
Cisco Press: Network Security Architectures


DOCUMENT INFORMATION

Contents

Network Security Architectures
By Sean Convery
Publisher: Cisco Press
Pub Date: April, 0
Print ISBN: 1 X
Pages:

Expert guidance on designing secure networks

- Understand security best practices and how to take advantage of the networking gear you already have
- Review designs for campus, edge, and teleworker networks of varying sizes
- Learn design considerations for device hardening, Layer and Layer security issues, denial of service, IPsec VPNs, and network identity
- Understand security design considerations for common applications such as DNS, mail, and web
- Identify the key security roles and placement issues for network security elements such as firewalls, intrusion detection systems, VPN gateways, content filtering, as well as for traditional network infrastructure devices such as routers and switches
- Learn 10 critical steps to designing a security system for your network
- Examine secure network management designs that allow your management communications to be secure while still maintaining maximum utility
- Try your hand at security design with three included case studies
- Benefit from the experience of the principal architect of the original Cisco Systems SAFE Security Blueprint

Written by the principal architect of the original Cisco Systems SAFE Security Blueprint, Network Security Architectures is your comprehensive how-to guide to designing and implementing a secure network. Whether your background is security or networking, you can use this book to learn how to bridge the gap between a highly available, efficient network and one that strives to maximize security. The included secure network design techniques focus on making network and security technologies work together as a unified system rather than as isolated systems deployed in an ad hoc way.

Beginning where other security books leave off, Network Security Architectures shows you how the various technologies that make up a security system can be used together to improve your network's security. The technologies and best practices you'll find within are not restricted to a single vendor but broadly apply to virtually any network system. This book discusses the whys and hows of security, from threats and countermeasures to how to set up your security policy to mesh with your network architecture. After learning detailed security best practices covering everything from Layer security to e-commerce design, you'll see how to apply the best practices to your network and learn to design your own security system to incorporate the requirements of your security policy. You'll review detailed designs that deal with today's threats through applying defense-in-depth techniques and work through case studies to find out how to modify the designs to address the unique considerations found in your network.

Whether you are a network or security engineer, Network Security Architectures will become your primary reference for designing and building a secure network. This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Table of Contents

Copyright
About the Author
About the Technical Reviewers
Acknowledgments
A Note from Cisco Systems on the SAFE Blueprint and Network Security Architectures
Icons Used in This Book
Command Syntax Conventions
Foreword
Preface
  This Book's Relationship to the SAFE White Papers
  Why Network Security?
  New Technologies, New Vulnerabilities
  How This Book Is Organized
  Who Should Read This Book?
  Caveats
  Summary

Part I: Network Security Foundations

Chapter: Network Security Axioms
  Network Security Is a System
  Business Priorities Must Come First
  Network Security Promotes Good Network Design
  Everything Is a Target
  Everything Is a Weapon
  Strive for Operational Simplicity
  Good Network Security Is Predictable
  Avoid Security Through Obscurity
  Confidentiality and Security Are Not the Same
  Summary
  Reference
  Applied Knowledge Questions
Chapter: Security Policy and Operations Life Cycle
  You Can't Buy Network Security
  What Is a Security Policy?
  Security System Development and Operations Overview
  Summary
  References
  Applied Knowledge Questions
Chapter: Secure Networking Threats
  The Attack Process
  Attacker Types
  Vulnerability Types
  Attack Results
  Attack Taxonomy
  Summary
  References
  Applied Knowledge Questions
Chapter: Network Security Technologies
  The Difficulties of Secure Networking
  Security Technologies
  Emerging Security Technologies
  Summary
  References
  Applied Knowledge Questions

