Summary

Security professionals and administrators now have access to one of the most valuable resources for learning best practices for network perimeter security. Inside Network Perimeter Security, Second Edition is your guide to preventing network intrusions and defending against any intrusions that do manage to slip through your perimeter. This acclaimed resource has been updated to reflect changes in the security landscape, both in terms of vulnerabilities and defensive tools. Coverage also includes intrusion prevention systems and wireless security. You will work your way through fortifying the perimeter, designing a secure network, and maintaining and monitoring the security of the network. Additionally, discussion of tools such as firewalls, virtual private networks, routers and intrusion detection systems make Inside Network Perimeter Security, Second Edition a valuable resource for both security professionals and GIAC Certified Firewall Analyst certification exam candidates.

Author Biography

Stephen Northcutt is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, whitewater raft guide, chef, martial arts instructor, cartographer, and network designer. Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials, and Network Intrusion Detection, 3rd Edition. He was the original author of the Shadow Intrusion Detection System before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen currently serves as Director of the SANS Institute.

Lenny Zeltser's work in information security draws upon experience in system administration, software architecture, and business administration. Lenny has directed security efforts for several organizations, co-founded a software company, and consulted for a major financial institution. He is a senior instructor at the SANS Institute, having written and taught a course on reverse-engineering malware. Lenny is also a coauthor of books such as SANS Security Essentials and Malware: Fighting Malicious Code. He holds a number of professional certifications, including CISSP and GSE, and is an incident handler at SANS Internet Storm Center. Lenny has earned a bachelor of science in engineering degree from the University of Pennsylvania and a master in business administration degree from MIT. More information about Lenny's projects and interests is available at http://www.zeltser.com.

Scott Winters has been working in all aspects of networking and computer security for over 14 years. He has been an Instructor, Network Engineer, and Systems Administrator and is currently employed as a Senior Consultant for Unisys at the Commonwealth of Pennsylvania Enterprise Server Farm. He has SANS GIAC Firewalls and Incident Handling certifications, as well as MCSE, CNE, Cisco CCNP, CCDP, and other industry certifications. Other accomplishments include authoring and editing of SANS GIAC Training and Certification course content, as well as exam content. He was a primary author of the first edition of Inside Network Perimeter Security and a contributing author for SANS Security Essentials with CISSP CBK. He has also been involved in the SANS GIAC Mentoring program and has served on the SANS GCFW Advisory Board.

Karen Kent is an Associate with Booz Allen Hamilton, where she provides guidance to Federal agencies on a broad range of information assurance concerns, including incident handling, intrusion detection, VPNs, log monitoring, and host security. Karen has earned a bachelor's degree in computer science from the University of Wisconsin-Parkside and a master's degree in computer science from the University of Idaho. She holds the CISSP certification and four SANS GIAC certifications. Karen has contributed to several books, including Intrusion Signatures and Analysis, published numerous articles on security, and coauthored several publications for the National Institute of Standards and Technology (NIST), including NIST Special Publication 800-61: Computer Security Incident Handling Guide.

Ronald W. Ritchey has an active interest in secure network design and network intrusion techniques. He gets to exercise this interest regularly by conducting penetration testing efforts for Booz Allen Hamilton, where he has had the opportunity to learn firsthand the real-world impact of network vulnerabilities. He is also an active researcher in the field with peer-reviewed publications in the area of automated network security analysis. Ronald has authored courses on computer security that have been taught across the country, and he periodically teaches graduate-level courses on computer security. Ronald holds a masters degree in computer science from George Mason University and is currently pursuing his Ph.D. in information technology at their School of Information Technology and Engineering. His doctoral research involves automating network security analysis.

About the Technical Editors

Todd Chapman has 10+ years of experience delivering IT services as varied as systems management, security, networking, clustering, Perl programming, and corporate development and training. Currently, Todd is a consultant for gedas USA, Inc., in Auburn Hills, Michigan, where he provides security consulting services for Volkswagen/Audi of America. For the last three years Todd has been an active member of the SANS GCFW advisory board and has written SANS certification exam questions in a number of disciplines. Todd's certifications include Red Hat Certified Engineer (RHCE), Microsoft Certified Systems Engineer (MCSE), GIAC Certified Firewall Analyst (GCFW), GIAC Certified Intrusion Analyst (GCIA), and GIAC Systems and Network Auditor (GSNA).

