Network Security First-Step

Specifications
Paperback, pp. | English
Pearson Education | edition, 2012
ISBN13: 9781587204104
€ 41,74
Delivery time approximately 8 working days

Summary

Today, every business relies on the Internet - and, therefore, every business requires strong network security. Network Security First-Step, Second Edition explains the basics of modern network security in easy language anyone can understand, even those with no previous technical experience.

Throughout, consistent features simplify both learning and reference:

- Essentials First approach begins each technical discussion with a real-world/first-step overview, organizing complex subjects into small, easy-to-understand elements
- Chapter Mini Case Studies, many with simple diagrams that show how network security is typically implemented
- Highlighted Keywords with definitions in boxes

Specifications

ISBN13: 9781587204104
Language: English
Binding: Paperback

Table of Contents

Introduction

Chapter 1: There Be Hackers Here!
- Essentials First: Looking for a Target
- Hacking Motivations
- Targets of Opportunity
- Are You a Target of Opportunity?
- Targets of Choice
- Are You a Target of Choice?
- The Process of an Attack
- Reconnaissance
- Footprinting (aka Casing the Joint)
- Scanning
- Enumeration
- Enumerating Windows
- Gaining Access
- Operating System Attacks
- Application Attacks
- Misconfiguration Attacks
- Scripted Attacks
- Escalating Privilege
- Covering Tracks
- Where Are Attacks Coming From?
- Common Vulnerabilities, Threats, and Risks
- Overview of Common Attacks and Exploits
- Network Security Organizations
- CERT Coordination Center
- SANS
- Center for Internet Security (CIS)
- SCORE
- Internet Storm Center
- National Vulnerability Database
- Security Focus
- Learning from the Network Security Organizations
- Chapter Summary
- Chapter Review

Chapter 2: Security Policies
- Responsibilities and Expectations
- A Real-World Example
- Who Is Responsible? You Are!
- Legal Precedence
- Internet Lawyers
- Evolution of the Legal System
- Criminal Prosecution
- Real-World Example
- Individuals Being Prosecuted
- International Prosecution
- Corporate Policies and Trust
- Relevant Policies
- User Awareness Education
- Coming to a Balance
- Corporate Policies
- Acceptable Use Policy
- Policy Overview
- Purpose
- Scope
- General Use and Ownership
- Security and Proprietary Information
- Unacceptable Use
- System and Network Activities
- Email and Communications Activities
- Enforcement
- Conclusion
- Password Policy
- Overview
- Purpose
- Scope
- General Policy
- General Password Construction Guidelines
- Password Protection Standards
- Enforcement
- Conclusion
- Virtual Private Network (VPN) Security Policy
- Purpose
- Scope
- Policy
- Conclusion
- Wireless Communication Policy
- Scope
- Policy Statement
- General Network Access Requirements
- Lab and Isolated Wireless Device Requirements
- Home Wireless Device Requirements
- Enforcement
- Definitions
- Revision History
- Extranet Connection Policy
- Purpose
- Scope
- Security Review
- Third-Party Connection Agreement
- Business Case
- Point of Contact
- Establishing Connectivity
- Modifying or Changing Connectivity and Access
- Terminating Access
- Conclusion
- ISO Certification and Security
- Delivery
- ISO/IEC 27002
- Sample Security Policies on the Internet
- Industry Standards
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes-Oxley Act of 2002 (SOX)
- Health Insurance Portability and Accounting Act (HIPAA) of 1996
- Massachusetts 201: Standards for the Protection of Personal Information of Residents of the Commonwealth
- SAS 70 Series
- Chapter Summary
- Chapter Review

Chapter 3: Processes and Procedures
- Security Advisories and Alerts: Getting the Intel You Need to Stay Safe
- Responding to Security Advisories
- Step 1: Awareness
- Step 2: Incident Response
- Step 3: Imposing Your Will
- Steps 4 and 5: Handling Network Software Updates (Best Practices)
- Industry Best Practices
- Use a Change Control Process
- Read All Related Materials
- Apply Updates as Needed
- Testing
- Uninstall
- Consistency
- Backup and Scheduled Downtime
- Have a Back-Out Plan
- Forewarn Helpdesk and Key User Groups
- Don't Get More Than Two Service Packs Behind
- Target Noncritical Servers/Users First
- Service Pack Best Practices
- Hotfix Best Practices
- Service Pack Level Consistency
- Latest Service Pack Versus Multiple Hotfixes
- Security Update Best Practices
- Apply Admin Patches to Install Build Areas
- Apply Only on Exact Match
- Subscribe to Email Notification
- Summary
- Chapter Review and Questions

