
End to end network security


DOCUMENT INFORMATION

Basic information

Format
Pages: 469
Size: 12.91 MB

Content

www.it-ebooks.info

End-to-End Network Security
Defense-in-Depth

Omar Santos

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

End-to-End Network Security
Defense-in-Depth
Omar Santos
Copyright © 2008 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing August 2007

Library of Congress Cataloging-in-Publication Data:
Santos, Omar
End-to-end network security : defense-in-depth / Omar Santos
p. cm.
ISBN 978-1-58705-332-0 (pbk.)
Computer networks—Security measures. I. Title.
TK5105.59.S313 2007
005.8—dc22
2007028287
ISBN-10: 1-58705-332-2
ISBN-13: 978-1-58705-332-0

Warning and Disclaimer

This book is designed to provide information about end-to-end network security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States, please contact: International Sales, international@pearsoned.com.

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Managing Editor: Patrick Kanouse
Development Editor: Betsey Henkels
Project Editor: Jennifer Gallant
Copy Editor: Karen A. Gill
Technical Editors: Pavan Reddy, John Stuppi
Editorial Assistant: Vanessa Evans
Book and Cover Designer: Louisa Adair
Composition: ICC Macmillan Inc.
Indexer: Ken Johnson
Proofreader: Anne Poynter

About the Author

Omar Santos is a senior network security engineer and Incident Manager within the Product Security Incident Response Team (PSIRT) at Cisco. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Before his current role, Omar was a technical leader within the World Wide Security Practice and Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.

He is an active member of the InfraGard organization. InfraGard is a cooperative undertaking that involves the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants. InfraGard is dedicated to increasing the security of the critical infrastructures of the United States of America.

Omar has also delivered numerous technical presentations to Cisco customers and partners, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of the Cisco Press books: Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.

About the Technical Reviewers

Pavan Reddy, CCIE No. 4575, currently works as a consulting systems engineer for Cisco specializing in network security. Pavan has been collaborating with customers and partners on the design and implementation of large-scale enterprise and service provider security architectures for nearly ten years. Before joining Cisco, Pavan worked as a network security engineer in the construction and financial industries. Pavan also holds a bachelor of science degree in computer engineering from Carnegie Mellon.

John Stuppi, CCIE No. 11154, is a network consulting engineer for Cisco. John is responsible for creating, testing, and communicating effective techniques using Cisco product capabilities to provide identification and mitigation options to Cisco customers who are facing current or expected security threats. John also advises Cisco customers on incident readiness and response methodologies and assists them in DoS and worm mitigation and preparedness. John is a CCIE and a CISSP, and he holds an Information Systems Security (INFOSEC) Professional Certification. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey with his wife Diane and his two wonderful children, Thomas and Allison.

Dedications

I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book. I also dedicate this book to my parents, Jose and Generosa. Without their knowledge, wisdom, and guidance, I would not have the goals that I strive to achieve today.
—Omar

Acknowledgments

I would like to acknowledge the technical editors, Pavan Reddy and John Stuppi. Their superb technical skills and input are what make this manuscript a success. Pavan has been a technical leader and advisor within Cisco for several years. He has led many projects for Fortune 500 enterprises and service providers. He was one of the key developers of the Cisco Operational Process Model (COPM). John has also led many implementations and designs for Cisco customers. His experience in worldwide threat intelligence provides a unique breadth of knowledge and value added.

Many thanks to my management team, who have always supported me during the development of this book. I am extremely thankful to the Cisco Press team, especially Brett Bartow, Andrew Cupp, Betsey Henkels, and Jennifer Gallant for their patience and continuous support. Finally, I would like to acknowledge the great minds within the Cisco Security Technology Group (STG), Advanced Services, and Technical Support organizations.

Contents at a Glance

Foreword
Introduction
Part I Introduction to Network Security Solutions
Chapter 1 Overview of Network Security Technologies
Part II Security Lifecycle: Frameworks and Methodologies
Chapter 2 Preparation Phase
Chapter 3 Identifying and Classifying Security Threats
Chapter 4 Traceback
Chapter 5 Reacting to Security Incidents
Chapter 6 Postmortem and Improvement
Chapter 7 Proactive Security Framework
Part III Defense-In-Depth Applied
Chapter 8 Wireless Security
Chapter 9 IP Telephony Security
Chapter 10 Data Center Security
Chapter 11 IPv6 Security
Part IV Case Studies
Chapter 12 Case Studies
Index

Contents

Foreword
Introduction
Part I Introduction to Network Security Solutions
Chapter 1 Overview of Network Security Technologies
Firewalls
Network Firewalls
Network Address Translation (NAT)
Stateful Firewalls
Deep Packet Inspection
Demilitarized Zones
Personal Firewalls
Virtual Private Networks (VPN)
Technical Overview of IPsec
Phase 1
Phase 2
SSL VPNs
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Pattern Matching
Protocol Analysis
Heuristic-Based Analysis
Anomaly-Based Analysis
Anomaly Detection Systems
Authentication, Authorization, and Accounting (AAA) and Identity Management
RADIUS
TACACS+
Identity Management Concepts
Network Admission Control
NAC Appliance
NAC Framework
Routing Mechanisms as Security Tools
Summary

... insight from End-to-End Network Security, but also returning to its pages to ensure you are on target in your endeavors. We have seen dramatic increases in the type and nature of threats to our information

Date posted: 27/03/2019, 16:48