Anton Chuvakin, Ph.D., GCIA, GCIH, is a Security Strategist with netForensics, a security information management company, where he is involved with designing the product, researching potential new security features, and advancing the security roadmap. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, and more. He is the author of the book Security Warrior (O'Reilly, January 2004) and a contributor to "Know Your Enemy II" by the Honeynet Project (AWL, June 2004) and "Information Security Management Handbook" (CRC, April 2004). In his spare time he maintains his security portal http://www.info-secure.org website.

Dan Goldberg recently created MADJiC Consulting, Inc., to provide network design and architecture reviews, intrusion detection and response, and vulnerability assessments in Central Virginia. He also works on research and writing projects for the SANS Institute and as technical director for Global Information Assurance Certification (GIAC). When not occupied by these activities, you may find him riding a mountain bike in the Blue Ridge Mountains.

John Spangler is a freelance Network Systems Engineer. Having over 10 years of experience, he has worked on everything from small office systems to large enterprise and ISP networks. John has worked as a technical editor for Cisco certification manuals.

Introduction

(6)

Who Should Read This Book

(1)

Why We Created This Book's Second Edition

(1)

Overview of the Book's Contents

(1)

Conventions

(4)

I The Essentials of Network Perimeter Security

1 Perimeter Security Fundamentals

(16)

Terms of the Trade

(3)

The Perimeter

(1)

Border- Routers

(1)

Firewalls

(1)

Intrusion Detection Systems

(1)

Intrusion Prevention Systems

(1)

Virtual Private Networks

(1)

Software Architecture

(1)

De-Militarized Zones and Screened Subnets

(1)

Defense in Depth

(10)

Components of Defense in Depth

(9)

Case Study: Defense in Depth in Action

(1)

Summary

(1)

2 Packet Filtering

(32)

TCP/IP Primer: How Packet Filtering Works

(1)

TCP and UDP Ports

(1)

TCP's Three-way Handshake

(1)

The Cisco Router as a Packet Filter

(1)

An Alternative Packer Filter: IPChains

(1)

The Cisco ACL

(2)

Rule Order

(1)

Cisco IOS Basics

(1)

Effective Uses of Packet-Filtering Devices

(7)

Filtering Based on Source Address: The Cisco Standard ACL

(7)

Egress Filtering

(1)

Tracking Rejected Traffic

(3)

Filtering by Port and Destination Address: The Cisco Extended ACL

(1)

The Cisco Extended ACL

(3)

Problems with Packet Filters

(7)

Spoofing and Source Routing

(1)

Fragments

(1)

Opening a "Hole" in a Static Packet Filter

(1)

Two-way Traffic and the established Keyword

(2)

Protocol Problems: Extended Access Lists and FTP

(2)

Dynamic Packet Filtering and the Reflexive Access List

(6)

FTP Problems Revisited with the Reflexive Access List

(1)

Reflexive ACLs with UDP and ICMP Traffic: Clearing Up DNS Issues

(1)

Trouble in Paradise: Problems with Reflexive Access Lists

(2)

Cisco IPv6 Access Lists

(1)

Summary

(1)

References

(2)

3 Stateful Firewalls

(32)

How a Stateful Firewall Works

(1)

The Concept of State

(13)

Transport and Network Protocols and State

(5)

Application-Level Traffic and State

(7)

Stateful Filtering and Stateful Inspection

(17)

Stateful Firewall Product Examples

(16)

Summary

(1)

References

(1)

4 Proxy Firewalls

(18)

Fundamentals of Proxying

(4)

Pros and Cons of Proxy Firewalls

(3)

Advantages of Proxy Firewalls

(2)

Disadvantages of Proxy Firewalls

(1)

Types of Proxies

(5)

Web Proxies

(2)

Reverse Proxies

(1)

Anonymizing Proxies

(2)

Tools for Proxying

100

(3)

Firewall Toolkit (FWTK)

100

(1)

SOCKS

101

(1)

Squid

102

(1)

Summary

103

(2)

5 Security Policy

105

(20)

Firewalls Are Policy

105

(8)

Active Policy Enforcement

106

(1)

Unenforceable Policy

107

(6)

How to Develop Policy

113

(6)

Identify Risks

113

(1)

Communicate Your Findings

114

(1)

Create or Update the Security Policy as Needed

114

(1)

Determine Policy Compliance

115

(1)

Sound Out the Organization's Rules and Culture

115

(2)

Elements of Policy

117

(1)

Hallmarks of Good Policy

118

(1)

