Index

Numerics
802.1X, 364

A
acceptable-encryption policies, 74
acceptable-use policies, 74
access attacks, 91–92
access control, 127
    Corporate Internet module, 203–204
    medium-sized network design, 242–243
access control lists (ACLs), SNMP, 144
Access Control Server (ACS), 182–183
    Campus modules, 49
access filtering, Layer 3 switches, 278
access points, 362–363
access switches, Campus module (medium-sized network design), 249
access-group command, 226
accountability policies, 73
ACLs (access control lists), SNMP, 144
ACS (Access Control Server), 182–183
    campus module, 246
Adaptive Security Algorithm (ASA), 161
agents, SNMP, 144
antispoofing, RFC 2827 filtering, 115–116
antivirus policies, 74
application layer attacks, 92
    as threat to IP telephony networks, 340
    mitigating, 117–118
applications
    as targets, 37–38
    hardening, 115
Architecture for Voice, Video, and Integrated Data (AVVID), 5
ASA (Adaptive Security Algorithm), 161
assets, risk assessment, 78
attacks, 85
    application layer attacks, 92
        mitigating, 117–118
    applications, 37–38
    DoS attacks, 90–91, 109
        mitigating, 115–117
    hosts, 35
    IP spoofing, 102
        ISP routers, 218
        mitigating, 127–128
    management traffic attacks, mitigating, 140
    man-in-the-middle attacks, 103–104
        mitigating, 130
    mitigating, policy-based SAFE, 17–18
    networks, 36
    packet sniffers, 102
        mitigating, 128–129
    password attacks, 102–103
        mitigating, 129
    perimeter attacks, 158
        data manipulation, 158
        DoS, 158
        IP spoofing, 158
        malicious, 159
        passive, 158
        port scans, 158
        rerouting attacks, 159
        session hijacks, 158
        unauthorized, 158
    port redirection attacks, 104–105
        mitigating, 130–131
    reconnaissance attacks, 89–90
        mitigating, 114–115
    routers, 33
    switches, 34
    trojan-horse applications, 105
        mitigating, 131
0899x.book Page 474 Thursday, November 4, 2004 3:18 PM
    trust exploitation attacks, 92–93
        mitigating, 118
    unauthorized access attacks, 91–92
    virus attacks, mitigating, 131
    viruses, 105
audit policies, 75
authentication
    applying to user and device, 343
    packet sniffers, 128
    policies, 73
    SAFE, 18–19
Auto Update Server Software (CiscoWorks), 185
availability statements, 73
AVVID (Architecture for Voice, Video, and Integrated Data), 5, 186
    Communication Services, 188
    Network Infrastructure, 187
    Service Control, 187
axioms for SAFE IP Telephony design, 341–344

B
blind-TCP scans, 89
blueprints (SAFE), 17–19
    axioms, 32–33
        applications are targets, 37–38
        hosts are targets, 35
        networks are targets, 36–37
        routers are targets, 33
        switches are targets, 34
    design fundamentals, 31–32
    intrusion detection, 19–20
    medium-sized network design, 233, 237–238
        branches, 251
        Campus module, 246–250
        Corporate Internet module, 238–246
        WAN module, 250–251
    remote network design, 283, 287–292
        configuration, 287–288
        design guidelines, 290–292
        devices, 288–289
        threat mitigation, 288, 290
    small network design, 199–200
        branches, 207
        Campus module, 205–207
        Corporate Internet module, 200–204
        headend/standalone considerations, 207
    small network implementation, 217–218
        IDS services, 221
        IOS Firewall routers, 219–224
        ISP routers, 218–219
        PIX Firewall, 224–228
branches
    medium-sized network design, 251
    small network design, 207
broadband access devices (remote-user networks), 288
bugtraq, 117
Building Distribution module (Enterprise Campus layer), 310–311
    design guidelines, 310
    mitigating threats to, 310
building module (large IP telephony networks), 349

