Designing Network Security Second Edition

Book Description

A practical guide to creating a secure network infrastructure

  • Understand basic cryptography and security technologies

  • Identify the threats and common attacks to a network infrastructure

  • Learn how to create a security policy

  • Find out how to recover from a security breach

  • Study specific implementation scenarios for securing your network environment

  • Learn about advances in security technologies

Designing Network Security, Second Edition, is a practical guide designed to help you understand the fundamentals of securing your corporate network infrastructure. This book takes a comprehensive look at underlying security technologies, the process of creating a security policy, and the practical requirements necessary to implement a corporate security policy.

You will gain a thorough understanding of basic cryptography, the most widely deployed security technologies, and key emerging security technologies. You will be able to guide the architecture and implementation of a security policy for a corporate environment by knowing possible threats and vulnerabilities and understanding the steps required to perform a risk management assessment. Through the use of specific configuration examples, you will learn about the features required in network infrastructure equipment to implement the given security policy, including securing the internal corporate infrastructure, Internet access, and the remote access environment.

This new edition includes coverage of new security features including SSH on routers, switches, and the PIX® Firewall; enhancements to L2TP and IPSec; Cisco® LEAP for wireless networks; digital certificates; advanced AAA functionality; and Cisco Intrusion Detection System features and products. Additional practical examples include current security trends using VPN, wireless, and VoIP networking examples.

This book is part of the Networking Technology Series from Cisco Press®, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Table of Contents

