book

Designing Network Security Second Edition

Name: Designing Network Security Second Edition
Author: Merike Kaeo
ISBN: 9781587051173

by Merike Kaeo

October 2003

Intermediate to advanced

768 pages

18h 59m

English

Cisco Press

Read now

Unlock full access

Copyright
Dedication
About the Author
About the Technical Reviewers
Acknowledgments
Introduction
ObjectivesAudienceOrganizationPart I, “Security Fundamentals”Part II, “The Corporate Security Policy”Part III, “Practical Implementation”Part IV, “Appendixes”Cisco Systems Networking Icon LegendCommand Syntax Conventions
I. Security Fundamentals
1. Basic Cryptography
CryptographySymmetric Key EncryptionDES3DESRC-4IDEAAESAsymmetric EncryptionHash FunctionsDigital SignaturesAuthentication and AuthorizationMethods of AuthenticationTrust ModelsNamespaceKey ManagementCreating and Distributing Secret KeysCreating and Distributing Public KeysDigital CertificatesCertificate AuthoritiesKey EscrowThe Business CaseThe Political AngleThe Human ElementSummaryReview Questions
2. Security Technologies
Identity TechnologiesSecure PasswordsS/Key Password ProtocolToken Password Authentication SchemesPPP Authentication ProtocolsPPP Password Authentication ProtocolPPP Challenge Handshake Authentication ProtocolPPP Extensible Authentication ProtocolPPP Authentication SummaryProtocols Using Authentication MechanismsThe TACACS+ ProtocolTACACS+ AuthenticationTACACS+ AuthorizationTACACS+ AccountingTACACS+ TransactionsThe RADIUS ProtocolRADIUS AuthenticationRADIUS AuthorizationRADIUS AccountingRADIUS TransactionsThe Kerberos ProtocolKerberos TerminologyKerberos Authentication Request and ReplyKerberos Application Request and ResponseReuse of CredentialsPractical ConsiderationsThe Distributed Computing EnvironmentFORTEZZAIEEE 802.1xApplication Layer Security ProtocolsSHTTPS/MIMETransport Layer Security ProtocolsThe Secure Socket Layer/Transport Layer Security ProtocolThe Secure Shell ProtocolThe SOCKS ProtocolNetwork Layer SecurityThe IP Security Protocol SuiteAuthentication and Encryption ServicesSecurity AssociationsKey ManagementIKE PHASE 1IKE PHASE 2IKE ExtensionsIKE's FutureLink-Layer Security TechnologiesThe Layer 2 Forwarding ProtocolA Sample ScenarioThe Point-to-Point Tunneling ProtocolDecoupling Traditional NAS FunctionalityProtocol OverviewThe Control ConnectionThe IP Tunnel Using GREThe Layer 2 Tunneling ProtocolProtocol OverviewThe Control ConnectionThe Data ChannelA Sample ScenarioPPPoEProtocol OverviewPublic Key Infrastructure and Distribution ModelsFunctions of a PKIA Sample Scenario Using a PKICertificatesThe X.509 StandardX.509v3 CertificateX.509v2 CRLCertificate DistributionLightweight Directory Access ProtocolSummaryReview Questions
3. Applying Security Technologies to Real Networks
Virtual Private Networks (VPNs)VPN Deployment ModelsSite-to-Site VPNsClient-to-Site VPNsVPN SecurityTunneling ProtocolsIPsecNAT/PATPoint-to-Point Tunneling Protocol (PPTP)Layer 2 Tunneling Protocol (L2TP)L2TP/IPsecAuthenticationDifferences Between IKE and PPP AuthenticationCertificate AuthenticationVPN Security ApplicationAccess VPNsIntranet/Extranet VPNsWireless NetworksTypes of Wireless TechnologyWireless LAN ComponentsWireless LAN Deployment ModelsPeer-to-Peer WLANInfrastructure Mode WLAN802.11 Physical Layer BasicsDirect Sequencing Spread Spectrum (DSSS)Frequency-Hopping Spread Spectrum (FHSS)Orthogonal Frequency-Division Multiplexing (OFDM)802.11 Media Access ControlWireless LAN RoamingMobile IPWireless LAN SecurityBasic SecurityWEP EncryptionCryptographic AuthenticationSecurity EnhancementsTemporal Key Integrity Protocol (TKIP)802.1X “Network Port Authentication”EAP-Transport Layer Security (EAP-TLS)EAP-Tunneled TLS (EAP-TTLS)EAP-Cisco Wireless (LEAP)Protected EAP (PEAP)Wireless VPN SecurityVoice over IP (VoIP) NetworksIP Telephony Network ComponentsIP Telephony Deployment ModelsVoIP ProtocolsH.323H.323 ComponentsH.323 Protocol SuiteH.323 Protocol OperationMedia Gateway Control Protocol (MGCP)Session Initiation Protocol (SIP)SIP ComponentsSIP Protocol OperationSIP and H.323 InteractionVoIP Security ProtocolsH.323 Protocol SecurityRAS Signaling AuthenticationCall Setup (H.225/Q.931) SecurityCall Control (H.245) SecurityMedia Stream PrivacySIP Protocol SecurityHTTP Digest AuthenticationS/MIME Authentication and EncryptionTransport and Network Layer SecurityTLSIPsecVoIP Security SolutionSummaryReview Questions
4. Routing Protocol Security
Routing BasicsRouting Protocol ClassificationInterior Gateway ProtocolsExterior Gateway ProtocolsRouting Protocol SecurityAuthenticating Routing Protocol UpdatesPlaintext AuthenticationMD5 AuthenticationIPsec and Routing ProtocolsRouting Protocol Security DetailsRIPRIP AuthenticationPlaintext AuthenticationCryptographic AuthenticationRIPv2 and IPv6EIGRPUnderlying TechnologiesEIGRP Routing ConceptsNeighbor TablesTopology TablesRoute StatesRoute TaggingEIGRP Packet TypesEIGRP AuthenticationOSPFOSPF AuthenticationNull AuthenticationSimple Password AuthenticationCryptographic AuthenticationOSPF and IPv6AuthenticationConfidentialityAuthentication and Encryption AlgorithmsKey ManagementReplay ProtectionIS-ISIS-IS AuthenticationAuthentication Type 1 - Simple PasswordCryptographic AuthenticationBGP-4BGP-4 AuthenticationBGP Security FuturesSummaryReview Questions

