INDEX

Numerics

3DES (Triple DES) encryption algorithm 272, 283
802.11 standards 327, 331–333
    protocol stacks 331, 332
    scanning functions 334
802.1x standards
    authentication framework 339–342
    EAP protocol and 802.11i 340–342
802.x standards, IEEE 332

A

AAA (authentication, authorization, and accounting) 131, 165
    AAA model 235
    accounting 239–241
    authentication 237–238
    authorization 238
    configuration of CiscoSecure ACS 256–265
    securing network with AAA server 236
    security servers 241–252
        Kerberos 250–252
        RADIUS 245–249
        TACACS+ versus RADIUS 250
aaa new-model command 237
acceptable use policy 82
access control
    based on IP addresses 116
    DAC model, attributes of 112
    restricting access to a website 114
    of routers 131
Access Control Entries (ACE) 138
access lists, router 138–148
    applied to an interface, configuring direction of the data flow 143
    assigning to router interface 154
    dynamic 252
    enhanced 144–148
        dynamic access lists 144
        time-based access lists 146
        reflexive access lists 147
    extended numbered access list 141–144
    identification numbers and types 138
    named access list commands 140
    numbered access list commands 139
    permissions, example of 154
    permitting IPSec traffic on VPNs 288
    PIX Firewall 167–170
    SNMP managers using community string 359
    standard numbered IP access lists, additional keywords 140
access points (APs) 333
    beacon messages, SSID in 336
    placement and configuration of 344–349
    SAFE design recommendations 343
    wireless clients communicating without 328
    zone coverage area and 329
access-enable command 255
    issued for user in a dynamic access list 145
access-list filters on routers, vulnerability of 162
accounting 235, 236, 239–241
    important function records 241
    TACACS+ 245
accounts, renaming critical accounts 109
ACK (Acknowledgment field), TCP headers 23
Acknowledgment number, TCP 20
ACS (Access Control Server) 242
    configuration of 256–265
    download site, trial copies 250
    RADIUS authentication setup 249
active responses to attacks, network IDS 215
active scanning for wireless stations or access points 334
adaptive protocols, checking 96
Adaptive Security Algorithm (ASA) 166
Address Resolution Protocol (ARP), spoofing 29–30
address space of program code, making nonexecutable 29
administrative personnel, access to routers 131
administration, VPN manager functions 288
Advanced Services for Network Security (ASNS) 86
AES (Advanced Encryption Standard) 64, 66, 283
agents, SNMP 356
    defining relationship with manager 359
1587201672.book Page 433 Wednesday, August 11, 2004 3:36 PM
AH (authentication header) protocol 277
    establishing use of in IPSec policy 284
    identified in IPSec transform sets 283
    identifying for IKE Phase 2 283
    transport mode 280
    tunnel mode 281
Airsnort program 338
Aladdin eToken 256
alarms and events (RMON), monitoring traffic with 361
alarms, IDS 194
    analyzing for IDS tuning 227
    monitoring and tuning 225
    network IDS 217
    routers configured for network IDS 212
alerts and audit trails, generated by CBAC 148
algorithms
    asymmetric key algorithms 66–69
        Diffie-Hellman 68
        PGP 69
        RSA 68–69
    definition of 63
    encryption 282–284
    hashing 69
    SSL and TLS 71
    symmetric key algorithms 64–66
        AES 64, 66, 283
        DES 64, 272, 283
        Triple DES (3DES) 65–66, 272, 283
allow all model (security plan) 83
allowed and disallowed behavior, defining 81
analysis tools (network traffic analysis) 95
annualized rate of occurrence (ARO) 9
annual loss expectancy (ALE) 9
anomaly-based IDSs 200
anonymous access 116
antireplay protection 277
antivirus software 51, 181
application layer, OSI model
    data-driven attacks 160
    Kerberos authentication service 250
    SNMP on 356
application-layer protocols, CBAC inspection of 148–152
APs. See access points
ARO (annualized rate of occurrence) 9
ARP (Address Resolution Protocol)
    spoofing 29–30
ASA (Adaptive Security Algorithm) 166
    PIX Firewall data flow 167
ASNS (Advanced Services for Network Security) 86
asymmetric key algorithms 66–69
    Diffie-Hellman 68
    PGP 69
    RSA 68–69
asymmetric key encryption 272, 301
attacks
    broadcast, configuring router to prevent 154
    buffer overflow 28
    connection hijacking (TCP) 26
    connection-killing (TCP/IP) 25
    in cryptanalysis 61
    data-driven 160
    denial-of-service (DoS)
        distributed 161
        stopping with stateful firewall 163
        using IP spoofing 20
    deriving WEP key stream with protocol analyzer 339
    e-mail 161
    ICMP packets, using to export confidential information 22
    IP fragment attacks 23
    network IDS responses to 213
    prevented by policy-based IDS 199
    rebuffed by network IDS (example) 208
    SYN-flooding, prevention by CBAC 148
    types of attacks 161–162
auditing 109
    audit trails generated by CBAC 148
    case study 366–372
    education on. See SANS Institute
    monitoring traffic with RMON and SNMP 361
    network auditing in design process 95
    SAA (Service Assurance Agent), using 362
    SNMP. See SNMP
authenticated users, potential threats posed by 6
authentication 85, 235, 237–238
    802.1x framework and EAP protocol 340–342
    alternatives to reusable passwords 50
    configuring for website access 114–117
    encapsulating security payload (ESP) protocol 279
    hardware keys, using 43
    HMAC, used with IPSec 274
    IPSec, identifying method for IKE Phase 1 282
    Kerberos 48, 250–252
    open, for wireless networks 337
    peer authentication methods on VPNs 274, 284
    PKI users 307
    RADIUS 246–249
        ACS setup for 249
        attribute pairs (AV pairs) 247
        summary of 248
    shared key authentication, wireless networks 337
    TACACS+ 257–265
    token-based systems 42
    user authentication method, selecting for VPN 294
    WEP protocol 339
    wireless station, using WEP 333, 337
    WLANs, stations and clients 334–335
authentication header protocol. See AH protocol
authentication policy 82
authentication, authorization, and accounting. See AAA
authority and scope, statement of (security policy) 82
authorization 235, 236, 238
    TACACS+ 243
autocommand 145
automating signature updates for IDSs 221
AV pairs, RADIUS authentication 247
availability of data and resources 8

B

backplane capacity constraints, network design 93
banner for router to warn off intruders 135
baseline of your current security posture 81
basic authentication 116
basic service set (BSS) 333
beacon frames 334
beacon messages, SSID in 336
Belt and Braces Firewall architecture 168
biometrics 53–55
    face recognition 55
    fingerprint scanning 54
    signature recognition 55
    typing 54
    voice recognition 54
block ciphers 64
    AES 64, 66, 283
    DES 64, 272, 283
    Triple DES 65–66, 272, 283
BOOTP server 137
broadcast attacks, prevention of 154
browsers 118–123
Brussels router 134
BSS (basic service set) 333
buffer capacity constraints, network design 93
buffer overflows 28
bugs, risk of 9
building-to-building wireless networks 330
bytes 15

