End-to-end Network Security: Defense-in-depth PDF

469 Pages·7.544 MB·English
Preview End-to-end Network Security: Defense-in-depth

http://freepdf-books.com

End-to-End Network Security
Defense-in-Depth

Omar Santos

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

Copyright © 2008 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing August 2007

Library of Congress Cataloging-in-Publication Data:
Santos, Omar.
End-to-end network security : defense-in-depth / Omar Santos.
p. cm.
ISBN 978-1-58705-332-0 (pbk.)
1. Computer networks—Security measures. I. Title.
TK5105.59.S313 2007
005.8—dc22
2007028287
ISBN-10: 1-58705-332-2
ISBN-13: 978-1-58705-332-0

Warning and Disclaimer

This book is designed to provide information about end-to-end network security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales 1-800-382-3419 [email protected]

For sales outside the United States, please contact:
International Sales [email protected]

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Managing Editor: Patrick Kanouse
Development Editor: Betsey Henkels
Project Editor: Jennifer Gallant
Copy Editor: Karen A. Gill
Technical Editors: Pavan Reddy, John Stuppi
Editorial Assistant: Vanessa Evans
Book and Cover Designer: Louisa Adair
Composition: ICC Macmillan Inc.
Indexer: Ken Johnson
Proofreader: Anne Poynter

About the Author

Omar Santos is a senior network security engineer and Incident Manager within the Product Security Incident Response Team (PSIRT) at Cisco. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Before his current role, Omar was a technical leader within the World Wide Security Practice and Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.

He is an active member of the InfraGard organization. InfraGard is a cooperative undertaking that involves the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants. InfraGard is dedicated to increasing the security of the critical infrastructures of the United States of America.

Omar has also delivered numerous technical presentations to Cisco customers and partners, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of the Cisco Press books: Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.

About the Technical Reviewers

Pavan Reddy, CCIE No. 4575, currently works as a consulting systems engineer for Cisco specializing in network security. Pavan has been collaborating with customers and partners on the design and implementation of large-scale enterprise and service provider security architectures for nearly ten years. Before joining Cisco, Pavan worked as a network security engineer in the construction and financial industries. Pavan also holds a bachelor of science degree in computer engineering from Carnegie Mellon.

John Stuppi, CCIE No. 11154, is a network consulting engineer for Cisco. John is responsible for creating, testing, and communicating effective techniques using Cisco product capabilities to provide identification and mitigation options to Cisco customers who are facing current or expected security threats. John also advises Cisco customers on incident readiness and response methodologies and assists them in DoS and worm mitigation and preparedness. John is a CCIE and a CISSP, and he holds an Information Systems Security (INFOSEC) Professional Certification. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey with his wife Diane and his two wonderful children, Thomas and Allison.

Dedications

I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book.

I also dedicate this book to my parents, Jose and Generosa. Without their knowledge, wisdom, and guidance, I would not have the goals that I strive to achieve today.

—Omar

Acknowledgments

I would like to acknowledge the technical editors, Pavan Reddy and John Stuppi. Their superb technical skills and input are what make this manuscript a success. Pavan has been a technical leader and advisor within Cisco for several years. He has led many projects for Fortune 500 enterprises and service providers. He was one of the key developers of the Cisco Operational Process Model (COPM). John has also led many implementations and designs for Cisco customers. His experience in worldwide threat intelligence provides a unique breadth of knowledge and value added.

Many thanks to my management team, who have always supported me during the development of this book.

I am extremely thankful to the Cisco Press team, especially Brett Bartow, Andrew Cupp, Betsey Henkels, and Jennifer Gallant for their patience and continuous support.

Finally, I would like to acknowledge the great minds within the Cisco Security Technology Group (STG), Advanced Services, and Technical Support organizations.

Contents at a Glance

Foreword
Introduction
Part I Introduction to Network Security Solutions
  Chapter 1 Overview of Network Security Technologies
Part II Security Lifecycle: Frameworks and Methodologies
  Chapter 2 Preparation Phase
  Chapter 3 Identifying and Classifying Security Threats
  Chapter 4 Traceback
  Chapter 5 Reacting to Security Incidents
  Chapter 6 Postmortem and Improvement
  Chapter 7 Proactive Security Framework
Part III Defense-In-Depth Applied
  Chapter 8 Wireless Security
  Chapter 9 IP Telephony Security
  Chapter 10 Data Center Security
  Chapter 11 IPv6 Security
Part IV Case Studies
  Chapter 12 Case Studies
Index

Contents

Foreword
Introduction
Part I Introduction to Network Security Solutions
Chapter 1 Overview of Network Security Technologies
  Firewalls
  Network Firewalls
  Network Address Translation (NAT)
  Stateful Firewalls
  Deep Packet Inspection
  Demilitarized Zones
  Personal Firewalls
  Virtual Private Networks (VPN)
  Technical Overview of IPsec
  Phase 1
  Phase 2
  SSL VPNs
  Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
  Pattern Matching
  Protocol Analysis
  Heuristic-Based Analysis
  Anomaly-Based Analysis
  Anomaly Detection Systems
  Authentication, Authorization, and Accounting (AAA) and Identity Management
  RADIUS
  TACACS+
  Identity Management Concepts
  Network Admission Control
  NAC Appliance
  NAC Framework
  Routing Mechanisms as Security Tools
  Summary