Part II: Designing Secure Networks

Chapter: Device Hardening
  Components of a Hardening Strategy
  Network Devices
  NIDS
  Host Operating Systems
  Applications
  Appliance-Based Network Services
  Rogue Device Detection
  Summary
  References
  Applied Knowledge Questions
Chapter: General Design Considerations
  Physical Security Issues
  Layer Security Considerations
  IP Addressing Design Considerations
  ICMP Design Considerations
  Routing Considerations
  Transport Protocol Design Considerations
  DoS Design Considerations
  Summary
  References
  Applied Knowledge Questions
Chapter: Network Security Platform Options and Best Deployment Practices
  Network Security Platform Options
  Network Security Device Best Practices
  Summary
  Reference
  Applied Knowledge Questions
Chapter: Common Application Design Considerations
  E-Mail
  DNS
  HTTP/HTTPS
  FTP
  Instant Messaging
  Application Evaluation
  Summary
  References
  Applied Knowledge Questions
Chapter: Identity Design Considerations
  Basic Foundation Identity Concepts
  Types of Identity
  Factors in Identity
  Role of Identity in Secure Networking
  Identity Technology Guidelines
  Identity Deployment Recommendations
  Summary
  References
  Applied Knowledge Questions
Chapter 10: IPsec VPN Design Considerations
  VPN Basics
  Types of IPsec VPNs
  IPsec Modes of Operation and Security Options
  Topology Considerations
  Design Considerations
  Site-to-Site Deployment Examples
  IPsec Outsourcing
  Summary
  References
  Applied Knowledge Questions
Chapter 11: Supporting-Technology Design Considerations
  Content
  Load Balancing
  Wireless LANs
  IP Telephony
  Summary
  References
  Applied Knowledge Questions
Chapter 12: Designing Your Security System
  Network Design Refresher
  Security System Concepts
  Impact of Network Security on the Entire Design
  Ten Steps to Designing Your Security System
  Summary
  Applied Knowledge Questions

Part III: Secure Network Designs

Chapter 13: Edge Security Design
  What Is the Edge?
  Expected Threats
  Threat Mitigation
  Identity Considerations
  Network Design Considerations
  Small Network Edge Security Design
  Medium Network Edge Security Design
  High-End Resilient Edge Security Design
  Provisions for E-Commerce and Extranet Design
  Summary
  References
  Applied Knowledge Questions
Chapter 14: Campus Security Design
  What Is the Campus?
  Campus Trust Model
  Expected Threats
  Threat Mitigation
  Identity Considerations
  Network Design Considerations
  Small Network Campus Security Design
  Medium Network Campus Security Design
  High-End Resilient Campus Security Design
  Summary
  References
  Applied Knowledge Questions
Chapter 15: Teleworker Security Design
  Defining the Teleworker Environment
  Expected Threats
  Threat Mitigation
  Identity Considerations
  Network Design Considerations
  Software-Based Teleworker Design
  Hardware-Based Teleworker Design
  Design Evaluations
  Summary
  Reference
  Applied Knowledge Questions

Part IV: Network Management, Case Studies, and Conclusions

Chapter 16: Secure Network Management and Network Security Management
  Utopian Management Goals
  Organizational Realities
  Protocol Capabilities
  Tool Capabilities
  Secure Management Design Options
  Network Security Management Best Practices
  Summary
  References
  Applied Knowledge Questions
Chapter 17: Case Studies
  Introduction
  Real-World Applicability
  Organization
  NetGamesRUs.com
  University of Insecurity
  Black Helicopter Research Limited
  Summary
  Reference
  Applied Knowledge Questions
Chapter 18: Conclusions
  Introduction
  Management Problems Will Continue
  Security Will Become Computationally Less Expensive
  Homogeneous and Heterogeneous Networks
  Legislation Should Garner Serious Consideration
  IP Version Changes Things
  Network Security Is a System
  Summary
  References
Appendix A: Glossary of Terms
Appendix B: Answers to Applied Knowledge Questions
  Chapter, Chapter, Chapter, Chapter, Chapter, Chapter, Chapter, Chapter, Chapter, Chapter 10, Chapter 11, Chapter 12, Chapter 13, Chapter 14, Chapter 15, Chapter 16
Appendix C: Sample Security Policies
  INFOSEC Acceptable Use Policy
  Password Policy
  Guidelines on Antivirus Process
Index

Copyright

Copyright © 2004 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing April 2004
Library of Congress Cataloging-in-Publication Number: 2002107132

Warning and Disclaimer

This book is designed to provide information about network security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