II. The Corporate Security Policy
5. Threats in an Enterprise Network
Types of ThreatsUnauthorized AccessInternet AccessReachability ChecksPort ScanningTapping into the Physical WireRemote Dial-In AccessWireless AccessImpersonationDenial of ServiceDDoSMotivation of ThreatCommon Protocol VulnerabilitiesThe TCP/IP ProtocolTCP/IP Connection EstablishmentTCP/IP Sequence Number AttackTCP/IP Session HijackingTCP SYN AttackThe Land.c AttackThe UDP ProtocolThe ICMP ProtocolThe Ping of DeathSmurf AttackThe Teardrop.c AttackThe DNS ProtocolThe NNTP ProtocolThe SMTP ProtocolSpam AttackThe FTP ProtocolThe Remote Procedure Call (RPC) ServiceThe NFS/NIS ServicesX Window SystemCommon Network Scenario Threats and VulnerabilitiesVirtual Private NetworksUnauthorized AccessImpersonationDenial of ServiceWireless NetworksUnauthorized AccessImpersonationDenial of ServiceWEP InsecurityVoice over IP NetworksUnauthorized AccessImpersonationDenial of ServiceSIP Application Layer InsecurityHTTP DigestS/MIMETransport Layer Security (TLS)PrivacyRouting ProtocolsSocial EngineeringSummaryReview Questions
6. Considerations for a Site Security Policy
Where to BeginRisk ManagementRisk AssessmentIdentify Network AssetsValue of AssetsThreats and VulnerabilityData CompromiseLoss of Data IntegrityUnavailability of ResourcesEvaluating RiskRisk Mitigation and the Cost of SecurityA Security Policy FrameworkComponents of an Enterprise NetworkElements of a Security ArchitectureIdentityIntegrityConfidentialityAvailabilityAuditAdditional ConsiderationsSummaryReview Questions
7. Design and Implementation of the Corporate Security Policy
Physical Security ControlsPhysical Network InfrastructurePhysical Media SelectionNetwork TopographyPhysical Device SecurityPhysical LocationPhysical AccessEnvironmental SafeguardsSample Physical Security Control PolicyLogical Security ControlsSubnet BoundariesRouting BoundariesVLAN BoundariesLogical Access ControlControl and Limit SecretsAuthentication AssuranceSystem Greeting MessagesRemember the Human FactorSample Logical Security Control PolicyInfrastructure and Data IntegrityFirewallsDirection of TrafficTraffic OriginIP AddressPort NumbersAuthenticationApplication ContentNetwork ServicesAuthenticated DataRouting UpdatesCommon Attack DeterrentsAttacks Against Any Random Host Behind the FirewallAttacks Against Exposed ServicesAttacks Against Internal Client HostsSpoofing AttacksSample Infrastructure and Data Integrity PolicyData ConfidentialitySample Data Confidentiality PolicySecurity Policy Verification and MonitoringVulnerability ScannersAccountingSecure ManagementIntrusion DetectionSample Verification and Monitoring SectionPolicies and Procedures for StaffSecure BackupsEquipment CertificationUse of Portable ToolsAudit TrailsWhat to CollectStoring the DataLegal ConsiderationsSample Policies and Procedures for StaffSecurity Awareness TrainingSocial EngineeringSummaryReview Questions
8. Incident Handling
Building an Incident Response TeamEstablishing the Core TeamDetecting an IncidentKeeping Track of Important InformationIntrusion Detection SystemsIntrusion Detection Issues in Switched NetworksNetwork Intrusion Detection System LimitationsHandling an IncidentPrioritizing ActionsAssessing Incident DamageReporting and Alerting ProceduresIncident Vulnerability MitigationResponding to the IncidentKeep Accurate DocumentationReal-World Example ScenariosScenario 1: Maliciously Internal Compromised HostsScenario 2: Violation of Acceptble-Use PolicyScenario 3: Random Network InterlopingRecovering from an IncidentSummaryReview Questions