C
call interception, as threat to IP telephony networks, 338
caller identity spoofing, as threat to IP telephony networks, 339
Campus module (SAFE), 47–48, 205–207
    design alternatives, 51, 207
    design guidelines, 206
    devices, 49–51
    for medium-sized IP telephony networks, 348
    for small IP telephony networks, 347
    medium-sized network design, 246–250
    threat mitigation, 205–206
CatOS switches, generic security configuration, 357–359
CD One (CiscoWorks), 185
CERT (Computer Emergency Response Team), 117
CIA (confidentiality, integrity, and availability), 77
Cisco AVVID (Architecture for Voice, Video, and Integrated Data), 186–188
    Communication Services, 188
    Network Infrastructure, 187
    Service Control, 187
Cisco IOS firewalls, 160–161
    medium-sized networks, 267–268
Cisco PIX firewalls, 161–162
Cisco SAFE Implementation exam, scenarios, 391–392
    answers, 398–407
    branches (21-5), 394
    IKE configuration for IPSec VPNs (21-10), 397
    IPT solution for small networks (21-8), 397
    medium-sized company network design (18-6), 395–396
    medium-sized company network design (21-6), 395
    medium-sized company network design (21-7), 395
    medium-sized network design (18-2), 392
    medium-sized network design (18-3), 393
    medium-sized network design (21-2), 392–393
    medium-sized network design (21-3), 393
    secure wireless network design (21-9), 397
    small company network design (21-4), 394
    small network design (18-1), 391
    small network design (21-1), 391–392
Cisco Secure Access Control Server (ACS), 182–183
Cisco Secure IDS, 162–164, 166
Cisco Secure PIX Firewalls, 179
Cisco Secure Policy Manager (CSPM), 185–186
Cisco View (CiscoWorks), 184
Cisco VPN 3000 Series Concentrators, 179
Cisco VPN clients, 292
CiscoWorks VPN/Security Management Solution (VMS), 184–185
clients (VPNs)
    Cisco VPN clients, 292
    VPN hardware clients, 291–292
    security, 180–182
commands
    access-group, 226
    ip audit IDS in, 221
    permit ip any command, 73
communication policies, 75
Communication Services (AVVID), 188
Computer Emergency Response Team (CERT), 117
concentrators, security, 179–180
confidentiality, IP-based telephony support of, 342
confidentiality, integrity, and availability (CIA), 77
configuring
    CatOS switches, generic security configuration, 357–359
    remote networks, 287–288
    router security, 355–357
    VPNs, medium-sized networks, 271
connectivity, VPNs
    Corporate Internet module, 204
    IOS Firewall routers, 221
control protocols, network management protocols, 143–144
controlling voice-to-data segment interaction, 343
Core module (Enterprise Campus layer), 311
core switches (Campus module), medium-sized network design, 248–249
Corporate Internet module, 200–204
    access control, 203–204
    design alternatives, 204
    design guidelines, 202–204
    Enterprise Edge layer, 51–57, 320
        design guidelines for, 321–323
    filtering, 203–204
    for small IP telephony networks, 346
    intrusion detection, 204
    medium-sized network design
        design alternatives, 245–246
        design guidelines, 241–245
        threat mitigation, 240–241
    threat mitigation, 201–202
    VPN connectivity, 204
corporate servers, campus module, 49, 246
cost-effective deployment of SAFE, 21
cryptography, packet sniffers, 129
CSA software, host IPS, 165–166
    CSA MC, 166
    CSA software, 165–166
CSPM (Cisco Secure Policy Manager), 185–186

D
“day-zero” attacks, 165
DDoS (distributed denial of service) attacks, 91
    ISP routers, 218
    mitigating on medium-sized networks, 265
denial of service (DoS) attacks, 90–91, 109
    mitigating, 115–117
deployment models, 167, 345
designing
    Building Distribution module, guidelines, 311
    Building module, guidelines, 310
    Corporate Internet module, guidelines, 321–323
    E-Commerce module, guidelines, 315–316
    Management module, guidelines, 307–308
    medium-sized networks, 233, 237–238
        branches, 251
        Campus module, 246–250
        Corporate Internet module, 238–246
        headend/standalone considerations, 251
        WAN module, 250–251
    remote networks, 283, 287–292
        configuring, 287–288
        design guidelines, 290–292
        devices, 288–289
        threat mitigation, 288, 290
    SAFE blueprints, 17, 31–32
        access authorization, 18
        authentication, 18–19
        axioms, 32–38
        Campus module, 51
        cost-effective deployment, 21
        emerging networked application support, 21
        intrusion detection, 19–20
        policy-based attack mitigation, 17–18
        security, 17–18
    Server Module, guidelines, 312
    small network design, 199–200
        branches, 207
        Campus module, 205–207
        Corporate Internet module, 200–204
        headend/standalone considerations, 207
    VPNs
        and Remote Access Module, guidelines, 318–319
        security, 188
    WLANs, 365
        EAP WLAN design, 366–367
        IPSec WLAN design, 368–371
        large-enterprise WLAN design, 371–375
        medium-sized network design, 376–378
        remote network design, 379–380
        small network design, 378–379
devices
    on medium-sized networks, 264
    on remote networks, 288–289
    rogue, 344
    SAFE Campus module, 49–51
dial-in servers, Corporate Internet module, 53–55, 239
distributed DoS attacks, 91
DNS servers, Corporate Internet module, 53–54, 239
DoS (denial of service) attacks, 90–91, 109
    as threat to IP telephony networks, 340