The following materials have been reproduced by Pearson Technology Group with the permission of Cisco Systems Inc.: Table 16-, Figures 3-11 through 3-13, Figures 6- through 6-8, Figure 6-10, Figure 6-23, Figure 6-26, Figure 7-, and Figures 10-18 through 10-21. COPYRIGHT © 2004 CISCO SYSTEMS, INC. ALL RIGHTS RESERVED.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information please contact: U.S. Corporate and Government Sales 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the U.S. please contact: International Sales, international@pearsoned.com.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Credits

Publisher: John Wait
Editor-in-Chief: John Kane
Executive Editor: Brett Bartow
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Nannette M. Noble
Acquisitions Editor: Michelle Grandin
Production Manager: Patrick Kanouse
Development Editor: Grant Munroe
Production: Argosy Publishing
Technical Editors: Qiang Huang, Jeff Recor, Russell Rice, and Roland Saville
Team Coordinator: Tammi Barnett
Cover Designer: Louisa Adair

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 20 357 1000
Fax: 31 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Printed in the USA

Dedication

Index

  hardening settings
  Layer 3/4 stateless ACLs
  management access
    ACL options
    SNMP
  network edge security
routing
  black holes
  content design considerations
  asymmetric routing
  protocol security
    specific protocol options
  symmetric routing
  IPsec Layer considerations
  manipulating flows
  security design effects
  sinkhole routing
Routing Information Protocol [See RIP]
RSA (Rivest-Shamir-Adleman)

