2/12/2012

Cisco Router Firewall Security Review

Cisco Router Firewall Security
I really enjoyed reading Cisco Router Firewall Security (CRFS) by Richard Deal. This book delivers just what a technical Cisco book should: discussion of concepts, explanation of command syntax, and practical examples. The author offers several ways to solve a security problem and then recommends his preferred choice. He correctly leans towards applying cryptography when available and avoids clear-text authentication methods or control channels. If you avoid the first chapter and keep a few minor caveats in mind, I would consider CRFS to be a five-star book.
CRFS covers all of the major technologies I hoped to see in a book on Cisco security functions. Though published in August 2004, it manages to provide details on the newest Cisco IOS features that contemporary books often ignore. For example, the author emphasizes the benefits of configuring SSH access, and not only SSHv1; he explains that SSHv2 is preferred. I found the book's coverage of access control lists to be very clear, and I appreciated the author's discussions of strengths and weaknesses of different ACL types. Mr. Deal is also very conscious of the load placed on the router whenever higher-end security features or traffic inspection is invoked. His warnings provide operational insights to using IOS security features. Beginning with chapter 3, each section presented just the information I needed to implement various security features.
I gave CRFS four stars, and not five, because I found some of the author's perceptions of security to be confusing or sometimes wrong. He repeats at least five times the oft-quoted but never substantiated myth that "70 percent of network attacks" are internal. This is completely backwards, according to CSI/FBI and Secret Service studies that say around 70 percent of attacks are caused by outsiders. While some of the most devastating incidents are indeed perpetrated by insiders, the majority of attacks continue to be launched from outside the security perimeter. While this point may not seem that significant, it is not a solid footing on which the author can justify certain security recommendations.
While reading CRFS I also sensed that neither the author nor his technical editors were security professionals. I do not mean that they do not or have not handled security incidents. In fact, several of Mr. Deal's stories explicitly and properly address intrusions and other events. Rather, I sensed the author and his team were networking professionals first, with security duties tacked on. For example, p. 8 lists applications, the OS, and network infrastructure as "threats to your company's network." These have vulnerabilities -- they are not threats. On p. 28 Mr. Deal says "SSL can protect only web application traffic," but this is wrong. Pages 31-33 list "some of the most common" DoS attacks, but the explanations there of chargen and ping of death attacks are wrong. WinNuke, a Windows DoS exploit from 1997, is also listed! Page 94 says "IDS solutions are still in their infancy," although they have been deployed for over 10 years. These and related security misperceptions made me believe a person with a primary security role should have reviewed CRFS.
It is easy to overlook these security faux pas, however. CRFS does a better job describing some security issues than other security-focused books. For example, I found the coverage of the effects of DoS attacks upon a router to be better than books specifically written about DoS! Mr. Deal frequently advocates monitoring as a way to know what is happening on the network, and I found his IDS deployment guidance to be sound.
To the extent I could evaluate Mr. Deal's discussion of Cisco features, I believe they are correct. One notable exception involves using the established keyword with ACLs. On p. 269 and elsewhere, the author claims "the established keyword looks to see if the ACK, FIN, PSH, RST, SYN, or URG TCP control flags are set. If they are, the TCP traffic is allowed in." This is incorrect; established looks for only the ACK or RST flags. This is not a major concern as other filtering options provide better defense anyway.
Overall, I consider CRFS to be an excellent piece of work. I am adding it to my recommended reading lists and I strongly suggest that anyone using Cisco routers in their perimeter read and heed this book. Keep an eye out for Mr. Deal's next book on building VPNs with Cisco gear.


Harden perimeter routers with Cisco firewall functionality and features to ensure network security

Detect and prevent denial of service (DoS) attacks with TCP Intercept, Context-Based Access Control (CBAC), and rate-limiting techniques
Use Network-Based Application Recognition (NBAR) to detect and filter unwanted and malicious traffic
Use router authentication to prevent spoofing and routing attacks
Activate basic Cisco IOS filtering features like standard, extended, timed, lock-and-key, and reflexive ACLs to block various types of security threats and attacks, such as spoofing, DoS, Trojan horses, and worms
Use black hole routing, policy routing, and Reverse Path Forwarding (RPF) to protect against spoofing attacks
Apply stateful filtering of traffic with CBAC, including dynamic port mapping
Use Authentication Proxy (AP) for user authentication
Perform address translation with NAT, PAT, load distribution, and other methods
Implement stateful NAT (SNAT) for redundancy
Use Intrusion Detection System (IDS) to protect against basic types of attacks
Obtain how-to instructions on basic logging and learn to easily interpret results
Apply IPSec to provide secure connectivity for site-to-site and remote access connections
Read about many, many more features of the IOS firewall for mastery of router security

The Cisco IOS firewall offers you the feature-rich functionality that you've come to expect from best-of-breed firewalls: address translation, authentication, encryption, stateful filtering, failover, URL content filtering, ACLs, NBAR, and many others. Cisco Router Firewall Security teaches you how to use the Cisco IOS firewall to enhance the security of your perimeter routers and, along the way, take advantage of the flexibility and scalability that is part of the Cisco IOS Software package. Each chapter in Cisco Router Firewall Security addresses an important component of perimeter router security.

Author Richard Deal explains the advantages and disadvantages of all key security features to help you understand when they should be used and includes examples from his personal consulting experience to illustrate critical issues and security pitfalls. A detailed case study is included at the end of the book, which illustrates best practices and specific information on how to implement Cisco router security features.

Whether you are looking to learn about firewall security or seeking how-to techniques to enhance security in your Cisco routers, Cisco Router Firewall Security is your complete reference for securing the perimeter of your network.

This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.
