Numerics - pearsoncmg.comptgmedia.pearsoncmg.com/images/1587051672/index/1587051672inde… ·...

Date post: 05-Apr-2018

I N D E X

Numerics
3DES (Triple DES) encryption algorithm 272, 283
802.11 standards 327, 331–333
    protocol stacks 331, 332
    scanning functions 334
802.1x standards
    authentication framework 339–342
    EAP protocol and 802.11i 340–342
802.x standards, IEEE 332

A
AAA (authentication, authorization, and accounting) 131, 165
    AAA model 235
    accounting 239–241
    authentication 237–238
    authorization 238
    configuration of CiscoSecure ACS 256–265
    securing network with AAA server 236
    security servers 241–252
        Kerberos 250–252
        RADIUS 245–249
        TACACS+ versus RADIUS 250
aaa new-model command 237
acceptable use policy 82
access control
    based on IP addresses 116
    DAC model, attributes of 112
    restricting access to a website 114
    of routers 131
Access Control Entries (ACE) 138
access lists, router 138–148
    applied to an interface, configuring direction of the data flow 143
    assigning to router interface 154
    dynamic 252
    enhanced 144–148
        dynamic access lists 144
        time-based access lists 146
        reflexive access lists 147
    extended numbered access list 141–144
    identification numbers and types 138
    named access list commands 140
    numbered access list commands 139
    permissions, example of 154
    permitting IPSec traffic on VPNs 288
    PIX Firewall 167–170
    SNMP managers using community string 359
    standard numbered IP access lists, additional keywords 140
access points (APs) 333
    beacon messages, SSID in 336
    placement and configuration of 344–349
    SAFE design recommendations 343
    wireless clients communicating without 328
    zone coverage area and 329
access-enable command 255
    issued for user in a dynamic access list 145
access-list filters on routers, vulnerability of 162
accounting 235, 236, 239–241
    important function records 241
    TACACS+ 245
accounts, renaming critical accounts 109
ACK (Acknowledgment field), TCP headers 23
Acknowledgment number, TCP 20
ACS (Access Control Server) 242
    configuration of 256–265
    download site, trial copies 250
    RADIUS authentication setup 249
active responses to attacks, network IDS 215
active scanning for wireless stations or access points 334
adaptive protocols, checking 96
Adaptive Security Algorithm (ASA) 166
Address Resolution Protocol (ARP), spoofing 29–30
address space of program code, making nonexecutable 29
administrative personnel, access to routers 131
administration, VPN manager functions 288
Advanced Services for Network Security (ASNS) 86
AES (Advanced Encryption Standard) 64, 66, 283
agents, SNMP 356
    defining relationship with manager 359

1587201672.book Page 433 Wednesday, August 11, 2004 3:36 PM

434

AH (authentication header) protocol 277
    establishing use of in IPSec policy 284
    identified in IPSec transform sets 283
    identifying for IKE Phase 2 283
    transport mode 280
    tunnel mode 281
Airsnort program 338
Aladdin eToken 256
alarms and events (RMON), monitoring traffic with 361
alarms, IDS 194
    analyzing for IDS tuning 227
    monitoring and tuning 225
    network IDS 217
    routers configured for network IDS 212
alerts and audit trails, generated by CBAC 148
algorithms
    asymmetric key algorithms 66–69
        Diffie-Hellman 68
        PGP 69
        RSA 68–69
    definition of 63
    encryption 282–284
    hashing 69
    SSL and TLS 71
    symmetric key algorithms 64–66
        AES 64, 66, 283
        DES 64, 272, 283
        Triple DES (3DES) 65–66, 272, 283
allow all model (security plan) 83
allowed and disallowed behavior, defining 81
analysis tools (network traffic analysis) 95
annualized rate of occurrence (ARO) 9
annual loss expectancy (ALE) 9
anomaly-based IDSs 200
anonymous access 116
antireplay protection 277
antivirus software 51, 181
application layer, OSI model
    data-driven attacks 160
    Kerberos authentication service 250
    SNMP on 356
application-layer protocols, CBAC inspection of 148–152
APs. See access points
ARO (annualized rate of occurrence) 9
ARP (Address Resolution Protocol)
    spoofing 29–30
ASA (Adaptive Security Algorithm) 166
    PIX Firewall data flow 167
ASNS (Advanced Services for Network Security) 86
asymmetric key algorithms 66–69
    Diffie-Hellman 68
    PGP 69
    RSA 68–69
asymmetric key encryption 272, 301
attacks
    broadcast, configuring router to prevent 154
    buffer overflow 28
    connection hijacking (TCP) 26
    connection-killing (TCP/IP) 25
    in cryptoanalysis 61
    data-driven 160
    denial-of-service (DoS)
        distributed 161
        stopping with stateful firewall 163
        using IP spoofing 20
    deriving WEP key stream with protocol analyzer 339
    e-mail 161
    ICMP packets, using to export confidential information 22
    IP fragment attacks 23
    network IDS responses to 213
    prevented by policy-based IDS 199
    rebuffed by network IDS (example) 208
    SYN-flooding, prevention by CBAC 148
    types of attacks 161–162
auditing 109
    audit trails generated by CBAC 148
    case study 366–372
    education on. See SANS Institute
    monitoring traffic with RMON and SNMP 361
    network auditing in design process 95
    SAA (Service Assurance Agent), using 362
    SNMP. See SNMP
authenticated users, potential threats posed by 6


authentication 85, 235, 237–238
    802.1x framework and EAP protocol 340–342
    alternatives to reusable passwords 50
    configuring for website access 114–117
    encapsulating security payload. See ESP protocol 279
    hardware keys, using 43
    HMAC, used with IPSec 274
    IPSec, identifying method for IKE Phase 1 282
    Kerberos 48, 250–252
    open, for wireless networks 337
    peer authentication methods on VPNs 274, 284
    PKI users 307
    RADIUS 246–249
        ACS setup for 249
        attribute pairs (AV pairs) 247
        summary of 248
    shared key authentication, wireless networks 337
    TACACS+ 257–265
    token-based systems 42
    user authentication method, selecting for VPN 294
    WEP protocol 339
    wireless station, using WEP 333, 337
    WLANs, stations and clients 334–335
authentication header protocol. See AH protocol
authentication policy 82
authentication, authorization, and accounting. See AAA
authority and scope, statement of (security policy) 82
authorization 235, 236, 238
    TACACS+ 243
autocommand 145
automating signature updates for IDSs 221
AV pairs, RADIUS authentication 247
availability of data and resources 8

B
backplane capacity constraints, network design 93
banner for router to warn off intruders 135
baseline of your current security posture 81
basic authentication 116
basic service set (BSS) 333
beacon frames 334
beacon messages, SSID in 336
Belt and Braces Firewall architecture 168
biometrics 53–55
    face recognition 55
    fingerprint scanning 54
    signature recognition 55
    typing 54
    voice recognition 54
block ciphers 64
    AES 64, 66, 283
    DES 64, 272, 283
    Triple DES 65–66, 272, 283
BOOTP server 137
broadcast attacks, prevention of 154
browsers 118–123
Brussels router 134
BSS (basic service set) 333
buffer capacity constraints, network design 93
buffer overflows 28
bugs, risk of 9
building-to-building wireless networks 330
bytes 15