S

S/MIME (Secure Multipurpose Internet Mail Extensions)
SA establishment (IPsec)
  phase
  phase
sandwich security device load balancing
scalability
  AAA server
  network security system design
SCP
script kiddies
scripting
  cross-site scripting
SECOPS (security operations)
Secure FTP (SFTP)
Secure Hash Algorithm (SHA)
Secure Multipurpose Internet Mail Extensions (S/MIME)
secure network management
  cleartext in-band
  cryptographically secure in-band
    best deployment practices
    Network layer
    supported platforms
  hybrid management design
  optional components
  organizational realities
  out-of-band (OOB) management
  protocol capabilities
    HTTP/HTTPS
    NetFlow
    SNMP
    Syslog
    Telnet/SSH
    TFTP/FTP/SFTP/SCP
  tool capabilities
    network security management tools
  troubleshooting
secure networking
  legislation
Secure Shell (SSH)
Secure Socket Layer (SSL)
Secure Sockets Layer (SSL) offload
security
  affect on routing and IP addressing
  application-based security devices
    custom appliances
  applications
    DNS
    e-mail
    e-mail, access control
    e-mail, design recommendations
    evaluation
    FTP
    HTTP/SSL
    instant messaging (IM)
  as a system
  attacks
    application manipulation attacks
    attacker elite
    attacker types
    composite attacks
    crackers
    data scavenging
    direct access attacks
    flooding attacks
      application flooding
      TCP SYN flooding
    network manipulation attacks
    probing and scanning
    process
    rating scale
    read attacks
    redirection attacks
    results
    rogue devices
    script kiddies
    sniffer attacks
    spoofing attacks
    taxonomies
    war dialing/driving
  avoiding security through obscurity
  best practices
    firewalls
  Black Helicopter Research case study
    attack example
    design choices
    migration strategy
    security requirements
  business priorities
  caching
  campus
    design considerations
    high-end resilient campus security design
    medium network campus security design
    small network campus security design
    threats
  choke points
  compliance checking
  confidentiality
  content filtering
    e-mail filtering
    Web filtering
  cost
  cryptography
    file system cryptography
    L2 cryptography
    L5 to L7 cryptography
    network layer cryptography
  difficulties of
  disabling unneeded services
  domains of trust
    network design
  DoS attacks
    ICMP unreachable DoS considerations
    network flooding design considerations
    TCP SYN flooding design considerations
  events
  extranets
  firewalls
    routers with Layer 3/4 stateless ACLs
    stateful
  good network design
  identity
    802.1x/EAP design guidelines
    AAA
    AAA server design guidelines
    deployment
    device identity
    digital certificates
    factors
    IP addresses
    L4 information
    MAC addresses
    network vs application
    physical access
    role in secure networking
    shared usernames
  incident response
  IPsec
    authentication methods
      Mode Config
    DH
    Encryption Protocol Selection
    PFS
    split tunneling
  IPT
    data interception
    deployment options
    firewalls
  IPv6
  Layer
    802.1x
    ARP
    best practices
    Cisco-specific protocols
    DHCP
    MAC flooding
    protocols
    PVLANs
    STP
    VLAN hopping
    VLANs
  layer roles
  legislation
  load balancing
    security device load balancing
    SLB
  NetGamesRUs.com case study
    migration strategy
    security requirements
  network-integrated security functions
    router/switch hardware integrated
  NIDS
    alerts
    anomaly-based NIDS
    attack response
    best practices
    deployment
    multisegment NIDS
    placement
    signature-based NIDS
    TCP resets
  operational simplicity
  OS network security devices
  OSs
  passwords
    passphrases
  physical
    cable plant issues
    data centers
    electromagnetic radiation concerns
    identity mechanisms for insecure locations
    key card access
    keycard with turnstile
    lock-and-key access
    PC threats
    preventing password recovery at insecure locations
    single-factor identity problem
  policies
    antivirus guidelines
    enforcement
    InfoSec example
    overview
    passwords
  predictability
  proxy servers
    DMZ proxy design
    firewall-enforced
    uster aggregation
  risks
    analysis
  routing protocols
    asymmetric routing
    message authentication
    specific protocol options
    symmetric routing
  software deployment
  stateless security features
  system design
    collapsed campus design
    core, distribution, and access design model
    core, distribution, and access design
    management
    ten steps to design
  system development and operations
    examining policy drivers
    policy development
    steps to success
    system design
    system life cycles
    system rough drafts
    system scalability and performance
  technologies
    host and application security
    identity technologies
  teleworker
    design evaluations
    hardware-based design
    host protections
    identity
    network-transit protections
    software-based design
    threats
  transport protocols
  University of Insecurity case study
    attack examples
    design choices
    migration strategy
    security requirements
  vendors vs access
  vulnerabilities
    configuration
    hardware
    policy
    software
    usage
  weapons
  WLANs
    802.11 security enhancements
    802.11 WEP
    access point hardening
    differentiated groups WLANs
    direct Internet access WLANs
    DoS attacks
    L3+ cryptography
    recommendations
    rogue APs
security device load balancing
  HA firewall vs HA/LB firewall
  sandwich model
  stick model
security management
security policy database (SPD)
selecting technologies for network security design
semitrusted IPsec topology
Sendmail
Server Load Balancing (SLB)
servers
  DNS configuration
  proxy
SFTP
SFTP (Secure FTP)
SHA (Secure Hash Algorithm)
shared identity
signature-based NIDS
Simple Network Management Protocol [See SNMP]
single sign-on (SSO)
sinkhole routing
site-to-site IPsec platforms
site-to-site IPsec VPNs
  deployment examples
site-to-site VPNs
  remote access edge
Slashdot effect
SLB (Server Load Balancing)
small network campus security design
  alternatives
  Ethernet switches
  evaluation
  internal servers
  user hosts
  WLAN AP
small network edge security design
  alternatives
    decreased security small network design
    increased security small network design
  design requirements and overview
  devices and security roles
  Ethernet switches
  optional WAN routers
  public servers
  router/security gateways
  evaluation
  VPNs
smurf attacks
sniffer attacks
sniffers
  WLANs
SNMP (Simple Network Management Protocol)
  deployment best practices
  security considerations
  use of
SOCKS
software
  open source
    disadvantages
  OS-based network security
  security legislation
  teleworker computers
    design considerations
  vulnerabilities
SPD (security policy database)
split tunneling (IPsec)
  performance
spoofing
  DNS
spoofing attacks
  IP spoofing
  MAC spoofing
SQL (Structured Query Language)
SSH
  deployment
  use of
SSH (Secure Shell)
SSH/SSL
SSL
  security
SSL (Secure Sockets Layer)
SSL (Secure Sockets Layer) offload
SSO (single sign-on)
SSSH firewalls
stacheldraht
standards
state-sharing security devices
stateful firewall DMZ design
stateful firewalls
  high-end resilient campus security design
  high-end resilient edge design
  Internet edge
stateless security features
static translation
stick model of security device load balancing
STP
support
  open source software
switches
  hardening
  firewalls
symmetric routing
SYN cookies
syslog
Syslog
  deployment best practices
  security considerations

