Iso network levels

You will need to bear in mind that the auditor will be looking to see that these implemented controls are effective and managed appropriately, including the use of formal change management procedures. The security mechanisms, service levels and management requirements of all network services need to be identified and included in network services agreements, whether these services are provided in-house or outsourced.

Put into simple terms, the organisation should include all the various security measures it is taking in order to secure its network services, in its network services agreements.

Your auditor will want to see that the design and implementation of networks takes into account both the business requirements and security requirements, achieving a balance that is adequate and proportionate to both.

They will be looking for evidence of this, along with evidence of a risk assessment. Groups of information services, users and information systems should be segregated on networks. The network design and controls must align with and support the information classification policies and segregation requirements. The objective in this Annex is to maintain the security of information transferred within the organisation and with any external entity e.

Formal transfer policies, procedures and controls must be in place to protect the transfer of information through the use of all types of communication facilities. Whatever type of communication facility is in use, it is important to understand the security risks involved in relation to the confidentiality, integrity and availability of the information and this will need to take into account the type, nature, amount and sensitivity or classification of the information being transferred.

It is especially important to implement such policies and procedures when information is being transferred out of or into the organisation from third parties. Different but complementary controls may be required to protect information being transferred from interception, copying, modification, mis-routing and destruction and should be considered holistically when identifying which controls are to be selected.

Information may be transferred digitally or physically and agreements must address the secure transfer of business information between the organisation and any external parties. Formal transfer policies procedures and technical controls should be selected, implemented, operated, monitored, audited and reviewed to ensure ongoing effective security protection.

Often, communications and transfer systems and procedures are put in place without a real understanding of the risks involved, which creates vulnerabilities and the possibility of compromise. ISO touches on implementation considerations including notifications, traceability, escrow, identification standards, chain of custody, cryptography, access control and others.

Any information that is involved in any form of electronic messaging needs to be appropriately protected. Put in simple terms, when using electronic messaging, it should be protected to ensure that no unauthorised access can be gained. The organisation should create a policy which sets out which forms of electronic messaging should be used for the different types of information being transferred, e.

The security feature of Essentials can be used to perform authentication on configuration changes. A change audit log is available to track changes and the user name of individuals issuing changes.

For configuration changes on multiple devices, two options are available: the web-based NetConfig in the current version of CiscoWorks Essentials or the cwconfig script. Configuration files can be downloaded and uploaded using CiscoWorks Essentials utilizing the predefined or user-defined templates.

Among the functions that can be accomplished with the configuration management tools in CiscoWorks Essentials is pushing configuration files from the Essentials configuration archive to a single device or to multiple devices.

The discovery function of most network management platforms is intended to provide a dynamic listing of devices found in the network.

Discovery engines such as those implemented in network management platforms should be utilized. An inventory database provides detailed configuration information on network devices.

Common information includes models of hardware, installed modules, software images, microcode levels, and so on. All these pieces of information are crucial in completing tasks such as software and hardware maintenance. The up-to-date listing of network devices collected by the discovery process can be used as a master list to collect inventory information using SNMP or scripting. A device list may be imported from CiscoWorks Campus Manager into the inventory database of CiscoWorks Essentials to obtain an up-to-date inventory of Cisco Catalyst switches.

A successful upgrade of Cisco IOS images on network devices requires a detailed analysis of the requirements such as memory, boot ROM, microcode level, and so on.

The requirements are normally documented and available on Cisco's web site in the form of release notes and installation guides. The process of upgrading a network device running Cisco IOS includes downloading a correct image from CCO, backing up the current image, making sure all hardware requirements are met, and then loading the new image into the device. The upgrade window to complete device maintenance is fairly limited for some organizations. In a large network environment with limited resources, it might be necessary to schedule and automate software upgrades after business hours.

The procedure can be completed either using a scripting language such as Expect or an application written specifically to perform the task. Changes to software in network devices, such as Cisco IOS images and microcode versions, should be tracked to assist in the analysis phase when the next software maintenance is required. With a modification history report readily available, the person performing the upgrade can minimize the risk of loading incompatible images or microcode into network devices.

A service level agreement (SLA) is a written agreement between a service provider and its customers on the expected performance level of network services. The SLA consists of metrics agreed upon between the provider and its customers.

The values set for the metrics must be realistic, meaningful, and measurable for both parties. Various interface statistics can be collected from network devices to measure the performance level. These statistics can be included as metrics in the SLA. Statistics such as input queue drops, output queue drops, and ignored packets are useful for diagnosing performance-related problems.

At the device level, performance metrics can include CPU utilization, buffer allocation (big buffers, medium buffers, misses, hit ratio), and memory allocation. The performance of certain network protocols is directly related to buffer availability in network devices. Measuring device-level performance statistics is critical to optimizing the performance of higher-level protocols. Performance metrics at the interface, device, and protocol levels should be collected on a regular basis using SNMP.

The polling engine in a network management system can be utilized for data collection purposes. Most network management systems are capable of collecting, storing, and presenting polled data. Various solutions are available in the marketplace to address the needs of performance management for enterprise environments. These systems are capable of collecting, storing, and presenting data from network devices and servers. The web-based interface on most products makes the performance data accessible from anywhere in the enterprise.

One of the commonly deployed performance management solutions is InfoVista VistaView. An evaluation of such products will determine whether they meet the requirements of different users. Some vendors support integration with network management and system management platforms. Each product has a different pricing model and a different set of capabilities in the base offering.

Concord has recently added support for Cisco's WAN switches, which can be used to collect and view performance data. A source router configured with CSAA is capable of measuring the response time to a destination that can be a router or any other IP device. The response time can be measured end to end between the source and the destination, or for each hop along the path.

SNMP traps can be configured to alert management consoles if the response time exceeds predefined thresholds. User traffic has increased significantly and has placed a higher demand on network resources. Network managers typically have a limited view of the types of traffic running in the network. User and application traffic profiling provides a detailed view of the traffic in the network.

The RMON standards are designed to be deployed in a distributed architecture where agents (either embedded in devices or in standalone probes) communicate with a central station (the management console) via SNMP. RMON2 enables network administrators to continue their deployment of standards-based monitoring solutions to support mission-critical, server-based applications.

The RMON2 groups described here are:

- Protocol Distribution: statistics for each protocol.
- Network Layer Host: statistics for each network layer address on the segment, ring, or port.
- Network Layer Matrix: traffic statistics for pairs of network layer addresses.
- Application Layer Host: statistics by application layer protocol for each network address.
- Application Layer Matrix: traffic statistics by application layer protocol for pairs of network layer addresses.
- Address Mapping: MAC-to-network layer address bindings.
- Configuration Group: agent capabilities and configurations.

NetFlow

The Cisco NetFlow feature allows detailed statistics of traffic flows to be collected for capacity planning, billing, and troubleshooting functions. NetFlow can be configured on individual interfaces, providing information on traffic passing through those interfaces. The following types of information are part of the detailed traffic statistics:

NetFlow data gathered on network devices is exported to a collector machine. The collector performs functions such as reducing the volume of data (filtering and aggregation), hierarchical data storage, and file system management.

Versions 2 through 4 and Version 6 were either never released or are not supported by FlowCollector. In all three supported versions, the export datagram consists of a header followed by one or more flow records.
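The header-plus-records datagram layout described above, as an added example that is not code from the page or from Cisco: a small collector-side parser for the NetFlow v5 export format (the v5 field layout is assumed from the published format, not taken from this page) that validates the header's record count against the datagram length before reading records, then performs the kind of aggregation a collector does. The two-flow datagram is constructed inline for testing.

```python
import socket
import struct
from collections import namedtuple

# NetFlow v5 export datagram: a 24-byte header followed by 48-byte flow records.
# Layout taken from the published v5 format (assumed here; not given on the page).
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
FlowRecord = namedtuple("FlowRecord", "src dst src_port dst_port proto packets octets")

def parse_v5(datagram: bytes) -> list:
    """Parse one v5 export datagram; reject truncated or malformed exports."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than v5 header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # A header count that disagrees with the payload length means a malformed
    # export; the collector drops it rather than reading past the buffer.
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        # f[0]/f[1] src/dst address, f[5]/f[6] packets/octets, f[9]/f[10] ports, f[13] protocol
        records.append(FlowRecord(socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                                  f[9], f[10], f[13], f[5], f[6]))
    return records

def octets_by_service(records: list) -> dict:
    """Collector-style aggregation: total octets per (protocol, destination port)."""
    totals = {}
    for r in records:
        totals[(r.proto, r.dst_port)] = totals.get((r.proto, r.dst_port), 0) + r.octets
    return totals

def build_sample_datagram() -> bytes:
    """Constructed two-flow export for testing; not captured from a real device."""
    header = struct.pack(HEADER_FMT, 5, 2, 100000, 1700000000, 0, 1, 0, 0, 0)
    def rec(src, dst, sport, dport, proto, pkts, octets):
        return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                           b"\0\0\0\0", 1, 2, pkts, octets, 1000, 2000, sport, dport,
                           0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return (header + rec("10.0.0.5", "192.0.2.10", 40000, 443, 6, 12, 9000)
            + rec("10.0.0.6", "192.0.2.10", 40001, 443, 6, 3, 600))
```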

The goal of security management is to control access to network resources according to local guidelines so that the network cannot be sabotaged intentionally or unintentionally. A security management subsystem, for example, can monitor users logging on to a network resource, refusing access to those who enter inappropriate access codes.

Security management is a very broad subject; therefore this area of the document only covers security as it relates to SNMP and basic device access security. A good security management implementation starts with sound security policies and procedures in place. It is important to create a platform-specific minimum configuration standard for all routers and switches that follows industry best practices for security and performance. There are various methods of controlling access on Cisco routers and Catalyst switches.

One of these methods is TACACS, an authentication mechanism that is used to authenticate the identity of a device seeking remote access to a privileged database. Authentication can be configured for login control or to authenticate individual commands. Authentication is the process of identifying users, including login and password dialog, challenge and response, and messaging support.

Authentication is the way a user is identified prior to being allowed access to the router or switch. There is a fundamental relationship between authentication and authorization.

The more authorization privileges a user receives, the stronger the authentication should be. Authorization provides remote access control, including one-time authorization and authorization for each service that is requested by the user. On a Cisco router, the authorization level range for users is 0 to 15 with 0 being the lowest level and 15 the highest.

Accounting allows for the collecting and sending of security information used for billing, auditing, and reporting, such as user identities, start and stop times, and executed commands. Accounting enables network managers to track the services that users are accessing as well as the amount of network resources they are consuming. Refer to the Authentication, Authorization, and Accounting Commands document for more in-depth commands. For more information on how to configure AAA to monitor and control access to the command-line interface on the Catalyst enterprise LAN switches, refer to the Controlling Access to the Switch Using Authentication, Authorization, and Accounting document.

Proper security measures should be configured on network devices to prevent unauthorized access and change via SNMP. Community strings should follow the standard password guidelines for length, characters, and difficulty of guessing. It is important to change the community strings from their public and private defaults. Cisco IOS and Cisco Catalyst software provide security features that ensure that only authorized management stations are allowed to perform changes on network devices.

Privilege levels on SNMP community strings limit the types of operations that a management station can perform on a router. The RO level only allows a management station to query the router's data. It does not allow configuration operations such as rebooting a router or shutting down interfaces to be performed. Only the RW privilege level can be used to perform such operations. A second feature limits which specific information management stations can retrieve from routers.

The encryption and authentication features in SNMPv3 provide strong protection for packets in transit to a management console. Access control lists (ACLs) can be applied on incoming or outgoing interfaces on routers to restrict which stations may reach the device.

Syslog messages and SNMP traps are supported to notify a management system when a violation or unauthorized access occurs. A combination of the Cisco IOS security features can be used to manage routers and Catalyst switches. A security policy needs to be established that limits the number of management stations capable of accessing the switches and routers.
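The SNMP hardening points above (no default community strings, community strings that follow password guidelines, access restricted to authorized management stations, RW only where needed, and SNMPv3 for authenticated and encrypted transport) can be checked mechanically against a saved configuration. The following is an added example, not code from the page or from Cisco: a Python audit over Cisco IOS-style configuration text. The two configurations are constructed for illustration, and the 12-character minimum is an assumed local standard.

```python
import re

# Constructed sample configurations in Cisco IOS syntax (not from any real device).
WEAK_CONFIG = """\
hostname edge-rtr
snmp-server community public RO
snmp-server community private RW
"""

HARDENED_CONFIG = """\
hostname edge-rtr
access-list 10 permit 10.1.1.5
access-list 10 deny any log
snmp-server community Vq8pLm2xRt9zWk3 RO 10
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GRP v3 priv read NMS-VIEW
"""

# snmp-server community <string> [view <name>] RO|RW [<access-list>]
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?", re.M)
V3_PRIV_RE = re.compile(r"^snmp-server group \S+ v3 priv", re.M)
DEFAULT_STRINGS = {"public", "private"}
MIN_LENGTH = 12  # assumed local standard for community string length

def audit_snmp(config: str) -> list:
    """Return the findings a reviewer would raise against a device's SNMP configuration."""
    findings = []
    for m in COMMUNITY_RE.finditer(config):
        name, level, acl = m.groups()
        if name.lower() in DEFAULT_STRINGS:
            findings.append(f"default community string '{name}' ({level})")
        elif len(name) < MIN_LENGTH:
            findings.append(f"community string '{name}' shorter than {MIN_LENGTH} characters")
        if acl is None:
            findings.append(f"community '{name}' ({level}) not limited to authorized stations by an ACL")
        if level == "RW":
            findings.append(f"community '{name}' allows RW (configuration changes) over SNMPv1/v2c")
    if not V3_PRIV_RE.search(config):
        findings.append("no SNMPv3 group with authentication and encryption (priv)")
    return findings
```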
