Cisco Systems
Data Center: Securing Server Farms
March, 2003

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS,

SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Copyright © 2004 Cisco Systems, Inc. All rights reserved.

Preface
    Document Organization
    Document Conventions

CHAPTER 1 Securing Intranet Server Farms: Overview
    Data Center Security
    The Need for Intranet Security
    Security Technologies
    Data Center Security Topologies
    Deploying Layer 2 Security in Server Farms
    Deploying Private VLANs in the Data Center
    Security Considerations in the Intranet Data Center
    Deploying Network-Based Intrusion Detection
    Deploying Host-Based Intrusion Detection
    Data Center Networking Architecture
    Network Infrastructure
    Cisco Storage Networking
    Application Optimization
    Business Continuance Networking

CHAPTER 2 Data Center Security Topologies
    Topologies
    Packet Filtering: Aggregation Layer
    ACLs
    Appliance Firewalls
    Integrated Firewalls
    Packet Filtering: Access Layer
    Security for Multi-Tier Server Farms
    Intrusion Detection Sensors
    Network IDS: Access Layer
    Host IDS

CHAPTER 3 Deploying Layer 2 Security in Server Farms
    Overview