E
EAP, 364
    large-enterprise WLAN design, 372–373
    medium-sized WLAN design, 376
    small WLAN design, 379
    WLAN design model, 366–367
EAP-TLS (EAP-Transport Layer Security), 365
AES (Advanced Encryption Standard), 365
E-Commerce module (Enterprise Edge layer), 314–316
Edge Distribution module (Enterprise Campus layer), 313
edge routers
    Corporate Internet module, 53–55, 239
    medium-sized networks
        ISP traffic filtering, 266
        public VLAN traffic filtering, 267
encryption, WEP
    alternatives to, 364–365
    enhancements to, 365
Enterprise Campus layer
    Building Distribution module, 310
        design guidelines, 311
    Building module, 310
    Core module, 311
    Edge Distribution module, 313
    Management module, 305
        design guidelines, 307–308
        mitigating threats in, 307
    Server module, 312
Enterprise Edge layer, 314
    Corporate Internet module, 320
        design guidelines, 321–323
    E-Commerce module, 314
        mitigating threats to, 315–316
    VPN and Remote Access module, 317
        design guidelines for, 318–319
    WAN module, 323
external security threats, 22
extranet policies, 74

F
file/web servers, corporate Internet module, 239
file-management protocols, 144
filtering
    access filtering, Layer 3 switches, 278
    Corporate Internet module, 203–204
    inside interface filtering, PIX Firewall, 269–270
    internal traffic filtering
        IOS Firewall routers, 222
        PIX Firewall, 226
    ISP traffic filtering, edge routers, 266
    medium-sized network design, 242–243
    outside interface filtering, PIX Firewall, 225, 268–269
    public services segment filtering, PIX Firewall, 270–271
    public services traffic filtering, PIX Firewall, 226
    public VLAN traffic filtering, edge routers, 267
    remote-access segment filtering, PIX Firewall, 271
firewalls
    Cisco IOS firewalls, 160–161
    Cisco PIX firewalls, 161–162
    Corporate Internet module, 53–54, 239
    packet filtering, 160, 168
    perimeter firewalls, 160–162
    PIX Firewall on small networks, 224–228
    proxy servers, 160, 168
    remote-site firewalls, 290–291
    stateful
        controlling voice-to-data segment interaction, 343
        packet filtering, 160, 168
    VPNs, security, 178
FTP servers, Corporate Internet module, 53–54

G
Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act, 71

H
H.323, 336–337
hardening applications, 115
hardware clients, 181–182
hardware-based VPN WLAN design, 380
headend/standalone considerations, small network design, 207
Health Insurance Portability and Accountability Act (HIPAA), 71
HIDS (host-based intrusion detection system), 48, 163
    medium-sized networks, 275
host-based intrusion detection systems (HIDS). See HIDS (host-based intrusion detection system)
host-based IPS (intrusion prevention system), 165
    CSA MC, 166
    CSA software, 165–166
hosts
    as targets, 35
    attacks on, 35
    Corporate Internet module, 54
HTTP servers, Corporate Internet module, 53–54

