Inside Network Perimeter Security, 2nd Edition

Sorry, this book is no longer in print.
Description

  • Copyright 2005
  • Dimensions: 7" x 9"
  • Pages: 768
  • Edition: 2nd
  • Book
  • ISBN-10: 0-672-32737-6
  • ISBN-13: 978-0-672-32737-7

Security professionals and administrators now have access to one of the most valuable resources for learning best practices for network perimeter security. Inside Network Perimeter Security, Second Edition is your guide to preventing network intrusions and defending against any intrusions that do manage to slip through your perimeter. This acclaimed resource has been updated to reflect changes in the security landscape, both in terms of vulnerabilities and defensive tools. Coverage also includes intrusion prevention systems and wireless security. You will work your way through fortifying the perimeter, designing a secure network, and maintaining and monitoring the security of the network. Additionally, discussion of tools such as firewalls, virtual private networks, routers and intrusion detection systems makes Inside Network Perimeter Security, Second Edition a valuable resource for both security professionals and GIAC Certified Firewall Analyst certification exam candidates.

Sample Content

Online Sample Chapters

Inside Network Perimeter Security: Packet Filtering

Inside Network Perimeter Security: Perimeter Security Fundamentals

Inside Network Perimeter Security: Proxy Firewalls

Inside Network Perimeter Security: Stateful Firewalls

Table of Contents

Introduction.

    Who Should Read This Book.

    Why We Created This Book’s Second Edition.

    Overview of the Book’s Contents.

    Conventions.

I. THE ESSENTIALS OF NETWORK PERIMETER SECURITY.

1. Perimeter Security Fundamentals.

    Terms of the Trade.

      The Perimeter.

      Border Routers.

      Firewalls.

      Intrusion Detection Systems.

      Intrusion Prevention Systems.

      Virtual Private Networks.

      Software Architecture.

      De-Militarized Zones and Screened Subnets.

    Defense in Depth.

      Components of Defense in Depth.

    Case Study: Defense in Depth in Action.

    Summary.

2. Packet Filtering.

    TCP/IP Primer: How Packet Filtering Works.

    TCP and UDP Ports.

    TCP’s Three-way Handshake.

    The Cisco Router as a Packet Filter.

    An Alternative Packet Filter: IPChains.

    The Cisco ACL.

      Rule Order.

      Cisco IOS Basics.

    Effective Uses of Packet-Filtering Devices.

      Filtering Based on Source Address: The Cisco Standard ACL.

    Egress Filtering.

    Tracking Rejected Traffic.

      Filtering by Port and Destination Address: The Cisco Extended ACL.

      The Cisco Extended ACL.

    Problems with Packet Filters.

      Spoofing and Source Routing.

      Fragments.

      Opening a “Hole” in a Static Packet Filter.

      Two-way Traffic and the established Keyword.

      Protocol Problems: Extended Access Lists and FTP.

    Dynamic Packet Filtering and the Reflexive Access List.

      FTP Problems Revisited with the Reflexive Access List.

      Reflexive ACLs with UDP and ICMP Traffic: Clearing Up DNS Issues.

      Trouble in Paradise: Problems with Reflexive Access Lists.

      Cisco IPv6 Access Lists.

    Summary.

    References.

3. Stateful Firewalls.

    How a Stateful Firewall Works.

    The Concept of State.

      Transport and Network Protocols and State.

      Application-Level Traffic and State.

    Stateful Filtering and Stateful Inspection.

      Stateful Firewall Product Examples.

    Summary.

    References.

4. Proxy Firewalls.

    Fundamentals of Proxying.

    Pros and Cons of Proxy Firewalls.

      Advantages of Proxy Firewalls.

      Disadvantages of Proxy Firewalls.

    Types of Proxies.

      Web Proxies.

      Reverse Proxies.

      Anonymizing Proxies.

    Tools for Proxying.

      Firewall Toolkit (FWTK).

      SOCKS.

      Squid.

    Summary.

5. Security Policy.

    Firewalls Are Policy.

      Active Policy Enforcement.

      Unenforceable Policy.

    How to Develop Policy.

      Identify Risks.

      Communicate Your Findings.

      Create or Update the Security Policy as Needed.

      Determine Policy Compliance.

