Figure 11-8 Basic 802.1x/EAP WLAN Design

As you can see, with the exception of an added RADIUS server, the basic design remains the same as b essential to perform filtering at the router, although some policies might still dictate its use. In addition, devices could be put on the same subnet as the user traffic, it makes good sense to keep the separation L3 switching is fine with consideration of the same caveats as described for the basic WEP design.

Appendix C Sample Security Policies

To give you a flavor of security policy wording and scope, this appendix includes three sample security policies in use by an organization. For more information on security policies, refer to Chapter 2, Security Policies and Operations Life Cycle. For more sample policies, check out the SANS security policy website at the following URL. Here is one company's acceptable use policy. Notice that even though this is the most essential security policy you will write, this one is relatively short....

Example 3-1 Nmap Ping Sweep

[tick:/Users/sconvery] sconvery% nmap -sP 10.1.1.0/24
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (10.1.1.0) seems to be a subnet broadcast address (returned 3 extra pings). Note -- the actual IP also responded.
Host (10.1.1.1) appears to be up.
Host (10.1.1.12) appears to be up.
Host (10.1.1.22) appears to be up.
Host (10.1.1.23) appears to be up.
Host (10.1.1.101) appears to be up.
Host (10.1.1.255) seems to be a subnet broadcast address (returned 3 extra pings). Note -- the actual IP...

Sniffer

Table 3-5 shows the summary information for the sniffer attack.
Read traffic off the wire the attacker would not ordinarily see; learn passwords.
When an attacker captures packets off the wire or as they pass through the attacker's system, this usually can be considered some form of sniffer attack. The main goal of sniffer attacks is to read the information in an intelligent way so that the attacker can learn about the target systems. As such, a successful sniffing attack requires that the...

Inline NIDS

One of the main disadvantages of a NIDS is its inability to easily and reliably stop attacks that it detects. A new crop of applications is in development to allow a NIDS to move inline with the flow of traffic, merging with the functions of traditional firewalls. These devices could stop attacks from L2 to L7 reliably and before the attacks cause any damage. The big potential problem with these systems is that just moving an IDS inline does not solve any of the inherent problems with IDS; in fact, it...

Access Point Hardening

Like most devices on the network, access points (APs) must be hardened. Out of the box, they typically enabled. An unauthorized deployment of an AP in an organization can eliminate the validity of any incre having physical access to the network. This is particularly troubling for teleworker home deployments bi that purchases an AP from a consumer electronics store will never enable security features. If you have at that teleworker location, outsiders will be able to access the central site over...

Stateful Firewall DMZ Design

After stateful firewalls became more generally available, organizations started replacing the second router in the dual-router DMZ design with a stateful firewall. This design is shown in Figure 7-5. Figure 7-5. Stateful Firewall DMZ Design This design improves on the dual-router DMZ design by allowing strong filtering between the internal network and the public servers and Internet. Many organizations still use this filtering option today, especially...

Private VLANs

PVLANs offer further subdivision within an existing VLAN, allowing individual ports to be separated from others while still sharing the same IP subnet. This allows separation between devices to occur without requiring a separate IP subnet for each device (and the associated IP addresses that this would waste). In its simplest form, PVLANs support isolated ports and promiscuous ports. Isolated ports can talk only to promiscuous ports, while promiscuous ports can talk to any port. In this deployment,...

Data Scavenging

Table 3-2 shows the summary information for the data-scavenging attack.
Network utilities: Whois, Nslookup, Finger, Traceroute, Ping. Learn IP ranges, DNS servers, mail servers, public systems, points of contact, and so forth.
Data scavenging is generally step 1 in any deliberate attack against a network. Here, the attacker uses a combination of network-based utilities and Internet search engine queries to learn as much as possible about the target company. The attack is almost impossible to...

Table 3-8 Buffer Overflow

Critical application vulnerabilities (check http://www.cert.org for the latest). Escalate privileges on target machine.
Buffer overflows are the most common form of application vulnerability. In short, they occur when an application developer fails to do proper bounds checking with the memory addresses an application utilizes. For example, a typical program might expect 20 bytes of input from the user for a particular memory address. If the user instead sends 300 bytes, the application should drop...

Be Aware of Electromagnetic Radiation

In 1985, the concerns of the paranoid among the security community were confirmed. Wim van Eck released a paper confirming that a well-resourced attacker can read the output of a cathode-ray tube (CRT) computer monitor by measuring the electromagnetic radiation (EMR) produced by the device. This isn't particularly easy to do, but it is by no means impossible. Wim's paper can be found here. This form of attack is now commonly called van Eck phreaking. Additionally, in 2002, Markus Kuhn at the...

Multifirewall Design

This design has a number of variations. It is primarily used for e-commerce or other sensitive transactions. Such transactions generally require multiple trust levels as opposed to just inside, outside, and server. One such example of this design is shown in Figure 7-7. There are many others. In this design, the set of trusted servers often supports transaction requests from the semitrusted servers. These semitrusted servers service requests from the untrusted servers. The untrusted servers...

Appendix B Answers to Applied Knowledge Questions

1. GeeWiz.com just released a patented remote process watchdog tool that allows you to govern the processes running on any server in your network. Should you find an excuse to buy it?
A1: Not right away. In addition to operational and financial questions, you must determine how this technology complements your current design. Buying...

Design Evaluations

You can now evaluate the success of these designs against the teleworker-focused attack list in Table 15-1. If you recall Chapter 12, Designing Your Security System, this step appears a bit out of order because threat evaluation should also occur during the design of the network, not just after. It is presented in this form to ease understanding of the designs and threats. Table 15-2 shows the top 10 threats from Table 15-1 and shows the security elements used in this design that mitigate these...

Modern Three Interface Firewall Design

Most designs today use the topology shown in Figure 7-6. This design has become the current gold standard in firewall edge deployments. More-secure options exist (see the next design), but this is the best balance of security, cost, and management. Figure 7-6. Three-Interface Firewall Design The biggest benefit this design provides is requiring that all traffic flow through the firewall. This includes traffic from the Internet to the public servers,...

Table 3-1 Probing and Scanning Example

Nmap (http://www.insecure.org/nmap), Nessus (http://www.nessus.org). Learn IPs and applications available at victim network. IDS and firewalls (with log analysis).
The following list defines the components of the table:
Member of class/subclass: Refers to the class and subclass to which the specific attack belongs. In Figure 3-4, for example, the attack TCP spoofing is a member of the class spoof and the subclass transport.
Sample implementations: Provides examples of the given attack. In some cases, this...

War Dialing and War Driving

Table 3-4 shows the summary information for the war dialing/driving attack.
War dialers: many options; ToneLoc is popular. War driving: NetStumbler (http://www.netstumbler.com). Find insecure modems or wireless APs connected to a victim network. Regular checking using war-driving tools.
War dialing and war driving allow attackers to get into the victim network without going through the front door. In war dialing, the attacker dials the phone number prefixes assigned to the victim or the victim's area,...

Figure 11-10 Basic IPsec WLAN Topology

These ACLs are for user traffic only; management access control options are discussed in Chapter 16.
Inbound ACL on R1 Fa0/0:
! Permit IPsec traffic to the IPsec gateway
access-list 101 permit esp 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 101 permit udp 192.168.1.0 0.0.0.255 eq isakmp host 192.168.2.1 eq isakmp
access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
! Permit DHCP release
access-list 101 permit udp 192.168.1.0 0.0.0.255 eq bootpc host 10.5.5.50 eq...