This complete new guide to auditing network security is an indispensable resource for security, network, and IT professionals, and for the consultants and technology partners who serve them.
Cisco network security expert Chris Jackson begins with a thorough overview of the auditing process, including coverage of the latest regulations, compliance issues, and industry best practices. The author then demonstrates how to segment security architectures into domains and measure security effectiveness through a comprehensive systems approach.
Network Security Auditing thoroughly covers the use of both commercial and open source tools to assist in auditing and validating security policy assumptions. The book also introduces leading IT governance frameworks such as COBIT, ITIL, and ISO 17799/27001, explaining their value, how they are used, and how they integrate with Cisco security products.
This book arms you with detailed auditing checklists for each domain, realistic design insights for meeting auditing requirements, and practical guidance for using complementary solutions to improve any company’s security posture.
This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.
Introduction xxi
Chapter 1 The Principles of Auditing 1
Security Fundamentals: The Five Pillars 1
Assessment 2
Prevention 3
Detection 3
Reaction 4
Recovery 4
Building a Security Program 4
Policy 5
Procedures 6
Standards 7
Security Controls 7
Administrative Controls 7
Technical Controls 8
Physical Controls 8
Preventative Controls 8
Detective Controls 8
Corrective Controls 8
Recovery Controls 9
Managing Risk 9
Risk Assessment 10
Risk Mitigation 14
Risk in the Fourth Dimension 16
How, What, and Why You Audit 17
Audit Charter 17
Engagement Letter 18
Types of Audits 19
Security Review 19
Security Assessment 19
Security Audit 20
The Role of the Auditor 20
Places Where Audits Occur 21
Policy Level 21
Procedure Level 21
Control Level 22
The Auditing Process 22
Planning Phase: Audit Subject, Objective, and Scope 22
Research Phase: Planning, Audit Procedures, and Evaluation Criteria 23
Data Gathering Phase: Checklists, Tools, and Evidence 23
Data Analysis Phase: Analyze, Map, and Recommend 24
Audit Report Phase: Write, Present, and File the Audit Report 24
Follow-Up Phase: Follow up, Follow up, Follow up! 25
Summary 25
References in This Chapter 26
Chapter 2 Information Security and the Law 27
IT Security Laws 27
Hacking, Cracking, and Fraud Laws 29
Computer Fraud and Abuse Act 29
Access Device Statute 31
Electronic Communications Privacy Act 34
Title I: Wiretap Act 34
Title II: Stored Communications Act 37
Title III: Pen/Trap Statute 38
Intellectual Property Laws 39
Digital Millennium Copyright Act 39
Economic Espionage Act 41
CAN-SPAM Act of 2003 42
State and Local Laws 43
Reporting a Crime 44
Regulatory Compliance Laws 46
SOX 46
HIPAA 48
Privacy Rule 50
Security Rule 51
Transactions and Code Sets Standard Rule 52
Identifiers Rule 52
Enforcement Rule 52
GLBA 54
PCI DSS 55
Summary 59
References in This Chapter 60
Federal Hacking Laws 60
State Laws 60
Chapter 3 Information Security Governance, Frameworks, and Standards 61
Understanding Information Security Governance 61
People: Roles and Responsibilities 64
Information Security Governance Organizational Structure 65
Board of Directors 65
Security Steering Committee 65
CEO or Executive Management 66
CIO/CISO 66
Security Director 66
Security Analyst 66
Security Architect 66
Security Engineer 67
Systems Administrator 67
Database Administrator 67
IS Auditor 67
End User 67
Spotting Weaknesses in the People Aspect of Security 67
Process: Security Governance Frameworks 68
COSO 68
Control Environment 69
Risk Assessment 70
Control Activities 70
Information and Communication 70
Monitoring 70
COBIT 71
ITIL 75
Technology: Standards, Procedures, and Guidelines 76
ISO 27000 Series of Standards 76
NIST 78
Center for Internet Security 80
NSA 80
DISA 81
SANS 82
ISACA 83
Cisco Security Best Practices 84
Summary 85
References in This Chapter 86
Web Resources 86
Chapter 4 Auditing Tools and Techniques 87
Evaluating Security Controls 87
Auditing Security Practices 89
Testing Security Technology 91
Security Testing Frameworks 92
OSSTMM 93
ISSAF 93
NIST 800-115 94
OWASP 94
Security Auditing Tools 95
Service Mapping Tools 96
Nmap 96
Hping 100
Vulnerability Assessment Tools 101
Nessus 101
RedSeal SRM 105
Packet Capture Tools 111
Tcpdump 111
Wireshark/Tshark 114
Penetration Testing Tools 116
Core Impact 116
Metasploit 120
BackTrack 127
Summary 128
References in This Chapter 128
Security Testing Frameworks 128
Security Testing Tools 129
Chapter 5 Auditing Cisco Security Solutions 131
Auditors and Technology 131
Security as a System 132
Cisco Security Auditing Domains 133
Policy, Compliance, and Management 134