      Sound Out the Organization’s Rules and Culture.

      Elements of Policy.

      Hallmarks of Good Policy.

    Perimeter Considerations.

      Real-world Operations and Policy.

      Rules of the Road.

    Summary.

    References.

II. FORTIFYING THE SECURITY PERIMETER.

6. The Role of a Router.

    The Router as a Perimeter Device.

      Routing.

      Secure Dynamic Routing.

    The Router as a Security Device.

      The Router as a Part of Defense in Depth.

      The Router as a Lone Perimeter Security Solution.

    Router Hardening.

      Operating System.

      Locking Down Administration Points.

      SSH.

      The Console Port.

      TFTP and FTP.

      Configuration Management Tricks with TFTP and Scripts.

      Simple Network Management Protocol.

      Disable Unneeded Services.

      Configure NTP and NTP Authentication.

      Cisco TCP Keepalives Services.

      Unicast Reverse Path Forwarding.

      Internet Control Message Protocol Blocking.

      Spoofing and Source Routing.

      Router Logging.

      Automatic Securing and Auditing of Cisco Routers.

    Summary.

7. Virtual Private Networks.

    VPN Basics.

      Basic VPN Methodology.

    Advantages and Disadvantages of VPNs.

      Benefits of a VPN.

      Disadvantages of VPN.

    IPSec Basics.

      IPSec Protocol Suite.

      IKE.

      IPSec Security Protocols AH and ESP.

      IPSec Configuration Examples.

    Other VPN Protocols: PPTP and L2TP.

      PPTP.

      L2TP.

      Comparison of PPTP, L2TP, and IPSec.

      PPTP and L2TP Examples.

    Summary.

    References.

8. Network Intrusion Detection.

    Network Intrusion Detection Basics.

      The Need for Intrusion Detection.

      Anomaly Detection.

      Signature Detection.

      False Positives and False Negatives.

      Alerting, Logging, and Reporting.

      Intrusion Detection Software.

      Intrusion-Related Services.

    The Roles of Network IDS in a Perimeter Defense.

      Identifying Weaknesses.

      Detecting Attacks from Your Own Hosts.

      Incident Handling and Forensics.

      Complementing Other Defense Components.

    IDS Sensor Placement.

      Deploying Multiple Network Sensors.

      Placing Sensors Near Filtering Devices.

      Placing IDS Sensors on the Internal Network.

      Working with Encryption.

      Processing in High-traffic Situations.

      Configuring Switches.

      Using an IDS Management Network.

      Maintaining Sensor Security.

    Case Studies.

      Case Study 1: Simple Network Infrastructure.

      Case Study 2: Multiple External Access Points.

      Case Study 3: Unrestricted Environment.

    Summary.

9. Host Hardening.

    The Need for Host Hardening.

    Removing or Disabling of Unnecessary Programs.

      Controlling Network Services.

      Removing Extraneous Software Components.

    Limiting Access to Data and Configuration Files.

    Controlling User and Privileges.

      Managing Unattended Accounts.

      Protecting Administrative Accounts.

      Enforcing Strong Passwords.

      Controlling Group Membership.

    Maintaining Host Security Logs.

      Windows Logging and Auditing.

      UNIX Logging and Auditing.

    Applying Patches.

    Additional Hardening Guidelines.

      Automating Host-Hardening Steps.

      Common Security Vulnerabilities.

      Hardening Checklists.

    Summary.

10. Host Defense Components.

    Hosts and the Perimeter.

      Workstation Considerations.

      Server Considerations.

    Antivirus Software.

      Strengths of Antivirus Software.

      Limitations of Antivirus Software.

    Host-Based Firewalls.

      Firewalls for Workstations.

      Firewalls for Servers.

    Host-Based Intrusion Detection.

      The Role of Host-Based IDS.

      Host-Based IDS Categories.

    Challenges of Host Defense Components.

      Defense Components on Compromised Hosts.

      Controlling Distributed Host Defense Components.

    Summary.

    References.

11. Intrusion Prevention Systems.

    Rapid Changes in the Marketplace.

    What Is IPS?

      An IPS Must Be Fast.

      An IPS Must Keep State.

      An IPS Must Be Accurate and Up to Date.

      An IPS Must Have the Ability to Nullify an Attack.

