Cisco Security Architectures - Held_ Gilbert.pdf

Cisco Security Architectures
Gilbert Held
Kent Hundley
Copyright © 1999 by The McGraw-Hill Companies, Inc. All Rights Reserved. Printed in the United
States of America. Except as permitted under the United States Copyright Act of 1976, no part of
this publication may be reproduced or distributed in any form or by any means, or stored in a
database or retrieval system, without the prior written permission of the publisher.
1 2 3 4 5 6 7 8 9 0 AGM/AGM 9 0 4 3 2 1 0 9
ISBN: 0-07-134708-9
The sponsoring editor for this book was Steven Elliot, and the production supervisor was Clare
Stanley. It was set by D&G Limited, LLC.
Printed and bound by Quebecor/Martinsburg
Throughout this book, trademarked names are used. Rather than put a trademark symbol after
every occurrence of a trademarked name, we used the names in an editorial fashion only, and to
the benefit of the trademark owner, with no intention of infringement of the trademark. Where such
designations appear in this book, they have been printed with initial caps.
Information contained in this work has been obtained by The McGraw-Hill Companies, Inc.
("McGraw-Hill") from sources believed to be reliable. However, neither McGraw-Hill nor its authors
guarantees the accuracy or completeness of any information published herein and neither McGraw-
Hill nor its authors shall be responsible for any errors, omissions, or damages arising out of use of
this information. This work is published with the understanding that McGraw-Hill and its authors are
supplying information but are not attempting to render engineering or other professional services. If
such services are required, the assistance of an appropriate professional should be sought.
Preface
Overview
In the past, the strength of countries and organizations was measured in terms of production, with
tons of steel, barrels of oil, and similar metrics used to gauge their place among contemporaries.
Today, the strength of countries and organizations depends far more on their capacity to
transfer information. That information can range in scope from satellite images of terrorists' base
camps in a village in Afghanistan, which countries use to wage retaliatory strikes, to the
flow of financial information between organizations and the use of automated teller machines by
consumers. If this information flow is disrupted or altered, the effect on countries, organizations,
and individuals can be severe or even disastrous. Just imagine if a person could intercept the flow
of financial information and reroute funds into an account in Switzerland or in the Bahamas.
Depending on whose account was diverted, countries, businesses, or individuals might become
candidates for national or Chapter 11 bankruptcy.
The key to securing networks lies in the use of appropriate equipment and in policies
that govern the use of that equipment. When we talk about securing computer networks, including
Internet access, most people rightfully think of Cisco Systems, because that company provides
approximately 80 percent of the routers used to connect organizational networks to the Internet.
Thus, the focus of this book reflects its title: it deals with Cisco Systems equipment, covering in
detail the operation and use of that company's routers and firewalls.
While the only network that is completely secure is one that is truly isolated and contained in
a locked laboratory or closet, this book was written to provide you with a
solid foundation in the tools and techniques you can use to secure your Cisco Systems-
based network. By obtaining a detailed understanding of how to correctly configure access lists, as
well as how to enable different firewall functions, you can avoid many common mistakes that leave a
network vulnerable. When appropriate, we include real-life examples obtained from several
decades of collective consulting experience. To avoid embarrassing previous and current clients,
we use pseudonyms to hide the guilty. Because security is a learning process, you should note
the errors, omissions, and techniques that can result in security problems, so that you can
ensure such errors and omissions are avoided in your own network. Thus, by focusing on how to
correctly configure equipment, we provide you with the information necessary to minimize the
vulnerability of your organization's network. While nobody can guarantee a perfectly secure network,
the information contained in this book should give you the
foundation needed to minimize potential network vulnerabilities.
As professional authors, we highly value reader feedback. If you wish to share your thoughts
concerning the scope and depth of topics covered in this book, or if there are areas you would like
to see covered in a future edition, you can contact us either through our publisher or directly via
e-mail.
About the Authors
Gil Held is an award-winning lecturer and author. He is the author of over 40 books covering
computer and communications technology. A member of the adjunct faculty at Georgia College
and State University, Gil teaches courses in LAN Performance and was selected to represent the
United States at technical conferences in Moscow and Jerusalem.
Kent Hundley (CCNA) is a Senior Network Consultant for International Network Services, a global
provider of network integration and management services. He specializes in Cisco-centric security
issues for Fortune 500 companies.
Chapter 1: Introduction
Overview
In the preface to this book, we noted that the strength of countries, organizations, and individuals
in a modern society depends to a great extent upon the flow of information. That information flow
must be transported from source to destination in a reliable manner, such that the receiver can be
assured of the identity of the originator and of the fact that the received data was not altered.
In addition, some types of information must be kept from being read by other parties. Thus,
at a minimum, the transmission of information raises three security-related issues: authentication
of the originator, integrity of the received data, and confidentiality, which is usually provided by
encryption.
When constructing data networks, authentication, integrity, and encryption might represent only a
portion of the security features and techniques you should consider. To obtain an appreciation for
the variety of available features and techniques, let's first examine the need for security, along
with some of the potential threats that create the requirement to obtain security-related
equipment to protect the modern organizational network.
The Need for Security
Figure 1-1 illustrates an example of a corporate network that is connected to the Internet.
Although many people might be tempted to view security equipment solely as a means of protecting
the computers on the private network from people who can access the Internet, that is not
the only networking boundary that requires a degree of protection. The private network, regardless
of its structure, might also require one or more security devices, techniques, and policies to protect
equipment on that network from inadvertent or intentional employee actions. Thus, in this section,
we will examine the need for security from both external and internal threats.
Figure 1-1: Public network threats
Public Network Threats
In this section, we will consider public network threats to be potential or actual threats
that originate on a public network and are directed at an organization's private network, which is
also connected to that public network. Because the Internet literally represents a network of
interconnected networks without a boundary, the organizational network becomes accessible to
the tens of millions of people who now use the Internet. Without a method to control access to
the segments shown behind the organizational router, each workstation and server operated by
the organization becomes vulnerable to intentional, malicious actions that could emanate from
anywhere on the globe. Such malicious actions could include an attempted break-in to a server
or the transmission of e-mail to a workstation user with an executable virus either embedded in the
e-mail as a macro or added as a file attachment.
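As an added illustration, not taken from the book, the following Cisco IOS extended access list shows one way to provide the access control just described: applied inbound on the interface that faces the ISP, it admits return traffic for connections opened from inside, DNS replies, and connections to two explicitly published servers, and it denies and logs everything else. The internal address block 192.0.2.0/24, the server addresses, and the interface name Serial0 are assumptions chosen for this example.

```cisco
! Added example, not from the book. Assumed: internal block 192.0.2.0/24,
! mail server 192.0.2.10, web server 192.0.2.11, Serial0 faces the ISP.
!
! Extended access list 101 is evaluated top to bottom; the first matching
! line wins, and an unwritten "deny ip any any" ends every access list.
!
! Return traffic for TCP sessions opened from inside (ACK or RST bit set).
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
! DNS replies from external servers to inside resolvers' high ports.
access-list 101 permit udp any eq 53 192.0.2.0 0.0.0.255 gt 1023
! Connections from anywhere to the published mail and web servers only.
access-list 101 permit tcp any host 192.0.2.10 eq 25
access-list 101 permit tcp any host 192.0.2.11 eq 80
! Everything else, including any attempt to open a connection to an
! ordinary workstation, is dropped and logged for review.
access-list 101 deny ip any any log
!
! An access list filters nothing until it is bound to an interface.
interface Serial0
 ip access-group 101 in
```

Two caveats a practitioner should keep in mind: the `established` keyword only tests TCP flag bits, so it passes any packet with ACK or RST set whether or not a session exists, which blocks unsolicited connection attempts but is not stateful inspection; and a list that is written but never bound with `ip access-group` does nothing. After applying the list, `show access-lists 101` displays per-line match counters, which confirm that traffic is hitting the lines you expect.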
A second area of concern with respect to the network configuration illustrated in Figure 1-1
involves two items: the transmission line that connects the organizational router to the Internet
Service Provider (ISP) router, and the ISP's connection to the Internet. Once data traffic leaves the
premises of the organization, ensuring that the transmission is neither read nor modified becomes
more difficult. Within the premises, physical security enforced through building passes and employee
recognition can prevent a person from gaining access to a wiring closet and using a protocol
analyzer to record traffic. Once data flows beyond the physical span of control of the organization,