C

camera systems, internal physical security 45
campus access policy 82
card bus (wireless NIC) 328
CAs (Certificate Authorities) 37, 72, 302
    creating your own CA 312–323
    enrolling in 73
    hierarchical CAs 305
    single root CA 305
    validating signature of 73
CBAC (Context Based Access Control) 148–152, 154
CDP (Cisco Discovery Protocol) 137
certificate authorities. See CAs
certificate revocation lists. See CRLs
certificates 72, 274, 275, 284. See also digital IDs
    placement on a CRL 308
    types of 38
chalk marks (war-chalking) 342
Challenge Handshake Authentication Protocol (CHAP) 243
change control (business processes) 98
Chargen attack 161
Check Point, software firewalls 173
checksums 15
CIA (confidentiality, integrity, and availability) 8
ciphers 63
    block and stream ciphers 64–65
Cisco
    Advanced Services for Network Security (ASNS) 86
    Internetwork Operating System. See IOS
    Intrusion Detection Host sensor 204
    Intrusion Detection System (IDS) 164
    IOS 165
    IOS-based IDSs, deployment on a router or PIX-based IDS 212
    Lightweight Extensible Authentication Protocol (LEAP) 339
    Linksys product line 331
    PIX Firewall 164, 165–170
    Router Security Configuration Guide 394
    SAFE Blueprint 377–383
    Secure Agent Manager 204, 206
    Secure Integrated Software 212
    Wireless Security Suite 339, 342
Cisco Discovery Protocol (CDP) 137
Cisco IOS Firewall CBAC engine. See CBAC
Cisco Press website, certificates 308
Cisco Secure Encyclopedia (CSEC) 162, 195
CiscoSecure Access Control Server. See ACS
CiscoSecure Private Internet Exchange Firewall 165. See PIX Firewall
CiscoSecure products 162
CiscoView application 367
CiscoWorks VMS Suite 204
client-based firewalls 174
clients, setting up VPN client 297
ClipBook Viewer 111
closed network 79
coded messages. See ciphers
cold site (disaster recovery plan) 46
command and control network 218
command and control port, network IDS 208
command line interface (CLI), PIX Firewall and 165
commands
    IOS privileged EXEC commands 236
    monitoring and troubleshooting SNMP 360
    SAA operations, specifying 363
comments, adding in named access lists 143
Common Criteria EAL 4 ratings (NetScreen and PIX) 170
community networks, wireless 330
community strings, SNMP 359, 371
    assigning a view to 359
compression algorithm (LZS) 295
compromised keys 308
computer resources, in security policies 81
computers, cryptography and 63
conduits. See access lists, PIX Firewall
confidentiality, integrity, and availability (CIA) 8
Connect accounting function 241
Connection Establishment timer 25
connection hijacking (TCP) 26
connection-based security policy 166, 183
connection-killing attacks 25
connectivity and associated policies 81
consensus, communicating 81
console access to devices, avoiding 45
consoles, accessing routers from 131
constraints, network design 93
content filtering 178–181
Context-Based Access Control (CBAC) 138, 148–152, 154
cookies 123
costs and benefits of security 9
countermeasures against vulnerabilities, information about 162
covert channels 21
CPU, tie-ups in attacks 161
CPU processing speed 93
crackers 40, 193, 342
    hackers versus 5–6
    script kiddies 6
cracking codes (cryptanalysis) 61
credentials, Kerberos 252
CRLs (certificate revocation lists) 308
cross certifying 305
cryptography 61–76. See also encryption
    asymmetric key algorithms 66–69
        Diffie-Hellman 68
        PGP 69
        RSA 68
    cryptanalysis versus 61
    digital certificates 72
    hashing algorithms 69
        MD5 70
        SHA-1 71
    history of 61–63
    NSA research and education on 393
    PKCS (Public-Key Cryptography Standards) 307
    secret key, Kerberos 48
    SSL and TLS 71
    symmetric key algorithms
        AES 64, 66, 283
        DES 64, 272, 283
        Triple DES (3DES) 65–66, 272, 283
    wired equivalent privacy keys. See WEP protocol
CSEC (Cisco Secure Encyclopedia) 162

D

DAC (Discretionary Access Control) 107, 112
DAD (disclosure, alteration, and denial) 8
Data Encryption Standard. See DES
data flow
    NetScreen firewalls 171
    PIX Firewall 167
data integrity 8
    on VPNs 273
data packets, inspection up to Layer 4 162
data streams 15
data-driven, application-layer attacks 160
datagrams, IP 16
DDoS (distributed denial-of-service) attacks 165
debug commands (SNMP), documentation of 361
deep packet firewalls 162
    Cisco PIX and NetScreen firewalls 164
    NetScreen 171
defense in depth strategy 96–97
defenses 35–56
    antivirus software 51
    biometrics 53–55
    in depth 96–97
    digital IDs 35–40
    encrypted files 52
    firewalls 49
    intrusion detection systems (IDSs) 40
    PC card-based solutions 41
    physical security 44–46
    residing in multiple locations 96
    reusable passwords 50
defining roles 81
definitions section (example VPN security policy) 87
demilitarized zones. See DMZs
denial-of-service attacks. See DoS attacks
deny all model (security plan) 83
deny all statement
    ending extended numbered or named access lists 142
    ending standard or named access lists 140
DES (Data Encryption Standard) 64
    encryption algorithms 272, 283
design phase, network life cycle 98
designing a secure network 91–101
    network design methodology 97–99
    network design principles 92–97
        defense in depth 96
        design activities, tools, and techniques 94–96
        requirements and constraints 93
        top-down design practices 92
    physical security 99–101
    return on investment 99
    switches and hubs 101
Destination Unreachable message 22
developers' digital ID 38
device management, network IDS 217
    IDM (IDS Device Manager) 226
    in-band 220
    out-of-band 219
device port density constraints, network design 93
devices, physical access to 45
DHCP (Dynamic Host Configuration Protocol) 289
Diffie-Hellman algorithm 68
Diffie-Hellman key exchange 272–273
    identifying method for IKE Phase 1 282
digest 40
digital certificates. See certificates
digital IDs 35–40
    HTTPS, use of 48
    parameters of 37
    types of 38
digital signatures 73, 274
    combined with passwords 256
    RSA signatures 275
digital signing of public keys 302
director, network-based IDS 208
disaster recovery planning 45, 97, 101
disclosure, alteration, and denial (DAD) 8
Discretionary Access Control (DAC) 107, 112
distributed denial-of-service (DDoS) attacks 161
DMZs (demilitarized zones) 49, 165, 183
    configuring security levels 168
    outside connections and 170
    web server connected on, attacks against 210
DNS (Domain Name System)
    lookup service 137
    NetScreen Deep Inspection firewall and 171
    passing address to VPN client 295
    spoofing 30
DNS poisoning 161
DoS (denial-of-service) attacks
    launching with TCP flags 24
    Smurf attack 198
    starting with IP address spoofing 20
    stateful firewalls and 163
    TCP SYN flood attacks 161
dropping packets, router configured for network IDS 212
dynamic access lists 252
dynamic access lists, routers 144
dynamic and static translation slots, ASA and 167
Dynamic Host Configuration Protocol (DHCP) 289

