III. Practical Implementation
by Merike Kaeo
Designing Network Security Second Edition
Copyright
Dedication
About the Author
About the Technical Reviewers
Acknowledgments
Introduction
Objectives
Audience
Organization
Part I, “Security Fundamentals”
Part II, “The Corporate Security Policy”
Part III, “Practical Implementation”
Part IV, “Appendixes”
Cisco Systems Networking Icon Legend
Command Syntax Conventions
I. Security Fundamentals
1. Basic Cryptography
Cryptography
Symmetric Key Encryption
DES
3DES
RC-4
IDEA
AES
Asymmetric Encryption
Hash Functions
Digital Signatures
Authentication and Authorization
Methods of Authentication
Trust Models
Namespace
Key Management
Creating and Distributing Secret Keys
Creating and Distributing Public Keys
Digital Certificates
Certificate Authorities
Key Escrow
The Business Case
The Political Angle
The Human Element
Summary
Review Questions
2. Security Technologies
Identity Technologies
Secure Passwords
S/Key Password Protocol
Token Password Authentication Schemes
PPP Authentication Protocols
PPP Password Authentication Protocol
PPP Challenge Handshake Authentication Protocol
PPP Extensible Authentication Protocol
PPP Authentication Summary
Protocols Using Authentication Mechanisms
The TACACS+ Protocol
TACACS+ Authentication
TACACS+ Authorization
TACACS+ Accounting
TACACS+ Transactions
The RADIUS Protocol
RADIUS Authentication
RADIUS Authorization
RADIUS Accounting
RADIUS Transactions
The Kerberos Protocol
Kerberos Terminology
Kerberos Authentication Request and Reply
Kerberos Application Request and Response
Reuse of Credentials
Practical Considerations
The Distributed Computing Environment
FORTEZZA
IEEE 802.1x
Application Layer Security Protocols
SHTTP
S/MIME
Transport Layer Security Protocols
The Secure Socket Layer/Transport Layer Security Protocol
The Secure Shell Protocol
The SOCKS Protocol
Network Layer Security
The IP Security Protocol Suite
Authentication and Encryption Services
Security Associations
Key Management
IKE PHASE 1
IKE PHASE 2
IKE Extensions
IKE's Future
Link-Layer Security Technologies
The Layer 2 Forwarding Protocol
A Sample Scenario
The Point-to-Point Tunneling Protocol
Decoupling Traditional NAS Functionality
Protocol Overview
The Control Connection
The IP Tunnel Using GRE
The Layer 2 Tunneling Protocol
Protocol Overview
The Control Connection
The Data Channel
A Sample Scenario
PPPoE
Protocol Overview
Public Key Infrastructure and Distribution Models
Functions of a PKI
A Sample Scenario Using a PKI
Certificates
The X.509 Standard
X.509v3 Certificate
X.509v2 CRL
Certificate Distribution
Lightweight Directory Access Protocol
Summary
Review Questions
3. Applying Security Technologies to Real Networks
Virtual Private Networks (VPNs)
VPN Deployment Models
Site-to-Site VPNs
Client-to-Site VPNs
VPN Security
Tunneling Protocols
IPsec
NAT/PAT
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
L2TP/IPsec
Authentication
Differences Between IKE and PPP Authentication
Certificate Authentication
VPN Security Application
Access VPNs
Intranet/Extranet VPNs
Wireless Networks
Types of Wireless Technology
Wireless LAN Components
Wireless LAN Deployment Models
Peer-to-Peer WLAN
Infrastructure Mode WLAN
802.11 Physical Layer Basics
Direct Sequencing Spread Spectrum (DSSS)
Frequency-Hopping Spread Spectrum (FHSS)
Orthogonal Frequency-Division Multiplexing (OFDM)
802.11 Media Access Control
Wireless LAN Roaming
Mobile IP
Wireless LAN Security
Basic Security
WEP Encryption
Cryptographic Authentication
Security Enhancements
Temporal Key Integrity Protocol (TKIP)
802.1X “Network Port Authentication”
EAP-Transport Layer Security (EAP-TLS)
EAP-Tunneled TLS (EAP-TTLS)
EAP-Cisco Wireless (LEAP)
Protected EAP (PEAP)
Wireless VPN Security
Voice over IP (VoIP) Networks
IP Telephony Network Components
IP Telephony Deployment Models
VoIP Protocols
H.323
H.323 Components
H.323 Protocol Suite
H.323 Protocol Operation
Media Gateway Control Protocol (MGCP)
Session Initiation Protocol (SIP)
SIP Components
SIP Protocol Operation
SIP and H.323 Interaction
VoIP Security Protocols
H.323 Protocol Security
RAS Signaling Authentication
Call Setup (H.225/Q.931) Security
Call Control (H.245) Security
Media Stream Privacy
SIP Protocol Security
HTTP Digest Authentication
S/MIME Authentication and Encryption
Transport and Network Layer Security
TLS
IPsec
VoIP Security Solution
Summary
Review Questions
4. Routing Protocol Security
Routing Basics
Routing Protocol Classification