Chapter 4: Network Security Standards and Guidelines
- Cisco SAFE 2.0
- Overview
- Purpose
- Cisco Validated Design Program
- Branch/WAN Design Zone Guides
- Campus Design Zone Guides
- Data Center Design Zone Guides
- Security Design Zone Guides
- Cisco Best Practice Overview and Guidelines
- Basic Cisco IOS Best Practices
- Secure Your Passwords
- Limit Administrative Access
- Limit Line Access Controls
- Limit Access to Inbound and Outbound Telnet (aka vty Port)
- Establish Session Timeouts
- Make Room Redundancy
- Protect Yourself from Common Attacks
- Firewall/ASAs
- Encrypt Your Privileged User Account
- Limit Access Control
- Make Room for Redundant Systems
- General Best Practices
- Configuration Guides
- Intrusion Prevention System (IPS) for IOS
- NSA Security Configuration Guides
- Cisco Systems
- Switches Configuration Guide
- VoIP/IP Telephony Security Configuration Guides
- Microsoft Windows
- Microsoft Windows Applications
- Microsoft Windows 7/Vista/Server 2008
- Microsoft Windows XP/Server 2003
- Apple
- Microsoft Security
- Security Policies
- Microsoft Windows XP Professional
- Microsoft Windows Server 2003
- Microsoft Windows 7
- Windows Server 2008
- Microsoft Security Compliance Manager
- Chapter Summary
- Chapter Link Toolbox Summary

Chapter 5: Overview of Security Technologies
- Security First Design Concepts
- Packet Filtering via ACLs
- Grocery List Analogy
- Limitations of Packet Filtering
- Stateful Packet Inspection
- Detailed Packet Flow Using SPI
- Limitations of Stateful Packet Inspection
- Network Address Translation (NAT)
- Increasing Network Security
- NAT's Limitations
- Proxies and Application-Level Protection
- Limitations of Proxies
- Content Filters
- Limitations of Content Filtering
- Public Key Infrastructure
- PKI's Limitations
- Reputation-Based Security
- Reactive Filtering Can't Keep Up
- Cisco Web Reputation Solution
- AAA Technologies
- Authentication
- Authorization
- Accounting
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access Control System (TACACS)
- TACACS+ Versus RADIUS
- Two-Factor Authentication/Multifactor Authentication
- IEEE 802.1x: Network Access Control (NAC)
- Network Admission Control
- Cisco TrustSec
- Solution Overview
- Cisco Identity Services Engine
- Chapter Summary
- Chapter Review Questions

Chapter 6: Security Protocols
- Triple DES Encryption
- Encryption Strength
- Limitations of 3DES
- Advanced Encryption Standard (AES)
- Different Encryption Strengths
- Limitations of AES
- Message Digest 5 Algorithm
- MD5 Hash in Action
- Secure Hash Algorithm (SHA Hash)
- Types of SHA
- SHA-1
- SHA-2
- Point-to-Point Tunneling Protocol (PPTP)
- PPTP Functionality
- Limitations of PPTP
- Layer 2 Tunneling Protocol (L2TP)
- L2TP Versus PPTP
- Benefits of L2TP
- L2TP Operation
- Secure Shell (SSH)
- SSH Versus Telnet
- SSH Operation
- Tunneling and Port Forwarding
- Limitations of SSH
- SNMP v3
- Security Built In
- Chapter Summary
- Chapter Review Questions

Chapter 7: Firewalls
- Firewall Frequently Asked Questions
- Who Needs a Firewall?
- Why Do I Need a Firewall?
- Do I Have Anything Worth Protecting?
- What Does a Firewall Do?
- Firewalls Are “The Security Policy”
- We Do Not Have a Security Policy
- Firewall Operational Overview
- Firewalls in Action
- Implementing a Firewall
- Determine the Inbound Access Policy
- Determine Outbound Access Policy
- Essentials First: Life in the DMZ
- Case Studies
- Case Study: To DMZ or Not to DMZ?
- Firewall Limitations
- Chapter Summary
- Chapter Review Questions

Chapter 8: Router Security
- Edge Router as a Choke Point
- Limitations of Choke Routers
- Routers Running Zone Based Firewall
- Zone-Based Policy Overview
- Zone-Based Policy Configuration Model
- Rules for Applying Zone-Based Policy Firewall
- Designing Zone-Based Policy Network Security
- Using IPsec VPN with Zone-Based Policy Firewall
- Intrusion Detection with Cisco IOS
- When to Use the FFS IDS
- FFS IDS Operational Overview
- FFS Limitations
- Secure IOS Template
- Routing Protocol Security
- OSPF Authentication
- Benefits of OSPF Neighbor Authentication
- When to Deploy OSPF Neighbor Authentication
- How OSPF Authentication Works
- Chapter Summary
- Chapter Review Questions