    1. Copyright
      1. Dedication
    2. About the Author
    3. About the Technical Reviewers
    4. Acknowledgments
    5. Introduction
      1. Objectives
      2. Audience
      3. Organization
        1. Part I, “Security Fundamentals”
        2. Part II, “The Corporate Security Policy”
        3. Part III, “Practical Implementation”
        4. Part IV, “Appendixes”
      4. Cisco Systems Networking Icon Legend
      5. Command Syntax Conventions
    6. I. Security Fundamentals
      1. 1. Basic Cryptography
        1. Cryptography
          1. Symmetric Key Encryption
            1. DES
            2. 3DES
            3. RC-4
            4. IDEA
            5. AES
          2. Asymmetric Encryption
          3. Hash Functions
          4. Digital Signatures
        2. Authentication and Authorization
          1. Methods of Authentication
          2. Trust Models
        3. Namespace
        4. Key Management
          1. Creating and Distributing Secret Keys
          2. Creating and Distributing Public Keys
            1. Digital Certificates
            2. Certificate Authorities
        5. Key Escrow
          1. The Business Case
          2. The Political Angle
          3. The Human Element
        6. Summary
        7. Review Questions
      2. 2. Security Technologies
        1. Identity Technologies
          1. Secure Passwords
            1. S/Key Password Protocol
            2. Token Password Authentication Schemes
          2. PPP Authentication Protocols
            1. PPP Password Authentication Protocol
            2. PPP Challenge Handshake Authentication Protocol
            3. PPP Extensible Authentication Protocol
            4. PPP Authentication Summary
          3. Protocols Using Authentication Mechanisms
            1. The TACACS+ Protocol
              1. TACACS+ Authentication
              2. TACACS+ Authorization
              3. TACACS+ Accounting
              4. TACACS+ Transactions
            2. The RADIUS Protocol
              1. RADIUS Authentication
              2. RADIUS Authorization
              3. RADIUS Accounting
              4. RADIUS Transactions
            3. The Kerberos Protocol
              1. Kerberos Terminology
              2. Kerberos Authentication Request and Reply
              3. Kerberos Application Request and Response
              4. Reuse of Credentials
              5. Practical Considerations
            4. The Distributed Computing Environment
            5. FORTEZZA
            6. IEEE 802.1x
        2. Application Layer Security Protocols
          1. SHTTP
          2. S/MIME
        3. Transport Layer Security Protocols
          1. The Secure Socket Layer/Transport Layer Security Protocol
          2. The Secure Shell Protocol
          3. The SOCKS Protocol
        4. Network Layer Security
          1. The IP Security Protocol Suite
            1. Authentication and Encryption Services
            2. Security Associations
            3. Key Management
              1. IKE PHASE 1
              2. IKE PHASE 2
              3. IKE Extensions
              4. IKE's Future
        5. Link-Layer Security Technologies
          1. The Layer 2 Forwarding Protocol
            1. A Sample Scenario
          2. The Point-to-Point Tunneling Protocol
            1. Decoupling Traditional NAS Functionality
            2. Protocol Overview
              1. The Control Connection
              2. The IP Tunnel Using GRE
          3. The Layer 2 Tunneling Protocol
            1. Protocol Overview
              1. The Control Connection
              2. The Data Channel
            2. A Sample Scenario
          4. PPPoE
            1. Protocol Overview
        6. Public Key Infrastructure and Distribution Models
          1. Functions of a PKI
          2. A Sample Scenario Using a PKI
          3. Certificates
          4. The X.509 Standard
            1. X.509v3 Certificate
            2. X.509v2 CRL
          5. Certificate Distribution
            1. Lightweight Directory Access Protocol
        7. Summary
        8. Review Questions
      3. 3. Applying Security Technologies to Real Networks
        1. Virtual Private Networks (VPNs)
          1. VPN Deployment Models
            1. Site-to-Site VPNs
            2. Client-to-Site VPNs
          2. VPN Security
            1. Tunneling Protocols
              1. IPsec
            2. NAT/PAT
              1. Point-to-Point Tunneling Protocol (PPTP)
            3. Layer 2 Tunneling Protocol (L2TP)
              1. L2TP/IPsec
            4. Authentication
              1. Differences Between IKE and PPP Authentication
              2. Certificate Authentication
            5. VPN Security Application
          3. Access VPNs
          4. Intranet/Extranet VPNs
        2. Wireless Networks
          1. Types of Wireless Technology
          2. Wireless LAN Components
          3. Wireless LAN Deployment Models
            1. Peer-to-Peer WLAN
            2. Infrastructure Mode WLAN
          4. 802.11 Physical Layer Basics
            1. Direct Sequencing Spread Spectrum (DSSS)
            2. Frequency-Hopping Spread Spectrum (FHSS)
            3. Orthogonal Frequency-Division Multiplexing (OFDM)
            4. 802.11 Media Access Control
            5. Wireless LAN Roaming
              1. Mobile IP
          5. Wireless LAN Security
            1. Basic Security
            2. WEP Encryption
            3. Cryptographic Authentication
            4. Security Enhancements
            5. Temporal Key Integrity Protocol (TKIP)
            6. 802.1X “Network Port Authentication”
              1. EAP-Transport Layer Security (EAP-TLS)
              2. EAP-Tunneled TLS (EAP-TTLS)
              3. EAP-Cisco Wireless (LEAP)
              4. Protected EAP (PEAP)
            7. Wireless VPN Security
        3. Voice over IP (VoIP) Networks
