Designing Network Security

In the world of network security, it is easy to get lost in a particular technology or application and fail to see "the forest from the trees." While the author does cover many of the "trees" in the world of network security, I find that this book is also helpful in obtaining a view of the "forest" of network security from a practical rather than a strictly conceptual perspective. I am especially impressed with breadth and depth that this book contains in this revised and updated 2nd edition.

Although written primarily for users of Cisco Systems equipment, the first eight chapters do contain information of interest to all network engineers involved in the design of network security. From PKI, Kerberos, and RADIUS to IPSec, 802.11b wireless, 802.1x port authentication and routing protocols, this book covers the full range of security areas that a network engineer needs to understand. Looking to set up a DMZ? Wanting to understand IPSec? Looking to reduce your organization's risk of being attacked? It is all covered here. Even Cisco's LEAP (Lightweight Extensible Authentication Protocol) for wireless networks is discussed. I cannot think of any relevant network security topic that the author has missed.

Chapters 9 through 12 provide the practical implementation steps and configuration scripts required to secure a Cisco-based network. IOS, CatOS, and PIX Firewall configuration templates are included as examples. As a component of network security, network availability in layer 2 and layer 3 networks is also discussed. A network designer can use these chapters to design a fundamentally secure Cisco network.

Note that this book is not intended for someone new to networking - there is an assumption of a solid understanding of basic networking and telecommunications concepts. If you are new to networking you may find this book a little too challenging. I think that someone who has a solid networking background can successfully read this book from cover to cover and grasp all of the concepts. This book will probably be the most useful for network engineers and security specialists working in a Cisco network and tasked with improving network security.

I find the end of chapter questions to be useful in stimulating the network design thinking process. Although this book is not designed to be a certification guide, someone pursuing the CCSP (Cisco Certified Security Professional) or the CCIE Security certifications may find this book to be a helpful overview of the relevant security technologies.

This is not intended as a criticism, but be aware that since this book covers so many network security topics, it may not cover a specific area to the depth that you are looking for. This is understandable since the book is intended to cover the fundamentals of network security. If you are looking for an exhaustive treatment of one particular area such as NIDS (Network Intrusion Detection Systems), you will need to consult other materials.

This book will likely remain on your shelf as a ready reference guide to the design of network security.

Rating:
Summary: A complete-in-one-volume resource for self-teaching
Review: Designing Network Security: A Practical Guide To Creating A Secure Network Infrastructure by Cisco Systems expert Merike Kaeo is a solid introduction for experienced computer programmers seeking to acquire the specific skills necessary to implement an effective, high quality security. Ranging from basic cryptography; to common techniques and specific configuration examples (with especial focus on common protocol vulnerabilities); securing dial-in access, and much, much more, Designing Network Security is a complete-in-one-volume resource for self-teaching, and is ideal as a continuing reference and instructional text for advanced coursework in designing and developing computer network security systems and protocols.

Rating:
Summary: A must read for Administrators and Management alike.
Review: Designing network security

This book is exceptional at its task. Bridge the gap of security technology's for both technical staff and management alike.
It's straightforward approach to bring the overall security stance into perspective starts out with a security primer on fundamentals of cryptography and the overall security principals and technologies that empower organizations to deter and prevent most attacks by understanding the why's and how's.
The coverage of the technologies and approaches are both technical enough to understand and yet are in "plain English" for those that aren't fluent in "geek speak".
The implementation portion of the book covers true life practice and policy with examples of how to fit into most any network but that are real enough that even someone new to the field could understand and start to piece together the whole picture. By appearance this book is truly written for the senior technicians to fully incorporate security into daily practice. Reality shows that the book is still realistic enough to keep the scope within reason and allow the management and less seasoned technicians alike the ability to read and grasp the how's and why's so they can prepare for the investment and implementation aspects that will certainly follow the understanding of what security implications truly are in a network environment.
The best reading in the book however is covered in the security policy section of the book. This is where the real life work is in today's age since the single weakest point in any security implementation is the end user. The policies and guidelines outlined in any company create the true meat of the company's stance on security. Technicians alone can not secure every aspect of the network without the users learning their part in protecting and following up on the policies that this book can help the management create. The book lays the foundations to understand both the technology aspects of security and how it can be prepared to fully secure the network using today's technologies and then to understand the principles that undermine security. Once these fundamental concerns are addressed they are able to be applied to a policy which educates and informs users and staff of what is required of them to maintain that security.
From the perspective of someone that has administrated and managed networks from both aspects it would be very hard to not recommend this book as required reading for anyone that has a part in their networks security or functions. While this book is published by Cisco Press and covers a great deal of Cisco oriented configuration information the book is standalone for any network, Cisco based or not.

Rating:
Summary: A to Z about network security
Review: I recently read the book titled "Designing Network Security" by Merike Kaeo. ISBN: 1587051176. This book happens to be the second edition of the title. This book is an excellent source of information regarding network security and security in general. The book covers a broad scope of technologies and areas relating to security. Probably the single best source for security topics in one book that I've read. It's an A-Z book on security.