I
identity management, VPN security, 182–183
IDSs (intrusion detection systems), 37–38
    Campus module, medium-sized network design, 249
    configuring, PIX Firewall, 227
    medium-sized network design, 243–244
    sensors, 163–164
    services for small networks, 221
IDS Host Sensor (CiscoWorks), 185
IDS management console (MC), 164, 166
IIS directory traversal vulnerability, 92
implementing
    medium-sized networks, 259, 264
        devices, 264
        edge routers, 266–267
        HIDS, 275
        IOS Firewall, 267–268
        ISP routers, 265–266
        Layer 3 switches, 277–278
        NIDS, 272–275
        PIX Firewall, 268–272
        VPN 3000 Concentrator, 276
    small networks, 217–218
        IDS services, 221
        IOS Firewall routers, 219–224
        ISP routers, 218–219
        PIX Firewall, 224–228
in-band network management, 139
information technology systems, 73
information-sensitivity policies, 74
initialization-collision attacks, preventing, 368
inside interface filtering on medium-sized networks, 269–270
internal routers, Corporate Internet module, 53, 56
internal security threats, 22
internal traffic filtering
    IOS Firewall routers, 222
    PIX Firewall, 226
internal-lab security policies, 75
Internet DMZ equipment policies, 75
intrusion detection systems (IDSs). See IDSs (intrusion detection systems)
IOS Firewall routers, 160–161
    small networks, 219–224
        internal traffic filtering, 222
        public services traffic filtering, 223
        public traffic filtering, 223–224
        VPNs, 221
    medium-sized networks, 267–268
ip audit IDS in command, 221
IP phones, voice/data segmentation, 342
IP spoofing, 102, 158
    as threat to IP telephony networks, 339
    ISP routers, 218
    mitigating, 127–128
        on medium-sized networks, 265
        on remote-user networks, 289
“IP Telephony Security in Depth” whitepaper, 335
IPSec
    designing large-enterprise WLANs, 373–375
    medium WLAN design, 377–378
    VPNs, 364
    WLAN design model, 368–371
        alternative designs, 371
        threats mitigated by, 370
ISP routers
    Corporate Internet module, 53, 55
    medium-sized networks, 265–266
    small network implementation, 218–219
ITU H.323 standard, 336

L
large IP telephony network design, 349
    building module, 349
    server module, 350–351
large-enterprise WLAN design, 371
    EAP model, 372–373
    IPSec model, 373, 375
Layer 2 hubs (remote-user networks), 288
Layer 2 services, medium-sized network design, 245
Layer 2 switches
    Campus modules, 49–50, 246
    Corporate Internet module, 53–55, 239
Layer 3 switches
    Campus modules, 49–50, 246
    configuring on medium-sized networks, 277–278
LEAP (Lightweight EAP), 364
logging protocols, network management protocols, 143

M
man-in-the-middle attacks, 103–104
Management Center for IDS Sensors (CiscoWorks), 185
Management Center for PIX Firewalls (CiscoWorks), 185
Management Center for VPN Routers (CiscoWorks), 185
management hosts, Campus modules, 49–51
Management module (Enterprise Campus layer), 305
    design guidelines, 307–308
    mitigating threats in, 307
management traffic attacks, mitigating, 140
management VLANs on wireless networks, 375
managers (SNMP), 144
man-in-the-middle attacks, mitigating, 130
    on remote-user networks, 289
medium-sized networks
    designing, 233, 237–238
        branches, 251
        Campus module, 246–250
        Corporate Internet module, 238–246
        headend/standalone considerations, 251
        WAN module, 250–251
    implementing, 259, 264
        devices, 264
        edge routers, 266–267
        HIDS, 275
        IOS Firewall, 267–268
        ISP routers, 265–266
        Layer 3 switches, 277–278
        NIDS, 272–275
        PIX Firewall, 268–272
        VPN 3000 Concentrator, 276
    IP telephony networks, Campus module, 348
MGCP (Media Gateway Control Protocol), 337
midsize networks, SAFE implementation, 8
mitigating
    attacks
        application layer attacks, 117–118
        DoS (denial of service) attacks, 115–117
        IP spoofing, 127–128
        management traffic attacks, 140
        man-in-the-middle attacks, 130
        password attacks, 129
        port redirection attacks, 130–131
        reconnaissance attacks, 114–115
        trust exploitation attacks, 118
        trojan-horse applications, 131
        unauthorized access, 117
        virus attacks, 131
    threats
        to Campus module, 205–206
        to Corporate Internet module, 201–202, 240–241
        to medium-sized network designs, 247–251
        to Building module, 310
        to E-Commerce module, 315
        to remote networks, 288, 290
        to Management module, 307
modules, SAFE, 47
    Campus module, 47–51
    Corporate Internet module, 51–57
    WAN module, 58
Monitoring Center for Security (CiscoWorks), 185
monitoring protocols, network management protocols, 143–144
mutual authentication WLAN design model, 366–367

