
Inside Network Perimeter Security

Table Of Contents
1. Inside Network Perimeter Security
2. Table of Contents
3. Copyright
4. About the Authors
5. About the Technical Editors
6. Acknowledgments
7. We Want to Hear from You!
8. Reader Services
9. Preface
9.1 Rickety Planes
9.2 Fires in the West
9.3 Rapid Advances in Technology
9.4 Decline in Personal Service
9.5 Continuous Inspections
9.6 Defense in Depth
9.7 Core Business Sector
10. Introduction
10.1 Who Should Read This Book
10.2 Why We Created This Book's Second Edition
10.3 Overview of the Book's Contents
10.4 Conventions
11. Part I: The Essentials of Network Perimeter Security
11.1 Chapter 1. Perimeter Security Fundamentals
11.1.1 Terms of the Trade
11.1.2 Defense in Depth
11.1.3 Case Study: Defense in Depth in Action
11.1.4 Summary
11.2 Chapter 2. Packet Filtering
11.2.1 TCP/IP Primer: How Packet Filtering Works
11.2.2 TCP and UDP Ports
11.2.3 TCP's Three-way Handshake
11.2.4 The Cisco Router as a Packet Filter
11.2.5 An Alternative Packet Filter: IPChains
11.2.6 The Cisco ACL
11.2.7 Effective Uses of Packet-Filtering Devices
11.2.8 Egress Filtering
11.2.9 Tracking Rejected Traffic
11.2.10 Problems with Packet Filters
11.2.11 Dynamic Packet Filtering and the Reflexive Access List
11.2.12 Summary
11.2.13 References
11.3 Chapter 3. Stateful Firewalls
11.3.1 How a Stateful Firewall Works
11.3.2 The Concept of State
11.3.3 Stateful Filtering and Stateful Inspection
11.3.4 Summary
11.3.5 References
11.4 Chapter 4. Proxy Firewalls
11.4.1 Fundamentals of Proxying
11.4.2 Pros and Cons of Proxy Firewalls
11.4.3 Types of Proxies
11.4.4 Tools for Proxying
11.4.5 Summary
11.5 Chapter 5. Security Policy
11.5.1 Firewalls Are Policy
11.5.2 How to Develop Policy
11.5.3 Perimeter Considerations
11.5.4 Summary
11.5.5 References
12. Part II: Fortifying the Security Perimeter
12.1 Chapter 6. The Role of a Router
12.1.1 The Router as a Perimeter Device
12.1.2 The Router as a Security Device
12.1.3 Router Hardening
12.1.4 Summary
12.2 Chapter 7. Virtual Private Networks
12.2.1 VPN Basics
12.2.2 Advantages and Disadvantages of VPNs
12.2.3 IPSec Basics
12.2.4 Other VPN Protocols: PPTP and L2TP
12.2.5 Summary
12.2.6 References
12.3 Chapter 8. Network Intrusion Detection
12.3.1 Network Intrusion Detection Basics
12.3.2 The Roles of Network IDS in a Perimeter Defense
12.3.3 IDS Sensor Placement
12.3.4 Case Studies
12.3.5 Summary
12.4 Chapter 9. Host Hardening
12.4.1 The Need for Host Hardening
12.4.2 Removing or Disabling of Unnecessary Programs
12.4.3 Limiting Access to Data and Configuration Files
12.4.4 Controlling User and Privileges
12.4.5 Maintaining Host Security Logs
12.4.6 Applying Patches
12.4.7 Additional Hardening Guidelines
12.4.8 Summary
12.5 Chapter 10. Host Defense Components
12.5.1 Hosts and the Perimeter
12.5.2 Antivirus Software
12.5.3 Host-Based Firewalls
12.5.4 Host-Based Intrusion Detection
12.5.5 Challenges of Host Defense Components
12.5.6 Summary
12.5.7 References
12.6 Chapter 11. Intrusion Prevention Systems
12.6.1 Rapid Changes in the Marketplace
12.6.2 What Is IPS?
12.6.3 IPS Limitations
12.6.4 NIPS
12.6.5 Host-Based Intrusion Prevention Systems
12.6.6 Summary
13. Part III: Designing a Secure Network Perimeter
13.1 Chapter 12. Fundamentals of Secure Perimeter Design
13.1.1 Gathering Design Requirements
13.1.2 Design Elements for Perimeter Security
13.1.3 Summary
13.1.4 References
13.2 Chapter 13. Separating Resources
13.2.1 Security Zones
13.2.2 Common Design Elements
13.2.3 VLAN-Based Separation
13.2.4 Summary
13.2.5 References
13.3 Chapter 14. Wireless Network Security
13.3.1 802.11 Fundamentals
13.3.2 Securing Wireless Networks
13.3.3 Auditing Wireless Security
13.3.4 Case Study: Effective Wireless Architecture
13.3.5 Summary
13.3.6 References
13.4 Chapter 15. Software Architecture
13.4.1 Software Architecture and Network Defense
13.4.2 How Software Architecture Affects Network Defense
13.4.3 Software Component Placement
13.4.4 Identifying Potential Software Architecture Issues
13.4.5 Software Testing
13.4.6 Network Defense Design Recommendations
13.4.7 Case Study: Customer Feedback System
13.4.8 Case Study: Web-Based Online Billing Application
13.4.9 Summary
13.4.10 References
13.5 Chapter 16. VPN Integration
13.5.1 Secure Shell
13.5.2 Secure Sockets Layer
13.5.3 Remote Desktop Solutions
13.5.4 IPSec
13.5.5 Other VPN Considerations
13.5.6 VPN Design Case Study
13.5.7 Summary
13.5.8 References
13.6 Chapter 17. Tuning the Design for Performance
13.6.1 Performance and Security
13.6.2 Network Security Design Elements That Impact Performance
13.6.3 Impact of Encryption
13.6.4 Using Load Balancing to Improve Performance
13.6.5 Mitigating the Effects of DoS Attacks
13.6.6 Summary
13.6.7 References
13.7 Chapter 18. Sample Designs
13.7.1 Review of Security Design Criteria
13.7.2 Case Studies
13.7.3 Summary
14. Part IV: Maintaining and Monitoring Perimeter Security
14.1 Chapter 19. Maintaining a Security Perimeter
14.1.1 System and Network Monitoring
14.1.2 Incident Response
14.1.3 Accommodating Change
14.1.4 Summary
14.1.5 References
14.2 Chapter 20. Network Log Analysis
14.2.1 The Importance of Network Log Files
14.2.2 Log Analysis Basics
14.2.3 Analyzing Router Logs
14.2.4 Analyzing Network Firewall Logs
14.2.5 Analyzing Host-Based Firewall and IDS Logs
14.2.6 Summary
14.3 Chapter 21. Troubleshooting Defense Components
14.3.1 The Process of Troubleshooting
14.3.2 Troubleshooting Rules of Thumb
14.3.3 The Troubleshooter's Toolbox
14.3.4 Summary
14.3.5 References
14.4 Chapter 22. Assessment Techniques
14.4.1 Roadmap for Assessing the Security of Your Network
14.4.2 Planning
14.4.3 Reconnaissance
14.4.4 Network Service Discovery
14.4.5 Vulnerability Discovery
14.4.6 Verification of Perimeter Components
14.4.7 Remote Access
14.4.8 Exploitation
14.4.9 Results Analysis and Documentation
14.4.10 Summary
14.5 Chapter 23. Design Under Fire
14.5.1 The Hacker Approach to Attacking Networks
14.5.2 Adversarial Review
14.5.3 GIAC GCFW Student Practical Designs
14.5.4 Summary
14.5.5 References
14.6 Chapter 24. A Unified Security Perimeter: The Importance of Defense in Depth
14.6.1 Castles: An Example of Defense-in-Depth Architecture
14.6.2 Absorbent Perimeters
14.6.3 Defense in Depth with Information
14.6.4 Summary
15. Part V: Appendixes
15.1 Appendix A. Cisco Access List Sample Configurations
15.1.1 Complete Access List for a Private-Only Network
15.1.2 Complete Access List for a Screened Subnet Network That Allows Public Server Internet Access
15.1.3 Example of a Router Configuration as Generated by the Cisco Auto Secure Feature
15.2 Appendix B. Crypto 101
15.2.1 Encryption Algorithms
15.2.2 References
16. Index
16.1 SYMBOL
16.2 A
16.3 B
16.4 C
16.5 D
16.6 E
16.7 F
16.8 G
16.9 H
16.10 I
16.11 J
16.12 K
16.13 L
16.14 M
16.15 N
16.16 O
16.17 P
16.18 Q
16.19 R
16.20 S
16.21 T
16.22 U
16.23 V
16.24 W
16.25 Z

9.1 Rickety Planes


What if we flew in computers? That gives "crash" a whole new meaning, doesn't it? Well, if
we did, I am sure you would agree that we would all be dead. I would love to say operating
systems are really improving, but it isn't so. I installed XP SP2 beta, one of the least-rickety
operating systems I have worked with in a long time, on a clone of my primary laptop a
couple months ago, and it has been interesting. As soon as I submit the remainder of my
chapters for this book, I will upgrade my production box. As I write this, the Windows
update version has still not been released, and it will be very interesting to see what breaks
when the home users get upgraded. A lot of people died in the early days of the airline
industry, and as I say, if we flew in those early planes today, most of us would be dead.
Now here is the kicker: IPS systems and intelligent switches are nothing but software
applications or ASICs that are built on these rickety operating systems. One of the primary
themes of this book is never to trust the operating system, to expect perimeter components
to fail. This book will show you techniques for failover, layering defense components,
segmenting internal networks, using instrumentation to detect anomalies, and
troubleshooting. In the early days of perimeter defense, the only choice that information
security practitioners had was to layer their perimeter software on these rickety operating
systems.

9.2 Fires in the West


For years, I was a network builder for the Department of Defense, which uses large, high-end, fast networks. The most effective security mechanism for separation of sensitive
information was implemented with a physical solution: an airgap. If you want to protect one
network from another, just don't connect them together. Worms such as Blaster taught us
that many networks that supposedly were not connected to the Internet actually were in
one way or another, but if you audit carefully and never allow an exception, airgaps work.
The problem with an airgap is the two networks cannot interoperate, a concept directly in
contradiction with the Internet philosophy and electronic business. The past few years have
been a bad time for the U.S. West, as rain has been minimal, with fires starting earlier and
earlier each year it seems. One of the most effective tools for managing fires is a firebreak;
it isn't as powerful as an airgap (sometimes the fire will bridge it), but segmenting the
forest into zones is a powerful technique. The information technology analog for a firebreak
is to segment the internal network. This can be done with internal intelligent Network
Intrusion Prevention Switches (NIPS), with some elbow grease using current generation
switches and applying access control to VLANs, or with low-cost appliance-type firewalls
used on the internal network. It can even be done manually using anomaly IDS to detect
switch ports heating up, which is usually a signature of a worm, and shutting down the
switch. Segmenting internal networks with "firebreaks" allows us to have the interoperability
and reduce the risk of losing all our internal systems to a destructive worm "wildfire."
This book discusses a number of perimeter and internal network designs. Some are more
focused on security, whereas others are focused on performance. Some focus on uptime.
The book helps you understand how to choose among these designs based on your
organization's requirements.

Note
One of the reasons that early airplanes were so dangerous is that a large number of them
were hand built. Even if the planes were built in a factory, after a couple of years, they
might as well be hand built because of the number of times they were repaired and
modified.
Can you see how similar the early airplanes are to our server and desktop operating
systems? We all agree that patching to reduce the vulnerability footprint is critical, but if no
two servers are alike, exactly how do you test the patch? Repeatable builds give an IT shop
a major increase in security just like factory-built aircraft.
So do appliance firewalls. They are factory built, plug and go. It's not guaranteed that their
OS is hardened, but you do know that the OS on the appliance is factory built, consistent,
and probably stripped of unneeded programs. These low-cost appliances are very useful for
segmenting an internal network.

9.3 Rapid Advances in Technology


Modern aircraft have wings, fly through the air, and land on the ground, and that is about all
they have in common with the first airplanes. The advances in airframe design, materials,
avionics, navigation and route selection, and airport operations make it difficult to believe
that people ever considered getting into the early airplanes.
I would love to say that modern perimeter systems are so advanced that it is inconceivable
that we ever tried to protect our systems with those early firewalls, but we haven't made
that much progress yet. However, hope prevails, and we certainly see evidence of
improvement. Perimeter defense systems have come way down in price for any given
bandwidth point; many can be upgraded by just downloading a new image.
Deep packet inspection at gigabit speed is possible right now for the well-funded
organization. Subscription models that update daily or weekly are the norm and support an
architecture of perimeter components to create hybrid systems that combine classic
perimeter defense, reporting sensors, and possibly even vulnerability assessments that
allow performing internal correlation.
This book discusses the importance of using the information collected by perimeter devices
to help defend the network. The data collected and reported by these devices fuels the most
advanced analysis capability in the world: the Internet Storm Center (ISC). Organizations
such as ISC and Internet Security Systems' X-Force are often the first groups to detect a
new worm beginning to cause trouble on the Internet. One of the upcoming models for
security is continuous reporting, or operational readiness, and this requires sensors all over
the network to constantly report in. The technology of network security is dynamic. It's
important to have constant updates to maintain security in the face of the ever-changing
threat.
It is worth mentioning that ease of use and good security might be orthogonal. If it were as
easy to get into an airplane and fly as it is to get into a car and drive, the skies would be a
dangerous place. Appliance wireless access points often aggregate all wireless and built-in
wired ports into the same broadcast domains. Possibilities for attacks exist based on MAC
address spoofing, sniffing the internal traffic from outside the plant in the parking lot, the
use of rogue, unapproved access points bought at Best Buy and plugged into the Net,
access points with a bit more power than the FTC allows being broadcast into the internal
network from the parking lot, and failures of the authentication system. The most common
reason for aircraft crashes today is poor maintenance, and we are going to see the same
thing with wireless implementations as better security technology becomes available.

9.4 Decline in Personal Service


More has changed on the human side of the airline equation than just the name change
from stewardesses to flight attendants. First class isn't first class, and it goes downhill from
there. The airlines seem to be testing the limits to see just how much abuse people will
take, and they wonder why they occasionally deal with passenger rage. Sadly, the IT industry
has never been big on personal service. There were exceptions, back in the glory days of
big blue. We had a bit of trouble with an IBM mainframe, and they tossed a squad of
technicians into an airplane and dropped them by parachute into our parking lot. Until the
technicians dropped on target, vice presidents would call every 15 minutes to apprise us of
the location of the plane. Okay, I am kidding, but not by much. Those of us in IT security
should take heed. I hope you understand what your CEO is thinking right now. He gave you
money for security after 9/11 because it seemed to be the right thing to do. You still got hit
by worms. He increased ITSEC to 5% of the IT budget. You still got hit by worms. Now you
are in a meeting thinking about asking the CEO for unplanned money to implement a NIPS
or HIPS solution. I strongly suggest you invest time in looking at your requirements, making
sure that you choose the best technology for your needs and that customer service is part
of the budget request so the people impacted by the active defense layer you are thinking
about implementing will have someone intelligent and caring to call.
Nowadays, the IT industry has two primary features: bad software and worse service. One
of the advantages of this book is that the entire author team has pragmatic experience with
most of the commercial and freeware perimeter products on the market, including the
rapidly changing personal firewall market. We can't do much to help you with the bad
software, and we never intend to bash any vendor; each has its foibles. However, we can
help you in finding ways to meet your mission goals despite the flaws in the technology we
each use. We devote an entire chapter of the book to implementing defense components,
such as personal firewalls at a host level, to help you avoid some of the common pitfalls and
know what technology is available. The latest generation of Host Intrusion Protection
Systems (HIPS), which are essentially personal firewalls with operating system shims to
trap dangerous operating system interrupts, have already proved themselves in production
and are an important and valuable layer of defense.

9.5 Continuous Inspections


One of the primary reasons the aircraft industry has been able to make gigantic leaps in
improving safety is the rigorous, complete, and continuous inspections for every component
and process related to flying. This is also the most important change that we need to make.
When I teach at the SANS Institute, a security research and education organization, I often
say, "Who reads the event logs every day?" Some hands go up. I try to memorize their
faces and catch them alone at the break. Then I ask them, "What is in the logs? What
recurring problems are there?" They usually cannot answer. This book can help you deploy
sensors and scanners. An entire chapter is devoted to intrusion detection. Even your
organization's software architecture is a security perimeter component, as you will learn in
the software architecture chapter.
If you were to ask me what the growth industry in IT was, I would answer that consoles,
sensors, and agents to collect and display information would be a strong candidate.
Computer systems change rapidly. They are analogous to the barnstormer bi-planes that
flew around county fairs. When something broke, a blacksmith, automobile mechanic, or
seamstress fabricated a new part. We can add and uninstall software in a heartbeat, but
when we do, we cannot get back to the place where we were before the change. We need to
monitor for change continuously, and until we learn how to do this and rigorously enforce
change control, flying in computers will be nearly certain death.
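The two questions above ("What is in the logs? What recurring problems are there?") and the call to monitor for change continuously can both be turned into a check that runs every day. The following is an added example, not code from the book or its authors: it summarises which problems recur in a batch of syslog-style lines, and compares SHA-256 hashes of watched configuration files against a recorded baseline so that unplanned change is noticed. The log lines, file paths and file contents are constructed sample data, and the syslog line format it parses is an assumption about the sensor's output.

```python
"""Added example (not from the book): a daily "read the logs and check for
change" routine. All log lines, paths and file contents are constructed."""
import hashlib
import re
from collections import Counter

# Constructed sample of syslog-style lines from a perimeter host (not real data).
SAMPLE_LOG = """\
Mar 14 02:11:07 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP DPT=445
Mar 14 02:11:09 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP DPT=445
Mar 14 02:13:41 fw1 sshd[2231]: Failed password for root from 198.51.100.77 port 51022 ssh2
Mar 14 02:13:44 fw1 sshd[2231]: Failed password for root from 198.51.100.77 port 51023 ssh2
Mar 14 02:13:47 fw1 sshd[2231]: Failed password for root from 198.51.100.77 port 51024 ssh2
Mar 14 03:00:01 fw1 CRON[2410]: (root) CMD (/usr/local/bin/backup.sh)
Mar 14 03:02:15 fw1 kernel: DROP IN=eth0 SRC=198.51.100.90 DST=203.0.113.5 PROTO=TCP DPT=445
Mar 14 04:00:01 fw1 CRON[2511]: (root) CMD (/usr/local/bin/backup.sh)
"""

# Assumed line layout: "Mon DD HH:MM:SS host program[pid]: message".
_SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")


def normalise(msg: str) -> str:
    """Replace the variable parts of a message (addresses, ports, pids) with
    placeholders so that identical problems collapse into one counter key."""
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)
    msg = re.sub(r"\b\d+\b", "<n>", msg)
    return msg


def recurring_problems(log_text: str, min_count: int = 2):
    """Return [(program, normalised message, count)] for every message seen at
    least min_count times, most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _SYSLOG.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the daily run
        _host, program, msg = m.groups()
        counts[(program, normalise(msg))] += 1
    return [(p, msg, n) for (p, msg), n in counts.most_common() if n >= min_count]


def take_baseline(files: dict) -> dict:
    """files maps path -> content bytes (read from disk in a real run).
    Returns path -> SHA-256 hex digest, the record kept for later comparison."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def config_drift(baseline: dict, current: dict) -> dict:
    """Compare today's hashes against the recorded baseline and report what
    changed, appeared or disappeared (each list sorted for stable reports)."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


# Constructed: the watched files when the baseline was recorded...
BASELINE_FILES = {
    "/etc/fw/rules.conf": b"allow tcp 443\ndeny any\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}
# ...and today: a rule was widened and a file nobody planned for appeared.
CURRENT_FILES = {
    "/etc/fw/rules.conf": b"allow tcp 443\nallow tcp 445\ndeny any\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/cron.d/unexpected": b"0 * * * * root /opt/agent/run.sh\n",
}


def daily_report() -> dict:
    """Run both checks over the constructed data and return the findings."""
    return {
        "recurring": recurring_problems(SAMPLE_LOG),
        "drift": config_drift(take_baseline(BASELINE_FILES), take_baseline(CURRENT_FILES)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(daily_report(), indent=2))
```

On the constructed data the report shows three recurring messages (port 445 drops, failed root logins over SSH, and the backup cron job, the last of which is expected and can be added to an allow-list) and flags the widened firewall rule plus the new cron file. The point of keeping the baseline outside the monitored host is that the comparison stays trustworthy even if the host itself is changed without authorisation.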

9.6 Defense in Depth


It is a tragedy when a single passenger plane crashes, worse when a plane full of people
goes down, and an unspeakable horror when a plane is used as a weapon of terrorism.
Today, airports are transforming into examples of defense in depth. Defense in depth is a
primary focus of this book, and the concept is quite simple: Make it harder to attack at
chokepoint after chokepoint. How many security systems or defensive layers would you
have to defeat to rush through an airport, race to a waiting, fueled, long-range jet,
commandeer the plane, drive it out on the tarmac to take off, and use it as a missile? Many
are obvious, such as security checkpoints, armed National Guard troops, locked doors, and
tarmac controls. If you did manage to get the plane in the air, you would also have to
defeat fighter aircraft. It isn't impossible, but it is unlikely that you could defeat the defense
in depth that is now employed at airports.
Defense in depth is present in every chapter of this book, and it's becoming easier to
implement in information technology. High-speed programmable hardware boxes, such as
UnityOne from TippingPoint, can help protect our network borders from worm outbreaks.
Technologies we have already discussed in this preface, such as next-generation intelligent
switches and HIPS, allow us to implement multiple layers for our perimeter and internal
networks, albeit at a significant cost. No matter what role you play in your organization, it is
important to read the intrusion prevention chapter and make sure the folks in charge of the
budget know what is on the horizon. As you read this book, you will learn how to architect
your network so that it is resistant to attack. As we evolve as an information-based society,
the importance of protecting intellectual property assets continues to rise.

9.7 Core Business Sector


In less than a century, airplanes have gone from being an oddity to being vitally important
to the economy. Information technology has done the same in less time and continues to
grow in importance. We have been more than a bit lazy. I often wonder what the effect of a
worm with the infection rate of Blaster that overwrote (not deleted, overwrote) every
location on the hard drive of an infected computer four hours after infection would be. If the
Congress of the United States did not vote on a bailout package for the airline industry, IT
should not expect one. One of the primary keys to survival in business over the next few
years will be managing the flow of information so that resources are available when they
are needed with full integrity, while the confidentiality of proprietary and sensitive
information is maintained. It is a big task, so we had better get started.