Chapter 9: IPsec Virtual Private Networks (VPNs)
- Analogy: VPNs Securely Connect IsLANds
- VPN Overview
- VPN Benefits and Goals
- VPN Implementation Strategies
- Split Tunneling
- Overview of IPsec VPNs
- Authentication and Data Integrity
- Tunneling Data
- VPN Deployment with Layered Security
- IPsec Encryption Modes
- IPsec Tunnel Mode
- Transport Mode
- IPsec Family of Protocols
- Security Associations
- ISAKMP Overview
- Internet Key Exchange (IKE) Overview
- IKE Main Mode
- IKE Aggressive Mode
- IPsec Security Association (IPsec SA)
- IPsec Operational Overview
- IKE Phase 1
- IKE Phase 2
- Perfect Forward Secrecy
- Diffie-Hellman Algorithm
- Router Configuration as VPN Peer
- Configuring ISAKMP
- Preshared Keys
- Configuring the ISAKMP Protection Suite
- Configuring the ISAKMP Key
- Configuring IPsec
- Step 1: Create the Extended ACL
- Step 2: Create the IPsec Transforms
- Step 3: Create the Crypto Map
- Step 4: Apply the Crypto Map to an Interface
- Firewall VPN Configuration for Client Access
- Step 1: Define Interesting Traffic
- Step 2: IKE Phase 1 [udp port 500]
- Step 3: IKE Phase 2
- Step 4: Data Transfer
- Step 5: Tunnel Termination
- SSL VPN Overview
- Comparing SSL and IPsec VPNs
- Which to Deploy: Choosing Between IPsec and SSL VPNs
- Remote-Access VPN Security Considerations
- Steps to Securing the Remote-Access VPN
- Cisco AnyConnect VPN Secure Mobility Solution
- Chapter Summary
- Chapter Review Questions

Chapter 10: Wireless Security
- Essentials First: Wireless LANs
- What Is Wi-Fi?
- Benefits of Wireless LANs
- Wireless Equals Radio Frequency
- Wireless Networking
- Modes of Operation
- Coverage
- Bandwidth Availability
- WarGames Wirelessly
- Warchalking
- Wardriving
- Warspamming
- Warspying
- Wireless Threats
- Sniffing to Eavesdrop and Intercept Data
- Denial-of-Service Attacks
- Rogue/Unauthorized Access Points
- Misconfiguration and Bad Behavior
- AP Deployment Guidelines
- Wireless Security
- Service Set Identifier (SSID)
- Device and Access Point Association
- Wired Equivalent Privacy (WEP)
- WEP Limitations and Weaknesses
- MAC Address Filtering
- Extensible Authentication Protocol (EAP)
- LEAP
- EAP-TLS
- EAP-PSK
- EAP-TTLS
- Essential Wireless Security
- Essentials First: Wireless Hacking Tools
- NetStumbler
- Wireless Packet Sniffers
- Aircrack-ng
- OmniPeek
- Wireshark
- Chapter Summary
- Chapter Review Questions

Chapter 11: Intrusion Detection and Honeypots
- Essentials First: Intrusion Detection
- IDS Functional Overview
- Host Intrusion Detection System
- Network Intrusion Detection System
- Wireless IDS
- Network Behavior Analysis
- How Are Intrusions Detected?
- Signature or Pattern Detection
- Anomaly-Based Detection
- Stateful Protocol Analysis
- Combining Methods
- Intrusion Prevention
- IDS Products
- Snort!
- Limitations of IDS
- Essentials First: Honeypots
- Honeypot Overview
- Honeypot Design Strategies
- Honeypot Limitations
- Chapter Summary
- Chapter Review Questions

Chapter 12: Tools of the Trade
- Essentials First: Vulnerability Analysis
- Fundamental Attacks
- IP Spoofing/Session Hijacking
- Packet Analyzers
- Denial of Service (DoS) Attacks
- Other Types of Attacks
- Back Doors
- Security Assessments and Penetration Testing
- Internal Vulnerability and Penetration Assessment
- Assessment Methodology
- External Penetration and Vulnerability Assessment
- Assessment Methodology
- Physical Security Assessment
- Assessment Methodology
- Miscellaneous Assessments
- Assessment Providers
- Security Scanners
- Features and Benefits of Vulnerability Scanners
- Freeware Security Scanners
- Metasploit
- NMAP
- SAINT
- Nessus
- Retina Version 5.11.10
- CORE IMPACT Pro (a Professional Penetration Testing Product)
- In Their Own Words
- Scan and Detection Accuracy
- Documentation
- Documentation and Support
- Vulnerability Updates
- Chapter Summary
- Chapter Review Questions