Perimeter Considerations

119

(3)

Real-world Operations and Policy

119

(3)

Rules of the Road

122

(1)

Summary

122

(1)

References

122

(3)

II Fortifying the Security Perimeter

6 The Role of a Router

125

(36)

The Router as a Perimeter Device

125

(5)

Routing

126

(2)

Secure Dynamic Routing

128

(2)

The Router as a Security Device

130

(10)

The Router as a Part of Defense in Depth

130

(5)

The Router as a Lone Perimeter Security Solution

135

(5)

Router Hardening

140

(18)

Operating System

140

(1)

Locking Down Administration Points

140

(2)

SSH

142

(2)

The Console Port

144

(1)

TFTP and FTP

144

(1)

Configuration Management Tricks with TFTP and Scripts

145

(1)

Simple Network Management Protocol

145

(4)

Disable Unneeded Services

149

(2)

Configure NTP and NTP Authentication

151

(1)

Cisco TCP Keepalives Services

152

(1)

Unicast Reverse Path Forwarding

153

(1)

Internet Control Message Protocol Blocking

153

(2)

Spoofing and Source Routing

155

(1)

Router Logging

155

(2)

Automatic Securing and Auditing of Cisco Routers

157

(1)

Summary

158

(3)

7 Virtual Private Networks

161

(40)

VPN Basics

161

(4)

Basic VPN Methodology

162

(3)

Advantages and Disadvantages of VPNs

165

(5)

Benefits of a VPN

166

(2)

Disadvantages of VPN

168

(2)

IPSec Basics

170

(23)

IPSec Protocol Suite

171

(2)

IKE

173

(4)

IPSec Security Protocols AH and ESP

177

(6)

IPSec Configuration Examples

183

(10)

Other VPN Protocols: PPTP and L2TP

193

(5)

PPTP

193

(1)

L2TP

194

(1)

Comparison of PPTP, L2TP, and IPSec

195

(1)

PPTP and L2TP Examples

195

(3)

Summary

198

(1)

References

199

(2)

8 Network Intrusion Detection

201

(22)

Network Intrusion Detection Basics

201

(9)

The Need for Intrusion Detection

202

(1)

Anomaly Detection

203

(1)

Signature Detection

204

(1)

False Positives and False Negatives

205

(2)

Alerting, Logging, and Reporting

207

(1)

Intrusion Detection Software

208

(1)

Intrusion-Related Services

209

(1)

The Roles of Network IDS in a Perimeter Defense

210

(3)

Identifying Weaknesses

210

(1)

Detecting Attacks from Your Own Hosts

211

(1)

Incident Handling and Forensics

211

(1)

Complementing Other Defense Components

212

(1)

IDS Sensor Placement

213

(4)

Deploying Multiple Network Sensors

213

(1)

Placing Sensors Near Filtering Devices

213

(1)

Placing IDS Sensors on the Internal Network

214

(1)

Working with Encryption

215

Processing in High-traffic Situation,

213

(2)

Configuring Switches

215

(1)

Using an IDS Management Network

216

(1)

Maintaining Sensor Security

216

(1)

Case Studies

217

(5)

Case Study 1: Simple Network Infrastructure

217

(1)

Case Study 2: Multiple External Access Points

218

(2)

Case Study 3: Unrestricted Environment

220

(2)

Summary

222

(1)

9 Host Hardening

223

(22)

The Need for Host Hardening

223

(2)

Removing or Disabling of Unnecessary Programs

225

(7)

Controlling Network Services

225

(5)

Removing Extraneous Software Components

230

(2)

Limiting Access to Data and Configuration Files

232

(1)

Controlling User and Privileges

233

(5)

Managing Unattended Accounts

233

(1)

Protecting Administrative Accounts

234

(1)

Enforcing Strong Passwords

235

(2)

Controlling Group Membership

237

(1)

Maintaining Host Security Logs

238

(2)

Windows Logging and Auditing

238

(1)

UNIX Logging and Auditing

238

(2)

Applying Patches

240

(1)

Additional Hardening Guidelines

241

(2)

Automating Host-Hardening Steps

241

(1)

Common Security Vulnerabilities

242

(1)

Hardening Checklists

242

(1)

Summary

243

(2)

10 Host Defense Components

245

(28)

Hosts and the Perimeter

245

(4)

Workstation Considerations

246

(2)

Server Considerations

248

(1)

Antivirus Software

249

(3)