          1. IP Telephony Network Components
          2. IP Telephony Deployment Models
          3. VoIP Protocols
            1. H.323
              1. H.323 Components
              2. H.323 Protocol Suite
              3. H.323 Protocol Operation
          4. Media Gateway Control Protocol (MGCP)
          5. Session Initiation Protocol (SIP)
            1. SIP Components
            2. SIP Protocol Operation
            3. SIP and H.323 Interaction
          6. VoIP Security Protocols
            1. H.323 Protocol Security
              1. RAS Signaling Authentication
              2. Call Setup (H.225/Q.931) Security
              3. Call Control (H.245) Security
              4. Media Stream Privacy
            2. SIP Protocol Security
              1. HTTP Digest Authentication
              2. S/MIME Authentication and Encryption
              3. Transport and Network Layer Security
              4. TLS
              5. IPsec
          7. VoIP Security Solution
        4. Summary
        5. Review Questions
      4. 4. Routing Protocol Security
        1. Routing Basics
          1. Routing Protocol Classification
            1. Interior Gateway Protocols
            2. Exterior Gateway Protocols
          2. Routing Protocol Security
            1. Authenticating Routing Protocol Updates
              1. Plaintext Authentication
              2. MD5 Authentication
            2. IPsec and Routing Protocols
        2. Routing Protocol Security Details
          1. RIP
            1. RIP Authentication
              1. Plaintext Authentication
              2. Cryptographic Authentication
            2. RIPv2 and IPv6
          2. EIGRP
            1. Underlying Technologies
            2. EIGRP Routing Concepts
              1. Neighbor Tables
              2. Topology Tables
              3. Route States
              4. Route Tagging
            3. EIGRP Packet Types
            4. EIGRP Authentication
          3. OSPF
            1. OSPF Authentication
              1. Null Authentication
              2. Simple Password Authentication
              3. Cryptographic Authentication
            2. OSPF and IPv6
              1. Authentication
              2. Confidentiality
              3. Authentication and Encryption Algorithms
              4. Key Management
              5. Replay Protection
          4. IS-IS
            1. IS-IS Authentication
              1. Authentication Type 1 - Simple Password
              2. Cryptographic Authentication
          5. BGP-4
            1. BGP-4 Authentication
            2. BGP Security Futures
        3. Summary
        4. Review Questions
    7. II. The Corporate Security Policy
      1. 5. Threats in an Enterprise Network
        1. Types of Threats
          1. Unauthorized Access
            1. Internet Access
              1. Reachability Checks
              2. Port Scanning
            2. Tapping into the Physical Wire
            3. Remote Dial-In Access
            4. Wireless Access
          2. Impersonation
          3. Denial of Service
          4. DDoS
        2. Motivation of Threat
        3. Common Protocol Vulnerabilities
          1. The TCP/IP Protocol
            1. TCP/IP Connection Establishment
            2. TCP/IP Sequence Number Attack
            3. TCP/IP Session Hijacking
            4. TCP SYN Attack
            5. The Land.c Attack
          2. The UDP Protocol
          3. The ICMP Protocol
            1. The Ping of Death
            2. Smurf Attack
            3. The Teardrop.c Attack
          4. The DNS Protocol
          5. The NNTP Protocol
          6. The SMTP Protocol
            1. Spam Attack
          7. The FTP Protocol
          8. The Remote Procedure Call (RPC) Service
          9. The NFS/NIS Services
          10. X Window System
        4. Common Network Scenario Threats and Vulnerabilities
          1. Virtual Private Networks
            1. Unauthorized Access
            2. Impersonation
            3. Denial of Service
          2. Wireless Networks
            1. Unauthorized Access
            2. Impersonation
            3. Denial of Service
            4. WEP Insecurity
          3. Voice over IP Networks
            1. Unauthorized Access
            2. Impersonation
            3. Denial of Service
            4. SIP Application Layer Insecurity
              1. HTTP Digest
              2. S/MIME
              3. Transport Layer Security (TLS)
              4. Privacy
        5. Routing Protocols
        6. Social Engineering
        7. Summary
        8. Review Questions
      2. 6. Considerations for a Site Security Policy
        1. Where to Begin
        2. Risk Management
          1. Risk Assessment
            1. Identify Network Assets
            2. Value of Assets
            3. Threats and Vulnerability
              1. Data Compromise
              2. Loss of Data Integrity
              3. Unavailability of Resources
            4. Evaluating Risk
          2. Risk Mitigation and the Cost of Security
        3. A Security Policy Framework
          1. Components of an Enterprise Network
          2. Elements of a Security Architecture
            1. Identity
            2. Integrity
            3. Confidentiality
            4. Availability
            5. Audit
          3. Additional Considerations
        4. Summary
        5. Review Questions
      3. 7. Design and Implementation of the Corporate Security Policy
        1. Physical Security Controls
          1. Physical Network Infrastructure
            1. Physical Media Selection
            2. Network Topography
          2. Physical Device Security
            1. Physical Location
            2. Physical Access
            3. Environmental Safeguards
          3. Sample Physical Security Control Policy
        2. Logical Security Controls
          1. Subnet Boundaries
