Title:
The concise guide to enterprise internetworking and security
Personal Author:
Publication Information:
Indianapolis, IN : Pearson Education, 2001
ISBN:
9780789724205
Added Author:
Available:
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
---|---|---|---|---|---|
 | 30000010047338 | TK5105 C37 2001 | Open Access Book | Book | |
On Order
Summary
An internetwork is a collection of individual networks, connected by networking devices, that functions as a single large network. This text considers the demands placed on the network infrastructure and changes in software.
Table of Contents
Introduction | p. 1 |
About Security | p. 1 |
Layout of This Book | p. 2 |
Where to Go for More Information | p. 3 |
1 TCP/IP and Related Protocols | p. 5 |
How Data Travels Across Networks | p. 5 |
The Monolithic Versus Layered Method of Application Design | p. 6 |
The OSI Model | p. 6 |
The Physical Layer | p. 7 |
The Data Link Layer | p. 7 |
The Network Layer | p. 7 |
The Transport Layer | p. 7 |
The Session Layer | p. 7 |
The Presentation Layer | p. 8 |
The Application Layer | p. 8 |
TCP/IP and the Internet Layer Model | p. 8 |
Mapping TCP/IP to the OSI Model | p. 9 |
The Basics of Layer 2 | p. 10 |
Address Resolution Protocol | p. 11 |
Connection Versus Connectionless Communication | p. 11 |
TCP/IP | p. 12 |
Making TCP Connections | p. 13 |
IP Addressing | p. 13 |
IP Address Classes | p. 14 |
Routing | p. 15 |
User Datagram Protocol | p. 18 |
IP Packet Headers | p. 19 |
Telnet | p. 21 |
HTTP | p. 21 |
SMTP | p. 21 |
FTP | p. 22 |
DNS | p. 22 |
Internet Control Message Protocol (ICMP) | p. 23 |
Ping | p. 24 |
Internet Protocol Version 6 (IPv6) and ICMPv6 | p. 25 |
2 Understanding WAN Bandwidth Delivery | p. 29 |
Introduction to Bandwidth Delivery: How the Computer Crashed into the Telephone | p. 29 |
Packet Switched Versus Circuit Switched Networks | p. 31 |
The Telco Engineers Versus the Network Engineers | p. 32 |
Analog Modems | p. 32 |
Hierarchy of Dedicated Digital Services | p. 33 |
Physical Properties | p. 33 |
Signal Encoding | p. 33 |
DS0: The One True Standard | p. 35 |
DS1: the Ever Popular T1 | p. 35 |
The T1 Frame | p. 37 |
Fractional T1 | p. 38 |
T3 | p. 38 |
Fractional T3 | p. 39 |
SONET | p. 39 |
ISDN | p. 42 |
Basic Rate Interface (BRI) | p. 43 |
Primary Rate Interface (PRI) | p. 44 |
ISDN Layer 1--Physical | p. 45 |
ISDN Layer 2--Data Link | p. 46 |
ISDN Layer 3--Network | p. 48 |
Digital Subscriber Line (XDSL, aDSL, sDSL) | p. 49 |
ADSL | p. 50 |
R-ADSL | p. 50 |
HDSL | p. 50 |
IDSL | p. 51 |
VDSL | p. 51 |
SDSL | p. 51 |
Splitterless DSL or DSL-Lite | p. 51 |
Loading Coils | p. 53 |
Cable Modems | p. 53 |
Shared Network Technologies | p. 54 |
More on Sharing | p. 55 |
Frame Relay | p. 55 |
Circuit Switched Versus Packet Switched | p. 56 |
Advantages of Frame Relay | p. 56 |
Components of Frame Relay | p. 57 |
Congestion and Delay | p. 60 |
Asynchronous Transfer Mode (ATM) | p. 61 |
It's All About Timing | p. 62 |
Mitosis | p. 62 |
Why 53 Octets? | p. 64 |
ATM OSI Layers | p. 64 |
ATM Adaptation Layers | p. 65 |
Guaranteed Service Levels | p. 65 |
Wireless | p. 66 |
Hardware Requirements for Different Networks | p. 67 |
3 Security Concepts | p. 69 |
Who Is Threatening Your Data? | p. 69 |
Common Types of Attacks | p. 69 |
Web Defacement | p. 70 |
Unsolicited Commercial Email (UCE or Spam) | p. 70 |
Spoofing | p. 70 |
Denial of Service (DoS) | p. 71 |
Important Security Terminology | p. 73 |
Authentication | p. 74 |
Authorization | p. 74 |
Integrity | p. 74 |
Encryption | p. 75 |
Of Public Keys and Private Washrooms | p. 75 |
X.509 Certificates | p. 76 |
Pretty Good Privacy (PGP) Keys | p. 77 |
Public Key Infrastructure (PKI) | p. 78 |
Security Hardware | p. 78 |
Token-Based Cards | p. 78 |
Smart Cards | p. 79 |
Security Through Obscurity | p. 79 |
World View Versus Internal View | p. 79 |
Different Layers of Security | p. 80 |
No Security | p. 80 |
Hardened Security | p. 80 |