N–O
Network Infrastructure (AVVID), 187
network intrusion detection system (NIDS). See NIDS (network intrusion detection system)
network maintenance policies, 73
network management, 139
    in-band network management, 139
    out-of-band network management, 139–140
    protocols, 140–141
        control protocols, 143–144
        file-management protocols, 144
        logging protocols, 143
        monitoring protocols, 143–144
        remote-access protocols, 141–143
        reporting protocols, 143
        time-synchronization protocols, 145
    traffic attacks, mitigating, 140
network modules (SAFE), 47
    Campus module, 47–51
    Corporate Internet module, 51–57
    WAN module, 58
network posture visibility, reducing, 114
network reconnaissance attacks, mitigating
    on remote-user networks, 289
Network Time Protocol (NTP), 141, 145
networks
    as targets, 36–37
    security threats, 21
        external threats, 22
        internal threats, 22
        structured threats, 21
        unstructured threats, 22
NIDS (network intrusion detection system), 47, 163
    Campus modules, 49–50, 246
    Corporate Internet module, 53, 56, 239
    medium-sized networks, 272–275
nondistributed DoS attacks, 90–91
NTP (Network Time Protocol), 141, 145
OOB (out-of-band) networks, 18
OTP (one-time password) servers, campus module, 49, 246
out-of-band (OOB) networks, 18
out-of-band network management, 139–140
outside interface filtering, PIX Firewall, 225
    on medium-sized networks, 268–269

P
packet filtering, 160, 168
packet sniffers, 102
    mitigating, 128–129
password attacks, 102–103
    mitigating, 129
password-protection policies, 75
passwords, testing, 129
PC-based IP phones, susceptibility to attacks, 342
PEAP (Protected EAP), 365
perimeter security, 158
    Cisco Secure IDS, 162–166
    data manipulation, 158
    DoS, 158
    firewalls, 160–162
    IP spoofing, 158
    malicious destruction, 159
    passive eavesdropping, 158
    port scans, 158
    product selection, 166–167
    products, 167
    rerouting attacks, 159
    routers, 159–160
    session hijacks, 158
    traffic flow filtering on medium-size networks, 242
    unauthorized access, 158
permissive security policies, 72
permit ip any command, 73
personal firewall software (remote-user networks), 288
Pfleeger, Charles, 78
PIX Firewall, 161–162
    medium-size networks, 268–272
        inside interface filtering, 269–270
        outside interface filtering, 268–269
        public services segment filtering, 270–271
        remote-access segment filtering, 271
        VPN configuration, 271
    small networks, 224–228
        IDS configuration, 227
        internal traffic filtering, 226
        outside interface filtering, 225
        VPN configuration, 227–228
policies, 67, 72
    acceptable-encryption policies, 74
    acceptable-use policies, 74
    accountability policies, 73
    antivirus policies, 74
    audit policies, 75
    authentication policies, 73
    availability statements, 73
    communication policies, 75
    extranet policies, 74
    goals, 76–77
    implementing, 79–80
    information technology systems, 73
    information-sensitivity policies, 74
    internal-lab security policies, 75
    Internet DMZ equipment policies, 75
    network maintenance policies, 73
    password-protection policies, 75
    permissive policies, 72
    primary characteristics, 75
    remote-access policies, 74
    restrictive policies, 72
    risk assessments, 77–78
    subpolicies, 73–75
    violations-reporting policies, 74
    VPN security policies, 75
    wireless networking policies, 75
port redirection attacks, 104–105
    mitigating, 130–131
port scans, 158
potential threats to wireless networks, 363
    alternatives to WEP, 364–365
preventing initialization-collision attacks, 368
protocols, network management, 140–141
    control protocols, 143–144
    file-management protocols, 144
    logging protocols, 143
    monitoring protocols, 143–144
    remote-access protocols, 141–143
    reporting protocols, 143
    time-synchronization protocols, 145
proxy servers, 160, 168
public services segment filtering (PIX Firewall), medium-sized networks, 270–271
public services traffic filtering
    IOS Firewall routers, 223
    PIX Firewall, 226
public traffic filtering, IOS Firewall routers, 223–224
public VLAN traffic filtering on medium-sized networks, 267

