
Practice of Network Security, The: Deployment Strategies for Production Environments



  • Sorry, this book is no longer in print.
Not for Sale



  • Detailed, start-to-finish case study—Shows how to systematically redesign an insecure enterprise network to protect it against external and internal threats.
    • Gives students a realistic understanding of how network security concepts and tools work together in real networks and organizations.

  • Security analysis, planning, deployment, and management—Shows how to define appropriate security models, translate them into effective, enforceable policies, and then deploy and administer security based on the models and policies that have been defined.
    • Helps students understand all stages of the security project lifecycle, and succeed regardless of the phase or task they are given responsibility for.

  • In-depth coverage of Internet security and firewalls—Covers securing Web/application servers, DNS servers, email servers, and file/print servers.
    • Teaches students how to improve security in organizational environments with ubiquitous connections to the Internet.

  • Up-to-the-minute coverage of wireless security—Includes detailed coverage of the unique security issues associated with wireless LANs and WANs, and the best available solutions.
    • Gives students expertise that is in increasingly high demand, as wireless networks spread rapidly throughout organizations and businesses.

  • In-depth coverage of access control—Systematically reviews techniques for controlling access via authentication, authorization, and accounting.
    • Ensures that students know how to provide the basic access control that every secure network is built upon.

  • Intrusion detection and response—Covers the five phases of responding to an attack: detect, isolate, halt, report, and prosecute.
    • Reflects the reality that attacks will be launched against virtually every server or organization, and gives students realistic, practical techniques for responding.

  • Effective day-to-day network security administration—Covers every essential aspect of security administration, monitoring, and logging.
  • Step-by-step coverage of VPNs and remote access—Shows how to provide secure remote access for people wherever they are.
    • Helps students address one of today's most common security challenges: reliable, secure remote access.


  • Copyright 1996
  • Dimensions: 7" x 9-1/2"
  • Pages: 416
  • Edition: 1st
  • Book
  • ISBN-10: 0-13-046223-3
  • ISBN-13: 978-0-13-046223-7

Enterprise security for real netadmins in the real world

This book shows how to secure an enterprise network in the real world--when you're on the front lines, constantly under attack, and you don't always get the support you need. Symantec security engineer and former UUNet network architect Allan Liska addresses every facet of network security, from risk profiling through access control, Web/email security through day-to-day monitoring. He systematically identifies today's most widespread security mistakes and vulnerabilities--and offers realistic solutions you can begin implementing right away.

Coverage Includes:

  • Quantifying security risks and "selling" security throughout the organization
  • Defining security models that reflect your company's philosophy
  • Translating your security model into effective, enforceable policies
  • Making your routers and switches your first lines of network defense
  • Controlling access via authentication, authorization, and accounting
  • Configuring secure VPNs and remote access
  • Securing wireless LANs and WANs
  • Establishing a DMZ between your network and the public Internet
  • Securing Web/application servers, DNS servers, email servers, and file/print servers
  • Implementing effective day-to-day network security administration, monitoring, and logging
  • Responding to attacks: detect, isolate, halt, report, and prosecute

Liska integrates these techniques in an end-to-end case study, showing you how to redesign an insecure enterprise network for maximum security--one step at a time.

Sample Content

Online Sample Chapter

Network Security: Understanding Types of Attacks

Table of Contents

1. Defining the Scope.

What is Network Security? What Types of Network Security Are Important? What Is the Cost of Lax Security Policies? Where Is the Network Vulnerable? The Network. Summary.

2. Security Mode.

Choosing a Security Mode. OCTAVE. Build Asset-Based Threat Profiles. Identify Infrastructure Vulnerabilities. Evaluate Security Strategy and Plans. Summary.

3. Understanding Types of Attacks.

Sniffing and Port Scanning. Exploits. Spoofing. Distributed Denial of Service Attacks. Viruses and Worms. Summary.

4. Routing.

The Router on the Network. The Basics. Disabling Unused Services. Redundancy. Securing Routing Protocols. Limit Access to Routers. Change Default Passwords! Summary.

5. Switching.

The Switch on the Network. Multilayer Switching. VLANs. Spanning Tree. MAC Addressing. Restricting Access to Switches. Summary.

6. Authentication, Authorization, and Accounting.

Kerberos. RADIUS. TACACS+. Summary.

7. Remote Access and VPNs.

VPN Solutions. IP VPN Security. Dial-In Security Access. DSL and Cable VPN Security. Encrypting Remote Sessions. The VPN on the Network. Summary.

8. Wireless Wide Area Networks.

Wireless WAN Security Issues. Spread Spectrum Technology. Location. Summary.

9. Wireless Local Area Networks.

Access Point Security. SSID. WEP. MAC Address Filtering. RADIUS Authentication. WLAN VPN. 802.11i. Summary.

10. Firewalls and Intrusion Detection Systems.

The Purpose of the Firewall. What a Firewall Cannot Do. Types of Firewalls. Layer 2 Firewalls. Intrusion Detection Systems. Summary.

11. The DMZ.

DMZ Network Design. Multiple DMZ Design. DMZ Rulesets. Summary.

12. Server Security.

General Server Security Guidelines. Backups. Web Server Security. Mail Server Security. Outsourcing. Summary.

13. DNS Security.

Securing Your Domain Name. A Secure BIND Installation. Limit Access to Domain Information. DNS Outsourcing. Djbdns. Summary.

