Hardening Network Infrastructure

Wesley J. Noonan

McGraw-Hill /Osborne

New York Chicago San Francisco
Lisbon London Madrid Mexico City Milan
New Delhi San Juan Seoul Singapore Sydney Toronto

McGraw-Hill /Osborne
2100 Powell Street, 10th Floor
Emeryville, California 94608
U.S.A.

To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact McGraw-Hill /Osborne at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.

Copyright 2004 by The McGraw-Hill Companies, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1234567890 CUS CUS 01987654
ISBN 0-07-225502-1

Publisher
Brandon A. Nordin

Vice President & Associate Publisher
Scott Rogers

Acquisitions Editor
Tracy Dunkelberger

Project Editor
Mark Karmendy

Acquisitions Coordinator
Athena Honore

Technical Editor
Eric Seagren

Copy Editors
Bart Reed, Lisa Theobald,
Mark Karmendy

Proofreaders
Linda and Paul Medoff

Indexer
Jack Lewis

Composition
Kelly Stanton-Scott, John Patrus

Illustrators
Kathleen Edwards, Melinda Lytle

Cover Series Design
Theresa Havener

Series Design
Kelly Stanton-Scott, Peter F. Hancik

This book was composed with Corel VENTURA ¢ Publisher.

Information has been obtained by McGraw-Hill /Osborne from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill /Osborne, or others, McGraw-Hill /Osborne does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from use of such information.

To my wife Norma for her support.

To my dogs Loki and Odin for keeping me companyon those long days and nights of writing.

To Dwaine for being a father, even though he didn t need to be.

About the Author

Wesley J. Noonan (Houston, Texas) has been working in the computer industry for over 11 years , specializing in Windows-based networks and network infrastructure design and implementation. He is a Senior Network Consultant for Collective Technologies, LLC (www.colltech.com) a company that specializes in storage, server and network design, architecture, implementation, and security. Wes got his start in the United States Marine Corps working on its Banyan VINES network, and has since worked on building and designing secure networks ranging in size from 25 to 25,000 users. Most recently Wes has been working on designing and implementing a 100-location secure VPN internetwork, implementing a global secure Citrix installation, and performing numerous security audits and security design consultations for Collective Technologies, LLC customers. Wes previously worked in R&D for BMC Software, Inc., on their PATROL management solutions, architecting and testing their network and application management products. Previous engagements have included designing a secure network infrastructure for a company that provided 24/7 in-flight airplane status and information, as well as working with a number of Houston-based finance and petrochemical companies in the design and implementation of their security and network infrastructure solutions. Wes is also an active trainer, developing and teaching his own custom, Cisco-based routing and switching curriculum. He has spoken at a number of technical conferences and user groups, including MCTCON2002 and the Associate of IT Professionals “Houston, on the subject of network security and methods to secure a corporate network infrastructure from exploits and intruders. He is an active participant on the SecurityFocus and Firewall-Wizards mailing lists. His certifications include MCSE, CCNA, CCDA, NNCSS, and Security+, of which he was a subject matter expert. This is the second book that Wes has written, previously authoring a chapter on network security and design for The CISSP Training Guide by QUE Publishing. Wes is fortunate in the sense that he manages to get paid for what he considers a hobby and continues to be entertained by all aspects of network design and security.

About the Series Editor

Roberta Bragg (Grain Valley, MO), CISSP, MCSE:Security, MVP, Security+, ETI-Client Server, Certified Technical Trainer, IBM Certified Trainer, DB2-UDB, Citrix Certified Administrator, has been a Security Advisor columnist for MCP magazine for six years, is a Security Expert for searchWin2000.com, and writes for the Security

Watch newsletter, which has over 55,000 subscribers. Roberta designed, planned, produced, and participated in the first Windows Security Summit, held in Seattle, WA in 2002. Roberta is the author and presenter of the Windows Security Academy, a three-day hands-on secure network-building workshop. She has taught for SANS and MIS. She was selected by Microsoft to present the IT Professional advanced track for their 2004 Security Summits. Roberta is a Security Evangelist, traveling all over the world consulting, assessing, and training in network and Windows security issues. She is featured in the Cool Careers for Girls book series by Ceel Pasternak and Linda Thornburg. Roberta has served as adjunct faculty member at Seattle Pacific University and the Johnson County Community College, teaching courses on Windows 2000 Security Design and Network Security Design. Roberta is the author of MCSE Self-Paced Training Kit (Exam 70-298): Designing Security for a Microsoft Windows Server 2003 Network. Roberta is the lead author of McGraw-Hill/Osborne s Network Security: The Complete Reference . She has written on SQL Server 2000, CISSP, and Windows Security for QUE and New Riders.

About the Technical Reviewer

Eric S. Seagren (Missouri City, TX), CISSP, SCNP, CCNA, CNE, MCP+i, MCSE, has eight years of experience in the computer industry, with the last five years spent in the financial industry for a Fortune 100 company. Eric s computer career began running cables and performing general network and server troubleshooting for a small Houston-based company. His experience in the financial industry has involved Novell and Microsoft server administration, disaster recovery responsibilities, and Y2K remediation efforts. He has spent the last couple of years as an IT Architect, designing secure, scalable, and redundant networks, including extensive DMZ design, and evaluating and auditing the security of various network designs and products including routers, switches, firewalls, and intrusion detection and prevention systems.

Acknowledgments

This book would not have been possible without the help and assistance of numerous people. First, thank you Roberta for providing me this opportunity. Second, I have to thank the editors who took the words I wrote and invariably made them sound so much better. Tracy, Athena, Mark, Bart, and Lisa, thank you all. I also could not have done this without the assistance of my technical editor, Eric Seagren, for collaborating with me far more than he was required to and taking the cheesy Visio diagrams I created and making them look sharp. This book would also not have been possible without the assistance of numerous vendors and technical contributors who provided me access to hardware, software, documentation, resources, and good old-fashioned advice: MaryEtta Morris for her assistance with obtaining Cisco wireless equipment; Anne Camden, Public Relations Manager for Dell portable and wireless products for her assistance with obtaining Dell wireless products; Roger Billings of Nortel Networks for going above and beyond the call in getting me access to Nortel Equipment (Roger, other vendors could learn from you about customer service); and Ben Thomas of Cisco Systems, Inc., for getting me access to Cisco IDS technologies. Thank you also to Chuck Cook for getting me started so many years ago, being one of my mentors, and for giving me free reign in his lab during this endeavor.