Slashdot Mirror


End-to-End Network Security

Ben Rothke writes "One of the mistakes many organizations make when it comes to information security is thinking that the firewall will do it all. Management often replies incredulously to a hacking incident with the thought 'But don't we have a firewall?' Organizations need to realize a single appliance alone won't protect their enterprise, irrespective of what the makers of such appliances suggest and promise. A true strategy of security defense in depth is required to ensure a comprehensive level of security is implemented. Defense in depth uses multiple computer security technologies to keep an organization's risks in check. One example of defense in depth is having an anti-virus and anti-spyware solution both at the user's desktop and also at the gateway." Read on for the rest of Ben's review.

End-to-End Network Security: Defense-in-Depth
Author: Omar Santos
Pages: 480
Publisher: Cisco Press
Rating: 9
Reviewer: Ben Rothke
ISBN: 1587053322
Summary: Excellent and comprehensive look at how to secure a Cisco infrastructure

End-to-End Network Security: Defense-in-Depth provides an in-depth look at the various issues around defense in depth. Rather than taking a very narrow approach to security, the book focuses on the comprehensive elements of designing a secure information security infrastructure that can really work to ensure an organization is protected against the many different types of threats it will face on a daily basis.

The book's 12 chapters provide a broad look at the various ways in which to secure a network. Aside from a minor mistake in chapter 1 where the author confuses encryption standards and encryption algorithms (but then again, many people make the same mistake), the book provides a clear and to-the-point approach to the topic at hand. After reading the book, one will have a large amount of the information needed to secure their Cisco-based network.

While it is not in the title, the book is completely centered on Cisco hardware, software, and Cisco IOS. It is a Cisco Press title written by a Cisco employee; as you would expect, it has a heavy Cisco slant. For those that do not work in a Cisco environment, the information in the book will likely be far too Cisco-centric for their needs. A review of the index shows that the book provides a near A-Z overview of information security. One of the only missing letters is 'J', but then again, that would require writing about Juniper.

Chapter 1 starts off with a detailed overview of the fundamentals of network security technologies. Chapter 2 details the various security frameworks and methodologies around securing network devices. The six-step methodology that the author writes of is comprised of preparation, identification, classification, traceback, reaction and postmortem.

The author mistakenly writes that manual analysis of complex firewall policies is almost impossible because it is very time-consuming. The truth is that the time-consuming aspect does not make it impossible. It can be done, but the author is correct that the use of automated tools makes such analysis much quicker and easier.
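The reviewer's point that automated analysis makes firewall-policy review quicker can be made concrete. The following is an added example, not code from the book or from the review, and it uses a hypothetical simplified rule format rather than Cisco ACL syntax: it reads a first-match policy and reports rules that are shadowed by a single earlier rule, which is the most common thing a manual review of a long policy misses.

```python
"""Shadowed-rule detection for a small first-match firewall policy.

Added example (not from the book or the review). A rule is shadowed when
every packet it could match is already matched by some earlier rule, so the
later rule is dead. The rule format is a hypothetical simplified one:
    name action proto src dst port
with port given as N, N-M or any.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp" or "any"
    src: object        # ipaddress network object
    dst: object        # ipaddress network object
    dport: PortRange   # inclusive destination port range


def parse_rule(line: str) -> Rule:
    name, action, proto, src, dst, port = line.split()
    if action not in ("permit", "deny"):
        raise ValueError("bad action in rule %r" % name)
    if port == "any":
        dport = (0, 65535)
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
        dport = (lo, hi)
    else:
        dport = (int(port), int(port))
    return Rule(name, action, proto, ip_network(src), ip_network(dst), dport)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.dport[0] <= inner.dport[0]
            and inner.dport[1] <= outer.dport[1])


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed_rule, shadowing_rule) pairs for a first-match policy.

    Only shadowing by one earlier rule is detected. A rule hidden by the
    *union* of several earlier rules needs a full packet-space analysis,
    which is deliberately out of scope here.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample policy, not taken from any real device.
SAMPLE_POLICY = """
r1 permit tcp 10.0.0.0/8   192.0.2.10/32 443
r2 deny   any 0.0.0.0/0    192.0.2.0/24  any
r3 permit tcp 10.1.0.0/16  192.0.2.10/32 443
r4 permit udp 10.0.0.0/8   192.0.2.53/32 53
"""


def analyze(policy_text: str) -> List[Tuple[str, str]]:
    rules = [parse_rule(l) for l in policy_text.strip().splitlines() if l.strip()]
    return find_shadowed(rules)


if __name__ == "__main__":
    for shadowed, by in analyze(SAMPLE_POLICY):
        print("%s is never reached: already matched by %s" % (shadowed, by))
```

On the constructed policy this flags r3 (a narrower duplicate of r1, harmless but dead) and r4, a permit that the broad deny in r2 makes unreachable; the second kind is the ordering mistake that silently breaks a service while the policy still looks reasonable line by line. Shadowing by the combination of several earlier rules is not detected, which is exactly the case where a real analysis tool earns its keep.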

Chapters 5 and 6 provide an excellent overview of reacting to information security incidents. The chapters cover all of the necessary details, from laws, log files, postmortem and more.

Chapter 9 provides an extensive overview of the various elements of IPT security. It includes various ways to protect the many parts of a Cisco IPT infrastructure. In this chapter and the others, the author does a very good job of detailing the various configuration steps necessary to secure a Cisco device, both at the graphical level and also at the IOS command line level.

Chapter 12 concludes the book with 3 case studies of using defense in depth in small, medium and large enterprise networks. Different size networks have different requirements and constraints and are not secured in the same manner.

Overall, End-to-End Network Security: Defense-in-Depth is an excellent and comprehensive book on how to secure a Cisco infrastructure. It details the many threats such an environment will face, and lists countermeasures to mitigate each of those threats. Anyone involved in securing Cisco-based networks will find this book to be quite helpful in their effort to secure their network.

Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.


21 of 99 comments

  1. Let me be one of the first to say by Nursie · · Score: 4, Insightful

    "Duh!"

    C'mon, an incoming firewall is a good start, but it's just that. You still need AV, Anti-malware is good. Spam filtering, individual machine firewalls, server security, access limits for users, restrictions on what can be attached to the network, a secure area with limited access for those whose laptops travel a lot...

    This is, is it not, pretty elementary stuff?

    1. Re:Let me be one of the first to say by Bender0x7D1 · · Score: 3, Interesting

      This is, is it not, pretty elementary stuff?

      It really depends on who you are...

      I suppose someone who has a Ph.D. in physics would say that quantum mechanics is pretty elementary stuff. The problem here is that you are assuming everyone who is in charge of a network has the knowledge, background and experience to understand security. Most don't. Many who think they do - don't. There is so much to keep track of that it's a full-time job just to keep up with the attackers. If you have a lot of other work to do, you probably aren't keeping current in every area you need to. That's why there are security experts who get paid a lot of money to help secure systems and networks.

      --
      Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
  2. Why not just dump Windows? by webmaster404 · · Score: 2, Insightful

    Why not just dump Windows and go for either emulating XP on a Virtual Machine or run OS-X, Linux or BSD? Seriously, if you're worried about your employees downloading a "screensaver" for Windows and infecting the network, just run Linux and I bet you over 80% of the time that's what it is. As for "retraining", you would spend more money retraining and getting better hardware (and worse software) to get Vista and Office 2007, while Ubuntu can be themed like XP/Vista/Amiga/OS-X or any other previous operating system. Open Office has a much lower learning curve than giving them Office 2007. So just switching to Linux takes out just about 100% of malware/virus problems which bring in back-doors and other ways of accessing, not to mention the code is open so you can be 100% sure that you won't get a "stealth update" or delayed patches or even currently unknown flaws in the kernel. As for a firewall, just running your connections through a router would help a bit; set up Firestarter or another iptables front-end for Linux, set secure root passwords and the only way that it can be cracked is if the IT department decided to crack it because they would be the ones that set it up. So the moral of the book is, switch to Linux or just about any OS other than Windows, set up a firewall and secure passwords and you will be fine.

    --
    There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
    1. Re:Why not just dump Windows? by MikeFM · · Score: 2, Informative

      What's really bad is that a clever hacker can bypass much of your company's security just by getting someone running Windows to let themselves be infected with a program that gives the hacker terminal access to their computer and the ability to catch usernames, passwords, etc. Suddenly they have all the right authorization and access to your protected systems from inside the LAN. Worse, they can often infect other Windows systems, giving the hacker access to the protected systems with many different user credentials. Would you want a hacker accessing ANYTHING that any Windows user on your network has access to? For most companies that gives access to everything, because most data is accessed by at least one Windows user.

      If you have Windows on your network then it's not difficult to penetrate your network. I've done this experiment many times with many different companies I've worked for. I can always gain secure access.

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    2. Re:Why not just dump Windows? by Vanessa+MacDougal · · Score: 2, Insightful

      There is nothing magical about other operating systems. Denial-of-service (DOS) attacks and the reading of unencrypted data, for instance, know no OS. You need end-to-end security regardless of your platform.

    3. Re:Why not just dump Windows? by webmaster404 · · Score: 2, Insightful

      Yes I know that they can lock down Windows, I worked for a company for a short time that locked down Windows. The fact though was, between an over-aggressive content-blocking server that blocked non-inappropriate or time wasting sites, the fact that Firefox could never update itself because I didn't have Read, write and execute privileges to update Firefox (which by the way was already installed by the IT department) most IT departments I have found know very very little about computers, they either know how to use Windows and other MS software or a little about hardware, very few know anything about computers and many have irrational fears (like checking your E-Mail from a web based E-Mail account will suddenly infect the entire network, didn't give a reason or anything even when I asked) and so I don't think that "locking down Windows" will solve anything about it, it will just give them more ways to mess everything up.

      As for the applications, very few businesses that I have seen, have any "must-need" software on most of their computers, sure there are a few that would need to have a VM running to run a few or have Windows dual-booting but for the average worker, Linux is sufficient. And I am not proposing a total abrupt change, but when the next licensing fee has to be sent in, or when it is time for an upgrade, Linux works 85% of the time for a solution and the other times, just dual-booting Windows or keeping a VM with it installed works.

      As for the social aspect, Linux would allow them to download what they choose and surf the internet without IT locking down computers to being unusable. There is very very very little Linux malware, and those that do exist are either not in the wild, or as long as you use a halfway recent distro (like Fedora Core 1) you will be safe from them if you keep up on your patches. Also, most Windows Malware/Adware/Spyware/Viruses are caused by a program that looks legit but isn't; Linux reduces this threat by the package management system. When you type in sudo apt-get install firefox, you can be assured that someone has looked that over and that it matches checksums to make 100% sure it's Firefox and not some malware. If you don't trust that, you can compile it completely from source. There is little way, unless you are randomly installing binary files, that you will get any malware on a Linux machine. Also, if there is a problem, a sysadmin can simply SSH into the system and fix the problem.

      Free, Easy to use (it can be customized to behave like XP/OS-X/Vista), Secure, and Functional, there's no reason not to use Linux

      --
      There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
    4. Re:Why not just dump Windows? by jc42 · · Score: 2, Insightful

      C'mon; asking businesses to dump Windows would be a lot like asking America to dump Christianity, or asking Egypt to dump Islam. All three might be very good ideas, but suggesting any of them in the appropriate crowds will just get you fired/crucified/beheaded/whatever.

      When faced with religious beliefs like these, the best you can do is try to make the best of them, while trying to minimize their damage to people and property.

      [A couple decades ago I'd have included asking the USSR to dump Communism, but that happened. But I suspect that IBM/Microsoft, Christianity and Islam are much more deeply entrenched than Communism ever was. Anyway, my metaphor generator is redlined as it is. ;-]

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    5. Re:Why not just dump Windows? by Fred_A · · Score: 2, Funny

      While you're at it, got any waste management software for Linux? Sure, both Gnome and KDE have this little trashcan icon nowadays.
      It's all gotten very fancy.

      --

      May contain traces of nut.
      Made from the freshest electrons.
  3. from the protect-ya-network dept. by eikonoklastes · · Score: 2, Funny

    I thought this would have come from the preaching-to-the-choir dept.

  4. It's all useless by fremean · · Score: 3, Insightful

    You can spend billions of dollars securing your network end to end, but so long as you still employ staff (or let them have communication with the outside world) nothing you buy can protect you from ID-10-T security breaches

  5. Choice quote from CSI by mcrbids · · Score: 4, Funny

    As they were chasing the bad guy (girl?) through the 2nd Life game, the CSI lab was hacked. Choice quote:

    "We're under attack! Get that firewall UP NOW!"

    I mean, yes, it's CSI and nobody expects perfection, but that's representative of the way people often see things...

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Choice quote from CSI by dnormant · · Score: 2, Insightful

      My wife looked at me like I was nuts when I started to roll on the floor over that one...

      GET THE FIREWALL UP...

  6. Defense in depth by starfishsystems · · Score: 4, Insightful

    Defense in depth is an important security principle, among several others which have apparently not received any treatment in the book reviewed here.

    Considering that the book is exclusively concerned with configuring proprietary network gear, that's perhaps understandable. But when the same book presumes, by its title, to offer a general treatment of end-to-end security, it will have badly misled its readers. This is not end-to-end security, but instead the much smaller subset which concerns how to manage network traffic.

    If we genuinely want to talk about end-to-end security, we'll have to look closely at the endpoints. We have to look at them in terms of their own architectural security, as well as how they function as communicating agents. And where communication is concerned, all the stuff in the middle, generally speaking, is not trustworthy.

    That's a more principled approach to what "defense in depth" means in the context of these endpoints. Sure there might be a few firewalls or encrypted tunnels along the way, but the endpoints have no means of assuring that this infrastructure is in fact secure. Should those layers fail to operate as expected, the security of the communication falls to other layers. Ultimately, the responsibility falls to the endpoints themselves.

    Dealing with security in several fragmented pieces is not so great. That's because security is an emergent property of the entire system, not something which can be directly composed from elements of the system. A text which provides a comprehensive treatment of security principles would be most welcome. Let's save the "end-to-end" terminology for when we're really looking at end-to-end architectures.

    --
    Parity: What to do when the weekend comes.
  7. Godwin says... by kensan · · Score: 2, Funny

    nothing for you to see, move along.

  8. Re:Or, just get a Mac/Linux? by nine-times · · Score: 2, Interesting

    I remember reading on slashdot several years ago about a network security idea to scrap all this firewall gateway etc stuff and just implement a secure desktop

    That's all well and good so long as you can really trust each individual machine. Also, you'll probably want to wait until after the move to IPv6, or else you'll probably want to have some kind of gateway w/NAT. Even if you had all that, I wouldn't mind having a firewall anyway, just as an added layer of security.

  9. Human Factors by handy_vandal · · Score: 3, Interesting

    Also consider the human factors angle.

    I used to do tech support at a major US university. I'd show up at the user's desk, flip the keyboard upside down ... there's the password, taped to the underside of the keyboard. Hell, sometimes it was taped to the monitor. Not every time, of course -- a minority of users, really -- but often enough to make it a Bad Habit.

    -kgj

    --
    -kgj
    1. Re:Human Factors by firstnevyn · · Score: 2, Insightful

      If Mallory is sitting at the console you've already lost.

      A critical question is what are you attacking against? If it's Joe Random Cracker out on the interweb then the password being taped to the keyboard is BETTER than having a weak password that's memorised (and easily bruteforced).

      If the threat is unauthorised access internally then it's a problem that it's taped to the keyboard; written on a card in your wallet would still be better, IMHO, than a weak password.

      In short it's bad.. but when the threat isn't in the building (which is secure) it's not SO bad.

      --
      Good, fast and cheap pick two.

  10. Re:What a bunch of NAZIs we are.... by tjstork · · Score: 2

    We want freedom for the users to make their systems obey them, and allow them to study and modify it to suit their needs.

    That's all very noble sounding but it's not at all the truth.

    No we don't. We want to impress our corporate masters with all of these shiny reports showing how much we know about everyone is on the system, trying to candy up our asses in the name of safety. We're no different from the people pushing camcorders in grocery stores. Security is a protection racket industry... "buy from us, before some hacker/muslim/bigfoot, gets you..." And really, it seems to me that the climate of fear that we are imposing on IT far and away outweighs the perceived benefit, just as it does, whenever security becomes an industry by itself.

    I guarantee that there is not a single developer on this board that has not written a security / tracking system for some product, somewhere, and not marveled at the possibilities of all that information they collect.

    --
    This is my sig.
  11. Re:Firewalls are your LAST line of defence... by Martin+Blank · · Score: 3, Informative

    You don't always know if you have insecure services, though. You can limit the rights of the accounts under which services run, but there may still be ways of using vulnerabilities to get around that. This is one of the reasons that application-level firewalls are becoming so popular, as allowing only RFC-compliant (at least essentially so) traffic can prevent numerous exploits. Having dropped such a firewall into the middle of a network before, I've seen what suddenly gets blocked.

    --
    You can never go home again... but I guess you can shop there.
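As an added illustration of the comment above (example code, not the commenter's and not from any product), the filter below admits only request heads that satisfy the RFC 7230 grammar for the request line and header fields, and rejects constructed samples that a loose server-side parser would happily accept. The line-length and header-count limits are assumed values, and the sample requests are constructed rather than captured.

```python
"""Application-layer filter that admits only (essentially) RFC 7230-compliant
HTTP/1.x request heads.

Added example, not code from the comment author or from any product. The
line-length and header-count limits are assumed values.
"""
import re
from typing import Dict, List, Tuple

# token = 1*tchar (RFC 7230 section 3.2.6)
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_VERSION = re.compile(r"^HTTP/1\.[01]$")
_ORIGIN_FORM = re.compile(r"^/[^\s]*$")
_ABSOLUTE_FORM = re.compile(r"^https?://[^\s/]+(/[^\s]*)?$")
# field-value characters: VCHAR / SP / HTAB / obs-text
_FIELD_VALUE = re.compile(r"^[\t !-~\x80-\xff]*$")
_DIGITS = re.compile(r"^[0-9]+$")

MAX_LINE = 8192        # assumed limit
MAX_HEADERS = 100      # assumed limit


def check_request_head(raw: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for the head of one HTTP/1.x request.

    Only the bytes up to the first CRLFCRLF are examined; the body is not.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no CRLFCRLF terminating the header block"
    # A bare CR or LF is the classic way to make two parsers disagree.
    stripped = head.replace(b"\r\n", b"")
    if b"\n" in stripped or b"\r" in stripped:
        return False, "bare CR or LF in head"
    lines = head.decode("latin-1").split("\r\n")
    if any(len(line) > MAX_LINE for line in lines):
        return False, "line too long"
    request_line, header_lines = lines[0], lines[1:]
    if len(header_lines) > MAX_HEADERS:
        return False, "too many headers"

    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "request line is not 'method SP target SP version'"
    method, target, version = parts
    if not _TOKEN.match(method):
        return False, "method is not a token: %r" % method
    if not _VERSION.match(version):
        return False, "unsupported version: %r" % version
    if not (_ORIGIN_FORM.match(target) or _ABSOLUTE_FORM.match(target)
            or (method == "OPTIONS" and target == "*")):
        return False, "request-target is not origin-form or absolute-form"

    content_lengths: List[str] = []
    has_transfer_encoding = False
    for line in header_lines:
        if line[:1] in (" ", "\t"):
            return False, "obsolete line folding"
        name, colon, value = line.partition(":")
        # A token cannot contain whitespace, so this also rejects
        # "Name : value", the spacing some parsers tolerate.
        if not colon or not _TOKEN.match(name):
            return False, "bad header field name: %r" % name
        value = value.strip(" \t")
        if not _FIELD_VALUE.match(value):
            return False, "illegal character in value of %s" % name
        lname = name.lower()
        if lname == "content-length":
            content_lengths.append(value)
        elif lname == "transfer-encoding":
            has_transfer_encoding = True
    if len(set(content_lengths)) > 1:
        return False, "conflicting Content-Length values"
    if content_lengths and not _DIGITS.match(content_lengths[0]):
        return False, "non-numeric Content-Length"
    if content_lengths and has_transfer_encoding:
        return False, "both Content-Length and Transfer-Encoding present"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "options_star": b"OPTIONS * HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\nHost: example.com\r\n\r\n",
    "bad_method": b"G{T / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "folded_header": b"GET / HTTP/1.1\r\nHost: a\r\n b\r\n\r\n",
    "ctl_in_value": b"GET / HTTP/1.1\r\nHost: a\x01b\r\n\r\n",
    "dup_length": b"POST / HTTP/1.1\r\nContent-Length: 4\r\nContent-Length: 5\r\n\r\n",
    "smuggle_setup": (b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 4\r\n"
                      b"Transfer-Encoding: chunked\r\n\r\n"),
}


def filter_samples() -> Dict[str, bool]:
    """Run every sample through the filter; True means it would be forwarded."""
    return {name: check_request_head(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_request_head(raw))
```

Only the two well-formed samples pass. The rejected ones are not exotic: bare LF line endings, a non-token method, obsolete line folding, a control character in a header value, and the duplicate or conflicting length headers used to desynchronise a front-end from a back-end are all things real servers have accepted, which is why dropping such a filter into a network makes traffic "suddenly" disappear that nobody knew was malformed.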
  12. Networks, military bases, banks, whatever ... by ScrewMaster · · Score: 4, Insightful

    if you're depending entirely upon a perimeter defense you will get pwned.

    --
    The higher the technology, the sharper that two-edged sword.
  13. Well, yes... by jd · · Score: 2, Interesting

    ...but Cisco IOS supports more than firewalls - which seems to be the only focus of the book. IPSec in certificate-based router-to-router mode should be a fundamental consideration in business-to-business connections over the public Internet. Duplicating the endpoint would be essentially impossible.

    Active NIDS is usually discouraged when placed in serial with the network, as it usually can't block the network when in parallel. But if the NIDS server can log onto the managed switch or router, it can disable the connection on an intrusion being detected. If it's sniffing the packets on the regular network only (ie: not providing any service to the network), it can't be seen or disabled.

    If servers on the network aren't intended for outside use, make them IPv6-only and either make the router an IPv4/IPv6 gateway or use IPv6 tunnels to the extranets of interest. You can't crack what you can't connect to, putting those servers out of reach.

    PAM supports OPIE and S/KEY, so you can always make passwords MUCH harder to obtain or crack. Kerberos V is also good for that.

    Banning open protocols and .rhosts, requiring SSH or SSL/TLS-based protocols would likely do wonders for security as well. Even if passwords are technically encrypted, you can learn a huge amount from the rest of a session if it's not encrypted. Ergo, mandate encryption.

    Next, as far as possible, servers should use mandatory access controls (to limit the use of any bugs for escalation) and software that has been as audited as possible (to minimize the risks of such bugs existing in the first place). The greater the risk of holes, the less the value of protecting all the other avenues that could be used for attack.

    Finally, password files and other authentication data should be protected by means of strong encryption or strong cryptographic hashes according to requirements. That way, if a service ends up proving exploitable or some other hole is discovered, an attacker can't use such data to access the system with greater rights.

    Sure, this is (a) imperfect, (b) clock-cycle expensive and (c) costly if done right, but it WILL be better than any firewall on its own, no matter how good the firewall.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
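On the OPIE/S/KEY point in the comment above, here is an added example (not the commenter's code, and not the RFC 2289 algorithm itself, which folds an MD4 or MD5 digest to 64 bits and encodes it as six short words; this uses an unfolded SHA-256 hex digest): a hash-chain one-time password scheme in which the server stores only the current verifier and a sequence number. The secret, seed and chain length are constructed values. It shows the property the comment relies on: a password sniffed off the wire is useless for the next login, and the server's stored verifier cannot be turned into the next password.

```python
"""One-time passwords from a hash chain, in the style of S/KEY / OTP.

Added example, not code from the comment author and not the RFC 2289
algorithm (which folds MD4/MD5 output to 64 bits and encodes it as six
words). SHA-256 is used unfolded and the hex digest is the password.
Secret, seed and chain length below are constructed values.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_chain(secret: str, seed: str, n: int) -> bytes:
    """h^n(seed || secret): apply the hash n times to the seeded secret."""
    x = (seed + secret).encode()
    for _ in range(n):
        x = _h(x)
    return x


@dataclass
class OtpServer:
    """Holds only the seed, the sequence number and the current verifier."""
    seed: str
    seq: int           # the client must present h^(seq-1) next
    verifier: bytes    # h^seq: the last value accepted (or the enrolled one)

    @classmethod
    def enroll(cls, secret: str, seed: str, n: int) -> "OtpServer":
        # Enrollment is the only time the secret is handled on the server
        # side; it keeps h^n and forgets the secret.
        return cls(seed=seed, seq=n, verifier=hash_chain(secret, seed, n))

    def challenge(self) -> Tuple[int, str]:
        return self.seq - 1, self.seed

    def login(self, otp_hex: str) -> bool:
        if self.seq <= 1:
            return False            # chain exhausted; user must re-enroll
        try:
            otp = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        # Accept iff h(otp) == stored verifier, then advance the chain.
        if not hmac.compare_digest(_h(otp), self.verifier):
            return False
        self.verifier = otp
        self.seq -= 1
        return True


def client_response(secret: str, seq: int, seed: str) -> str:
    """What the user's OTP calculator computes from the challenge."""
    return hash_chain(secret, seed, seq).hex()


def demo() -> Dict[str, object]:
    """Constructed walkthrough: a good login, a replay of the sniffed value,
    an attempt using the stolen server verifier, then the next good login."""
    server = OtpServer.enroll("correct horse", "ab12", n=100)
    seq, seed = server.challenge()
    first = client_response("correct horse", seq, seed)
    ok1 = server.login(first)
    replay = server.login(first)                    # stale: h(first) != new verifier
    from_verifier = server.login(server.verifier.hex())  # needs h^-1 to work
    seq2, _ = server.challenge()
    ok2 = server.login(client_response("correct horse", seq2, seed))
    return {"first": ok1, "replay": replay, "verifier_as_otp": from_verifier,
            "second": ok2, "remaining": server.seq}


if __name__ == "__main__":
    print(demo())
```

The replay fails because the server has already moved one step down the chain, and the stolen verifier fails because producing the next acceptable value from it would require inverting the hash. The remaining weakness, which RFC 2289 shares, is an active attacker who intercepts an OTP before it reaches the server and uses it first; the comment's recommendation to run everything over SSH or TLS closes that gap.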