E

EAP (Extensible Authentication Protocol) 339
eavesdropping (sniffing) on publicly accessible networks 72
echo and Echo-Reply messages 22
echo messages to IP broadcast addresses 162
e-commerce, necessity of network security for 79, 80
economic constraints, network design 94
EDE (encrypt–decrypt–encrypt) 65
Electronic Communications Privacy Act (ECPA) 8
e-mail 14
    attacks using 161
    protection during transmission with PC encryption cards 43
    social engineering attacks, use in 31
enable secret command 132, 153
encapsulating security payload. See ESP protocol
encrypted logins 46
    Kerberos 48
    SSL (Secure Sockets Layer) 48–49
    SSH (Secure Shell) 47–48
encryption 85, 272
    Diffie-Hellman key exchange 272–273
    ESP (encapsulating security payload) protocol 279
    file 52
    PC encryption cards 43
    public/private keys, digital IDs 39
    RSA-encrypted nonces 274, 276
    SEP (Scalable Encryption Processing) 292
    symmetric key algorithms 64–66
        AES 64, 66, 283
        DES 64, 272, 283
        Triple DES (3DES) 65–66, 272, 283
    WEP, improvement with TKIP 340
    wired equivalent privacy (WEP) keys 334, 337
encryption algorithms
    establishing in IPSec policy 284
    identified in IPSec transform sets 283
    identifying for ESP in IKE Phase 2 283
    identifying for IKE Phase 1 282
Encrypting File System (EFS) 52
end stations, wireless. See stations, wireless
enforcement section, security policies 87
enhanced access lists 144–148
Enigma machine 62
enrollment procedure, PKI 306
ECPA (Electronic Communications Privacy Act) 8
Enterprise Composite Network Model, out-of-band IDS management 220
environmental monitoring, high-level security areas 45
environmental requirements for network equipment 93, 100
equipment failure, risk of 9
errors, detection in data streams 15
ESP (encapsulating security payload) protocol 279
    establishing use of in IPSec policy 284
    identified in IPSec transform sets 283
    identifying for IKE Phase 2 283
    transport mode 281
    tunnel mode 281
Ethereal tool 27
Ethernet
    crossover cables 328
    NetScreen firewalls and 171
    speed, possible values for 185
    to wireless bridge 328
    WLANs, 802.3 IEEE standard 332
eToken 256
evaluate command 147
evasion techniques for network IDSs 202
events and alarms (RMON), monitoring traffic with 361
exclusive OR (XOR) function 338
exec-timeout command 134
exec-timeout, setting 153
Explicit Congestion Notification (ECN) 20
extended access lists 141
    numbered 141–144
    reflexive 147
extended Log File Format, W3C 113
extended service set (ESS) 333
Extensible Authentication Protocol (EAP) 340–342
external interface of the firewall 149
external physical security 44, 100
external weaknesses 5

F

face recognition 55
fail-over site 46, 101
false negative IDS alarms 194
false positive IDS alarms 194
    eliminating in IDS tuning 227
FERET (facial recognition technology) 55
file encryption 52
file protection 53
file systems, hardening 107–109
file transfers 14
file-based requests (PKI enrollment) 307
filtering
    content filters, firewall 178–181
    packet filtering and stateless, by firewalls 162
    stateful, by firewalls 162, 163
FIN (finished with connection), TCP flag 23, 25
FIN_WAIT timer 25
financial institutions, privacy policies 8
fingerprint scanning 54
Firewall Services Module (FWSM) 166
firewall-based VPNs 270
firewalls 49, 85, 159–191
    CBAC 148
    configured to filter based on TCP ports 20
    definition of 49
    enhancements for 175–181
        antivirus software 181
        content filtering 178–181
        NAT (network address translation) 175–177
        proxy services 177–178
    hardware-based 164, 165–173
        NetScreen 170–173
        PIX 164, 165–170
    personal 174
    placing filtering routers and firewalls 181–190
    as proxy servers 178
    software-based (Check Point) 173
    stateful 163
    stateless 162–163
    types of 162
flags, TCP 23
folders (cookie), making read-only 123
four-way handshake mechanism, TCP FIN packets 25
fragmentation offset (IP) 17, 23
fragmentation reassembly code, TCP/IP 161
framework for security implementation 81
FTP, NetScreen Deep Inspection Firewall and 171
functional areas of a network, separation with firewalls 49
FWSM (Firewall Services Module) 166

G

gateways (VPN), tunnel mode used between 281
generator (parameter g, Diffie-Hellman) 68
GIAC (Global Information Assurance Certification) 385
GLB (Gramm-Leach-Bliley) Act 8
global command (PIX Firewall) 187
Global Information Assurance Certification (GIAC) 385
globalization of business 14
governments
    security for emerging technologies, role in 8
    specifications for physical security 44, 100
Gramm-Leach-Bliley Act (GLB) 8
graphical user interface (CiscoView) 367
GRE (generic routing encapsulation) tunnels 271
group names, specifying for SNMP server 360
group rights 109
groups, configuring on VPN Concentrator Group Screen 290
guideline, definition of 387

H

hacker 5
hardening operating systems and applications 386
hardening systems 107–123
    browsers 118–123
    case study 124–128
    file systems 107–109
    web servers 109–117
hardware, SOHO 331
hardware firewalls 164, 165–173
    NetScreen 170–173
    PIX 164, 165–170
hardware interfaces 184
hardware keys 42
hash 40
hash algorithms
    establishing use of in IPSec policy 284
    identified in IPSec transform sets 283
    identifying for IKE Phase 1 282
    identifying for IKE Phase 2 283
Hash-based Message Authentication Code (HMAC) 274
hashing algorithms 69
    MD5 (Message Digest 5) 70
    SHA-1 71
hashing passwords in the router configuration file 132
headers
    IP 16
        address spoofing in 20
    TCP 18
        flags 23
Health Insurance Portability and Accountability Act (HIPAA) 8
hierarchical CA 305
hijacking TCP connections 26
history of operation, showing 365
HMAC-MD5 274
HMAC-SHA-1 274
hoaxes 5
honey-pots 202
host IDS 41, 194, 204–207
    deploying in network 203–206
    network IDS vs. 200
    sensor components and architecture 204
hostnames, identifying VPN peers with 284
hosts, configuring SNMP server hosts 360
hot site (disaster recovery plan) 46
hotspot WLAN 328, 330
HTTP
    access to routers via 131
    cookies, simulating stateful environment with 123
    NetScreen Deep Inspection firewall and 171
HTTP server 137
HTTPS 37, 48
hubs and switches, network security design 101

