Community Manager

Ask The Expert: Things I Can Do to Protect My Network from Getting Hacked

With Jazib Frahim

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco subject matter expert Jazib Frahim why enterprise network segments get compromised despite the state-of-the-art network security technologies and products that are deployed. Do they get compromised because of product or technology limitations, or are there other factors that cause the network infrastructure to be exposed to attackers? Jazib (CCIE 5459) is a technical leader in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He was previously a technical leader for Cisco's Technical Assistance Center (TAC) Security team, leading engineers in resolving complicated security and VPN technologies. He holds two CCIE certifications, one in routing and switching and the other in security. He has presented at Cisco Live on multiple occasions and has written numerous technical documents and books, including Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (1st and 2nd editions); Cisco Network Admission Control, Volume II; and Cisco SSL VPN Solutions.

Jazib holds a bachelor's degree in computer engineering from the Illinois Institute of Technology and a master of business administration (MBA) degree from North Carolina State University.

Remember to use the rating system to let Jazib know if you have received an adequate response.

You can also read the questions he answered during the live event in this FAQ Document, and review the Live Webcast video in which Jazib gave a presentation on this topic.

Jazib might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through September 23, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


Hi Jazib

Thank you for a good reply.

Sorry for the late reply.

1) Thank you. It is getting all too complex and takes too long as it is today. It would be one thing if it took a couple of hours, but in general 5 working days from order placement to actually being able to send in the "paperwork" for key generation is too long when it is this complex.

2) I know AnyConnect is the way Cisco wants to go, but I just can't bring myself to like it or trust it. The IPsec client feels better and has proven itself.

Thank you for the answer.

3) I did not know this, Great information and link ! Thank you.

4) I think the question was a little misunderstood. I was talking about knowing what actually is let through and testing rulebases and that sort of thing, i.e. that the configuration as a whole does what I think it should do.

I agree with the automation process, but I also test with, e.g., port scanners that the configuration does what I think it should do when it comes to access-lists, NATing and so on.

I would love to have EEM in all switches, routers and firewalls. It is one of the best tools out there!

You can do so much for security with it.

5) New question:

What are the main areas that you think are overlooked in securing a small "LAN"-style network, and why?

(small company 1-500 users localized)

What are the main areas that you think are overlooked in securing a large "WAN"-style network, and why?

(large corporation 10K+ users wide spread over many locations)



Hi Hobbe,

4) I completely agree about EEM. It provides you with so much flexibility that it becomes almost a required tool, like NetFlow, in an organization.

Talking specifically about firewalls and rules, one thing that I talk about in most of my presentations is the need for config/rule auditing (via tools or other methods). All rules should have a business justification and an expiration date, so you know to delete the rule after those have been added in the configs. I see so many examples where IT/support staff have no idea why the rules were added and are scared to delete them since they do not know the repercussions.

5) In small LANs, since the enterprises have limited budgets (and staff), they typically do not develop any processes/procedures and things are done on an ad-hoc basis. In large enterprises, even though they usually have a decent budget and processes/procedures developed, they still do not follow them and rely on the products to secure the infrastructure.
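One way to mechanise the rule audit Jazib describes in point 4, as an added example that is not part of this thread and not a Cisco tool: it parses ASA-style access-list lines and flags every permit that lacks an owner or reason, lacks an expiry date, has passed its expiry, or is any-to-any. The key=value metadata in the remark line immediately preceding each ACE is an assumed convention (the ASA stores remark text but attaches no meaning to it), and the config below is constructed for the example.

```python
"""Audit ASA-style access-list entries for justification and expiry.

Assumed convention (not enforced by the ASA): the `remark` line placed
directly before an ACE carries key=value tokens such as
owner=, reason=, ticket=, expires=YYYY-MM-DD describing that ACE.
Only permits are audited; an explicit deny needs no business case.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample config, not taken from a real firewall.
SAMPLE_CONFIG = """
access-list OUTSIDE_IN remark owner=netops ticket=CHG-1234 expires=2011-12-31 reason=vendor-support-vpn
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq 22
access-list OUTSIDE_IN remark owner=appteam expires=2011-06-30 reason=temp-migration
access-list OUTSIDE_IN extended permit ip 198.51.100.0 255.255.255.0 any
access-list OUTSIDE_IN remark owner=unknown reason=unknown expires=2009-01-01
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended deny ip any any
"""

REMARK_RE = re.compile(r"^access-list\s+(\S+)\s+remark\s+(.*)$")
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Ace:
    acl: str
    action: str
    match: str                       # the rest of the ACE (proto, src, dst, ports)
    meta: dict[str, str] = field(default_factory=dict)


def parse_acl(config: str) -> list[Ace]:
    """Return ACEs in config order, each with the metadata of the remark before it."""
    aces: list[Ace] = []
    pending: dict[str, dict[str, str]] = {}   # per-ACL remark waiting for its ACE
    for raw in config.splitlines():
        line = raw.strip()
        m = REMARK_RE.match(line)
        if m:
            acl, text = m.groups()
            pending[acl] = dict(KV_RE.findall(text))
            continue
        m = ACE_RE.match(line)
        if m:
            acl, action, match = m.groups()
            # A remark documents only the next ACE; an undocumented ACE gets {}.
            aces.append(Ace(acl, action, match, pending.pop(acl, {})))
    return aces


def audit(config: str, today: date) -> list[tuple[str, str]]:
    """Return (rule, problem) pairs for every permit that fails the hygiene checks."""
    findings: list[tuple[str, str]] = []
    for ace in parse_acl(config):
        if ace.action != "permit":
            continue
        rule = f"{ace.acl}: {ace.action} {ace.match}"
        for key in ("owner", "reason"):
            if key not in ace.meta:
                findings.append((rule, f"missing {key}"))
        exp = ace.meta.get("expires")
        if exp is None:
            findings.append((rule, "missing expires"))
        else:
            try:
                if date.fromisoformat(exp) < today:
                    findings.append((rule, f"expired on {exp}"))
            except ValueError:
                findings.append((rule, f"unparseable expires={exp}"))
        # Two "any" tokens in one permit means source and destination are both open.
        if re.search(r"\bany\b.*\bany\b", ace.match):
            findings.append((rule, "permit any-to-any"))
    return findings


if __name__ == "__main__":
    for rule, problem in audit(SAMPLE_CONFIG, date.today()):
        print(f"{problem:28s} {rule}")
```

Run against a saved `show running-config access-list` output; the `today` argument is explicit so the same audit can be replayed for a past change window. The expired and undocumented rules it lists are exactly the ones support staff are "scared to delete": the audit turns that fear into a ticket with an owner to ask.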