R
reconnaissance attacks, 89–90
remote network design, 283, 287–292
    configuration, 287–288
    design guidelines, 290–292
        Cisco VPN clients, 292
        medium-sized networks, 244
        remote-site firewalls, 290–291
        remote-site routers, 291
        VPN hardware clients, 291–292
    devices, 288–289
    threat mitigation, 288–290
remote-access policies, 74
remote-access protocols, network management protocols, 141–143
remote-access segment filtering on medium-size networks, 271
remote-access VPN clients (remote-user networks), 288
remote-site firewalls, 290–291
remote-site routers, 291
remote-user networks, SAFE, 9
reporting protocols, network management protocols, 143
repudiation as threat to IP telephony networks, 339
Resource Manager Essentials, 184
restrictive security policies, 72
RFC 2827 filtering
    antispoofing, 115–116
    IP spoofing, 127
    on medium-sized networks, 266
rogue access points, 363
rogue devices, 344
routers
    as targets, 33
    configuring security, 355–357
    edge routers
        Corporate Internet module, 53, 55
        on medium-sized networks, 266–267
    internal routers on Corporate Internet module, 53, 56
    ISP routers
        Corporate Internet module, 53, 55
        on medium-sized networks, 265–266
    perimeter routers, 159–160
    remote-site routers, 291
    VPNs, security, 178