C
camera systems, internal physical security 45
campus access policy 82
card bus (wireless NIC) 328
CAs (Certificate Authorities) 37, 72, 302
    creating your own CA 312–323
    enrolling in 73
    hierarchical CAs 305
    single root CA 305
    validating signature of 73
CBAC (Context Based Access Control) 148–152, 154
CDP (Cisco Discovery Protocol) 137
certificate authorities. See CAs
certificate revocation lists. See CRLs
certificates 72, 274, 275, 284. See also digital IDs
    placement on a CRL 308
    types of 38
chalk marks (war-chalking) 342
Challenge Handshake Authentication Protocol (CHAP) 243
change control (business processes) 98
Chargen attack 161


Check Point, software firewalls 173
checksums 15
CIA (confidentiality, integrity, and availability) 8
ciphers 63
    block and stream ciphers 64–65
Cisco
    Advanced Services for Network Security (ASNS) 86
    Internet Operating System. See IOS
    Intrusion Detection Host sensor 204
    Intrusion Detection System (IDS) 164
    IOS 165
    IOS-based IDSs, deployment on a router or PIX-based IDS 212
    Light Extensible Authentication Protocol (LEAP) 339
    Linksys product line 331
    PIX Firewall 164, 165–170
    Router Security Configuration Guide 394
    SAFE Blueprint 377–383
    Secure Agent Manager 204, 206
    Secure Integrated Software 212
    Wireless Security Suite 339, 342
Cisco Discovery Protocol (CDP) 137
Cisco IOS Firewall CBAC engine. See CBAC
Cisco Press website, certificates 308
Cisco Secure Encyclopedia (CSEC) 162, 195
CiscoSecure Access Control Server. See ACS
CiscoSecure Private Internet Exchange Firewall. See PIX Firewall 165
CiscoSecure products 162
CiscoView application 367
CiscoWorks VMS Suite 204
client-based firewalls 174
clients, setting up VPN client 297
ClipBook Viewer 111
closed network 79
coded messages. See ciphers
cold site (disaster recovery plan) 46
command and control network 218
command and control port, network IDS 208
command line interface (CLI), PIX Firewall and 165
commands
    IOS privileged executive commands 236
    monitoring and troubleshooting SNMP 360
    SAA operations, specifying 363
comments, adding in named access lists 143
Common Criteria EAL 4 ratings (NetScreen and PIX) 170
community networks, wireless 330
community strings, SNMP 359, 371
    assigning a view to 359
compression algorithm (LZS) 295
compromised keys 308
computer resources, in security policies 81
computers, cryptography and 63
conduits. See access lists, PIX Firewall
confidentiality, integrity, and availability (CIA) 8
Connect accounting function 241
Connection Establishment timer 25
connection hijacking (TCP) 26
connection-based security policy 166, 183
connection-killing attacks 25
connectivity and associated policies 81
consensus, communicating 81
console access to devices, avoiding 45
consoles, accessing routers from 131
constraints, network design 93
content filtering 178–181
Context-Based Access Control (CBAC) 138, 148–152, 154
cookies 123
costs and benefits of security 9
countermeasures against vulnerabilities, information about 162
covert channels 21
CPU, tie-ups in attacks 161
CPU processing speed 93
crackers 40, 193, 342
    hackers versus 5–6
    script kiddies 6
cracking codes (cryptoanalysis) 61
credentials, Kerberos 252
CRLs (certificate revocation lists) 308
cross certifying 305
cryptography 61–76. See also encryption
    asymmetric key algorithms 66–69
        Diffie-Hellman 68
        PGP 69
        RSA 68
    cryptoanalysis versus 61
    digital certificates 72
    hashing algorithms 69


        MD5 70
        SHA-1 71
    history of 61–63
    NSA research and education on 393
    PKCS (Public Key Cryptography Standard) 307
    secret key, Kerberos 48
    SSL and TLS 71
    symmetric key algorithms
        AES 64, 66, 283
        DES 64, 272, 283
        Triple DES (3DES) 65–66, 272–283
    wireless equivalent privacy keys. See WEP protocol
CSEC (Cisco Secure Encyclopedia) 162

D
DAC (Discretionary Access Control) 107, 112
DAD (disclosure, alteration, and denial) 8
Data Encryption Standard. See DES
data flow
    NetScreen firewalls 171
    PIX Firewall 167
data integrity 8
    on VPNs 273
data packets, inspection up to Layer 4 162
data streams 15
data-driven, application-layer attacks 160
datagrams, IP 16
DDoS (distributed denial-of-service) attacks 165
debug commands (SNMP), documentation of 361
deep packet firewalls 162
    Cisco PIX and NetScreen firewalls 164
    NetScreen 171
defense in depth strategy 96–97
defenses 35–56
    antivirus software 51
    biometrics 53–55
    in depth 96–97
    digital IDs 35–40
    encrypted files 52
    firewalls 49
    intrusion detection systems (IDSs) 40
    PC card-based solutions 41
    physical security 44–46
    residing in multiple locations 96
    reusable passwords 50
defining roles 81
definitions section (example VPN security policy) 87
demilitarized zones. See DMZs
denial-of-service attacks. See DoS attacks
deny all model (security plan) 83
deny all statement
    ending extended numbered or named access lists 142
    ending standard or named access lists 140
DES (Data Encryption Standard) 64
    encryption algorithms 272, 283
design phase, network life cycle 98
designing a secure network 91–101
    network design methodology 97–99
    network design principles 92–97
        defense in depth 96
        design activities, tools, and techniques 94–96
        requirements and constraints 93
        top-down design practices 92
    physical security 99–101
    return on investment 99
    switches and hubs 101
Destination Unreachable message 22
developers' digital ID 38
device management, network IDS 217
    IDM (IDS Device Manager) 226
    in-band 220
    out-of-band 219
device port density constraints, network design 93
devices, physical access to 45
DHCP (Dynamic Host Configuration Protocol) 289
Diffie-Hellman algorithm 68
Diffie-Hellman key exchange 272–273
    identifying method for IKE Phase 1 282
digest 40


digital certificates. See certificates
digital IDs 35–40
    HTTPS, use of 48
    parameters of 37
    types of 38
digital signatures 73, 274
    combined with passwords 256
    RSA signatures 275
digital signing of public keys 302
director, network-based IDS 208
disaster recovery planning 45, 97, 101
disclosure, alteration, and denial (DAD) 8
Discretionary Access Control (DAC) 107, 112
distributed denial-of-service (DDoS) attacks 161
DMZs (demilitarized zones) 49, 165, 183
    configuring security levels 168
    outside connections and 170
    web server connected on, attacks against 210
DNS (Domain Name Service)
    lookup service 137
    NetScreen Deep Inspection firewall and 171
    passing address to VPN client 295
    spoofing 30
DNS poisoning 161
DoS (denial-of-service) attacks
    launching with TCP flags 24
    Smurf attack 198
    starting with IP address spoofing 20
    stateful firewalls and 163
    TCP SYN flood attacks 161
dropping packets, router configured for network IDS 212
dynamic access lists 252
dynamic access lists, routers 144
dynamic and static translation slots, ASA and 167
Dynamic Host Configuration Protocol (DHCP) 289

