Inside Network Perimeter Security, 2nd Edition
Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent, Ronald W. Ritchey
©2005 | Sams Publishing
Security professionals and administrators now have access to one of the most valuable resources for learning best practices for network perimeter security. Inside Network Perimeter Security, Second Edition is your guide to preventing network intrusions and defending against any intrusions that do manage to slip through your perimeter. This acclaimed resource has been updated to reflect changes in the security landscape, both in terms of vulnerabilities and defensive tools. Coverage also includes intrusion prevention systems and wireless security. You will work your way through fortifying the perimeter, designing a secure network, and maintaining and monitoring the security of the network. Additionally, the discussion of tools such as firewalls, virtual private networks, routers, and intrusion detection systems makes Inside Network Perimeter Security, Second Edition a valuable resource for both security professionals and GIAC Certified Firewall Analyst certification exam candidates.
Who Should Read This Book.
Why We Created This Book’s Second Edition.
Overview of the Book’s Contents.
I. THE ESSENTIALS OF NETWORK PERIMETER SECURITY.
1. Perimeter Security Fundamentals.
Terms of the Trade.
Intrusion Detection Systems.
Intrusion Prevention Systems.
Virtual Private Networks.
De-Militarized Zones and Screened Subnets.
Defense in Depth.
Components of Defense in Depth.
Case Study: Defense in Depth in Action.
2. Packet Filtering.
TCP/IP Primer: How Packet Filtering Works.
TCP and UDP Ports.
TCP’s Three-way Handshake.
The Cisco Router as a Packet Filter.
An Alternative Packet Filter: IPChains.
The Cisco ACL.
Cisco IOS Basics.
Effective Uses of Packet-Filtering Devices.
Filtering Based on Source Address: The Cisco Standard ACL.
Tracking Rejected Traffic.
Filtering by Port and Destination Address: The Cisco Extended ACL.
The Cisco Extended ACL.
Problems with Packet Filters.
Spoofing and Source Routing.
Opening a “Hole” in a Static Packet Filter.
Two-way Traffic and the established Keyword.
Protocol Problems: Extended Access Lists and FTP.
Dynamic Packet Filtering and the Reflexive Access List.
FTP Problems Revisited with the Reflexive Access List.
Reflexive ACLs with UDP and ICMP Traffic: Clearing Up DNS Issues.
Trouble in Paradise: Problems with Reflexive Access Lists.
Cisco IPv6 Access Lists.
3. Stateful Firewalls.
How a Stateful Firewall Works.
The Concept of State.
Transport and Network Protocols and State.
Application-Level Traffic and State.
Stateful Filtering and Stateful Inspection.
Stateful Firewall Product Examples.
4. Proxy Firewalls.
Fundamentals of Proxying.
Pros and Cons of Proxy Firewalls.
Advantages of Proxy Firewalls.
Disadvantages of Proxy Firewalls.
Types of Proxies.
Tools for Proxying.
Firewall Toolkit (FWTK).
5. Security Policy.
Firewalls Are Policy.
Active Policy Enforcement.
How to Develop Policy.
Communicate Your Findings.
Create or Update the Security Policy as Needed.
Determine Policy Compliance.
Sound Out the Organization’s Rules and Culture.
Elements of Policy.
Hallmarks of Good Policy.
Real-world Operations and Policy.
Rules of the Road.
II. FORTIFYING THE SECURITY PERIMETER.
6. The Role of a Router.
The Router as a Perimeter Device.
Secure Dynamic Routing.
The Router as a Security Device.
The Router as a Part of Defense in Depth.
The Router as a Lone Perimeter Security Solution.
Locking Down Administration Points.
The Console Port.
TFTP and FTP.
Configuration Management Tricks with TFTP and Scripts.
Simple Network Management Protocol.
Disable Unneeded Services.
Configure NTP and NTP Authentication.
Cisco TCP Keepalives Services.
Unicast Reverse Path Forwarding.
Internet Control Message Protocol Blocking.
Spoofing and Source Routing.
Automatic Securing and Auditing of Cisco Routers.
7. Virtual Private Networks.
Basic VPN Methodology.
Advantages and Disadvantages of VPNs.
Benefits of a VPN.
Disadvantages of VPN.
IPSec Protocol Suite.
IPSec Security Protocols AH and ESP.
IPSec Configuration Examples.
