Network Security Fundamentals [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Network Security Fundamentals [Electronic resources] - نسخه متنی

Gert De Laet, Gert Schauwers

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Acknowledgments

Icons Used in This Book

Command Syntax Conventions

Foreword

Introduction

Part I. Introduction

Chapter 1. Network Security Overview

Defining Trust

Weaknesses and Vulnerabilities

Responsibilities for Network Security

Security Objectives

Conclusion

Q&A

Chapter 2. Understanding VulnerabilitiesThe Need for Security

Risk and Vulnerability

TCP/IP Suite Weaknesses

Buffer Overflows

Spoofing Techniques

Social Engineering

Conclusion

Q&A

Chapter 3. Understanding Defenses

Digital IDs

Intrusion Detection System

PC CardBased Solutions

Physical Security

Encrypted Login

Firewalls

Reusable Passwords

Antivirus Software

Encrypted Files

Biometrics

Conclusion

Q&A

Part II. Building Blocks

Chapter 4. Cryptography

Cryptography versus Cryptanalysis

Modern-Day Techniques

Conclusion

Q&A

Chapter 5. Security Policies

Defining a Security Policy?

Importance of a Security Policy

Development Process

Incident Handling Process

Security Wheel

Sample Security Policy

Conclusion

Q&A

Chapter 6. Secure Design

Network DesignPrinciples

Network DesignMethodology

Return on Investment

Physical Security Issues

Switches and Hubs

Conclusion

Q&A

Part III. Tools and Techniques

Chapter 7. Web Security

Hardening

Case Study

Conclusion

Q&A

Chapter 8. Router Security

Basic Router Security

Router Security to Protect the Network

CBAC

Case Study

Conclusion

Q&A

References in This Chapter

Chapter 9. Firewalls

Firewall Basics

Different Types of Firewalls

Enhancements for Firewalls

Case Study: Placing Filtering Routers and Firewalls

Summary

Q&A

Chapter 10. Intrusion Detection System Concepts

Introduction to Intrusion Detection

Host-Based IDSs

Network-Based IDSs

IDS Management CommunicationsMonitoring the Network

Sensor Maintenance

Case Study: Deployment of IDS Sensors in the Organization and Their Typical Placement

Conclusion

Q&A

Chapter 11. Remote Access

AAA Model

AAA Servers

Lock-and-Key Feature

Two-Factor Identification

Case Study: Configuring Secure Remote Access

Summary

Q&A

Chapter 12. Virtual Private Networks

Generic Routing Encapsulation Tunnels

IP Security

VPNs with IPSec

Case Study: Remote Access VPN

Conclusion

Q&A

Chapter 13. Public Key Infrastructure

Public Key Distribution

Trusted Third Party

PKI Topology

Enrollment Procedure

Revocation Procedure

Case Study: Creating Your Own CA

Conclusion

Q&A

Chapter 14. Wireless Security

Different WLAN Configurations

What Is a WLAN?

How Wireless Works

Risks of Open Wireless Ports

War-Driving and War-Chalking

SAFE WLAN Design Techniques and Considerations

Case Study: Adding Wireless Solutions to a Secure Network

Conclusion

Q&A

Chapter 15. Logging and Auditing

Logging

SYSLOG

Simple Network Management Protocol

Remote Monitoring

Service Assurance Agent

Case Study

Conclusion

Q&A

Part IV. Appendixes

Appendix A. SAFE Blueprint

Introduction to the SAFE Blueprint

SAFE Blueprint: Overview of the Architecture

Summary

References in This Appendix

Appendix B. SANS Policies

SANS Overview

SANS Initiatives and Programs

Security Policy Project

Is It a Policy, a Standard, or a Guideline?

References in This Appendix

Appendix C. NSA Guidelines

Security Guides

References in This Appendix

Appendix D. Answers to Chapter Q&A

Chapter 1 Q&A

Chapter 2 Q&A

Chapter 3 Q&A

Chapter 4 Q&A

Chapter 5 Q&A

Chapter 6 Q&A

Chapter 7 Q&A

Chapter 8 Q&A

Chapter 9 Q&A

Chapter 10 Q&A

Chapter 11 Q&A

Chapter 12 Q&A

Chapter 13 Q&A

Chapter 14 Q&A

Chapter 15 Q&A

Bibliography

Books

Website References

Index
توضیحات
افزودن یادداشت جدید

Lock-and-Key Feature


The lock-and-key feature uses dynamic access lists to create specific temporary openings in the network in response to a user authentication success. Chapter 8, "Router Security," briefly discusses the usage of a dynamic access list; this chapter contains more detail.

