Inside Network Perimeter Security

Overview

Security professionals and administrators now have access to one of the most valuable resources for learning best practices for network perimeter security. Inside Network Perimeter Security, Second Edition is your guide to preventing network intrusions and defending against any intrusions that do manage to slip through your perimeter. This acclaimed resource has been updated to reflect changes in the security landscape, both in terms of vulnerabilities and defensive tools. Coverage also includes intrusion prevention systems and wireless security. You will work your way through fortifying the perimeter, designing a secure network, and maintaining and monitoring the security of the network. Additionally, discussion of tools such as firewalls, virtual private networks, routers and intrusion detection systems make Inside Network Perimeter Security, Second Edition a valuable resource for both security professionals and GIAC Certified Firewall Analyst certification exam candidates.

Editorial Reviews

From Barnes & Noble
The Barnes & Noble Review
Your network security perimeter is being attacked more relentlessly than ever before. Inside Network Perimeter Security, Second Edition brings together today’s latest best practices for defending yourself.

Lead author Stephen Northcutt currently runs the SANS Institute, arguably the world’s No. 1 security research and training organization. (Previously, he was chief of information warfare for the U.S. Ballistic Missile Defense Organization. Impressed? You should be.)

Northcutt and his coauthors cover every defense technology: firewalls, proxies, routers, VPN, IDS, host-centric defense, and more. (New in this edition: extensive coverage of intrusion prevention.) But technology’s only half of this book. The authors offer comprehensive guidance on designing defense-in-depth, including three sample designs. There’s equally thorough information on perimeter maintenance and monitoring.

There are many good books on network security, but only a few indispensable ones. This is one of them. Bill Camarda, from the May 2005 Read Only

Product Details

  • ISBN-13: 9780672327377
  • Publisher: Sams
  • Publication date: 3/11/2005
  • Edition description: REV
  • Edition number: 2
  • Pages: 768
  • Product dimensions: 6.92 (w) x 8.89 (h) x 1.65 (d)

Meet the Author

Stephen Northcutt is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, whitewater raft guide, chef, martial arts instructor, cartographer, and network designer. Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials, and Network Intrusion Detection, 3rd Edition. He was the original author of the Shadow Intrusion Detection System before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen currently serves as Director of the SANS Institute.

Lenny Zeltser's work in information security draws upon experience in system administration, software architecture, and business administration. Lenny has directed security efforts for several organizations, co-founded a software company, and consulted for a major financial institution. He is a senior instructor at the SANS Institute, having written and taught a course on reverse-engineering malware. Lenny is also a coauthor of books such as SANS Security Essentials and Malware: Fighting Malicious Code. He holds a number of professional certifications, including CISSP and GSE, and is an incident handler at SANS Internet Storm Center. Lenny has earned a bachelor of science in engineering degree from the University of Pennsylvania and a master in business administration degree from MIT. More information about Lenny's projects and interests is available at http://www.zeltser.com.

Scott Winters has been working in all aspects of networking and computer security for over 14 years. He has been an Instructor, Network Engineer, and Systems Administrator and is currently employed as a Senior Consultant for Unisys at the Commonwealth of Pennsylvania Enterprise Server Farm. He has SANS GIAC Firewalls and Incident Handling certifications, as well as MCSE, CNE, Cisco CCNP, CCDP, and other industry certifications. Other accomplishments include authoring and editing of SANS GIAC Training and Certification course content, as well as exam content. He was a primary author of the first edition of Inside Network Perimeter Security and a contributing author for SANS Security Essentials with CISSP CBK. He has also been involved in the SANS GIAC Mentoring program and has served on the SANS GCFW Advisory Board.

Karen Kent is an Associate with Booz Allen Hamilton, where she provides guidance to Federal agencies on a broad range of information assurance concerns, including incident handling, intrusion detection, VPNs, log monitoring, and host security. Karen has earned a bachelor's degree in computer science from the University of Wisconsin-Parkside and a master's degree in computer science from the University of Idaho. She holds the CISSP certification and four SANS GIAC certifications. Karen has contributed to several books, including Intrusion Signatures and Analysis, published numerous articles on security, and coauthored several publications for the National Institute of Standards and Technology (NIST), including NIST Special Publication 800-61: Computer Security Incident Handling Guide.

Ronald W. Ritchey has an active interest in secure network design and network intrusion techniques. He gets to exercise this interest regularly by conducting penetration testing efforts for Booz Allen Hamilton, where he has had the opportunity to learn firsthand the real-world impact of network vulnerabilities. He is also an active researcher in the field with peer-reviewed publications in the area of automated network security analysis. Ronald has authored courses on computer security that have been taught across the country, and he periodically teaches graduate-level courses on computer security. Ronald holds a master's degree in computer science from George Mason University and is currently pursuing his Ph.D. in information technology at its School of Information Technology and Engineering. His doctoral research involves automating network security analysis.

About the Technical Editors

Todd Chapman has 10+ years of experience delivering IT services as varied as systems management, security, networking, clustering, Perl programming, and corporate development and training. Currently, Todd is a consultant for gedas USA, Inc., in Auburn Hills, Michigan, where he provides security consulting services for Volkswagen/Audi of America. For the last three years Todd has been an active member of the SANS GCFW advisory board and has written SANS certification exam questions in a number of disciplines. Todd's certifications include Red Hat Certified Engineer (RHCE), Microsoft Certified Systems Engineer (MCSE), GIAC Certified Firewall Analyst (GCFW), GIAC Certified Intrusion Analyst (GCIA), and GIAC Systems and Network Auditor (GSNA).

Anton Chuvakin, Ph.D., GCIA, GCIH, is a Security Strategist with netForensics, a security information management company, where he is involved with designing the product, researching potential new security features, and advancing the security roadmap. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, and more. He is the author of the book Security Warrior (O'Reilly, January 2004) and a contributor to "Know Your Enemy II" by the Honeynet Project (AWL, June 2004) and "Information Security Management Handbook" (CRC, April 2004). In his spare time he maintains his security portal website, http://www.info-secure.org.

Dan Goldberg recently created MADJiC Consulting, Inc., to provide network design and architecture reviews, intrusion detection and response, and vulnerability assessments in Central Virginia. He also works on research and writing projects for the SANS Institute and as technical director for Global Information Assurance Certification (GIAC). When not occupied by these activities, you may find him riding a mountain bike in the Blue Ridge Mountains.

John Spangler is a freelance Network Systems Engineer. Having over 10 years of experience, he has worked on everything from small office systems to large enterprise and ISP networks. John has worked as a technical editor for Cisco certification manuals.

Read an Excerpt

Inside Network Perimeter Security, Second Edition

Preface

The flight from Lihue to San Francisco is about five and a half hours and allows me some of my most productive work time. The phone doesn't ring, the dog doesn't ask to go outside, and my personal firewall doesn't start blinking because someone is trying to scan my computer. The flight attendant crews are starting to know me; I don't want any airplane food, I brought my own recycled water bottle filled with water from my own reverse osmosis filter, just let me write. I am very thankful for a bit of understanding from the crew of United FLT 30 for the time to write this preface. If any of my words give you insight into the current state of affairs with perimeter and internal network management, don't attribute that to me. I rely more each day of my life on the words in James 1:5; I am just the messenger.

I was enjoying working on the second edition of this book when a scene on the airplane entertainment televisions caught my eye. It was a video history of United Airlines, which started by delivering airmail in rickety old airplanes with exposed cockpits. Today, modern, fast, sophisticated aircraft have an incredible safety record. The airline industry has gone from an oddity—a great tool to entertain the crowds at county fairs—to an industry that is crucial to our way of life and economy. The airlines in the United States were essentially grounded for about three days following the terrorist attacks of September 11, 2001. The U.S. Congress debated whether to give the airlines money; they decided against it and United is now in chapter 11.

By exploring what has changed in the airline world, you will see both the past and the future of our industry, information technology (IT). Like the airline industry, IT has historically been accomplished on rickety platforms. We have benefited from rapid advances in technology. We have seen a decline in personal service. We are headed for continuous inspections, a defense-in-depth approach, and we are every bit as vulnerable and at the same time crucial to the economy.

Rickety Planes

What if we flew in computers? That gives "crash" a whole new meaning, doesn't it? Well, if we did, I am sure you would agree that we would all be dead. I would love to say operating systems are really improving, but it isn't so. I installed XP SP2 beta, one of the least-rickety operating systems I have worked with in a long time, on a clone of my primary laptop a couple months ago, and it has been interesting. As soon as I submit the remainder of my chapters for this book, I will upgrade my production box. As I write this, the Windows update version has still not been released, and it will be very interesting to see what breaks when the home users get upgraded. A lot of people died in the early days of the airline industry, and as I say, if we flew in those early planes today, most of us would be dead.

Now here is the kicker: IPS systems and intelligent switches are nothing but software applications or ASICs that are built on these rickety operating systems. One of the primary themes of this book is never to trust the operating system, to expect perimeter components to fail. This book will show you techniques for failover, layering defense components, segmenting internal networks, using instrumentation to detect anomalies, and troubleshooting. In the early days of perimeter defense, the only choice that information security practitioners had was to layer their perimeter software on these rickety operating systems.

Fires in the West

For years, I was a network builder for the Department of Defense, which uses large, high-end, fast networks. The most effective security mechanism for separation of sensitive information was implemented with a physical solution—an airgap. If you want to protect one network from another, just don't connect them together. Worms such as Blaster taught us that many networks that supposedly were not connected to the Internet actually were in one way or another, but if you audit carefully and never allow an exception, airgaps work.

The problem with an airgap is the two networks cannot interoperate, a concept directly in contradiction with the Internet philosophy and electronic business. The past few years have been a bad time for the U.S. West, as rain has been minimal, with fires starting earlier and earlier each year it seems. One of the most effective tools for managing fires is a firebreak; it isn't as powerful as an airgap (sometimes the fire will bridge it), but segmenting the forest into zones is a powerful technique. The information technology analog for a firebreak is to segment the internal network. This can be done with internal intelligent Network Intrusion Prevention Switches (NIPS), with some elbow grease using current generation switches and applying access control to VLANs, or with low-cost appliance-type firewalls used on the internal network. It can even be done manually using anomaly IDS to detect switch ports heating up, which is usually a signature of a worm, and shutting down the switch. Segmenting internal networks with "firebreaks" allows us to have the interoperability and reduce the risk of losing all our internal systems to a destructive worm "wildfire."

This book discusses a number of perimeter and internal network designs. Some are more focused on security, whereas others are focused on performance. Some focus on uptime and help you to understand how to choose these designs based on your organization's requirements.

Note - One of the reasons that early airplanes were so dangerous is that a large number of them were hand built. Even if the planes were built in a factory, after a couple of years, they might as well be hand built because of the number of times they were repaired and modified.

Can you see how similar the early airplanes are to our server and desktop operating systems? We all agree that patching to reduce the vulnerability footprint is critical, but if no two servers are alike, exactly how do you test the patch? Repeatable builds give an IT shop a major increase in security just like factory-built aircraft.

So do appliance firewalls. They are factory built, plug and go. It's not guaranteed that their OS is hardened, but you do know that the OS on the appliance is factory built, consistent, and probably stripped of unneeded programs. These low-cost appliances are very useful for segmenting an internal network.

Rapid Advances in Technology

Modern aircraft have wings, fly through the air, and land on the ground—and that is about all they have in common with the first airplanes. The advances in airframe design, materials, avionics, navigation and route selection, and airport operations make it difficult to believe that people ever considered getting into the early airplanes.

I would love to say that modern perimeter systems are so advanced that it is inconceivable that we ever tried to protect our systems with those early firewalls, but we haven't made that much progress yet. However, hope prevails, and we certainly see evidence of improvement. Perimeter defense systems have come way down in price for any given bandwidth point; many can be upgraded by just downloading a new image.

Deep packet inspection at gigabit speed is possible right now for the well-funded organization. Subscription models that update daily or weekly are the norm and support an architecture of perimeter components to create hybrid systems that combine classic perimeter defense, reporting sensors, and possibly even vulnerability assessments that allow performing internal correlation.

This book discusses the importance of using the information collected by perimeter devices to help defend the network. The data collected and reported by these devices fuels the most advanced analysis capability in the world—the Internet Storm Center (ISC). Organizations such as ISC and Internet Security Systems's X-Force are often the first groups to detect a new worm beginning to cause trouble on the Internet. One of the upcoming models for security is continuous reporting, or operational readiness, and this requires sensors all over the network to constantly report in. The technology of network security is dynamic. It's important to have constant updates to maintain security in the face of the ever-changing threat.

It is worth mentioning that ease of use and good security might be orthogonal. If it were as easy to get into an airplane and fly as it is to get into a car and drive, the skies would be a dangerous place. Appliance wireless access points often aggregate all wireless and built-in wired ports into the same broadcast domains. Possibilities for attacks exist based on MAC address spoofing, sniffing the internal traffic from outside the plant in the parking lot, the use of rogue, unapproved access points bought at Best Buy and plugged into the Net, access points with a bit more power than the FTC allows being broadcast into the internal network from the parking lot, and failures of the authentication system. The most common reason for aircraft crashes today is poor maintenance, and we are going to see the same thing with wireless implementations as better security technology becomes available.

Decline in Personal Service

More has changed on the human side of the airline equation than just the name change from stewardesses to flight attendants. First class isn't first class, and it goes downhill from there. The airlines seem to be testing the limits to see just how much abuse people will take—and they wonder why they occasionally deal with passenger rage. Sadly, the IT industry has never been big on personal service. There were exceptions, back in the glory days of big blue. We had a bit of trouble with an IBM mainframe, and they tossed a squad of technicians into an airplane and dropped them by parachute into our parking lot. Until the technicians dropped on target, vice presidents would call every 15 minutes to apprise us of the location of the plane. Okay, I am kidding, but not by much. Those of us in IT security should take heed. I hope you understand what your CEO is thinking right now. He gave you money for security after 9/11 because it seemed to be the right thing to do. You still got hit by worms. He increased ITSEC to 5% of the IT budget. You still got hit by worms. Now you are in a meeting thinking about asking the CEO for unplanned money to implement a NIPS or HIPS solution. I strongly suggest you invest time in looking at your requirements, making sure that you choose the best technology for your needs and that customer service is part of the budget request so the people impacted by the active defense layer you are thinking about implementing will have someone intelligent and caring to call.

Nowadays, the IT industry has two primary features: bad software and worse service. One of the advantages of this book is that the entire author team has pragmatic experience with most of the commercial and freeware perimeter products on the market, including the rapidly changing personal firewall market. We can't do much to help you with the bad software, and we never intend to bash any vendor—each has its foibles. However, we can help you in finding ways to meet your mission goals despite the flaws in the technology we each use. We devote an entire chapter of the book to implementing defense components, such as personal firewalls at a host level, to help you avoid some of the common pitfalls and know what technology is available. The latest generation of Host Intrusion Protection Systems (HIPS), which are essentially personal firewalls with operating system shims to trap dangerous operating system interrupts, have already proved themselves in production and are an important and valuable layer of defense.

Continuous Inspections

One of the primary reasons the aircraft industry has been able to make gigantic leaps in improving safety is the rigorous, complete, and continuous inspections for every component and process related to flying. This is also the most important change that we need to make. When I teach at the SANS Institute, a security research and education organization, I often say, "Who reads the event logs every day?" Some hands go up. I try to memorize their faces and catch them alone at the break. Then I ask them, "What is in the logs? What recurring problems are there?" They usually cannot answer. This book can help you deploy sensors and scanners. An entire chapter is devoted to intrusion detection. Even your organization's software architecture is a security perimeter component, as you will learn in the software architecture chapter.

If you were to ask me what the growth industry in IT was, I would answer that consoles, sensors, and agents to collect and display information would be a strong candidate. Computer systems change rapidly. They are analogous to the barnstormer biplanes that flew around county fairs. When something broke, a blacksmith, automobile mechanic, or seamstress fabricated a new part. We can add and uninstall software in a heartbeat, but when we do, we cannot get back to the place where we were before the change. We need to monitor for change continuously, and until we learn how to do this and rigorously enforce change control, flying in computers will be nearly certain death.

Defense in Depth

It is a tragedy when a single passenger plane crashes, worse when a plane full of people goes down, and an unspeakable horror when a plane is used as a weapon of terrorism. Today, airports are transforming into examples of defense in depth. Defense in depth is a primary focus of this book, and the concept is quite simple: Make it harder to attack at chokepoint after chokepoint. How many security systems or defensive layers would you have to defeat to rush through an airport race to a waiting, fueled, long-range jet, commandeer the plane, drive it out on the tarmac to take off, and use it as a missile? Many are obvious, such as security checkpoints, armed National Guard troops, locked doors, and tarmac controls. If you did manage to get the plane in the air, you would also have to defeat fighter aircraft. It isn't impossible, but it is unlikely that you could defeat the defense in depth that is now employed at airports.

Defense in depth is present in every chapter of this book, and it's becoming easier to implement in information technology. High-speed programmable hardware boxes, such as UnityOne from TippingPoint, can help protect our network borders from worm outbreaks. Technologies we have already discussed in this preface, such as next-generation intelligent switches and HIPS, allow us to implement multiple layers for our perimeter and internal networks, albeit at a significant cost. No matter what role you play in your organization, it is important to read the intrusion prevention chapter and make sure the folks in charge of the budget know what is on the horizon. As you read this book, you will learn how to architect your network so that it is resistant to attack. As we evolve as an information-based society, the importance of protecting intellectual property assets continues to rise.

Core Business Sector

In less than a century, airplanes have gone from being an oddity to being vitally important to the economy. Information technology has done the same in less time and continues to grow in importance. We have been more than a bit lazy. I often wonder what the effect of a worm with the infection rate of Blaster that overwrote (not deleted, overwrote) every location on the hard drive of an infected computer four hours after infection would be. If the Congress of the United States did not vote on a bailout package for the airline industry, IT should not expect one. One of the primary keys to survival in business over the next few years will be managing the flow of information so that resources are available when they are needed with full integrity, while the confidentiality of proprietary and sensitive information is maintained. It is a big task, so we had better get started.

—Stephen Northcutt and the authoring team

© Copyright Pearson Education. All rights reserved.

Table of Contents

Introduction.

Who Should Read This Book.

Why We Created This Book’s Second Edition.

Overview of the Book’s Contents.

Conventions.

I. THE ESSENTIALS OF NETWORK PERIMETER SECURITY.

1. Perimeter Security Fundamentals.

Terms of the Trade.

The Perimeter.

Border Routers.

Firewalls.

Intrusion Detection Systems.

Intrusion Prevention Systems.

Virtual Private Networks.

Software Architecture.

De-Militarized Zones and Screened Subnets.

Defense in Depth.

Components of Defense in Depth.

Case Study: Defense in Depth in Action.

Summary.

2. Packet Filtering.

TCP/IP Primer: How Packet Filtering Works.

TCP and UDP Ports.

TCP’s Three-way Handshake.

The Cisco Router as a Packet Filter.

An Alternative Packet Filter: IPChains.

The Cisco ACL.

Rule Order.

Cisco IOS Basics.

Effective Uses of Packet-Filtering Devices.

Filtering Based on Source Address: The Cisco Standard ACL.

Egress Filtering.

Tracking Rejected Traffic.

Filtering by Port and Destination Address: The Cisco Extended ACL.

The Cisco Extended ACL.

Problems with Packet Filters.

Spoofing and Source Routing.

Fragments.

Opening a “Hole” in a Static Packet Filter.

Two-way Traffic and the established Keyword.

Protocol Problems: Extended Access Lists and FTP.

Dynamic Packet Filtering and the Reflexive Access List.

FTP Problems Revisited with the Reflexive Access List.

Reflexive ACLs with UDP and ICMP Traffic: Clearing Up DNS Issues.

Trouble in Paradise: Problems with Reflexive Access Lists.

Cisco IPv6 Access Lists.

Summary.

References.

3. Stateful Firewalls.

How a Stateful Firewall Works.

The Concept of State.

Transport and Network Protocols and State.

Application-Level Traffic and State.

Stateful Filtering and Stateful Inspection.

Stateful Firewall Product Examples.

Summary.

References.

4. Proxy Firewalls.

Fundamentals of Proxying.

Pros and Cons of Proxy Firewalls.

Advantages of Proxy Firewalls.

Disadvantages of Proxy Firewalls.

Types of Proxies.

Web Proxies.

Reverse Proxies.

Anonymizing Proxies.

Tools for Proxying.

Firewall Toolkit (FWTK).

SOCKS.

Squid.

Summary.

5. Security Policy.

Firewalls Are Policy.

Active Policy Enforcement.

Unenforceable Policy.

How to Develop Policy.

Identify Risks.

Communicate Your Findings.

Create or Update the Security Policy as Needed.

Determine Policy Compliance.

Sound Out the Organization’s Rules and Culture.

Elements of Policy.

Hallmarks of Good Policy.

Perimeter Considerations.

Real-world Operations and Policy.

Rules of the Road.

Summary.

References.

II. FORTIFYING THE SECURITY PERIMETER.

6. The Role of a Router.

The Router as a Perimeter Device.

Routing.

Secure Dynamic Routing.

The Router as a Security Device.

The Router as a Part of Defense in Depth.

The Router as a Lone Perimeter Security Solution.

Router Hardening.

Operating System.

Locking Down Administration Points.

SSH.

The Console Port.

TFTP and FTP.

Configuration Management Tricks with TFTP and Scripts.

Simple Network Management Protocol.

Disable Unneeded Services.

Configure NTP and NTP Authentication.

Cisco TCP Keepalives Services.

Unicast Reverse Path Forwarding.

Internet Control Message Protocol Blocking.

Spoofing and Source Routing.

Router Logging.

Automatic Securing and Auditing of Cisco Routers.

Summary.

7. Virtual Private Networks.

VPN Basics.

Basic VPN Methodology.

Advantages and Disadvantages of VPNs.

Benefits of a VPN.

Disadvantages of VPN.

IPSec Basics.

IPSec Protocol Suite.

IKE.

IPSec Security Protocols AH and ESP.

IPSec Configuration Examples.

Other VPN Protocols: PPTP and L2TP.

PPTP.

L2TP.

Comparison of PPTP, L2TP, and IPSec.

PPTP and L2TP Examples.

Summary.

References.

8. Network Intrusion Detection.

Network Intrusion Detection Basics.

The Need for Intrusion Detection.

Anomaly Detection.

Signature Detection.

False Positives and False Negatives.

Alerting, Logging, and Reporting.

Intrusion Detection Software.

Intrusion-Related Services.

The Roles of Network IDS in a Perimeter Defense.

Identifying Weaknesses.

Detecting Attacks from Your Own Hosts.

Incident Handling and Forensics.

Complementing Other Defense Components.

IDS Sensor Placement.

Deploying Multiple Network Sensors.

Placing Sensors Near Filtering Devices.

Placing IDS Sensors on the Internal Network.

Working with Encryption.

Processing in High-traffic Situations.

Configuring Switches.

Using an IDS Management Network.

Maintaining Sensor Security.

Case Studies.

Case Study 1: Simple Network Infrastructure.

Case Study 2: Multiple External Access Points.

Case Study 3: Unrestricted Environment.

Summary.

9. Host Hardening.

The Need for Host Hardening.

Removing or Disabling of Unnecessary Programs.

Controlling Network Services.

Removing Extraneous Software Components.

Limiting Access to Data and Configuration Files.

Controlling User and Privileges.

Managing Unattended Accounts.

Protecting Administrative Accounts.

Enforcing Strong Passwords.

Controlling Group Membership.

Maintaining Host Security Logs.

Windows Logging and Auditing.

UNIX Logging and Auditing.

Applying Patches.

Additional Hardening Guidelines.

Automating Host-Hardening Steps.

Common Security Vulnerabilities.

Hardening Checklists.

Summary.

10. Host Defense Components.

Hosts and the Perimeter.

Workstation Considerations.

Server Considerations.

Antivirus Software.

Strengths of Antivirus Software.

Limitations of Antivirus Software.

Host-Based Firewalls.

Firewalls for Workstations.

Firewalls for Servers.

Host-Based Intrusion Detection.

The Role of Host-Based IDS.

Host-Based IDS Categories.

Challenges of Host Defense Components.

Defense Components on Compromised Hosts.

Controlling Distributed Host Defense Components.

Summary.

References.

11. Intrusion Prevention Systems.

Rapid Changes in the Marketplace.

What Is IPS?

An IPS Must Be Fast.

An IPS Must Keep State.

An IPS Must Be Accurate and Up to Date.

An IPS Must Have the Ability to Nullify an Attack.

IPS Limitations.

An Excuse to Ignore Sound Practice.

An IPS Simply Buys You Time.

NIPS.

How Chokepoint NIPS Work.

Switch-Type NIPS.

Switch NIPS Deployment Recommendations.

Host-Based Intrusion Prevention Systems.

Real-world Defense Scenarios.

Dynamic Rule Creation for Custom Applications.

Monitoring File Integrity.

Monitoring Application Behavior.

HIPS Advantages.

HIPS Challenges.

More HIPS Challenges.

HIPS Recommendations.

Summary.

III. DESIGNING A SECURE NETWORK PERIMETER.

12. Fundamentals of Secure Perimeter Design.

Gathering Design Requirements.

Determining Which Resources to Protect.

Determining Who the Potential Attackers Are.

Defining Your Business Requirements.

Design Elements for Perimeter Security.

Firewall and Router.

Firewall and VPN.

Multiple Firewalls.

Summary.

References.

13. Separating Resources.

Security Zones.

A Single Subnet.

Multiple Subnets.

Common Design Elements.

Mail Relay.

Split DNS.

Client Separation.

VLAN-Based Separation.

VLAN Boundaries.

Jumping Across VLANs.

Firewalls and VLANs.

Private VLANs.

Summary.

References.

14. Wireless Network Security.

802.11 Fundamentals.

Securing Wireless Networks.

Network Design.

Wireless Encryption.

Hardening Access Points.

Defense in Depth for Wireless Networks.

Auditing Wireless Security.

Auditing the Wireless Network Design.

Auditing Encryption.

Case Study: Effective Wireless Architecture.

Summary.

References.

15. Software Architecture.

Software Architecture and Network Defense.

The Importance of Software Architecture.

The Need to Evaluate Application Security.

How Software Architecture Affects Network Defense.

Firewall and Packet-Filtering Changes.

Web Services and Interapplication Communications.

Conflicts with Network Configuration.

Encrypting Connections.

Performance and Reliability.

Atypical Operating System.

Software Component Placement.

Single-System Applications.

Multitier Applications.

Administrator Access to Systems.

Applications for Internal Users Only.

Identifying Potential Software Architecture Issues.

Software Evaluation Checklist.

Sources of Application Information.

How to Handle an Unsecurable Application.

Software Testing.

Host Security.

Network Configuration and Security.

Network Defense Design Recommendations.

Case Study: Customer Feedback System.

Deployment Locations.

Architecture Recommendation.

Case Study: Web-Based Online Billing Application.

Deployment Locations.

Architecture Recommendation.

Summary.

References.

16. VPN Integration.

Secure Shell.

Standard SSH Connections.

SSH Tunnels.

Secure Sockets Layer.

SSL Standard Connections.

SSL Tunnels.

SSL Proxy Servers.

Remote Desktop Solutions.

Single Session.

Multiple Session.

IPSec.

IPSec Client Integration.

IPSec Server Integration.

IPSec Perimeter Defense Adjustments.

IPSec Architectures.

Other VPN Considerations.

Proprietary VPN Implementations.

Compromised or Malicious VPN Clients.

VPN Design Case Study.

Case Study: Home Users and Multiple Applications.

Summary.

References.

17. Tuning the Design for Performance.

Performance and Security.

Defining Performance.

Understanding the Importance of Performance in Security.

Network Security Design Elements That Impact Performance.

The Performance Impacts of Network Filters.

Network Architecture.

Case Studies to Illustrate the Performance Impact of Network Security Design Elements.

Impact of Encryption.

Cryptographic Services.

Understanding Encryption at the Network and Transport Layers.

Using Hardware Accelerators to Improve Performance.

Case Studies to Illustrate the Performance Impact of Encryption.

Using Load Balancing to Improve Performance.

Problems with Load Balancing.

Layer 4 Dispatchers.

Layer 7 Dispatchers.

Mitigating the Effects of DoS Attacks.

ICMP Flooding.

SYN Flooding.

Summary.

References.

18. Sample Designs.

Review of Security Design Criteria.

Case Studies.

Case Study 1: Telecommuter Who Is Using a Broadband Connection.

Case Study 2: A Small Business That Has a Basic Internet Presence.

Case Study 3: A Small E-Commerce Site.

Case Study 4: A Complex E-Commerce Site.

Summary.

IV. MAINTAINING AND MONITORING PERIMETER SECURITY.

19. Maintaining a Security Perimeter.

System and Network Monitoring.

Big Brother Fundamentals.

Establishing Monitoring Procedures.

Security Considerations for Remote Monitoring.

Incident Response.

Notification Options.

General Response Guidelines.

Responding to Malicious Incidents.

Automating Event Responses.

Accommodating Change.

Fundamentals of Change Management.

Implementing Change-Management Controls.

Summary.

References.

20. Network Log Analysis.

The Importance of Network Log Files.

Characteristics of Log Files.

Purposes of Log Files.

Log Analysis Basics.

Getting Started with Log Analysis.

Automating Log Analysis.

Timestamps.

Analyzing Router Logs.

Cisco Router Logs.

Other Router Logs.

Analyzing Network Firewall Logs.

Cisco PIX Logs.

Check Point FireWall-1 Logs.

IPTables Logs.

Analyzing Host-Based Firewall and IDS Logs.

ZoneAlarm.

Norton Personal Firewall.

Summary.

21. Troubleshooting Defense Components.

The Process of Troubleshooting.

Collecting Symptoms.

Reviewing Recent Changes.

Forming a Hypothesis.

Testing the Hypothesis.

Analyzing the Results.

Repeating If Necessary.

Troubleshooting Rules of Thumb.

Make Only One Change at a Time.

Keep an Open Mind.

Get a Second Opinion.

Stay Focused on Fixing the Problem.

Don’t Implement a Fix That Further Compromises Your Security.

The Obvious Problems Are Often Overlooked.

Document, Document, Document!

The Troubleshooter’s Toolbox.

Application Layer Troubleshooting.

Other Useful Utilities.

Transport Layer Troubleshooting.

Network Layer Troubleshooting.

Link Layer Troubleshooting.

Summary.

References.

22. Assessment Techniques.

Roadmap for Assessing the Security of Your Network.

Planning.

Reconnaissance.

Network Service Discovery.

System Enumeration.

Service Discovery.

Vulnerability Discovery.

Nessus.

ISS Internet Scanner.

Retina.

LANguard.

Vulnerability Research.

Verification of Perimeter Components.

Preparing for the Firewall Validation.

Verifying Access Controls.

Remote Access.

Wardialing.

Wardriving.

VPNs and Reverse Proxies.

Exploitation.

Results Analysis and Documentation.

Summary.

23. Design Under Fire.

The Hacker Approach to Attacking Networks.

Adversarial Review.

GIAC GCFW Student Practical Designs.

Practical Design 1.

Practical Design 2.

Summary.

References.

24. A Unified Security Perimeter: The Importance of Defense in Depth.

Castles: An Example of Defense-in-Depth Architecture.

Hard Walls and Harder Cannonballs.

Secret Passages.

Hiding in the Mist.

Defense on the Inside.

Absorbent Perimeters.

Honeypots.

Rate Limiting.

Failover.

Defense in Depth with Information.

The Problem of Diffusion.

Cryptography and Defense in Depth.

Summary.

V. APPENDIXES.

Appendix A. Cisco Access List Sample Configurations.

Complete Access List for a Private-Only Network.

Complete Access List for a Screened Subnet Network That Allows Public Server Internet Access.

Example of a Router Configuration as Generated by the Cisco Auto Secure Feature.

Appendix B. Crypto 101.

Encryption Algorithms.

Shared Key: Symmetric.

Public—Private Key: Asymmetric.

Digital Signatures and Hash Algorithms.

References.

Index.


Preface


The flight from Lihue to San Francisco is about five and a half hours and allows me some of my most productive work time. The phone doesn't ring, the dog doesn't ask to go outside, and my personal firewall doesn't start blinking because someone is trying to scan my computer. The flight attendant crews are starting to know me; I don't want any airplane food, I brought my own recycled water bottle filled with water from my own reverse osmosis filter, just let me write. I am very thankful for a bit of understanding from the crew of United FLT 30 for the time to write this preface. If any of my words give you insight into the current state of affairs with perimeter and internal network management, don't attribute that to me. I rely more each day of my life on the words in James 1:5; I am just the messenger.

I was enjoying working on the second edition of this book when a scene on the airplane entertainment televisions caught my eye. It was a video history of United Airlines, which started by delivering airmail in rickety old airplanes with exposed cockpits. Today, modern, fast, sophisticated aircraft have an incredible safety record. The airline industry has gone from an oddity—a great tool to entertain the crowds at county fairs—to an industry that is crucial to our way of life and economy. The airlines in the United States were essentially grounded for about three days following the terrorist attacks of September 11, 2001. The U.S. Congress debated whether to give the airlines money; they decided against it and United is now in Chapter 11.

By exploring what has changed in the airline world, you will see both the past and the future of our industry, information technology (IT). Like the airline industry, IT has historically been accomplished on rickety platforms. We have benefited from rapid advances in technology. We have seen a decline in personal service. We are headed for continuous inspections, a defense-in-depth approach, and we are every bit as vulnerable and at the same time crucial to the economy.

Rickety Planes

What if we flew in computers? That gives "crash" a whole new meaning, doesn't it? Well, if we did, I am sure you would agree that we would all be dead. I would love to say operating systems are really improving, but it isn't so. I installed XP SP2 beta, one of the least-rickety operating systems I have worked with in a long time, on a clone of my primary laptop a couple months ago, and it has been interesting. As soon as I submit the remainder of my chapters for this book, I will upgrade my production box. As I write this, the Windows update version has still not been released, and it will be very interesting to see what breaks when the home users get upgraded. A lot of people died in the early days of the airline industry, and as I say, if we flew in those early planes today, most of us would be dead.

Now here is the kicker: IPS systems and intelligent switches are nothing but software applications or ASICs that are built on these rickety operating systems. One of the primary themes of this book is never to trust the operating system, to expect perimeter components to fail. This book will show you techniques for failover, layering defense components, segmenting internal networks, using instrumentation to detect anomalies, and troubleshooting. In the early days of perimeter defense, the only choice that information security practitioners had was to layer their perimeter software on these rickety operating systems.

Fires in the West

For years, I was a network builder for the Department of Defense, which uses large, high-end, fast networks. The most effective security mechanism for separation of sensitive information was implemented with a physical solution—an airgap. If you want to protect one network from another, just don't connect them together. Worms such as Blaster taught us that many networks that supposedly were not connected to the Internet actually were in one way or another, but if you audit carefully and never allow an exception, airgaps work.

The problem with an airgap is the two networks cannot interoperate, a concept directly in contradiction with the Internet philosophy and electronic business. The past few years have been a bad time for the U.S. West, as rain has been minimal, with fires starting earlier and earlier each year it seems. One of the most effective tools for managing fires is a firebreak; it isn't as powerful as an airgap (sometimes the fire will bridge it), but segmenting the forest into zones is a powerful technique. The information technology analog for a firebreak is to segment the internal network. This can be done with internal intelligent Network Intrusion Prevention Switches (NIPS), with some elbow grease using current generation switches and applying access control to VLANs, or with low-cost appliance-type firewalls used on the internal network. It can even be done manually using anomaly IDS to detect switch ports heating up, which is usually a signature of a worm, and shutting down the switch. Segmenting internal networks with "firebreaks" allows us to have the interoperability and reduce the risk of losing all our internal systems to a destructive worm "wildfire."
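The "switch ports heating up" check mentioned above, as an added example that is not from the book or its preface: a small anomaly detector over per-port counters that baselines each port, flags a port whose fan-out jumps the way a scanning worm's does, and emits the port shutdowns. The counter export format, the learning window, the thresholds and the shutdown syntax are assumptions for illustration; the sample counters are constructed. It uses distinct destination count rather than raw packet volume as the signal, so the busy server port in the sample is left alone while the scanning workstation port is flagged.

```python
"""Added example (not from the book or its preface): flag switch ports that
"heat up" the way a scanning worm does, and emit the port shutdowns.  The
counter format, the learning window and the thresholds are assumptions."""
from collections import defaultdict

# Constructed sample: one record per (interval, port) from a hypothetical
# switch export: packets sent and distinct destination IPs seen.
# Gi1/9 is a busy server; Gi1/7 starts scanning in interval 3.
SAMPLE_COUNTERS = [
    # (interval, port, packets_out, distinct_dsts)
    (0, "Gi1/5", 120, 3), (0, "Gi1/7", 140, 4), (0, "Gi1/9", 900, 6),
    (1, "Gi1/5", 130, 3), (1, "Gi1/7", 150, 4), (1, "Gi1/9", 950, 5),
    (2, "Gi1/5", 110, 2), (2, "Gi1/7", 160, 5), (2, "Gi1/9", 910, 6),
    (3, "Gi1/5", 125, 3), (3, "Gi1/7", 4200, 380), (3, "Gi1/9", 940, 6),
    (4, "Gi1/5", 115, 3), (4, "Gi1/7", 5100, 470), (4, "Gi1/9", 960, 7),
]

LEARN_INTERVALS = 3   # assumed: intervals used to baseline each port
FANOUT_FACTOR = 10    # assumed: alert when fan-out exceeds 10x baseline
FANOUT_FLOOR = 50     # assumed: never alert below this many destinations


def baseline_fanout(counters, learn=LEARN_INTERVALS):
    """Mean distinct destinations per port over the learning window."""
    total, seen = defaultdict(int), defaultdict(int)
    for interval, port, _pkts, dsts in counters:
        if interval < learn:
            total[port] += dsts
            seen[port] += 1
    return {port: total[port] / seen[port] for port in total}


def detect_hot_ports(counters, learn=LEARN_INTERVALS,
                     factor=FANOUT_FACTOR, floor=FANOUT_FLOOR):
    """Return one alert per (interval, port) whose fan-out is anomalous.

    Fan-out (distinct destinations), not packet volume, is the signal: a busy
    server sends many packets to few peers, a worm sends to very many."""
    base = baseline_fanout(counters, learn)
    alerts = []
    for interval, port, pkts, dsts in counters:
        if interval < learn:
            continue
        expected = max(base.get(port, 0.0), 1.0)
        if dsts >= floor and dsts > factor * expected:
            alerts.append({"interval": interval, "port": port,
                           "distinct_dsts": dsts, "baseline": expected,
                           "packets_out": pkts})
    return alerts


def ports_to_shutdown(counters, **thresholds):
    """Distinct ports that raised at least one alert."""
    return sorted({a["port"] for a in detect_hot_ports(counters, **thresholds)})


def shutdown_commands(ports):
    """IOS-style interface shutdown lines (assumed syntax, for illustration)."""
    lines = []
    for port in ports:
        lines += [f"interface {port}", " shutdown"]
    return lines


if __name__ == "__main__":
    for alert in detect_hot_ports(SAMPLE_COUNTERS):
        print(alert)
    print("\n".join(shutdown_commands(ports_to_shutdown(SAMPLE_COUNTERS))))
```

In production the counters would come from the switch (SNMP interface counters or flow export) and the shutdown would be pushed to it; the point of the example is the decision rule, which is the part that determines whether a worm or a file server gets cut off.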

This book discusses a number of perimeter and internal network designs. Some are more focused on security, whereas others are focused on performance. Some focus on uptime and help you to understand how to choose these designs based on your organization's requirements.


Note - One of the reasons that early airplanes were so dangerous is that a large number of them were hand built. Even if the planes were built in a factory, after a couple of years, they might as well be hand built because of the number of times they were repaired and modified.

Can you see how similar the early airplanes are to our server and desktop operating systems? We all agree that patching to reduce the vulnerability footprint is critical, but if no two servers are alike, exactly how do you test the patch? Repeatable builds give an IT shop a major increase in security just like factory-built aircraft.

So do appliance firewalls. They are factory built, plug and go. It's not guaranteed that their OS is hardened, but you do know that the OS on the appliance is factory built, consistent, and probably stripped of unneeded programs. These low-cost appliances are very useful for segmenting an internal network.

Rapid Advances in Technology

Modern aircraft have wings, fly through the air, and land on the ground—and that is about all they have in common with the first airplanes. The advances in airframe design, materials, avionics, navigation and route selection, and airport operations make it difficult to believe that people ever considered getting into the early airplanes.

I would love to say that modern perimeter systems are so advanced that it is inconceivable that we ever tried to protect our systems with those early firewalls, but we haven't made that much progress yet. However, hope prevails, and we certainly see evidence of improvement. Perimeter defense systems have come way down in price for any given bandwidth point; many can be upgraded by just downloading a new image.

Deep packet inspection at gigabit speed is possible right now for the well-funded organization. Subscription models that update daily or weekly are the norm and support an architecture of perimeter components to create hybrid systems that combine classic perimeter defense, reporting sensors, and possibly even vulnerability assessments that allow performing internal correlation.

This book discusses the importance of using the information collected by perimeter devices to help defend the network. The data collected and reported by these devices fuels the most advanced analysis capability in the world—the Internet Storm Center (ISC). Organizations such as ISC and Internet Security Systems's X-Force are often the first groups to detect a new worm beginning to cause trouble on the Internet. One of the upcoming models for security is continuous reporting, or operational readiness, and this requires sensors all over the network to constantly report in. The technology of network security is dynamic. It's important to have constant updates to maintain security in the face of the ever-changing threat.

It is worth mentioning that ease of use and good security might be orthogonal. If it were as easy to get into an airplane and fly as it is to get into a car and drive, the skies would be a dangerous place. Appliance wireless access points often aggregate all wireless and built-in wired ports into the same broadcast domains. Possibilities for attacks exist based on MAC address spoofing, sniffing the internal traffic from outside the plant in the parking lot, the use of rogue, unapproved access points bought at Best Buy and plugged into the Net, access points with a bit more power than the FTC allows being broadcast into the internal network from the parking lot, and failures of the authentication system. The most common reason for aircraft crashes today is poor maintenance, and we are going to see the same thing with wireless implementations as better security technology becomes available.

Decline in Personal Service

More has changed on the human side of the airline equation than just the name change from stewardesses to flight attendants. First class isn't first class, and it goes downhill from there. The airlines seem to be testing the limits to see just how much abuse people will take—and they wonder why they occasionally deal with passenger rage. Sadly, the IT industry has never been big on personal service. There were exceptions, back in the glory days of big blue. We had a bit of trouble with an IBM mainframe, and they tossed a squad of technicians into an airplane and dropped them by parachute into our parking lot. Until the technicians dropped on target, vice presidents would call every 15 minutes to apprise us of the location of the plane. Okay, I am kidding, but not by much. Those of us in IT security should take heed. I hope you understand what your CEO is thinking right now. He gave you money for security after 9/11 because it seemed to be the right thing to do. You still got hit by worms. He increased ITSEC to 5% of the IT budget. You still got hit by worms. Now you are in a meeting thinking about asking the CEO for unplanned money to implement a NIPS or HIPS solution. I strongly suggest you invest time in looking at your requirements, making sure that you choose the best technology for your needs and that customer service is part of the budget request so the people impacted by the active defense layer you are thinking about implementing will have someone intelligent and caring to call.

Nowadays, the IT industry has two primary features: bad software and worse service. One of the advantages of this book is that the entire author team has pragmatic experience with most of the commercial and freeware perimeter products on the market, including the rapidly changing personal firewall market. We can't do much to help you with the bad software, and we never intend to bash any vendor—each has its foibles. However, we can help you in finding ways to meet your mission goals despite the flaws in the technology we each use. We devote an entire chapter of the book to implementing defense components, such as personal firewalls at a host level, to help you avoid some of the common pitfalls and know what technology is available. The latest generation of Host Intrusion Protection Systems (HIPS), which are essentially personal firewalls with operating system shims to trap dangerous operating system interrupts, have already proved themselves in production and are an important and valuable layer of defense.

Continuous Inspections

One of the primary reasons the aircraft industry has been able to make gigantic leaps in improving safety is the rigorous, complete, and continuous inspections for every component and process related to flying. This is also the most important change that we need to make. When I teach at the SANS Institute, a security research and education organization, I often say, "Who reads the event logs every day?" Some hands go up. I try to memorize their faces and catch them alone at the break. Then I ask them, "What is in the logs? What recurring problems are there?" They usually cannot answer. This book can help you deploy sensors and scanners. An entire chapter is devoted to intrusion detection. Even your organization's software architecture is a security perimeter component, as you will learn in the software architecture chapter.

If you were to ask me what the growth industry in IT was, I would answer that consoles, sensors, and agents to collect and display information would be a strong candidate. Computer systems change rapidly. They are analogous to the barnstormer bi-planes that flew around county fairs. When something broke, a blacksmith, automobile mechanic, or seamstress fabricated a new part. We can add and uninstall software in a heartbeat, but when we do, we cannot get back to the place where we were before the change. We need to monitor for change continuously, and until we learn how to do this and rigorously enforce change control, flying in computers will be nearly certain death.

Defense in Depth

It is a tragedy when a single passenger plane crashes, worse when a plane full of people goes down, and an unspeakable horror when a plane is used as a weapon of terrorism. Today, airports are transforming into examples of defense in depth. Defense in depth is a primary focus of this book, and the concept is quite simple: Make it harder to attack at chokepoint after chokepoint. How many security systems or defensive layers would you have to defeat to rush through an airport, race to a waiting, fueled, long-range jet, commandeer the plane, drive it out on the tarmac to take off, and use it as a missile? Many are obvious, such as security checkpoints, armed National Guard troops, locked doors, and tarmac controls. If you did manage to get the plane in the air, you would also have to defeat fighter aircraft. It isn't impossible, but it is unlikely that you could defeat the defense in depth that is now employed at airports.

Defense in depth is present in every chapter of this book, and it's becoming easier to implement in information technology. High-speed programmable hardware boxes, such as UnityOne from TippingPoint, can help protect our network borders from worm outbreaks. Technologies we have already discussed in this preface, such as next-generation intelligent switches and HIPS, allow us to implement multiple layers for our perimeter and internal networks, albeit at a significant cost. No matter what role you play in your organization, it is important to read the intrusion prevention chapter and make sure the folks in charge of the budget know what is on the horizon. As you read this book, you will learn how to architect your network so that it is resistant to attack. As we evolve as an information-based society, the importance of protecting intellectual property assets continues to rise.

Core Business Sector

In less than a century, airplanes have gone from being an oddity to being vitally important to the economy. Information technology has done the same in less time and continues to grow in importance. We have been more than a bit lazy. I often wonder what the effect of a worm with the infection rate of Blaster that overwrote (not deleted, overwrote) every location on the hard drive of an infected computer four hours after infection would be. If the Congress of the United States did not vote on a bailout package for the airline industry, IT should not expect one. One of the primary keys to survival in business over the next few years will be managing the flow of information so that resources are available when they are needed with full integrity, while the confidentiality of proprietary and sensitive information is maintained. It is a big task, so we had better get started.

—Stephen Northcutt and the authoring team

© Copyright Pearson Education. All rights reserved.


Customer Reviews

Average Rating 5 (1)
Anonymous, posted June 20, 2005

state of the art

The authors provide a nicely detailed explanation of current network defenses and practices. Each major topic in this field is well covered. Firewalls and packet filtering are clearly done. The preferred choice of example router is from Cisco. But the principles are obviously applicable to devices from any competing vendor. The book also recommends egress filtering; which is not often discussed in other texts. It helps guard against your net being used to send out malware. This helps the overall environment of the Internet. Moreover, there is also a tangible benefit to you. By doing egress checks, you can detect if one of your machines has been subverted. Which is always good to know. VPNs are given an entire chapter, due to their importance. The book also goes beyond talking about Intrusion Detection Systems to discuss Intrusion Prevention Systems. More proactive. To some sysadmins, the most important chapter might be that on wireless networks. As these have grown hugely, so too have the attacks against them. You can learn how to bolt down your wireless network.

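The egress-filtering benefit the reviewer describes, as an added example that is not from the book or the review: an outbound flow record is checked against a small egress policy (only our own prefixes may leave, SMTP only from the mail relay, DNS only from the resolver, web from anyone), and internal hosts that repeatedly violate it are listed as the machines worth checking for compromise. The addressing, the roles of the relay and resolver, and the flow record format are assumptions; the flows are constructed, using documentation address ranges.

```python
"""Added example (not from the book or the review): evaluate outbound flow
records against an egress policy and list internal hosts that repeatedly
violate it.  Prefixes, host roles and the flow format are assumptions."""
import ipaddress
from collections import Counter

# Assumed addressing, using documentation ranges (RFC 5737).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
MAIL_RELAY = ipaddress.ip_address("192.0.2.25")   # only host allowed to send SMTP out
RESOLVER = ipaddress.ip_address("192.0.2.53")     # only host allowed to send DNS out
WEB_PORTS = {80, 443}                             # any internal host may browse

# Constructed sample flows: (src, dst, proto, dst_port) as a border router
# or firewall would log them for traffic leaving the site.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", "tcp", 443),   # normal browsing
    ("192.0.2.25", "203.0.113.5", "tcp", 25),     # relay delivering mail
    ("192.0.2.10", "203.0.113.5", "tcp", 25),     # workstation sending mail directly
    ("10.9.8.7", "198.51.100.7", "tcp", 80),      # source not ours: spoofed
    ("192.0.2.10", "203.0.113.9", "tcp", 6667),   # port outside policy
    ("192.0.2.53", "198.51.100.53", "udp", 53),   # resolver forwarding a query
    ("192.0.2.31", "203.0.113.5", "tcp", 25),     # another direct SMTP sender
    ("192.0.2.31", "203.0.113.6", "tcp", 25),
]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_flow(flow):
    """Return ("permit", None) or ("deny", reason) for one outbound flow."""
    src, _dst, proto, dport = flow
    src = ipaddress.ip_address(src)
    if not is_internal(src):
        # Anti-spoofing (RFC 2827 / BCP 38): only our own prefixes may leave.
        return ("deny", "spoofed-source")
    if proto == "tcp" and dport == 25:
        return ("permit", None) if src == MAIL_RELAY else ("deny", "smtp-not-from-relay")
    if proto == "udp" and dport == 53:
        return ("permit", None) if src == RESOLVER else ("deny", "dns-not-from-resolver")
    if proto == "tcp" and dport in WEB_PORTS:
        return ("permit", None)
    return ("deny", "port-not-in-policy")


def denied_flows(flows):
    """Every flow the policy rejects, with the rule that rejected it."""
    out = []
    for flow in flows:
        verdict, reason = evaluate_flow(flow)
        if verdict == "deny":
            out.append((flow, reason))
    return out


def suspect_hosts(flows, threshold=2):
    """Internal sources with at least `threshold` denied flows: the machines
    worth checking for compromise.  Spoofed sources are not internal hosts;
    they point at the sending segment, so they are reported separately."""
    counts = Counter(flow[0] for flow, reason in denied_flows(flows)
                     if reason != "spoofed-source")
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for flow, reason in denied_flows(SAMPLE_FLOWS):
        print("DENY", flow, reason)
    print("suspects:", suspect_hosts(SAMPLE_FLOWS))
```

The same rules expressed as a router access list or firewall rule set would drop the traffic; running them over the logs as shown here is what turns the drops into a list of hosts to go and look at, which is the detection benefit the review points out.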