The fading lines of responsibility in the realm of security is pretty much forcing every Information Technology (IT) professional to play a role in today's security strategy. With the boundaries being sketch well with in most every facet of Information Technology, it leave a big gap as to what the everyday IT professional can understand and contribute to a successful security architecture. This book, in my opinion, does an excellent job of bridging that wide gap for most networking professionals. I think every networking professional should have a copy of this book on their desk.

This book is best suited for professionals with a beginner to intermediate level of understanding of security principles, concepts and technologies. This book is essential for professionals looking to keep up with the ever-changing world of IT. Having this book will allow you to understand some of the more challenging and complex concepts that face each and every IT professional regarding security. Persons that are interested in achieving the popular Certified Information Systems Security Professional (CISSP) certification would find this title very helpful, not just as a resource to pass the exam, but also as a valuable reference to continue to learn from even after becoming certified.

There are great supporting figures and diagrams that assist in grasping some of the complex ideas and technologies. Most are very basic and stick to the principle concepts, which is great when getting your feet wet with a technology that's new to you. It provides a good foundation to build upon.

Compared to the first version of this title, the second version offers information regarding leading edge technologies such as Voice over IP (VoIP) and wireless networks. Another topic covered in the second version is Virtual Private Networks (VPN). Making the second version of this title a very well rounded resource. Another new chapter in the second addition is on Routing Protocol Security. The Routing Protocol Security chapter has some good information on several of the widely deployed Interior Gateway Protocols such as RIP, EIGRP and OSPF. The chapter covers information mostly on the authentication pieces and fundamental rules of each routing protocol and not much more. I found the small section on BGP in the chapter to be a little sparse and expected BGP to be covered in a bit more detail. Nonetheless, is does mention briefly, some of the challenges with BGP and a few of the proposed successors of the BGP protocol such as S-BGP and SoBGP.

This is an all-a-round good reference for network security.

Rating:
Summary: Good Security Architecture Info- With Emphasis on Cisco
Review: Merike Kaeo has been a network security professional with Cisco Systems, Inc for over 10 years. As a CCIE and a member of IEEE and IETF Kaeo has a tremendous amount of knowledge and experience to share on the subject.

The first of the book provide an overview of the core "Security Fundamentals". Each chapter delves a little deeper as the author talks about various aspects of network security including encryption, authentication, PKI, wireless security and more.

Beyond that Kaeo discusses the prevailing environment and what sorts of threats exist currently. Aimed more at infosec managers than administrators it provides a good look at common attack methods and things to consider when implementing network security. These first two sections combined also provide a wealth of information to help those aspiring to pass the CISSP or other security certification exams.

The last part of the book is primarily Cisco-centric. That isn't necessarily a bad thing since so many businesses rely on Cisco hardware for their network infrastructure. It certainly won't hurt your career in information security to be well-versed in Cisco technology.

The book is long- almost 800 pages. But, Kaeo manages to keep it moving and give the reader the information they need without getting bogged down being boring or too wordy. The figures and diagrams included help the reader to comprehend the concepts and topics presented.

This is a very good book with tons of useful information.

Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).

Rating:
Summary: A Reader
Review: Mr. Kaeo realized a good job in order to applying security concept throught practical examples. Designing Network Security resume and apply ideas about corporate security which enhance practicioner and academic review his own security models look for different alternatives in changing world of Technology.

Rating:
Summary: Very good!!!
Review: Practical, concise and very up-to-date.
The description of the chapters 1 and 2 is quite didactic.
The chapters 9 and 12 are excellent.
I recommend this book for those who want to connect the theory of the cryptography with the practice at hardware level.

Rating:
Summary: An excellent desktop reference
Review: Summary: A good overall resource on network security policy, design, and implementation.

I wish I had the benefit of this book when I was first starting out in my career in security. Weighing in at a hefty 745 pages, Designing Network Security 2nd. Ed. By Merike Kaeo (ISBN 1-58705-117-6) is a consise and fairly authoritative guide to the sometimes daunting task of designing secure networks - with a special emphasis placed on Cisco solutions of course. The book is divided into three major sections that break down to basic theory and essentials, policy design and best practices, and implementation with Cisco hardware. In my opinion it is best suited as a reference book for those who already have a firm foundation in security and networking, but could also be of value to beginner level techs with a bit of patience. While the topics that are covered have all pertinent information discussed, some might wish that there were a bit more explanation of the hows and whys.

