Mission Critical Internet Security, Syngress


“Finally, a truly useful guide to Internet security. A must read for
anyone responsible for protecting their network.”
—Mike Flannagan, Network Consulting Engineer
Cisco Systems, Inc

Technical Editor and Contributor

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in San Antonio, TX. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force. While in the Air Force, Stace was heavily involved in installing, troubleshooting, and protecting long-haul circuits, ensuring the appropriate level of cryptography necessary to protect the level of information traversing the circuit, as well as protecting the circuits from TEMPEST hazards. This included American equipment as well as equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO). Stace has been an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored or served as the Technical Editor for over 30 books published by Osborne/McGraw-Hill, Syngress Publishing, and Microsoft Press. He has also written articles for “Internet Security Advisor” magazine. His wife Martha and daughter Marissa have been very supportive of the time he spends with the computers, routers, and firewalls in the “lab” of their house.

Contents
Chapter 1 Securing Your Internetwork
Introduction to Internetworking Security 2
Why the Change of Heart Toward Network Security? 2
Differentiating Security Models and Attacks 3
Hackers and Attack Types 5
What Do Hackers Do? 5
Attack Types 6
Types of Defenses 8
Education 8
Application Security 8
Physical Security 9
Firewalls, Proxy Servers, and NAT 9
Designing a Site Scenario 11
Ensuring Host Security 13
Characteristics of Network Security 15
Availability 16
Integrity 17
Confidentiality 17
Customizing Access Control 18
Authentication 19
Authorization 20
Accounting 21
Network Communication in TCP/IP 21
Application Layer 23
Transport Layer 23
TCP 23
TCP Connection 25
UDP 26
Internet Layer 27
IP 27
ICMP 27
ARP 28
Network Layer 28
Security in TCP/IP 28
Cryptography 29
Symmetric Cryptography 29
Asymmetric Cryptography 30
Hash Function 31
Public Key Certificates 31
Application Layer Security 32
Pretty Good Privacy (PGP) 32
Secure Hypertext Transport Protocol (S-HTTP) 32
Transport Layer Security 33
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 33
Secure Shell (SSH) 33
Filtering 34
Network Layer Security 34
IP Security Protocols (IPSec) 34
Filtering (Access Control Lists) 36
Data-Link Layer Security 37
Authentication 37
Terminal Access Controller Access System Plus (TACACS+) 37
Remote Dial-In User Service (RADIUS) 38
Kerberos 38
Summary 39
FAQs 40
Chapter 2 Internetwork Security Concepts
Introduction 44
User Authentication Methods 45
Encryption 46
Authentication Methods 48
Authentication Pitfalls 49
Social Engineering 49
Password Management 51
Proxy Server Functionality 51
When Would You Need a Proxy Server? 55
Best-Selling Proxy Servers 55
Pros and Cons of Proxy Servers 58
Firewall Functionality 58
When Do You Need a Firewall? 60
Best-Selling Firewalls 61
Pros and Cons of Firewalls 64
Setting Up a Demilitarized Zone (DMZ) 64
Dead Zones and Protocol Switching 65
Implementing Port and Packet Filtering 66
Design Pitfalls 68
Design Scenario 69
Design Scenario Solution 69
Summary 70
FAQs 71
Chapter 3 IPSec
Introduction 74
Comparing IPv4 and IPv6 75
An IPv4 Overview 75
IP Addressing 75
IPv4 Header 76
An IPv6 Overview 78
Expanded Addressing 79
Simplified Header 80
Improved Support for Extension and Option 81
Flow and Flow Labeling 81
IPv6 Header 82
Pros and Cons 83
Security Association (SA) 84
SA Functionality 85
Concentrated ISAKMP 87
Authentication Header (AH) 89
Authentication Header Format 90
Understanding the ICV 91
Packet Processing 92
Encapsulating Security Payload (ESP) 93
ESP Header Placement 95
ESP Encryption and Authentication 95
Practical Usage 98
External VPNs 98
Internal VPNs 99
IPSec Security Issues 99
The Encryption Starts Here 99
Who’s Knocking? 100
He Sent Us What? 101
Who Has the Certificate? 101
Summary 102
FAQs 102
Chapter 4 Internet Security Applications
Introduction 106
Integration of Internet Security Applications 106
Security Concerns 107
Security Services 108
Cryptography 108
Keys 109
Secret Key Cryptography 109
Public Key Cryptography 109
Key Management and the Key Distribution Problem 110
Hash Functions 111
Key Length 111
Using Digital Signatures 112
How Does a Digital Signature Add Security? 113
Potential Security Risks with Digital Signatures 113
Acquiring Digital Certificates 114
The X.509 Standard 114
Certificate Authority (CA) and Public Key Infrastructure (PKI) 116