Strengths of Antivirus Software

249

(1)

Limitations of Antivirus Software

250

(2)

Host-Based Firewalls

252

(9)

Firewalls for Workstations

253

(3)

Firewalls for Servers

256

(5)

Host-Based Intrusion Detection

261

(7)

The Role off-lost-Based IDS

261

(1)

Host-Based IDS Categories

262

(6)

Challenges of Host Defense Components

268

(3)

Defense Components on Compromised hosts

269

(1)

Controlling Distributed Host Defense Components

269

(2)

Summary

271

(1)

References

271

(2)

11 Intrusion Prevention Systems

273

(28)

Rapid Changes in the Marketplace

273

(1)

What Is IPS?

274

(3)

An IPS Must Be Fast

276

(1)

An IPS Must Keep State

276

(1)

An IPS Must Be Accurate and Up to Date

276

(1)

An. IPS Must Have the Ability to Nullify an Attack

277

(1)

IPS Limitations

277

(2)

An Excuse to Ignore Sound Practice

278

(1)

An IPS Simply Buys You Time

278

(1)

NIPS

279

(14)

How Chokepoint NIPS Work

280

(5)

Switch-Type NIPS

285

(6)

Switch NIPS Deployment Recommendations

291

(2)

Host-Based Intrusion Prevention Systems

293

(5)

Real-world Defense Scenarios

293

(1)

Dynamic Rule Creation for Custom Applications

294

(1)

Monitoring File Integrity

294

(1)

Monitoring Application Behavior

295

(1)

HIPS Advantages

295

(1)

HIPS Challenges

296

(1)

More HIPS Challenges

296

(1)

HIPS Recommendations

297

(1)

Summary

298

(3)

III Designing a Secure Network Perimeter

12 Fundamentals of Secure Perimeter Design

301

(24)

Gathering Design Requirements

302

(13)

Determining Which Resources to Protect

302

(4)

Determining Who the Potential Attackers Are

306

(3)

Defining Your Business Requirements

309

(6)

Design Elements for Perimeter Security

315

(8)

Firewall and Router

315

(3)

Firewall and VPN

318

(2)

Multiple Firewalls

320

(3)

Summary

323

(1)

References

323

(2)

13 Separating Resources

325

(28)

Security Zones

325

(9)

A Single Subnet

326

(3)

Multiple Subnets

329

(5)

Common Design Elements

334

(12)

Mail Relay

334

(4)

Split DNS

338

(5)

Client Separation

343

(3)

VLAN-Based Separation

346

(4)

VLAN Boundaries

346

(1)

Jumping Across VLANs

347

(1)

Firewalls and VLANs

348

(1)

Private VLANs

349

(1)

Summary

350

(1)

References

351

(2)

14 Wireless Network Security

353

(22)

802.11 Fundamentals

353

(1)

Securing Wireless Networks

354

(13)

Network Design

355

(4)

Wireless Encryption

359

(4)

Hardening Access Points

363

(3)

Defense in Depth for Wireless Networks

366

(1)

Auditing Wireless Security

367

(2)

Auditing the Wireless Network Design

367

(1)

Auditing Encryption

368

(1)

Case Study: Effective Wireless Architecture

369

(4)

Summary

373

(1)

References

373

(2)

15 Software Architecture

375

(20)

Software Architecture and Network Defense

375

(2)

The Importance of Software Architecture

376

(1)

The Need to Evaluate Application Security

377

(1)

How Software Architecture Affects Network Defense

377

(5)

Firewall and Packet-Filtering Changes

378

(1)

Web Services and Interapplication Communications

378

(2)

Conflicts with Network Configuration

380

(1)

Encrypting Connections

381

(1)

Performance and Reliability

382

(1)

Atypical Operating System

382

(1)

Software Component Placement

382

(3)

Single-System Applications

383

(1)

Multitier Applications

383

(1)

Administrator Access to Systems

383

(1)

Applications for Internal Users Only

384

(1)

Identifying Potential Software Architecture Issues

385

(2)

Software Evaluation Checklist

385

(1)

Sources of Application Information

386

(1)

How to Handle an Unsecurable Application

387

(1)

Software Testing

387

(2)

Host Security

387

(1)

Network Configuration and Security

388

(1)

Network Defense Design Recommendations

389

(1)

Case Study: Customer Feedback System

389

(2)

Deployment Locations

390

(1)

Architecture Recommendation

391

(1)