E
EAP (Extensible Authentication Protocol) 339
eavesdropping (sniffing) on publicly accessible networks 72
echo and Echo-Reply messages 22
echo messages to IP broadcast addresses 162
e-commerce, necessity of network security for 79, 80
economic constraints, network design 94
EDE (encrypt–decrypt–encrypt) 65
Electronic Communications Privacy Act (EPCA) 8
e-mail 14
    attacks using 161
    protection during transmission with PC encryption cards 43
    social engineering attacks, use in 31
enable secret command 132, 153
encapsulating security payload. See ESP protocol
encrypted logins 46
    Kerberos 48
    SSL (Secure Socket Layer) 48–49
    SSH (Secure Shell) 47–48
encryption 85, 272
    Diffie-Hellman key exchange 272–273
    ESP (encapsulating security payload) protocol 279
    file 52
    PC encryption cards 43
    public/private keys, digital IDs 39
    RSA-encrypted nonces 274, 276
    SEP (Scalable Encryption Processing) 292
    symmetric key algorithms 64–66
        AES 64, 66, 283
        DES 64, 272, 283
        Triple DES (3DES) 65–66, 272, 283
    WEP, improvement with TKIP 340
    wired equivalent privacy (WEP) keys 334, 337
encryption algorithms
    establishing in IPSec policy 284
    identified in IPSec transform sets 283
    identifying for ESP in IKE Phase 2 283
    identifying for IKE Phase 1 282
encryption file system (EFS) 52
end stations, wireless. See stations, wireless
enforcement section, security policies 87
enhanced access lists 144–148
Enigma machine 62
enrollment procedure, PKI 306


Enterprise Composite Network Model, out-of-band IDS management 220
environmental monitoring, high-level security areas 45
environmental requirements for network equipment 93, 100
EPCA (Electronic Communications Privacy Act) 8
equipment failure, risk of 9
errors, detection in data streams 15
ESP (encapsulating security payload) protocol 279
    establishing use of in IPSec policy 284
    identified in IPSec transform sets 283
    identifying for IKE Phase 2 283
    transport mode 281
    tunnel mode 281
Ethereal tool 27
Ethernet
    crossover cables 328
    NetScreen firewalls and 171
    speed, possible values for 185
    to wireless bridge 328
    WLANs, 802.3 IEEE standard 332
eToken 256
evaluate command 147
evasion techniques for network IDSs 202
events and alarms (RMON), monitoring traffic with 361
exclusive OR (XOR) function 338
exec-timeout command 134
exec-timeout, setting 153
Explicit Congestion Notification (ECN) 20
extended access lists 141
    numbered 141–144
    reflexive 147
extended Log File Format, W3C 113
extended service set (ESS) 333
Extensible Authentication Protocol (EAP) 340–342
external interface of the firewall 149
external physical security 44, 100
external weaknesses 5

F
face recognition 55
fail-over site 46, 101
false negative IDS alarms 194
false positive IDS alarms 194
    eliminating in IDS tuning 227
FERET (facial recognition technology) 55
file encryption 52
file protection 53
file systems, hardening 107–109
file transfers 14
file-based requests (PKI enrollment) 307
filtering
    content filters, firewall 178–181
    packet filtering and stateless, by firewalls 162
    stateful, by firewalls 162, 163
FIN (finished with connection), TCP flag 23, 25
FIN_WAIT timer 25
financial institutions, privacy policies 8
fingerprint scanning 54
Firewall Service Module (FWSM) 166
firewall-based VPNs 270
firewalls 49, 85, 159–191
    CBAC 148
    configured to filter based on TCP ports 20
    definition of 49
    enhancements for 175–181
        antivirus software 181
        content filtering 178–181
    enhancements for
        antivirus software 181
        content filters 178–181
        NAT (network address translation) 175–177
        proxy services 177–178
    hardware-based 164, 165–173
        NetScreen 170–173
        PIX 164, 165–170
    personal 174
    placing filtering routers and firewalls 181–190
    as proxy servers 178
    software-based (Check Point) 173
    stateful 163
    stateless 162–163
    types of 162
flags, TCP 23
folders (cookie), making read-only 123
four-way handshake mechanism, TCP FIN packets 25
fragmentation offset (IP) 17, 23


fragmentation reassembly code, TCP/IP 161
framework for security implementation 81
FTP, NetScreen Deep Inspection Firewall and 171
functional areas of a network, separation with firewalls 49
FWSM (Firewall Service Module) 166

G
gateways (VPN), tunnel mode used between 281
generator (parameter g, Diffie-Hellman) 68
GIAC (Global Information Assurance Certification) 385
GLB (Gramm-Leach-Bliley) Act 8
global command (PIX Firewall) 187
Global Information Assurance Certification (GIAC) 385
globalization of business 14
governments
    security for emerging technologies, role in 8
    specifications for physical security 44, 100
Gramm-Leach-Bliley Act (GLB) 8
graphical user interface (CiscoView) 367
GRE (generic routing encapsulation) tunnels 271
group names, specifying for SNMP server 360
group rights 109
groups, configuring on VPN Concentrator Group Screen 290
guideline, definition of 387

H
hacker 5
hardening operating systems and applications 386
hardening systems 107–123
    browsers 118–123
    case study 124–128
    file systems 107–109
    web servers 109–117
hardware, SOHO 331
hardware firewalls 164, 165–173
    NetScreen 170–173
    PIX 164, 165–170
hardware interfaces 184
hardware keys 42
hash 40
hash algorithms
    establishing use of in IPSec policy 284
    identified in IPSec transform sets 283
    identifying for IKE Phase 1 282
    identifying for IKE Phase 2 283
Hashed Message Authentication Codes (HMAC) protocol 274
hashing algorithms 69
    MD5 (Message Digest 5) 70
    Message Digest 5 (MD5) 70
    SHA-1 71
hashing passwords in the router configuration file 132
headers
    IP 16
        address spoofing in 20
    TCP 18
        flags 23
Health Insurance Portability and Accountability Act (HIPAA) 8
hierarchical CA 305
hijacking TCP connections 26
history of operation, showing 365
HMAC-MD5 274
HMAC-SHA-1 274
hoaxes 5
honey-pots 202
host IDS 41, 194, 204–207
    deploying in network 203–206
    network IDS vs. 200
    sensor components and architecture 204
hostnames, identifying VPN peers with 284
hosts, configuring SNMP server hosts 360
hot site (disaster recovery plan) 46
hotspot WLAN 328, 330
HTTP
    access to routers via 131
    cookies, simulating stateful environment with 123
    NetScreen Deep Inspection firewall and 171
HTTP server 137
HTTPS 37, 48
hubs and switches, network security design 101