            1. Routing Boundaries
            2. VLAN Boundaries
          2. Logical Access Control
            1. Control and Limit Secrets
            2. Authentication Assurance
            3. System Greeting Messages
            4. Remember the Human Factor
          3. Sample Logical Security Control Policy
        3. Infrastructure and Data Integrity
          1. Firewalls
            1. Direction of Traffic
            2. Traffic Origin
            3. IP Address
            4. Port Numbers
            5. Authentication
            6. Application Content
          2. Network Services
          3. Authenticated Data
            1. Routing Updates
          4. Common Attack Deterrents
            1. Attacks Against Any Random Host Behind the Firewall
            2. Attacks Against Exposed Services
            3. Attacks Against Internal Client Hosts
            4. Spoofing Attacks
          5. Sample Infrastructure and Data Integrity Policy
        4. Data Confidentiality
          1. Sample Data Confidentiality Policy
        5. Security Policy Verification and Monitoring
          1. Vulnerability Scanners
          2. Accounting
          3. Secure Management
          4. Intrusion Detection
          5. Sample Verification and Monitoring Section
        6. Policies and Procedures for Staff
          1. Secure Backups
          2. Equipment Certification
          3. Use of Portable Tools
          4. Audit Trails
            1. What to Collect
            2. Storing the Data
            3. Legal Considerations
          5. Sample Policies and Procedures for Staff
        7. Security Awareness Training
          1. Social Engineering
        8. Summary
        9. Review Questions
      4. 8. Incident Handling
        1. Building an Incident Response Team
          1. Establishing the Core Team
        2. Detecting an Incident
          1. Keeping Track of Important Information
          2. Intrusion Detection Systems
            1. Intrusion Detection Issues in Switched Networks
            2. Network Intrusion Detection System Limitations
        3. Handling an Incident
          1. Prioritizing Actions
          2. Assessing Incident Damage
          3. Reporting and Alerting Procedures
        4. Incident Vulnerability Mitigation
        5. Responding to the Incident
          1. Keep Accurate Documentation
          2. Real-World Example Scenarios
            1. Scenario 1: Maliciously Internal Compromised Hosts
            2. Scenario 2: Violation of Acceptable-Use Policy
            3. Scenario 3: Random Network Interloping
        6. Recovering from an Incident
        7. Summary
        8. Review Questions
    8. III. Practical Implementation
      1. 9. Securing the Corporate Network Infrastructure
        1. Identity - Controlling Network Device Access
          1. Basic Versus Privileged Access
            1. Cisco IOS Devices
              1. Passwords
              2. Scalable Password Management
              3. Multiple Privilege Levels
            2. Cisco Switches
            3. Cisco PIX Firewall
              1. Multiple Privilege Levels
          2. Line Access Controls
            1. Cisco IOS
              1. Console Ports
              2. Auxiliary Ports
              3. Virtual Terminal Ports
            2. Cisco Switches
            3. Cisco PIX Firewall
              1. Password Management
            4. SNMP Security
            5. HTTP Security
              1. Cisco IOS Devices
              2. Cisco PIX Firewall
        2. Integrity
          1. Image Authentication
          2. Secure Workgroup
          3. Routing Authentication
          4. Route Filters and Routing Believability
        3. Data Confidentiality
        4. Network Availability
          1. Redundancy Features
            1. Cisco IOS
            2. Cisco Switches
            3. Cisco PIX Firewall
          2. Common Attack Deterrents
            1. Spoofed Packets
            2. Fragmentation Attacks
            3. Broadcast Attacks
            4. TCP SYN Attack
        5. Audit
          1. Configuration Verification
          2. Monitoring and Logging Network Activity
            1. Syslog Management
          3. Intrusion Detection
            1. Cisco IOS
            2. PIX Firewall
          4. Network Forensics
        6. Implementation Examples
        7. Summary
        8. Review Questions
      2. 10. Securing Internet Access
        1. Internet Access Architecture
        2. External Screening Router Architecture
          1. Cisco IOS Filters
            1. Standard IP Access Control Lists
            2. Extended Access Control Lists
            3. Turbo Access Control Lists
            4. Named Access Lists
            5. Reflexive Access Lists
        3. Advanced Firewall Architecture
          1. Advanced Packet Session Filtering
            1. TCP Protocol Traffic
            2. UDP Protocol Traffic
          2. Application Content Filtering
            1. World Wide Web
            2. Java Applets
          3. URL Filtering/Blocking
          4. E-mail and SMTP
          5. Other Common Application Protocols
          6. Application Authentication/Authorization
          7. Encryption
          8. Network Address Translation
            1. Public Versus Private IP Addresses
            2. NAT Functionality
        4. Implementation Examples
          1. Cisco IOS Firewall
            1. Content-Based Access Control
            2. Sample Cisco IOS Firewall Configuration
          2. PIX Firewall
            1. Controlling Inbound Access
            2. Controlling Outbound Access
            3. Cut-Thru-Proxy Feature
            4. Advanced Features
            5. Sample Configuration of PIX Firewall with Screening IOS Router
        5. Summary
        6. Review Questions
      3. 11. Securing Remote Dial-In Access
