Contents
Chapter 1 There Be Hackers Here!
Essentials First: Looking for a Target
Are You a Target of Opportunity?
Footprinting (aka Casing the Joint)
Where Are Attacks Coming From?
Common Vulnerabilities, Threats, and Risks
Overview of Common Attacks and Exploits
Network Security Organizations
Center for Internet Security (CIS)
National Vulnerability Database
Learning from the Network Security Organizations
Responsibilities and Expectations
Security and Proprietary Information
Email and Communications Activities
General Password Construction Guidelines
Virtual Private Network (VPN) Security Policy
General Network Access Requirements
Lab and Isolated Wireless Device Requirements
Home Wireless Device Requirements
Third-Party Connection Agreement
Modifying or Changing Connectivity and Access
ISO Certification and Security
Sample Security Policies on the Internet
Payment Card Industry Data Security Standard (PCI DSS)
Sarbanes-Oxley Act of 2002 (SOX)
Health Insurance Portability and Accounting Act (HIPAA) of 1996
Chapter 3 Processes and Procedures
Security Advisories and Alerts: Getting the Intel You Need to Stay Safe
Responding to Security Advisories
Steps 4 and 5: Handling Network Software Updates (Best Practices)
Forewarn Helpdesk and Key User Groups
Don’t Get More Than Two Service Packs Behind
Target Noncritical Servers/Users First
Service Pack Level Consistency
Latest Service Pack Versus Multiple Hotfixes
Security Update Best Practices
Apply Admin Patches to Install Build Areas
Subscribe to Email Notification
Chapter 4 Network Security Standards and Guidelines
Cisco Validated Design Program
Data Center Design Zone Guides
Cisco Best Practice Overview and Guidelines
Basic Cisco IOS Best Practices
Limit Access to Inbound and Outbound Telnet (aka vty Port)
Protect Yourself from Common Attacks
Encrypt Your Privileged User Account
Make Room for Redundant Systems
Intrusion Prevention System (IPS) for IOS
NSA Security Configuration Guides
VoIP/IP Telephony Security Configuration Guides
Microsoft Windows Applications
Microsoft Windows 7/Vista/Server 2008
Microsoft Windows XP/Server 2003
Microsoft Windows XP Professional
Microsoft Security Compliance Manager
Chapter 5 Overview of Security Technologies
Security First Design Concepts
Limitations of Packet Filtering
Detailed Packet Flow Using SPI
Limitations of Stateful Packet Inspection
Network Address Translation (NAT)
Proxies and Application-Level Protection
Limitations of Content Filtering
Reactive Filtering Can’t Keep Up
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS)
Two-Factor Authentication/Multifactor Authentication
IEEE 802.1x: Network Access Control (NAC)
Cisco Identity Services Engine
Advanced Encryption Standard (AES)
Different Encryption Strengths
Secure Hash Algorithm (SHA Hash)
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
Firewall Frequently Asked Questions
Do I Have Anything Worth Protecting?
Firewalls Are “The Security Policy”
We Do Not Have a Security Policy
Determine the Inbound Access Policy
Determine Outbound Access Policy
Essentials First: Life in the DMZ
Case Study: To DMZ or Not to DMZ?
Routers Running Zone Based Firewall
Zone-Based Policy Configuration Model
Rules for Applying Zone-Based Policy Firewall
Designing Zone-Based Policy Network Security
Using IPsec VPN with Zone-Based Policy Firewall
Intrusion Detection with Cisco IOS
Benefits of OSPF Neighbor Authentication
When to Deploy OSPF Neighbor Authentication
Chapter 9 IPsec Virtual Private Networks (VPNs)
Analogy: VPNs Securely Connect IsLANds
Authentication and Data Integrity
VPN Deployment with Layered Security
Internet Key Exchange (IKE) Overview
IPsec Security Association (IPsec SA)
Router Configuration as VPN Peer
Configuring the ISAKMP Protection Suite
Step 1: Create the Extended ACL
Step 2: Create the IPsec Transforms
Step 4: Apply the Crypto Map to an Interface
Firewall VPN Configuration for Client Access
Step 1: Define Interesting Traffic
Step 2: IKE Phase 1[udp port 500]
Which to Deploy: Choosing Between IPsec and SSL VPNs
Remote-Access VPN Security Considerations
Steps to Securing the Remote-Access VPN
Cisco AnyConnect VPN Secure Mobility Solution
Essentials First: Wireless LANs
Wireless Equals Radio Frequency
Sniffing to Eavesdrop and Intercept Data
Rogue/Unauthorized Access Points
Misconfiguration and Bad Behavior
Device and Access Point Association
Wired Equivalent Privacy (WEP)
WEP Limitations and Weaknesses
Extensible Authentication Protocol (EAP)
Essentials First: Wireless Hacking Tools
Chapter 11 Intrusion Detection and Honeypots
Essentials First: Intrusion Detection
Host Intrusion Detection System
Network Intrusion Detection System
Signature or Pattern Detection
Essentials First: Vulnerability Analysis
Denial of Service (DoS) Attacks
Security Assessments and Penetration Testing
Internal Vulnerability and Penetration Assessment
External Penetration and Vulnerability Assessment
Features and Benefits of Vulnerability Scanners
CORE IMPACT Pro (a Professional Penetration Testing Product)