LAN Switch Security: What Hackers Know About Your Switches
by Eric Vyncke - CCIE No. 2659; Christopher Paggen - CCIE No. 2659
Router Security Strategies: Securing IP Network Traffic Planes
by Gregg Schudel - CCIE No. 9591; David J. Smith - CCIE No. 1986
CCIE Professional Development Series Network Security Technologies and Solutions
by Yusuf Bhaiji - CCIE No. 9305
Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition
by David Hucaby - CCIE No. 4594
Security Monitoring with Cisco Security MARS
by Gary Halleen; Greg Kellogg
Authorized Self-Study Guide Designing for Cisco Internetwork Solutions (DESGN), Second Edition
by Diane Teare
Fuzzing: Brute Force Vulnerability Discovery
by Michael Sutton; Adam Greene; Pedram Amini
CCDA Official Exam Certification Guide, Third Edition
by Anthony Bruno - CCIE No. 2738; Steve Jordan - CCIE No. 11293
MPLS Fundamentals
by Luc De Ghein - CCIE No. 1897
Hacking: The Next Generation, 1st Edition
by Nitesh Dhanjani; Billy Rios; Brett Hardin
End-to-End Network Security
Defense-in-Depth
Best practices for assessing and improving network defenses and responding to security incidents
Omar Santos
Information security practices have evolved from Internet perimeter protection to an in-depth defense model in which multiple countermeasures are layered throughout the infrastructure to address vulnerabilities and attacks. This is necessary due to increased attack frequency, diverse attack sophistication, and the rapid nature of attack velocity–all blurring the boundaries between the network and perimeter.
End-to-End Network Security is designed to counter the new generation of complex threats. Adopting this robust security strategy defends against highly sophisticated attacks that can occur at multiple locations in your network. The ultimate goal is to deploy a set of security capabilities that together create an intelligent, self-defending network that identifies attacks as they occur, generates alerts as appropriate, and then automatically responds.
End-to-End Network Security provides you with a comprehensive look at the mechanisms to counter threats to each part of your network. The book starts with a review of network security technologies then covers the six-step methodology for incident response and best practices from proactive security frameworks. Later chapters cover wireless network security, IP telephony security, data center security, and IPv6 security. Finally, several case studies representing small, medium, and large enterprises provide detailed example configurations and implementation strategies of best practices learned in earlier chapters.
Adopting the techniques and strategies outlined in this book enables you to prevent day-zero attacks, improve your overall security posture, build strong policies, and deploy intelligent, self-defending networks.
“Within these pages, you will find many practical tools, both process related and technology related, that you can draw on to improve your risk mitigation strategies.”
–Bruce Murphy, Vice President, World Wide Security Practices, Cisco
Omar Santos is a senior network security engineer at Cisco®. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Prior to his current role, he was a technical leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.
Guard your network with firewalls, VPNs, and intrusion prevention systems
Control network access with AAA
Enforce security policies with Cisco Network Admission Control (NAC)
Learn how to perform risk and threat analysis
Harden your network infrastructure, security policies, and procedures against security threats
Identify and classify security threats
Trace back attacks to their source
Learn how to best react to security incidents
Maintain visibility and control over your network with the SAVE framework
Apply Defense-in-Depth principles to wireless networks, IP telephony networks, data centers, and IPv6 networks
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Networking: Security
Covers: Network security and incident response
$55.00 USA / $63.00 CAN
Average Amazon.com® Rating: based on 3 ratings
comprehensive outlook - 2007-11-07
The book furnishes a comprehensive understanding of how to secure a network. Firewalls are the first and most common defense. If your network is large enough, then you may or should have several of these, between your internal subnets. And the network routes that face the rest of the internet should have a DMZ.
By now, most readers are already aware of the need for firewalls. What you get here are practical steps in installing and managing these. But another key extra is how to maintain virtual private nets. An acknowledgement that many companies have people who need to access securely from outside the corporate network. A VPN can be much trickier to set up, and there is a computational cost to using it.
