Inside Network Perimeter Security (2nd Edition)
Product Description
Security professionals and administrators now have access to one of the most valuable resources for learning best practices for network perimeter security. Inside Network Perimeter Security, Second Edition is your guide to preventing network intrusions and defending against any intrusions that do manage to slip through your perimeter. This acclaimed resource has been updated to reflect changes in the security landscape, both in terms of vulnerabilities and defensive tools. Coverage also includes intrusion prevention systems and wireless security. You will work your way through fortifying the perimeter, designing a secure network, and maintaining and monitoring the security of the network. Additionally, discussion of tools such as firewalls, virtual private networks, routers, and intrusion detection systems makes Inside Network Perimeter Security, Second Edition a valuable resource for both security professionals and GIAC Certified Firewall Analyst certification exam candidates.
Product Details
- Published on: 2005-03-14
- Original language: English
- Number of items: 1
- Binding: Paperback
- 768 pages
Editorial Reviews
About the Author
Stephen Northcutt is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, whitewater raft guide, chef, martial arts instructor, cartographer, and network designer. Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials, and Network Intrusion Detection, 3rd Edition. He was the original author of the Shadow Intrusion Detection System before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen currently serves as Director of the SANS Institute.
Lenny Zeltser's work in information security draws upon experience in system administration, software architecture, and business administration. Lenny has directed security efforts for several organizations, co-founded a software company, and consulted for a major financial institution. He is a senior instructor at the SANS Institute, having written and taught a course on reverse-engineering malware. Lenny is also a coauthor of books such as SANS Security Essentials and Malware: Fighting Malicious Code. He holds a number of professional certifications, including CISSP and GSE, and is an incident handler at SANS Internet Storm Center. Lenny has earned a bachelor of science in engineering degree from the University of Pennsylvania and a master in business administration degree from MIT. More information about Lenny's projects and interests is available at http://www.zeltser.com.
Scott Winters has been working in all aspects of networking and computer security for over 14 years. He has been an Instructor, Network Engineer, and Systems Administrator and is currently employed as a Senior Consultant for Unisys at the Commonwealth of Pennsylvania Enterprise Server Farm. He has SANS GIAC Firewalls and Incident Handling certifications, as well as MCSE, CNE, Cisco CCNP, CCDP, and other industry certifications. Other accomplishments include authoring and editing of SANS GIAC Training and Certification course content, as well as exam content. He was a primary author of the first edition of Inside Network Perimeter Security and a contributing author for SANS Security Essentials with CISSP CBK. He has also been involved in the SANS GIAC Mentoring program and has served on the SANS GCFW Advisory Board.
Karen Kent is an Associate with Booz Allen Hamilton, where she provides guidance to Federal agencies on a broad range of information assurance concerns, including incident handling, intrusion detection, VPNs, log monitoring, and host security. Karen has earned a bachelor's degree in computer science from the University of Wisconsin-Parkside and a master's degree in computer science from the University of Idaho. She holds the CISSP certification and four SANS GIAC certifications. Karen has contributed to several books, including Intrusion Signatures and Analysis, published numerous articles on security, and coauthored several publications for the National Institute of Standards and Technology (NIST), including NIST Special Publication 800-61: Computer Security Incident Handling Guide.
Ronald W. Ritchey has an active interest in secure network design and network intrusion techniques. He gets to exercise this interest regularly by conducting penetration testing efforts for Booz Allen Hamilton, where he has had the opportunity to learn firsthand the real-world impact of network vulnerabilities. He is also an active researcher in the field with peer-reviewed publications in the area of automated network security analysis. Ronald has authored courses on computer security that have been taught across the country, and he periodically teaches graduate-level courses on computer security. Ronald holds a master's degree in computer science from George Mason University and is currently pursuing his Ph.D. in information technology at its School of Information Technology and Engineering. His doctoral research involves automating network security analysis.
About the Technical Editors
Todd Chapman has 10+ years of experience delivering IT services as varied as systems management, security, networking, clustering, Perl programming, and corporate development and training. Currently, Todd is a consultant for gedas USA, Inc., in Auburn Hills, Michigan, where he provides security consulting services for Volkswagen/Audi of America. For the last three years Todd has been an active member of the SANS GCFW advisory board and has written SANS certification exam questions in a number of disciplines. Todd's certifications include Red Hat Certified Engineer (RHCE), Microsoft Certified Systems Engineer (MCSE), GIAC Certified Firewall Analyst (GCFW), GIAC Certified Intrusion Analyst (GCIA), and GIAC Systems and Network Auditor (GSNA).