III. Practical Implementation
9. Securing the Corporate Network Infrastructure
Identity - Controlling Network Device AccessBasic Versus Privileged AccessCisco IOS DevicesPasswordsScalable Password ManagementMultiple Privilege LevelsCisco SwitchesCisco PIX FirewallMultiple Privilege LevelsLine Access ControlsCisco IOSConsole PortsAuxiliary PortsVirtual Terminal PortsCisco SwitchesCisco PIX FirewallPassword ManagementSNMP SecurityHTTP SecurityCisco IOS DevicesCisco PIX FirewallIntegrityImage AuthenticationSecure WorkgroupRouting AuthenticationRoute Filters and Routing BelievabilityData ConfidentialityNetwork AvailabilityRedundancy FeaturesCisco IOSCisco SwitchesCisco PIX FirewallCommon Attack DeterrentsSpoofed PacketsFragmentation AttacksBroadcast AttacksTCP SYN AttackAuditConfiguration VerificationMonitoring and Logging Network ActivitySyslog ManagementIntrusion DetectionCisco IOSPIX FirewallNetwork ForensicsImplementation ExamplesSummaryReview Questions
10. Securing Internet Access
Internet Access ArchitectureExternal Screening Router ArchitectureCisco IOS FiltersStandard IP Access Control ListsExtended Access Control ListsTurbo Access Control ListsNamed Access ListsReflexive Access ListsAdvanced Firewall ArchitectureAdvanced Packet Session FilteringTCP Protocol TrafficUDP Protocol TrafficApplication Content FilteringWorld Wide WebJava AppletsURL Filtering/BlockingE-mail and SMTPOther Common Application ProtocolsApplication Authentication/AuthorizationEncryptionNetwork Address TranslationPublic Versus Private IP AddressesNAT FunctionalityImplementation ExamplesCisco IOS FirewallContent-Based Access ControlSample Cisco IOS Firewall ConfigurationPIX FirewallControlling Inbound AccessControlling Outbound AccessCut-Thru-Proxy FeatureAdvanced FeaturesSample Configuration of PIX Firewall with Screening IOS RouterSummaryReview Questions
11. Securing Remote Dial-In Access
Dial-In Security ConcernsAuthenticating Dial-In Users and DevicesSimple Dial-In EnvironmentsComplex Dial-In EnvironmentsTACACS+ and RADIUS AuthenticationDefining a Method ListLinking the Method List to a Line or InterfaceAuthorizationTACACS+ and RADIUS AuthorizationService TypesReverse TelnetAuthorization MethodsSample TACACS+ Database SyntaxAccounting and BillingTACACS+ and RADIUS AccountingCentralized BillingUsing AAA with Specific FeaturesThe Lock-and-Key FeatureLock-and-Key AuthenticationLock-and-Key OperationLock-and-Key ExamplesDouble Authentication/AuthorizationAutomated Double AuthenticationEncryption for Virtual Dial-In EnvironmentsGRE Tunneling and CETGRE TunnelingCisco Encryption Technology (CET)IPsecConfiguring IPsecL2TP with IPsecSummaryReview Questions
12. Securing VPN, Wireless, and VoIP Networks
Virtual Private NetworksIdentityAuthenticationWhat Do You AuthenticateHow Do You AuthenticateDevice Authentication MethodsAddressing IssuesUser Authentication MethodsApplication Authentication MethodsAdditional Authentication ConsiderationsAccess ControlWhere Do You Provide Access ControlHow Do You Provide Access ControlIntegrityConfidentialityAvailabilityAuditVPN Design ExamplesWireless NetworksIdentityAuthenticationAccess ControlIntegrityConfidentialityAvailabilityAuditWireless Network Design ExamplesVoice over IP NetworksIdentityAuthenticationAccess ControlFirewall for SIPTokenless Call AuthenticationBinding Specific Gateway Interfaces for MGCPBinding Specific Gateway Interfaces for SIPIntegrityConfidentialityAvailabilityAuditVoIP Network Design ReferencesSummaryReview Questions