I

IANA (Internet Assigned Numbers Authority) 19
IAR (Internet Accessible Router) 176
IBSS (independent basic service set) 329
ICMP (Internet Control Message Protocol)
    echo (ping) traffic to IP broadcast addresses 162
    used in TCP/IP connection covert channels 22
identification policy 82
identification, two-factor 256
identity theft 72
IDM (IDS Device Manager) 226
IDSs (intrusion detection systems) 40
    anomaly-based 200
    case study 221–232
        active response, blocking host 229–232
        IDS Event Viewer 228
        initializing and configuring network sensors 223–226
        sensor placement on the network 223
        tuning IDS 227
    Cisco 164
    honey-pots 202
    host-based 204–207
        deploying in the network 206
        host sensor components and architecture 204
    network IDS 207–217
        deploying in the network 210–216
        evasion/antievasion techniques 202
        management communications 217
        notification and reporting 217
        organizational issues and complications 202
    network versus host 200
    policy-based 198
    sensor maintenance 221
    signature-based IDSs 196
IEEE (Institute of Electrical and Electronics Engineers) 327. See also 802.1x standards
IETF (Internet Engineering Task Force) 196
IEV (IDS Event Viewer) 227
IIS (Internet Information Services)
    enabling logging 113
    hardening, website information on 117
    log file formats 113
IKE (Internet Key Exchange) protocol 256, 282
    establishing an IKE policy for VPNs 284
    SA (security association) lifetime 282
implementation phase, network life cycle 98
in-band management, network IDS 217, 220
inbound and outbound traffic 168
inbound packets, filtering 143, 154
independent basic service set. See IBSS
inform requests, SNMP 357
    configuring router to send to a host 361
information sent to SYSLOG server 355
inside global address (NAT) 177
inside interfaces 183
inside intruders 40, 193
inside local address (NAT) 177
inspect commands, router 150
inspection methodologies, firewalls 162
inspection of packets at application layer by CBAC 148–152
    creating inspection rules (example) 154
Institute of Electrical and Electronics Engineers (IEEE) 327. See also 802.1x standards
integrated Windows authentication 116
integrity of data 8
Intercept Correlate Rules Engine (INCORE) (Secure Agent) 204
interface bandwidth constraints, network design 93
interface command (PIX Firewall) 184, 186
interface command to apply an access list to an interface 143
interfaces
    configuring on VPN Concentrator Screen 289
    firewall
        DMZ 183
        internal and external 149
        naming 183
    information about 370
    NetScreen firewalls 171
    network IDS 208
    network, assigning IP addresses to 185
    PIX Firewall
        naming of 165
        security levels 167
    router
        assigning access list to 143
        assigning CBAC inspection rules and access list to 154
        monitoring interfaces 213
internal interface of the firewall 149
internal physical security 45, 100
internal weaknesses and vulnerabilities 6
International Telecommunication Union (ITU-T) 35
Internet
    access policy, coverage in security policy 82
    availability of networks to 80
    communication over 14–15
    mail server attack launched via 208
    restricted employee access to 178
    traffic levels, IDS and 203
Internet Accessible Router (IAR) 176
Internet Assigned Numbers Authority (IANA) 19
Internet Control Message Protocol. See ICMP
Internet Engineering Task Force (IETF) 196
Internet Explorer 118–123
    security levels 119
        predefined, list of 119
    security zones, changing settings for 118–119
    security, website information on 118
Internet Information Services. See IIS
Internet Key Exchange. See IKE protocol
Internet relay chat, viruses on 51
Internet Security Association and Key Management Protocol (ISAKMP) 282
Internet security zone (Internet Explorer) 118
Internet-enabled business 79
Internetwork Operating System. See IOS
intranet security zone (Internet Explorer) 118
Intrusion Detection System (IDS), Cisco 164
intrusion detection systems (IDSs) 40, 193–233
    fundamentals of 194
    IDS sensors 41
        getting past in Ping of Death attack 23
    signature-based IDS 195
IOS (Internetwork Operating System) 236
    AAA configuration on 236–241
    debug commands for SNMP 361
    IDSs based on, deployment on network 212
    Kerberos support 252
    Service Assurance Agent (SAA) 362–365
    SNMP versions supported 358
    SSH server 48
    TACACS+ support 242
IP router access lists 139
IP address space, NetScreen firewalls and 172
IP addresses
    access control based on (for a PC) 116
    identifying VPN peers by 284
    inside and outside, defining for network interfaces 185
    internal network, translation to global addresses 186
    NAT (network address translation) and 175
    source and destination, TCP/IP connections 19
IP protocol 16–18. See also TCP/IP protocol suite
    address spoofing 20
    Explicit Congestion Notification (ECN) 20
    fragment reassembly vulnerability 161
    fragmentation offset 17, 23
    mobile IP 18
    redirect 138
    redirection attacks 339
    sessions, logging of by network IDSs 213
    telephony, network design planning for 97
IPSec (IP Security) 272–283
    antireplay protection 277
    configuring all parameters for VPN 292
    data integrity function 273
    encryption 272
    establishing IPSec policy for VPNs 284
    eToken, storing certificates with 256
    four major functions of 272
    origin authentication 274–277
        preshared keys method 274
        RSA signatures method 275
        RSA-encrypted nonces 276
    preshared keys, peer authentication by 274
    protocol framework 277
        AH (authentication header) 277
        ESP (encapsulating security payload) 279
    selecting Security Association (SA) 293
    transform sets 282
    tunnel or transport mode 279
    VPNs with
        configuring IPSec 285
        preparation for 284
    wireless network security, using for 342
IPSec concentrator 87
iris and retina recognition 55
ISAKMP (Internet Security Association and Key Management Protocol) 282
ISDN networks, NetScreen firewalls and 171
J

Juniper Networks 170

K

KEEP_ALIVE timer 25
Kerberos 241, 250–252
    encrypted login sessions 48
key distribution center (KDC) 250
key distribution methods
    establishing in IKE policy for VPNs 284
    IPSec peer authentication 274
key exchange method, identifying for IKE Phase 1 282
keys, compromised 308
Kismet (WLAN packet analyzer) 336

L

labor requirements, network design and 94
Land.C attacks 161
LANs (local-area networks) 14. See also WLANs
    peer-to-peer, limitations of 328
    viruses on 51
    wireless connectivity 330
    WLANs 328
LAN-to-LAN tunnel type 294
latency, testing in network traffic simulation 96
Layer 2 or Layer 3, OSI model, NetScreen firewalls operating at 172
Layer 3, OSI model 163
Layer 4, OSI model (TCP layer) 162
Layer 7, OSI model 250
layered approach to security 91
    defense in depth 96–97
    external physical security 44, 100
    internal physical security 45, 100
least trusted 4
levels of logging 353
    warning levels, information sent to SYSLOG server 354
life cycle (network), stages of 97–99
Lightweight Extensible Authentication Protocol (LEAP) 339
link layer, extensible authentication (802.1x) 340
Linksys, Inc. 331
local Internet security zone (Internet Explorer) 118
local-area networks (LANs) 14
lock-and-key access lists 144
lock-and-key feature 252–256
logging 353–356
    case study 366–372
    default log file directory, changing for security 114
    enabling for web servers 113
    IIS, supported log file formats 113
    IP session, by network IDSs 213
    levels of 353
    SYSLOG 354
logins, encrypted 46
    Kerberos 48
    SSL (Secure Sockets Layer) 48–49
    SSH (Secure Shell) 47–48
LZS compression algorithm 295

