Maximizing C-I-A

The main goal in all domains is to deploy and maintain controls that support all of the C-I-A properties of security for your data. The WAN Domain contains several components that play critical roles in providing secure access to your organization’s data. Maintaining that security requires diligence and the right controls.

WAN Service Availability SLAs

Each WAN service contract includes specific promises of stated levels of service called service level agreements (SLAs). SLAs state what your WAN service provider promises to deliver in terms of various types of services. Most WAN service provider SLAs address the availability property of data security. You should subscribe to a WAN service that guarantees the level of availability your organization requires to conduct business.

Availability SLA terms depend on the type of service you purchase. Most WAN service providers offer customers a choice of service guarantees for different costs to meet different customers’ needs. Table 12-2 shows a sample list of availability service choices. Note that the levels of service differ based on the reliability or recovery options selected.

TABLE 12-2 Availability service choices.

Service | Availability | Comment
--- | --- | ---
Dual routers/dual circuits | 100% | Redundant hardware and connections provide uninterrupted service.
Single router with backup | 99.95% | Backup hardware can replace the primary router with very little downtime. The estimated annual downtime is 4.4 hours.
Single router | 99.5% | A single router is a single point of failure, and you must replace failed hardware. The estimated annual downtime is 43.8 hours.

The level of availability you choose will dictate the cost and hardware requirements for your WAN service. Examine the impact of expected or scheduled annual downtime and select the level of service that fits your organization.
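The downtime figures in Table 12-2 follow directly from the availability percentage and the length of the measurement period. The script below, added here as an illustration and not part of the text, turns a guaranteed percentage into the downtime budget the provider may consume, and then checks a constructed outage log against that budget the way you would when reviewing whether a provider actually met its SLA. The tier names and percentages come from Table 12-2; the outage windows and measurement year are made up for the example.

```python
"""SLA availability arithmetic and a compliance check against an outage log.
Added example; tiers are from Table 12-2, the outage log is constructed."""
from datetime import datetime

HOURS_PER_YEAR = 365 * 24  # 8,760 hours (non-leap year), matching Table 12-2

# Availability tiers from Table 12-2.
SLA_TIERS = {
    "Dual routers/dual circuits": 100.0,
    "Single router with backup": 99.95,
    "Single router": 99.5,
}


def permitted_downtime_hours(availability_pct, period_hours=HOURS_PER_YEAR):
    """Downtime the provider may incur over `period_hours` and still meet the SLA."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return (1.0 - availability_pct / 100.0) * period_hours


def measured_availability(outages, period_start, period_end):
    """Delivered availability (%) from (start, end) outage windows.

    Outages are clipped to the measurement window and overlapping windows are
    merged, so an incident logged twice (e.g. by two monitors) is counted once.
    """
    period = (period_end - period_start).total_seconds()
    if period <= 0:
        raise ValueError("period_end must be after period_start")
    clipped = []
    for start, end in outages:
        s, e = max(start, period_start), min(end, period_end)
        if e > s:
            clipped.append((s, e))
    clipped.sort()
    down = 0.0
    cur_s = cur_e = None
    for s, e in clipped:
        if cur_e is None or s > cur_e:        # disjoint from the current run
            if cur_e is not None:
                down += (cur_e - cur_s).total_seconds()
            cur_s, cur_e = s, e
        else:                                  # overlaps: extend the current run
            cur_e = max(cur_e, e)
    if cur_e is not None:
        down += (cur_e - cur_s).total_seconds()
    return 100.0 * (1.0 - down / period)


def sla_met(tier, outages, period_start, period_end):
    """True when delivered availability is at or above the tier's guarantee."""
    return measured_availability(outages, period_start, period_end) >= SLA_TIERS[tier]


# Constructed outage log for one year: two overlapping entries for the same
# March incident (02:00-06:00 once merged) plus a 30-minute blip in September,
# 4.5 hours in total.
YEAR_START = datetime(2023, 1, 1)
YEAR_END = datetime(2024, 1, 1)
SAMPLE_OUTAGES = [
    (datetime(2023, 3, 3, 2, 0), datetime(2023, 3, 3, 5, 0)),
    (datetime(2023, 3, 3, 4, 0), datetime(2023, 3, 3, 6, 0)),
    (datetime(2023, 9, 10, 10, 0), datetime(2023, 9, 10, 10, 30)),
]

if __name__ == "__main__":
    for tier, pct in SLA_TIERS.items():
        yearly = permitted_downtime_hours(pct)
        monthly_min = permitted_downtime_hours(pct, 30 * 24) * 60
        print(f"{tier:28s} {pct:6.2f}%  budget: {yearly:5.2f} h/year, "
              f"{monthly_min:5.1f} min/30 days")
    delivered = measured_availability(SAMPLE_OUTAGES, YEAR_START, YEAR_END)
    print(f"delivered availability: {delivered:.4f}%")
    for tier in SLA_TIERS:
        verdict = "met" if sla_met(tier, SAMPLE_OUTAGES, YEAR_START, YEAR_END) else "MISSED"
        print(f"  {tier:28s} {verdict}")
```

With 4.5 hours of merged downtime the provider delivers about 99.949% availability: enough for the 99.5% single-router tier, but a breach of the 99.95% tier whose annual budget is 4.38 hours. Run the check against your own monitoring export before accepting the provider's report of its own uptime.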

WAN Traffic Encryption/VPNs

SLAs define levels of service that protect the availability property of data. Additional concerns when sending data across any WAN include integrity and confidentiality. The main type of control you can use to ensure the integrity and confidentiality of your data is encryption. One of the more common types of encryption in use in the WAN Domain is encrypted traffic over a VPN.

A VPN is a persistent connection between two endpoints, commonly created over a WAN. Although not limited to WANs, VPNs make it easy to establish what appears to be a dedicated connection over a shared-access WAN. VPNs work well in creating persistent connections, also called tunnels, over the Internet or other types of WANs. Many VPNs also encrypt the traffic in the tunnel, making them an attractive option for WAN traffic that may contain sensitive data. Encrypted VPNs are also called secure VPNs. Even though others might be able to see the traffic as it travels through the WAN, no one can read it or change it without being detected, because the data are encrypted and authenticated.
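The two guarantees the paragraph attributes to a secure VPN, that traffic in transit cannot be read and cannot be altered without detection, come from two distinct mechanisms: encryption for confidentiality and a message authentication code (MAC) for integrity, with the receiver checking the MAC before it trusts a single byte. The following standard-library-only script, added here as an illustration and not part of the text or of any VPN product, shows that pattern on a single tunnel frame. Its keystream construction (HMAC-SHA256 run in counter mode) and frame layout are a teaching stand-in for the ciphers and record formats that IPsec or TLS actually use.

```python
"""Confidentiality plus integrity for one tunnel frame: encrypt, then
authenticate, and verify before decrypting.  Added example; the PRF-in-
counter-mode cipher and the nonce||ciphertext||tag layout are didactic,
not a real VPN protocol."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256


def _derive_keys(master_key: bytes):
    """Split one shared tunnel key into independent encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"tunnel-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"tunnel-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF; the nonce must never repeat under a key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Sender side: frame = nonce || ciphertext || tag (tag covers nonce+ciphertext)."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_frame(master_key: bytes, frame: bytes):
    """Receiver side: verify the tag first; return None (drop) if anything changed."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _derive_keys(master_key)
    nonce, ciphertext, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def flip_bit(frame: bytes, offset: int) -> bytes:
    """Model an in-transit modification: invert one bit at `offset`."""
    mutated = bytearray(frame)
    mutated[offset] ^= 0x01
    return bytes(mutated)


# Constructed sample: a shared tunnel key and one sensitive record.
SAMPLE_KEY = b"constructed-32-byte-tunnel-key!!"
SAMPLE_RECORD = b"PAYROLL 2024-03 total=1,250,000"


def demo(key: bytes = SAMPLE_KEY, record: bytes = SAMPLE_RECORD) -> dict:
    """Exercise the three properties and return the observations for inspection."""
    frame = seal(key, record)
    body = frame[NONCE_LEN:-TAG_LEN]
    return {
        "round_trip_ok": open_frame(key, frame) == record,
        "ciphertext_hides_plaintext": body != record and record not in frame,
        "tampered_frame_rejected": open_frame(key, flip_bit(frame, NONCE_LEN)) is None,
        "tampered_nonce_rejected": open_frame(key, flip_bit(frame, 0)) is None,
        "wrong_key_rejected": open_frame(b"some-other-key", frame) is None,
        "truncated_frame_rejected": open_frame(key, frame[:NONCE_LEN + 3]) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28s} {'OK' if result else 'FAIL'}")
```

The order matters: the receiver verifies the tag over everything it received and only then decrypts, so a frame modified on the path is dropped rather than decrypted into garbage that an application might act on. Production tunnels get the same two properties from an AEAD cipher such as AES-GCM, which combines both steps; the separation here is only to make the two roles visible.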

Today’s networks often support multiple VPN protocols. Consult your WAN service provider for information on which VPN protocols your WAN supports. Use VPNs anytime you need to ensure integrity and confidentiality when sending data over a WAN. Table 12-3 lists some of the more common VPN protocols in use today.

TABLE 12-3 Common VPN protocols.

Protocol | Description
--- | ---
Layer 2 Tunneling Protocol (L2TP) | This common tunneling protocol defines a connection between two endpoints. You need another protocol, such as Internet Protocol Security (IPSec), to provide encryption services.
Point-to-Point Tunneling Protocol (PPTP) | This Layer 2 protocol defines a tunnel between two endpoints. PPTP is older and generally less secure than L2TP.
Secure Sockets Layer/Transport Layer Security (SSL/TLS) | This common protocol is used to transport encrypted Hypertext Transfer Protocol (HTTP) traffic. It can also be used to create an encrypted tunnel.
Datagram Transport Layer Security (DTLS) | This protocol is used by Cisco hardware to create a generic VPN that works well in most network architectures.
Secure Socket Tunneling Protocol (SSTP) | SSTP works at the Transport Layer to provide a VPN that works with most firewalls.