End-to-End Network Security

Ben Rothke writes "One of the mistakes many organizations make when it comes to information security is thinking that the firewall will do it all. Management often replies incredulously to a hacking incident with the thought "but don't we have a firewall?" Organizations need to realize that a single appliance alone won't protect their enterprise, irrespective of what the makers of such appliances suggest and promise. A true strategy of security defense in depth is required to ensure a comprehensive level of security is implemented. Defense in depth uses multiple computer security technologies to keep organizations' risks in check. One example of defense in depth is having an anti-virus and anti-spyware solution both at the user's desktop and also at the gateway." Read on for the rest of Ben's review.
End-to-End Network Security: Defense-in-Depth
author: Omar Santos
pages: 480
publisher: Cisco Press
rating: 9
reviewer: Ben Rothke
ISBN: 1587053322
summary: Excellent and comprehensive look at how to secure a Cisco infrastructure
End-to-End Network Security: Defense-in-Depth provides an in-depth look at the various issues around defense in depth. Rather than taking a very narrow approach to security, the book focuses on the comprehensive elements of designing a secure information security infrastructure that can really work to ensure an organization is protected against the many different types of threats it will face on a daily basis.

The book's 12 chapters provide a broad look at the various ways in which to secure a network. Aside from a minor mistake in chapter 1 where the author confuses encryption standards and encryption algorithms (but then again, many people make the same mistake), the book provides a clear and to-the-point approach to the topic at hand. After reading the book, one will have a large amount of the information needed to secure their Cisco-based network.

While it is not in the title, the book is completely centered on Cisco hardware, software, and Cisco IOS. It is a Cisco Press title written by a Cisco employee, so, as you would expect, it has a heavy Cisco slant. For those that do not work in a Cisco environment, the information in the book will likely be far too Cisco-centric for their needs. A review of the index shows that the book provides a near A-Z overview of information security. One of the only missing letters is 'J', but then again, that would require writing about Juniper.

Chapter 1 starts off with a detailed overview of the fundamentals of network security technologies. Chapter 2 details the various security frameworks and methodologies around securing network devices. The six-step methodology that the author writes of is comprised of preparation, identification, classification, traceback, reaction and postmortem.

The author mistakenly writes that manual analysis of complex firewall policies is almost impossible because it is very time-consuming. The truth is that the time-consuming aspect does not make it impossible. It can be done, but the author is correct that the use of automated tools makes such analysis much quicker and easier.
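To make the point about automation concrete, here is an added example (mine, not code from the book or from Cisco) of the kind of check an automated policy tool performs. It parses a constructed ruleset written in a simplified subset of the IOS extended-ACL syntax (IPv4 only, numeric ports only, no keywords such as `established` or `log`) and reports rules that can never match because an earlier rule already covers all of their traffic. A covered rule with the same action is merely redundant; one with the opposite action is shadowed, which is the dangerous case, because the policy the administrator reads is not the policy the device enforces.

```python
"""Shadow / redundancy check for an IOS-style extended ACL.

Added example. The ACL text below is constructed, and the parser handles
only a simplified subset of the Cisco syntax (IPv4, numeric ports).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                         # "permit" | "deny"
    proto: str                          # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Tuple[int, int] = ANY_PORT   # inclusive destination port range


def _parse_addr(tok: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (IOS wildcard mask)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress treats a dotted mask whose first octet is zero as a host
    # mask, which is exactly the IOS wildcard convention (0.0.0.255 == /24).
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue                      # blank line or IOS comment
        seq = int(tok.pop(0)) if tok[0].isdigit() else len(rules) + 1
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        ports = ANY_PORT
        if i < len(tok) and tok[i] == "eq":
            ports = (int(tok[i + 1]), int(tok[i + 1]))
        elif i < len(tok) and tok[i] == "range":
            ports = (int(tok[i + 1]), int(tok[i + 2]))
        rules.append(Rule(seq, action, proto, src, dst, ports))
    return rules


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that b would match is already matched by a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def find_dead_rules(rules: List[Rule]):
    """Return (seq, covering_seq, 'redundant'|'shadowed') for unreachable rules.

    The first earlier rule that covers a later one is the rule that actually
    handles that traffic, so the classification is taken from that rule.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.seq, earlier.seq, kind))
                break
    return findings


# Constructed ruleset for the demonstration; not taken from the book.
SAMPLE_ACL = """
! rule 30 repeats what rule 10 already permits; rule 40 can never fire
! because rule 20 denies that traffic first
10 permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.10 eq 443
20 deny ip 10.1.0.0 0.0.255.255 192.0.2.0 0.0.0.255
30 permit tcp 10.1.2.0 0.0.0.255 host 192.0.2.10 eq 443
40 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.20 eq 22
50 permit udp 172.16.0.0 0.15.255.255 192.0.2.0 0.0.0.255 eq 53
60 deny ip any any
"""

if __name__ == "__main__":
    for seq, by, kind in find_dead_rules(parse_acl(SAMPLE_ACL)):
        print(f"rule {seq} is {kind}: never reached because of rule {by}")
```

The check is pairwise containment, which is what makes it cheap to automate and tedious by hand: on a few hundred rules it is tens of thousands of comparisons, each of which a human reviewer has to get right, and the containment test for wildcard masks is exactly the step people get wrong when reading ACLs by eye.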

Chapters 5 and 6 provide an excellent overview of reacting to information security incidents. The chapters cover all of the necessary details, from laws and log files to the postmortem and more.

Chapter 9 provides an extensive overview of the various elements of IP telephony (IPT) security. It includes various ways to protect the many parts of a Cisco IPT infrastructure. In this chapter and the others, the author does a very good job of detailing the configuration steps necessary to secure a Cisco device, both at the graphical level and also at the IOS command line.

Chapter 12 concludes the book with three case studies of applying defense in depth in small, medium and large enterprise networks. Networks of different sizes have different requirements and constraints and are not secured in the same manner.

Overall, End-to-End Network Security: Defense-in-Depth is an excellent and comprehensive book on how to secure a Cisco infrastructure. It details the many threats such an environment will face, and lists countermeasures to mitigate each of those threats. Anyone involved in securing Cisco-based networks will find this book to be quite helpful in their effort to secure their network.

Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.

Comments
  • by nine-times ( 778537 ) <nine.times@gmail.com> on Wednesday November 14, 2007 @06:04PM (#21355429) Homepage

    I remember reading on slashdot several years ago about a network security idea to scrap all this firewall gateway etc stuff and just implement a secure desktop

    That's all well and good so long as you can really trust each individual machine. Also, you'll probably want to wait after the move to IPv6, or else you'll probably want to have some kind of gateway w/NAT. Even if you had all that, I wouldn't mind having a firewall anyway, just as an added layer of security.

  • by Bender0x7D1 ( 536254 ) on Wednesday November 14, 2007 @06:07PM (#21355465)

    This is, is it not, pretty elementary stuff?

    It really depends on who you are...

    I suppose someone who has a Ph.D. in physics would say that quantum mechanics is pretty elementary stuff. The problem here is that you are assuming everyone who is in charge of a network has the knowledge, background and experience to understand security. Most don't. Many who think they do - don't. There is so much to keep track of that it's a full-time job just to keep up with the attackers. If you have a lot of other work to do, you probably aren't keeping current in every area you need to. That's why there are security experts who get paid a lot of money to help secure systems and networks.

  • Human Factors (Score:4, Interesting)

    by handy_vandal ( 606174 ) on Wednesday November 14, 2007 @06:33PM (#21355829) Homepage Journal
    Also consider the human factors angle.

    I used to do tech support at a major US university. I'd show up at the user's desk, flip the keyboard upside down ... there's the password, taped to the underside of the keyboard. Hell, sometimes it was taped to the monitor. Not every time, of course -- a minority of users, really -- but often enough to make it a Bad Habit.

    -kgj
  • Well, yes... (Score:3, Interesting)

    by jd ( 1658 ) <[moc.oohay] [ta] [kapimi]> on Thursday November 15, 2007 @02:50AM (#21360511) Homepage Journal
    ...but Cisco IOS supports more than firewalls - which seems to be the only focus of the book. IPSec in certificate-based router-to-router mode should be a fundamental consideration in business-to-business connections over the public Internet. Duplicating the endpoint would be essentially impossible.

    Active NIDS is usually discouraged when placed in serial with the network, as it usually can't block the network when in parallel. But if the NIDS server can log onto the managed switch or router, it can disable the connection on an intrusion being detected. If it's sniffing the packets on the regular network only (i.e. not providing any service to the network), it can't be seen or disabled.

    If servers on the network aren't intended for outside use, make them IPv6-only and either make the router an IPv4/IPv6 gateway or use IPv6 tunnels to the extranets of interest. You can't crack what you can't connect to, putting those servers out of reach.

    PAM supports OPIE and S/KEY, so you can always make passwords MUCH harder to obtain or crack. Kerberos V is also good for that.

    Banning open protocols and .rhosts, requiring SSH or SSL/TLS-based protocols would likely do wonders for security as well. Even if passwords are technically encrypted, you can learn a huge amount from the rest of a session if it's not encrypted. Ergo, mandate encryption.

    Next, as far as possible, servers should use mandatory access controls (to limit the use of any bugs for escalation) and software that has been as audited as possible (to minimize the risks of such bugs existing in the first place). The greater the risk of holes, the less the value of protecting all the other avenues that could be used for attack.

    Finally, password files and other authentication data should be protected by means of strong encryption or strong cryptographic hashes according to requirements. That way, if a service ends up proving exploitable or some other hole is discovered, an attacker can't use such data to access the system with greater rights.

    Sure, this is (a) imperfect, (b) clock-cycle expensive and (c) costly if done right, but it WILL be better than any firewall on its own, no matter how good the firewall.
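On the last point in the comment above, protecting stored authentication data with strong cryptographic hashes: as an added example (not from the commenter, the book, or Cisco), the following Python contrasts the pattern to avoid, an unsalted fast digest, with a per-user salted, iterated PBKDF2-HMAC-SHA256 hash and constant-time verification. The user records and the word list are constructed for the demonstration, and the iteration count is an assumed work factor, not a value the page gives.

```python
"""Password storage: unsalted fast hash versus salted, iterated KDF.

Added example with constructed users and a constructed word list; it is
not code from the book, from Cisco, or from the commenter.
"""
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The pattern to avoid: no salt and a fast digest.

    Every user with the same password gets the same value, and a single
    precomputed table cracks the whole file at once.
    """
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(stored: dict, wordlist: list) -> dict:
    """Dictionary attack on unsalted MD5: hash each candidate once, then
    match it against every stored digest. Returns user -> recovered password."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def strong_store(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus an iterated KDF, serialised as
    algorithm$iterations$salt$hash so the parameters can be upgraded later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed accounts; two users happen to share a password.
USERS = {"alice": "Winter2007!", "bob": "Winter2007!", "carol": "x7#Qp9!vLm2z"}
WORDLIST = ["password", "Winter2007!", "letmein", "cisco123"]


def demo() -> dict:
    weak = {u: weak_store(p) for u, p in USERS.items()}
    strong = {u: strong_store(p) for u, p in USERS.items()}
    return {
        "weak_collide": weak["alice"] == weak["bob"],          # True
        "strong_collide": strong["alice"] == strong["bob"],    # False
        "cracked": sorted(crack_weak(weak, WORDLIST)),         # ['alice', 'bob']
        "good_login": verify(strong["alice"], "Winter2007!"),  # True
        "bad_login": verify(strong["alice"], "winter2007!"),   # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats the shared table, and the iteration count turns each guess from a microsecond into a fraction of a second, which is what "strong" means here: an attacker who gets the file still has to pay per user, per guess. Storing the parameters alongside the hash is what lets the work factor be raised later without locking anyone out.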