M

MAC (medium access control) layer, WLANs 332
    security enhancements, IEEE 802.11i standard 340
mail server, attack on rebuffed by network IDS 208
malware, definition and categories of 5
Management Information Base (MIB) 356
management station
    communication with sensors 217
    network IDS 208
management, IDS 193
manager functions, VPN 288
managers, SNMP
    defining relationship with agent 359
    limiting access to objects 359
man-in-the-middle attacks 72, 162
    WEP protocol, vulnerability to 338
manpower and labor costs for IDSs 203
masks, router access lists 140
McAfee Antivirus software applications 51
MD5 hash algorithm, secret password hashes 132
MD5 or SHA-1 hash algorithms
    establishing use of in IPSec policy 284
    identifying for IKE Phase 2 283
    IKE Phase 1, using with 282
medium access control. See MAC layer, WLANs
memory, tied up in TCP SYN flood attacks 161
Message Digest 5 (MD5) algorithm 40, 70
message injection attacks 339
message modification attacks 339
MIB (Management Information Base) 356
Microsoft. See also Internet Explorer
    hardening IIS, website information on 117
    security information on the website 110
    operating systems
        security patches and updates 6
misuse, risk of 9
mobile IP 18
modular approach to network security 91
monitoring network 218
monitoring port, network IDS 208
multicasting, testing in network traffic simulation 96
multiple locations for network defenses 96

N

named access lists 139
    commands 140
nameif command (PIX Firewall) 183
NAT (network address translation) 168, 175
    disadvantages of 177
    enabling PIX for 183–189
    router NAT translation table, viewing 176
nat command (PIX Firewall) 186
National Security Agency. See NSA
NetScreen firewalls 164, 170–173
    data flow 171
    deep packet layer inspection 171
    functions not covered in detail 173
    session table 171
NetStumbler (WLAN packet analyzer) 336
network accounting function 241
network address translation. See NAT
network addresses 140
network architecture 92
network audits 95
network design 91
    fundamental principles 92–97
        defense in depth 96
        design activities, tools, and techniques 94–96
        requirements and constraints 93
        top-down design practices 92
    methodology 97–99
    physical security 99–101
    return on investment 99
    switches and hubs 101
network IDS 41, 194, 207–217
    case study 221–232
        active response, blocking host 229–232
        IDS Event Viewer 228
        sensor initialization and configuration 223–226
        sensor placement 223
        tuning IDS 227
    deploying in the network 210–216
        PIX Firewall as sensor 213
        router IDS features and network modules 212
    evasion and antievasion techniques 202
    host IDS versus 200
    management communications 217
        in-band management 220
        out-of-band management 219
    notification and reporting 217
    organizational issues and complications 202
        political constraints 203
        social constraints 203
        technological constraints 203
    responses to attacks
        IP session logging 213
        TCP resets 215
    sensor components and architecture 208
network infrastructure, requirements of 92
network interface cards (NICs), wireless 328
network layer (Layer 3, OSI model) 163
    correspondence of IP protocol to 16
    mobile IP connections 18
Network Management Server (NMS) 164
Network Management System (NMS) 356
network performance, monitoring with SAA 362
network resources, use and protection of (security policy) 81
network security
    books 427
    responsibilities for 7–8
    websites 428
network security database (NSDB) 197
    updates for IDS signatures 221
network traffic
    analysis of 95
    inbound and outbound 168
    simulating 96
networks, availability to Internet and public networks 80
NMS (Network Management Server) 164
NMS (Network Management System) 356
nonces 274, 276
nonstatistical anomaly detection 200
notification alarms, IDS 194
notification features, network IDS 217
notifications, SNMP 357
    configuring 361
NSA (National Security Agency) 393–395
    security guides 394
NSDB (network security database) 197
    updates for IDS signatures 221
NTFS file encryption 52
number used once. See nonces
numbered access list commands 139
numbered access lists, extended 141–144

O

open authentication, wireless networks with 337
operating systems
    hardening security of 107–123
        browsers 118–123
        case study 124–128
        file systems 107–109
        SANS step-by-step guides for 386
        web servers 109–117
    overlapping IP fragment bug 161
    software-based firewalls and 174
operation phase, network life cycle 98
optimization phase, network life cycle 99
origin authentication, IPSec 274–277
OSI model
    Layer 2 or Layer 3 mode, NetScreen firewalls operating at 172
    Layer 3 (network) 163
        IP, corresponding to 16
    Layer 4 (TCP) 162
    Layer 7 (application layer) 250
        SNMP on 356
    TCP/IP mapped to 16
    transport layer (TCP) 18
outbound network traffic 168
outbound packets, filtering 143
out-of-band management, network IDS 217, 219
outside global address (NAT) 177
outside hosts, connections to internal resources 169
outside interfaces 183
outside intruders 40, 193
outside local address (NAT) 177
overlapping IP fragment implementation bug 161

