Cisco Network Security Little Black Book - Joe Harris


Thanks for buying Cisco Network Security Little Black Book, the definitive guide for security configurations on Cisco routers.

New business practices and opportunities are driving changes in every area of the enterprise network, and enterprise security is becoming more prominent as organizations try to understand and manage the risks that come with business applications being developed rapidly and deployed over that network. Coupled with the exponential growth of the Internet, this presents most enterprises with a daunting problem: how does an enterprise implement, and keep current, the security defenses and practices that reduce its exposure to security breaches?

In this book, I will attempt to bridge the gap between the theory and practice of network security, with most of the emphasis on securing the enterprise infrastructure. But first let me emphasize that there is no such thing as absolute security. The statement that a network is secure is, more often than not, misunderstood to mean that there is no possibility of a security breach. As you will see throughout this book, having a secure network means that the proper security mechanisms have been put in place to reduce most of the risks to which enterprise assets are exposed. I have tried to include enough detail on the theories and protocols for reasonable comprehension, so that the networking professional can make informed choices regarding security technologies. Although the focus of this book is on the Cisco product offering, the principles apply to many other environments as well.

Is this Book for You?

Cisco Network Security Little Black Book was written with the intermediate or advanced user in mind. The following topics are among those that are covered:

Internet Protocol Security (IPSec)

Network Address Translation (NAT)

Authentication, authorization, and accounting (AAA)

TCP Intercept

Unicast Reverse Path Forwarding (Unicast RPF)

Ethernet Switch Security

How to Use this Book

This book is similar in format to a typical book in the Little Black Book series. Each chapter has two main sections: "In Brief," followed by "Immediate Solutions."

"In Brief" introduces the subject matter of the chapter and explains the principles it is based upon. This section does not delve too deeply into details; instead it elaborates only on the points that are most important for understanding the material in "Immediate Solutions." "Immediate Solutions" presents several tasks related to the subject introduced in "In Brief." The tasks in "Immediate Solutions" vary from simple to complex, and this range of task levels provides broad coverage of the subject.

This book contains seven chapters. The following sections include a brief preview of each one.


Chapter 1: Securing the Infrastructure

Chapter 1 provides insight into the enterprise security problems and challenges that face many organizations today in the "Internet Age," and focuses on configuring networking devices so that access to them within the enterprise infrastructure is restricted and confidential.

Chapter 2: AAA Security Technologies

Chapter 2 includes a detailed examination of Cisco's authentication, authorization, and accounting (AAA) architecture and of the technologies that both use its features and provide them. It presents proven concepts for implementing AAA security solutions and discusses how to configure networking devices to support the AAA architecture.

Chapter 3: Perimeter Router Security

Chapter 3 describes many of the security issues that arise when connecting an enterprise network to the Internet. It also details the technologies that can be used to minimize the threat of exposure to the enterprise and its assets. The chapter covers features such as TCP Intercept, Unicast Reverse Path Forwarding (Unicast RPF), and Network Address Translation (NAT).

Chapter 4: IOS Firewall Feature Set

Chapter 4 discusses the add-on component of Cisco IOS that gives routers many of the features available on the PIX firewall, so that a router can provide functionality similar to that of a separate firewall device. It covers features such as Context-Based Access Control (CBAC), Port-to-Application Mapping (PAM), and the IOS Firewall Intrusion Detection System (IDS).

Chapter 5: Cisco Encryption Technology

Chapter 5 presents an overview of encryption algorithms, hashing techniques, symmetric key encryption, asymmetric key encryption, and digital signatures. It discusses how to configure a router to support Cisco Encryption Technology and presents detailed methods for testing the encryption configuration.

Chapter 6: Internet Protocol Security

Chapter 6 presents an overview of IPSec, the framework of open standards for ensuring secure private communications over IP networks. It discusses how to configure a router to support the protocols used to create IPSec virtual private networks (VPNs) and details the configuration of pre-shared keys, manual keys, and certificate authority support.

Chapter 7: Additional Access List Features

Chapter 7 details the use of access lists and the security features they provide. It discusses the use of dynamic and reflexive access lists, as well as standard and extended access lists.

Appendix A: IOS Firewall IDS Signature List

Appendix A provides a detailed list of the 59 intrusion-detection signatures that are included in the Cisco IOS Firewall feature set. The signatures are presented in numerical order, each with the detailed description of that signature number from the Cisco Secure IDS Network Security Database (NSDB).


Appendix B: Securing Ethernet Switches

Appendix B presents an overview of methods used to secure the Catalyst line of Ethernet switches. This appendix discusses how to configure VLANs, VLAN access lists, IP permit lists, port security, SNMP security, and support for the AAA architecture on Catalyst switches.

The Little Black Book Philosophy

Written by experienced professionals, Coriolis Little Black Books are terse, easily "thumb-able" question-answerers and problem-solvers. The Little Black Book's unique two-part chapter format, brief technical overviews followed by practical immediate solutions, is structured to help you use your knowledge, solve problems, and quickly master complex technical issues to become an expert. By breaking down complex topics into easily manageable components, this format helps you quickly find what you're looking for, with the diagrams and code you need to make it happen.

The author sincerely believes that this book will provide a more cost-effective and time-saving means of preparing and deploying Cisco security features and services. By using this reference, the reader can focus on the fundamentals of the material instead of acquiring numerous expensive texts that may turn out to be, on the whole, inapplicable to the desired subject matter. This book also provides the depth and breadth of coverage needed to avoid the gaps in security-related technologies found in other "single" reference books. The information security material in this book is presented in an organized, professional manner that will make it a primary source of information for individuals new to the field of security, as well as for practicing security professionals. This book is mostly a practical guide for configuring security-related technologies on Cisco routers, and as such, the chapters may be read in any order.

I welcome your feedback on this book. You can either email The Coriolis Group at ctp@coriolis.com, or email me directly at joefharris@netscape.net. Errata, updates, and more are available at http://www.coriolis.com/.