I
IANA (Internet Assigned Number Authority) 19


IAR (Internet Accessible Router) 176
IBSS (independent basic service set) 329
ICMP (Internet Control Message Protocol)
    echo (ping) traffic to IP broadcast addresses 162
    used in TCP/IP connection covert channels 22
identification policy 82
identification, two-factor 256
identity theft 72
IDM (IDS Device Manager) 226
IDSs (intrusion detection systems) 40
    anomaly-based 200
    case study 221–232
        active response, blocking host 229–232
        IDS Event Viewer 228
        initializing and configuring network sensors 223–226
        sensor placement on the network 223
        tuning IDS 227
    Cisco 164
    honey-pots 202
    host-based 204–207
        deploying in the network 206
        host sensor components and architecture 204
    network IDS 207–217
        deploying in the network 210–216
        evasion/antievasion techniques 202
        management communications 217
        notification and reporting 217
        organizational issues and complications 202
    network versus host 200
    policy-based 198
    sensor maintenance 221
    signature-based IDSs 196
IEEE (Institute of Electrical and Electronics Engineers) 327. See also 802.1x standards
IETF (Internet Engineering Task Force) 196
IEV (IDS Event Viewer) 227
IIS (Internet Information Services)
    enabling logging 113
    hardening, website information on 117
    log file formats 113
IKE (Internet Key Exchange) protocol 256, 282
    establishing an IKE policy for VPNs 284
    SA (security association) lifetime 282
implementation phase, network life cycle 98
in-band management, network IDS 217, 220
inbound and outbound traffic 168
inbound packets, filtering 143, 154
independent basic service set. See IBSS
inform requests, SNMP 357
    configuring router to send to a host 361
information sent to SYSLOG server 355
inside global address (NAT) 177
inside interfaces 183
inside intruders 40, 193
inside local address (NAT) 177
inspect commands, router 150
inspection methodologies, firewalls 162
inspection of packets at application layer by CBAC 148–152
    creating inspection rules (example) 154
Institute of Electrical and Electronics Engineers (IEEE) 327. See also 802.1x standards
integrated Windows authentication 116
integrity of data 8
Intercept Correlate Rules Engine (INCORE) (Secure Agent) 204
interface bandwidth constraints, network design 93
interface command (PIX Firewall) 184, 186
interface command to apply an access list to an interface 143
interfaces
    configuring on VPN Concentrator Screen 289
    firewall
        DMZ 183
        internal and external 149
        naming 183
    information about 370
    NetScreen firewalls 171
    network IDS 208
    network, assigning IP addresses to 185
    PIX Firewall
        naming of 165
        security levels 167
    router
        assigning access list to 143
        assigning CBAC inspection rules and access list to 154
        monitoring interfaces 213
internal interface of the firewall 149


internal physical security 45, 100
internal weaknesses and vulnerabilities 6
International Telecommunications Union (ITU-T) 35
Internet
    access policy, coverage in security policy 82
    availability of networks to 80
    communication over 14–15
    mail server attack launched via 208
    restricted employee access to 178
    traffic levels, IDS and 203
Internet Accessible Router (IAR) 176
Internet Assigned Number Authority (IANA) 19
Internet Control Message Protocol. See ICMP
Internet Engineering Task Force (IETF) 196
Internet Explorer 118–123
    security levels 119
        predefined, list of 119
    security zones, changing settings for 118–119
    security, website information on 118
Internet Information Services. See IIS
Internet Key Exchange. See IKE protocol
Internet Operating System. See IOS
Internet relay chat, viruses on 51
Internet Security Association and Key Management Protocol (ISAKMP) 282
Internet security zone (Internet Explorer) 118
Internet-enabled business 79
intranet security zone (Internet Explorer) 118
Intrusion Detection System (IDS), Cisco 164
intrusion detection system (IDSs) 40, 193–233
    fundamentals of 194
    IDS sensors 41
        getting past in Ping of Death attack 23
    signature-based IDS 195
IOS (Internet Operating System) 236
    AAA configuration on 236–241
    debug commands for SNMP 361
    IDSs based on, deployment on network 212
    Kerberos support 252
    Service Assurance Agent (SAA) 362–365
    SNMP versions supported 358
    SSH server 48
    TACACS+ support 242
IP router access lists 139
IP address space, NetScreen firewalls and 172
IP addresses
    access control based on (for a PC) 116
    identifying VPN peers by 284
    inside and outside, defining for network interfaces 185
    internal network, translation to global addresses 186
    NAT (network address translation) and 175
    source and destination, TCP/IP connections 19
IP protocol 16–18. See also TCP/IP protocol suite
    address spoofing 20
    Explicit Congestion Notification (ECN) 20
    fragment reassembly vulnerability 161
    fragmentation offset 17, 23
    mobile IP 18
    redirect 138
    redirection attacks 339
    sessions, logging of by network IDSs 213
    telephony, network design planning for 97
IPSec (IP Security) 272–283
    antireplay protection 277
    configuring all parameters for VPN 292
    data integrity function 273
    encryption 272
    establishing IPSec policy for VPNs 284
    eToken, storing certificates with 256
    four major functions of 272
    origin authentication 274–277
        preshared keys method 274
        RSA signatures method 275
        RSA-encrypted nonces 276
    preshared keys, peer authentication by 274
    protocol framework 277
        AH (authentication header) 277
        ESP (encapsulating security payload) 279
    selecting Security Association (SA) 293
    transform sets 282
    tunnel or transport mode 279
    VPNs with
        configuring IPSec 285
        preparation for 284
    wireless network security, using for 342
IPSec concentrator 87
iris and retina recognition 55
ISAKMP (Internet Security Association and Key Management Protocol) 282
ISDN networks, NetScreen firewalls and 171


J
Juniper Networks 170

K
KEEP_ALIVE timer 25
Kerberos 241, 250–252
    encrypted login sessions 48
    key distribution center (KDC) 250
key distribution methods
    establishing in IKE policy for VPNs 284
    IPSec peer authentication 274
key exchange method, identifying for IKE Phase 1 282
keys, compromised 308
Kismet (WLAN packet analyzer) 336

L
labor requirements, network design and 94
Land.C attacks 161
LANs (local-area networks) 14. See also WLANs
    peer-to-peer, limitations of 328
    viruses on 51
    wireless connectivity 330
    WLANs 328
LAN-to-LAN tunnel type 294
latency, testing in network traffic simulation 96
Layer 2 or Layer 3, OSI model, NetScreen firewalls operating at 172
Layer 3, OSI model 163
Layer 4, OSI model (TCP layer) 162
Layer 7, OSI model 250
layered approach to security 91
    defense in depth 96–97
    external physical security 44, 100
    internal physical security 45, 100
least trusted 4
levels of logging 353
    warning levels, information sent to SYSLOG server 354
life cycle (network), stages of 97–99
Light Extensible Authentication Protocol (LEAP) 339
link layer, extensible authentication (802.1x) 340
Linksys, Inc. 331
local Internet security zone (Internet Explorer) 118
local-area networks (LANs) 14
lock-and-key access lists 144
lock-and-key feature 252–256
logging 353–356
    case study 366–372
    default log file directory, changing for security 114
    enabling for web servers 113
    IIS, supported log file formats 113
    IP session, by network IDSs 213
    levels of 353
    SYSLOG 354
logins, encrypted 46
    Kerberos 48
    SSL (Secure Socket Layer) 48–49
    SSH (Secure Shell) 47–48
LZS compression algorithm 295

