586 Chapter 15: Network Security Technologies
Scenario Answers
Answer to Scenario 1
The requirements placed on the CCDP can be met by turning off CDP broadcasts at the serial
interface on the perimeter router. Because no DMZ area or choke router will be in place, it would
be a good idea to place access lists that permit only certain traffic (ports) through to the servers
inside. Another idea would be to deny unnecessary traffic. Permitting only established sessions
from the Internet to enter the inside network meets the Telnet requirement. See Figure 15-19.
Figure 15-19: Scenario 1 Suggested Solution
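The Scenario 1 answer expressed as a perimeter-router configuration. This is an added example, not a configuration from the book. The interface name, ACL number, server addresses and permitted ports are assumptions, and `ntp disable` reflects the "Disable NTP" callout among the figure labels on this page.

```cisco
! Added example for Scenario 1 (perimeter router). Assumed values:
!   Serial0      = Internet-facing serial interface (hypothetical name)
!   192.0.2.10   = inside web server  (constructed, documentation range)
!   192.0.2.25   = inside mail server (constructed, documentation range)
!   ACL 101      = arbitrary extended ACL number
!
interface Serial0
 ! Stop sending CDP on this link so the upstream neighbor does not
 ! learn the platform, IOS version and interface addresses.
 no cdp enable
 ! Do not process NTP packets arriving on this interface.
 ntp disable
 ! Filter everything arriving from the Internet with ACL 101.
 ip access-group 101 in
!
! Return traffic for TCP sessions opened from the inside network
! (matches segments with ACK or RST set).
access-list 101 permit tcp any any established
! Permit only the published service ports on the inside servers.
access-list 101 permit tcp any host 192.0.2.10 eq www
access-list 101 permit tcp any host 192.0.2.25 eq smtp
! Deny the rest explicitly and log it so dropped attempts show up
! in syslog instead of disappearing into the implicit deny.
access-list 101 deny ip any any log
```

The `established` keyword inspects only the ACK and RST flags and keeps no session state, so it is a filter and not a stateful firewall; the CBAC approach in Scenario 2 is the stateful counterpart.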
Answer to Scenario 2
By implementing CBAC and the TCP Interceptor tool that comes with it, you can prevent DoS
attacks from entering the customer's network. By installing the choke router behind the
perimeter router, anyone trying to compromise the DMZ will be denied access through the
choke router. By implementing the NAT feature on the perimeter router, the CCDP can meet
the RFC 1918 requirement. See Figure 15-20.
Answer to Scenario 3
Figure 15-21 shows a suggested solution for Scenario 3.
[Figure labels: Cloud, Desktop, Server. Callouts: Disable CDP broadcasts; Apply access filters here; Disable NTP]
87200333.book Page 586 Wednesday, August 22, 2001 1:41 PM