
End-to-End Network Security: Defense-in-Depth

eBook

  • Copyright 2008
  • Pages: 480
  • Edition: 1st
  • ISBN-10: 1-58705-482-5
  • ISBN-13: 978-1-58705-482-2

End-to-End Network Security

Defense-in-Depth

Best practices for assessing and improving network defenses and responding to security incidents

Omar Santos

Information security practices have evolved from Internet perimeter protection to an in-depth defense model in which multiple countermeasures are layered throughout the infrastructure to address vulnerabilities and attacks. This is necessary due to increased attack frequency, diverse attack sophistication, and the rapid nature of attack velocity—all blurring the boundaries between the network and perimeter.

End-to-End Network Security is designed to counter the new generation of complex threats. Adopting this robust security strategy defends against highly sophisticated attacks that can occur at multiple locations in your network. The ultimate goal is to deploy a set of security capabilities that together create an intelligent, self-defending network that identifies attacks as they occur, generates alerts as appropriate, and then automatically responds.

End-to-End Network Security provides you with a comprehensive look at the mechanisms to counter threats to each part of your network. The book starts with a review of network security technologies, then covers the six-phase incident response methodology (preparation, identification, classification, traceback, reaction, and postmortem) and best practices from proactive security frameworks. Later chapters cover wireless network security, IP telephony security, data center security, and IPv6 security. Finally, several case studies representing small, medium, and large enterprises provide detailed example configurations and implementation strategies for the best practices learned in earlier chapters.

Adopting the techniques and strategies outlined in this book enables you to prevent day-zero attacks, improve your overall security posture, build strong policies, and deploy intelligent, self-defending networks.

“Within these pages, you will find many practical tools, both process related and technology related, that you can draw on to improve your risk mitigation strategies.”

—Bruce Murphy, Vice President, World Wide Security Practices, Cisco

Omar Santos is a senior network security engineer at Cisco®. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Prior to his current role, he was a technical leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.

  • Guard your network with firewalls, VPNs, and intrusion prevention systems
  • Control network access with AAA
  • Enforce security policies with Cisco Network Admission Control (NAC)
  • Learn how to perform risk and threat analysis
  • Harden your network infrastructure, security policies, and procedures against security threats
  • Identify and classify security threats
  • Trace back attacks to their source
  • Learn how to best react to security incidents
  • Maintain visibility and control over your network with the SAVE framework
  • Apply Defense-in-Depth principles to wireless networks, IP telephony networks, data centers, and IPv6 networks
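The identify, classify, alert and respond loop that the description calls a self-defending network can be shown on a small scale with flow telemetry of the kind Chapter 3 collects. The following is an added example, not code from the book or from Cisco: it runs two detectors over constructed NetFlow-style records (a SYN flood from many spoofed sources against one web server, and one host sweeping a subnet for SSH) and attaches a suggested mitigation to each finding. The `Flow` record, the `classify` function, the sample data and the thresholds are all assumptions made for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record, reduced to the fields the detectors use."""
    src: str
    dst: str
    dport: int
    proto: str
    flags: str      # cumulative TCP flags for the flow, e.g. "S", "SA", "SPA"
    packets: int
    octets: int


def sample_flows():
    """Constructed sample telemetry (not captured data): a SYN flood against one
    web server from 40 spoofed sources, one host probing 24 hosts on port 22,
    and a few ordinary established sessions. Addresses are RFC 5737 / RFC 1918."""
    flows = []
    for i in range(1, 41):                       # spoofed sources, one SYN each
        flows.append(Flow(f"192.0.2.{i}", "203.0.113.10", 80, "tcp", "S", 1, 40))
    for i in range(1, 25):                       # one scanner sweeping a /24
        flows.append(Flow("198.51.100.7", f"10.1.1.{i}", 22, "tcp", "S", 1, 44))
    flows += [                                   # benign: handshake done, data moved
        Flow("10.1.2.15", "203.0.113.10", 80, "tcp", "SPA", 120, 98_000),
        Flow("10.1.2.16", "203.0.113.10", 443, "tcp", "SPA", 300, 410_000),
        Flow("10.1.2.17", "10.1.1.5", 22, "tcp", "SPA", 800, 120_000),
    ]
    return flows


def half_open(flow):
    """True for a TCP flow that only ever carried a SYN and essentially no payload."""
    return flow.proto == "tcp" and flow.flags == "S" and flow.packets <= 2


def classify(flows, syn_flood_min_sources=20, scan_min_targets=10):
    """Return a list of findings; each carries a classification and a suggested action.

    Thresholds are arbitrary for the example; in practice they are tuned per site.
    """
    findings = []

    # SYN flood: many distinct sources leaving half-open flows toward one service.
    sources_by_service = defaultdict(set)
    for f in flows:
        if half_open(f):
            sources_by_service[(f.dst, f.dport)].add(f.src)
    for (dst, dport), sources in sorted(sources_by_service.items()):
        if len(sources) >= syn_flood_min_sources:
            findings.append({
                "kind": "syn_flood",
                "target": f"{dst}:{dport}",
                "distinct_sources": len(sources),
                # Sources are likely spoofed, so blocking them is pointless; protect the
                # victim service and trace the traffic back hop by hop via ingress interface.
                "action": f"enable SYN cookies / TCP intercept for {dst}:{dport}; "
                          f"trace back upstream by ingress interface",
            })

    # Horizontal scan: one source touching many hosts on the same port.
    targets_by_source = defaultdict(set)
    for f in flows:
        if half_open(f):
            targets_by_source[(f.src, f.dport)].add(f.dst)
    for (src, dport), targets in sorted(targets_by_source.items()):
        if len(targets) >= scan_min_targets:
            findings.append({
                "kind": "horizontal_scan",
                "source": src,
                "port": dport,
                "distinct_targets": len(targets),
                # A single real source can be filtered at the edge with an ACL entry.
                "action": f"access-list 100 deny ip host {src} any",
            })
    return findings


if __name__ == "__main__":
    for finding in classify(sample_flows()):
        print(finding)
```

The two detectors deliberately key on different things: the flood is recognised by the number of distinct sources hitting one service, the scan by the number of distinct targets touched by one source, so the spoofed flood sources (one target each) never look like scanners and the scanner (one source per target) never looks like a flood. The suggested actions differ for the same reason: filtering spoofed addresses achieves nothing, so the flood response protects the victim and starts traceback, while the scan response filters the real source.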

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Networking: Security

Covers: Network security and incident response

Table of Contents

Foreword xix

Introduction xx

Part I

Introduction to Network Security Solutions 3

Chapter 1

Overview of Network Security Technologies 5

Firewalls 5

Network Firewalls 6

Network Address Translation (NAT) 7

Stateful Firewalls 9

Deep Packet Inspection 10

Demilitarized Zones 10

Personal Firewalls 11

Virtual Private Networks (VPN) 12

Technical Overview of IPsec 14

Phase 1 14

Phase 2 16

SSL VPNs 18

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) 19

Pattern Matching 20

Protocol Analysis 21

Heuristic-Based Analysis 21

Anomaly-Based Analysis 21

Anomaly Detection Systems 22

Authentication, Authorization, and Accounting (AAA) and Identity Management 23

RADIUS 23

TACACS+ 25

Identity Management Concepts 26

Network Admission Control 27

NAC Appliance 27

NAC Framework 33

Routing Mechanisms as Security Tools 36

Summary 39


Part II

Security Lifecycle: Frameworks and Methodologies 41

Chapter 2

Preparation Phase 43

Risk Analysis 43

Threat Modeling 44

Penetration Testing 46

Social Engineering 49

Security Intelligence 50

Common Vulnerability Scoring System 50

Base Metrics 51

Temporal Metrics 51

Environmental Metrics 52

Creating a Computer Security Incident Response Team (CSIRT) 52

Who Should Be Part of the CSIRT? 53

Incident Response Collaborative Teams 54

Tasks and Responsibilities of the CSIRT 54

Building Strong Security Policies 54

Infrastructure Protection 57

Strong Device Access Control 59

SSH Versus Telnet 59

Local Password Management 61

Configuring Authentication Banners 62

Interactive Access Control 62

Role-Based Command-Line Interface (CLI) Access in Cisco IOS 64

Controlling SNMP Access 66

Securing Routing Protocols 66

Configuring Static Routing Peers 68

Authentication 68

Route Filtering 69

Time-to-Live (TTL) Security Check 70

Disabling Unnecessary Services on Network Components 70

Cisco Discovery Protocol (CDP) 71

Finger 72

Directed Broadcast 72

Maintenance Operations Protocol (MOP) 72

BOOTP Server 73

ICMP Redirects 73

IP Source Routing 73

Packet Assembler/Disassembler (PAD) 73

Proxy Address Resolution Protocol (ARP) 73

IDENT 74

TCP and User Datagram Protocol (UDP) Small Servers 74

IP Version 6 (IPv6) 75

Locking Down Unused Ports on Network Access Devices 75

Control Resource Exhaustion 75

Resource Thresholding Notification 76

CPU Protection 77

Receive Access Control Lists (rACLs) 78

Control Plane Policing (CoPP) 80

Scheduler Allocate/Interval 81

Policy Enforcement 81

Infrastructure Protection Access Control Lists (iACLs) 82

Unicast Reverse Path Forwarding (Unicast RPF) 83

Automated Security Tools Within Cisco IOS 84

Cisco IOS AutoSecure 84

Cisco Secure Device Manager (SDM) 88

Telemetry 89

Endpoint Security 90

Patch Management 90

Cisco Security Agent (CSA) 92

Network Admission Control 94

Phased Approach 94

Administrative Tasks 96

Staff and Support 96

Summary 97

Chapter 3

Identifying and Classifying Security Threats 99

Network Visibility 101

Telemetry and Anomaly Detection 108

NetFlow 108

Enabling NetFlow 111

Collecting NetFlow Statistics from the CLI 112

SYSLOG 115

Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches 115

Enabling Logging Cisco Catalyst Switches Running CATOS 117

Enabling Logging on Cisco ASA and Cisco PIX Security Appliances 117

SNMP 118

Enabling SNMP on Cisco IOS Devices 119

Enabling SNMP on Cisco ASA and Cisco PIX Security Appliances 121

Cisco Security Monitoring, Analysis and Response System (CS-MARS) 121

Cisco Network Analysis Module (NAM) 125

Open Source Monitoring Tools 126

Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances 127

Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) 131

The Importance of Signatures Updates 131

The Importance of Tuning 133

Anomaly Detection Within Cisco IPS Devices 137

Summary 139

Chapter 4

Traceback 141

Traceback in the Service Provider Environment 142

Traceback in the Enterprise 147

Summary 151

Chapter 5

Reacting to Security Incidents 153

Adequate Incident-Handling Policies and Procedures 153

Laws and Computer Crimes 155

Security Incident Mitigation Tools 156

Access Control Lists (ACL) 157

Private VLANs 158

Remotely Triggered Black Hole Routing 158

Forensics 160

Log Files 161

Linux Forensics Tools 162

Windows Forensics 164

Summary 165

Chapter 6

Postmortem and Improvement 167

Collected Incident Data 167

Root-Cause Analysis and Lessons Learned 171

Building an Action Plan 173

Summary 174

Chapter 7

Proactive Security Framework 177

SAVE Versus ITU-T X.805 178

Identity and Trust 183

AAA 183

Cisco Guard Active Verification 185

DHCP Snooping 186

IP Source Guard 187

Digital Certificates and PKI 188

IKE 188

Network Admission Control (NAC) 188

Routing Protocol Authentication 189

Strict Unicast RPF 189

Visibility 189

Anomaly Detection 190

IDS/IPS 190

Cisco Network Analysis Module (NAM) 191

Layer 2 and Layer 3 Information (CDP, Routing Tables, CEF Tables) 191

Correlation 192

CS-MARS 193

Arbor Peakflow SP and Peakflow X 193

Cisco Security Agent Management Console (CSA-MC) Basic Event Correlation 193

Instrumentation and Management 193

Cisco Security Manager 195

Configuration Logger and Configuration Rollback 195

Embedded Device Managers 195

Cisco IOS XR XML Interface 196

SNMP and RMON 196

Syslog 196

Isolation and Virtualization 196

Cisco IOS Role-Based CLI Access (CLI Views) 197

Anomaly Detection Zones 198

Network Device Virtualization 198

Segmentation with VLANs 199

Segmentation with Firewalls 200

Segmentation with VRF/VRF-Lite 200

Policy Enforcement 202

Visualization Techniques 203

Summary 207


Part III

Defense-In-Depth Applied 209

Chapter 8

Wireless Security 211

Overview of Cisco Unified Wireless Network Architecture 212

Authentication and Authorization of Wireless Users 216

WEP 216

WPA 218

802.1x on Wireless Networks 219

EAP with MD5 221

Cisco LEAP 222

EAP-TLS 223

PEAP 223

EAP Tunneled TLS Authentication Protocol (EAP-TTLS) 224

EAP-FAST 224

EAP-GTC 225

Configuring 802.1x with EAP-FAST in the Cisco Unified Wireless Solution 226

Configuring the WLC 226

Configuring the Cisco Secure ACS Server for 802.1x and EAP-FAST 229

Configuring the CSSC 233

Lightweight Access Point Protocol (LWAPP) 236

Wireless Intrusion Prevention System Integration 239

Configuring IDS/IPS Sensors in the WLC 241

Uploading and Configuring IDS/IPS Signatures 242

Management Frame Protection (MFP) 243

Precise Location Tracking 244

Network Admission Control (NAC) in Wireless Networks 245

NAC Appliance Configuration 246

WLC Configuration 255

Summary 259

Chapter 9

IP Telephony Security 261

Protecting the IP Telephony Infrastructure 262

Access Layer 266

Distribution Layer 273

Core 275

Securing the IP Telephony Applications 275

Protecting Cisco Unified CallManager 276

Protecting Cisco Unified Communications Manager Express (CME) 277

Protecting Cisco Unity 281

Protecting Cisco Unity Express 287

Protecting Cisco Personal Assistant 289

Hardening the Cisco Personal Assistant Operating Environment 289

Cisco Personal Assistant Server Security Policies 291

Protecting Against Eavesdropping Attacks 293

Summary 295

Chapter 10

Data Center Security 297

Protecting the Data Center Against Denial of Service (DoS) Attacks and Worms 297

SYN Cookies in Firewalls and Load Balancers 297

Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) 300

Cisco NetFlow in the Data Center 301

Cisco Guard 302

Data Center Infrastructure Protection 302

Data Center Segmentation and Tiered Access Control 303

Segmenting the Data Center with the Cisco FWSM 306

Cisco FWSM Modes of Operation and Design Considerations 306

Configuring the Cisco Catalyst Switch 309

Creating Security Contexts in the Cisco FWSM 310

Configuring the Interfaces on Each Security Context 312

Configuring Network Address Translation 313

Controlling Access with ACLs 317

Virtual Fragment Reassembly 322

Deploying Network Intrusion Detection and Prevention Systems 322

Sending Selective Traffic to the IDS/IPS Devices 322

Monitoring and Tuning 325

Deploying the Cisco Security Agent (CSA) in the Data Center 325

CSA Architecture 325

Configuring Agent Kits 326

Phased Deployment 326

Summary 327

Chapter 11

IPv6 Security 329

Reconnaissance 330

Filtering in IPv6 331

Filtering Access Control Lists (ACL) 331

ICMP Filtering 332

Extension Headers in IPv6 332

Spoofing 333

Header Manipulation and Fragmentation 333

Broadcast Amplification or Smurf Attacks 334

IPv6 Routing Security 334

IPsec and IPv6 335

Summary 336

Part IV

Case Studies 339

Chapter 12

Case Studies 341

Case Study of a Small Business 341

Raleigh Office Cisco ASA Configuration 343

Configuring IP Addressing and Routing 343

Configuring PAT on the Cisco ASA 347

Configuring Static NAT for the DMZ Servers 349

Configuring Identity NAT for Inside Users 351

Controlling Access 352

Cisco ASA Antispoofing Configuration 353

Blocking Instant Messaging 354

Atlanta Office Cisco IOS Configuration 360

Locking Down the Cisco IOS Router 360

Configuring Basic Network Address Translation (NAT) 376

Configuring Site-to-Site VPN 377

Case Study of a Medium-Sized Enterprise 389

Protecting the Internet Edge Routers 391

Configuring the AIP-SSM on the Cisco ASA 391

Configuring Active-Standby Failover on the Cisco ASA 394

Configuring AAA on the Infrastructure Devices 400

Case Study of a Large Enterprise 401

Creating a New Computer Security Incident Response Team (CSIRT) 403

Creating New Security Policies 404

Physical Security Policy 404

Perimeter Security Policy 404

Device Security Policy 405

Remote Access VPN Policy 405

Patch Management Policy 406

Change Management Policy 406

Internet Usage Policy 406

Deploying IPsec Remote Access VPN 406

Configuring IPsec Remote Access VPN 408

Configuring Load-Balancing 415

Reacting to a Security Incident 418

Identifying, Classifying, and Tracking the Security Incident or Attack 419

Reacting to the Incident 419

Postmortem 419

Summary 420

Index 422