    IPS Limitations.

      An Excuse to Ignore Sound Practice.

      An IPS Simply Buys You Time.

    NIPS.

      How Chokepoint NIPS Work.

      Switch-Type NIPS.

      Switch NIPS Deployment Recommendations.

    Host-Based Intrusion Prevention Systems.

      Real-world Defense Scenarios.

      Dynamic Rule Creation for Custom Applications.

      Monitoring File Integrity.

      Monitoring Application Behavior.

      HIPS Advantages.

      HIPS Challenges.

      More HIPS Challenges.

      HIPS Recommendations.

    Summary.

III. DESIGNING A SECURE NETWORK PERIMETER.

12. Fundamentals of Secure Perimeter Design.

    Gathering Design Requirements.

      Determining Which Resources to Protect.

      Determining Who the Potential Attackers Are.

      Defining Your Business Requirements.

    Design Elements for Perimeter Security.

      Firewall and Router.

      Firewall and VPN.

      Multiple Firewalls.

    Summary.

    References.

13. Separating Resources.

    Security Zones.

      A Single Subnet.

      Multiple Subnets.

    Common Design Elements.

      Mail Relay.

      Split DNS.

      Client Separation.

    VLAN-Based Separation.

      VLAN Boundaries.

      Jumping Across VLANs.

      Firewalls and VLANs.

      Private VLANs.

    Summary.

    References.

14. Wireless Network Security.

    802.11 Fundamentals.

    Securing Wireless Networks.

      Network Design.

      Wireless Encryption.

      Hardening Access Points.

      Defense in Depth for Wireless Networks.

    Auditing Wireless Security.

      Auditing the Wireless Network Design.

      Auditing Encryption.

    Case Study: Effective Wireless Architecture.

    Summary.

    References.

15. Software Architecture.

    Software Architecture and Network Defense.

      The Importance of Software Architecture.

      The Need to Evaluate Application Security.

    How Software Architecture Affects Network Defense.

      Firewall and Packet-Filtering Changes.

      Web Services and Interapplication Communications.

      Conflicts with Network Configuration.

      Encrypting Connections.

      Performance and Reliability.

      Atypical Operating System.

    Software Component Placement.

      Single-System Applications.

      Multitier Applications.

      Administrator Access to Systems.

      Applications for Internal Users Only.

    Identifying Potential Software Architecture Issues.

      Software Evaluation Checklist.

      Sources of Application Information.

      How to Handle an Unsecurable Application.

    Software Testing.

      Host Security.

      Network Configuration and Security.

    Network Defense Design Recommendations.

    Case Study: Customer Feedback System.

      Deployment Locations.

      Architecture Recommendation.

    Case Study: Web-Based Online Billing Application.

      Deployment Locations.

      Architecture Recommendation.

    Summary.

    References.

16. VPN Integration.

    Secure Shell.

      Standard SSH Connections.

      SSH Tunnels.

    Secure Sockets Layer.

      SSL Standard Connections.

      SSL Tunnels.

      SSL Proxy Servers.

    Remote Desktop Solutions.

      Single Session.

      Multiple Session.

    IPSec.

      IPSec Client Integration.

      IPSec Server Integration.

      IPSec Perimeter Defense Adjustments.

      IPSec Architectures.

    Other VPN Considerations.

      Proprietary VPN Implementations.

      Compromised or Malicious VPN Clients.

    VPN Design Case Study.

      Case Study: Home Users and Multiple Applications.

    Summary.

    References.

17. Tuning the Design for Performance.

    Performance and Security.

      Defining Performance.

      Understanding the Importance of Performance in Security.

    Network Security Design Elements That Impact Performance.

      The Performance Impacts of Network Filters.

      Network Architecture.

      Case Studies to Illustrate the Performance Impact of Network Security Design Elements.

    Impact of Encryption.

      Cryptographic Services.

      Understanding Encryption at the Network and Transport Layers.

      Using Hardware Accelerators to Improve Performance.

      Case Studies to Illustrate the Performance Impact of Encryption.

    Using Load Balancing to Improve Performance.

      Problems with Load Balancing.

      Layer 4 Dispatchers.

      Layer 7 Dispatchers.

    Mitigating the Effects of DoS Attacks.

