Managing Cisco Network Security

Author: Mike Wenstrom
Pages: 789
Publisher: Cisco Press
ISBN: 1578701031

Introduction

This book presents all the topics covered in the instructor-led certification preparation course with the same name – Managing Cisco Network Security (MCNS). The goal of this book is to help readers implement Cisco supported network security technologies as well as design networks that are more secure. Does it deliver? Read on to find out.

About the author

Mike Wenstrom is an education specialist at Cisco Systems, Inc., where he designs, develops, and delivers training on Cisco’s virtual private network and network security products. Wenstrom has over 19 years of experience in many facets of technical training, having been an instructional designer, course developer, technical instructor and project manager. Wenstrom worked for Cisco Systems, Aspect Communications, Siemens, IBM, ROLM, Tymnet, NCR and the U.S. Navy.

Inside the book

The book starts with an evaluation of potential threats to an enterprise network. The author shows us that there are three primary root causes of security problems: technology weaknesses, configuration weaknesses and policy weaknesses. Wenstrom then gets into the mind of the intruder, identifying some of their motives and characteristics. When it comes to network security threat types, the author describes the following categories: reconnaissance, unauthorized access, denial of service and data manipulation.

Moving on Wenstrom writes about the evaluation of a network security policy. You’ll learn why you should create a network security policy, what it should contain and how it should be tested with a security audit. To help you understand different levels of network security policy the book contains three case studies.

What follows is a synopsis of how to configure Cisco IOS routers and Ethernet switches to protect the campus infrastructure. The author identifies the potential threats to the campus network and, of course, teaches us what can be done to mitigate them. Wenstrom also addresses the physical security of network equipment.

Since the administrative interfaces of Cisco routers, Ethernet switches and network access servers are among the prime attack points, you're going to learn how to secure them. Covered here is securing console access, using password encryption, setting multiple privilege levels, controlling Telnet access, and so on.
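To make those chapter topics concrete, here is an added IOS configuration fragment (my own example, not taken from the book) that puts the pieces together: a hashed enable secret, obfuscation of the remaining line passwords, a custom privilege level for an operator account, and console, AUX and VTY lines locked down with local login, idle timeouts and a management ACL. Usernames, secrets and the 10.1.1.0/24 management subnet are placeholders.

```cisco
! Added example, not from the book. Hosts, usernames and secrets are placeholders.
!
! Hashed (type 5) enable secret instead of a reversible "enable password"
enable secret Enabl3-S3cret
! Obfuscate any remaining plaintext passwords in the config (type 7; reversible, so
! this only protects against shoulder surfing, not against someone with the file)
service password-encryption
!
! Full administrator plus a restricted operator at a custom level
username admin privilege 15 secret Adm1n-S3cret
username netops privilege 5 secret NetOps-S3cret
! Move selected read-only commands down to level 5 for the operator
privilege exec level 5 show ip interface brief
privilege exec level 5 show ip route
privilege exec level 5 ping
!
! Only the management subnet may open a VTY session; log everything else
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any log
!
! Console: require a local username/password and time out idle sessions
line console 0
 login local
 exec-timeout 5 0
!
! AUX port: no interactive access at all
line aux 0
 no exec
 transport input none
!
! VTYs: local login, management ACL, idle timeout, Telnet only (as in the book)
line vty 0 4
 login local
 access-class 10 in
 exec-timeout 5 0
 transport input telnet
```

Two caveats a practitioner would want: `username ... secret` (MD5 hashed) needs a newer IOS than the 12.0/12.1 releases the book targets, where you would use `username ... password` and rely on `service password-encryption`; and Telnet is cleartext, so where the platform supports it, `transport input ssh` (with an RSA key pair and SSH enabled) should replace it. After applying the fragment, `show privilege` from a netops session and `show running-config | include secret` confirm the level assignment and that no plaintext secrets remain.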

As some types of router-to-router communications are vulnerable to eavesdropping, data manipulation and other attacks, Wenstrom teaches us how to secure those communications. Also presented here is a lot of information on how to configure network security features on Cisco Catalyst series Ethernet switches. At the end of this chapter you’ll find a case study on how to implement what you’ve learned so far in a hypothetical company.

What’s next is an overview of the Cisco Authentication, Authorization and Accounting (AAA) architecture. Illustrated here are access password technologies, authentication over PPP, the capabilities of the various server types, and more. The author will also teach you how to configure a Cisco Network Access Server (NAS) for AAA security. Examples are provided to help you understand the process of configuration of NAS for AAA.

Wenstrom goes forward by exploring the CiscoSecure Access Control Server (ACS) software for Windows NT and Unix. Among other things, you'll learn how to configure CiscoSecure ACS for Windows NT to perform AAA functions, and how to configure the NAS so that its AAA processes use a Terminal Access Controller Access Control System Plus (TACACS+) remote security database. The case study at the end of the chapter provides an insightful look at how things are done.

Perimeter security is the intelligent selection and deployment of networking technologies to secure the edge of a network from intruders. The author shows us how to create a security perimeter system using a Cisco router. Some of the things you’ll discover are: how to control TCP/IP services, prevent rerouting attacks, control access, protect from denial of service and more.

Now the attention turns to the Cisco IOS firewall. Wenstrom introduces its features, how to configure it and how to verify that it works properly. Explored in detail here is the Context-Based Access Control (CBAC) feature of the Cisco IOS firewall.

The following topic is the PIX firewall. We learn about its components, features and configuration options. There’s a lot of detail in this part of the book, which PIX users will appreciate. Among other things you’ll learn how to test and verify basic PIX firewall operation, configure its multiple interfaces, configure it to allow secure access from the outside, and a whole lot more. When it comes to the advanced features the author provides a lot of material – he explains how to configure a PIX firewall to protect a network even where Network Address Translation (NAT) is not needed.

Wenstrom moves on to discuss Cisco Encryption Technology (CET). Here we see how encryption works, what the alternatives to encryption are, and there's also an overview of the Cisco IOS Cryptosystem. The author shows which platforms CET runs on and how to use, implement and troubleshoot it.

At this point the book turns to an overview of IP security and the IPSec protocols available in Cisco products that are used to create a VPN. You'll learn to configure basic IPSec in Cisco IOS software using preshared keys and RSA-encrypted nonces for IKE authentication. An overview of the Cisco IOS commands used to configure IPSec is presented, as well as a description of the steps you have to go through in order to configure it.
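Here is an added example of the basic IOS IPSec configuration with preshared-key IKE authentication that this chapter walks through (my own fragment, not the book's; the 203.0.113.0/30 link, the 10.1.1.0/24 and 10.2.2.0/24 protected subnets and the key are placeholders). It shows the order the steps actually come in: IKE (ISAKMP) policy, peer key, IPSec transform set, crypto map tying peer, transform and traffic selector together, and finally applying the map to the outside interface.

```cisco
! Added example, not from the book. Addresses and the preshared key are placeholders.
!
! Step 1: IKE phase 1 policy. Protect the key exchange itself with 3DES/SHA,
! authenticate the peers with a preshared key, and use DH group 2.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Step 2: the preshared key for this peer (must match on both routers)
crypto isakmp key L0ng-Random-PSK address 203.0.113.2
!
! Step 3: IPSec (phase 2) transform set: ESP with 3DES encryption and SHA-HMAC
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
! Step 4: define the traffic that must be protected (the "interesting" traffic)
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 5: crypto map binding peer, transform set and traffic selector together
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
!
! Step 6: apply the crypto map to the outside interface
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN
```

The peer router mirrors this with the addresses and the access list swapped. To verify, send traffic that matches access list 101 and check `show crypto isakmp sa` (expect a peer entry in state QM_IDLE) and `show crypto ipsec sa` (the encaps/decaps counters for the 10.1.1.0/24 to 10.2.2.0/24 pair should climb). 3DES and DH group 2 are what the book's era supported; on current software you would pick AES and a larger group, but the structure of the configuration is the same.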

The configuration of IPSec in the PIX firewall is also covered with the explanation of the configuration steps and commands. The last chapter depicts the configuration of Cisco IPSec networks consisting of Cisco routers and PIX firewalls. Among other things Wenstrom shows us how to configure Certification Authority (CA) support so that Rivest, Shamir and Adleman (RSA) digital signatures can be used for Internet Key Exchange (IKE) authentication.

The book ends with four appendixes that offer a case study scenario, an example of a network security policy, access list configuration and answers to all the review questions presented through the book.

My 2 cents

Throughout the book, in the same fashion as all Cisco Press titles, we are presented with numerous tables, figures and examples that greatly facilitate comprehension of the presented topics. Also, at the end of each chapter you find review questions, which you can use to test your understanding of the material.

This book is an excellent guide into the world of Cisco network security. Whether you're preparing for a Cisco exam or just want to sharpen your security skills, you'll find this book to be pure gold.