S
SAFE, 5, 13, 27, 335
    axioms, 32–33
        applications are targets, 37–38
        hosts are targets, 35
        networks are targets, 36–37
        routers are targets, 33
        switches are targets, 34
    design, 17, 31–32
        philosophy behind, 199
        policy-based attack mitigation, 17–18
        security, 17–18
    Enterprise blueprint, 6–7
    IP Telephony design, 10–11
        axioms, 341–344
        large IP telephony networks, 349–351
        medium-sized IP telephony networks, Campus module, 348
        network components, 335–336
        small IP telephony networks, 345–347
        VoIP protocols, 336–337
    medium-size network design, 233, 237–238
        branches, 251
        Campus module, 246–250
        Corporate Internet module, 238–246
        headend/standalone considerations, 251
        WAN module, 250–251
    medium-size network implementation, 259, 264
        devices, 264
        edge routers, 266–267
        HIDS, 275
        IOS Firewall, 267–268
        ISP routers, 265–266
        Layer 3 switches, 277–278
        NIDS, 272–275
        PIX Firewall, 268–272
        VPN 3000 Concentrator, 276
    network modules, 47
        Campus module, 47–51
        Corporate Internet module, 51–57
        WAN module, 58
    remote network design, 9, 283, 287–292
        configuration, 287–288
        design guidelines, 290–292
        devices, 288–289
        threat mitigation, 288, 290
    security
        access authorization, 18
        authentication, 18–19
        cost-effective deployment, 21
        emerging networked application support, 21
        implementing, 18
        intrusion detection, 19–20
        managing, 18
        policy-based attack mitigation, 17–18
        reporting, 18
    small network design, 199–200
        branches, 207
        Campus module, 205–207
        Corporate Internet module, 200–204
    small network implementation, 217–218
        IDS services, 221
        IOS Firewall routers, 219–224
        ISP routers, 218–219
        PIX Firewall, 224–228
    white papers
        “A Security Blueprint for Enterprise Networks,” 6–7
        “Extending the Security Blueprint to Small, Midsize, and Remote-User Networks,” 7–9
        “IP Telephony Security in Depth,” 10–11
        “SAFE Code-Red Attack Mitigation,” 11
        “SAFE L2 Application Note,” 11
        “SAFE Nimda Attack Mitigation,” 11
        “SAFE RPC DCOM/W32/Blaster Attack Mitigation,” 11
        “SAFE SQL Slammer Worm Attack Mitigation,” 11
        “Wireless LAN Security in Depth,” 10
    WLANs, 10
SAFE Implementation exam scenarios, 391–402
script kiddies, 22
SDP (Session Description Protocol), 337
Secure IDS, 162–166
Secure PIX Firewalls, 179
Secure Shell (SSH), 18, 141–142
Secure Sockets Layer (SSL), 18, 141–142
security
    attacks, 85
        application layer attacks, 92
        applications, 37–38
        DoS (denial of service) attacks, 90–91, 109
        hosts, 35
        IP spoofing, 127–128
        man-in-the-middle attacks, 103–104, 130
        networks, 36
        packet sniffers, 128–129
        password attacks, 129
        port redirection attacks, 104–105, 130–131
        reconnaissance attacks, 89–90
        routers, 33
        switches, 34
        trojan-horse applications, 105, 131
        trust exploitation attacks, 92–93
        unauthorized access attacks, 91–92
        virus attacks, 105, 131
    CatOS switches, generic security configuration, 357–359
    firewalls, remote-site firewalls, 290–291
    IDSs, 37–38
    IP spoofing, 102
    managing, 38
    management traffic attacks, mitigating, 140
    mitigating
        application layer attacks, 117–118
        DoS attacks, 115–117
        reconnaissance attacks, 114–115
        trust exploitation attacks, 118
        unauthorized access, 117
    need for, 71–72
    NIDS, Campus modules, 50
    packet sniffers, 102
    password attacks, 102–103
    perimeter security, 158
        Cisco Secure IDS, 162–166
        data manipulation, 158
        DoS (denial of service), 158
        firewalls, 160–162
        IP spoofing, 158
        malicious destruction, 159
        passive eavesdropping, 158
        port scans, 158
        products, 166–167
        rerouting attacks, 159
        routers, 159–160
        session hijacks, 158
        unauthorized access, 158
    policies, 67, 72
        acceptable-encryption policies, 74
        acceptable-use policies, 74
        accountability policies, 73
        antivirus policies, 74
        audit policies, 75
        authentication policies, 73
        availability statements, 73
        communication policies, 75
        extranet policies, 74
        goals, 76–77
        implementing, 79–80
        information technology systems, 73
        information-sensitivity policies, 74
        internal-lab security policies, 75
        Internet DMZ equipment policies, 75
        network maintenance policies, 73
        password-protection policies, 75
        permissive policies, 72
        primary characteristics, 75
        remote-access policies, 74
        restrictive policies, 72
        risk assessments, 77–78
        subpolicies, 73–75
        violations-reporting policies, 74
        VPN security policies, 75
        wireless networking policies, 75
    routers, configuring for, 355–357
    SAFE. See SAFE
    threats, 21
        external threats, 22
        internal threats, 22
        structured threats, 21
        unstructured threats, 22
    VPNs (virtual private networks), 178
        AVVID, 186–188
        clients, 180–182
        concentrators, 179–180
        design considerations, 188
        firewalls, 178
        identity management, 182–183
        managing, 184–186
        routers, 178
Security Wheel concept, 79–80
segmenting telephony traffic, 341
selecting perimeter security products, 166–167
sensors (IDS), 163–164
Server module (Enterprise Campus layer), 312
Server module (large IP telephony networks), 350–351
Service Control (AVVID), 187
Simple Network Management Protocol (SNMP). See SNMP (Simple Network Management Protocol)
Simple Network Management Protocol v3 (SNMPv3), 18
single-site campus deployment model, 345
SIP (Session Initiation Protocol), 337
small networks
    designing, 199–200
        branches, 207
        Campus module, 205–207
        Corporate Internet module, 200–204
        headend/standalone considerations, 207
        IP telephony networks, 345–347
    implementing, 217–218
        IDS services, 221
        IOS Firewall routers, 219–224
        ISP routers, 218–219
        PIX Firewall, 224–228
SMTP servers, Corporate Internet module, 53–54, 239
SNMP (Simple Network Management Protocol), 141–144
    ACLs (access control lists), 144
    agents, 144
    management hosts, campus module, 246
    managers, 144
SNMPv3 (Simple Network Management Protocol v3), 18
software clients, 180
software-based VPN WLAN design, 380
SSH (Secure Shell), 18, 141
SSL (Secure Sockets Layer), 18, 141–142
stateful firewalls, controlling voice-to-data segment interaction, 343
stateful packet filtering, 160, 168
string attacks, 92
structured security threats, 21
subnets, intrusion detection, 19–20
subpolicies, 73–75
susceptibility of wireless networks, 363
    alternatives to WEP, 364–365
switched infrastructures, packet sniffers, 128
switches
    as targets, 34
    CatOS switches, generic security configuration, 357–359
    Layer 2 switches
        Campus modules, 49–50
        Corporate Internet module, 53, 55
    Layer 3 switches, Campus modules, 49–50
Sysadmin, Campus modules, 49
Syslog, 141–143
    Campus modules, 49, 246