P

packet filtering 162
packet filters for routers. See access lists, router
parameter g (Diffie-Hellman) 68
parameter p (Diffie-Hellman) 68
passive response to attacks, network IDS 213
passive scanning for wireless stations or access points 334
Password Authentication Protocol (PAP) 243
passwords
    capture by Trojan horses 161
    combined with digital signatures 256
    configuring secure passwords for routers 131
    encryption, service password-encryption command 135, 153
    file protection with 53
    reusable 50
    router
        assigned to the console, VTY, AUX lines, and enable 134
        configuration for Telnet 133
        enable and user-level passwords 133
        recovery procedure for 132
PAT (Port Address Translation) 175, 176
    disadvantages of 177
patching, vulnerabilities 86
pattern-matching IDS signatures 195
PC card-based solutions (security) 41–43
    hardware keys 42
    PC encryption cards 43
    security cards 41
PC encryption cards 43
PCI (Peripheral Component Interconnect) 328
PCMCIA (wireless NIC) 328
PDIOO (planning, design, implementation, operation, and optimization) 97
peer authentication methods on VPNs 274
peer-to-peer WLANs 328, 329
performance, monitoring with SAA 362
Peripheral Component Interconnect. See PCI
permissions
    changing in DACs 112
    router access list, example of 154
    web content directory, changing for Internet Explorer 126
    Windows file systems, hardening security settings 107–109
permit entry 147
persistent cookies 123
Personal Computer Memory Card International Association (PCMCIA) 328
personal digital ID or certificate 38
personal firewalls 174
personnel awareness of security policy 46
personnel training in physical security 101
PGP (Pretty Good Privacy) 69, 302
PHY (physical) layer, WLANs 332
physical security 44–46
    disaster recovery plans 45
    governmental specifications 100
    internal 45, 100
    intrusion by tailgating 101
    network design 99–101
    outside and external security 44
    personnel training 101
    securing the perimeter 100
    survivability and recovery 101
ping, use in Smurf attacks 162
Ping of Death attack 23
PIX Firewall 164, 165–170
    commands for managing and troubleshooting 190
    configuration as cut-through proxy 168
    data flow for 167
    features and functions not covered in detail 170
    full working configuration (case study) 189
    IDS 213
    NAT (network address translation) 183–189
    placement of 169, 181
PKCS (Public Key Cryptography Standard) 307
PKI (Public Key Infrastructure) 72, 301–323
    creating your own CA 312–323
    enrolling in a CA 73
    enrollment procedure 306
    public key distribution 301
    revocation of certificates 307
    topologies of trust 304
    trusted third party 302
        key exchange 304
        public key signing 304
planning stage (network life cycle) 98
plug-ins, browser 118
point-to-multipoint bridge (WLANs) 328
point-to-point bridge (WLANs) 328
point-to-point WLANs 330
policy section (example security policy for a VPN) 87
policy, definition of 387
policy-based IDS 198
    attacks prevented by 199
political constraints
    on network design 94
    on network IDS 203
pool of global addresses 187
Port Address Translation (PAT) 175
port numbers 19
ports
    colors for 369
    risks of open wireless ports 336
power blackouts, countering 45, 101
preshared keys (peer authentication method) 274
Pretty Good Privacy (PGP) 69, 302
prime numbers
    parameter p, Diffie-Hellman algorithm 68
    RSA algorithm 69
privacy policies, financial institutions 8
private data traversing public networks 80
Private Internet Exchange. See PIX Firewall 165
private key (digital IDs) 39
Private Ports 19
privilege levels 239
processor speed 93
protocol decode-based IDS signatures 195
protocol stacks (802.11 standard) 331
protocols
    adaptive, checking in network traffic simulation 96
    CBAC inspection of 151
    CBAC intelligent filtering for 148
    Internet Key Exchange (IKE) 282
    IPSec 277
        establishing use of in IPSec policy 284
        identification of in transform sets 283
        tunnel or transport mode 279
    tunneling, selecting for VPN 292
proxies
    configuring PIX Firewall as cut-through proxy 168
    limiting attacks with 162
    network use of proxy services 177
PSH (Push function), TCP field 23
public key (digital IDs) 39
public key cryptography 272, 307
Public Key Infrastructure. See PKI
public networks, sending private data over 80
Public Service Segment (PSS) 49. See also DMZs
purpose of a security policy 82
    example for a VPN 86
PuTTY (SSH client) 48

Q
quality of service (QoS)
    guaranteeing, costs of 94
    validating and testing adequately 96

R
radio frequency (RF) technology, use by WLANs 331
radio, cryptography and 62
RADIUS 241, 245–249
    with 802.11i authentication framework 340
    ACS setup for RADIUS authentication 249
    authentication 246
        attribute pairs 247
    summary of 248
    TACACS+ versus 250
RDEP (Remote Data Exchange Protocol)
    communication between network IDS sensor and director 217
    IP session logging, network IDSs 213
realm 292
recovery from disasters 101
Redirect messages 22
redirection (IP redirect service) 138
redundancy in network designs 97
reflect option 147
reflexive access lists 147
Registered Ports 19
remarks, adding in named access lists 143
remote access 79, 235–266
    AAA model 235
        accounting 239–241
        authentication 237–238
        authorization 238
        servers 241–252
    configuration of AAA server (CiscoSecure ACS) 256–265
    lock-and-key feature 252–256
    security policy coverage of 82
    two-factor identification 256
Remote Access tunnel type 294
remote access VPNs 269
    case study 285–298
Remote Authentication Dial-In User Service. See RADIUS
Remote Data Exchange Protocol. See RDEP
Remote Monitoring (RMON) 372
remote Telnet sessions and logins, securing 47
reporting features, network IDS 217
requirements and constraints, network design 93
resetting TCP connections
    network IDS response to attacks 215
    router configured for network IDS 212
Response Time Reporter (RTR). See SAA
responses to alerts, network IDS 213
restricted security zone (Internet Explorer) 118
retina and iris recognition 55
return on investment (ROI), network design and 99
reusable passwords 50
reverse lookup, countering DNS spoofing with 31
reverse social engineering attacks 31
RFCs (Request for Comments), protocol analysis for violations of 195
rights, permissions versus 107
risk assessment
    annualized rate of occurrence (ARO) 9
    single loss expectancy (SLE) 9
    types of risks 9
risks
    reducing with tools to support design process 95
    vulnerabilities and 13–14
Rivest, Shamir, and Adelman (RSA) algorithm 68, 273
RMON (Remote Monitoring) 361
robust defenses 96
roles, defining 81
route command (PIX Firewall) 188
routers 17
    AAA configurations on Cisco IOS router 236–241
    AAA model, enabling 237
    Brussels 134
    Cisco Router Security Configuration Guide 394
    configuring GRE tunnels on 271
    configuring IPSec on 282
    configuring to send only warnings to SYSLOG server 355
    content filtering 178
    extended access lists 20
    filtering, placement of 181
    IDS features and network modules 212
    NAT translation table, viewing 176
    PIX Firewall and 166
    security
        administrative access, configuring 131
        banner to warn intruders 135
        case study of telecommuter connecting to branch office 152–156
        CBAC (Cisco IOS Firewall) 148–152
        commands to configure a new router 153
        console port, timeout 135
        enable and user-level passwords configured 133
        online information, Cisco web site 138
        passwords assigned to console, VTY, AUX lines and enable 134
        services, turning off or restricting access 137
    security for network protection 138–148
        access lists 138
RSA (Rivest, Shamir, and Adelman) algorithm 273
RSA Laboratories, PKCS standards 307
RSA signatures (peer authentication method) 274, 275
RSA-encrypted nonces (peer authentication method) 274, 276
RST (Reset the connection), TCP header flag 23
RTR (Response Time Reporter). See SAA
rtr operation-number command 363