Other VPN Protocols: PPTP and L2TP.
Comparison of PPTP, L2TP, and IPSec.
PPTP and L2TP Examples.
8. Network Intrusion Detection.
Network Intrusion Detection Basics.
The Need for Intrusion Detection.
False Positives and False Negatives.
Alerting, Logging, and Reporting.
Intrusion Detection Software.
The Roles of Network IDS in a Perimeter Defense.
Detecting Attacks from Your Own Hosts.
Incident Handling and Forensics.
Complementing Other Defense Components.
IDS Sensor Placement.
Deploying Multiple Network Sensors.
Placing Sensors Near Filtering Devices.
Placing IDS Sensors on the Internal Network.
Working with Encryption.
Processing in High-traffic Situations.
Using an IDS Management Network.
Maintaining Sensor Security.
Case Study 1: Simple Network Infrastructure.
Case Study 2: Multiple External Access Points.
Case Study 3: Unrestricted Environment.
9. Host Hardening.
The Need for Host Hardening.
Removing or Disabling of Unnecessary Programs.
Controlling Network Services.
Removing Extraneous Software Components.
Limiting Access to Data and Configuration Files.
Controlling Users and Privileges.
Managing Unattended Accounts.
Protecting Administrative Accounts.
Enforcing Strong Passwords.
Controlling Group Membership.
Maintaining Host Security Logs.
Windows Logging and Auditing.
UNIX Logging and Auditing.
Additional Hardening Guidelines.
Automating Host-Hardening Steps.
Common Security Vulnerabilities.
10. Host Defense Components.
Hosts and the Perimeter.
Strengths of Antivirus Software.
Limitations of Antivirus Software.
Firewalls for Workstations.
Firewalls for Servers.
Host-Based Intrusion Detection.
The Role of Host-Based IDS.
Host-Based IDS Categories.
Challenges of Host Defense Components.
Defense Components on Compromised Hosts.
Controlling Distributed Host Defense Components.
11. Intrusion Prevention Systems.
Rapid Changes in the Marketplace.
What Is IPS?
An IPS Must Be Fast.
An IPS Must Keep State.
An IPS Must Be Accurate and Up to Date.
An IPS Must Have the Ability to Nullify an Attack.
An Excuse to Ignore Sound Practice.
An IPS Simply Buys You Time.
How Chokepoint NIPS Work.
Switch NIPS Deployment Recommendations.
Host-Based Intrusion Prevention Systems.
Real-world Defense Scenarios.
Dynamic Rule Creation for Custom Applications.
Monitoring File Integrity.
Monitoring Application Behavior.
More HIPS Challenges.
III. DESIGNING A SECURE NETWORK PERIMETER.
12. Fundamentals of Secure Perimeter Design.
Gathering Design Requirements.
Determining Which Resources to Protect.
Determining Who the Potential Attackers Are.
Defining Your Business Requirements.
Design Elements for Perimeter Security.
Firewall and Router.
Firewall and VPN.
13. Separating Resources.
A Single Subnet.
Common Design Elements.
Jumping Across VLANs.
Firewalls and VLANs.
14. Wireless Network Security.
Securing Wireless Networks.
Hardening Access Points.
Defense in Depth for Wireless Networks.
Auditing Wireless Security.
Auditing the Wireless Network Design.
Case Study: Effective Wireless Architecture.
15. Software Architecture.
Software Architecture and Network Defense.
The Importance of Software Architecture.
The Need to Evaluate Application Security.
How Software Architecture Affects Network Defense.
Firewall and Packet-Filtering Changes.
Web Services and Interapplication Communications.
Conflicts with Network Configuration.
Performance and Reliability.
Atypical Operating System.
Software Component Placement.
Administrator Access to Systems.
Applications for Internal Users Only.
Identifying Potential Software Architecture Issues.
Software Evaluation Checklist.
Sources of Application Information.
How to Handle an Unsecurable.
Network Configuration and Security.
Network Defense Design Recommendations.
Case Study: Customer Feedback System.
Case Study: Web-Based Online Billing Application.
16. VPN Integration.
Standard SSH Connections.
Secure Sockets Layer.
SSL Standard Connections.
SSL Proxy Servers.
Remote Desktop Solutions.
IPSec Client Integration.
IPSec Server Integration.
IPSec Perimeter Defense Adjustments.