M
MAC (medium access control) layer, WLANs 332
    security enhancements, IEEE 802.11i standard 340
mail server, attack on rebuffed by network IDS 208
malware, definition and categories of 5
man in the middle attacks 162
Management Information Base (MIB) 356
management station
    communication with sensors 217
    network IDS 208
management, IDS 193
manager functions, VPN 288
managers, SNMP
    defining relationship with agent 359
    limiting access to objects 359
man-in-the-middle attacks 72
    WEP protocol, vulnerability to 338
manpower and labor costs for IDSs 203
masks, router access lists 140
McAfee Antivirus software applications 51
MD5 encryption algorithm, secret password hashes 132


MD5 or SHA-1 hash algorithms
    establishing use of in IPSec policy 284
    identifying for IKE Phase 2 283
    IKE Phase 1, using with 282
medium access control. See MAC layer, WLANs 332
memory, tied up in TCP SYN flood attacks 161
Message Digest 5 (MD5) algorithm 40, 70
message injection attacks 339
message modification attacks 339
MIB (Management Information Base) 356
Microsoft. See also Internet Explorer
    hardening IIS, website information on 117
    security information on the website 110
    operating systems
        security patches and updates 6
misuse, risk of 9
mobile IP 18
modular approach to network security 91
monitoring network 218
monitoring port, network IDS 208
multicasting, testing in network traffic simulation 96
multiple locations for network defenses 96

N
named access lists 139
    commands 140
nameif command (PIX Firewall) 183
NAT (network address translation) 168, 175
    disadvantages of 177
    enabling PIX for 183–189
    router NAT translation table, viewing 176
nat command (PIX Firewall) 186
National Security Agency. See NSA
NetScreen firewalls 164, 170–173
    data flow 171
    deep packet layer inspection 171
    functions not covered in detail 173
    session table 171
NetStumbler (WLAN packet analyzer) 336
network accounting function 241
network address translation. See NAT
network addresses 140
network architecture 92
network audits 95
network design 91
    fundamental principles 92–97
        defense in depth 96
        design activities, tools, and techniques 94–96
        requirements and constraints 93
        top-down design practices 92
    methodology 97–99
    physical security 99–101
    return on investment 99
    switches and hubs 101
network IDS 41, 194, 207–217
    case study 221–232
        active response, blocking host 229–232
        IDS Event Viewer 228
        sensor initialization and configuration 223–226
        sensor placement 223
        tuning IDS 227
    deploying in the network 210–216
        PIX Firewall as sensor 213
        router IDS features and network modules 212
    evasion and antievasion techniques 202
    host IDS versus 200
    management communications 217
        in-band management 220
        out-of-band management 219
    notification and reporting 217
    organizational issues and complications 202
        political constraints 203
        social constraints 203
        technological constraints 203
    responses to attacks
        IP session logging 213
        TCP resets 215
    sensor components and architecture 208
network infrastructure, requirements of 92
network interface cards (NICs), wireless 328
network layer (Layer 3, OSI model) 163
    correspondence of IP protocol to 16
    mobile IP connections 18
Network Management Server (NMS) 164
Network Management System (NMS) 356
network performance, monitoring with SAA 362


network resources, use and protection of (security policy) 81
network security
    books 427
    responsibilities for 7–8
    websites 428
network security database (NSDB) 197
    updates for IDS signatures 221
network traffic
    analysis of 95
    inbound and outbound 168
    simulating 96
networks, availability to Internet and public networks 80
NMS (Network Management Server) 164
NMS (Network Management System) 356
nonces 274, 276
nonstatistical anomaly detection 200
notification alarms, IDS 194
notification features, network IDS 217
notifications, SNMP 357
    configuring 361
NSA (National Security Agency) 393–395
    security guides 394
NSDB (network security database) 197
    updates for IDS signatures 221
NTFS file encryption 52
number used once. See nonces
numbered access list commands 139
numbered access lists, extended 141–144

O
open authentication, wireless networks with 337
operating systems
    hardening security of 107–123
        browsers 118–123
        case study 124–128
        file systems 107–109
        SANS step-by-step guides for 386
        web servers 109–117
    overlapping IP fragment bug 161
    software-based firewalls and 174
operation phase, network life cycle 98
optimization phase, network life cycle 99
origin authentication, IPSec 274–277
OSI model
    Layer 2 or Layer 3 mode, NetScreen firewalls operating at 172
    Layer 3 (network) 163
        IP, corresponding to 16
    Layer 4 (TCP) 162
    Layer 7 (application layer) 250
    SNMP on 356
    TCP/IP mapped to 16
    transport layer (TCP) 18
outbound network traffic 168
outbound packets, filtering 143
out-of-band management, network IDS 217, 219
outside global address (NAT) 177
outside hosts, connections to internal resources 169
outside interfaces 183
outside intruders 40, 193
outside local address (NAT) 177
overlapping IP fragment implementation bug 161

P
packet filtering 162
packet filters for routers. See access lists, router 138
parameter g (Diffie-Hellman) 68
parameter p (Diffie-Hellman) 68
passive response to attacks, network IDS 213
passive scanning for wireless stations or access points 334
Password Authentication Protocol (PAP) 243
passwords
    capture by Trojan horses 161
    combined with digital signatures 256
    configuring secure passwords for routers 131
    encryption, service password-encryption command 135, 153
    file protection with 53
    reusable 50
    router
        assigned to the console, VTY, AUX lines, and enable 134
        configuration for Telnet 133
        enable and user-level passwords 133
        recovery procedure for 132
PAT (Port Address Translation) 175, 176
    disadvantages of 177
patching, vulnerabilities 86