S
SA (security association)
    establishing for IPSec 284
    IKE SA lifetime 282
    ISAKMP protocol 282
    mode configuration option for VPNs 295
    reauthentication after IKE SA expires 295
    selection for IPSec on remote access VPN 293
SAA (Service Assurance Agent) 362–365
SAFE (Security Architecture for Enterprises) 91, 377–383
    Blueprint for Enterprise Networks, web site 97
    out-of-band management, network IDS 220
    overview of architecture 379
    references for further information 382
    summary of 382
    WLAN design 342
SANS Institute 385–390
    policy, standard, and guideline, definitions of 387
    programs and initiatives 385
    references for further information 389
    Security Policy Project 386
    templates for security policies 387–389
scalability
    for cryptographic applications 302
    key exchange with PKI 307
    network configuration, stateless firewalls and 163
    nonscalable methods of public key distribution 301
scanning functions, WLANs 333
SCIF (Sensitive Compartmented Information Facilities), physical security manual 44
scope of a security policy 82
    example policy for a VPN 86
script kiddies 6
scripting languages, most popular for browser plug-ins 118
secret key cryptography 48
secret passwords, enabling for Cisco routers 132
Secure Agent Managers, Cisco 206
Secure Agent, Cisco 204–205, 206
secure areas 49
Secure Hash Algorithm (SHA) 71
Secure Integrated Software, Cisco 212
Secure Policy Manager (Cisco), alarm-reporting feature 217
Secure Server Certification authority 38, 310
Secure Shell. See SSH
Secure Socket Layer. See SSL
Security Architecture for Enterprises. See SAFE
security cards 41
security guides (NSA) 394
security incidents 81
    handling procedure 82, 84
security levels
    Internet Explorer 119
    PIX Firewall interfaces 167, 183
security plan 82
    deny all and allow all models 83
security policies 79–88, 91
    auditing state of 95
    connection-based 166, 183
    defining 81
    development process 82
    development team 83
    development, best practices 378
    IDSs based on 198
    importance of 81–82
    incident handling process 84
    key components of 82
    main purpose of 82
    mixing models, problems with 83
    personnel awareness of 46
    reusable passwords and 50
    sample security policy for a VPN 86
    SANS templates for 387–389
    security wheel 84
    senior management enforcement of 7
Security Policy Project (SANS) 386
security servers
    Cisco ACS 242
    Kerberos 48, 241, 250–252
    RADIUS 245–249
    TACACS+ versus RADIUS 250
security training and certification. See SANS Institute
security wheel 81, 84–85
senior management, responsibilities for network security 7
Sensitive Compartmented Information Facilities (SCIF), online information 100
sensor components and architecture 208
sensors, IDS 41, 193
    host sensor components and architecture 204
    maintenance of 221
    network sensors 209
        communication with director 217
        components and architecture 208
        placement on the network 210
SEP (Scalable Encryption Processing) 292
separate service subnet (SSN) 165, 170
SEQ/ACK (Sequence and Acknowledgment) numbers
    attackers, use by 25
    in connection hijacking 26
sequence numbers, TCP 20
    prediction of in connection-killing attacks 25
    SYN (Synchronize sequence numbers) flag 23
server digital ID or website certificate 38
Service Level Agreements (SLAs), verifying with SAAs 362
service password-encryption command 135, 153
service set identifiers. See SSIDs
services
    router, turning off or restricting access to 137
    selectively enabling or turning on all for host system 83
    unnecessary, disabling, or removing 109
        list of services that can be disabled 110
session cookies 123, 124
session table, NetScreen 171
sessions
    TCP and UDP, management by CBAC 148
SHA-1 (Secure Hash Algorithm) 71
show aaa user all command (Cisco IOS) 239
show access-lists command 145, 255
    reflexive access lists 147
show accounting command (Cisco IOS) 239
show ip nat translations command 176
show privilege command 239
show rtr command 364
show rtr history command 365
signature recognition (biometrics) 55
signature-based IDS 194, 195
    pros and cons of 196
    updating signatures 221
Simple Network Management Protocol. See SNMP
single logon (Kerberos) 252
Single Loss Expectancy (SLE) 9
single root CA 305
site security architecture 82
Site Security Handbook (RFC 2196) 81
site-to-site VPNs 270
small office/home office (SOHO) hardware 331
smart cards 41, 256
    token-based authentication 42
smoke, temperature, and humidity sensors 45
Smurf attacks 162, 198
Sniffer Pro (WLAN packet analyzer) 336
sniffing on publicly accessible networks 72
SNMP (Simple Network Management Protocol) 356–362
    access to routers via 131
    configuration 359–361
    notifications 357
    RMON, using with 361
    SAA, accessing with 363
    setup (case study) 366
    versions 358
snmp-server command 359
SoBig virus 51
social constraints
    network design 94
    on network IDS 203
social engineering 31
    countermeasures 32
sockets 19
software
    protection with hardware keys 42
    unpatched, security threats from 6
software firewalls (Check Point) 173
source and destination IP addresses, TCP/IP connections 19
source and destination port numbers 19
Source Quench message 22
speech analysis 54
speed, network interface 185
split tunneling 87
spoof attacks 162
spoofing
    antispoofing protection, router configuration 154
    countermeasures 31
    techniques for 29
spyware 5
SSH (Secure Shell) 47–48
    versions 48
    wireless network security, using for 342
SSIDs (service set identifiers) 334
    vulnerabilities of 336
SSL (Secure Socket Layer) 48–49, 71
SSN (separate service subnet) 165, 170
standard IP access lists 139
standard numbered IP access lists, additional keywords supported 140
standard, definition of 387
standards for telecommunication equipment 35
state information for TCP and UDP sessions, CBAC and 148
stateful filtering (firewalls) 162
stateful firewalls 163
stateful pattern-matching IDS systems 195
stateless filtering 162
static and dynamic translation slots, ASA and 167
static routing on a PIX Firewall 188
stations, wireless 333
    SAFE design recommendations for 343
    scanning for other stations or access points 333
statistical anomaly detection 200
stream ciphers 64
subnet masks 140, 182
survivability and recovery, physical security planning 101
switches and hubs, network security design 101
    switch security features, examples of 102
switches, configuring for traffic-capture functions 211
Sygate firewall 174
symmetric key algorithms 64–66
    AES 64, 66, 283
    DES (Data Encryption Standard) 64, 272
    Triple DES (3DES) 65–66, 272, 283
symmetric key encryption 272
SYN (Synchronize sequence numbers), TCP flag 23
SYN-flooding attacks, prevention by CBAC 148
SysAdmin, Audit, Network, and Security. See SANS Institute
SYSLOG 354
SYSLOG server
    router configured to send more information to 355
    router configured to send only warnings 355