Anton Chuvakin, Ph.D., GCIA, GCIH, is a Security Strategist with netForensics, a security information management company, where he is involved with designing the product, researching potential new security features, and advancing the security roadmap. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, and more. He is the author of the book Security Warrior (O'Reilly, January 2004) and a contributor to "Know Your Enemy II" by the Honeynet Project (AWL, June 2004) and "Information Security Management Handbook" (CRC, April 2004). In his spare time he maintains his security portal at http://www.info-secure.org.
Dan Goldberg recently created MADJiC Consulting, Inc., to provide network design and architecture reviews, intrusion detection and response, and vulnerability assessments in Central Virginia. He also works on research and writing projects for the SANS Institute and as technical director for Global Information Assurance Certification (GIAC). When not occupied by these activities, you may find him riding a mountain bike in the Blue Ridge Mountains.
John Spangler is a freelance Network Systems Engineer. Having over 10 years of experience, he has worked on everything from small office systems to large enterprise and ISP networks. John has worked as a technical editor for Cisco certification manuals.
Excerpt. © Reprinted by permission. All rights reserved.
Inside Network Perimeter Security Second Edition
Preface
The flight from Lihue to San Francisco is about five and a half hours and allows me some of my most productive work time. The phone doesn't ring, the dog doesn't ask to go outside, and my personal firewall doesn't start blinking because someone is trying to scan my computer. The flight attendant crews are starting to know me; I don't want any airplane food, I brought my own recycled water bottle filled with water from my own reverse osmosis filter, just let me write. I am very thankful for a bit of understanding from the crew of United FLT 30 for the time to write this preface. If any of my words give you insight into the current state of affairs with perimeter and internal network management, don't attribute that to me. I rely more each day of my life on the words in James 1:5; I am just the messenger.
I was enjoying working on the second edition of this book when a scene on the airplane entertainment televisions caught my eye. It was a video history of United Airlines, which started by delivering airmail in rickety old airplanes with exposed cockpits. Today, modern, fast, sophisticated aircraft have an incredible safety record. The airline industry has gone from an oddity—a great tool to entertain the crowds at county fairs—to an industry that is crucial to our way of life and economy. The airlines in the United States were essentially grounded for about three days following the terrorist attacks of September 11, 2001. The U.S. Congress debated whether to give the airlines money; they decided against it and United is now in chapter 11.
By exploring what has changed in the airline world, you will see both the past and the future of our industry, information technology (IT). Like the airline industry, IT has historically been accomplished on rickety platforms. We have benefited from rapid advances in technology. We have seen a decline in personal service. We are headed for continuous inspections, a defense-in-depth approach, and we are every bit as vulnerable and at the same time crucial to the economy.
Rickety Planes
What if we flew in computers? That gives "crash" a whole new meaning, doesn't it? Well, if we did, I am sure you would agree that we would all be dead. I would love to say operating systems are really improving, but it isn't so. I installed XP SP2 beta, one of the least-rickety operating systems I have worked with in a long time, on a clone of my primary laptop a couple months ago, and it has been interesting. As soon as I submit the remainder of my chapters for this book, I will upgrade my production box. As I write this, the Windows update version has still not been released, and it will be very interesting to see what breaks when the home users get upgraded. A lot of people died in the early days of the airline industry, and as I say, if we flew in those early planes today, most of us would be dead.
Now here is the kicker: IPS systems and intelligent switches are nothing but software applications or ASICs that are built on these rickety operating systems. One of the primary themes of this book is never to trust the operating system, to expect perimeter components to fail. This book will show you techniques for failover, layering defense components, segmenting internal networks, using instrumentation to detect anomalies, and troubleshooting. In the early days of perimeter defense, the only choice that information security practitioners had was to layer their perimeter software on these rickety operating systems.
Fires in the West
For years, I was a network builder for the Department of Defense, which uses large, high-end, fast networks. The most effective security mechanism for separation of sensitive information was implemented with a physical solution—an airgap. If you want to protect one network from another, just don't connect them together. Worms such as Blaster taught us that many networks that supposedly were not connected to the Internet actually were in one way or another, but if you audit carefully and never allow an exception, airgaps work.
The problem with an airgap is the two networks cannot interoperate, a concept directly in contradiction with the Internet philosophy and electronic business. The past few years have been a bad time for the U.S. West, as rain has been minimal, with fires starting earlier and earlier each year it seems. One of the most effective tools for managing fires is a firebreak; it isn't as powerful as an airgap (sometimes the fire will bridge it), but segmenting the forest into zones is a powerful technique. The information technology analog for a firebreak is to segment the internal network. This can be done with internal intelligent Network Intrusion Prevention Switches (NIPS), with some elbow grease using current generation switches and applying access control to VLANs, or with low-cost appliance-type firewalls used on the internal network. It can even be done manually using anomaly IDS to detect switch ports heating up, which is usually a signature of a worm, and shutting down the switch. Segmenting internal networks with "firebreaks" allows us to have the interoperability and reduce the risk of losing all our internal systems to a destructive worm "wildfire."
