Wednesday, 14 March 2012

This document presumes that you already

This document presumes that you already have a security policy in place. Cisco Systems does not recommend deploying
VPNs or any security technology without an associated policy. It presumes you are aware of what data is sensitive in your
network so that it can be properly protected when transported through the Internet. Although the topic of network security
is mentioned in this document, it is not described in detail. Security within this document is always mentioned as it pertains
to VPN technology. Readers interested in more information on network security should look to the SAFE security documents
for detailed design guidance: http://www.cisco.com/go/safe.
Following the guidelines in this document does not guarantee a secure environment, nor does it guarantee that you will
prevent all penetrations. Absolute security can be achieved only by disconnecting a system from the network, encasing it in
concrete, and putting it on the bottom floor at Fort Knox. Your data will be very safe, though inaccessible. However, you
can achieve reasonable security by establishing a good security policy, following the guidelines in this and the SAFE security
documents, staying up-to-date on the latest developments in the hacker and security communities, and maintaining and
monitoring all systems with sound system administration practices.
Though this document contains a large amount of detail on many aspects of VPN technologies, it is not exhaustive in its
discussion. In particular, several technologies that relate to VPNs are not covered. First, certificate-authority (CA)
deployment is not discussed. Identity strategies are addressed, including X.509 v3 digital certificates, as well as other identity
technologies. Best practices for deployment of CAs in an enterprise are not discussed. CAs and their associated deployment
issues require a level of focus that this document cannot provide and still adequately address all the other relevant areas of
identity and VPN. Also, because most networks have yet to deploy fully functional CA environments, it is important to
discuss how to securely deploy networks without them. Second, the VPN designs in this paper assume the VPN gear exists
on the customer premises and is managed by the customer. Though these topologies may not change significantly if the VPN
is managed by a service provider, the management and provisioning of that type of network would be very different. As such,
this document can be used to evaluate the VPN offerings of a service provider, but should not be used as best-practice
recommendations for outsourced VPNs. Third, a detailed analysis of the issues surrounding maintaining QoS in VPNs is
not addressed in this document. QoS is an essential component in delivering differentiated service levels and ensuring reliable
throughput of mission-critical data across the VPN. This paper addresses many other essential design considerations.
However, analysis of these issues alone exhausted the allocated resources for the first release of this paper.
