Summary


Authentication represents one of the basic foundations of defense in depth and should be deployed in every network infrastructure. You should follow a few basic best practices to keep your network secure, including the following:

  • Don't allow privileged access to the outside interface of your security appliance.

  • Use hard-to-guess usernames and passwords.

  • Do not use cleartext protocols such as HTTP and Telnet for device management.

  • Use ASDM or SSH for ASA/PIX Security Appliance management. Both fully encrypt the data as well as the authentication credentials.

  • Check your logs frequently to make sure that no unauthorized access is occurring.

  • Consider AAA to add value in logging and authentication flexibility.

In addition to device management authentication, you can deploy authentication for the following web services:

  • HTTP

  • HTTPS

  • FTP

  • Telnet

Authenticating services enables you to grant only certain users access to the services listed here. You can also use outbound authentication for the same services.

Besides merely blocking access to certain websites or classes of websites, URL blocking can be effective at stopping malware from installing itself on the PCs behind your security appliance. It can mitigate the following web- and browser-based problems:

  • Spyware

  • Pop-up advertisements

  • Trojan downloads

  • Web viruses

  • Downloading of dangerous software

You have now deployed authentication, the first layer of defense in depth. Chapter 8, "Deploying Perimeter Protection," covers locking down the perimeter of your network, adding protection against denial-of-service attacks, and filtering your traffic.

The remaining steps to fully deploy defense in depth in your network are covered in the following chapters:

  • Chapter 8, "Deploying Perimeter Protection"

  • Chapter 9, "Deploying Network Intrusion Prevention"

  • Chapter 10, "Deploying Host Intrusion Prevention"

  • Chapter 11, "Deploying VPNs"



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