T
TCP intercept, 116
Telnet, 141–142
testing passwords, 129
TFTP (Trivial File Transfer Protocol), 141, 144
threats, 21
    external, 22
    internal, 22
    mitigating
        Campus module, 205–206
        Corporate Internet module, 201–202, 240–241
        medium-sized network design, 247–251
        remote networks, 288–290
    structured, 21
    to IP telephony networks, 338
        application layer attacks, 340
        call interception, 338
        caller identity spoofing, 339
        DoS, 340
        IP spoofing, 339
        repudiation, 339
        toll fraud, 339
        trust exploitation, 340
        unauthorized access, 339
        viruses, 338
    unstructured, 22
time-synchronization protocols, network management protocols, 145
TKIP (Temporal Key Integrity Protocol), 365
toll fraud as threat to IP telephony networks, 339
traffic-rate limiting, 117
Trivial File Transfer Protocol (TFTP), 141, 144
Trojan-horse attacks, 105
    mitigating, 131
    on remote-user networks, 289
trust exploitation attacks, 92–93
    as threat to IP telephony networks, 340
    mitigating, 118

U
unauthorized access attacks, 91–92
    as threat to IP telephony networks, 339
    mitigating, 117
    on remote-user networks, 289
uncontrollable information, 89
unstructured security threats, 22
user workstations, Campus modules, 49

V
violations-reporting policies, 74
virtual private networks (VPNs). See VPNs (virtual private networks)
viruses, 105
    as threat to IP telephony networks, 338
    mitigating, 131
    on remote-user networks, 289
VLANs
    management VLANs, on wireless networks, 375
    segregation, Layer 3 switches, 277–278
VMS (VPN/Security Management Solution), 184–185
voice and data traffic segmentation, 341
voice servers, securing, 344
VoIP (voice over IP)
    H.323, 336–337
    MGCP, 337
    SIP, 337
VPN 3000 Series Concentrators, 276
VPN and Remote Access module (Enterprise Edge layer), 317–319
VPN Monitor (CiscoWorks), 184
VPN/Security Management Solution (VMS), 184–185
VPNs (virtual private networks), 178
    concentrators, Corporate Internet module, 53, 56, 239
    configuring
        on medium-sized networks, 271
        on PIX Firewall, 227–228
    connectivity
        Corporate Internet module, 204
        IOS Firewall routers, 221
    firewall routers (remote-user networks), 288
    hardware clients, 291–292
    IPSec, 364
    SAFE, 9
    security, 178
        AVVID, 186–188
        clients, 180–182
        concentrators, 179–180
        design considerations, 188
        firewalls, 178
        identity management, 182–183
        management, 184–186
        policies, 75
        routers, 178
vulnerability of wireless networks, 363
    alternatives to WEP, 364–365

W
WAN centralized call-processing deployment model, 345
WAN distributed call-processing deployment model, 345
WAN module, 58
    medium-sized network design, 250–251
    Enterprise Edge layer, 323
WEP
    alternatives to, 364–365
    enhancements to, 365
white papers, SAFE, 335
    “A Security Blueprint for Enterprise Networks,” 6–7
    “Extending the Security Blueprint to Small, Midsize, and Remote-User Networks,” 7–9
    “IP Telephony Security in Depth,” 10–11
    “SAFE Code-Red Attack Mitigation,” 11
    “SAFE L2 Application Note,” 11
    “SAFE Nimda Attack Mitigation,” 11
    “SAFE RPC DCOM/W32/Blaster Attack Mitigation,” 11
    “SAFE SQL Slammer Worm Attack Mitigation,” 11
    “SAFE VPN IPSec Virtual Private Networks,” 9
    “Wireless LAN Security in Depth,” 10
wireless networking policies, 75
wireless networks
    access points, 362–363
    management VLANs, 375
    policies, 75
    vulnerability of, 363
    WEP, alternatives to, 364–365
    WLANs
        designing, 365
        EAP WLAN design, 366–367
        IPSec WLAN design, 368–371
        large-enterprise WLAN design, 371–375
        medium-sized network design, 376–378
        remote network design, 379–380
        small network design, 378–379
WLANs
    designing, 365
    EAP WLAN design, 366
        threats mitigated by, 367
    IPSec WLAN design, 368–369
        alternative designs, 371
        threats mitigated by, 370
    large-enterprise WLAN design, 371
        EAP model, 372–373
        IPSec model, 373–375
    management VLANs, 375
    medium-sized network design, 376
        EAP WLAN design, 376
        IPSec WLAN design, 377–378
    remote network design, 379–380
    SAFE, 10
    small network design, 378–379
workstations, Campus modules, 49