Case Study: Web-Based Online Billing Application

391

(3)

Deployment Locations

393

(1)

Architecture Recommendation

394

(1)

Summary

394

(1)

References

394

(1)

16 VPN Integration

395

(24)

Secure Shell

395

(5)

Standard SSH Connections

396

(2)

SSH Tunnels

398

(2)

Secure Sockets Layer

400

(5)

SSL Standard Connections

400

(3)

SSL Tunnels

403

(2)

SSL Proxy Servers

405

(1)

Remote Desktop Solutions

405

(4)

Single Session

406

(2)

Multiple Session

408

(1)

IPSec

409

(4)

IPSec Client Integration

410

(1)

IPSec Server Integration

411

(1)

IPSec Perimeter Defense Adjustments

412

(1)

IPSec Architectures

413

(1)

Other VPN Considerations

413

(1)

Proprietary VPN Implementations

413

(1)

Compromised or Malicious VPN Clients

414

(1)

VPN Design Case Study

414

(4)

Case Study: Home Users and Multiple Applications

414

(4)

Summary

418

(1)

References

418

(1)

17 Tuning the Design for Performance

419

(28)

Performance and Security

419

(3)

Defining Performance

419

(2)

Understanding the Importance of Performance in Security

421

(1)

Network Security Design Elements That Impact Performance

422

(10)

The Performance Impacts of Network Filters

422

(3)

Network Architecture

425

(5)

Case Studies to Illustrate the Performance Impact of Network Security Design Elements

430

(2)

Impact of Encryption

432

(7)

Cryptographic Services

433

(1)

Understanding Encryption at the Network and Transport Layers

433

(3)

Using Hardware Accelerators to Improve Performance

436

(1)

Case Studies to Illustrate the Performance Impact of Encryption

437

(2)

Using Load Balancing to Improve Performance

439

(2)

Problems with Load Balancing

440

(1)

Layer 4 Dispatchers

440

(1)

Layer 7 Dispatchers

441

(1)

Mitigating the Effects of DoS Attacks

441

(4)

ICMP Flooding

442

(2)

SYN Flooding

444

(1)

Summary

445

(1)

References

445

(2)

18 Sample Designs

447

(24)

Review of Security Design Criteria

447

(2)

Case Studies

449

(19)

Case Study 1: Telecommuter Who Is Using a Broadband Connection

450

(2)

Case Study 2: A Small Business That Has a Basic Internet Presence

452

(4)

Case Study 3: A Small E-Commerce Site

456

(6)

Case Study 4: A Complex E-Commerce Site

462

(6)

Summary

468

(3)

IV Maintaining and Monitoring Perimeter Security

19 Maintaining a Security Perimeter

471

(26)

System and Network Monitoring

471

(15)

Big Brother Fundamentals

472

(3)

Establishing Monitoring Procedures

475

(8)

Security Considerations for Remote Monitoring

483

(3)

Incident Response

486

(4)

Notification Options

486

(1)

General Response Guidelines

487

(1)

Responding to Malicious Incidents

488

(1)

Automating Event Responses

489

(1)

Accommodating Change

490

(5)

Fundamentals of Change Management

490

(2)

Implementing Change-Management Controls

492

(3)

Summary

495

(1)

References

496

(1)

20 Network Log Analysis

497

(20)

The Importance of Network Log Files

497

(5)

Characteristics of Log Files

498

(2)

Purposes of Log Files

500

(2)

Log Analysis Basics

502

(6)

Getting Started with Log Analysis

502

(2)

Automating Log Analysis

504

(3)

Timestamps

507

(1)

Analyzing Router Logs

508

(1)

Cisco Router Logs

508

(1)

Other Router Logs

509

(1)

Analyzing Network Firewall Logs

509

(3)

Cisco PIX Logs

509

(1)

Check Point FireWall-1 Logs

510

(1)

IPTables Logs

511

(1)

Analyzing Host-Based Firewall and IDS Logs

512

(3)

ZoneAlarm

512

(1)

Norton Personal Firewall

513

(2)

Summary

515

(2)

21 Troubleshooting Defense Components

517

(34)

The Process of Troubleshooting

517

(3)

Collecting Symptoms

518

Reviewing Recent Changes

515

(4)

Forming a Hypothesis

519

(1)

Testing the Hypothesis

519

(1)

Analyzing the Results

519

(1)

Repeating It Necessary

519

(1)

Troubleshooting Rules of Thumb

520

(2)

Make Orin One Change at a Time

520

(1)

Keep an Open Mind

520

(1)

Get a Second Opinion

520

(1)

Stay Focused on Fixing the Problem

521

(1)

Don't Implement a Fix That Further Compromises Your Security

521

(1)

The Obvious Problems Are Often Overlooked

521

(1)

Document, Document, Document!