pattern-matching IDS signatures 195
PC card-based solutions (security) 41–43
    hardware keys 42
    PC encryption cards 43
    security cards 41
PC encryption cards 43
PCI (Peripheral Component Interconnect) 328
PCMCIA (wireless NIC) 328
PDIOO (planning, design, implementation, operation, and optimization) 97
peer authentication methods on VPNs 274
peer-to-peer WLANs 328, 329
performance, monitoring with SAA 362
Peripheral Component Interconnect. See PCI
permissions
    changing in DACs 112
    router access list, example of 154
    web content directory, changing for Internet Explorer 126
    Windows file systems, hardening security settings 107–109
permit entry 147
persistent cookies 123
Personal Computer Memory Card International Association (PCMCIA) 328
personal digital ID or certificate 38
personal firewalls 174
personnel awareness of security policy 46
personnel training in physical security 101
PGP (Pretty Good Privacy) 69, 302
PHY (physical) layer, WLANs 332
physical security 44–46
    disaster recovery plans 45
    governmental specifications 100
    internal 45, 100
    intrusion by tailgating 101
    network design 99–101
    outside and external security 44
    personnel training 101
    securing the perimeter 100
    survivability and recovery 101
ping, use in Smurf attacks 162
Ping of Death attack 23
PIX Firewall 164, 165–170
    commands for managing and troubleshooting 190
    configuration as cut-through proxy 168
    data flow for 167
    features and functions not covered in detail 170
    full working configuration (case study) 189
    IDS 213
    NAT (network address translation) 183–189
    placement of 169, 181
PKCS (Public Key Cryptography Standard) 307
PKI (Public Key Infrastructure) 72, 301–323
    creating your own CA 312–323
    enrolling in a CA 73
    enrollment procedure 306
    public key distribution 301
    revocation of certificates 307
    topologies of trust 304
    trusted third party 302
        key exchange 304
        public key signing 304
planning stage (network life cycle) 98
plug-ins, browser 118
point-to-multipoint bridge (WLANs) 328
point-to-point bridge (WLANs) 328
point-to-point WLANs 330
policy section (example security policy for a VPN) 87
policy, definition of 387
policy-based IDS 198
    attacks prevented by 199
political constraints
    on network design 94
    on network IDS 203
pool of global addresses 187
Port Address Translation (PAT) 175
port numbers 19
ports
    colors for 369
    risks of open wireless ports 336
power blackouts, countering 45, 101
preshared keys (peer authentication method) 274
Pretty Good Privacy (PGP) 69, 302
prime numbers
    parameter p, Diffie-Hellman algorithm 68
    RSA algorithm 69
privacy policies, financial institutions 8
private data traversing public networks 80


Private Internet Exchange. See PIX Firewall 165
private key (digital IDs) 39
Private Ports 19
privilege levels 239
processor speed 93
protocol decode-based IDS signatures 195
protocol stacks (802.11 standard) 331
protocols
    adaptive, checking in network traffic simulation 96
    CBAC inspection of 151
    CBAC intelligent filtering for 148
    Internet Key Exchange (IKE) 282
    IPSec 277
        establishing use of in IPSec policy 284
        identification of in transform sets 283
        tunnel or transport mode 279
    tunneling, selecting for VPN 292
proxies
    configuring PIX Firewall as cut-through proxy 168
    limiting attacks with 162
    network use of proxy services 177
PSH (Push function), TCP field 23
public key (digital IDs) 39
public key cryptography 272, 307
Public Key Infrastructure. See PKI
public networks, sending private data over 80
Public Service Segment (PSS) 49. See also DMZs
purpose of a security policy 82
    example for a VPN 86
PuTTY (SSH client) 48

Q
quality of service (QoS)
    guaranteeing, costs of 94
    validating and testing adequately 96

R
radio frequency (RF) technology, use by WLANs 331
radio, cryptography and 62
RADIUS 241, 245–249
    with 802.11i authentication framework 340
    ACS setup for RADIUS authentication 249
    authentication 246
        attribute pairs 247
    summary of 248
    TACACS+ versus 250
RDEP (Remote Data Exchange Protocol)
    communication between network IDS sensor and director 217
    IP session logging, network IDSs 213
realm 292
recovery from disasters 101
Redirect messages 22
redirection (IP redirect service) 138
redundancy in network designs 97
reflect option 147
reflexive access lists 147
Registered Ports 19
remarks, adding in named access lists 143
remote access 79, 235–266
    AAA model 235
        accounting 239–241
        authentication 237–238
        authorization 238
        servers 241–252
    configuration of AAA server (CiscoSecure ACS) 256–265
    lock-and-key feature 252–256
    security policy coverage of 82
    two-factor identification 256
Remote Access tunnel type 294
remote access VPNs 269
    case study 285–298
Remote Authentication Dial-In User Service. See RADIUS
Remote Data Exchange Protocol. See RDEP
Remote Monitoring (RMON) 372
remote Telnet sessions and logins, securing 47
reporting features, network IDS 217
requirements and constraints, network design 93
resetting TCP connections
    network IDS response to attacks 215
    router configured for network IDS 212
Response Time Reporter (RTR). See SAA
responses to alerts, network IDS 213
restricted security zone (Internet Explorer) 118


retina and iris recognition 55
return on investment (ROI), network design and 99
reusable passwords 50
reverse lookup, countering DNS spoofing with 31
reverse social engineering attacks 31
RFCs (Request for Comments), protocol analysis for violations of 195
rights, permissions versus 107
risk assessment
    annualized rate of occurrence (ARO) 9
    single loss expectancy (SLE) 9
    types of risks 9
risks
    reducing with tools to support design process 95
    vulnerabilities and 13–14
Rivest, Shamir, and Adelman (RSA) algorithm 68, 273
RMON (Remote Monitoring) 361
robust defenses 96
roles, defining 81
route command (PIX Firewall) 188
routers 17
    AAA configurations on Cisco IOS router 236–241
    AAA model, enabling 237
    Brussels 134
    Cisco Router Security Configuration Guide 394
    configuring GRE tunnels on 271
    configuring IPSec on 282
    configuring to send only warnings to SYSLOG server 355
    content filtering 178
    extended access lists 20
    filtering, placement of 181
    IDS features and network modules 212
    NAT translation table, viewing 176
    PIX Firewall and 166
    security
        administrative access, configuring 131
        banner to warn intruders 135
        case study of telecommuter connecting to branch office 152–156
        CBAC (Cisco IOS Firewall) 148–152
        commands to configure a new router 153
        console port, timeout 135
        enable and user-level passwords configured 133
        online information, Cisco web site 138
        passwords assigned to console, VTY, AUX lines and enable 134
        services, turning off or restricting access 137
    security for network protection 138–148
        access lists 138
RSA (Rivest, Shamir, and Adelman) algorithm 273
RSA Laboratories, PKCS standards 307
RSA signatures (peer authentication method) 274, 275
RSA-encrypted nonces (peer authentication method) 274, 276
RST (Reset the connection), TCP header flag 23
RTR (Response Time Reporter). See SAA
rtr operation-number command 363

S
SA (security association)
    establishing for IPSec 284
    IKE SA lifetime 282
    ISAKMP protocol 282
    mode configuration option for VPNs 295
    reauthentication after IKE SA expires 295
    selection for IPSec on remote access VPN 293
SAA (Service Assurance Agent) 362–365
SAFE (Security Architecture for Enterprises) 91, 377–383
    Blueprint for Enterprise Networks, web site 97
    out-of-band management, network IDS 220
    overview of architecture 379
    references for further information 382
    summary of 382
    WLAN design 342
SANS Institute 385–390
    policy, standard, and guideline, definitions of 387
    programs and initiatives 385
    references for further information 389
    Security Policy Project 386
    templates for security policies 387–389
scalability
    for cryptographic applications 302
    key exchange with PKI 307
    network configuration, stateless firewalls and 163
    nonscalable methods of public key distribution 301
scanning functions, WLANs 333