Firewalls | p. 81 |
Demilitarized Zone | p. 82 |
Intrusion Detection Systems | p. 82 |
Different Kinds of Access Control | p. 83 |
Packet Screening | p. 83 |
Circuit Proxies | p. 83 |
Application Gateways | p. 84 |
Stateful Inspection | p. 84 |
Network Address Translation | p. 84 |
4 Defining Connection Requirements | p. 87 |
Getting an Idea of What Your Users Need | p. 87 |
Internet Applications Provided to the Internet | p. 89 |
Sizing Your Internet Connection | p. 92 |
Buying the Skills | p. 92 |
Hiring the Skills | p. 93 |
Earning the Skills | p. 93 |
Bandwidth Doesn't Always Mean Performance | p. 95 |
Criticality of Internet Connection | p. 96 |
Hosting All Servers On-Site | p. 96 |
Critical Outbound Access, No Critical On-Site Servers | p. 97 |
Bandwidth-on-Demand: Out of Speed | p. 97 |
Additional Services | p. 97 |
Virtual Private Networks | p. 98 |
Remote Access | p. 98 |
Multimedia, Multicasting, and the MBONE | p. 98 |
Security | p. 98 |
Cost | p. 99 |
Customer Premises Equipment | p. 99 |
Firewalls and Servers | p. 100 |
Where to Cut Corners | p. 100 |
Reiteration Is Your Constant Companion | p. 102 |
Connection Requirements Checklist | p. 102 |
5 Choosing an ISP | p. 105 |
Selecting the Right ISP Is a Critical Decision | p. 105 |
NSP or ISP? | p. 106 |
Network Access Point (NAP) | p. 106 |
Metropolitan Area Exchange (MAE) | p. 106 |
The Tiers of Babel | p. 107 |
Cost | p. 107 |
Paying by Bandwidth | p. 108 |
Paying by Usage | p. 108 |
Extras | p. 108 |
Reimbursements for Network Downtime | p. 108 |
Reliability/Reputation | p. 108 |
Peer Survey | p. 108 |
Capacity (Can Your ISP Meet Your Needs?) | p. 109 |
Installation and Setup Services ISPs Offer | p. 109 |
Bandwidth Options | p. 109 |
Web Hosting | p. 110 |
Mail Hosting | p. 110 |
Knowledge Services (Help Desk / Consulting) | p. 110 |
Managing Equipment Lease | p. 111 |
IP Address Blocks | p. 111 |
Co-locate: Your Equipment, the ISP's Building | p. 111 |
Co-Location Considerations | p. 112 |
Extended Protocols and Services | p. 118 |
Provisioning a WAN | p. 120 |
Customer Premises Equipment | p. 121 |
Managed Services | p. 121 |
Managing Your Router | p. 122 |
Managing Your Firewall | p. 122 |
Managing VPN Connectivity | p. 122 |
Offering Proxy Services | p. 123 |
Domain Name Registration | p. 123 |
DNS Mail Exchanger Records | p. 124 |
6 Consulting, Consultants, and Contractors | p. 125 |
Consultants, Contractors, and Projects | p. 125 |
Can You Do It All Yourself? | p. 126 |
From the Inside | p. 126 |
Before You Hire a Consultant | p. 126 |
Before You Hire a Contractor | p. 127 |
What Tasks Should You Farm Out? | p. 128 |
Questions You Should Ask Your Hired Help | p. 129 |
Bonding and Insurance | p. 130 |
The Request For Proposal | p. 131 |
Agreeing Parties | p. 131 |
Stated Objectives | p. 131 |
Deliverables | p. 131 |
Scope of Services | p. 132 |
Risks | p. 132 |
Requirements | p. 132 |
Coordinators | p. 133 |
Issues and Change Management | p. 133 |
Timeline and Costs | p. 135 |
Additional Costs | p. 135 |
Defining a Statement of Work | p. 135 |
Segment the Project into Stages | p. 135 |
Information Collection | p. 136 |
Analysis and Evaluation | p. 136 |
Recommendation | p. 137 |
Implementation | p. 137 |
Acceptance and Transition | p. 138 |
7 Design Considerations | p. 139 |
Before Building Your Network | p. 139 |
Getting Your Service from the Wall Through Hall | p. 140 |
Terminating the Telecom Demarcation | p. 140 |
Wiring Contractors | p. 140 |
Configuring Clients for a New Connection | p. 141 |
Proxy Configuration | p. 141 |
IP Addressing | p. 144 |
Internet Software | p. 145 |
Standard Build Process | p. 145 |
Defining IP Architecture | p. 146 |
Multi-Protocol Network Requirements | p. 146 |
Tunneling of Protocols Within IP | p. 146 |
Tunneling IPv6 in IPv4 | p. 147 |
Availability, Capacity, and Reliability | p. 147 |
Bandwidth, Latency, and Throughput | p. 149 |
Backup Circuits | p. 149 |
On-Demand Circuits | p. 149 |
