Designing Network Security 2/e
Author: Merike Kaeo
Publisher: Cisco Press
Available for download is chapter 5 entitled “Threats in an Enterprise Network”.
“Designing Network Security” is a comprehensive guide which will help you understand the fundamentals of securing your network infrastructure. Beside theoretical knowledge, the book contains a large number of practical implementations examples so it’s helpful for designing and maintaining security services for corporate network infrastructure. This book is part of the Networking Technology Series from Cisco press.
About the author
Merike Kaeo is a consultant focusing primarily on security-related products and network design solutions. From 1993 to 2000, Merike was employed by Cisco Systems where she worked primarily on technical issues relating to router performance, network routing protocols, network design, and network security. She was a lead member of the Cisco security initiative, has acted as a technical advisor for security start-up companies, and has been an instructor and speaker at a variety of security-related conferences.
Inside the book
The book is organized into four parts. Part one explains security fundamentals, part two focuses on how to create security policy, part three explains practical implementation, and part four includes five appendixes.
The book starts with basic cryptography concepts and in the first chapter three basic cryptographic functions are explored. All of the functions are described and demonstrated through simple figures so you can be able to ensure authentication, integrity and confidentiality of corporate data. Beside encryption, authentication and authorization are discussed followed by key management and the significance of humans in this process – we naturally always represent a weakness.
The author continues by writing about security technologies commonly used to establish identity, secure network access and data transport. Here you get a basic understanding of how they can be implemented in corporate networks. The described technologies are grouped as follows: identity technologies, application layer security protocols, transport layer security protocols, network layer security, link-layer security technologies, the public key infrastructure and distribution models. Through these groups, many security related technologies are detailed and security protocols are described with their strengths and weaknesses.
The most important thing for a great number of companies these days is to have dedicated, secure communications while using VPNs, WLANs, and VoIP networks. This is why the following part of the book explains the way to apply security to real networks. Kaeo discusses specific network scenarios and protocols that provide effective security services.
What follows is an introduction to the routing protocols used in deploying IP routing architectures: RIP, EIGRP, OSPF, IS-IS, and BGP. The author starts with routing basics and routing protocol security, and then moves on to some explicit details on configurable security provisions built in to each of the protocols. Kaeo explains the authentication process for each protocol whether it’s a plaintext password or a cryptographic authentication scheme.
Every corporation has a problem to solve – threats in an enterprise network. In chapter five Kaeo discusses three types of threats: unauthorized access, impersonation, and Denial of Service. Each one is presented through some theory and sketched within specific networking scenarios pertaining to VPN, WLAN, and VoIP networks.
Creating a corporate security policy should be one of the most important tasks for every corporation. Thereby the nature of business processes should dictate the security policy. Chapter six brings the way which can be a sample of how to start the process of defining a corporate security policy. For a start it’s necessary to determine appropriate security measures which present a part of risk management. Kaeo details the process which will result with a security policy and will include security services of identity, integrity, confidentiality, availability and auditing.
When the process of assets identification and classification has been cleared, the next step is to design and implement the corporate security policy. You learn which areas must be considered before designing the security policy. Beside theoretical descriptions of needed areas, Kaeo also includes a sample security policy for each one of them. The whole process of implementing the policy ends with an emphasis on employees training where you see why security awareness is crucial.
Just the existence of a security policy isn’t enough. Every corporation must build an incident response team. The author shows you how to deal with security incidents, how to determine whether some suspicious system or user behavior is an incident, how to restore control of the system and assure that the business process is not interrupted.
The following chapter explains how to secure the network infrastructure by using equipment provided by Cisco. The content can be seen as some sort of matrix which illustrates sample configurations for Cisco IOS routers, switches, and the PIX firewall to incorporate identity, integrity, data confidentiality, network availability, and audit as the elements of the security architecture. Some of these elements are detailed and some are briefly described.
Another practical implementation of security brought forward in this book is how to secure Internet access. The general architecture for securing Internet access is followed by two implementation scenarios whose intention is to present a practical design and configuration of a Cisco IOS Firewall and a PIX Firewall.
Furthermore, many corporation permits remote access environments. This includes VPN networks, wireless networks and dial-in connections. Kaeo brings you the knowledge on how to secure the remote dial-in access. It also includes establishing proper authentication and authorization. These two processes are shown through examples of configuration of the corporate access router, and branch routers. Authorization methods are also described. A good example of remote branch offices attempting to gain access to resources in the main corporate network is given, so you can learn how to configure a home gateway router and a remote branch router.
After a few security technologies described in previous chapters, the last chapter provides comprehensive examples for securing VPN, WLAN, and VoIP networks. Each of these network types is described encompassing identity, integrity, confidentiality, availability, and audit.
As the last part of the book, five appendixes are brought. Those are sources of technical information (A), reporting and prevention guidelines (B), port numbers from IANA (C), mitigating distributed DoS attacks (D), and answers to review questions (E).
Starting with basic security knowledge, followed by the architecture and implementation of a security policy, enlarged with the use of specific configuration examples and finished with a few appendixes, this book presents a good practical guide for designing network security.
A multitude of security technologies have been discussed. All of the presented is in function to identity, integrity, data confidentiality, network availability, and audit as the elements of security architecture. A great part of the book brings a practical implementation and configuration of Cisco products, but some of these examples can be used with products by other vendors.
Every chapter ends with a review questions so the reader of this book can verify the level of understanding the content. This is a great addition and together with the appendix containing the answers it creates a simple, but good knowledge base.