This book discusses a number of perimeter and internal network designs. Some are more focused on security, whereas others are focused on performance. Some focus on uptime and help you to understand how to choose these designs based on your organization's requirements.
Note - One of the reasons that early airplanes were so dangerous is that a large number of them were hand built. Even if the planes were built in a factory, after a couple of years, they might as well be hand built because of the number of times they were repaired and modified.
Can you see how similar the early airplanes are to our server and desktop operating systems? We all agree that patching to reduce the vulnerability footprint is critical, but if no two servers are alike, exactly how do you test the patch? Repeatable builds give an IT shop a major increase in security just like factory-built aircraft.
So do appliance firewalls. They are factory built, plug and go. It's not guaranteed that their OS is hardened, but you do know that the OS on the appliance is factory built, consistent, and probably stripped of unneeded programs. These low-cost appliances are very useful for segmenting an internal network.
Rapid Advances in Technology
Modern aircraft have wings, fly through the air, and land on the ground—and that is about all they have in common with the first airplanes. The advances in airframe design, materials, avionics, navigation and route selection, and airport operations make it difficult to believe that people ever considered getting into the early airplanes.
I would love to say that modern perimeter systems are so advanced that it is inconceivable that we ever tried to protect our systems with those early firewalls, but we haven't made that much progress yet. However, hope prevails, and we certainly see evidence of improvement. Perimeter defense systems have come way down in price for any given bandwidth point; many can be upgraded by just downloading a new image.
Deep packet inspection at gigabit speed is possible right now for the well-funded organization. Subscription models that update daily or weekly are the norm and support an architecture of perimeter components to create hybrid systems that combine classic perimeter defense, reporting sensors, and possibly even vulnerability assessments that allow performing internal correlation.
This book discusses the importance of using the information collected by perimeter devices to help defend the network. The data collected and reported by these devices fuels the most advanced analysis capability in the world—the Internet Storm Center (ISC). Organizations such as ISC and Internet Security Systems's X-Force are often the first groups to detect a new worm beginning to cause trouble on the Internet. One of the upcoming models for security is continuous reporting, or operational readiness, and this requires sensors all over the network to constantly report in. The technology of network security is dynamic. It's important to have constant updates to maintain security in the face of the ever-changing threat.
It is worth mentioning that ease of use and good security might be orthogonal. If it were as easy to get into an airplane and fly as it is to get into a car and drive, the skies would be a dangerous place. Appliance wireless access points often aggregate all wireless and built-in wired ports into the same broadcast domains. Possibilities for attacks exist based on MAC address spoofing, sniffing the internal traffic from outside the plant in the parking lot, the use of rogue, unapproved access points bought at Best Buy and plugged into the Net, access points with a bit more power than the FTC allows being broadcast into the internal network from the parking lot, and failures of the authentication system. The most common reason for aircraft crashes today is poor maintenance, and we are going to see the same thing with wireless implementations as better security technology becomes available.
Decline in Personal Service
More has changed on the human side of the airline equation than just the name change from stewardesses to flight attendants. First class isn't first class, and it goes downhill from there. The airlines seem to be testing the limits to see just how much abuse people will take—and they wonder why they occasionally deal with passenger rage. Sadly, the IT industry has never been big on personal service. There ...
Customer Reviews
Excellent book at discussing how to defend your network perimeter
This review is for the 2nd edition of this book.
"Inside Network Perimeter Security" (INPS) by Northcutt, Zeltser, Winters, Kent, and Ritchey suitably covers the broad topic of securing a network's edge. The book is based, in part, on various SANS Institute training material (Northcutt is the CEO of the SANS Institute). Most of the items documented in INPS are honed from years of discussions in classes (and it is mentioned as an "excellent supplementary resource" for the GIAC Certified Firewall Analyst (GCFW)).
The book first focuses on perimeter fundamentals - including dedicating about 100 pages to the three main types of firewalls (Packet, Stateful & Proxy). The second section discusses how to fortify other areas of the perimeter - by implementing hardened routers and hosts, VPNs, IDSs, and IPS. The third section discusses designing a secure perimeter from the ground up (consider it best practices). This includes a much-needed chapter on wireless security. The last section is how to monitor and maintain the perimeter.
It is hard to characterize who this book should be aimed at. While configuration examples are given for many different platforms and OSs, the configs cannot be considered complete. I feel this book would serve network admins well as a starting point and as an introduction to concepts that they might not be familiar with.
