The practical, authoritative Cisco network security implementation guide!
Finally, there's a single source for practical, hands-on guidance on
implementing and configuring the most important elements of Cisco network
Leading network security consultant James Pike offers step-by-step guidance
for implementing and configuring key Cisco security products, including in-depth
guidance on using PIX firewalls. Coverage includes:
- Essential Cisco security terminology, technologies, and design criteria
- Comprehensive, start-to-finish techniques for deploying IPSec security in
- Easy-to-understand introductions to Cisco Secure IDS/Net Ranger intrusion
detection, Cisco Secure Scanner/NetSonar scanning, and Cisco Secure Access
Control System access control
No other book brings together this much Cisco security information:
step-by-step tutorials, in-depth reference material, critical data for
configuration, and expert guidance for decision making. Whatever your role in
securing Cisco networks, Cisco Network Security will instantly become your #1
Table of Contents
1. Understanding Security Risk and Threats.
Technology Weaknesses. Protocol. Operating
Systems. Networking Equipment. Firewall “Holes.” Configuration Weaknesses.
Policy Weaknesses. Sources of Security Threats. Thrill Seekers and Adventurers.
Competitors. Thieves. Enemies or Spies. Hostile Employees. Hostile Former
Employer. Other Employee Sources. Threats to Network Security. Electronic
Eavesdropping. Denial of Service. Unauthorized Access. Session Replay. Session
Hijacking. Impersonation. Malicious Destruction. Repudiation. Viruses, Trojan
Horses, and Worms. Rerouting. What Are We To Do? What Needs Protection? What Is
the Nature of the Risk? What Kind of Protection Is Necessary? How Much Can You
Afford to Spend?
2. Security Architecture.
Goals of the Security Policy. Confidentiality
and Privacy of Data. Availability of the Data. Integrity of the Data. Identity
Authentication and Authorization. Nonrepudiation. Physical Security. Cabling.
Switches. Routers. Basic Network Security. Passwords. Network Security
Solutions. Perimeter Routers—First Layer of Defense. Firewalls—Perimeter
Reinforcement. Virtual Private Networks. Data Privacy and Integrity.
Vulnerability Assessment. Intrusion Detection. Access Controls and Identity.
Security Policy Management and Enforcement.
3. First Line of Defense—The Perimeter Router.
Passwords. Privileged Users. Basic Users.
Disable EXEC-Mode. Establish a Line-Specific Password. Establish User-Specific
Passwords. Limit Access Using Access Lists as Filters. Other Issues. Router
Services and Protocols. Simple Network Management Protocol. HTTP. TCP/IP
Services. Disable IP Source Route. Disable Non-Essential TCP and UDP Services.
Disable the Finger Service. Disable Proxy ARP. Disable Directed Broadcasts.
Disable the Cisco Discovery Protocol. Disable ICMP Redirects. Disable the
Network Time Protocol. Disable ICMP Unreachable Messages. Traffic Management.
Access Control Lists (ACL). Router-Based Attack Protection. Routing Protocols.
Audit Trails and Logging.
The Protocols of the Internet. IP—The Internet
Protocol. TCP—The Transmission Control Protocol. UDP—The User Datagram Protocol.
TCP and UDP Ports. What Is a Network Firewall? What Kind of Protection Does a
Firewall Provide? Protection and Features a Firewall Can Provide. What a
Firewall Doesn't Protect Against. Firewall Design Approaches. Network Level
Firewalls. Application Layer Firewalls. Network Design with Firewalls. The
Classic Firewall Design. The Contemporary Design. Router-Based Firewalls.
5. The Cisco Secure PIX Firewall.
Security Levels. The Adaptive Security
Algorithm. Network Address Translation. PIX Firewall Features. Defense Against
Network Attacks. Special Applications and Protocols. Controlling Traffic through
the PIX Firewall. Controlling Inbound Traffic with Conduits. Cut-Through-Proxy.
AAA Support via RADIUS and TACACS+.
6. Configuring the PIX Firewall.
Getting Started. Provision for Routing.
Configuring the PIX Firewall. Identifying the Interfaces. Permitting Access from
the Inside. Establish PIX Firewall Routes. Permitting Access from the Outside.
Testing and Remote Administration. Controlling Outbound Access. Java Applet
Filtering. Authentication and Authorization. Inbound Connections. Outbound
Connections. Logging Events. Syslog. Standby PIX Firewalls with Failover.
7. Router-Based Firewalls.
Access Lists. Standard Access Lists. Extended
Access Lists. Guidelines for Access Lists. Cisco Secure Integrated Software.
Cisco Secure Integrated Software Architecture. CBAC and Stateful Packet
Filtering. CBAC Supported Applications. Other Restrictions of CBAC. CSIS—Other
Features. Configuring CBAC. Other Considerations.
8. Introduction to Encryption Techniques.
Symmetric Key Encryption. Data Encryption
Standard. Advanced Encryption Standard and Others. Key Management. Asymmetric
Key Encryption. How Public-Key Encryption Works. Comparing Symmetric versus
Asymmetric Methods. The Diffie-Hellman Algorithm. Perfect Forward Secrecy. RSA
Public-Key Encryption. Message Authentication Codes.
9. Introduction to IPSec.
Where to Apply Encryption. Data Link Layer.
Network Layer. Transport Layer. Application Layer. Goals. Overview of IPSec.
IPSec Details. AH—The Authentication Header. ESP—The Encapsulating Security
Payload. Modes. SA, SPI, and SPD Defined. Key Management. Internet Key Exchange.
IKE, ISAKMP, OAKLEY, and the DOI. Basic Key Exchange. IKE Phase 1. IKE Phase 2.
10. Configuring IPSec.
Step 1—Planning for IPSec. Step 2—Configuring
Internet Key Exchange (IKE). Configuring Manual Keys. Dynamic Key Management.
PFS and SA Lifetimes. Other IKE Configuration Options. Command Syntax for IKE.
Step 3—Defining Transform Sets. Configuring Transform Sets. Step 4—Create Crypto
Access lists. Step 5—Creating Crypto Maps. Step 6—Applying Crypto Maps to an
Interface. Step 7—Test and Verify. Sample Configurations. Sample Configuration
#1—IPSec Manual Keys. Sample Configuration #2—IKE with PreShared Key.
11. Virtual Private Networks—VPNs.
Motivation for VPNs. Why VPNs. VPN Applications.
VPN Technologies. PPTP. L2TP. IPSec. Authentication Limitations.
12. Cisco's Other Security Products.
Access Control. Vulnerability Assessment. Phase
One—Network Mapping. Phase Two—Data Collection. Phase Three—Data Analysis. Phase
Four—Vulnerability Confirmation. Phase Five—Data Presentation and Navigation.
Phase Six—Reporting. Intrusion Detection. Reacting to Alerts.