The first section - "Security Fundamentals" is an especially valuable part of the book in that it provides a great desk reference to the building blocks of secure networks. The first chapter deals with the basics of encryption technologies - symmetrical/asymmetrical cryptography, digital hashes, public key systems, etc. From there the book moves into what is probably its meatiest chapter which covers the application of encryption into security technologies which range from TACACS+ authorization to TLS encryption. Following the precedent of building on previous chapters, the third chapter deals with the application of these security technologies into protecting real world installations. I was especially impressed with the attention paid to wireless and VOIP technologies in this chapter - this is one of the first discussions of VOIP security I have seen in a general reference book. The first section winds up with a fairly exhaustive discussion on routing protocol security which I also thought was excellent.

The second section - "The Corporate Security Policy" is a good reference to infosec management. Many topics covered in this section are applicable to the CISSP exam, so if that is a career goal for you this can act as one of your study guides. The section begins with a discussion of threats in the enterprise environment. Types of threats as well as common protocol vulnerabilites are discussed. I felt that some of the material in this chapter was a bit dated, in particular the sections on TCP sequence number attacks (most recent OS's have improved their sequence generation routines to make it nearly impossible to do this) and the ping of death (which I don't remember working on anything after Windows 95 or Linux 2.0.23). The next chapter is a bit more valuable in its discussion of the basics of risk assessment and management. This leads into a discussion of actual design and implementation of security policy. Sample topics include physical/logical controls, data confidentiality, and policies/procedures for staff. And finally this section concludes with a good chapter on incident handling and response.

The final section - "Practical Implementation" is the Cisco-centric third of the book. Many parts of this section are a good reference to points covered on the CCSP exams, especially the SECUR test. The first chapter deals with configuring access controls and audit on Cisco devices from the PIX to switches and routers. A brief discussion of intrusion detection implementations is also included. The next chapter consists of primarily information dealing with firewall/screening router construction - content filtering, packet screening, and the various types of IOS filters. Several implementation examples are included to walk you through the process of configuring CBAC (content-based access control) and the Cisco PIX. From there the section moves to remote access security, with good sections on all Cisco based AAA (authentication, authorization, and accounting) features including lock-and-key and accounting-based billing. Finally, the book wraps up with a chapter on securing VPN, Wireless, and VOIP networks which focuses more on design than implementation, although there are still some Cisco (PIX) based examples. The book's appedices cover DDOS attacks, well-known port numbers, and guidelines for reporting and preventing intrusions.

Overall I felt this was an excellent book which clearly fufilled its purpose. For the intermediate to advanced network security engineer this could act as an excellent desktop reference, while still being accessible enough to teach to the beginner. The writing style is clear and precise, and I found no technical errors in the material presented. As I mentioned the book could act as an additional study aid for several security certifications including the CISSP or the CCSP. I look forward to the next volume by Ms. Kaeo.

Rating:
Summary: A complete survey of network security and more
Review: This is a big book, 745 pages, a bit about almost every topic in information security. The advantage of a book like this is that if you want to know three paragraphs about a security term that you are not familiar with, you can find it. The disadvantage of these survey type books is that they do not usually give you enough information to do anything.

Though there are some spots especially in the first few chapters where this happens, Merike Kaeo, the author, quickly succeeds in making this a book that goes beyond telling the reader about things and begins to share how to do things on Cisco equipment which is far more valuable. If you are a Cisco network engineer or administrator and are interested in learning more about information security this is probably a good book for you. I think this book would also benefit a manager or someone with purely theoretical information security knowledge that wants to be able ask technical people pragmatic questions.

The Voice over IP chapter was one of the clearest explanations I have seen, however a bit more of a warning about security, changing standards and interoperability would have been appreciated.

When work begins on 3rd edition, I would suggest more focus on using routing and switching technology to segment the internal network so a worm infection does not take down the entire facility. In general user VLANS to not need to talk to other user VLANS, they only need to communicate with servers.

My favorite part of the book is Appendix D, somehow I had never seen Rob Thomas paper on DDOS.

Rating:
Summary: A complete survey of network security and more
Review: This is a big book, 745 pages, a bit about almost every topic in information security. The advantage of a book like this is that if you want to know three paragraphs about a security term that you are not familiar with, you can find it. The disadvantage of these survey type books is that they do not usually give you enough information to do anything.

Though there are some spots especially in the first few chapters where this happens, Merike Kaeo, the author, quickly succeeds in making this a book that goes beyond telling the reader about things and begins to share how to do things on Cisco equipment which is far more valuable. If you are a Cisco network engineer or administrator and are interested in learning more about information security this is probably a good book for you. I think this book would also benefit a manager or someone with purely theoretical information security knowledge that wants to be able ask technical people pragmatic questions.

The Voice over IP chapter was one of the clearest explanations I have seen, however a bit more of a warning about security, changing standards and interoperability would have been appreciated.

When work begins on 3rd edition, I would suggest more focus on using routing and switching technology to segment the internal network so a worm infection does not take down the entire facility. In general user VLANS to not need to talk to other user VLANS, they only need to communicate with servers.

My favorite part of the book is Appendix D, somehow I had never seen Rob Thomas paper on DDOS.