Some items I like from Inside Network Perimeter Security:
- Chapter 6 gives a great discussion on Cisco routers. What really impresses me is, since the documentation is from someone besides CiscoPress, you get an idea of other ways to harden Cisco routers (see the telnet trick on page 142). The first appendix also gives a great collection of different ACLs (consider it an update of the NSA's list). I have over 50 CiscoPress books, and information found in these 2 chapters I have not seen documented in any CiscoPress book.
- Chapter 21 provides a 'quick' list of tools to use to help troubleshoot and isolate an issue. While there are some great books that are wholly dedicated to showing the ins-and-outs of different tools, sometimes you can't see the trees through the forest. Within just a few short pages, INPS is able to suggest a plethora of different tools to use based upon the issue.
The book mentions that it's goal "...is to create a practical guide for designing, deploying, and maintaining a real-world network security perimeter." I believe they have done just that!
I give this book 5 pings out of 5:
!!!!!
state of the art
The authors provide a nicely detailed explanation of current network defenses and practices. Each major topic in this field is well covered. Firewalls and packet filtering are clearly done. The preferred choice of example router is from Cisco. But the principles are obviously applicable to devices from any competing vendor.
The book also recommends egress filtering, which is not often discussed in other texts. It helps guard against your net being used to send out malware. This helps the overall environment of the Internet. Moreover, there is also a tangible benefit to you. By doing egress checks, you can detect if one of your machines has been subverted, which is always good to know.
VPNs are given an entire chapter, due to their importance. The book also goes beyond talking about Intrusion Detection Systems to discuss Intrusion Prevention Systems. More proactive.
To some sysadmins, the most important chapter might be that on wireless networks. As these have grown hugely, so too have the attacks against them. You can learn how to bolt down your wireless network.
Four stars if reorganized and distilled, five if updated
I first looked at Inside Network Perimeter Security, 2nd Ed (INPS:2E) for my blog, in May 2005. I decided to try reading it this week because I've been reading books on related topics. Individually, the INPS:2E authors largely know their craft. Unfortunately, the book is so poorly organized and diffused that I don't know why other reviewers rate it so highly. Furthermore, the choice of material covered and certain recommendations drag the book down. A third edition might be promising, but I recommend avoiding INPS:2E.
On the macro level, I question the ordering of the book's parts. It's best to lead with definitions, policy, and design, but that doesn't happen here. Part I is mostly about firewalls, with a chapter about policy at the end (Ch 5). Fundamentals of Secure Perimeter Design (Ch 12) appears in Part III (Designing a Secure Network Perimeter). Another design chapter (Ch 23) pops up in Part IV. This makes no sense. The book should have been divided into Theory / Implementation / Processes or some other rational system, with all related material in the proper place.
For example, the operation of FTP (control vs data channels, active vs passive FTP, etc.) is separated into three chapters (2, 3, and 4). FTP should have been explained early in one place, then referenced later. Host IPS appears as part of Ch 11, when it should have been in Ch 10 (Host Defense Components). VPNs appear in Ch 7 and again in Ch 16. TCP state is explained in Ch 3 (Stateful Firewalls), when it should have been covered in Ch 2 (Packet Filtering) or in a different and earlier section. Yet another firewall -- Pf -- isn't shown until Ch 10 (which covers host defense). Ch 6 (The Role of a Router) covers routers, but Ch 2 mostly covered using routers for filtering.
Beyond organization, the book's choice of technical material is sometimes questionable. INPS:2E spends a good deal of time on reflexive ACLs, even though Cisco recommends using CBAC instead. INPS:2E mentions CBAC but gives no implementation details. Worse, the extrusion RACL suggestion on p 51 allows outbound FTP control (port 21 TCP) but makes no provision for FTP data channels. Ch 19 promotes the virtues of Big Brother, a monitoring tool that's been declining for years since its acquisition. Nagios should have been covered instead. When I also see discussions of IPChains (Ch 2) and FWTK (Ch 4), I question the relevancy of the text.
Despite these problems, most of the book's technical recommendations are sound. I found fault with a few suggestions, e.g. "a good way to improve security is to disable SSID broadcasts on all wireless access points" (p 364). I did like the tip on changing Windows MAC addresses on p 365.
If a third edition is planned, I would like to see a ground-up rewrite. A lead author should plan the chapters of the book, including a rough outline of each chapter's contents. Experts can work within that framework, and then have the lead author edit for consistency and coherency. As it stands, INPS:2E reads more like a collection of disparate thoughts loosely bound by a network security theme. If the existing material was rewritten with clarity and structure in mind, the book would probably be 350-400 pages (not 660).
Richard Deal's Cisco Router Firewall Security, while Cisco-centric, is a better book on this subject. The older Security Sage's Guide to Hardening the Network Infrastructure is helpful. Sean Convery's Network Security Architectures might be the best of all.