521

(1)

The Troubleshooter's Toolbox

522

(26)

Application Layer Troubleshooting

325

(200)

Other Useful Utilities

525

(2)

Transport Layer Troubleshooting

527

(13)

Network Layer Troubleshooting

540

(5)

Link Layer Troubleshooting

545

(3)

Summary

548

(1)

References

549

(2)

22 Assessment Techniques

551

(38)

Roadmap for Assessing the Security of Your Network

551

(2)

Planning

553

(2)

Reconnaissance

555

(5)

Network Service Discovery

560

(6)

System Enumeration

560

(3)

Service Discovery

563

(3)

Vulnerability Discovery

566

(7)

Nessus

567

(1)

ISS Internet Scanner

568

(1)

Retina

569

(1)

LANguard

570

(2)

Vulnerabliity Research

572

(1)

Verification of Perimeter Components

573

(4)

Preparing for the Firewall Validation

573

(2)

Verifying Access Controls

575

(2)

Remote Access

577

(8)

Wardialing

577

(2)

Wardriving

579

(3)

VPNs and Reverse Proxies

582

(3)

Exploitation

585

(1)

Results Analysis and Documentation

586

(1)

Summary

587

(2)

23 Design Under Fire

589

(30)

The Hacker Approach to Attacking Networks

589

(1)

Adversarial Review

590

(2)

GIAC GCFW Student Practical Designs

592

(24)

Practical Design 1

593

(13)

Practical Design 2

606

(10)

Summary

616

(1)

References

617

(2)

24 A Unified Security Perimeter: The Importance of Defense in Depth

619

(22)

Castles: An Example of Defense-in-Depth Architecture

620

(12)

Hard Walls and Harder Cannonballs

621

(1)

Secret Passages

621

(5)

Hiding in the Mist

626

(2)

Defense on the Inside

628

(4)

Absorbent Perimeters

632

(3)

Honeypots

632

(1)

Rate Limiting

633

(2)

Failover

635

(1)

Defense in Depth with Information

635

(3)

The Problem of Diffusion

636

(1)

Cryptography and Defense in Depth

637

(1)

Summary

638

(3)

V Appendixes

A Cisco Access List Sample Configurations

641

(16)

Complete Access List for a Private Only Network

641

(4)

Complete Access List for a Screened Subnet Network That Allot s Public Server Internet Access

645

(5)

Example of a Router Configuration as Generated by the Cisco Auto Secure Feature

650

(7)

B Crypto 101

657

(6)

Encryption Algorithms

657

(4)

Shared Key: Symmetric

658

(1)

Public-Private Key: Asymmetric

659

(1)

Digital Signatures and Hash Algorithms

660

(1)

References

661

(2)

Index

663

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.

