Sample Diagram
(Network diagram; only the slide's labels survived extraction. The components it shows, as far as they can be recovered:)
- WWW / Internet, with dedicated circuits to the CSA and other parties, and a VPN to Municipalities via the Internet (see Figure C-1-D in CJIS Policy)
- Internet router with Intrusion Detection
- Router/Firewall/VPN and an AA (advanced authentication) server
- Extranet (CSA approved)
- CAD System (CJI) and CAD Clients w/ AA, on LE and Non-LE VLANs (see following slide); 128-bit TLS
- TLS Web App. hosted by State, with AA
- Other Department workstations / Local 802.11x LAN
- Remote Admin? (open question on the slide)
- Other Relationships: Fiber to other Facilities; SAN Storage (CJI ?); Regional Provider
- See following slide for more examples
What we would like to see
(The same diagram with the products named on the slide; only the labels survived extraction:)
- WWW / Internet, with dedicated circuits to the CSA and other parties, and a VPN to Municipalities via the Internet (see Figure C-1-D in CJIS Policy)
- Internet router: Cisco 2800, IOS v6.1 (CSA approved)
- Intrusion Detection: IBM Proventia
- Router/Firewall/VPN: Cisco ASA 5505
- AA server: RSA
- RMS System (CJI): TriTech Perform
- CAD System (CJI): TriTech Perform
- Mobile client VPN: NetMotion Mobility XE
- CAD Clients w/ AA (RSA), on LE and Non-LE VLANs (see following slide); 128-bit TLS
- TLS Web App. hosted by State (name of State system), with AA
- Other Department workstations / Local 802.11x LAN (if 802.11x is used for CJI, see CJIS Policy 5.5.7)
- Remote Admin? (open question on the slide)
- Other Relationships: Fiber to other Facilities; SAN Storage (CJI ?); Regional Provider
- See following slide for more examples
VLANS
5.5.7.1 All 802.11x Wireless Protocols
Segregate, virtually (e.g. virtual local area network (VLAN) and ACLs) or
physically (e.g. firewalls), the wireless network from the operational wired infrastructure.
Limit access between wireless networks and the wired network to only operational
needs.
5.10.1.4 Voice over Internet Protocol
VoIP can be installed in-line with an organization’s existing Internet Protocol
(IP) services. Among VoIP’s risks that have to be considered carefully are: myriad security
concerns, cost issues associated with new networking hardware requirements, and
overarching quality of service (QoS) factors.
In addition to the security controls described in this document, the following additional
controls shall be implemented when an agency deploys VoIP within a network that
contains unencrypted CJI:
1. Establish usage restrictions and implementation guidance for VoIP technologies.
2. Change the default administrative password on the IP phones and VoIP switches.
3. Utilize Virtual Local Area Network (VLAN) technology to segment VoIP traffic from
data traffic.
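The two clauses quoted above (5.5.7.1, wireless segregated from the wired infrastructure with access limited to operational needs, and 5.10.1.4 item 3, VoIP on its own VLAN) are both enforced on the switch with VLANs plus an inbound ACL on the wireless SVI. The script below is an added example, not part of these slides or of the CJIS Security Policy: it parses an IOS-style configuration and reports where either control is missing. The configuration it checks is constructed for illustration (the VLAN numbers and names, the addresses, and the ACL name WIRELESS-TO-WIRED are assumptions), and a weakened copy shows the two failure modes the policy text is aimed at.

```python
"""Audit an IOS-style switch config for two CJIS VLAN segregation controls:
5.5.7.1 (wireless segregated from wired, access limited to operational needs)
and 5.10.1.4 item 3 (VoIP segmented from data traffic). Added example; the
configurations below are constructed for illustration, not any agency's."""
import re

# Constructed sample: the wireless SVI is filtered by an ACL that permits only
# the CAD web front end (443) and DNS, then denies and logs everything else.
SAMPLE_CONFIG = """
vlan 10
 name DATA
vlan 20
 name WIRELESS
vlan 30
 name VOICE
!
ip access-list extended WIRELESS-TO-WIRED
 permit tcp 10.20.0.0 0.0.255.255 host 10.10.0.5 eq 443
 permit udp 10.20.0.0 0.0.255.255 host 10.10.0.2 eq 53
 deny ip any any log
!
interface Vlan20
 ip address 10.20.0.1 255.255.0.0
 ip access-group WIRELESS-TO-WIRED in
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport voice vlan 30
"""

# Weakened copy: the wireless ACL is dropped and the phone port puts voice on
# the data VLAN, the two failure modes the quoted policy text is aimed at.
WEAK_CONFIG = (SAMPLE_CONFIG
               .replace(" ip access-group WIRELESS-TO-WIRED in\n", "")
               .replace("switchport voice vlan 30", "switchport voice vlan 10"))


def stanzas(config):
    """Split the config into (header, [indented body lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def parse(config):
    """One pass: VLAN names, SVI inbound ACLs, named ACL entries, port VLANs."""
    names, svis, acls, ports = {}, {}, {}, []
    for header, body in stanzas(config):
        if m := re.fullmatch(r"vlan (\d+)", header):
            names[int(m[1])] = next((b[5:] for b in body if b.startswith("name ")), "").upper()
        elif m := re.fullmatch(r"ip access-list (?:extended|standard) (\S+)", header):
            acls[m[1]] = body
        elif m := re.fullmatch(r"interface Vlan(\d+)", header):
            inbound = [g[1] for b in body if (g := re.fullmatch(r"ip access-group (\S+) in", b))]
            svis[int(m[1])] = inbound[-1] if inbound else None
        elif header.startswith("interface "):
            vl = {k: int(g[1]) for k in ("access", "voice") for b in body
                  if (g := re.fullmatch(rf"switchport {k} vlan (\d+)", b))}
            ports.append((header, vl.get("access"), vl.get("voice")))
    return names, svis, acls, ports


def audit(config):
    """Return findings keyed to the policy clause; an empty list means both controls are met."""
    names, svis, acls, ports = parse(config)
    wireless = [v for v, n in names.items() if "WIRELESS" in n or "WLAN" in n]
    voice = [v for v, n in names.items() if "VOICE" in n or "VOIP" in n]
    findings = []
    if not wireless:
        findings.append("5.5.7.1: no dedicated wireless VLAN defined")
    for v in wireless:
        if v not in svis:      # not routed on this device; the filter must sit upstream
            continue
        acl = svis[v]
        if acl is None:
            findings.append(f"5.5.7.1: Vlan{v} (wireless) has no inbound ACL; wired side unrestricted")
            continue
        rules = acls.get(acl, [])
        if any(r.startswith("permit ip any any") for r in rules):
            findings.append(f"5.5.7.1: ACL {acl} on Vlan{v} permits ip any any")
        if not rules or not rules[-1].startswith("deny ip any any"):
            findings.append(f"5.5.7.1: ACL {acl} on Vlan{v} lacks an explicit final deny (implicit deny is unlogged)")
    if not voice:
        findings.append("5.10.1.4(3): no dedicated voice VLAN defined")
    for iface, data, vvlan in ports:
        if vvlan is not None and vvlan == data:
            findings.append(f"5.10.1.4(3): {iface} carries voice and data on the same VLAN {data}")
        elif vvlan is not None and vvlan not in voice:
            findings.append(f"5.10.1.4(3): {iface} voice VLAN {vvlan} is not a named voice VLAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("compliant", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```

The checker only looks at what this switch routes: a wireless VLAN with no SVI here is skipped, because the filter then belongs on the upstream router or firewall (the physical option the policy allows). The explicit final `deny ip any any log` is required so that blocked wireless-to-wired attempts are visible to intrusion detection; the implicit deny at the end of an IOS ACL drops silently.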
VLANs
Mobility XE examples
Source: http://discover.netmotionwireless.com/rs/netmotionwireless/images/NetMotion-Wireless_Security-Wireless-Networks_WP.pdf
More Examples from CJIS Policy
ICONS
(Icon legend slides; the icon images did not survive extraction. Slide titles: Icons: Cisco Products (several slides, including Cisco Products, Optical); Icons: IBM; Icons: WAN; Icons: LAN; Icons: Media; Icons: Buildings; Icons: People; Icons: Multimedia/Voice/Phone; Icons: Miscellaneous.)