Lock-and-key is a traffic-filtering security feature that dynamically filters IP protocol traffic to grant access per user to a specific source/destination host. Lock-and-key is configured using IP dynamic extended access lists. It is the dynamic functionality that makes this feature so interesting. Access lists are typically created and maintained by manually defining the lists and then distributing or deploying them to all other devices in the network. This feature can be used in conjunction with other standard access lists and static extended access lists. It is recommended to use the lock-and-key feature in combination with a AAA server (either TACACS+ or RADIUS) to provide authentication, authorization, and accounting services. Although the lock-and-key is server independent, it is ideally designed for the TACACS+ server. TACACS+ has three components to provide authentication, authorization, and accounting services: protocol support within access servers and routers, protocol specification, and a centralized security database.

The following example, which includes Figures 11-7 and 11-8 as well as sample configurations, demonstrates the advantages of having the TACACS+ server in combination with the lock-and-key feature.

Figure 11-7. Dynamic Access List

[View full size image]

Figure 11-8. User Definitions on TACACS+ Server

[View full size image]

Figure 11-7 displays the scenario for a remote user trying to use FTP to access a corporate fileserver (FileServer1) with the IP address 144.2.2.2.

Using this lock-and-key feature to log in to systems is easy. In Figure 11-7, a remote worker (sales manager) needs to upload weekly sales data onto an FTP server. The network administrator has set up Router1 as the lock-and-key router. Therefore, the sales manager is required to log in to Router1 to connect to the corporate network. When a user logs in from the PC (140.6.6.6), the lock-and-key challenges the user for a preconfigured test such as username and password. This username/password pair is defined in the database of the TACACS+ server. Figure 11-8 illustrates the user settings for sales manager Gert on the TACACS+ server.

When the user responds, the login information is checked against the data stored in the TACACS+ database, which is set up and maintained by the network system administrator. Finally, a connection is dynamically made that allows data to be securely transmitted from the sales manager's PC to FileServer1. All these steps are explained and clarified using configuration examples and some

show commands.

To force the users to create a dynamic access list, the network administrator sets up Router1 in such a way that users logging in are prompted to authenticate with the TACACS+ server automatically. Therefore, the following configuration is required under vty 0 4 line:


line vty 0 4 
login local 
autocommand access-enable host timeout 10

Then you can define an extended access list that is applied when a user (any user) logs in to the router and the

access-enable command is issued. The name "salesmanagers" is used as a reference for the access list. 


access-list 101 dynamic salesmanagers permit ip any any

A second access list needs to block everything except the ability to use FTP to access FileServer1.


access-list 101 permit tcp any host 144.2.2.2 eq ftp

After applying the access list to the interface on which users are coming in, the lock-and-key feature is activated.


interface FastEthernet0/0 
ip access-group 101 in

If users now use Telnet to access the router, they must provide their usernames and passwords to open the hole:


C:\>
telnet 142.2.65.6 
Trying 142.2.65.6 ... Open
User Access Verification
Username: Gert
Password:
[Connection to 142.2.65.6 closed by foreign host]
C:\>

When you use the

show access-lists command, the access list looks like this before any user has used Telnet to reach the router:


Router1#
show access-lists 
Extended IP access list 101
Dynamic salesmanagers permit ip any any
permit tcp any host 144.2.2.2 eq ftp
Router1#

Now take a look at the access list again after the user Gert used Telnet to reach Router1 from 140.6.6.6:


Router1#
show access-list 
Extended IP access list 101
Dynamic salesmanagers permit ip any any
permit ip host 144.2.2.2 any (4 matches) (time left 586)
permit tcp any host 144.2.2.2 eq ftp (40 matches)
Router1#

A hole has been created in the access list, and users should now be able to have complete IP access to any destination IP address from their source address. In this case, the hole is created for accessing FileServer1 with IP address 144.2.2.2.

The temporary entry is removed after a specified idle timeout or absolute timeout period configured by the system manager. Depending on the template defined by the network administrator, the new lock-and-key access lists can be configured to authenticate a single user or multiple users and devices on a remote LAN.

/ 196