Annex C: Architecture Taxonomy

application server— Provides application services directly or indirectly for enterprise end users. Services can include work-flow, general office, and security applications.

firewall (stateful)— Stateful packet filtering device that maintains state tables for IP-based protocols. Traffic is only allowed to cross the firewall if it conforms to the access-control filters defined, or if it is part of an already established session in the state table.
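The two admission paths in that definition (the packet matches a configured access-control filter, or it belongs to a session already recorded in the state table) are easy to lose in prose. The following toy packet filter is an added example, not Cisco's code or configuration: its rule format, 5-tuple session keys, SYN-only session creation and FIN/RST teardown are this example's own simplifications, and the addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Toy stateful packet filter illustrating the Annex C definition.

Added example, not Cisco's code. A packet is permitted either because it
matches an access-control filter (and starts a new session) or because
it is part of a session already present in the state table.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # TCP flags as letters: "S" SYN, "A" ACK, "F" FIN, "R" RST


@dataclass(frozen=True)
class Rule:
    """Access-control filter: permit proto from src_net to dst_net on dport."""
    proto: str
    src_net: str          # simplified prefix match on the dotted string, e.g. "10.0.0."
    dst_net: str          # "" matches any destination
    dport: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and p.src.startswith(self.src_net)
                and p.dst.startswith(self.dst_net)
                and (self.dport is None or p.dport == self.dport))


SessionKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport of the initiator


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Dict[SessionKey, str] = {}    # state table: initiator 5-tuple -> status

    @staticmethod
    def _key(p: Packet) -> SessionKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> SessionKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        """Return 'permit' or 'deny' for one packet and update the state table."""
        k, rk = self._key(p), self._reverse_key(p)
        # Path 1: the packet belongs to an established session, in either direction.
        if k in self.state or rk in self.state:
            owner = k if k in self.state else rk
            if p.proto == "tcp" and ("F" in p.flags or "R" in p.flags):
                del self.state[owner]   # teardown: later packets need a new session
            return "permit"
        # Path 2: no state, so only a session-opening packet that matches a filter passes.
        if p.proto == "tcp" and not ("S" in p.flags and "A" not in p.flags):
            return "deny"               # mid-stream TCP with no state entry is dropped
        if any(r.matches(p) for r in self.rules):
            self.state[k] = "established"
            return "permit"
        return "deny"


def demo() -> List[Tuple[str, str]]:
    """Run a constructed packet trace through a firewall with one outbound HTTPS rule."""
    fw = StatefulFirewall([Rule("tcp", "10.0.0.", "", 443)])   # inside hosts may reach any HTTPS server
    inside, outside = "10.0.0.5", "203.0.113.9"                # constructed addresses
    trace = [
        ("client SYN",              Packet("tcp", inside, 51000, outside, 443, "S")),
        ("server SYN/ACK",          Packet("tcp", outside, 443, inside, 51000, "SA")),
        ("client ACK",              Packet("tcp", inside, 51000, outside, 443, "A")),
        ("unsolicited inbound SYN", Packet("tcp", outside, 40000, inside, 22, "S")),
        ("stray ACK from port 443", Packet("tcp", "198.51.100.7", 443, inside, 51001, "A")),
        ("client FIN",              Packet("tcp", inside, 51000, outside, 443, "FA")),
        ("late data after FIN",     Packet("tcp", outside, 443, inside, 51000, "A")),
    ]
    return [(label, fw.filter(p)) for label, p in trace]


if __name__ == "__main__":
    for label, decision in demo():
        print(f"{label:26s} -> {decision}")
```

The server's SYN/ACK is permitted only because the client's SYN created a state entry; the stray ACK from port 443 has no entry and matches no filter, so it is denied even though it looks like return traffic. A real firewall also ages entries out and tracks sequence numbers, which this toy omits.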

host intrusion detection system (HIDS)— HIDS is a software application that monitors activity on an individual host. Monitoring techniques can include validating operating system and application calls, checking log files, file system information and network connections.

network intrusion detection system (NIDS)— Typically used in a nondisruptive manner, this device captures traffic on a LAN segment and tries to match the real-time traffic against known attack signatures. Signatures range from atomic (single packet and direction) signatures to composite (multipacket) signatures requiring state tables and Layer 7 application tracking.
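The difference between an atomic signature and a composite one is that the composite signature needs per-flow state: it has to reassemble a stream, or count events across packets, before it can decide. The sensor below is an added example, not Cisco's NIDS code; the signature classes, the byte pattern and the packet trace are all constructed for illustration, and the addresses come from the RFC 5737 documentation range.

```python
"""Atomic versus composite NIDS signatures over a constructed packet trace.

Added example, not Cisco's code. One atomic signature inspects each packet
alone; two composite signatures keep state tables, one to reassemble a TCP
stream and one to count distinct destination ports per source.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


FlowKey = Tuple[str, str, int]   # src, dst, dport


@dataclass
class AtomicSignature:
    """Single-packet signature: no state, the pattern must be inside one payload."""
    name: str
    pattern: bytes

    def check(self, p: Packet) -> List[str]:
        return [self.name] if self.pattern in p.payload else []


@dataclass
class StreamSignature:
    """Composite signature: reassembles each flow in sequence order before matching,
    so a pattern split across two packets is still found. The per-flow buffer is
    the state table the Annex C definition refers to."""
    name: str
    pattern: bytes
    flows: Dict[FlowKey, Dict[int, bytes]] = field(default_factory=dict)
    fired: Set[FlowKey] = field(default_factory=set)

    def check(self, p: Packet) -> List[str]:
        key = (p.src, p.dst, p.dport)
        segs = self.flows.setdefault(key, {})
        segs[p.seq] = p.payload
        stream, expected = b"", None
        for s in sorted(segs):                 # rebuild only the contiguous prefix
            if expected is not None and s != expected:
                break                          # gap: wait for the missing segment
            stream += segs[s]
            expected = s + len(segs[s])
        if self.pattern in stream and key not in self.fired:
            self.fired.add(key)                # alert once per flow
            return [self.name]
        return []


@dataclass
class ThresholdSignature:
    """Composite signature: fires when one source touches more than `limit`
    distinct ports on one destination host."""
    name: str
    limit: int
    seen: Dict[Tuple[str, str], Set[int]] = field(default_factory=dict)
    fired: Set[Tuple[str, str]] = field(default_factory=set)

    def check(self, p: Packet) -> List[str]:
        key = (p.src, p.dst)
        ports = self.seen.setdefault(key, set())
        ports.add(p.dport)
        if len(ports) > self.limit and key not in self.fired:
            self.fired.add(key)
            return [self.name]
        return []


def run_sensor(packets: List[Packet], signatures) -> List[Tuple[int, str]]:
    """Return (packet index, signature name) for every alert raised."""
    alerts = []
    for i, p in enumerate(packets):
        for sig in signatures:
            for name in sig.check(p):
                alerts.append((i, name))
    return alerts


def demo() -> List[Tuple[int, str]]:
    pattern = b"CONSTRUCTED-SIG-PATTERN"       # invented pattern, stands in for a real signature
    sigs = [AtomicSignature("atomic-pattern", pattern),
            StreamSignature("stream-pattern", pattern),
            ThresholdSignature("port-sweep", limit=3)]
    a, b = "192.0.2.10", "192.0.2.80"          # constructed addresses
    packets = [
        Packet(a, b, 80, 1000, b"GET / HTTP/1.0\r\nX-Note: " + pattern + b"\r\n"),  # whole pattern in one packet
        Packet(a, b, 8080, 2000, b"X-Note: CONSTRUCTED-S"),   # first half of the pattern (21 bytes)
        Packet(a, b, 8080, 2021, b"IG-PATTERN\r\n"),          # second half, contiguous with the first
        Packet(a, b, 22, 1, b""),
        Packet(a, b, 25, 1, b""),
        Packet(a, b, 110, 1, b""),
    ]
    return run_sensor(packets, sigs)


if __name__ == "__main__":
    for idx, name in demo():
        print(f"packet {idx}: {name}")
```

Packet 0 triggers both the atomic and the stream signature, but packets 1 and 2 are caught only by the stream signature, because neither payload contains the whole pattern on its own. The port-sweep alert fires on packet 4, the first time the per-source port count exceeds the limit, and then stays quiet for that source.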

IOS firewall— A stateful packet-filtering firewall running natively on Cisco IOS.

IOS router— A wide spectrum of flexible network devices that provide many routing and security services for all performance requirements. Most devices are modular and have a range of LAN and WAN physical interfaces.

Layer 2 switch— Provides bandwidth and VLAN services to network segments at the Ethernet level. Typically these devices offer 10/100 individual switched ports, gigabit Ethernet uplinks, VLAN trunking, and Layer 2 filtering features.

Layer 3 switch— Provides the same high-throughput functions as a Layer 2 switch with added routing, QoS, and security features. These switches often include special-function processors.

management server— Provides network management services for the operators of enterprise networks. Services can include general configuration management, monitoring of network security devices, and operation of the security functions.

SMTP content filtering server— An application typically running on an external SMTP server that monitors the content (including attachments) of incoming and outgoing mail. It decides whether that mail is authorized to be forwarded as is, altered and forwarded, or dropped.

URL filtering server— An application typically running on a standalone server that monitors URL requests forwarded to it by a network device and informs the network device whether the request should be forwarded on to the Internet. This allows an enterprise to implement a security policy dictating what categories of Internet sites are unauthorized.

VPN termination device— Terminates IPSec tunnels for either site-to-site or remote-access VPN connections. The device should provide additional services to offer the same network functionality as a classic WAN or dial-in connection.

workstation or user terminal— Any device on the network that is used directly by the end user. This includes PCs, IP phones, wireless devices, and so forth.