How to Acquire a Digital Certificate 116
Potential Security Risks with Digital Certificates 117
Understanding SSL 118
How SSL Is Related to HTTP 119
How Does SSL Work? 120
Performance Issues with SSL 122
Potential Security Risks with SSL 123
Understanding SSH 125
Authentication and General Use 127
SSH1 128
SSH2 128
Encryption Algorithms Used 129
What SSH Can and Can’t Protect You From 129
Potential Security Risks with SSH 130
Understanding PGP 131
Using PGP 132
The Web of Trust 133
Potential Security Risks with PGP 134
Understanding S/MIME 135
Additions to MIME 136
How S/MIME Works 137
Potential Security Risks with S/MIME 138
Understanding Kerberos 138
Kerberos Components 139
How Kerberos Works 139
Comparing Kerberos and Windows 2000 141
Potential Security Risks with Kerberos 142
Summary 143
FAQs 144
Chapter 5 Attacks That Await Your Network
Introduction 148
Types of Attacks 148
Poor Network Perimeter/Device Security 149
Network Sniffers 149
Scanner Programs 150
Network Topology 151
Unattended Modems 151
Poor Physical Security 152
Application and Operating Software Weaknesses 152
Software Bugs 152
Web Server/Browser-Based Attacks 152
Getting Passwords: Easy Ways and Cracking Programs 153
Human Failure 154
Poorly Configured Systems 154
Leakage of Information 154
Malicious Users 155
Weaknesses in the IP Suite of Protocols 155
Layer 7 Attacks 159
Layer 5 Attacks 161
Layer 3/4 Attacks 162
Specific Attacks and How to Protect Yourself from Them 169
Back Orifice and NetBus 170
Protection 170
Melissa, Love Letter, and Life Stages 170
Protection 171
The World of Intrusion Detection 172
Why Was it Developed? 172
What Intrusion Detection Can Do for You 172
Network IDS 172
Host IDS 174
What Can’t IDSs Do? 175
Deploying in a Network 175
Network Vulnerability Analysis Tools 177
Intrusion Detection Packages 177
ICEpac Security Suite 177
Cisco Secure Intrusion Detection System (Secure IDS) 178
The Sensor 179
The Director 179
The Post Office 180
General Operation 182
Cisco IOS Firewall Intrusion Detection System 183
Cisco Secure Integrated Software (Firewall Feature Set) 184
CBAC (Context-based Access Control) 185
CyberCOP Intrusion Detection Package 185
Summary 186
FAQs 187
Chapter 6 Microsoft RAS and VPN for Windows 2000
Introduction 190
What’s New in Windows 2000 191
Problems and Limitations 193
What Is the Same? 195
Windows 2000 Distributed Security Services 197
Active Directory and Security 198
Advantages of Active Directory Account Management 199
Managing Security via Object Properties 201
Managing Security via Group Memberships 202
Active Directory Object Permissions 203
Relationship between Directory and Security Services 207
Domain Trust Relationships 208
The Great Link: Kerberos Trusts between Domains 209
Extensible Authentication Protocol (EAP) 211
Remote Authentication Dial-in User Service (RADIUS) 211
Internet Protocol Security (IPSec) 212
Building an IPSec Policy 212
Building an IPSec MMC Console 213
Security Policies 215
Rules 216
Walkthrough 218
Set Up IPSec Conversation between Two Computers 218
Enabling Auditing of Logons 219
Create a Custom IPSec Policy 220
Configuring Microsoft RAS and VPN for Windows 2000 226
Tunneling Basics 226
VPN Definitions and Terminology 226
How Tunneling Works 229
IP Addressing 230
Security Issues Pertaining to VPNs 230
Encapsulation 231
User Authentication 231
Data Security 231
Windows 2000 Security Options 232
Common Uses of VPNs 235
Remote User Access over the Internet 235
Connecting Networks over the Internet 236
Sharing a Remote Access VPN Connection 237
Using a Router-to-Router Connection 237
Connecting Computers over an Intranet 239
Tunneling Protocols and the Basic Tunneling Requirements 240
Windows 2000 Tunneling Protocols 240
Point-to-Point Tunneling Protocol (PPTP) 240
Layer 2 Tunneling Protocol (L2TP) 241
Using PPTP with Windows 2000 241
How to Configure a PPTP Device 242
Using L2TP with Windows 2000 243
How to Configure L2TP 243
How L2TP Security Differs from that of PPTP 247
Interoperability with Non-Microsoft VPN Clients 248
Possible Security Risks 248
Summary 249
FAQs 249
Chapter 7 Securing Your Network with Microsoft Proxy Server 2.0
Introduction 254
Components of Microsoft Proxy Server 2.0 254
Web Proxy Service 254
Winsock Proxy Service 256
SOCKS Proxy Service 257
Reverse Proxy 257
Reverse Hosting 257
Setting Up Proxy Server 2.0 258
Access Control 269
Authentication Types 270
MS Proxy Client Setup 271
Enabling Reverse Proxy 274
Troubleshooting Proxy Server 2.0 275
Alerts 278
Monitoring and Performance 279
Transaction Log Files 281
