In the transparent cache deployment, WCCP is generally used to redirect web queries from a router to the cache. Assuming the cache is on a dedicated router interface and is properly filtered with ACLs, what is the most likely way a determined attacker could try to compromise the cache?
Since the cache is partitioned from the rest of the network by using proper filtering, the easiest method the attacker has is to compromise the router through its own management channels. The same technique could be used on the cache because, even with restrictive filtering, you need some way to manage the device.
Considering the techniques used to load balance security devices in this chapter, are there any unique considerations when attempting to load balance IPsec devices?
The keying material is the biggest issue. If you are going to load balance IPsec devices using dedicated LB devices as discussed in this chapter, ensuring that the devices appear as a single entity to the outside world is very difficult without transferring private key material to each of the devices (which is itself a security risk). A better alternative is to consider the HA/LB options discussed in Chapter 10, "IPsec VPN Design Considerations," that are specific to IPsec.
In a teleworker environment, are there any unique security considerations for WLANs?
If you have a VPN hardware device deployed at a teleworker location, the IPsec encryption starts at this device. This means that if you have an insecure WLAN device behind the VPN, outsiders can access your corporate network or, at the very least, sniff the traffic teleworkers send to and receive from your network.
Why are some of the 802.1x concerns discussed in Chapter 9 lessened in a WLAN environment?
For WLAN security, you are using 802.1x to provision a session key that will be used to encrypt all communications from the host to the AP. This is different than 802.1x in a LAN environment where, once authenticated, only the MAC address of the station is checked with no per-frame encryption enabled. The 802.1x flaws still apply, so be sure to examine closely the security option you select to ensure there is a mechanism to mitigate these issues.
Are there any security considerations for using IPsec and IPT together?
The main one is the added latency introduced by IPsec. By using IPT, you have a delay tolerance beyond which phone conversations become difficult. Different IPsec deployments add differing amounts of latency, so be sure to examine this in the testing phase of your security system.
Part I. Network Security Foundations
Network Security Axioms
Security Policy and Operations Life Cycle
Secure Networking Threats
Network Security Technologies
Part II. Designing Secure Networks
General Design Considerations
Network Security Platform Options and Best Deployment Practices
Common Application Design Considerations
Identity Design Considerations
IPsec VPN Design Considerations
Supporting-Technology Design Considerations
Designing Your Security System
Part III. Secure Network Designs
Edge Security Design
Campus Security Design
Teleworker Security Design
Part IV. Network Management, Case Studies, and Conclusions
Secure Network Management and Network Security Management
Appendix A. Glossary of Terms
Appendix B. Answers to Applied Knowledge Questions
Appendix C. Sample Security Policies
INFOSEC Acceptable Use Policy
Guidelines on Antivirus Process