T
TACACS+ 241, 258–265
    accounting 245
    ACS log 265
    authorization 243
    lock-and-key feature 253–256
    RADIUS versus 250
    summary of 244
    user authentication 144
tailgating 101
TCP 18–20
    additional information on, RFC 793 20
    Layer 4 of OSI model 162
    segment format 19
    sequence number prediction 25
    three-way handshake preceding data exchange 20
TCP connections
    resetting capability, network IDSs 215
    resetting with router configured for network IDS 212
TCP SYN flood attacks 161
TCP SYN packets, in Land.C attacks 161
TCP/IP protocol suite
    fragmentation reassembly code 161
    IP layer 16
    mapped to OSI model 16
    security issues 20–27
    weaknesses of 14–16
        closing a connection by FIN 25
        covert channels 21
        hijacking TCP connections 26
        IP fragment attacks 23
        SYN flood 25
        TCP flags 23
TCP/UDP ports, stateless firewalls and 163
teardrop attacks 161
technological constraints
    on network design 93
    on network IDS 203
telecommunications standards 35
telecommuter connecting to branch office, protecting routers (case study) 152–156
telegraph, cryptography and 62
telephone calls, used in social engineering attacks 31
telephony, IP 97
Telnet
    access to routers 131
    router sessions via, configuring VTY password 132
Temporal Key Integration Protocol (TKIP) 340
Terminal Access Controller Access Control System plus. See TACACS+
terminals, logical virtual type (VTY) lines 133
terrorism
    Internet exploitation 14
    physical security and 44
theft, risk of 9
three-way handshake, TCP connections 20
    flags used in 23
    timers and TCP flags, sequences of 25
time-based access lists, routers 146
timeout
    console port of routers 135
    and thresholds in session management by CBAC 150
timers, TCP/IP sessions 25
TKIP (Temporal Key Integration Protocol) 340
TLS (Transport Layer Security) 48, 71
Token Ring networks
    802.5 wireless standard, IEEE 332
    NetScreen firewalls and 171
    speed, values for 185
token-based authentication systems 42
tools used in network design process 81, 94
topologies of trust, PKI 302
traffic filtering, CBAC 148
traffic inspection, CBAC 148
traffic, inbound and outbound 168
traffic, network
    analysis of 95
    monitoring with RMON and SNMP 361
    simulating 96
transform sets 282–283
    establishing use of in IPSec policy 284
translation slots, PIX Firewall 168
translation table (NAT), viewing on Cisco router 176
Transmission Control Protocol. See TCP
Transmission Control Protocol/Internet Protocol. See TCP/IP protocol suite 14
Transport Layer Security (TLS) 48, 71
transport layer, OSI 18
transport mode (IPSec connections) 280
traps, SNMP 357
    configuring recipient of 360
    configuring router to send 361
Triple DES. See 3DES encryption algorithm
Trojan horses 5, 161
troubleshooting SNMP, commands for 360
trust 3–4
trusted sites security zone (Internet Explorer) 118
trusted third-party protocol (PKI) 302
    enrollment procedure for PKI users 306
    topologies of trust, PKI 304
tunnel mode (IPSec) 281
tunneling
    GRE (generic routing encapsulation) tunnels 271
    LAN-to-LAN or Remote Access tunnel type 294
    selecting protocol for VPN 292
    split tunneling 87
two-factor identification 256
typing biometrics 54

U
UDP bomb 161
UDP ports, stateless firewalls and 163
UDZs (user-defined zones) 171
unauthorized programs, potential security holes from 6
uninterruptible power supplies (UPSs) 45, 101
universal serial bus (USB) Smartcard key (eToken) 256
unpatched software, security threats posed by 6
unsafe environments, communicating and doing business safely in 80
untrusted 4
URG (Urgent pointer field), TCP flag 23
URL filtering. See content filtering
URLs, secure (https) 37
use policy for the network resources 81
User Datagram Protocol (UDP) service, use in chargen attack 161
user-defined zones (UDZs) 171
usernames, capture by Trojan horses 161
users
    configuring for SNMP 360
    VPN 296

V
ventilation requirements for network equipment 93, 100
view record, creating or modifying 359
Virtual Private Networks. See VPNs
virtual type terminal (VTY) lines 132–133
viruses 5
    antivirus software 51, 181
    enabled by Trojan horses 161
    risk of 9
    smart card protection against 42
VMS Management Center for IDS, Cisco 217
voice communication over IP, government role in security 8
voice recognition 54
VPN concentrator 87
VPNs (virtual private networks) 269–299
    case study, remote access VPN 285–298
    enrollment of devices in PKI 307
    GRE (generic routing encapsulation) tunnels 271
    IPSec (IP Security) 272–283
        antireplay protection 277
        data integrity 273
        origin authentication 274–277
        protocol framework 277
        transform sets 282
        tunnel or transport mode 279
    PKI solution for authentication 301
    types of 269
    using IPSec with
        configuring IPSec 285
        preparation for 284
    wireless network security, using for 342
VTY (virtual type terminal) lines 132–133
vulnerabilities 13–32
    buffer overflows 28
    communications over public networks 72
    on data port 139, 161
    fingerprint scanning 54
    information about, in CSEC 162
    internal and external 5–6
    log file alteration or deletion by intruders 114
    patching 86
    reusable passwords 50
    risk and 13–14
    shared key authentication, WLANs 337
    social engineering 31
        countermeasures 32
    software-based firewalls 174
    spoofing techniques 29
    SSIDs, WLAN 336
    TCP/IP security issues 20–27
    WEP protocol 338
        countermeasures to 339

W
W3C extended Log File Format 113
WAN (wide area network) bandwidth, cost of 94
war-driving and war-chalking 342
warm site (disaster recovery plan) 46
warning level of information sent to SYSLOG server 354
warnings, Syslog 355
weak passwords 50
weaknesses. See also vulnerabilities
    internal and external 5–6
    of TCP/IP protocol suite 14–16
Web applications 14
web of trust 302
web security 107
    hardening 107–123
        browsers 118–123
        case study 124–128
        file systems 107–109
        web servers 109–117
    SSL as standard for 48
web servers
    attacks against, prevention with signature-based IDS 196
    denial-of-service (DoS) attacks against 20–21, 24, 161, 163, 198
    hardening 112–117
    logging, enabling 113
    restricting access to a website 114–117
    securing, tasks involved in 109
web-based requests (PKI enrollment) 307
website certificates 38
websites
    information on network security 428
    restricting access to 114–117
    SSL-enabled 48
Well-Known Ports 19
WEP (wired equivalent privacy) protocol 334, 336
    countermeasures to vulnerabilities 339
    overview of 337
    vulnerabilities of 338
WEPCrack program 338
wheel cipher 62
Windows Internet Naming Service (WINS) 295
Windows systems
    file systems, hardening 107–109
    integrated authentication 116
    software patches for 6, 7
wired equivalent privacy. See WEP protocol
wireless
    how it works 333
    standards for WLAN applications 328
wireless and voice communication over IP, government role in security 8
wireless local-area networks. See WLANs
wireless network interface cards (NICs) 328
wireless networks
    building-to-building, types of 330
    community networks 330
wireless security 327–350
    adding wireless to secure network 344–349
    SAFE WLAN design 342
    war-driving and war-chalking 342
Wireless Security Suite, Cisco 339, 342
WLANs (wireless LANs) 327
    different configurations of 328–331
    EAP protocol and 802.11i standard 340
    hotspot 330
    how wireless works 333
    overview of 331
    peer-to-peer 329
    risks of open wireless ports 336
    SAFE WLAN design 342
    setting up WLAN connection 333
worms 5

X
X.509 standard for digital certificates 35
xlate. See translation slots, PIX Firewall
XOR (exclusive OR) function 338

Z
ZoneAlarm firewall 174
zones
    firewall 171
    DMZs. See DMZs
    peer-to-peer WLAN 329