As a designer of secure networks, one of the first things you must consider is the vast interdependency of today's larger networks. The Internet is the best example, but within each organization there exists a microcosm of the Internet. From an attacker's perspective, these interdependencies allow for the attacker's goals to be met in any number of ways.
As an example, assume an attacker wants to bring down your website. The following list outlines the attacker's options:
The list of options that an attacker has goes on and on. In the preceding example, the attacker has several target options, as follows:
You could generate a list like this for every network-connected device anywhere in the world: end stations, servers, wireless LAN access points (WLAN APs), routers, operating systems, switches, firewalls, the network medium, applications, load balancers, personal digital assistants (PDAs), cell phones, and so on. Everything is a target.
Many security deployments are overly concerned with protecting servers without spending much energy protecting the rest of the network. Although there is no doubt that Internet-reachable servers (such as the web server example) are one of the highest-profile targets, focusing on protecting only those systems will leave your design lacking in many areas. Which of the following attacks would you consider more damaging to your enterprise?
Number 2 clearly has the biggest impact on the organization. In addition, worrying mostly about your servers implies that that's where most of the good stuff is. With today's mobile workforce, portable computers can contain critical organization information, just like a server can. In addition, portable computers are generally much easier for an attacker to compromise. When you stop to consider the different ways in which an attacker can gain access to your network, it can be very daunting. You, as the security architect, must devise a way to protect every system you have in your organization, whereas an attacker must simply find one where you messed up. As you will see in Chapter 2, having a good security policy can help guide you down the path of worrying about the right things, in the right amounts.
Part I. Network Security Foundations
Network Security Axioms
Security Policy and Operations Life Cycle
Secure Networking Threats
Network Security Technologies
Part II. Designing Secure Networks
Device Hardening
General Design Considerations
Network Security Platform Options and Best Deployment Practices
Common Application Design Considerations
Identity Design Considerations
IPsec VPN Design Considerations
Supporting-Technology Design Considerations
Designing Your Security System
Part III. Secure Network Designs
Edge Security Design
Campus Security Design
Teleworker Security Design
Part IV. Network Management, Case Studies, and Conclusions
Secure Network Management and Network Security Management
Case Studies
Conclusions
References
Appendix A. Glossary of Terms
Appendix B. Answers to Applied Knowledge Questions
Appendix C. Sample Security Policies
INFOSEC Acceptable Use Policy
Password Policy
Guidelines on Antivirus Process
Index