      ICMP Flooding.

      SYN Flooding.

    Summary.

    References.

18. Sample Designs.

    Review of Security Design Criteria.

    Case Studies.

      Case Study 1: Telecommuter Who Is Using a Broadband Connection.

      Case Study 2: A Small Business That Has a Basic Internet Presence.

      Case Study 3: A Small E-Commerce Site.

      Case Study 4: A Complex E-Commerce Site.

    Summary.

IV. MAINTAINING AND MONITORING PERIMETER SECURITY.

19. Maintaining a Security Perimeter.

    System and Network Monitoring.

      Big Brother Fundamentals.

      Establishing Monitoring Procedures.

      Security Considerations for Remote Monitoring.

    Incident Response.

      Notification Options.

      General Response Guidelines.

      Responding to Malicious Incidents.

      Automating Event Responses.

    Accommodating Change.

      Fundamentals of Change Management.

      Implementing Change-Management Controls.

    Summary.

    References.

20. Network Log Analysis.

    The Importance of Network Log Files.

      Characteristics of Log Files.

      Purposes of Log Files.

    Log Analysis Basics.

      Getting Started with Log Analysis.

      Automating Log Analysis.

      Timestamps.

    Analyzing Router Logs.

      Cisco Router Logs.

      Other Router Logs.

    Analyzing Network Firewall Logs.

      Cisco PIX Logs.

      Check Point FireWall-1 Logs.

      IPTables Logs.

    Analyzing Host-Based Firewall and IDS Logs.

      ZoneAlarm.

      Norton Personal Firewall.

    Summary.

21. Troubleshooting Defense Components.

    The Process of Troubleshooting.

      Collecting Symptoms.

      Reviewing Recent Changes.

      Forming a Hypothesis.

      Testing the Hypothesis.

      Analyzing the Results.

      Repeating If Necessary.

    Troubleshooting Rules of Thumb.

      Make Only One Change at a Time.

      Keep an Open Mind.

      Get a Second Opinion.

      Stay Focused on Fixing the Problem.

      Don’t Implement a Fix That Further Compromises Your Security.

      The Obvious Problems Are Often Overlooked.

      Document, Document, Document!

    The Troubleshooter’s Toolbox.

      Application Layer Troubleshooting.

      Other Useful Utilities.

      Transport Layer Troubleshooting.

      Network Layer Troubleshooting.

      Link Layer Troubleshooting.

    Summary.

    References.

22. Assessment Techniques.

    Roadmap for Assessing the Security of Your Network.

    Planning.

    Reconnaissance.

    Network Service Discovery.

      System Enumeration.

      Service Discovery.

    Vulnerability Discovery.

      Nessus.

      ISS Internet Scanner.

      Retina.

      LANguard.

      Vulnerability Research.

    Verification of Perimeter Components.

      Preparing for the Firewall Validation.

      Verifying Access Controls.

    Remote Access.

      Wardialing.

      Wardriving.

      VPNs and Reverse Proxies.

    Exploitation.

    Results Analysis and Documentation.

    Summary.

23. Design Under Fire.

    The Hacker Approach to Attacking Networks.

    Adversarial Review.

    GIAC GCFW Student Practical Designs.

      Practical Design 1.

      Practical Design 2.

    Summary.

    References.

24. A Unified Security Perimeter: The Importance of Defense in Depth.

    Castles: An Example of Defense-in-Depth Architecture.

      Hard Walls and Harder Cannonballs.

      Secret Passages.

      Hiding in the Mist.

      Defense on the Inside.

    Absorbent Perimeters.

      Honeypots.

      Rate Limiting.

      Failover.

    Defense in Depth with Information.

      The Problem of Diffusion.

      Cryptography and Defense in Depth.

    Summary.

V. APPENDIXES.

Appendix A. Cisco Access List Sample Configurations.

    Complete Access List for a Private-Only Network.

    Complete Access List for a Screened Subnet Network That Allows Public Server Internet Access.

      Example of a Router Configuration as Generated by the Cisco Auto Secure Feature.

Appendix B. Crypto 101.

    Encryption Algorithms.

      Shared Key: Symmetric.

      Public—Private Key: Asymmetric.

      Digital Signatures and Hash Algorithms.

    References.

Index.
