Besides securing the authentication event, why is Hypertext Transfer Protocol Secure (HTTPS) much more secure than HTTP?
Even if HTTP had encrypted passwords, the authentication event for HTTP occurs at the beginning of the session, and further authentication occurs only through the network and transport layer functions (IP, sequence, and port numbers). This means that any device capable of successfully spoofing that information can act as though it is the originator of the session. Because HTTPS uses SSL, an encrypted tunnel is built, and each packet is authenticated to ensure that it came from the originator of the session. This is part of the reason 802.1x has issues. The authentication event can be ridiculously strong, but if ongoing authentication is limited to validating a MAC address, you haven't gained very much.
Can network layer authentication be leveraged as a replacement for authenticating a particular application?
Not yet. In a future that includes ubiquitous strong authentication, integrity, and encryption for all network connections, I can see this information being leveraged as an alternative to reauthenticating the client. The unknown variable for me is how such systems will ensure that the user who originally authenticated is the one who is sitting at the computer. Some sort of proximity system will need to be employed for this to be effective.
Which kinds of physical security provide the most benefit if the goal is to reduce the requirements on an authentication system when inside the corporate perimeter?
You can refer to Chapter 6 for more information on this. The biggest thing besides good locks and the basics is a way to avoid tailgaters. If unknown persons are easily able to walk in behind an authorized user, your physical security isn't very strong. Unfortunately, the easiest way to prevent this kind of access is by having only a limited number of access points in the building (easy) and turnstiles/security guards at these points (hard).
When should you deploy a separate AAA server for administrative access versus your general user repository?
Often this is based on the size of the organization. I tend to prefer a separate server whenever financially viable because it makes it much easier to manage user rights. The administrative server (often TACACS+ in Cisco environments) has its own local user repository and can maintain separate passwords to make it clear to IT admins when they are exercising their admin rights rather than their general user rights. Also, the specific AAA extensions used for administrative access often require special configuration that might entail more complexity than you want on your production systems.
Part I. Network Security Foundations
Network Security Axioms
Security Policy and Operations Life Cycle
Secure Networking Threats
Network Security Technologies
Part II. Designing Secure Networks
General Design Considerations
Network Security Platform Options and Best Deployment Practices
Common Application Design Considerations
Identity Design Considerations
IPsec VPN Design Considerations
Supporting-Technology Design Considerations
Designing Your Security System
Part III. Secure Network Designs
Edge Security Design
Campus Security Design
Teleworker Security Design
Part IV. Network Management, Case Studies, and Conclusions
Secure Network Management and Network Security Management
Appendix A. Glossary of Terms
Appendix B. Answers to Applied Knowledge Questions
Appendix C. Sample Security Policies
INFOSEC Acceptable Use Policy
Guidelines on Antivirus Process