        1. Dial-In Security Concerns
        2. Authenticating Dial-In Users and Devices
          1. Simple Dial-In Environments
          2. Complex Dial-In Environments
            1. TACACS+ and RADIUS Authentication
              1. Defining a Method List
              2. Linking the Method List to a Line or Interface
        3. Authorization
          1. TACACS+ and RADIUS Authorization
            1. Service Types
              1. Reverse Telnet
            2. Authorization Methods
            3. Sample TACACS+ Database Syntax
        4. Accounting and Billing
          1. TACACS+ and RADIUS Accounting
          2. Centralized Billing
        5. Using AAA with Specific Features
          1. The Lock-and-Key Feature
            1. Lock-and-Key Authentication
            2. Lock-and-Key Operation
            3. Lock-and-Key Examples
          2. Double Authentication/Authorization
            1. Automated Double Authentication
        6. Encryption for Virtual Dial-In Environments
          1. GRE Tunneling and CET
            1. GRE Tunneling
            2. Cisco Encryption Technology (CET)
          2. IPsec
            1. Configuring IPsec
          3. L2TP with IPsec
        7. Summary
        8. Review Questions
      4. 12. Securing VPN, Wireless, and VoIP Networks
        1. Virtual Private Networks
          1. Identity
            1. Authentication
            2. What Do You Authenticate
            3. How Do You Authenticate
              1. Device Authentication Methods
              2. Addressing Issues
              3. User Authentication Methods
              4. Application Authentication Methods
            4. Additional Authentication Considerations
            5. Access Control
              1. Where Do You Provide Access Control
              2. How Do You Provide Access Control
          2. Integrity
          3. Confidentiality
          4. Availability
          5. Audit
          6. VPN Design Examples
        2. Wireless Networks
          1. Identity
            1. Authentication
            2. Access Control
          2. Integrity
          3. Confidentiality
          4. Availability
          5. Audit
          6. Wireless Network Design Examples
        3. Voice over IP Networks
          1. Identity
            1. Authentication
            2. Access Control
              1. Firewall for SIP
              2. Tokenless Call Authentication
              3. Binding Specific Gateway Interfaces for MGCP
              4. Binding Specific Gateway Interfaces for SIP
          2. Integrity
          3. Confidentiality
          4. Availability
          5. Audit
          6. VoIP Network Design References
        4. Summary
        5. Review Questions
    9. IV. Appendixes
      1. A. Sources of Technical Information
        1. Cryptography and Network Security Books
        2. Firewall Books
        3. Intrusion Detection Books
        4. IETF Working Groups and Sites for Standards and Drafts on Security Technologies Developed Through the IETF
        5. Documents on the Scope and Content of Network Security Policies
        6. Incident Response Teams
        7. Other Useful Sites for Security-Related Information
        8. Cisco Security Product Information
      2. B. Reporting and Prevention Guidelines: Industrial Espionage and Network Intrusions
        1. For Immediate Problems
        2. Reporting Options
        3. Conducting an Investigation
        4. Workplace Philosophy
        5. Written Plan
        6. Law and the Legal Process
        7. Computer and Network Systems
        8. Employees
        9. Methods of Safeguarding Proprietary Material
        10. Document Control
        11. Foreign/Competitor Contacts
        12. Managers and Supervisors
        13. Reporting Process—Rewards
        14. Intelligence-Gathering Methods
        15. Look for Weak Links
        16. California State Laws
        17. United States Code
        18. Examples of Cases in Santa Clara County (Silicon Valley)
      3. C. Port Numbers
      4. D. Mitigating Distributed Denial-of-Service Attacks
        1. Understanding DoS/DDoS Attacks
        2. The Filtering and/or Rate-Limiting Issue
        3. Steps to Take Before a DDoS Attack Happens
          1. Network Ingress/Egress Filtering
            1. Example 1: Simple Filtering
              1. Branch Routers
              2. NAS Router
              3. Internet Router
            2. Example 2: Advanced Filtering
              1. Branch Routers
              2. NAS Router
              3. Internet Router
          2. Rate Limit Some Network Traffic
            1. Rate Limiting ICMP Packets
            2. Rate Limiting TCP SYN Packets
          3. IP Unicast Reverse Path Forwarding (uRPF)
        4. Steps to Take During a DDoS Attack
          1. Capturing Evidence and Contacting Law Enforcement
          2. Tracing
            1. Tracing with log-input
            2. SYN Flood
            3. Smurf Attacks
            4. Tracing Without log-input
            5. Issues to Look Out for with Access List Logging
        5. Monitoring DoS Attacks with the VIP Console and NetFlow v1.0
          1. Introduction
          2. Caveat
          3. Credits
          4. The VIP Console
          5. Monitoring a DoS Attack
          6. Conclusion
        6. Tracking Spoofed IP Addresses Version 2.0
          1. Introduction
          2. Router Configuration
          3. Test Topology
          4. The Game Begins
          5. Limitations
          6. Conclusion
        7. Additional DOS Information
      5. E. Answers to Review Questions
        1. Chapter 1
        2. Chapter 2
        3. Chapter 3
        4. Chapter 4
        5. Chapter 5
        6. Chapter 6
        7. Chapter 7
        8. Chapter 8
        9. Chapter 9
        10. Chapter 10
        11. Chapter 11
        12. Chapter 12
      6. Glossary