Designing Network Security / Edition 2



Corporate network security issues still very much fill the media today. Most books available on this subject today focus on hosts or firewall security problems, or provide a theoretical study of security technologies. In contrast, Designing Network Security offers a very practical approach to the implementation of secure network design, offering the additional bonus of Cisco specific perspectives and case studies. Designing Network Security demonstrates in a practical manner how to architect and implement a site security policy that translates to a secure corporate network environment.
  • Provides a solid foundation on network security from Cisco's perspective
  • Presents a practical view of securing the network infrastructure that no other book has provided to date
  • Offers a comprehensive analysis of architecting and implementing a site security policy

Product Details

  • ISBN-13: 9781587051173
  • Publisher: Cisco Press
  • Publication date: 10/30/2003
  • Series: Networking Technology Series
  • Edition description: Subsequent
  • Edition number: 2
  • Pages: 745
  • Product dimensions: 7.74 (w) x 9.48 (h) x 2.08 (d)

Meet the Author

Merike Kaeo (CCIE #1287) has been in the networking industry for more than 10 years. As a member of the IEEE and IETF, she brings a wealth of technical and practical knowledge to the community, helping professionals to understand complex networking concepts. Merike has been employed with Cisco Systems, Inc. since June 1993 where she has worked primarily on technical issues relating to router performance, network routing protocols, network design, and network security. From 1988 to 1993, Merike worked at the National Institutes of Health in Bethesda, MD, designing and implementing the original FDDI backbone for the NIH campus using Cisco routers. She received her BSEE degree from Rutgers University in 1987 and completed her MSEE degree from George Washington University in 1998.

Read an Excerpt

Chapter 2: Security Technologies

A wide range of security technologies exists that provide solutions for securing network access and data transport mechanisms within the corporate network infrastructure. Many of the technologies overlap in solving problems that relate to ensuring user or device identity, data integrity, and data confidentiality.

Throughout this book, authentication, authorization, and access control are incorporated into the concept of identity. Although these concepts are distinct, they all pertain to each individual user of the network, be it a person or a device. Each person or device is a distinct entity that has separate abilities within the network and is allowed access to resources based on who it is. Although in the purest sense identity pertains only to authentication, in many cases it makes sense to discuss the entity's authorization and access control at the same time.

Authentication is the process of validating the claimed identity of an end user or a device (such as clients, servers, switches, routers, firewalls, and so on). Authorization is the process of granting access rights to a user, groups of users, or specified system; access control is limiting the flow of information from the resources of a system to only the authorized persons or systems in the network. In most of the cases we will study, authorization and access control are subsequent to successful authentication.

This chapter describes security technologies commonly used for establishing identity (authentication, authorization, and access control) as well as for ensuring some degree of data integrity and confidentiality in a network. Data integrity ensures that the data has not been altered or destroyed except by people who are explicitly intended to modify it; data confidentiality ensures that only the entities allowed to see the data see it in a usable format.

The intent is to develop a basic understanding of how these technologies can be implemented in corporate networks and to identify their strengths and weaknesses. The following categories have been selected in an attempt to group the protocols according to shared attributes:

  • Identity technologies
  • Security in TCP/IP structured layers
  • Virtual private dial-up security technologies
  • Public Key Infrastructure and distribution models

NOTE Many of the technologies discussed here either have been, or are in the process of being

Identity Technologies

This section describes the primary technologies used to establish identity for a host, an end user, or both. Authentication is an extremely critical element because everything is based on who you are. In many corporate networks, you would not grant authorized access to specific parts of the network before establishing who is trying to gain access to restricted resources. How foolproof the authentication method is depends on the technology used.

We can loosely categorize authentication methods as those where there is local control and those where you provide authentication verification through a trusted third party.

One of the potential weaknesses in some authentication methods is who you trust. Many authentication methods rely on a third party to verify someone's identity. The strength of this verification is the limiting factor in the strength of the authentication. When using a third party to authenticate an end user or device, ask yourself, "What is the likelihood that the third party I'm counting on to provide the authentication verification has been compromised?"

The technologies discussed in this section include variants of secure passwords, which provide varying degrees of security and are offered by most vendors today. Many protocols will authorize some form of connection setup after authentication is successfully verified. In dial-up environments, a peer-to-peer link level connection is established; sometimes, additional access control mechanisms can be employed at higher levels of the protocol stack, such as permitting access to hosts with certain IP addresses accessing specific applications. We will look at different protocols that often use an initial authentication process to then grant authorization and access control.

NOTE Digital certificates can be used as an authentication method, as discussed in detail in "Public

Secure Passwords

Although passwords are often used as proof for authenticating a user or device, passwords can easily be compromised if they are easy to guess, if they are not changed often enough, or if they are transmitted in cleartext across a network. To make passwords more secure, more robust methods are offered that encrypt the password or modify the encryption so that the encrypted value changes each time. This is the case with most one-time password schemes, the most common being the S/Key protocol and the token password authentication schemes.

S/Key Password Protocol

The S/Key One-Time Password System, released by Bellcore and defined in RFC 1760, is a one-time password generation scheme based on MD4 and MD5. The S/Key protocol is designed to counter a replay attack when a user is attempting to log in to a system. A replay attack in the context of login is when someone eavesdrops on a network connection to get the login ID and password of a legitimate user and later uses it to gain access to the network.

The operation of the S/Key protocol is client/server based: the client is typically a PC, and the server is some flavor of UNIX. Initially, both the client and the server must be configured with the same pass phrase and an iteration count. The iteration count specifies how many times a given input will be applied to the hash function. The client initiates the S/Key exchange by sending an initialization packet; the server responds with a sequence number and seed, as shown in Figure 2-1.

The client then computes the one-time password, a process that involves three distinct steps: a preparatory step, a generation step, and an output function (see Figure 2-2).

1. In the preparatory step, the client enters a secret pass phrase. This pass phrase is concatenated with the seed that was transmitted from the server in cleartext.

2. The generation step applies the secure hash function multiple times, producing a 64-bit final output.

3. The output function takes the 64-bit one-time password and displays it in readable form.

The last phase is for the client to pass the one-time password to the server, where it can be verified (see Figure 2-3).

The server has a file (on the UNIX reference implementation, it is /etc/skeykeys) containing, for each user, the one-time password from the last successful login. To verify an authentication attempt, the authentication server passes the received one-time password through the secure hash function once. If the result of this operation matches the stored previous one-time password, the authentication is successful and the accepted one-time password is stored for future use.

Because the number of hash function applications executed by the client decreases by one each time, this ensures a unique sequence of generated passwords. However, at some point, the user must reinitialize the system to avoid being unable to log in again. The system is reinitialized using the keyinit command, which allows the changing of the secret pass phrase, the iteration count, and the seed.

When computing the S/Key password on the client side, the client pass phrase can be of any length; more than eight characters is recommended. The use of the non-secret seed allows a client to use the same secret pass phrase on multiple machines (using different seeds) and to safely recycle secret pass phrases by changing the seed.

Note: Many implementations require the generated one-time password to be entered either using a cut-and-paste approach or manually. In manual entry scenarios, the one-time password is converted to, and accepted as, a sequence of six short (one- to four-letter) English words. Each word is chosen from a dictionary of 2,048 words; at 11 bits per word, all one-time passwords may be encoded. Interoperability requires that all S/Key system hosts and calculators use the same dictionary.

S/Key is an alternative to simple passwords. Free as well as commercial implementations are widely available....
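The client-side computation (preparatory step, generation step, output function) and the server-side verification described above, as an added example that is not from the book or from the S/Key reference implementation. It uses MD5 as the hash (RFC 1760 used MD4, which many hashlib builds no longer ship), prints hex instead of the six-word encoding, and the user name, seed and pass phrase are constructed values; it also shows why a replayed password and a stale sequence number are rejected.

```python
"""Minimal S/Key-style one-time password scheme (added example, not the book's code)."""
from __future__ import annotations

import hashlib
import hmac


def fold_digest(digest: bytes) -> bytes:
    """Fold a 16-byte digest to the 64-bit value S/Key works with (XOR of the halves)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_hash(value: bytes) -> bytes:
    """One application of the secure hash function (MD5 here; RFC 1760 used MD4)."""
    return fold_digest(hashlib.md5(value).digest())


def key_crunch(seed: str, passphrase: str) -> bytes:
    """Preparatory step: the non-secret seed (case-insensitive) is concatenated
    with the secret pass phrase and hashed once."""
    return skey_hash((seed.lower() + passphrase).encode())


def one_time_password(passphrase: str, seed: str, sequence: int) -> bytes:
    """Generation step: apply the hash `sequence` more times to the crunched key.
    Password number n is the hash of password number n-1, which is what lets the
    server check a new password against the last one it accepted."""
    value = key_crunch(seed, passphrase)
    for _ in range(sequence):
        value = skey_hash(value)
    return value


def readable(otp: bytes) -> str:
    """Output function, simplified: hex instead of the six-word dictionary encoding."""
    return otp.hex()


class SKeyServer:
    """Per user, keeps the seed plus the last accepted password and its number
    (the role of /etc/skeykeys in the UNIX reference implementation)."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def keyinit(self, user: str, passphrase: str, seed: str, count: int) -> None:
        """Initialise (or reinitialise) a user by storing password number `count`.
        The client will present number count-1 at its next login."""
        self.users[user] = {
            "seed": seed,
            "seq": count,
            "last": one_time_password(passphrase, seed, count),
        }

    def challenge(self, user: str) -> tuple[int, str]:
        """Reply to the client's initialisation packet: sequence number and seed."""
        record = self.users[user]
        if record["seq"] < 1:
            raise RuntimeError("sequence exhausted; the user must run keyinit again")
        return record["seq"] - 1, record["seed"]

    def verify(self, user: str, otp: bytes) -> bool:
        """Hash the received password once and compare it with the stored one.
        A replayed password fails because hashing it does not yield itself."""
        record = self.users[user]
        if record["seq"] < 1:
            return False
        if not hmac.compare_digest(skey_hash(otp), record["last"]):
            return False
        record["last"] = otp   # the accepted password becomes the new reference
        record["seq"] -= 1     # the next login must use one fewer hash round
        return True


def demo() -> tuple[bool, bool, bool, bool]:
    """Constructed scenario: keyinit with count 5, then a login, a replay of the
    same password, a wrong pass phrase, and a second correct login."""
    server = SKeyServer()
    seed = "ex1234"                              # constructed, non-secret seed
    passphrase = "example pass phrase for demo"  # constructed secret
    server.keyinit("alice", passphrase, seed, 5)

    seq, srv_seed = server.challenge("alice")    # seq == 4
    otp = one_time_password(passphrase, srv_seed, seq)
    first = server.verify("alice", otp)          # accepted
    replay = server.verify("alice", otp)         # rejected: eavesdropped OTP is stale

    seq, srv_seed = server.challenge("alice")    # seq == 3
    wrong = server.verify("alice", one_time_password("guess", srv_seed, seq))
    second = server.verify("alice", one_time_password(passphrase, srv_seed, seq))
    return first, replay, wrong, second


if __name__ == "__main__":
    print(demo(), readable(one_time_password("example pass phrase for demo", "ex1234", 3)))
```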


Table of Contents

Pt. I Security Fundamentals 3
Ch. 1 Basic Cryptography 5
Ch. 2 Security Technologies 37
Ch. 3 Applying Security Technologies to Real Networks 135
Ch. 4 Routing Protocol Security 207
Pt. II The Corporate Security Policy 239
Ch. 5 Threats in an Enterprise Network 241
Ch. 6 Considerations for a Site Security Policy 291
Ch. 7 Design and Implementation of the Corporate Security Policy 313
Ch. 8 Incident Handling 355
Pt. III Practical Implementation 375
Ch. 9 Securing the Corporate Network Infrastructure 377
Ch. 10 Securing Internet Access 445
Ch. 11 Securing Remote Dial-In Access 501
Ch. 12 Securing VPN, Wireless, and VoIP Networks 575
Pt. IV Appendixes 609
App. A Sources of Technical Information 611
App. B Reporting and Prevention Guidelines: Industrial Espionage and Network Intrusions 615
App. C Port Numbers 629
App. D Mitigating Distributed Denial-of-Service Attacks 633
App. E Answers to Review Questions 665
Glossary 697
Index 711

Customer Reviews

Average Rating: 4 (4 reviews)
  • Anonymous

    Posted October 4, 2005

    Well written, plenty examples

    Merike Kaeo's Designing Network Security, second edition, by Cisco Press is an easy to read volume with generous emphasis on the roles of planning and careful design in corporate information security strategy. The book draws its examples from Cisco Security platform appliances and software. Organized into three parts (ignoring the appendix) of four chapters each, the book progresses from description of various security concepts and technologies to security policy and planning, culminating in basic implementation scenarios. Of important consideration are the many case studies and configuration examples spruced throughout the volume. Part I starts with the first chapter on Cryptography, which concentrates on several contemporary cryptographic schemes. This is a good introduction to the topic for newbies and non-cryptographers. It provides clear context for many of the cryptographic schemes in use in many Cisco appliances and used in other parts of the book. Access Control, Public Key and Identity Management were all given diligent attention and their applicability in real networks explored at the end of part I. Part II develops the concepts and issues in corporate information security management from Enterprise Security Threat profiles in chapter 5, through considerations for site security, policy development and implementation and incidence management in chapter 8. I find this section as perhaps the most useful given the dilemma many organizations face today in developing comprehensive and holistic response to the ever growing threats to information and consequently much of their business infrastructure. This Section should also provide succor to security professionals grappling with the idea of developing a security policy and incident response procedure for their organizations. The case study on an educational institution is quite simplistic but in all provides some context for the complex task of policy development.
This section like the other two is also well commented with advice and useful example scenarios. The implementation chapter is a bonus for Information Security Professionals working in a predominantly Cisco environment. The section includes many easily adaptable real life configuration examples for many of the current Cisco appliances using IOS version 12.2 and later. Included are example configurations for routers, firewalls, access control servers and Cisco IDS modules. Of course, most, if not all, Cisco Press texts have their share of configuration examples using Cisco technologies, but the organization of this material brings much of the critical solutions into clear perspective. I got the book a few weeks after getting my CISSP certification and will recommend it as a good read for CISSP candidates even though it is a vendor specific volume; much of the discussion and theoretical underpinning of the text are relevant for a multi-vendor, homogeneous security environment that the CISSP addresses. I have read several CCIE-Security specific texts and reviewed the requirements for the Exam. This volume is a sure buy for CCIE-Security candidates. This is a technical book for intermediate to expert level security and networking professionals, but more importantly it is an excellent desk reference for any information security consultant.

  • Anonymous

    Posted February 28, 2005

    Book Review of Designing Network Security

    I started reading this book because of the title, i.e., "Designing Network Security", and of course, the "Cisco" name. This book needs to be re-vamped and Cisco Press should release a third edition. There are so many typographical errors, errors in the figures and in the configuration examples, that it falls far short of what I've come to expect from Cisco Press. Yet, this reader recommends buying the book because it encompasses all of the basic material in designing security into your network. It became evident throughout several of the initial chapters (at least to this reader) that there was more than one author involved in the writing of the book. There was such a difference in writing style and the structure of the material from section to section, that it was oftentimes distracting. It made this reader wish that the same author (of the well-written sections) actually wrote all sections. This reader found it inordinately important that the first chapters be complete, concise, and very explanatory with lots of examples of the discussed topics, e.g., cryptography, hash functions, Data Link Layer protocols, and security protocols. As these topics are very much the basis to understanding why and how security is implemented, it should have behooved the editors to ensure the topics were thoroughly covered. Chapter 1 starts out with the author stating that the intent was to provide the reader "with a precursory understanding" of basic cryptography. Unfortunately, this reader believes that the "precursory understanding" left MUCH to be desired. Had the author discussed the different algorithms and hash functions more than just "basically", the reader would glean the necessary understanding of "basic" cryptography and how it's employed in the security protocols. Only through multiple examples can the author ensure that the reader really understands the "basics".
This reader recommends that future readers go to outside sources to really read up on "basic cryptography" before continuing with the book. The author does a decent job of discussing the supporting transport protocols (TCP or UDP), and she lists all of the listening ports. Too many books leave it to the reader to find out the port numbers on their own. Having it all in one book gives the reader a great reference manual. I noticed that the author spent a lot of time discussing some subjects, but very little time discussing others. For example, when discussing SHTTP, the author states that "In practice, SHTTP has achieved limited use." This reader would have appreciated several examples of how SHTTP, and other briefly discussed subjects/protocols, are/were deployed even though their use was only limited. These types of discussions maintain the reader's interest, and improve the likelihood that the book will be read in its entirety. Part of writing for an audience is keeping the audience's interest. The author clearly explains the difference between application layer security protocols, transport layer security protocols, and security protocols found in other layers. Finally, this reader understands the difference between SHTTP and HTTPS. The author gave a very good explanation of the L2F protocol, but it would have enhanced the reading had the author made comparisons with the PPP protocol. And -- as this reader read each section, the suspicion surfaced that two different people wrote the different Layer 2 Protocol sections. Though the figures were helpful, there were several with errors, and most importantly, the reader could benefit from even more figures. Most of the protocol-implementation descriptions left too much of the physical details out of their descriptions, e.g., the actual physical architecture should have been depicted as well as an example of the frame formats.
This reader went to a personal library to re-discover frame formats in order to be able to decipher what the author wanted

  • Anonymous

    Posted January 7, 2004

    A good overall resource on network security policy, design, and implementation.

    I wish I had the benefit of this book when I was first starting out in my career in security. Weighing in at a hefty 745 pages, Designing Network Security 2nd Ed. by Merike Kaeo (ISBN 1-58705-117-6) is a concise and fairly authoritative guide to the sometimes daunting task of designing secure networks - with a special emphasis placed on Cisco solutions of course. The book is divided into three major sections that break down to basic theory and essentials, policy design and best practices, and implementation with Cisco hardware. In my opinion it is best suited as a reference book for those who already have a firm foundation in security and networking, but could also be of value to beginner level techs with a bit of patience. While the topics that are covered have all pertinent information discussed, some might wish that there were a bit more explanation of the hows and whys.

    The first section, "Security Fundamentals", is an especially valuable part of the book in that it provides a great desk reference to the building blocks of secure networks. The first chapter deals with the basics of encryption technologies: symmetrical/asymmetrical cryptography, digital hashes, public key systems, etc. From there the book moves into what is probably its meatiest chapter which covers the application of encryption into security technologies which range from TACACS+ authorization to TLS encryption. Following the precedent of building on previous chapters, the third chapter deals with the application of these security technologies into protecting real world installations. I was especially impressed with the attention paid to wireless and VOIP technologies in this chapter; this is one of the first discussions of VOIP security I have seen in a general reference book. The first section winds up with a fairly exhaustive discussion on routing protocol security which I also thought was excellent.

    The second section, "The Corporate Security Policy", is a good reference to infosec management. Many topics covered in this section are applicable to the CISSP exam, so if that is a career goal for you this can act as one of your study guides. The section begins with a discussion of threats in the enterprise environment. Types of threats as well as common protocol vulnerabilities are discussed. I felt that some of the material in this chapter was a bit dated, in particular the sections on TCP sequence number attacks (most recent OSs have improved their sequence generation routines to make it nearly impossible to do this) and the ping of death (which I don't remember working on anything after Windows 95 or Linux 2.0.23). The next chapter is a bit more valuable in its discussion of the basics of risk assessment and management. This leads into a discussion of actual design and implementation of security policy. Sample topics include physical/logical controls, data confidentiality, and policies/procedures for staff. And finally this section concludes with a good chapter on incident handling and response.

    The final section, "Practical Implementation", is the Cisco-centric third of the book. Many parts of this section are a good reference to points covered on the CCSP exams, especially the SECUR test. The first chapter deals with configuring access controls and audit on Cisco devices from the PIX to switches and routers. A brief discussion of intrusion detection implementations is also included. The next chapter consists of primarily information dealing with firewall/screening router construction: content filtering, packet screening, and the various types of IOS filters. Several implementation examples are included to walk you through the process of configuring CBAC (content-based access control) and the Cisco PIX.
From there the section moves to remote access security, with good sections on all Cisco based AAA (authentication, authorization, and accounting) features including lock-and-key and accounting-based b

  • Anonymous

    Posted December 29, 2003

    A to Z about network security

    I recently read the book titled "Designing Network Security" by Merike Kaeo. ISBN: 1587051176. This book happens to be the second edition of the title. This book is an excellent source of information regarding network security and security in general. The book covers a broad scope of technologies and areas relating to security. Probably the single best source for security topics in one book that I've read. It's an A-Z book on security. The fading lines of responsibility in the realm of security are pretty much forcing every Information Technology (IT) professional to play a role in today's security strategy. With the boundaries being sketched well within most every facet of Information Technology, it leaves a big gap as to what the everyday IT professional can understand and contribute to a successful security architecture. This book, in my opinion, does an excellent job of bridging that wide gap for most networking professionals. I think every networking professional should have a copy of this book on their desk. This book is best suited for professionals with a beginner to intermediate level of understanding of security principles, concepts and technologies. This book is essential for professionals looking to keep up with the ever-changing world of IT. Having this book will allow you to understand some of the more challenging and complex concepts that face each and every IT professional regarding security. Persons that are interested in achieving the popular Certified Information Systems Security Professional (CISSP) certification would find this title very helpful, not just as a resource to pass the exam, but also as a valuable reference to continue to learn from even after becoming certified. There are great supporting figures and diagrams that assist in grasping some of the complex ideas and technologies. Most are very basic and stick to the principal concepts, which is great when getting your feet wet with a technology that's new to you.
It provides a good foundation to build upon. Compared to the first version of this title, the second version offers information regarding leading edge technologies such as Voice over IP (VoIP) and wireless networks. Another topic covered in the second version is Virtual Private Networks (VPN), making the second version of this title a very well rounded resource. Another new chapter in the second edition is on Routing Protocol Security. The Routing Protocol Security chapter has some good information on several of the widely deployed Interior Gateway Protocols such as RIP, EIGRP and OSPF. The chapter covers information mostly on the authentication pieces and fundamental rules of each routing protocol and not much more. I found the small section on BGP in the chapter to be a little sparse and expected BGP to be covered in a bit more detail. Nonetheless, it does mention briefly some of the challenges with BGP and a few of the proposed successors of the BGP protocol such as S-BGP and SoBGP. This is an all-around good reference for network security.