IV. Appendixes
A. Sources of Technical Information
Cryptography and Network Security BooksFirewall BooksIntrusion Detection BooksIETF Working Groups and Sites for Standards and Drafts on Security Technologies Developed Through the IETFDocuments on the Scope and Content of Network Security PoliciesIncident Response TeamsOther Useful Sites for Security-Related InformationCisco Security Product Information
B. Reporting and Prevention Guidelines: Industrial Espionage and Network Intrusions
For Immediate ProblemsReporting OptionsConducting an InvestigationWorkplace PhilosophyWritten PlanLaw and the Legal ProcessComputer and Network SystemsEmployeesMethods of Safeguarding Proprietary MaterialDocument ControlForeign/Competitor ContactsManagers and SupervisorsReporting Process—RewardsIntelligence-Gathering MethodsLook for Weak LinksCalifornia State LawsUnited States CodeExamples of Cases in Santa Clara County (Silicon Valley)
C. Port Numbers
D. Mitigating Distributed Denial-of-Service Attacks
Understanding DoS/DDoS AttacksThe Filtering and/or Rate-Limiting IssueSteps to Take Before a DDoS Attack HappensNetwork Ingress/Egress FilteringExample 1: Simple FilteringBranch RoutersNAS RouterInternet RouterExample 2: Advanced FilteringBranch RoutersNAS RouterInternet RouterRate Limit Some Network TrafficRate Limiting ICMP PacketsRate Limiting TCP SYN PacketsIP Unicast Reverse Path Forwarding (uRPF)Steps to Take During a DDoS AttackCapturing Evidence and Contacting Law EnforcementTracingTracing with log-inputSYN FloodSmurf AttacksTracing Without log-inputIssues to Look Out for with Access List LoggingMonitoring DoS Attacks with the VIP Console and NetFlow v1.0IntroductionCaveatCreditsThe VIP ConsoleMonitoring a DoS AttackConclusionTracking Spoofed IP Addresses Version 2.0IntroductionRouter ConfigurationTest TopologyThe Game BeginsLimitationsConclusionAdditional DOS Information
E. Answers to Review Questions
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12
Glossary

Content preview from Designing Network Security Second Edition

Chapter 5. Threats in an Enterprise Network

Today, there is an ever-growing dependency on computer networks for business transactions. With the free flow of information and the high availability of many resources, managers of enterprise networks have to understand all the possible threats to their networks. These threats take many forms, but all result in loss of privacy to some degree and possibly malicious destruction of information or resources that can lead to large monetary losses.

Knowing which areas of the network are more susceptible to network intruders and who is the common attacker is useful. The common trend in the past has been to trust users internal to the corporate network and to distrust connections originating from the Internet ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Network Protocols for Security Professionals

Publisher Resources

ISBN: 1587051176Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Designing Network Security Second Edition

by Merike Kaeo

Chapter 5. Threats in an Enterprise Network

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.