Managing Cisco Network Security
eBook (ePub), 752 pages, English

About This Book

An in-depth knowledge of how to configure Cisco IP network security is a MUST for anyone working in today's internetworked world

"There's no question that attacks on enterprise networks are increasing in frequency and sophistication..." -Mike Fuhrman, Cisco Systems Manager, Security Consulting

Managing Cisco Network Security, Second Edition offers updated and revised information covering many of Cisco's security products that provide protection from threats, detection of network security incidents, measurement of vulnerability and policy compliance, and management of security policy across an extended organization. These are the tools network administrators have to mount defenses against threats. Chapters also cover the improved functionality and ease of use of the Cisco Secure Policy Manager software used by thousands of small-to-midsized businesses, and a special section covers the Cisco Aironet Wireless Security Solutions.

  • Security from a real-world perspective
  • Key coverage of the new technologies offered by Cisco, including the 500 series Cisco PIX Firewall, the Cisco Intrusion Detection System, and the Cisco Secure Scanner
  • Revised edition of a text popular with CCIP (Cisco Certified Internetwork Professional) students
  • Expanded to include separate chapters on each of the security products offered by Cisco Systems

Information

Publisher: Syngress
Year: 2002
ISBN: 9780080479057
Edition: 2

Chapter 1

Introduction to IP Network Security

Introduction

This book is intended to help people implement IP network security in a Cisco environment. It will provide the language, architectural framework, technical insight, technical configuration, and practical advice to ensure best practice security implementation. Successfully digesting the material presented in this book will allow you to protect your environment and client services using a wide array of Cisco security technologies and equipment.

What Role Does Security Play in a Network?

This book is about IP network security. Though you probably already know something about networking, we'll go over some of the language to be sure we are all working from the same concepts. Let's begin by discussing what we are trying to accomplish with IP network security.

Goals

The goals of security usually boil down to three things, represented by the acronym CIA:
  • Confidentiality: Confidentiality protects sensitive information from unauthorized disclosure or intelligible interception. Information should only be seen by the intended parties in a conversation, not by eavesdroppers.
  • Integrity: Integrity ensures that information or software is complete, accurate, and authentic (in other words, it isn't altered without authorization). We want to ensure mechanisms are in place to protect against accidental or malicious changes, and may wish to produce documented trails of which communications have occurred.
  • Availability: Availability ensures that information and services are accessible and functional when needed and authorized. There is a related concept of trust. The formal definition of trust concerns the extent to which someone who relies on a system can have confidence that the system meets its specifications (that is, the system does what it claims to do and does not perform unwanted functions).
Different systems and businesses will place differing levels of importance on each of these three characteristics. For example, while Internet service providers (ISPs) may be concerned with confidentiality and integrity, they will be more concerned with protecting availability for their customers. The military, by contrast, places more emphasis on confidentiality, with its system of classifications of information, and the clearances for people who need to access it. Most businesses must be concerned with all three elements, but will be concerned primarily with the integrity of their data.

Confidentiality

Confidentiality protects sensitive information from unauthorized disclosure or intelligible interception. Cryptography and access control are used to protect confidentiality. The effort applied to protecting confidentiality depends on the sensitivity of the information and the likelihood of it being observed or intercepted.
Damage & Defense…
Cleartext Passwords
Passing passwords that permit administrative access to systems in cleartext is a severe security risk. Use access control mechanisms and, where possible, encrypted management channels (such as SSH) to communicate with infrastructure devices. Many Cisco devices will support SSH with a modern image.
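As an added example (not code from the book), the audit below reads a Cisco IOS running-config and flags the cleartext exposures the sidebar warns about: vty lines that still accept telnet, no SSH version 2, and credentials stored with `enable password` or `username ... password` rather than `secret`. Both configurations are constructed for illustration, and the IOS default for `transport input` when none is configured varies by release, so the script treats a missing line as something to verify rather than assuming a value.

```python
"""Audit a Cisco IOS running-config for cleartext-credential exposure.

Added example, not from the book. Flags management paths that carry
passwords in the clear (telnet on vty lines, SSHv2 not enabled) and
password storage that is cleartext or reversibly encoded (type 0/7).
Both configurations below are constructed for illustration.
"""
import re

# Constructed, deliberately weak configuration (not from a real device).
WEAK_CONFIG = """\
hostname edge-rtr
no service password-encryption
enable password cisco123
username admin password 0 letmein
username ops secret 5 $1$abcd$0123456789abcdefghijkl
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
"""

# The same device with the fixes applied (also constructed).
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $1$abcd$0123456789abcdefghijkl
username admin secret 5 $1$abcd$0123456789abcdefghijkl
ip domain-name example.net
ip ssh version 2
!
line vty 0 15
 transport input ssh
 login local
!
"""


def line_blocks(config):
    """Return (line-mode command, [indented child commands]) for each 'line ...' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # any top-level command or '!' ends the block
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    lines = config.splitlines()
    if "no service password-encryption" in lines:
        findings.append("password-encryption disabled: type 0 passwords are stored in cleartext")
    if re.search(r"^enable password ", config, re.M):
        findings.append("'enable password' in use (cleartext or type 7); replace with 'enable secret'")
    for m in re.finditer(r"^username (\S+) password ", config, re.M):
        findings.append(f"user '{m.group(1)}' stored with 'password'; use 'username {m.group(1)} secret'")
    if "ip ssh version 2" not in lines:
        findings.append("'ip ssh version 2' not configured; restrict the SSH server to version 2")
    for name, cmds in line_blocks(config):
        if not name.startswith("line vty"):
            continue
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
        if not transports:
            # ASSUMPTION: the default transport set varies by IOS release; report it as unverified.
            findings.append(f"{name}: no 'transport input'; verify the release default and set 'transport input ssh'")
            continue
        allowed = transports[-1]  # last one wins, as on the device
        if "telnet" in allowed or "all" in allowed:
            findings.append(f"{name}: telnet permitted ({' '.join(allowed)}); set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"[{label}] {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against a saved `show running-config`, the weak configuration produces five findings and the hardened one none. The hardened configuration also needs an RSA host key (`crypto key generate rsa`), which in turn requires the hostname and `ip domain-name`; the script does not check for the key because it does not appear in the running-config text.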
Network encryption can be applied at any level in the protocol stack. Applications can provide end-to-end encryption, but each application must be adapted to provide this service. Encryption at the transport layer (SSL/TLS) is used frequently today. Virtual private networks (VPNs) can be used to establish secure channels of communication between two sites or between an end user and a site. (VPNs are covered in more detail in Chapter 8.) Encryption can be used at the OSI data-link layer, but doesn't scale easily; every networking device in the communication pathway would have to participate in the encryption scheme. Data-link layer encryption is making a comeback in the area of wireless security, such as in IEEE 802.11. Physical security, meanwhile, is used to prevent unauthorized access to network ports or equipment rooms. One of the risks at the physical level is violation of access control through the attachment of promiscuous packet capture devices to the network, particularly with the widespread use of open source tools such as Ethereal (www.ethereal.com; since renamed Wireshark) and tcpdump (www.tcpdump.org) that permit nearly any host to become a packet decoder.

Integrity

Integrity ensures that information or software is complete, accurate, and authentic. We want to keep unauthorized people or processes from making any changes to the system, and keep authorized users from making changes that exceed their authority. These changes may be intentional or unintentional, and similar mechanisms can protect a system from both.
For network integrity, we need to ensure that the message received is the same message that was sent: the content must be complete and unmodified, and the link must be between valid source and destination nodes. Connection integrity can be provided by cryptography and routing control. Simple integrity checks that detect incidental changes, such as summing the 16-bit words of a header and carrying the result in a checksum field, are used in everyday IP flows; they catch transmission errors but not a deliberate change, because anyone who alters the packet can recompute the checksum. More robust approaches combine a hash function such as message digest 5 (MD5) or the secure hash algorithm (SHA) with a secret key shared by the two endpoints (a keyed hash, or HMAC, which is what IPsec uses for its integrity check value); an attacker who alters the message cannot produce the matching value without the key. An unkeyed hash simply appended to the message would not help, for the same reason the checksum does not. Note that MD5 and SHA-1 are no longer considered collision resistant; new designs should use the SHA-2 family.
For host integrity, cryptography can also come to the rescue. Using a secure hash can identify whether an unauthorized change has occurred. However, of fundamental importance are careful use of audit trails to determine what changed, when the change occurred, and who made the change. Sound security design includes a centralized log server, and policy and procedure around safe handling of audit data.
Integrity also extends to the software images for network devices that are transporting data. The images must be verified as authentic and not modified or corrupted. Just as a transported IP packet has a checksum to verify it wasn't accidentally damaged in transit, Cisco provides a checksum for IOS images. When copying an image into flash memory, verify that the checksum of the bundled image matches the checksum listed in the README file that comes with the upgrade. Bear in mind that a checksum detects accidental corruption only; to detect a tampered image, compare a cryptographic digest (Cisco publishes an MD5 for IOS images, and IOS can compute one with verify /md5) against a value obtained from Cisco directly rather than from the same place the image came from.
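The distinction the two preceding paragraphs draw (a checksum catches accidental damage, a keyed digest catches deliberate tampering, and an image is accepted only when its digest matches the published one), carried through in working code as an added example that is not from the book. The checksum is the RFC 1071 one's-complement sum that IP, TCP and UDP headers carry; the keyed digest is HMAC-SHA-256, standing in for the HMAC IPsec uses; the messages, key and image bytes are constructed, and the assumption that the vendor publishes both an MD5 and a SHA-256 digest for the image is the example's own.

```python
"""Checksum versus keyed digest, and image verification.

Added example, not from the book. Shows that a plain checksum (or an
unkeyed hash) can be recomputed by whoever alters the message, while an
HMAC keyed with a secret shared by the endpoints cannot. verify_image()
applies the same compare-against-published-digest step to a software image.
All messages, keys and image bytes are constructed for illustration.
"""
import hashlib
import hmac
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, complemented (odd byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(msg: bytes, cksum: int) -> bool:
    return internet_checksum(msg) == cksum


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the position of the first mismatching byte via timing.
    return hmac.compare_digest(hmac_tag(key, msg), tag)


def verify_image(image: bytes, published_md5: str, published_sha256: str) -> bool:
    """Accept the image only if both published digests match (assumes both are published)."""
    md5_ok = hmac.compare_digest(hashlib.md5(image).hexdigest(), published_md5)
    sha_ok = hmac.compare_digest(hashlib.sha256(image).hexdigest(), published_sha256)
    return md5_ok and sha_ok


def demo():
    """Returns (accident_caught, forgery_accepted_by_checksum, forgery_rejected_by_hmac)."""
    original = b"transfer 100.00 to account 1234"   # constructed message
    tampered = b"transfer 999.00 to account 6789"   # attacker's edit
    ck = internet_checksum(original)

    # A single bit flipped in transit: the checksum no longer matches.
    flipped = bytes([original[0] ^ 0x01]) + original[1:]
    accident_caught = not checksum_ok(flipped, ck)

    # The attacker edits the message and recomputes the checksum: the receiver accepts it.
    forgery_accepted = checksum_ok(tampered, internet_checksum(tampered))

    # With an HMAC the attacker lacks the key, so no valid tag exists for the tampered message.
    key = b"constructed-shared-secret"
    tag = hmac_tag(key, original)
    forgery_rejected = hmac_ok(key, original, tag) and not hmac_ok(key, tampered, tag)
    return accident_caught, forgery_accepted, forgery_rejected


def demo_image():
    """Returns (good_image_accepted, corrupted_image_rejected)."""
    good = b"\x7fELF constructed-ios-image-bytes" * 16          # constructed stand-in image
    published = (hashlib.md5(good).hexdigest(), hashlib.sha256(good).hexdigest())
    corrupted = good[:10] + b"\x00" + good[11:]                  # one byte changed
    return verify_image(good, *published), not verify_image(corrupted, *published)


if __name__ == "__main__":
    print("checksum/HMAC (accident caught, forgery accepted, forgery rejected):", demo())
    print("image (good accepted, corrupted rejected):", demo_image())
```

On the device itself, `verify /md5 flash:<image> <published-md5>` does the MD5 comparison for you; the point the code makes is that the digest you compare against must come from a source independent of the download, otherwise a tampered image ships with a matching tampered digest.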

Availability

Availability ensures that information and services are accessible and functional when needed. Redundancy, fault tolerance, reliability, failover, backups, recovery, resilience, and load balancing are the network design concepts used to assure availability. If systems aren't available, then integrity and confidentiality won't matter. Build networks that provide high availability.
Your customers or end users will perceive availability as a property of the entire system: application, servers, network, and workstation. If they can't run their applications, then the system is not available. To provide high availability, ensure that security processes are reliable and responsive. Modular systems and software, including security systems, need to be interoperable.
Denial of service (DoS) attacks are aimed at crippling the availability of networks and servers, and can create severe losses for organizations. In February 2000, large Web sites such as Yahoo!, eBay, Amazon, CNN, ZDNet, E*Trade, Excite, and Buy.com were knocked offline or had their availability reduced to about 10 percent for many hours by distributed denial of service (DDoS) attacks. The attacks were not particularly sophisticated (they were launched by a teenager), but they were disastrously effective.
Note
Having a good inventory and documentation of your network is important for day-to-day operations, but in a disaster, you can't depend on having it available. Business Continuity/Disaster Recovery is an important aspect of security design. Store the configurations and software images of network devices offsite with your backups from servers, and keep them up to date. Include documentation about the architecture of your network. All of this documentation should be available in printed form because electronic versions may be unavailable or difficult to locate in an emergency. Such information will save valuable time in a crisis.
Cisco makes many products designed for high hardware availability. These devices are characterized by a long mean time between failure (MTBF) with redundant power supplies, and hot-swap...

Table of contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright page
  5. Acknowledgments
  6. Contributors
  7. Technical Reviewer
  8. Technical Editor
  9. Foreword
  10. Chapter 1: Introduction to IP Network Security
  11. Chapter 2: What Are We Trying to Prevent?
  12. Chapter 3: Cisco PIX Firewall
  13. Chapter 4: Traffic Filtering in the Cisco Internetwork Operating System
  14. Chapter 5: Network Address Translation/Port Address Translation
  15. Chapter 6: Cryptography
  16. Chapter 7: Cisco LocalDirector and DistributedDirector
  17. Chapter 8: Virtual Private Networks and Remote Access
  18. Chapter 9: Cisco Authentication, Authorization, and Accounting Mechanisms
  19. Chapter 10: Cisco Content Services Switch
  20. Chapter 11: Cisco Secure Scanner
  21. Chapter 12: Cisco Secure Policy Manager
  22. Chapter 13: Intrusion Detection
  23. Chapter 14: Network Security Management
  24. Chapter 15: Looking Ahead: Cisco Wireless Security
  25. Index