Interior Gateway Protocols
Exterior Gateway Protocols
Routing Protocol Security
Authenticating Routing Protocol Updates
Plaintext Authentication
MD5 Authentication
IPsec and Routing Protocols
Routing Protocol Security Details
RIP
RIP Authentication
Plaintext Authentication
Cryptographic Authentication
RIPv2 and IPv6
EIGRP
Underlying Technologies
EIGRP Routing Concepts
Neighbor Tables
Topology Tables
Route States
Route Tagging
EIGRP Packet Types
EIGRP Authentication
OSPF
OSPF Authentication
Null Authentication
Simple Password Authentication
Cryptographic Authentication
OSPF and IPv6
Authentication
Confidentiality
Authentication and Encryption Algorithms
Key Management
Replay Protection
IS-IS
IS-IS Authentication
Authentication Type 1 - Simple Password
Cryptographic Authentication
BGP-4
BGP-4 Authentication
BGP Security Futures
Summary
Review Questions
II. The Corporate Security Policy
5. Threats in an Enterprise Network
Types of Threats
Unauthorized Access
Internet Access
Reachability Checks
Port Scanning
Tapping into the Physical Wire
Remote Dial-In Access
Wireless Access
Impersonation
Denial of Service
DDoS
Motivation of Threat
Common Protocol Vulnerabilities
The TCP/IP Protocol
TCP/IP Connection Establishment
TCP/IP Sequence Number Attack
TCP/IP Session Hijacking
TCP SYN Attack
The Land.c Attack
The UDP Protocol
The ICMP Protocol
The Ping of Death
Smurf Attack
The Teardrop.c Attack
The DNS Protocol
The NNTP Protocol
The SMTP Protocol
Spam Attack
The FTP Protocol
The Remote Procedure Call (RPC) Service
The NFS/NIS Services
X Window System
Common Network Scenario Threats and Vulnerabilities
Virtual Private Networks
Unauthorized Access
Impersonation
Denial of Service
Wireless Networks
Unauthorized Access
Impersonation
Denial of Service
WEP Insecurity
Voice over IP Networks
Unauthorized Access
Impersonation
Denial of Service
SIP Application Layer Insecurity
HTTP Digest
S/MIME
Transport Layer Security (TLS)
Privacy
Routing Protocols
Social Engineering
Summary
Review Questions
6. Considerations for a Site Security Policy
Where to Begin
Risk Management
Risk Assessment
Identify Network Assets
Value of Assets
Threats and Vulnerability
Data Compromise
Loss of Data Integrity
Unavailability of Resources
Evaluating Risk
Risk Mitigation and the Cost of Security
A Security Policy Framework
Components of an Enterprise Network
Elements of a Security Architecture
Identity
Integrity
Confidentiality
Availability
Audit
Additional Considerations
Summary
Review Questions
7. Design and Implementation of the Corporate Security Policy
Physical Security Controls
Physical Network Infrastructure
Physical Media Selection
Network Topography
Physical Device Security
Physical Location
Physical Access
Environmental Safeguards
Sample Physical Security Control Policy
Logical Security Controls
Subnet Boundaries
Routing Boundaries
VLAN Boundaries
Logical Access Control
Control and Limit Secrets
Authentication Assurance
System Greeting Messages
Remember the Human Factor
Sample Logical Security Control Policy
Infrastructure and Data Integrity
Firewalls
Direction of Traffic
Traffic Origin
IP Address
Port Numbers
Authentication
Application Content
Network Services
Authenticated Data
Routing Updates
Common Attack Deterrents
Attacks Against Any Random Host Behind the Firewall
Attacks Against Exposed Services
Attacks Against Internal Client Hosts
Spoofing Attacks
Sample Infrastructure and Data Integrity Policy
Data Confidentiality
Sample Data Confidentiality Policy
Security Policy Verification and Monitoring
Vulnerability Scanners
Accounting
Secure Management
Intrusion Detection
Sample Verification and Monitoring Section
Policies and Procedures for Staff
Secure Backups
Equipment Certification
Use of Portable Tools
Audit Trails
What to Collect
Storing the Data
Legal Considerations
Sample Policies and Procedures for Staff
Security Awareness Training
Social Engineering
Summary
Review Questions
8. Incident Handling
Building an Incident Response Team
Establishing the Core Team
Detecting an Incident
Keeping Track of Important Information
Intrusion Detection Systems
Intrusion Detection Issues in Switched Networks
Network Intrusion Detection System Limitations
Handling an Incident
Prioritizing Actions
Assessing Incident Damage
Reporting and Alerting Procedures
Incident Vulnerability Mitigation
Responding to the Incident
Keep Accurate Documentation
Real-World Example Scenarios
Scenario 1: Maliciously Internal Compromised Hosts
Scenario 2: Violation of Acceptable-Use Policy
