Network Security Architectures

By Sean Convery

Publisher: Cisco Press
Pub Date: April 19, 2004
Print ISBN: 158705115X
Pages: 792


Expert guidance on designing secure networks

Understand security best practices and how to take advantage of the networking gear you already have

Review designs for campus, edge, and teleworker networks of varying sizes

Learn design considerations for device hardening, Layer 2 and Layer 3 security issues, denial of service, IPsec VPNs, and network identity

Understand security design considerations for common applications such as DNS, mail, and web

Identify the key security roles and placement issues for network security elements such as firewalls, intrusion detection systems, VPN gateways, content filtering, as well as for traditional network infrastructure devices such as routers and switches

Learn 10 critical steps to designing a security system for your network

Examine secure network management designs that allow your management communications to be secure while still maintaining maximum utility

Try your hand at security design with three included case studies

Benefit from the experience of the principal architect of the original Cisco Systems SAFE Security Blueprint

Written by the principal architect of the original Cisco Systems SAFE Security Blueprint, Network Security Architectures is your comprehensive how-to guide to designing and implementing a secure network. Whether your background is security or networking, you can use this book to learn how to bridge the gap between a highly available, efficient network and one that strives to maximize security. The included secure network design techniques focus on making network and security technologies work together as a unified system rather than as isolated systems deployed in an ad-hoc way.

Beginning where other security books leave off, Network Security Architectures shows you how the various technologies that make up a security system can be used together to improve your network's security. The technologies and best practices you'll find within are not restricted to a single vendor but broadly apply to virtually any network system. This book discusses the whys and hows of security, from threats and countermeasures to how to set up your security policy to mesh with your network architecture. After learning detailed security best practices covering everything from Layer 2 security to e-commerce design, you'll see how to apply the best practices to your network and learn to design your own security system to incorporate the requirements of your security policy. You'll review detailed designs that deal with today's threats through applying defense-in-depth techniques and work through case studies to find out how to modify the designs to address the unique considerations found in your network.


Whether you are a network or security engineer, Network Security Architectures will become your primary reference for designing and building a secure network.

This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.


A Note from Cisco Systems on the SAFE Blueprint and Network Security Architectures

Part I Network Security Foundations

Chapter 2 Security Policy and Operations Life Cycle


Attack Results

Part II Designing Secure Networks

Chapter 7 Network Security Platform Options and Best Deployment Practices

Chapter 9 Identity Design Considerations


Types of Identity

Part III Secure Network Designs


Identity Considerations

Part IV Network Management, Case Studies, and Conclusions


All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing April 2004

Library of Congress Cataloging-in-Publication Number: 2002107132

Warning and Disclaimer

This book is designed to provide information about network security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

The following materials have been reproduced by Pearson Technology Group with the permission of Cisco Systems Inc.: Table 16-1, Figures 3-11 through 3-13, Figures 6-1 through 6-8, Figure 6-10, Figure 6-23, Figure 6-26, Figure 7-8, and Figures 10-18 through 10-21. COPYRIGHT © 2004 CISCO SYSTEMS, INC. ALL RIGHTS RESERVED.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.

For more information please contact:

U.S. Corporate and Government Sales

1-800-382-3419, corpsales@pearsontechgroup.com


For sales outside the U.S. please contact:

International Sales, international@pearsoned.com

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Credits

Editor-in-Chief: John Kane
Executive Editor: Brett Bartow
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Nannette M. Noble
Acquisitions Editor: Michelle Grandin
Production Manager: Patrick Kanouse
Development Editor: Grant Munroe
Production: Argosy Publishing
Technical Editors: Qiang Huang, Jeff Recor, Russell Rice, and Roland Saville
Team Coordinator: Tammi Barnett
Cover Designer: Louisa Adair

Corporate Headquarters

European Headquarters

Cisco Systems International BV
Haarlerbergpark

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Printed in the USA

Dedication


This book is dedicated to my wife, Monica, and daughter, Mia, without whose unending patience this book would never have happened.

It is also dedicated to my newborn son, Ronan, without whose imminent arrival I might still be writing this book today.


About the Author

Sean Convery, CCIE No. 4232, is a security architect in the Cisco Systems VPN and Security Business Unit, focusing on new security technologies. He has been with Cisco for six years and is best known as the principal architect of the original Cisco SAFE Security Blueprint, as well as author of several of its white papers. During his time at Cisco, Sean has presented secure network design to thousands of Cisco customers around the world and has consulted with scores of customers on their security designs both large and small. Prior to his time at Cisco, Sean held various positions in both IT and security consulting during his 12 years in networking.

When not thinking about security, Sean enjoys two-wheeled transportation (with and without a motor), spending time with his family on hikes, and nearly anything involving being on, in, or under the water. His professional website is http://www.seanconvery.com.


About the Technical Reviewers

Qiang Huang, CCIE No. 4937, is a network consulting engineer with the Cisco Systems, Inc., World Wide Security Services Practices team. His main responsibilities include performing security posture assessment, security design review, and other security services engagement for customers. Before that, Qiang worked as the technical lead in the VPN and network security team in technical support operations (TAC) at Cisco Systems. Qiang has extensive experience with many security products and technologies, including firewalls, VPNs, IDS, and identity authentication systems. Qiang has CCIEs in the areas of ISP Dial, Routing and Switching, and Security. Qiang holds a master's degree in electrical engineering from Colorado State University.

Jeff Recor currently serves as the president and CEO of the Olympus Security Group, Inc., where he is responsible for consulting with large clients on the topics of security strategy, return on investment (ROI), and risk mitigation. As the former global director of the Nortel Networks Global Professional Services Security Practice, Jeff was responsible for developing an international set of service offerings to address evolving systems security and network design requirements. Jeff has roughly 18 years of experience consulting with companies in security and network design. Some examples of his experience include the following: as the MIS director for Holtzman & Silverman, he led an automation project resulting in an award for the most outstanding application of technology in the state of Michigan. As the PSO director for Netrex, he built from scratch an outstanding security-consulting organization that supported Global Fortune 500 companies, and as president of the Sargon Group, Inc., he successfully built and sold (to Nortel Networks) a leading security services company. Jeff is an adjunct professor at Walsh College (department chair of the newly created Information Assurance Program) and is a writer and lecturer on security and networking topics. Jeff has been teaching security topics all over the world for various organizations. He has published several articles and authored three books: Realizing the Virtual Private Network, Information Systems Security, and a monograph on security topics by Educause. His presentations focusing on network security have been well received at conferences such as the Gartner CIO Summit and CA World. Jeff also chairs a subcommittee for the ITAA, serves as a cornerstone board member of the COMPTIA Security+ Certification committee, serves on the board of advisors for the FBI Infragard program, was a founding member of the IT-ISAC, and serves on the committee for the Partnership for Critical Infrastructure Protection. Jeff received his bachelor's degree from Michigan State University and will receive his master's degree in education from the University of Phoenix in 2003. He has earned the CISSP and CISA designations and currently serves on two separate boards of directors.

Russell Rice is a technical marketing manager in the Cisco Systems VPN and Security Business Unit, which focuses on new system security planning and the SAFE network security best practice design guidelines. Russell spent the past 8 years in network security technology, both within Cisco and as the Director of Engineering at Global Internet.

After graduating from UC Berkeley with a bachelor's degree in computer science in 1988, Russell spent the subsequent 7 years in assorted engineering, marketing, and management positions at ABB, Dow Jones, and Gamer's Den. Russell is a frequent Cisco evangelist at security seminars, including Networkers, where he has received multiple top 3 overall technical presenter and session awards.

Roland Saville is a technical marketing engineer in enterprise solutions engineering at Cisco Systems. In his 9 years at Cisco, Roland has been involved in various security projects, including developing and extending the SAFE blueprint, supporting product sales staff, and providing intercompany feedback on road maps, strategies, and gap analysis. Since July 2003, he has been involved in projects on wireless, IP telephony, and video intelligence. Roland received his MBA from Santa Clara University. He lives in Boca Raton.


A book of this scope would not have been possible without the behind-the-scenes work of many colleagues and the input of several individuals throughout the IT industry.

I would like to thank in particular Bernie Trudel for his contributions during the outline and initial stages of this book, Russell Rice for his input in the early stages of the book and his availability as a sounding board whenever I needed some well-thought-out input, Steve Acheson for his review of several chapters, Michele Guel for her input into Chapter 2, Mike Schiffman for his review of Chapter 3, Dan Wing for his suggestions regarding my treatment of NAT in Chapter 6, Marco Foschiano for his encyclopedic knowledge of all things Layer 2, Darrell Root for the DHCP filtering examples, Rob Thomas for his excellent website, John Bartlomiejczyk for his assistance testing DHCP attacks, Eliot Lear for his review of Chapter 8, Jeff Hillendahl for the AAA best practices he provided, Mike Sullenberger for his key contributions to the IPsec content in Chapter 10, Barbara Fraser for her assistance with IETF questions and IPsec, Darrin Miller for his contributions to Chapter 11 and excellent reviews of other chapters, and Ross Anderson for providing some great feedback on the bulk of the book, in addition to writing the foreword.

In addition, I would like to thank all of my coworkers at Cisco Systems with whom I've worked over the last six years. Big thanks to the coauthors I worked with on the SAFE blueprints: Roland Saville, Jason Halpern, Bernie Trudel (again), Darrin Miller (again), and everyone else who contributed to SAFE. Also, I would like to thank my managers during the period the book was being written: Steve Collen, Ken Watson, and Robert Gleichauf. Also, many thanks go out to Jim Ring and Brian Waller for hiring me into Cisco in the first place and then for being understanding when I moved to corporate to be a full-time security geek. Thanks go out to Matthew Franz and Eloy Paris, who, sometimes unknowingly, answered questions I had related to the book.

Many thanks to my primary technical reviewers, Russell Rice, Jeff Recor, Roland Saville, and Qiang Huang, who never hesitated to hit me with the clue-stick and without whose detailed reviews I'm certain this book would be an unreadable mess.

The folks at Cisco Press deserve special thanks for sticking with me through a couple of false starts. Thanks to Michelle Grandin, Dayna Isley, and Tammi Ross for keeping me on schedule, on message, and under contract, respectively. Special thanks to my development editor, Grant Munroe, for his insight and suggestions into the organization of this book and for letting me sneak in the occasional joke without too much fuss. I also want to thank Patrick Kanouse for his assistance during the final prepress stage of the book.

Thanks to Topher Hughes for recommending Miles Davis's Kind of Blue as good writing music. At last check, my MP3 player tells me I've listened to that CD 39 times through.

Thanks to Mike McManus and Chris Lawrence for hiring me into my first computer job and my first IT job, respectively.

Big thanks to Michael Lucas for giving me a simple formula to ensure that this book was finished on time.

I want to thank all the organizations I've provided design guidance to over the years. I easily learned as much from you as you learned from me.

Thanks to all my family and friends who saw and heard very little from me during my time writing this book. In particular, I would like to thank my mother for all her proofreads of my school papers and for always pushing me to do my best. Also, I want to thank my father for giving me the vision to do things a bit outside the norm and for being there whenever I needed him.

My ultimate and biggest thanks go to my loving wife, Monica, and my superhero daughter, Mia. Monica kept me going on more than one occasion and bore a more significant load of the family chores, which was no small task considering she was pregnant throughout the bulk of this book's creation. Big thanks to Mia for being patient with me and not getting too angry when she'd hear me say, "I still have work to do." I look forward to "Daddy's done working!" no longer being her favorite thing to say.


A Note from Cisco Systems on the SAFE Blueprint and Network Security Architectures

As Cisco Systems broadened its security product portfolio and started the process of deepening the security services available on its router and switch platforms, the Cisco SAFE Blueprint effort was launched. The goal was to assist network and security architects and implementers by proactively describing security best practices to assist as engineers work to design or augment their networks to address existing and emerging threats. The core of SAFE consists of technical white papers enumerating threats, mitigation techniques, and network functional modularization thoughts, along with a hefty dose of sample designs and configurations.

Sean Convery is the main force behind the original SAFE Blueprints, from concept to consolidating considerations, to build outs, to authoring the first pivotal white papers that Cisco posted. Largely because of his initial efforts, SAFE papers today have achieved well over 1 million downloads and broad acceptance in the security community.

This book approaches secure network design from a pragmatic viewpoint, which ensures its immediacy, relevance, and utility. In this book, Sean greatly enhances the basic information made available in the SAFE papers. Network Security Architectures is a one-stop location for practical security life cycle considerations, assessments of mitigation technologies versus a variety of threats, detailed design considerations, and alternatives for a variety of sample organizational security policies and technologies in use.

Russell Rice
Manager, Product Marketing
New System Security Technologies
February 2004


Icons Used in This Book


Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

Italics indicate arguments for which you supply actual values.

Vertical bars (|) separate alternative, mutually exclusive elements.

Square brackets [ ] indicate optional elements.

Braces { } indicate a required choice.

Braces within brackets [{ }] indicate a required choice within an optional element.
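As an added illustration of these conventions (example code written for this page, not from the book and not Cisco's IOS Command Reference), the following Python parses a syntax template written in the notation above and checks whether a given command line conforms to it, returning the values supplied for each argument. Plain text cannot show italics, so the example writes an argument as <name>; that marker, the template strings and the command lines in the block are all constructed for the example.

```python
"""Check a command line against an IOS-style syntax template.

Template notation follows the conventions listed above: literal keywords,
`|` between mutually exclusive alternatives, `[ ]` around optional elements,
`{ }` around a required choice, and `[ { } ]` for a required choice inside an
optional element. Italic arguments cannot be shown in plain text, so this
example writes an argument as <name> (an assumption of this example, not a
convention of the book).
"""
import re

# One token per keyword, argument or structural character.
_TOKEN_RE = re.compile(r"[{}\[\]|]|<[^>]+>|[^\s{}\[\]|<>]+")


def parse(template):
    """Build a small AST: ("seq", [nodes]), ("alt", [seqs]), ("opt", node),
    ("kw", keyword) or ("arg", name)."""
    tokens = _TOKEN_RE.findall(template)
    pos = 0

    def parse_seq(closer):
        nonlocal pos
        alternatives, current = [], []
        while pos < len(tokens) and tokens[pos] != closer:
            tok = tokens[pos]
            pos += 1
            if tok == "|":                    # next alternative of this group
                alternatives.append(("seq", current))
                current = []
            elif tok == "{":                  # required choice
                current.append(parse_seq("}"))
            elif tok == "[":                  # optional element
                current.append(("opt", parse_seq("]")))
            elif tok in ("}", "]"):
                raise ValueError("unexpected %r in template" % tok)
            elif tok.startswith("<"):         # argument supplied by the user
                current.append(("arg", tok[1:-1]))
            else:                             # literal keyword
                current.append(("kw", tok))
        if closer is not None:
            if pos >= len(tokens):
                raise ValueError("unbalanced template: missing %r" % closer)
            pos += 1                          # consume the closer
        alternatives.append(("seq", current))
        return alternatives[0] if len(alternatives) == 1 else ("alt", alternatives)

    return parse_seq(None)


def _match(node, words, i, binds):
    """Yield (next_index, bindings) for every way node can consume words[i:].
    Backtracking is needed because an optional element may be absent and an
    argument value can look like a keyword."""
    kind, body = node
    if kind == "kw":
        if i < len(words) and words[i] == body:   # keywords match literally
            yield i + 1, binds
    elif kind == "arg":
        if i < len(words):
            yield i + 1, {**binds, body: words[i]}
    elif kind == "opt":
        yield i, binds                            # element absent
        yield from _match(body, words, i, binds)  # element present
    elif kind == "alt":
        for branch in body:
            yield from _match(branch, words, i, binds)
    else:  # "seq"
        states = [(i, binds)]
        for child in body:
            states = [s for j, b in states for s in _match(child, words, j, b)]
        yield from states


def match(template, command):
    """Return the argument bindings if command conforms to template, else None."""
    words = command.split()
    for end, binds in _match(parse(template), words, 0, {}):
        if end == len(words):                     # whole line consumed
            return binds
    return None


if __name__ == "__main__":
    # Constructed templates and commands for illustration only.
    logging = "logging host <ip> [transport {udp | tcp}] [port <port>]"
    print(match(logging, "logging host 10.0.0.5 transport tcp port 1514"))
    print(match(logging, "logging host 10.0.0.5 transport sctp"))
    acl = "ip access-list {standard | extended} <name>"
    print(match(acl, "ip access-list extended OUTSIDE-IN"))
```

The `[transport {udp | tcp}]` element shows the "required choice within an optional element" case: the transport clause may be omitted entirely, but if it appears, one of the two keywords must follow. Keywords are matched literally here; the abbreviation and case folding that a real IOS parser performs are outside the scope of this example.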


Network security now consumes a significant share of a typical corporate information technology (IT) budget. Scaremongering about the Internet imposes a cost on business that is an order of magnitude greater.

Traditional IT security books have fallen somewhat behind real-world practice. The old-fashioned priorities of confidentiality, then integrity, then availability have been reversed. The arrival of distributed denial of service attacks has put availability at the top. But how do you deal with attacks that exploit vulnerabilities in other people's systems rather than your own?

Traditional cryptography books are also inadequate. A discussion of the mechanics and the relative merits of different cryptographic algorithms is all very interesting, but the practitioner must work with what's actually out there. The real vulnerabilities are rarely matters of deep mathematics but of implementation detail. Configuration management is much more important to the practitioner than differential cryptanalysis.

As the IT security field matures, it is perhaps helpful to draw an analogy with medicine. The days when medical students could learn from a single book are long gone. Instead, they study from a variety of sources. Basic scientific texts on anatomy and biochemistry are still a necessary foundation. But it is at least as important to study clinical texts on how particular diseases develop and are managed.

We have plenty of books on the underlying theory: on cryptomathematics and the theory of secure operating systems. We have very little on the "clinical practice" of information security: writing based on real experience of how real systems fail.

That's why it is a pleasure to have a book written by Sean Convery. Sean is a Cisco guy, and it's Cisco routers that run the Internet nowadays. So, he brings a crucial perspective as well as a level of technical detail and a depth of understanding that few other writers could aspire to. His experience from working in the Cisco consulting business is also something that many practitioners would like to share.

Designing and configuring networks so as to remain resilient in the face of malice, error, and mischance is still something of a black art. Perhaps it will eventually be well enough understood to be reduced to formulae. But in the meantime, Sean's book will be one of the guides.

Ross Anderson
Professor of Security Engineering, Cambridge University, England
Author of Security Engineering: A Guide to Building Dependable Distributed Systems
July 2003


What's the difference between designing network security and designing secure networks?

At first glance, it can seem like semantics. In fact, the difference lies in the approach to the problem of providing network security. Designing network security implies that network security could be designed, by itself, without much thought to the surrounding network. On the other hand, designing secure networks means incorporating security as part of the network design from the start.

The primary goal of this book is to provide a systematic approach to designing secure networks. In a departure from most Cisco Press books, the content in this book is largely vendor neutral. I would expect an operator with no Cisco gear whatsoever (network or security) to be able to use this book to design a secure network.

Several network security books focus on hacking stories, security technologies, or theoretical security concepts. Although elements of the kinds of information you might find in those books are included here, the focus is on how the various elements of security can be combined to solve real problems in today's networks. This book is built around the concept of creating something I call a "security system." This book describes a practical, proven approach to designing networks that are secure, manageable, and deployable using technology that is available today. I've personally used elements of this approach with dozens of organizations worldwide to help start them on a path to more secure networking.

Throughout this book, you will learn about security best practices and sound design principles, which will enable you to make educated decisions when securing various parts of your network. By the time you get to the actual designs, you will not only understand the reasons behind each design, you will likely have arrived at similar designs on your own. Not only will you be able to understand the designs and develop your own variations, you will also learn actual device configurations for key elements of the secure network. Reading through the included case studies will allow you to further refine your knowledge by applying the concepts you've learned to sample networks that have real business requirements and real security issues.

This is not just another network security book with a sexy cover to entertain you. On the other hand, the goal is not to bore you with long, theoretical dissertations on security technologies. Instead, this book combines many practical examples, some theory, and a sprinkle of humor to emphasize the principles discussed. In the end, I hope to give you a set of tools to evaluate networks and to redesign them to improve their security. Enjoy the journey.


This Book's Relationship to the SAFE White Papers

Over the years, I have written a number of white papers on network security. If interest is measured by the number of downloads, the ones that are part of the SAFE series are by far the most popular. They describe the blueprints for secure network designs developed by Cisco. See the following URL for more information: http://www.cisco.com/go/safe

Although I have received much positive feedback on the SAFE white papers, many readers ask me to show them in more detail how they can design the same level of security in their own networks. This book is intended to show you examples of secure designs and the means with which to arrive at similar designs to meet the specific business, policy, and technology needs of your organization. The difference is a lot like giving you a fishing rod and showing you how to use it versus just giving you the fish.

In addition, this book provides configurations for the relevant technologies discussed in the book. The configurations are also commented when appropriate to aid in understanding.


Why Network Security?

IT security is the protection of systems, resources, and information from unintended and unauthorized access or misuse. Although defining something as broad as security invites criticism, whichever definition you use, it would be extremely hard to find any CEOs or general managers willing to admit that they are not concerned with this topic. A review of the most publicized attacks over the years indicates that network security plays an important role in achieving the goals of the preceding definition.

In addition, IT applications, and lately, Internet applications, are becoming more and more mission-critical to organizations. The complexity of these applications, along with the operating system and computing platforms that they run on, makes them vulnerable to attacks. Because the application often controls access to the information, security of the applications is also important.

The network provides the conduit for users to interact with the application and thereby the data. It follows that securing the network is imperative as the first line of defense in IT security. Without a secure network, applications and information can be subjected to continuous salvos from the multitude of attackers.

The development of network security parallels the development of network technologies, thereby enforcing this old adage: if someone builds it, someone else will find a way to break it. The first networks consisted of serial point-to-point lines connecting dumb terminals to a central computer. To break into these simple systems, one had to get physical access to either the terminal or the serial port. Security systems consisted principally of physical security mechanisms.

To increase the flexibility of access for users, modems were added to the serial ports. This allowed users as well as attackers to have access from anywhere a telephone line reached. Unauthorized access was obtained principally by using war-dialing tactics to search for answering modems. Security systems focused on authenticating legitimate users by various techniques such as dial back. Password technology also improved.

The requirements for sharing information, especially among academic and research users, led to the creation of various networks, one of which eventually developed into the Internet. This not only enabled computer users to exchange and access vast amounts of information from a single system, it also gave hackers a complete network of potential hosts to attack. The ease of connectivity provided by TCP/IP increased the possibility of attacks to new levels. Not only could intruders attack any host on the network, some were attracted to the computing power of all these networked hosts. In 1988, Robert Morris launched the first Internet worm and took down 6000 hosts: 10 percent of those on the Internet at the time.

It was in these early days of the Internet that the first generation of firewalls was developed. The bastion host between two filtering routers provided protection at the TCP/IP network connection level. Computing power and network connectivity continued to increase, and attacks became more sophisticated. As a result, the firewall design evolved through a number of design generations.

Fast-forward to today: firewalls have been joined by a number of other security devices and applications to protect networks. Unfortunately, despite the sophistication of these tools in today's network designs and the fact that organizations spend more on network security, unauthorized access continues to increase. Three primary reasons might account for this problem.

The first is that although network security tools continue to advance, senior management mindset tends toward the notion that a magic bullet (such as a firewall) can be purchased to "solve" the security problem. Second, network security designs have not kept pace with the changing utilization of the network and its expanding perimeter. Third, the sophistication of scripted attack tools is increasing, subjecting everyone to network attacks based not on the attacker's motivation to compromise your site, but rather by the network's vulnerability to specific attacks. To solve this problem, the design of secure networks must change. This book offers an approach that integrates security into every aspect of network design.


New Technologies, New Vulnerabilities

In addition to today's attacks, the network security engineer is concerned about the vulnerabilities of the latest network technologies. In the last few years, IPsec virtual private networks (VPNs) have been touted as a more cost-effective and flexible means of connectivity. Certainly, the encryption and authentication mechanisms specified in IPsec provide a strong technique for protecting the confidentiality of the transported information, but the increase in the number of connections to the Internet expands the exposure of the network.

Likewise, wireless LANs have introduced a whole new set of vulnerabilities. The possibility of unauthorized users gaining access to the corporate network is no longer limited to physical connectivity; it can be done over the air. Attackers need only be in the proximity of your corporate location to get access to the transmission medium.

These are only two of the many new technologies being introduced in corporate networks. To maintain the security posture of a network, the design engineer must simultaneously integrate security technologies and best practices as each new technology is introduced into the network.


How This Book Is Organized

This book is organized into four parts:

Part I: Network Security Foundations

Part II: Designing Secure Networks

Part III: Secure Network Designs

Part IV: Network Management, Case Studies, and Conclusions

Part I, "Network Security Foundations," is an overview of the building blocks of network security. The first four chapters of the book provide the prerequisite information for tackling the design process. Each chapter could be a book of its own, but the focus here is on giving you quick access to the essential elements so you can make educated secure-network design decisions. Many references are provided to help you supplement your knowledge in these areas. The information in Chapter 3, "Secure Networking Threats," and Chapter 4, "Network Security Technologies," is extensively referenced throughout the rest of the book and impacts the decisions that are made in the sample designs in Part III.

Part II, "Designing Secure Networks," is a comprehensive discussion of the technologies and techniques available to the security designer and the process you can go through to build your security system. First a chapter is dedicated to device hardening, followed by chapters that cover general design considerations, platform options, and application issues. Part II also examines some specific areas of secure network designs: identity, IPsec VPNs, and a suite of supporting technologies such as content, wireless, and voice. The design process in Chapter 12, "Designing Your Security System," is the key to this section and provides you with the process required for Part III.

Part III, "Secure Network Designs," presents the three principal sections of a secure network design: edge, campus, and teleworker networks. These chapters take the information from the first 12 chapters and apply it to the different areas of a network in need of security. Variations of these designs are shown based on the size of the network, and options for increasing or reducing security as your resources dictate are included.

Part IV, "Network Management, Case Studies, and Conclusions," concludes the book by focusing first on network management, an often overlooked area of secure networking. Case studies are then provided to give you an opportunity to try your hand at designing a security system for sample organizations with specific business and security requirements.

The book closes by reinforcing the key elements of secure networking and provides some insight into areas for further consideration, such as Internet Protocol version 6 (IPv6) and what increasing computing power can mean for network security.


Who Should Read This Book?

Robust secure network design is of interest to almost everyone in the IT organization. From the senior IT manager or CIO to the security operations engineer, I believe this book is of some value. Some parts of this book are more relevant to certain people in the organization, so I highlight the important sections for different job functions. Although I would prefer that you read the book cover to cover, time doesn't always permit that. I've tried to provide specific references to key concepts throughout the book so that if you come across an unfamiliar area, you can refer to the chapter in which it is more comprehensively discussed.

Network/Security Architect

Designing secure networks is always a challenge in balancing the business requirements of network access with the security requirements and policies of an organization. If part, or all, of your role includes this job function, you are the principal audience for this book. I strongly recommend that you read every section, even if you skim the material in chapters covering topics you already know well.

Network/Security Operations Engineer

If you are in this role, you probably have little time in your day except to run from fire to fire, responding to the latest network-down emergency or attack incident. All the while, you try to improve the performance and the security posture of the network. This book will help you in the second part of your job. If you can spare the time, I recommend reading the whole book; otherwise, focus on Chapter 1, "Network Security Axioms," Chapter 6, "General Design Considerations," Chapter 11, "Supporting-Technology Design Considerations," and Chapter 16, "Secure Network Management and Network Security Management."

IT Manager

You are one of a number of IT managers who have been given the joint task of improving the security posture of the network while maintaining a network that meets business requirements; what do you do? I recommend that you read all of Part I for a thorough background on network security and skim through Part II as well as Chapter 16. Skim the rest of the book, but thoroughly read Chapter 12 to understand the design process and Chapter 18, "Conclusions," to help you plan for the future.

CIO and Others with Passing Interest

Congratulations if you fit in this group and you are reading the preface. This book was probably recommended to you by one of the three preceding groups. Staying on top of network security is important. If you don't have time to skim through the whole book, I recommend that you focus on the following sections: Chapter 1 for the fundamental axioms of network security and Chapter 12 for the secure network design process.

Now that you know what this book is about, I can tell you what it does not include. This book does not cover several important areas of IT security. It is not focused on dissecting attacks and demonstrating the ins and outs of the latest attack tools. It does not focus on each specific feature in security products such as firewalls and antivirus software. It does not describe in detail how to harden popular server operating systems. It is not a configuration guide for Cisco products, even though all the testing for this book was done using Cisco products for the network devices. Finally, it does not cover the basics of IT security. Although network security novices can read this book and get a lot out of it, they would enjoy it more if they first reviewed a book covering security fundamentals.


I hope you enjoy this book and find it truly useful. I enjoyed writing it and really felt like I emptied my brain when it comes to secure network design. I'll be posting errata to my website: http://www.seanconvery.com. Also, because typing in some of the provided URLs could be annoying, all the links in this book are contained at the website as well. Happy reading!

Sean J. Convery

March 18, 2004


Part I: Network Security Foundations

Chapter 1 Network Security Axioms

Chapter 2 Security Policy and Operations Life Cycle

Chapter 3 Secure Networking Threats

Chapter 4 Network Security Technologies


Chapter 1 Network Security Axioms

This chapter covers the following topics:

Network Security Is a System

Business Priorities Must Come First

Network Security Promotes Good Network Design

Everything Is a Target

Everything Is a Weapon

Strive for Operational Simplicity

Good Network Security Is Predictable

Avoid Security Through Obscurity

Confidentiality and Security Are Not the Same

Appear at points which the enemy must hasten to defend; march swiftly to places where you are not expected.

Sun Zi, The Art of War

[The U.S. military must] adopt a new "capabilities-based" approach, one that focuses less on who might threaten us, or where, and more on how we might be threatened and what is needed to deter and defend against such threats.

U.S. Secretary of Defense Donald Rumsfeld, Foreign Affairs, Volume 81, No. 3, May 2002

First-time network security architects always come to a realization about halfway through their first network security design project. It eclipses all of the other realizations that they've had to date regarding network security. Minor observations such as "Network security is hard," "I don't know enough," or "Why didn't the last security administrator document things better?" all lead to the main conclusion: "I'm in the wrong business if I don't like being the underdog."

One of the things that can help you in the challenging undertaking of secure network design is an understanding of the ground rules. I call these ground rules axioms. An axiom as defined by Merriam-Webster is "a maxim widely accepted on its intrinsic merit." When I say "axiom" in this book, I am referring to overarching design principles, considerations, or guidelines that are broad enough to apply to all areas of secure network design. Also, since "intrinsic merit" is a bit open to interpretation, I'll provide empirical proofs to back up my claims.

Axioms are similar to design principles but are subtly different. A design principle is smaller in scope and often involves only a single technology or affects only a limited area of the network. For example, that the intrusion-detection system (IDS) should be installed as close as possible to the hosts you are trying to protect is a design principle. But because it applies only to IDS deployments, it is not an axiom.

Axioms are presented first for two reasons. First, they allow you to consider and apply the axioms as you read the rest of this book. Second, if I didn't mention them now, this book would be three times as long because I would repeat myself constantly. A solid understanding of these axioms will help you understand how to approach designing secure networks.


Network Security Is a System

Network security is a system. It's not a firewall, it's not intrusion detection, it's not virtual private networking, and it is not authentication, authorization, and accounting (AAA). Security isn't anything that Cisco Systems or any of its partners or competitors can sell you. Although these products and technologies play an important role, network security is more comprehensive. It all starts, as has become almost cliché in the industry, with a security policy. From there, it branches out to include the people charged with conforming to that policy and those that must enforce it. Then it finally results in changes to the actual network infrastructure.

Consider the resurgence of network worms that occurred in 2001 and that shows no sign of slowing. Never mind that network worms are a problem as old as Robert Morris's Internet worm from 1988; these worms cause massive damage. Code Red, for example, infected over 340,000 hosts in its first 24 hours of existence (source: http://www.caida.org). This is important because a large number of those hosts were protected by firewalls. Unfortunately, most firewalls don't do deep-packet inspection, and even if they did, no one knew what to look for when Code Red hit. The firewalls simply recognized that the packet was arriving on port 80, and they let it pass through. Once inside, Code Red was free to infect the entire internal network, which was often deployed without network security controls. A system could have mitigated the effects of Code Red, but a single firewall doesn't stand a chance.

But what is a system when it comes to network security? Broadly defined, a network security system is as follows:

A collection of network-connected devices, technologies, and best practices that work in complementary ways to provide security to information assets.

The key word in that definition is complementary. Having basic router access control lists (ACLs), stateful firewall ACLs, and host-based firewall ACLs gives you lots of basic access control, but it isn't a system. For a true network security system, you need complementary technology that applies to a specific threat pattern. Some in the information security industry call this "defense-in-depth." A practical method of determining the quality of your system is to break down the quantity and makeup of the various deployed threat mitigation techniques: protect, detect, deter, recover, and transfer. This kind of evaluation is helpful in the early stages of network security system development. As you move toward implementation, you must delve to a deeper level. The easiest way to do this is to reverse your thinking by considering how different threat categories will be mitigated by the system you have put in place.

As an example, let's return to the port 80 worms just discussed. What are some different system elements that will mitigate the threat of an HTTP-based worm to a public web server? The following list summarizes these system elements, which are explained in more detail in Chapter 3, "Secure Networking Threats":

A properly configured firewall can help prevent a web server, once compromised, from infecting other systems on different networks.

Private virtual LANs (PVLANs; but not regular VLANs; more information is given in Chapter 6, "General Design Considerations") can help prevent a web server from infecting other systems on the same network.

Network IDS (NIDS) can help detect and block attempted infections of the web server.

Host IDS (HIDS) can perform the same functions as NIDS, but they have the added benefit of being closer to the host, which generally means they have access to more contextual data regarding the specific attack.

Antivirus software has the capability to detect certain worms or other malicious code if the signature database has been updated to detect it.

Finally, although good system administrator (sysadmin) practices aren't the focus of this book, lots of practices such as timely patching, regular vulnerability scanning, operating system (OS) lockdown, and implementation of web server best practices can make a real difference in preventing a system compromise.

All of the preceding system elements work together to mitigate the threat. Although each element isn't 100 percent effective at stopping HTTP-based worms, basic mathematical probability shows that the more complementary system elements you have in place to counter a given threat, the greater the likelihood that the threat will be neutralized.

Testing the true mettle of your network security system doesn't come when you are under attack by the known but rather the unknown. Although script kiddies are predictable in their lack of creativity, a determined and skilled attacker will likely have a stash of unique techniques.

Pick your favorite security incident from the past, whether it is the Morris worm from 1988, rootkits and IP spoofing in the 1990s (more information is given in Chapter 3), distributed denial of service (DDoS) attacks in 2000, HTTP worms in 2001, or the SQL Slammer and MS Blaster worms in 2003. It is easy to point out the failings of your network security after your systems are affected by an attack. It is through this "learning through pain" process that many seemingly apparent security issues are suddenly brought to light.

There is no way to avoid this kind of learning, but you can try to minimize it by designing your security system to deal with broad categories of attacks rather than specific ones. In fact, one of the many metrics used to gauge the success of your security system is to count how many times you've had to make significant modifications to adapt to the latest threats. Ideally, it is an infrequent occurrence.

Network security is a system. If you remember nothing else from this book, I did a very bad job of writing it. But if you remember only a few things, I hope one is the preceding simple statement.
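The "complementary elements" argument and the protect/detect/deter/recover/transfer breakdown above can be made concrete with a small coverage model. The following Python is an added example, not from the book: it scores a constructed version of the chapter's public-web-server system against a known and a novel HTTP worm, where the control names, the effectiveness figures and the `needs_prior_knowledge` flag are all assumptions made for illustration.

```python
"""Defense-in-depth coverage model for a network security system.

Every control is tagged with the mitigation technique it provides
(protect, detect, deter, recover, transfer), the threat categories it
addresses, and an assumed probability that it alone stops the threat.
All numbers here are constructed illustrations, not measurements.
"""
from dataclasses import dataclass
from math import prod

TECHNIQUES = ("protect", "detect", "deter", "recover", "transfer")


@dataclass(frozen=True)
class Control:
    name: str
    technique: str                        # one of TECHNIQUES
    threats: frozenset                    # threat categories this control addresses
    effectiveness: float                  # assumed P(this control alone stops the threat)
    needs_prior_knowledge: bool = False   # only works once the attack is known
                                          # (signature written, patch shipped)


def effective(control, threat, novel=False):
    """Effectiveness of one control against one threat.

    Against a novel threat, a control that depends on prior knowledge
    contributes nothing: when Code Red hit, nobody knew what to look for.
    """
    if threat not in control.threats:
        return 0.0
    if novel and control.needs_prior_knowledge:
        return 0.0
    return control.effectiveness


def neutralization_probability(controls, threat, novel=False):
    """P(at least one control stops the threat), assuming the controls
    fail independently.  Controls that share a failure mode (two
    signature feeds from the same vendor, say) should be modelled as one
    control, otherwise this figure overstates the system."""
    return 1.0 - prod(1.0 - effective(c, threat, novel) for c in controls)


def technique_coverage(controls, threat, novel=False):
    """Map each technique type to the controls that actually cover the threat."""
    return {
        t: [c.name for c in controls
            if c.technique == t and effective(c, threat, novel) > 0]
        for t in TECHNIQUES
    }


def coverage_gaps(controls, threat, novel=False):
    """Technique types with no working control for this threat."""
    cov = technique_coverage(controls, threat, novel)
    return [t for t in TECHNIQUES if not cov[t]]


# Constructed system modelled on the chapter's public-web-server example;
# the effectiveness values are assumed, not measured.
HTTP_WORM = "http-worm"
SYSTEM = [
    Control("edge firewall (limits spread to other networks)", "protect",
            frozenset({HTTP_WORM}), 0.30),
    Control("PVLAN on server segment", "protect", frozenset({HTTP_WORM}), 0.30),
    Control("NIDS", "detect", frozenset({HTTP_WORM}), 0.50, needs_prior_knowledge=True),
    Control("HIDS", "detect", frozenset({HTTP_WORM}), 0.60, needs_prior_knowledge=True),
    Control("antivirus", "detect", frozenset({HTTP_WORM}), 0.50, needs_prior_knowledge=True),
    Control("timely patching", "protect", frozenset({HTTP_WORM}), 0.70,
            needs_prior_knowledge=True),
]
FIREWALL_ONLY = SYSTEM[:1]


def report(controls, threat):
    """Human-readable summary for a known and a novel instance of the threat."""
    lines = []
    for novel in (False, True):
        p = neutralization_probability(controls, threat, novel)
        kind = "novel" if novel else "known"
        lines.append(f"{threat} ({kind}): P(neutralized) = {p:.3f}; "
                     f"uncovered techniques: {coverage_gaps(controls, threat, novel)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Single firewall:\n" + report(FIREWALL_ONLY, HTTP_WORM))
    print("Complementary system:\n" + report(SYSTEM, HTTP_WORM))
```

With these assumed figures the full system neutralizes a known worm with probability 0.985 versus 0.30 for the firewall alone, but against a novel worm only the two segmentation controls remain and the figure drops to 0.51, with no detect, deter, recover or transfer coverage at all.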


Business Priorities Must Come First

A university I once worked with decided it was time to allow the student body and faculty wireless access to the campus network. The convenience of access, cost reduction in wiring buildings, and potential productivity increase were the overarching business drivers for the decision. At first blush, however, the security department was reluctant to proceed.

For years, the university did not require students to have accounts to access the network. Rather, authentication was required only when students tried to log in or access certain managed servers and services. Further, as is commonly the case in educational environments, the network was viewed as requiring little policing: a Wild West frontier town where the importance of sharing information usually trumps a security concern if they ever conflict. Moving to wireless raised a bevy of concerns with the security team, as follows:

How to make sure that only students and faculty were given access to the network through wireless and prevent any random person from accessing the network (the existing environment was assumed good enough because it was believed to require physical port access)

How to make sure that anyone with a wireless device couldn't harm an important element of the network or the wireless system integrity

What to do to prevent wireless eavesdropping, especially given the ease with which one can obtain sniffing tools

It is worth noting that in the existing wired environment, little port security had been implemented, and the internal network was rather wide open to sniffing and other attacks that emanated from within the campus network. Clearly, the security team's concern over wireless illustrated how they judged the new technology by a double standard because the existing environment was not being held to the same scrutiny. But regardless of the policy enforcement inconsistency, the Security Operations (SECOPS) team still desired to do its utmost to address the perceived wireless vulnerabilities.

Unraveling the situation a little more, SECOPS discovered there were three major factors to understand in this decision about WLAN deployment (see Figure 1-1). The flow detailed in this figure is discussed in much greater detail in Chapter 2, "Security Policy and Operations Life Cycle."

Business objectives: The university made a business decision to embrace a new access technology.

Security policy: The university had a security policy, and it needed to be applied consistently.

Security design: The design of wireless technology was not a clean fit on the current design framework being used, and hence a strong reluctance to meet the objective was being raised.

Figure 1-1 Business Priorities

Reconciling the business drivers and security concerns is the heart of the axiom, and really all the axiom states is who wins when there is conflict. The decision is actually easy: business priorities must come first. That is absolutely necessary to ensure that businesses can continue to evolve. This includes embracing new technologies, moving operations online, and integrating services more tightly than before.

So, what is a security designer to do? If the requirement is to do what the business dictates at the expense of securing the systems, why even have a security department? Two tricks can make your life easier.

First, realize that the relationship between business objectives, the security policy, and security design is symbiotic. Although it flows from the top down, you must draw lines from the bottom up, too (see Figure 1-1). It is the responsibility of security designers to ensure that security implications and trade-offs are introduced as considerations in business planning. To do this well, it is necessary to link back to the security policy. You must ensure that no double standards are being applied and that all relevant threats have been considered or, at the very least, noted and ignored. Remain clinical and consistent in discussing alternatives and ramifications in meeting new business demands. This will result in more educated decisions being made by senior management. In the sample case, the university embarked on the wireless project. In addition, the university recognized that the security policy was not being applied consistently, and a separate initiative was investigated to review the wired network.

Second, successful security design approaches try to envision and easily allow for the next wave of requirements. You don't want to have to continually revamp systems and architectures as the business needs evolve; rather, leveraging existing technology is more effective. One of the best approaches is to focus on modular designs, which provide a building block approach and isolate portions of the network in case they must be modified. Much of the rest of this book focuses on teaching modular design techniques.


Network Security Promotes Good Network Design

Alt hough it happens far less oft en now , I st ill occasionally sit dow n w it h a cust om er w ho says, " OK, t henet w or k design is done, now w e need t o t hink about secur it y We'r e cer t ain w e need a fir ew all andhave also hear d som et hing about I DS."

Designing secur e net w or ks in t his m anner put s you on a fast t r ack t o a net w or k design in w hich t hesecur it y is t acked on, int er fer es w it h t he per for m ance of t he net w or k, and is view ed by t he r est of t he

I nfor m at ion Technology ( I T) st aff as a necessar y evil and a bur den t o t he oper at ion of t he net w or k.Alt hough it is t r ue t hat secur it y gener ally isn't " fr ee" fr om a net w or k design per spect ive, if you design

it fr om t he beginning, it can achieve a balance w it h t he r est of t he net w or k infr ast r uct ur e This

im pr oves not only t he secur it y of your net w or k but also it s r eliabilit y and scalabilit y

Let 's consider a ver y basic exam ple Suppose you m ust pr ovide connect ivit y bet w een a dat a cent er , a

gr oup of user s, and a r em ot e com pany accessing your net w or k over an ext r anet connect ion Wit hout

t hought t o secur it y, your net w or k design m ight r esem ble t he net w or k show n in Figur e 1- 2

Figu r e 1 - 2 N o Se cu r it y Ex a m ple

Along com es t he infor m at ion secur it y ( I NFOSEC) r epr esent at ive w ho says, " Whoa! What ar e you doingconnect ing t his ot her com pany r ight int o our dat a cent er ? We need som e secur it y her e." So, you w ind

up adding a soft w ar e fir ew all t o t he r out er w it h a ser ies of ACLs t o cont r ol t r affic flow s bet w een t he

r em ot e com pany and t he dat a cent er Wit h t he r out er t aking on t he added bur den of soft w ar e

fir ew alling, it s CPU st ar t s t o incr ease in ut ilizat ion This causes per for m ance degr adat ion not onlybet w een t he r em ot e com pany and t he dat a cent er , but bet w een t he user s and t he dat a cent er as w ell.Her e you see net w or k secur it y not pr om ot ing good net w or k design but r at her im pact ing t he net w or kdesign Even if you fast - for w ar d int o t he fut ur e of w ir e- speed fir ew alls and cr ypt o in ever y device, t heoper at ional com plexit y int r oduced by having dispar at e syst em s connect ed t hr ough t he sam e syst em isnot t r ivial

If you back up and redo the design while thinking about the security risks, you might wind up with a network resembling the one in Figure 1-3.

Figure 1-3 Design with Security

The network shown in Figure 1-3 is a gross oversimplification, of course, but hopefully it gets the point across. In this example, a separate firewall is installed between the remote company and the data center that can provide better controls with less performance impact, simplified operations, and, best of all, it in no way affects the communication between the users and the data center.

When you get further into the book, you will see much more complex examples of secure network designs. As you increase the number of variables from a security and networking standpoint, this problem only amplifies. The easiest way to ensure consistent and predictable security throughout your organization is to think about it right when you are in the design phase of the network as a whole. Unfortunately, if you've inherited an existing network that requires security improvements, this isn't always easy.

When you have a preexisting network that has little or no network security, the most effective way to improve its security is to logically divide the network into functional modules. Then improve each module individually, focusing on the area of greatest weakness. Don't be afraid to undertake a more comprehensive redesign of these smaller areas. Tacking on bits of security here and there to avoid readdressing IP ranges or other burdensome tasks usually creates more work in the long run once you determine that the tacked-on security isn't getting the job done. These topics receive much attention throughout the book.

To sum up, thinking about network security after you've designed the network impacts the network design. Considering security from the beginning promotes good network design. Finally, if you have an existing insecure network design, logically divide it into smaller modules and then improve the security of each area one at a time, starting with your area of greatest weakness.

Everything Is a Target

As a designer of secure networks, one of the first things you must consider is the vast interdependency of today's larger networks. The Internet is the best example, but within each organization there exists a microcosm of the Internet. From an attacker's perspective, these interdependencies allow for the attacker's goals to be met in any number of ways.

As an example, assume an attacker wants to bring down your website. The following list outlines the attacker's options:

- Find an application or OS vulnerability on your system, exploit it to gain root privileges, and then simply take the server offline or modify its content.

- Send your web server some type of directed denial of service (DoS), such as a TCP SYN flood, designed to exhaust resources on the server and cause it to be nonresponsive.

- Send at your Internet connection a DDoS attack designed to consume all available bandwidth and thus prevent legitimate users from accessing the server.

- Send to a router or firewall crafted packets designed to cause these devices to process useless data at the expense of legitimate traffic.

- Compromise your Domain Name System (DNS) server or the DNS server of your Internet service provider (ISP) and change the name record to point to another server hosting bogus content.

- Compromise another server on the same subnet as your web server and launch an Address Resolution Protocol (ARP) spoofing attack that either denies service to all web requests or acts as a man-in-the-middle (MITM) attack that modifies content before it leaves for its intended host.

- Compromise the Ethernet switch providing network connectivity to the server and disable the port.

- Inject or modify routing information with your ISP to cause queries to your IP subnet to be directed to another location.

The list of options that an attacker has goes on and on. In the preceding example, the attacker has several target options, as follows:

- Code security of applications and the operating system

- DoS resilience of applications and the operating system

- Internet bandwidth

- Routers or other Layer 3 (L3) devices

- DNS redirection

- TCP/IP protocol suite

- Layer 2 (L2) devices

- Routing protocols

You could generate a list like this for every network-connected device anywhere in the world: end stations, servers, wireless LAN access points (WLAN APs), routers, operating systems, switches, firewalls, the network medium, applications, load balancers, personal digital assistants (PDAs), cell phones, and so on. Everything is a target.

Many security deployments are overly concerned with protecting servers without spending much energy protecting the rest of the network. Although there is no doubt that Internet-reachable servers (such as the web server example) are one of the highest-profile targets, focusing on protecting only those systems will leave your design lacking in many areas. Which of the following attacks would you consider more damaging to your enterprise?

- Your website is defaced with inappropriate material, and this event makes news headlines around

the security architect, must devise a way to protect every system you have in your organization, whereas an attacker must simply find one where you messed up. As you will see in Chapter 2, having a good security policy can help guide you down the path of worrying about the right things, in the right amounts.

Everything Is a Weapon

One of the biggest reasons everything is a target is because nearly everything can be used as a weapon, and an attacker is motivated to acquire weapons to wield against future targets. So, nearly every successful attack has not only a direct result for the attacker, but an indirect result in that the attacker gains an additional weapon to use against new targets. For example, if an attacker is able to compromise a Dynamic Host Configuration Protocol (DHCP) server, consider the potential next step:

- The attacker could stop the DHCP service after expiring all leases and cause every system that needs a dynamic address to no longer have network connectivity.

- The attacker could use the DHCP server to launch an attack in which the trust that other systems have in the DHCP server is exploited to gain access to additional systems.

- The attacker could leave the DHCP server running but change the DHCP configuration to send malicious DNS server and default gateway information to the client. This malicious data appears valid to the client but redirects DNS queries and off-net traffic through the default gateway to the attacker's IP address, not the real servers and routers. Then all the client's off-net traffic is redirected through the attacker, where it is vulnerable to sniffing and MITM attacks.
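The third scenario is detectable from the network side, because a reconfigured or rogue DHCP server has to put the wrong default gateway (option 3) and DNS server (option 6) values on the wire in its OFFER and ACK replies. The following is an added example, not code from the book, that parses the option field of a DHCP payload and audits each server reply against a baseline of authorized server, gateway and DNS addresses. The baseline values (10.0.0.5, 10.0.0.1, 10.0.0.53) and the sample replies are constructed for the example; the packet layout (236-byte BOOTP header, magic cookie, TLV options) follows RFC 2131/2132.

```python
import ipaddress

# DHCP option codes used below (RFC 2132)
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Constructed baseline: what a correctly configured segment should be handing out.
BASELINE = {
    "servers": {"10.0.0.5"},   # authorized DHCP server identifiers
    "routers": {"10.0.0.1"},   # expected default gateway(s)
    "dns": {"10.0.0.53"},      # expected DNS server(s)
}


def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_bytes} from a DHCP payload (BOOTP header + cookie + TLVs)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:      # refuse to read past the end of the packet
            raise ValueError("truncated option data")
        opts[code] = data
        i += 2 + length
    return opts


def ip_list(data: bytes) -> list:
    """Decode an option carrying one or more IPv4 addresses."""
    if len(data) % 4:
        raise ValueError("address option length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]


def build_reply(server_id, router, dns, yiaddr, msg_type=2) -> bytes:
    """Construct a minimal DHCP server reply for testing (sample data, not captured traffic)."""
    header = bytearray(236)
    header[0], header[1], header[2] = 2, 1, 6            # op=BOOTREPLY, htype=Ethernet, hlen=6
    header[16:20] = ipaddress.IPv4Address(yiaddr).packed  # yiaddr: address offered to client
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    dns_packed = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    opts += bytes([OPT_DNS, len(dns_packed)]) + dns_packed
    return bytes(header) + MAGIC_COOKIE + opts + bytes([OPT_END])


def audit_reply(payload: bytes, baseline: dict) -> list:
    """Compare a DHCP server reply with the baseline; an empty list means nothing unexpected."""
    opts = parse_options(payload)
    mtype = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if mtype not in (2, 5):   # only OFFER/ACK carry gateway and DNS values to clients
        return []
    kind = MSG_TYPES[mtype]
    findings = []
    server = ip_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    if server not in baseline["servers"]:
        findings.append(f"{kind} from unauthorized DHCP server {server}")
    for gw in ip_list(opts.get(OPT_ROUTER, b"")):
        if gw not in baseline["routers"]:
            findings.append(f"{kind} advertises unexpected default gateway {gw}")
    for ns in ip_list(opts.get(OPT_DNS, b"")):
        if ns not in baseline["dns"]:
            findings.append(f"{kind} advertises unexpected DNS server {ns}")
    return findings


if __name__ == "__main__":
    samples = {
        "legitimate server, correct config": build_reply("10.0.0.5", "10.0.0.1", ["10.0.0.53"], "10.0.0.77"),
        "legitimate server, altered config": build_reply("10.0.0.5", "10.0.0.200", ["10.0.0.200"], "10.0.0.78", msg_type=5),
        "unauthorized server":               build_reply("10.0.0.99", "10.0.0.1", ["10.0.0.53"], "10.0.0.79"),
    }
    for name, pkt in samples.items():
        print(name, "->", audit_reply(pkt, BASELINE) or ["ok"])
```

The second sample is the case the passage describes: the server identifier is still the legitimate one, so an allow-list of server addresses alone would pass it; only comparing the gateway and DNS options against the baseline catches it. In practice the payloads would come from a capture on the client segment or from DHCP snooping logs, and the baseline from the switch or DHCP server configuration.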

In all but the first and easiest attack example, the attacker utilizes the DHCP server as a means to attack other systems. Since nearly all of the most devastating break-ins require several steps on the part of the attacker, the notion of using your own systems as weapons against you is critical for the attacker's success. If your organization is the target of a directed attack from resourceful, dedicated attackers, which of the following attack scenarios is easier to successfully complete for the attacker?

- Penetrate through the corporate firewall where your company might have IDS deployed and resources monitoring for malicious activity.

- War dial (dial all phone numbers in a range searching for modems) in an attempt to find an internal system accessible by modem with a weak password. Even though you might have a policy against insecure modems in your network, it doesn't mean everyone has read and understands the policy. It also doesn't guarantee that an inadvertent error wasn't made. Once connected to that internal system, the attacker can use the victim as a "jump host" from which to attack more critical areas of the network.

The war-dialing example is far more likely to yield a good result for the attacker. If you put yourself in the attacker's place and assume the attacker has some knowledge of your environment, you often find that the things you must protect and the ways in which you must protect them are very different than the countermeasures you currently have deployed.

Although our first two examples center on an attacker using your existing systems as weapons, this will not always be the case. Attackers could introduce devices into your network as a means to further their goals. Consider the following attack sequence in which an attacker introduces an insecure WLAN network to a location without any WLAN connectivity:

1. Attacker purchases low-cost WLAN AP from the local electronics retailer.

2. Attacker dresses in a manner similar to other workers at your company ("business casual" dress makes this even easier).

3. Attacker "tailgates" a legitimate employee and gains physical access to your building.

4.