Other VPN Considerations.
Proprietary VPN Implementations.
Compromised or Malicious VPN Clients.
VPN Design Case Study.
Case Study: Home Users and Multiple Applications.
17. Tuning the Design for Performance.
Performance and Security.
Understanding the Importance of Performance in Security.
Network Security Design Elements That Impact Performance.
The Performance Impacts of Network Filters.
Case Studies to Illustrate the Performance Impact of Network Security Design Elements.
Impact of Encryption.
Understanding Encryption at the Network and Transport Layers.
Using Hardware Accelerators to Improve Performance.
Case Studies to Illustrate the Performance Impact of Encryption.
Using Load Balancing to Improve Performance.
Problems with Load Balancing.
Layer 4 Dispatchers.
Layer 7 Dispatchers.
Mitigating the Effects of DoS Attacks.
18. Sample Designs.
Review of Security Design Criteria.
Case Study 1: Telecommuter Who Is Using a Broadband Connection.
Case Study 2: A Small Business That Has a Basic Internet Presence.
Case Study 3: A Small E-Commerce Site.
Case Study 4: A Complex E-Commerce Site.
IV. MAINTAINING AND MONITORING PERIMETER SECURITY.
19. Maintaining a Security Perimeter.
System and Network Monitoring.
Big Brother Fundamentals.
Establishing Monitoring Procedures.
Security Considerations for Remote Monitoring.
General Response Guidelines.
Responding to Malicious Incidents.
Automating Event Responses.
Fundamentals of Change Management.
Implementing Change-Management Controls.
20. Network Log Analysis.
The Importance of Network Log Files.
Characteristics of Log Files.
Purposes of Log Files.
Log Analysis Basics.
Getting Started with Log Analysis.
Automating Log Analysis.
Analyzing Router Logs.
Cisco Router Logs.
Other Router Logs.
Analyzing Network Firewall Logs.
Cisco PIX Logs.
Check Point FireWall-1 Logs.
Analyzing Host-Based Firewall and IDS Logs.
Norton Personal Firewall.
21. Troubleshooting Defense Components.
The Process of Troubleshooting.
Reviewing Recent Changes.
Forming a Hypothesis.
Testing the Hypothesis.
Analyzing the Results.
Repeating If Necessary.
Troubleshooting Rules of Thumb.
Make Only One Change at a Time.
Keep an Open Mind.
Get a Second Opinion.
Stay Focused on Fixing the Problem.
Don’t Implement a Fix That Further Compromises Your Security.
The Obvious Problems Are Often Overlooked.
Document, Document, Document!
The Troubleshooter’s Toolbox.
Application Layer Troubleshooting.
Other Useful Utilities.
Transport Layer Troubleshooting.
Network Layer Troubleshooting.
Link Layer Troubleshooting.
22. Assessment Techniques.
Roadmap for Assessing the Security of Your Network.
Network Service Discovery.
ISS Internet Scanner.
Verification of Perimeter Components.
Preparing for the Firewall Validation.
Verifying Access Controls.
VPNs and Reverse Proxies.
Results Analysis and Documentation.
23. Design Under Fire.
The Hacker Approach to Attacking Networks.
GIAC GCFW Student Practical Designs.
Practical Design 1.
Practical Design 2.
24. A Unified Security Perimeter: The Importance of Defense in Depth.
Castles: An Example of Defense-in-Depth Architecture.
Hard Walls and Harder Cannonballs.
Hiding in the Mist.
Defense on the Inside.
Defense in Depth with Information.
The Problem of Diffusion.
Cryptography and Defense in Depth.
Appendix A. Cisco Access List Sample Configurations.
Complete Access List for a Private-Only Network.
Complete Access List for a Screened Subnet Network That Allows Public Server Internet Access.
Example of a Router Configuration as Generated by the Cisco Auto Secure Feature.
Appendix B. Crypto 101.
Shared Key: Symmetric.
Public—Private Key: Asymmetric.
Digital Signatures and Hash Algorithms.
Stephen Northcutt is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, whitewater raft guide, chef, martial arts instructor, cartographer, and network designer. Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials, and Network Intrusion Detection, 3rd Edition. He was the original author of the Shadow Intrusion Detection System before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen currently serves as Director of the SANS Institute.
