560 Chapter 15: Network Security Technologies
Good Security
A good security solution reduces the total cost of a network's implementation and operation.
The CCDP's challenge can be to consolidate a company's many different security technologies
so that there are just a few. This saves the company personnel training costs by limiting the
devices on which those personnel need to be trained. It also reduces ongoing administrative
costs, such as the need for people to monitor logs. Another advantage is that applications once
considered unsafe can be implemented, enabling extranet-type applications to link the company
more closely with partners and suppliers. The Internet becomes a more accessible global
access medium.
Firewall Design
There is no "best" firewall. Which one is best depends on the situation in which the firewall is
required. At least three different types of firewalls are commonly used in today's networks:
· Packet-filter routers (Cisco IOS serves as a packet filter in a router)
· Dual-homed gateways (application proxies)
· Stateful filters
Each of the three is discussed in detail in this section. Network Address Translation is also
discussed.
Packet-Filter Routers
If you configure routers with packet filters, traffic can be allowed in or out of the perimeter
routers. A perimeter router is the router that interfaces with the Internet, or the exit point from
a customer's network, as shown in Figure 15-5.