The text also goes into how to handle IPv6 networks, and when these interact with the usual IPv4 networks of the outside world. A bit unclear what is the market demand for these IPv6 nets, thus far. I've nothing against them. But v6 deployment has been much slower than expected. Still, it's good that the book includes them in its discussion.
Comprehensive look at how to secure a Cisco infrastructure - 2007-11-14
One of the mistakes many organizations make when it comes to information security is thinking that the firewall will do it all. Management often replies incredulously to a hacking incident with the thought "but don't we have a firewall".
Organizations need to realize a single appliance alone won't protect their enterprise, irrespective of what the makers of such appliances suggest and promise. A true strategy of security defense in depth is required to ensure a comprehensive level of security is implemented. Defense in depth uses multiple computer security technologies to keep organizations' risks in check. One example of defense in depth is having an anti-virus and anti-spyware solution both at the user's desktop, and also at the gateway.
With that, End-to-End Network Security: Defense-in-Depth provides an in-depth look at the various issues around defense in depth. Rather than taking a very narrow approach to security, the book focuses on the comprehensive elements of designing a secure information security infrastructure that can really work to ensure an organization is protected against the many different types of threats it will face on a daily basis.
The book's 12 chapters provide a broad look at the various ways in which to secure a network. Aside from a minor mistake in chapter 1 where the author confuses encryption standards and encryption algorithms (but then again, many people make the same mistake), the book provides a clear and to the point approach to the topic at hand. After reading the book, one will have a large amount of the information needed to secure their Cisco-based network.
While it is not in the title, the book is completely centered on Cisco hardware, software, and Cisco IOS. It is a Cisco Press title written by a Cisco employee; as you would expect, it has a heavy Cisco slant. For those that do not work in a Cisco environment, the information in the book will likely be far too Cisco-centric for their needs. A review of the index shows that the book provides a near A-Z overview of information security. One of the only missing letters is 'J', but then again, that would require writing about Juniper.
Chapter 1 starts off with a detailed overview of the fundamentals of network security technologies. Chapter 2 details the various security frameworks and methodologies around securing network devices. The six-step methodology that the author writes of is comprised of preparation, identification, classification, traceback, reaction and postmortem.
The author mistakenly writes that manual analysis of complex firewall policies is almost impossible because it is very time-consuming. The truth is that the time-consuming aspect does not make it impossible. It can be done, but the author is correct that the use of automated tools makes such analysis much quicker and easier.
Chapters 5 and 6 provide an excellent overview of reacting to information security incidents. The chapters cover all of the necessary details, from laws, log finals, postmortem and more.
Chapter 9 provides an extensive overview of the various elements of IPT security. It includes various ways to protect the many parts of a Cisco IPT infrastructure. In this chapter and the others, the author does a very good job of detailing the various configuration steps necessary to secure a Cisco device, both at the graphical level and also at the IOS command line level.
Chapter 12 concludes the book with 3 case studies of using defense in depth in small, medium and large enterprise networks. Different size networks have different requirements and constraints and are not secured in the same manner.
Overall, End-to-End Network Security: Defense-in-Depth is an excellent and comprehensive book on how to secure a Cisco infrastructure. It details the many threats such an environment will face, and lists countermeasures to mitigate each of those threats. Anyone involved in securing Cisco-based networks will find this book to be quite helpful in their effort to secure their network.
Too high level to be practical - 2007-12-06
The author, Omar Santos, must be a very smart person. I did not find any technical problems in the book. However, this book, unlike the majority of the Cisco Press books, simply is not useful to most people. They tend to spend less than a page on any one technology or topic and never get down to the nuts and bolts. If you are a security intermediate to expert practitioner and you want to page through the book to find security topics that you do not know about, that is a great use of this book. However, you will have to research that topic with another book or Internet resource.
Some information on this page was provided using data from Amazon.com®.