of resources, provide stateful filtering of traffic, and forward VPN traffic from remote sites and users for termination.
■ Edge routers: Provide basic filtering and multilayer connectivity to the Internet.
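The following Cisco IOS fragment is an added example, not configuration from the original text, showing the kind of "basic filtering" an edge router in the Internet Connectivity module applies on its Internet-facing interface. It drops spoofed source addresses, admits only the published service on each host of the public services segment, and lets IPsec (ISAKMP on UDP 500, NAT-T on UDP 4500, and ESP) through to the VPN terminator so the firewall can forward it to the Remote Access and VPN module. All addresses are assumptions drawn from the RFC 5737 documentation range (203.0.113.0/24 as the enterprise public prefix), and the interface name and ACL name are hypothetical.

```cisco
! Added example (not from the original text). Assumed addressing:
!   203.0.113.0/24   enterprise public prefix (RFC 5737 documentation space)
!   203.0.113.10     public HTTP/HTTPS server (public services segment)
!   203.0.113.25     SMTP relay
!   203.0.113.53     authoritative external DNS server
!   203.0.113.100    VPN terminator in the Remote Access and VPN module
ip access-list extended EDGE-INBOUND
 remark --- anti-spoofing: our own prefix and private/bogon space never arrive from the Internet
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 remark --- public services segment: only the published service on each host
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.25 eq 25
 permit udp any host 203.0.113.53 eq 53
 permit tcp any host 203.0.113.53 eq 53
 remark --- IPsec from remote users and remote sites, destined for the VPN terminator
 permit udp any host 203.0.113.100 eq isakmp
 permit udp any host 203.0.113.100 eq non500-isakmp
 permit esp any host 203.0.113.100
 remark --- return traffic for sessions initiated from inside (stateless check only;
 remark --- the firewall behind this router performs the stateful inspection)
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit udp any eq 53 203.0.113.0 0.0.0.255 gt 1023
 remark --- everything else is dropped and logged
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink (ISP)
 ip access-group EDGE-INBOUND in
 ip verify unicast source reachable-via rx
```

Two caveats a practitioner would check: the `established` and `gt 1023` lines are stateless approximations, so this ACL is a first filter rather than a substitute for the stateful firewall the module also contains; and the ordering matters, because the anti-spoofing denies must precede every permit. After applying it, `show ip access-lists EDGE-INBOUND` shows per-entry hit counters, and a probe from outside against an unpublished port on 203.0.113.10 should appear only in the final `deny ... log` counter.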
Remote Access and VPN Module
The Remote Access and VPN module terminates remote access traffic and VPN traffic that the Internet Connectivity Module forwards from remote users and remote sites. It also uses the Internet Connectivity module to initiate VPN connections to remote sites. Furthermore, the module terminates dial-in connections received through the public switched telephone network (PSTN) and, after successful authentication, grants dial-in users access to the network. Major components used in the Remote Access and VPN module include the following:
■ Dial-in access concentrators: Terminate dial-in connections and authenticate individual users
■ Cisco Adaptive Security Appliances (ASA): Terminate IPsec tunnels, authenticate individual remote users, and provide firewall and intrusion prevention services
■ Firewalls: Provide network-level protection of resources and stateful filtering of traffic, provide differentiated security for remote access users, authenticate trusted remote sites, and provide connectivity using IPsec tunnels
■ NIDS appliances: Provide Layer 4 to Layer 7 monitoring of key network segments in the module
WAN and MAN and Site-to-Site VPN Module
The WAN and MAN and Site-to-Site VPN module uses various WAN technologies, including site-to-site VPNs, to route traffic between remote sites and the central site. In addition to traditional media (such as leased lines) and circuit-switched data-link technologies (such as Frame Relay and ATM), this module can use more recent WAN physical layer technologies, including Synchronous Optical Network/Synchronous Digital Hierarchy (SONET/SDH), cable, DSL, MPLS, Metro Ethernet, wireless, and service provider VPNs. This module incorporates all Cisco devices that support these WAN technologies, along with routing, access control, and QoS mechanisms. Although security is less critical when the enterprise owns all the links, it should still be considered in the network design.
Enterprise Edge Guidelines
Follow these guidelines for creating the modules within the Enterprise Edge functional area:
Step 1 Create the E-commerce module (for business-to-business or business-to-customer scenarios) when customers or partners require Internet access to business applications and database servers. Deploy a high-security policy that allows customers to access predefined servers and services yet restricts all other operations.
Step 2 Determine the connections from the corporate network into the Internet, and assign them to the Internet Connectivity module. This module should implement security to prevent any unauthorized access from the Internet to the internal network. Public web servers reside in this module or the E-commerce module.
Step 3 Design the Remote Access and VPN module if the enterprise requires VPN connections or dial-in for accessing the internal network from the outside world. Implement a security policy in this module; users should not be able to access the internal network directly without authentication and authorization. The VPN sessions use connectivity from the Internet Connectivity module.
Step 4 Determine which part of the edge is used exclusively for permanent connections to remote locations (such as branch offices), and assign it to the WAN and MAN and Site-to-Site VPN module. All WAN devices supporting Frame Relay, ATM, cable, MPLS, leased lines, SONET/SDH, and so on, are located here.
KEY POINT
The WAN and MAN and Site-to-Site VPN module does not include the WAN connections or links; it provides only the interfaces to the WAN.