Scenario 3: Random Network Interloping
Recovering from an Incident
Summary
Review Questions
III. Practical Implementation
9. Securing the Corporate Network Infrastructure
Identity - Controlling Network Device Access
Basic Versus Privileged Access
Cisco IOS Devices
Passwords
Scalable Password Management
Multiple Privilege Levels
Cisco Switches
Cisco PIX Firewall
Multiple Privilege Levels
Line Access Controls
Cisco IOS
Console Ports
Auxiliary Ports
Virtual Terminal Ports
Cisco Switches
Cisco PIX Firewall
Password Management
SNMP Security
HTTP Security
Cisco IOS Devices
Cisco PIX Firewall
Integrity
Image Authentication
Secure Workgroup
Routing Authentication
Route Filters and Routing Believability
Data Confidentiality
Network Availability
Redundancy Features
Cisco IOS
Cisco Switches
Cisco PIX Firewall
Common Attack Deterrents
Spoofed Packets
Fragmentation Attacks
Broadcast Attacks
TCP SYN Attack
Audit
Configuration Verification
Monitoring and Logging Network Activity
Syslog Management
Intrusion Detection
Cisco IOS
PIX Firewall
Network Forensics
Implementation Examples
Summary
Review Questions
10. Securing Internet Access
Internet Access Architecture
External Screening Router Architecture
Cisco IOS Filters
Standard IP Access Control Lists
Extended Access Control Lists
Turbo Access Control Lists
Named Access Lists
Reflexive Access Lists
Advanced Firewall Architecture
Advanced Packet Session Filtering
TCP Protocol Traffic
UDP Protocol Traffic
Application Content Filtering
World Wide Web
Java Applets
URL Filtering/Blocking
E-mail and SMTP
Other Common Application Protocols
Application Authentication/Authorization
Encryption
Network Address Translation
Public Versus Private IP Addresses
NAT Functionality
Implementation Examples
Cisco IOS Firewall
Content-Based Access Control
Sample Cisco IOS Firewall Configuration
PIX Firewall
Controlling Inbound Access
Controlling Outbound Access
Cut-Thru-Proxy Feature
Advanced Features
Sample Configuration of PIX Firewall with Screening IOS Router
Summary
Review Questions
11. Securing Remote Dial-In Access
Dial-In Security Concerns
Authenticating Dial-In Users and Devices
Simple Dial-In Environments
Complex Dial-In Environments
TACACS+ and RADIUS Authentication
Defining a Method List
Linking the Method List to a Line or Interface
Authorization
TACACS+ and RADIUS Authorization
Service Types
Reverse Telnet
Authorization Methods
Sample TACACS+ Database Syntax
Accounting and Billing
TACACS+ and RADIUS Accounting
Centralized Billing
Using AAA with Specific Features
The Lock-and-Key Feature
Lock-and-Key Authentication
Lock-and-Key Operation
Lock-and-Key Examples
Double Authentication/Authorization
Automated Double Authentication
Encryption for Virtual Dial-In Environments
GRE Tunneling and CET
GRE Tunneling
Cisco Encryption Technology (CET)
IPsec
Configuring IPsec
L2TP with IPsec
Summary
Review Questions
12. Securing VPN, Wireless, and VoIP Networks
Virtual Private Networks
Identity
Authentication
What Do You Authenticate
How Do You Authenticate
Device Authentication Methods
Addressing Issues
User Authentication Methods
Application Authentication Methods
Additional Authentication Considerations
Access Control
Where Do You Provide Access Control
How Do You Provide Access Control
Integrity
Confidentiality
Availability
Audit
VPN Design Examples
Wireless Networks
Identity
Authentication
Access Control
Integrity
Confidentiality
Availability
Audit
Wireless Network Design Examples
Voice over IP Networks
Identity
Authentication
Access Control
Firewall for SIP
Tokenless Call Authentication
Binding Specific Gateway Interfaces for MGCP
Binding Specific Gateway Interfaces for SIP
Integrity
Confidentiality
Availability
Audit
VoIP Network Design References
Summary
Review Questions
IV. Appendixes
B. Reporting and Prevention Guidelines: Industrial Espionage and Network Intrusions
For Immediate Problems
Reporting Options
Conducting an Investigation
Workplace Philosophy
Written Plan
Law and the Legal Process
Computer and Network Systems
Employees
Methods of Safeguarding Proprietary Material
Document Control
Foreign/Competitor Contacts
Managers and Supervisors
Reporting Process—Rewards
Intelligence-Gathering Methods
Look for Weak Links
California State Laws
United States Code
Examples of Cases in Santa Clara County (Silicon Valley)
C. Port Numbers
E. Answers to Review Questions
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Glossary
Part III. Practical Implementation