Remote Access Policy | p. 150 |
Doing Away with Dialups | p. 150 |
8 Assessing Your Security Needs | p. 151 |
Build an Adaptable Infrastructure | p. 151 |
The Tao of Security: Simplicity | p. 152 |
Service Assessment | p. 152 |
Serving the World | p. 153 |
Services Allowed from the Internet | p. 156 |
The Special Case of FTP | p. 158 |
Rules, Rulesets, and Rulebases | p. 159 |
Rule Order | p. 160 |
Performance-Tuning Your Firewall | p. 161 |
Turning Security Policy into Security | p. 163 |
Security Policy | p. 163 |
Default Stance | p. 163 |
Security Architecture | p. 163 |
Security Architecture to Rulebase | p. 164 |
Change Management | p. 167 |
Harden All Your Servers | p. 167 |
Drop Source Routed Traffic | p. 168 |
Drop Directed Broadcast Traffic | p. 169 |
Lock Down Your DNS Servers | p. 169 |
Disable Relaying and Other Information Features on Your SMTP Server | p. 170 |
Sample Prototype Designs | p. 170 |
Packet Filter Router Only | p. 170 |
Packet Filter Router with a DMZ | p. 172 |
Router / Firewall and DMZ Revisited with VPN | p. 175 |
9 Getting Connected | p. 179 |
Equipment Selection | p. 179 |
Router Selection | p. 179 |
CSU / DSU Selection | p. 182 |
Staging the Hardware | p. 182 |
Setting Up the Hardware: Out of the Box and Onto the Wall | p. 183 |
Connect and Configure the CSU / DSU | p. 183 |
B8ZS | p. 183 |
Connect and Configure the Router | p. 184 |
Burn In | p. 185 |
10 Implementing Security | p. 187 |
Setting Proper Expectations | p. 187 |
Hardening Systems | p. 188 |
Windows NT 4.0 | p. 188 |
Windows 2000 Server | p. 194 |
Lock Down Your DNS Server | p. 197 |
Application-Specific Hardening | p. 198 |
UNIX / Linux Systems | p. 198 |
Tweak Your Network Configurations for Security | p. 208 |
Remote Log Server | p. 210 |
UNIX / Linux | p. 211 |
Windows NT and 2000 | p. 211 |
EventLogs | p. 211 |
Sample Packet Filter Router Only | p. 212 |
Sample Packet Filter Router with a DMZ | p. 214 |
Sample Packet Filter Router with a Firewall and DMZ | p. 217 |
Minimal Router Filtering | p. 219 |
Starting Free and Clear | p. 220 |
Allow Internal Network Traffic Outbound to the Internet | p. 222 |
Protect the Firewall | p. 226 |
Allow Only Internal Admin Access to the Firewall | p. 228 |
Drop Traffic You Do Not Want Logged | p. 229 |
Services Provided to the Internet | p. 230 |
Drop DMZ Initiated Traffic | p. 233 |
Default Policy of Drop Everything | p. 234 |
Sample Packet Filter Router with a Firewall, DMZ, and VPN Security Gateway | p. 241 |
Bringing It All Together | p. 236 |
Check Point FireWall-1 on Windows NT | p. 242 |
Linux 2.2 and ipchains | p. 242 |
OpenBSD 2.7 and IP Filter | p. 244 |
11 Testing and Validation | p. 245 |
Is Your Network Working Properly? | p. 245 |
Assembling the Tools | p. 245 |
Software Utilities | p. 246 |
Hardware Sniffers | p. 250 |
Network Analyzers/Protocol Analyzers | p. 250 |
Testing Your Routing | p. 251 |
Using ARP | p. 251 |
Default Route | p. 251 |
Testing Your Required Services | p. 253 |
Testing Your Exposed Services | p. 253 |
Testing Your Security | p. 253 |
12 Managing Your Internet Connection | p. 255 |
Evaluating New Services | p. 255 |
Sign Up for BUGTRAQ | p. 256 |
Sign Up for NTBUGTRAQ | p. 257 |
Checking for Security Breaches | p. 258 |
Periodic Vulnerability Assessment | p. 258 |
Tools for Simple Intrusion Detection | p. 258 |
Monitoring and Baselining | p. 262 |
What to Baseline | p. 263 |
How Long Should Baselining Last? | p. 263 |
Peaks Versus Averages | p. 263 |
Identify the Sources of Peaks | p. 263 |
Log Monitoring | p. 263 |
Monitoring Usage | p. 267 |
Planning for the Future | p. 268 |
What's Going to Break First? | p. 269 |
Appraising New Technologies | p. 269 |
13 Moving to a New ISP | p. 271 |
Equipment Return | p. 271 |
IP Addressing--The Return of Leased Numbers | p. 272 |
DNS Modifications | p. 272 |
New Equipment Purchases | p. 272 |
Transition Period | p. 272 |
Security | p. 273 |
Mail Servers | p. 273 |
Upgrades | p. 273 |
Index | p. 275 |