SCIF (Sensitive Compartmented Information Facilities), physical security manual 44
scope of a security policy 82
    example policy for a VPN 86
script kiddies 6
scripting languages, most popular for browser plug-ins 118
secret key cryptography 48
secret passwords, enabling for Cisco routers 132
Secure Agent Managers, Cisco 206
Secure Agent, Cisco 204–205, 206
secure areas 49
Secure Hash Algorithm (SHA) 71
Secure Integrated Software, Cisco 212
Secure Policy Manager (Cisco), alarm-reporting feature 217
Secure Server Certification authority 38, 310
Secure Shell. See SSH
Secure Socket Layer. See SSL
Security Architecture for Enterprises. See SAFE
security cards 41
security guides (NSA) 394
security incidents 81
    handling procedure 82, 84
security levels
    Internet Explorer 119
    PIX Firewall interfaces 167, 183
security plan 82
    deny all and allow all models 83
security policies 79–88, 91
    auditing state of 95
    connection-based 166, 183
    defining 81
    development process 82
    development team 83
    development, best practices 378
    IDSs based on 198
    importance of 81–82
    incident handling process 84
    key components of 82
    main purpose of 82
    mixing models, problems with 83
    personnel awareness of 46
    reusable passwords and 50
    sample security policy for a VPN 86
    SANS templates for 387–389
    security wheel 84
    senior management enforcement of 7
Security Policy Project (SANS) 386
security servers
    Cisco ACS 242
    Kerberos 48, 241, 250–252
    RADIUS 245–249
    TACACS+ versus RADIUS 250
security training and certification. See SANS Institute
security wheel 81, 84–85
senior management, responsibilities for network security 7
Sensitive Compartmented Information Facilities (SCIF), online information 100
sensor components and architecture 208
sensors, IDS 41, 193
    host sensor components and architecture 204
    maintenance of 221
    network sensors 209
        communication with director 217
        components and architecture 208
        placement on the network 210
SEP (Scalable Encryption Processing) 292
separate service subnet (SSN) 165, 170
SEQ/ACK (Sequence and Acknowledgment) numbers
    attackers, use by 25
    in connection hijacking 26
sequence numbers, TCP 20
    prediction of in connection-killing attacks 25
    SYN (Synchronize sequence numbers) flag 23
server digital ID or website certificate 38
Service Level Agreements (SLAs), verifying with SAAs 362
service password-encryption command 135, 153
service set identifiers. See SSIDs
services
    router, turning off or restricting access to 137
    selectively enabling or turning on all for host system 83
    unnecessary, disabling, or removing 109
        list of services that can be disabled 110
session cookies 123, 124


session table, NetScreen 171
sessions
    TCP and UDP, management by CBAC 148
SHA-1 (Secure Hash Algorithm) 71
show aaa user all command (Cisco IOS) 239
show access-lists command 145, 255
    reflexive access lists 147
show accounting command (Cisco IOS) 239
show ip nat translations command 176
show privilege command 239
show rtr command 364
show rtr history command 365
signature recognition (biometrics) 55
signature-based IDS 194, 195
    pros and cons of 196
    updating signatures 221
Simple Network Management Protocol. See SNMP
single logon (Kerberos) 252
Single Loss Expectancy (SLE) 9
single root CA 305
site security architecture 82
Site Security Handbook (RFC 2196) 81
site-to-site VPNs 270
small office/home office (SOHO) hardware 331
smart cards 41, 256
    token-based authentication 42
smoke, temperature, and humidity sensors 45
Smurf attacks 162, 198
Sniffer Pro (WLAN packet analyzer) 336
sniffing on publicly accessible networks 72
SNMP (Simple Network Management Protocol) 356–362
    access to routers via 131
    configuration 359–361
    notifications 357
    RMON, using with 361
    SAA, accessing with 363
    setup (case study) 366
    versions 358
snmp-server command 359
SoBig virus 51
social constraints
    network design 94
    on network IDS 203
social engineering 31
    countermeasures 32
sockets 19
software
    protection with hardware keys 42
    unpatched, security threats from 6
software firewalls (Check Point) 173
source and destination IP addresses, TCP/IP connections 19
source and destination port numbers 19
Source Quench message 22
speech analysis 54
speed, network interface 185
split tunneling 87
spoof attacks 162
spoofing
    antispoofing protection, router configuration 154
    countermeasures 31
    techniques for 29
spyware 5
SSH (Secure Shell) 47–48
    versions 48
    wireless network security, using for 342
SSIDs (service set identifiers) 334
    vulnerabilities of 336
SSL (Secure Socket Layer) 48–49, 71
SSN (separate service subnet) 165, 170
standard IP access lists 139
standard numbered IP access lists, additional keywords supported 140
standard, definition of 387
standards for telecommunication equipment 35
state information for TCP and UDP sessions, CBAC and 148
stateful filtering (firewalls) 162
stateful firewalls 163
stateful pattern-matching IDS systems 195
stateless filtering 162
static and dynamic translation slots, ASA and 167
static routing on a PIX Firewall 188
stations, wireless 333
    SAFE design recommendations for 343
    scanning for other stations or access points 333
statistical anomaly detection 200
stream ciphers 64
subnet masks 140, 182
survivability and recovery, physical security planning 101
switches and hubs, network security design 101
    switch security features, examples of 102


switches, configuring for traffic-capture functions 211
Sygate firewall 174
symmetric key algorithms 64–66
    AES 64, 66, 283
    DES (Data Encryption Standard) 64, 272
    Triple DES (3DES) 65–66, 272, 283
symmetric key encryption 272
SYN (Synchronize sequence numbers), TCP flag 23
SYN-flooding attacks, prevention by CBAC 148
SysAdmin, Audit, Network, and Security. See SANS Institute
SYSLOG 354
SYSLOG server
    router configured to send more information to 355
    router configured to send only warnings 355

T
TACACS+ 241, 258–265
    accounting 245
    ACS log 265
    authorization 243
    lock-and-key feature 253–256
    RADIUS versus 250
    summary of 244
    user authentication 144
tailgating 101
TCP 18–20
    additional information on, RFC 793 20
    Layer 4 of OSI model 162
    segment format 19
    sequence number prediction 25
    three-way handshake preceding data exchange 20