Applications 282
Distributed Caching 282
Demilitarized Zone (DMZ) 284
Reverse Proxy 284
Security Issues 285
Microsoft IIS Security 286
Proper LAT Configuration 286
Microsoft Security Bulletins 286
Configuration Lab 287
Problem 287
Solution 287
Real-World Problems and Work-Arounds 288
Summary 291
FAQs 292
Chapter 8 Traffic Filtering on Cisco IOS
Introduction 296
Access Lists 296
Access List Operation 298
Types of Access Lists 300
Standard IP Access Lists 301
Source Address and Wildcard Mask 303
Keywords any and host 306
Keyword log 306
Access Lists 307
Extended IP Access Lists 308
Protocol 311
Source Address and Wildcard Mask 312
Destination Address and Wildcard Mask 312
Source and Destination Port Number 312
The Established Option 313
Named Access Lists 317
Editing Access Lists 317
Problems with Access Lists 319
Lock and Key Access Lists 320
Reflexive Access Lists 326
Building Reflexive Access Lists 328
Applying Reflexive Access Lists 331
Reflexive Access List Example 331
The Control-Based Access Control Process 335
Configuring Control-Based Access Control 335
Inspection Rules 338
Applying the Inspection Rule 338
Configuring Port to Application Mapping 340
Configuring PAM 340
Protecting a Private Network 341
Protecting a Network Connected to the Internet 341
Protecting Server Access Using Lock and Key 342
Protecting Public Servers Connected to the Internet 342
Summary 343
FAQs 344
Chapter 9 Configuring and Securing the Cisco PIX Firewall
Introduction 346
Overview of the Security Features 347
Differences between IOS 4.x and 5.x 351
Initial Configuration 353
Installing the PIX Software 354
Basic Configuration 354
Installing the IOS over TFTP 357
Command Line Interface 359
IP Configuration 361
IP Address 361
Configuring NAT and NAPT 364
Security Policy Configuration 368
Security Strategies 368
Deny Everything That Is Not Explicitly Permitted 369
Allow Everything That Is Not Explicitly Denied 369
Identify the Resources to Protect 370
Demilitarized Zone (DMZ) 371
Identify the Security Services to Implement 373
Authentication and Authorization 373
Access Control 373
Confidentiality 374
URL, ActiveX, and Java Filtering 374
Implementing the Network Security Policy 375
Authentication Configuration in PIX 375
Access Control Configuration in PIX 377
Securing Resources 379
URL, ActiveX, and Java Filtering 381
PIX Configuration Examples 384
Protecting a Private Network 384
Protecting a Network Connected to the Internet 385
Protecting Server Access Using Authentication 388
Protecting Public Servers Connected to the Internet 389
Securing and Maintaining the PIX 395
System Journaling 395
Securing the PIX 397
Summary 399
FAQs 399
Chapter 10 Axent Technologies Raptor Firewall 6.5
Introduction 402
Configuring Axent Raptor Firewall 6.5 402
Installing Raptor Firewall 6.5 403
Configuring Raptor Firewall 6.5 407
QuickStart Configuration Wizard 408
SMTP Configuration Wizard 412
DNS Configuration 415
Creating DNS Host Entries 417
Network Interface Configuration 418
External NIC Configuration 421
Creating Network Entities 423
Applying the Firewall to Your Security Model 428
Basic Deployment 428
Deployment with a DMZ 428
Deployment of Multiple Raptor Firewall Systems 430
Avoiding Known Security Issues 431
Connectivity 431
Setting Up a DDoS Filter 431
Summary 434
FAQs 434
Chapter 11 Check Point Software’s Check Point FireWall-1
Introduction 438
FireWall-1 Features 438
Access Control 440
Stateful Inspection 440
Content Security: Anti-Virus, URL, and Java/ActiveX Screening 442
User Authentication 443
RSA Security 446
Network Address Translation (NAT) 447
Virtual Private Networks (VPNs) 448
Auditing, Reporting, and Logs 448
LDAP-based User Management 449
Malicious Activity and Intrusion Detection 450
Requirements and Installation 450
System Requirements 451
Installing Check Point FireWall-1 453
Installing the Reporting Module 457
Upgrade Issues 457
After Installation 457
FireWall-1 Configuration 458
Configuring FireWall-1 458
Content Security 462
Access Control 463
Network Address Translation Configuration 464
LDAP Account Management 465
Configuring the Reporting Module 465
Troubleshooting 466
Reports, Auditing, and Malicious Activity Alerts 467
Viruses 467
User Interface License Error 468
Performance Monitor and FireWall-1 468
Dedicated Firewall versus a Firewall Running on a Server Used for Other Purposes 469
Possible Security Issues 469
Summary 470
FAQs 471
Index 473

Product details
 Price
File Size: 4,012 KB
Pages: 529 p
File Type: PDF format
ISBN: 1-928994-20-2
Copyright: 2001 by Syngress Publishing, Inc