T

TACACS+
taxonomies
  attacks
    application manipulation attacks
    composite attacks
    direct access attacks
    flooding attacks
    network manipulation attacks
    read attacks
    redirection attacks
    sniffer attacks
    spoofing attacks
TCN (Topology Change Notification)
TCP (Transmission Control Protocol)
TCP Intercept
TCP resets
TCP spoofing
TCP SYN flooding
  design considerations
technologies
  security
    application firewalls
    content filtering
    cryptography
    emerging technologies
    firewalls
    host and application security
    hybrid host systems
    identity technologies
    inside NIDS
    NIDS
teleworker security design
  evaluations
  hardware-based design
  host protections
  identity
  network-transit protections
  software-based design
  threats
Telnet
  deployment
  use of
TFTP
theft of service
threat profile
threats
  campus networks
  network edge
  OOB management
  teleworker systems
  traffic assessment
three-domain security design
  choke points
three-interface firewall design
three-tier e-commerce network design
three-tier web design
TKIP
TLS (Transport Layer Security)
topologies
  IPsec
    split tunneling
  IPsec VPNs
    centralized
    remote access
    firewall
    semitrusted
    trusted
Topology Change Notification (TCN)
traffic flow management
Transmission Control Protocol [See TCP]
transparent caches
Transport Layer Security [See TLS]
Transport Layer Security (TLS)
transport mode (IPsec)
transport protocols
  design considerations
transport redirection attacks
transport spoofing
triple DES (3DES)
Trojan horse
Trojan horses
troubleshooting
  flooding
  preparing for attacks
  secure network management
trust
  choke points
  identities
trusted IPsec topology
tuning NIDS
tunnel mode (IPsec)
tunneling
  GRE
two-tier e-mail design
two-tier web design

U

UDP
UDP spoofing
unicast reverse path forwarding [See uRPF]
unicast reverse path forwarding (uRPF)
University of Insecurity case study
  attack examples
  design choices
  migration strategy
  security requirements
uRPF (unicast reverse path forwarding)
usage vulnerabilities
user hosts
  high-end resilient campus security design
  medium network campus security design
  small network campus design
usernames
  identity
  setup

V

VACLs
  DHCP warning
van Eck phreaking
vendors
virtual private networks [See VPNs]
viruses
VLAN Query Protocol (VQP)
VLAN trunking protocol (VTP)
VLANs
  DHCP snooping
  hopping
    basic attacks
    creative attacks
  PVLANs
  security
VPNs (virtual private networks)
  core, distribution, and access design model
  high-end resilient edge security
  IPsec
    firewall and NIDS placement
    platform options
    topology choices
  IPsec VPNs
    outsourcing
    site-to-site deployment examples
  medium network remote access edge
  mobile worker concerns
  overview
  remote user VPNs
  site-to-site VPNs
VQP (VLAN Query Protocol)
VTP (VLAN trunking protocol)
vulnerabilities
  configuration
  hardware
  policy
  software
  usage
vulnerability scanning

W

WAN routers
  small network edge security
WANs
  branch vs head-end design
  core, distribution, and access design model
  distributed WAN considerations
  high-end resilient edge security
  medium network edge security
war dialing/driving
WCCP (Web Cache Control Protocol)
weapons
Web application attacks
web applications
  two-tier web design
Web Cache Control Protocol (WCCP)
Web filtering
WEP (Wired Equivalent Privacy)
  designing
  WPA
Wi-Fi Protected Access (WPA)
Wired Equivalent Privacy [See WEP]
WLAN AP
  high-end resilient campus security design
  medium network campus security design
  small network campus design
WLANs
  802.11 security enhancements
  802.11 WEP
  design
  access point hardening
  DoS attacks
  IPsec
  L3+ cryptography
    IPsec
    SSH/SSL
  rogue APs
  security
    differentiated groups WLANs
    direct Internet access WLANs
    recommendations
  sniffers
worms
WPA (Wi-Fi Protected Access)

X

Xauth (Extended Authentication)

Z

zone transfers (DNS servers)

Date posted: 27/10/2019, 21:20
