In the transparent cache deployment, WCCP is generally used to redirect web queries from a router to the cache. Assuming the cache is on a dedicated router interface and is properly filtered with ACLs, what is the most likely way a determined attacker could try to compromise the cache?


Since the cache is partitioned from the rest of the network by using proper filtering, the easiest method the attacker has is to compromise the router through its own management channels. The same technique could be used on the cache because, even with restrictive filtering, you need some way to manage the device.


Considering the techniques used to load balance security devices in this chapter, are there any unique considerations when attempting to load balance IPsec devices?


The keying material is the biggest issue. If you are going to load balance IPsec devices using dedicated LB devices as discussed in this chapter, ensuring that the devices appear as a single entity to the outside world is very difficult without transferring private key material to each of the devices (which is itself a security risk). A better alternative is to consider the HA/LB options discussed in Chapter 10, "IPsec VPN Design Considerations," that are specific to IPsec.


In a teleworker environment, are there any unique security considerations for WLANs?


If you have a VPN hardware device deployed at a teleworker location, the IPsec encryption starts at this device. This means that if you have an insecure WLAN device behind the VPN, outsiders can access your corporate network or, at the very least, sniff the traffic teleworkers send to and receive from your network.


Why are some of the 802.1x concerns discussed in Chapter 9 lessened in a WLAN environment?


For WLAN security, you are using 802.1x to provision a session key that will be used to encrypt all communications from the host to the AP. This is different than 802.1x in a LAN environment where, once authenticated, only the MAC address of the station is checked with no per-frame encryption enabled. The 802.1x flaws still apply, so be sure to examine closely the security option you select to ensure there is a mechanism to mitigate these issues.


Are there any security considerations for using IPsec and IPT together?


The main one is the added latency introduced by IPsec. By using IPT, you have a delay tolerance beyond which phone conversations become difficult. Different IPsec deployments add differing amounts of latency, so be sure to examine this in the testing phase of your security system.

Part I. Network Security Foundations

Network Security Axioms

Security Policy and Operations Life Cycle

Secure Networking Threats

Network Security Technologies

Part II. Designing Secure Networks

Device Hardening

General Design Considerations

Network Security Platform Options and Best Deployment Practices

Common Application Design Considerations

Identity Design Considerations

IPsec VPN Design Considerations

Supporting-Technology Design Considerations

Designing Your Security System

Part III. Secure Network Designs

Edge Security Design

Campus Security Design

Teleworker Security Design

Part IV. Network Management, Case Studies, and Conclusions

Secure Network Management and Network Security Management

Case Studies



Appendix A. Glossary of Terms

Appendix B. Answers to Applied Knowledge Questions

Appendix C. Sample Security Policies

INFOSEC Acceptable Use Policy

Password Policy

Guidelines on Antivirus Process


Network Security Architectures
Network Security Architectures
ISBN: 158705115X
EAN: 2147483647
Year: 2006
Pages: 249
Authors: Sean Convery

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net