Excerpts

Inside Network Perimeter Security Second Edition Inside Network Perimeter Security Second Edition Preface The flight from Lihue to San Francisco is about five and a half hours and allows me some of my most productive work time. The phone doesn't ring, the dog doesn't ask to go outside, and my personal firewall doesn't start blinking because someone is trying to scan my computer. The flight attendant crews are starting to know me; I don't want any airplane food, I brought my own recycled water bottle filled with water from my own reverse osmosis filter, just let me write. I am very thankful for a bit of understanding from the crew of United FLT 30 for the time to write this preface. If any of my words give you insight into the current state of affairs with perimeter and internal network management, don't attribute that to me. I rely more each day of my life on the words in James 1:5; I am just the messenger. I was enjoying working on the second edition of this book when a scene on the airplane entertainment televisions caught my eye. It was a video history of United Airlines, which started by delivering airmail in rickety old airplanes with exposed cockpits. Today, modern, fast, sophisticated aircraft have an incredible safety record. The airline industry has gone from an oddity--a great tool to entertain the crowds at county fairs--to an industry that is crucial to our way of life and economy. The airlines in the United States were essentially grounded for about three days following the terrorist attacks of September 11, 2001. The U.S. Congress debated whether to give the airlines money; they decided against it and United is now in chapter 11. By exploring what has changed in the airline world, you will see both the past and the future of our industry, information technology (IT). Like the airline industry, IT has historically been accomplished on rickety platforms. We have benefited from rapid advances in technology. We have seen a decline in personal service. We are headed for continuous inspections, a defense-in-depth approach, and we are every bit as vulnerable and at the same time crucial to the economy. Rickety Planes What if we flew in computers? That gives "crash" a whole new meaning, doesn't it? Well, if we did, I am sure you would agree that we would all be dead. I would love to say operating systems are really improving, but it isn't so. I installed XP SP2 beta, one of the least-rickety operating systems I have worked with in a long time, on a clone of my primary laptop a couple months ago, and it has been interesting. As soon as I submit the remainder of my chapters for this book, I will upgrade my production box. As I write this, the Windows update version has still not been released, and it will be very interesting to see what breaks when the home users get upgraded. A lot of people died in the early days of the airline industry, and as I say, if we flew in those early planes today, most of us would be dead. Now here is the kicker: IPS systems and intelligent switches are nothing but software applications or ASICs that are built on these rickety operating systems. One of the primary themes of this book is never to trust the operating system, to expect perimeter components to fail. This book will show you techniques for failover, layering defense components, segmenting internal networks, using instrumentation to detect anomalies, and troubleshooting. In the early days of perimeter defense, the only choice that information security practitioners had was to layer their perimeter software on these rickety operating systems. Fires in the West For years, I was a network builder for the Department of Defense, which uses large, high-end, fast networks. The most effective security mechanism for separation of sensitive information was implemented with a physical solution--an airgap. If you want to protect one network from another, just don't connect them together. Worms such as Blaster taught us that many networks that supposedly were not connected to the Internet actually were in one way or another, but if you audit carefully and never allow an exception, airgaps work. The problem with an airgap is the two networks cannot interoperate, a concept directly in contradiction with the Internet philosophy and electronic business. The past few years have been a bad time for the U.S. West, as rain has been minimal, with fires starting earlier and earlier each year it seems. One of the most effective tools for managing fires is a firebreak; it isn't as powerful as an airgap (sometimes the fire will bridge it), but segmenting the forest into zones is a powerful technique. The information technology analog for a firebreak is to segment the internal network. This can be done with internal intelligent Network Intrusion Prevention Switches (NIPS), with some elbow grease using current generation switches and applying access control to VLANs, or with low-cost appliance-type firewalls used on the internal network. It can even be done manually using anomaly IDS to detect switch ports heating up, which is usually a signature of a worm, and shutting down the switch. Segmenting internal networks with "firebreaks" allows us to have the interoperability and reduce the risk of losing all our internal systems to a destructive worm "wildfire." This book discusses a number of perimeter and internal network designs. Some are more focused on security, whereas others are focused on performance. Some focus on uptime and help you to understand how to choose these designs based on your organization's requirements. Note -One of the reasons that early airplanes were so dangerous is that a large number of them were hand built. Even if the planes were built in a factory, after a couple of years, they might as well be hand built because of the number of times they were repaired and modified. Can you see how similar the early airplanes are to our server and desktop operating systems? We all agree that patching to reduce the vulnerability footprint is critical, but if no two servers are alike, exactly how do you test the patch? Repeatable builds give an IT shop a major increase in security just like factory-built aircraft. So do appliance firewalls. They are factory built, plug and go. It's not guaranteed that their OS is hardened, but you do know that the OS on the appliance is factory built, consistent, and probably stripped of unneeded programs. These low-cost appliances are very useful for segmenting an internal network. Rapid Advances in Technology Modern aircrafts have wings, fly through the air, and land on the ground--and that is about all they have in common with the first airplanes. The advances in airframe design, materials, avionics, navigation and route selection, and airport operations make it difficult to believe that people ever considered getting into the early airplanes. I would love to say that modern perimeter systems are so advanced that it is inconceivable that we ever tried to protect our systems with those early firewalls, but we haven't made that much progress yet. However, hope prevails, and we certainly see evidence of improvement. Perimeter defense systems have come way down in price for any given bandwidth point; many can be upgraded by just downloading a new image. Deep packet inspection at gigabit speed is possible right now for the well-funded organization. Subscription models that update daily or weekly are the norm and support an architecture of perimeter components to create hybrid systems that combine classic perimeter defense, reporting sensors, and possibly even vulnerability assessments that allow performing internal correlation. This book discusses the importance of using the information collected by peri