14. Workstation Security.

General Workstation Security Guidelines. Virus and Worm Scanning. Administrative Access. Remote Login. Summary.

15. Managing Network Security.

Enforcing Security Policies. Understanding Network Security Risks. Avoiding Common Mistakes. Summary.

16. Monitoring.

What to Monitor. SNMP. Centralizing the Monitoring Process. Summary.

17. Logging.

Protecting Against Log-Altering Attacks. Syslog Servers. Sifting Through Logged Data. Summary.

18. Responding to an Attack.

Creating a Response Chain of Command. Take Notes and Gather Evidence. Contain and Investigate the Problem. Remove the Problem. Contact Appropriate Parties. Prepare a Postmortem. Summary.



As I am writing this introduction an alert has just come in about a newly discovered vulnerability in Cisco’s CatOS. The vulnerability, a buffer overflow in the CatOS HTTP daemon, is one that is commonly found on devices that have stripped down HTTP daemons used for management purposes.

A couple of years ago this vulnerability would not have raised too many eyebrows. After all, how often is a device within the network infrastructure attacked? Attacks are targeted toward servers, and insecure workstations not routers, switches, firewalls, or other network infrastructure, right? That’s not the case any more. As networks have become more complex so have the attackers that try to infiltrate them. Network security is no longer simply about protecting servers and workstations. Network security now requires a holistic understanding of the network, and an awareness of vulnerabilities both at the edge and in the core.

As attackers have become more sophisticated, so have the tools they use to infiltrate networks. These tools, most freely available, have filtered down to chat rooms and “warez” web sites, making it easier for less knowledgeable users to launch an attack against a network, or multiple networks. Attacks against networks are now routinely launched by disgruntled teens, angry customers, ex-employees, or someone who just wants to see if it can be done.

All these changes have combined to make the job of security and network professionals much more difficult. The number of devices that must be protected has increased, while the security budget has remained the same or shrunk. Security administrators must now spend time determining whether an attack is orchestrated by someone who knows what they are doing and is trying to gain access to confidential information, or some kid who wants to test out the last Denial of Service (DoS) tool.

In addition to these problems there is often a blending of the roles that security, network and server administrators play in protecting the network. Separating the responsibilities of different groups, while ensuring that communication between the groups still occurs is an important responsibility.

Purpose of This Book

Throughout this book there are real world examples of attacks used against networks, and suggestions for ways to protect networks against these attacks. However, it is important to keep in mind that a book is static; information within these pages is designed as a guideline, to help administrators develop a network security strategy.

Because each network is unique, it is impossible to deliver an all-encompassing strategy in a single book. Using the fundamentals provided in this book can help administrators find holes in current security strategies, or even start a discussion about security within the company.

I know that many people who pick up this book and thumb through it are going to think, at first glance, that much of what is listed here is a waste of time. Many network administrators are too busy plugging holes in the network to take the time to develop a security strategy, and the idea of trying to work with senior management to explain something as complicated as a DoS attack seems impossible. As difficult as these two tasks might seem, they are both important because, in the long run, they make the job of securing the network easier.

Putting a security process in place helps to refine the roles that different groups will play in the security process; it also serves to divide up the work that needs to be done when securing a network. A security process can also help create security baselines that make the job of administering a network much easier.

The purpose of this book is to make the job of securing the network easier. By offering suggestions, based on real world experience, of how to streamline the security process and some common mistakes to watch for, this book can be used to help create a unique security strategy for your organization.

This book should not be used alone. If your organization is serious about having a current and complete security strategy you should use as many tools as possible. In addition to this book, I would recommend the following books:

  • Network Security: Private Communication in a Public World, by Charlie Kaufman, Radia Perlman, and Mike Speciner
  • Applied Cryptography: Protocols, Algorithms, and Source Code in C, by Bruce Schneier

Of course, books should not be your only source of security information, the world of security changes too fast to rely solely on books for information. It is important to work with your server and network vendors to keep up to date on the latest vulnerabilities, and the recommended fixes. Vendors also have a lot of insight and advice about current best security practices for their products.

Finally, using the Internet as a tool to keep up to date with the latest security information can be important. As with any information on the Internet it is usually a good idea to get a second opinion. There is a lot of really good security information, but there is also a lot of bad information and some that is just wrong. Usually surveying the top security web sites, as well as vendor web sites can provide you with enough good information. Some of the security sites I recommend and personally use are (in no particular order):

  • Security Focus (http://www.securityfocus.com/)
  • The SANS Institute (http://www.sans.org/)
  • Network Security Library (http://www.secinf.net/)
  • CERT® Coordination Center (http://www.cert.org/)
  • Insecure.Org (http://www.insecure.org/)
  • Computer Incident Advisory Capability (http://www.ciac.org/)

The information on these web sites is usually reliable and can help you keep your network protected.

The Complaint Department

Knowing network and security engineers the way I do, I know there are going to be people who have complaints about things in this book. Some will feel I should have mentioned a tool that I did not, or that advice I gave was wrong.

If you are one of those people, I want you to tell me. You can e-mail me at allan@allan.org with any suggestions, flames, criticisms, or even if you want to compliment the work.

As I said before, the world of security is constantly changing, no doubt there will be a second and third edition of this book, and your comments can help make those next editions even better, so I welcome them.

