Publisher: Cisco Press
What is a sinkhole router? What algorithm does TACACS+ use for accounting purposes? What three main protocols form IPsec? What is EAP? This book covers a broad range of network security topics and these are just some of the questions you will find answers while reading this publication. As the book author is also the author of CCIE Security lab exam, his involvement gives additional strength that makes this book a perfect asset to the networking security professionals interested in going after CCIE Security certification.
About the author
Saadat Malik manages the Technical Support Operations for the VPN and Network Security groups at Cisco Systems. As the author of the CCIE Security lab exam and also a member of the team that wrote the CCIE Security written qualification exam, he spearheaded the development of the CCIE Network Security certification. Saadat has taught computer networking at the graduate level at San Jose State University, and he is a regular speaker on various advanced network security topics at industry events and conferences.
Inside the book
As the author notes, there are several goals this book aims to: provide a complete discussion at an advanced level relating to network security in today's networks, to provide detailed and in-depth discussion and insight into the workings of the protocols behind network security implementations, to discuss the security principles that form the basis of various Cisco's network products, to provide insight into the operational needs and requirements of setting up and then maintaining a secure network and to discuss network maintenance and troubleshooting techniques essential to network security. If you are interested in any of these topics, and you are focusing on Cisco Systems' products, you'll find the needed information in this publication.
As for the target audience, if you cannot find your interest in the book goals mentioned above, the book is meant for two groups of people:
- Non CCIEs and CCIEs in other disciplines that are working towards CCIE Network Security certification
- Network security professionals who already have CCIE and would like to enhance their knowledge of some of the core concepts of networked security.
While creating organization's network topology, an important step is to set the various zones so they can reflect the importance of your information technology infrastructure. The most secure computers should be placed behind firewalls and intrusion detection systems, web servers and similar public services, on the other hand, get to be placed within Demilitarized Zones, or popularly just called DMZs. Mr. Malik uses DMZs as an opening for the, overview based part, covering topics related to process of building security into the network. As from the demilitarized zones perspective, you'll learn how to design one using several deployment ways as examples. These examples include using the three-legged firewall, placing the DMZ between the firewall and public network such as the Internet, creating a "dirty DMZ" and creating DMZ between stacked firewalls. The DMZ chapter is closed with a short case study describing usage of PIX Firewall for "zoning" the network.
As the integrity of an organization's network is critically important, securing the network devices is a needed step for making a secure environment. The "Device Security" chapter talks about that, and focuses on three main components of a secure (Cisco) network: switches, routers and PIX firewalls. Several protocols including HSRP and VRPP protocols are covered with having failure detection on mind. HSRP is deployed on Cisco routers and allows the working device to take care of failed device's business. VRPP is a protocol similar to HSRP, and altough it is not widely used on Cisco devices, it is covered because some of the Cisco's VPN Concentrators do use it. As regarding routing in a security manner, author covers techniques like black hole filtering and unicast reverse path forwarding and gives a nice touch with the two sample case studies on securing the commonly used BGP and OSPF routing protocols.
If you are familiar with Cisco Press reviews here on Help Net Security, you already familiar with the usual structure of Cisco Security titles. The majority of titles reviewed, offer sample case studies on the end of each chapter, making the readers more personal with some practical views on the, usually, very technical publications. I've mentioned this a few times, but this is a big plus as the case study itself will answer some of your questions and in the same time enlarge the level of your knowledge on the topic.
Next couple of "Network Security Principles and Practices" sections cover the most important parts of the Cisco Security cycle - Firewalls, Virtual Private Networks and Intrusion Detection. Firewalls and VPNs, being more extensive topics are covered with approximately 150 pages each and intrusion detection gets about 70 pages. I should note that these sections are full of architecture and infrastructure diagrams, tables and example code snippets offering various configuration examples. Several of the most interesting case studies include: Cisco PIX Firewall setup with three interfaces and running web server on the DMZ, setting up compulsory Layer 2 Tunneling Protocol (L2TP) tunneling, router-to-router IPSEC using digital signatures with digital certificates, using Cisco router or PIX as an IDS Sensor device and Mitnick's attack on Shimomura's computers. As a trivia note, author misspells Kevin's surname, and calls him Kevin Metnick.
Regarding the Network Access Control, Mr. Malik discusses AAA (Authentication, authorization and accounting), TACACS+ (protocol used for communication purposes between network access server and AAA security server) and RADIUS (Remote Authentication Dial-In Users Service protocol). After introducing the readers with the mentioned topics, author presents several case studies where he focuses at some specific security scenarios where AAA was used. Troubleshooting, as an important part of the security implementation is taken care of in the last chapter which includes tips and tricks for troubleshooting NAT, Cisco's IOS and PIX firewalls, IPsec VPNs, AAA and Intrusion Detection System.
What do I think of it
After previously reading specific titles such as "Cisco Secure Intrusion Detection System" and "Cisco Secure Virtual Private Networks", I find that the purpose of this book is to provide an overview on the whole Cisco security "world". While the mentioned books focus on the topics they are titled after, this book discusses about the most important parts regarding Cisco's security systems and combines them into a great guide about securing network infrastructures. If you are working with Cisco products, this book and all the Cisco Press security titles will be of a great use for expanding your knowledge or just introducing yourself with the power of Cisco's security infrastructure.
Answers to the questions presented in the review's introduction: As sinkhole is a router that has much bandwidth and significant resources. TACACS+ uses XOR and MD5 to calculate cipher texts. IPsec is formed by EDP, IKE and AH protocols. EAP is a flexible protocol that can carry authentication data between two entities that are trying to setup an authenticated communications.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.