Lenny Zeltser's work in information security draws upon experience in system administration, software architecture, and business administration. Lenny has directed security efforts for several organizations, co-founded a software company, and consulted for a major financial institution. He is a senior instructor at the SANS Institute, having written and taught a course on reverse-engineering malware. Lenny is also a coauthor of books such as SANS Security Essentials and Malware: Fighting Malicious Code. He holds a number of professional certifications, including CISSP and GSE, and is an incident handler at SANS Internet Storm Center. Lenny has earned a bachelor of science in engineering degree from the University of Pennsylvania and a master in business administration degree from MIT. More information about Lenny's projects and interests is available at http://www.zeltser.com.
Scott Winters has been working in all aspects of networking and computer security for over 14 years. He has been an Instructor, Network Engineer, and Systems Administrator and is currently employed as a Senior Consultant for Unisys at the Commonwealth of Pennsylvania Enterprise Server Farm. He has SANS GIAC Firewalls and Incident Handling certifications, as well as MCSE, CNE, Cisco CCNP, CCDP, and other industry certifications. Other accomplishments include authoring and editing of SANS GIAC Training and Certification course content, as well as exam content. He was a primary author of the first edition of Inside Network Perimeter Security and a contributing author for SANS Security Essentials with CISSP CBK. He has also been involved in the SANS GIAC Mentoring program and has served on the SANS GCFW Advisory Board.
Karen Kent is an Associate with Booz Allen Hamilton, where she provides guidance to Federal agencies on a broad range of information assurance concerns, including incident handling, intrusion detection, VPNs, log monitoring, and host security. Karen has earned a bachelor's degree in computer science from the University of Wisconsin-Parkside and a master's degree in computer science from the University of Idaho. She holds the CISSP certification and four SANS GIAC certifications. Karen has contributed to several books, including Intrusion Signatures and Analysis, published numerous articles on security, and coauthored several publications for the National Institute of Standards and Technology (NIST), including NIST Special Publication 800-61: Computer Security Incident Handling Guide.
Ronald W. Ritchey has an active interest in secure network design and network intrusion techniques. He gets to exercise this interest regularly by conducting penetration testing efforts for Booz Allen Hamilton, where he has had the opportunity to learn firsthand the real-world impact of network vulnerabilities. He is also an active researcher in the field with peer-reviewed publications in the area of automated network security analysis. Ronald has authored courses on computer security that have been taught across the country, and he periodically teaches graduate-level courses on computer security. Ronald holds a master's degree in computer science from George Mason University and is currently pursuing his Ph.D. in information technology at its School of Information Technology and Engineering. His doctoral research involves automating network security analysis.
About the Technical Editors
Todd Chapman has 10+ years of experience delivering IT services as varied as systems management, security, networking, clustering, Perl programming, and corporate development and training. Currently, Todd is a consultant for gedas USA, Inc., in Auburn Hills, Michigan, where he provides security consulting services for Volkswagen/Audi of America. For the last three years Todd has been an active member of the SANS GCFW advisory board and has written SANS certification exam questions in a number of disciplines. Todd's certifications include Red Hat Certified Engineer (RHCE), Microsoft Certified Systems Engineer (MCSE), GIAC Certified Firewall Analyst (GCFW), GIAC Certified Intrusion Analyst (GCIA), and GIAC Systems and Network Auditor (GSNA).
Anton Chuvakin, Ph.D., GCIA, GCIH, is a Security Strategist with netForensics, a security information management company, where he is involved with designing the product, researching potential new security features, and advancing the security roadmap. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, and more. He is the author of the book Security Warrior (O'Reilly, January 2004) and a contributor to "Know Your Enemy II" by the Honeynet Project (AWL, June 2004) and "Information Security Management Handbook" (CRC, April 2004). In his spare time he maintains his security portal website, http://www.info-secure.org.
Dan Goldberg recently created MADJiC Consulting, Inc., to provide network design and architecture reviews, intrusion detection and response, and vulnerability assessments in Central Virginia. He also works on research and writing projects for the SANS Institute and as technical director for Global Information Assurance Certification (GIAC). When not occupied by these activities, you may find him riding a mountain bike in the Blue Ridge Mountains.
John Spangler is a freelance Network Systems Engineer. Having over 10 years of experience, he has worked on everything from small office systems to large enterprise and ISP networks. John has worked as a technical editor for Cisco certification manuals.