TCP connections
    resetting capability, network IDSs 215
    resetting with router configured for network IDS 212
TCP SYN flood attacks 161
TCP SYN packets, in Land.C attacks 161
TCP/IP protocol suite

    fragmentation reassembly code 161
    IP layer 16
    mapped to OSI model 16
    security issues 20–27
    weaknesses of 14–16
        closing a connection by FIN 25
        covert channels 21
        hijacking TCP connections 26
        IP fragment attacks 23
        SYN flood 25
        TCP flags 23
TCP/UDP ports, stateless firewalls and 163
teardrop attacks 161
technological constraints
    on network design 93
    on network IDS 203
telecommunications standards 35
telecommuter connecting to branch office, protecting routers (case study) 152–156
telegraph, cryptography and 62
telephone calls, used in social engineering attacks 31
telephony, IP 97
Telnet
    access to routers 131
    router sessions via, configuring VTY password 132
Temporal Key Integration Protocol (TKIP) 340
Terminal Access Controller Access Control System plus. See TACACS+
terminals, logical virtual type (VTY) lines 133
terrorism
    Internet exploitation 14
    physical security and 44
theft, risk of 9
three-way handshake, TCP connections 20
    flags used in 23
    timers and TCP flags, sequences of 25
time-based access lists, routers 146
timeout
    console port of routers 135
    and thresholds in session management by CBAC 150
timers, TCP/IP sessions 25
TKIP (Temporal Key Integration Protocol) 340
TLS (Transport Layer Security) 48, 71
Token Ring networks
    802.5 wireless standard, IEEE 332
    NetScreen firewalls and 171
    speed, values for 185


token-based authentication systems 42
tools used in network design process 81, 94
topologies of trust, PKI 302
traffic filtering, CBAC 148
traffic inspection, CBAC 148
traffic, inbound and outbound 168
traffic, network
    analysis of 95
    monitoring with RMON and SNMP 361
    simulating 96
transform sets 282–283
    establishing use of in IPSec policy 284
translation slots, PIX Firewall 168
translation table (NAT), viewing on Cisco router 176
Transmission Control Protocol. See TCP
Transmission Control Protocol/Internet Protocol. See TCP/IP protocol suite 14
Transport Layer Security (TLS) 48, 71
transport layer, OSI 18
transport mode (IPSec connections) 280
traps, SNMP 357
    configuring recipient of 360
    configuring router to send 361
Triple DES. See 3DES encryption algorithm
Trojan horses 5, 161
troubleshooting SNMP, commands for 360
trust 3–4
trusted sites security zone (Internet Explorer) 118
trusted third-party protocol (PKI) 302
    enrollment procedure for PKI users 306
    topologies of trust, PKI 304
tunnel mode (IPSec) 281
tunneling
    GRE (generic routing encapsulation) tunnels 271
    LAN-to-LAN or Remote Access tunnel type 294
    selecting protocol for VPN 292
    split tunneling 87
two-factor identification 256
typing biometrics 54

U
UDP bomb 161
UDP ports, stateless firewalls and 163
UDZs (user-defined zones) 171
unauthorized programs, potential security holes from 6
uninterruptible power supplies (UPSs) 45, 101
universal serial bus (USB) Smartcard key (eToken) 256
unpatched software, security threats posed by 6
unsafe environments, communicating and doing business safely in 80
untrusted 4
URG (Urgent pointer field), TCP flag 23
URL filtering. See content filtering
URLs, secure (https) 37
use policy for the network resources 81
User Datagram Protocol (UDP) service, use in chargen attack 161
user-defined zones (UDZs) 171
usernames, capture by Trojan horses 161
users
    configuring for SNMP 360
    VPN 296

V
ventilation requirements for network equipment 93, 100
view record, creating or modifying 359
Virtual Private Networks. See VPNs
virtual type terminal (VTY) lines 132–133
viruses 5
    antivirus software 51, 181
    enabled by Trojan horses 161
    risk of 9
    smart card protection against 42
VMS Management Center for IDS, Cisco 217
voice communication over IP, government role in security 8
voice recognition 54
VPN concentrator 87
VPNs (virtual private networks) 269–299
    case study, remote access VPN 285–298
    enrollment of devices in PKI 307
    GRE (generic routing encapsulation) tunnels 271
    IPSec (IP Security) 272–283
        antireplay protection 277
        data integrity 273
        origin authentication 274–277
        protocol framework 277
        transform sets 282


        tunnel or transport mode 279
    PKI solution for authentication 301
    types of 269
    using IPSec with
        configuring IPSec 285
        preparation for 284
    wireless network security, using for 342
VTY (virtual type terminal) lines 132–133
vulnerabilities 13–32
    buffer overflows 28
    communications over public networks 72
    on data port 139, 161
    fingerprint scanning 54
    information about, in CSEC 162
    internal and external 5–6
    log file alteration or deletion by intruders 114
    patching 86
    reusable passwords 50
    risk and 13–14
    shared key authentication, WLANs 337
    social engineering 31
        countermeasures 32
    software-based firewalls 174
    spoofing techniques 29
    SSIDs, WLAN 336
    TCP/IP security issues 20–27
    WEP protocol 338
        countermeasures to 339

W
W3C extended Log File Format 113
WAN (wide area network) bandwidth, cost of 94
war-driving and war-chalking 342
warm site (disaster recovery plan) 46
warning level of information sent to SYSLOG server 354
warnings, Syslog 355
weak passwords 50
weaknesses. See also vulnerabilities
    internal and external 5–6
    of TCP/IP protocol suite 14–16
Web applications 14
web of trust 302
web security 107
    hardening 107–123
        browsers 118–123
        case study 124–128
        file systems 107–109
        web servers 109–117
    SSL as standard for 48
web servers
    attacks against, prevention with signature-based IDS 196
    denial-of-service (DoS) attacks against 20–21, 24, 161, 163, 198
    hardening 112–117
    logging, enabling 113
    restricting access to a website 114–117
    securing, tasks involved in 109
web-based requests (PKI enrollment) 307
website certificates 38
websites
    information on network security 428
    restricting access to 114–117
    SSL-enabled 48
Well-Known Ports 19
WEP (wired equivalent privacy) protocol 334, 336
    countermeasures to vulnerabilities 339
    overview of 337
    vulnerabilities of 338
WEPCrack program 338
wheel cipher 62
Windows Internet Naming Service (WINS) 295
Windows systems
    file systems, hardening 107–109
    integrated authentication 116
    software patches for 6, 7
wired equivalent privacy. See WEP protocol
wireless
    how it works 333
    standards for WLAN applications 328
wireless and voice communication over IP, government role in security 8
wireless local-area networks. See WLANs
wireless network interface cards (NICs) 328
wireless networks
    building-to-building, types of 330
    community networks 330


wireless security 327–350
    adding wireless to secure network 344–349
    SAFE WLAN design 342
    war-driving and war-chalking 342
Wireless Security Suite, Cisco 339, 342
WLANs (wireless LANs) 327
    different configurations of 328–331
    EAP protocol and 802.11i standard 340
    hotspot 330
    how wireless works 333
    overview of 331
    peer-to-peer 329
    risks of open wireless ports 336
    SAFE WLAN design 342
    setting up WLAN connection 333
worms 5

X
X.509 standard for digital certificates 35
xlate. See translation slots, PIX Firewall
XOR (exclusive OR) function 338

Z
ZoneAlarm firewall 174
zones
    firewall 171
    DMZs. See DMZs
    peer-to-peer WLAN 329