Infrastructure Security 135
Perimeter Intrusion Prevention 136
Access Control 136
Secure Remote Access 137
Endpoint Protection 138
Unified Communications 139
Defining the Audit Scope of a Domain 139
Identifying Security Controls to Assess 141
Mapping Security Controls to Cisco Solutions 143
The Audit Checklist 144
Summary 150
Chapter 6 Policy, Compliance, and Management 153
Do You Know Where Your Policy Is? 153
Auditing Security Policies 154
Standard Policies 158
Acceptable Use 158
Minimum Access 158
Network Access 158
Remote Access 159
Internet Access 159
User Account Management 159
Data Classification 159
Change Management 160
Server Security 161
Mobile Devices 161
Guest Access 161
Physical Security 161
Password Policy 162
Malware Protection 162
Incident Handling 162
Audit Policy 162
Software Licensing 162
Electronic Monitoring and Privacy 163
Policies for Regulatory and Industry Compliance 163
Cisco Policy Management and Monitoring Tools 165
Cisco MARS 165
Cisco Configuration Professional 167
Cisco Security Manager 169
Cisco Network Compliance Manager 171
Checklist 174
Summary 176
References in This Chapter 176
Chapter 7 Infrastructure Security 177
Infrastructure Threats 177
Unauthorized Access 177
Denial of Service 178
Traffic Capture 178
Layer 2 Threats 179
Network Service Threats 180
Policy Review 180
Infrastructure Operational Review 181
The Network Map and Documentation 182
Logical Diagrams 182
Physical Diagrams 182
Asset Location and Access Requirements 182
Data Flow and Traffic Analysis 183
Administrative Accounts 183
Configuration Management 184
Vulnerability Management 184
Disaster Recovery 184
Wireless Operations 185
Infrastructure Architecture Review 185
Management Plane Auditing 186
Cisco Device Management Access 187
Syslog 193
NTP 194
NetFlow 195
Control Plane Auditing 196
IOS Hardening 196
Routing Protocols 198
Protecting the Control Plane 199
Data Plane Auditing 201
Access Control Lists 202
iACLs 202
Unicast Reverse Path Forwarding 203
Layer 2 Security 204
VTP 204
Port Security 205
DHCP Snooping 205
Dynamic ARP Inspection 206
IP Source Guard 206
Disable Dynamic Trunking 206
Protecting Spanning Tree 207
Switch Access Control Lists 208
Protect Unused Ports 209
Wireless Security 210
Wireless Network Architecture 210
Cisco Adaptive Wireless Intrusion Prevention System 211
Protecting Wireless Access 212
Wireless Service Availability 213
Rogue Access Point Detection 214
General Network Device Security Best Practices 216
Technical Testing 217
Router Testing 219
Switch Testing 221
Wireless Testing 225
Checklist 230
Summary 235
References in This Chapter 236
Chapter 8 Perimeter Intrusion Prevention 237
Perimeter Threats and Risk 237
Policy Review 238
Perimeter Operations Review 239
Management and Change Control 239
Monitoring and Incident Handling 240
Perimeter Architecture Review 242
What Are You Protecting? 243
Perimeter Design Review 243
Logical Architecture 244
Physical Architecture 245
What Is the Risk? 246
Good Design Practices 247
Auditing Firewalls 247
Review Firewall Design 248
Simple Firewall 248
Screening Router and Firewall 248
Firewall with DMZ 249
Firewall with DMZ and Services Network 249
High Availability Firewall 250
IOS Firewall Deployment 250
Review Firewall Configuration 251
Firewall Modes of Operation 252
Firewall Virtualization 253
Filtering Methods 253
Network Address Translation 255
Secure Management 256
Logging 256
Other Configuration Checks 256
Review Rule Base 257
Cisco Firewall Rule Basics 257
Rule Review 259
Rule Optimization 260
The ASA Modular Policy Framework and Application Inspection 261
IOS Zone-Based Firewall 263
Auditing IPS 265
How IPS Works 266
Review IPS Deployment 268
Review IPS Configuration 269
Protect the Management Interface 271
Administrative Access and Authentication 271
NTP Configuration 274
Signature Updates 274
Event Logging 275
Review IPS Signatures 276
Signature Definitions 276
Event Action Rules 277
Target Value Rating 277
IOS IPS 278
Technical Control Testing 279
Firewall Rule Testing 279
Testing the IPS 281
Conducting an IPS Test 282
Reviewing the Logs 284
Checklist 284
Summary 287
References in This Chapter 288
Chapter 9 Access Control 289
Fundamentals of Access Control 289
Identity and Authentication 290
Access Control Threats and Risks 291
Access Control Policy 292
Access Control Operational Review 293
Identity Operational Good Practices 293
Authorization and Accounting Practices 294
Administrative Users 296
Classification of Assets 297
Access Control Architecture Review 297
Identity and Access Control Technologies 298
Network Admission Control 298
NAC Components 299
How NAC Works 300
NAC Deployment Considerations 302
NAC Posture Assessment 303
Identity-Based Networking Services 304
Deployment Methods 305
NAC Guest Server 306
NAC Profiler 306
Technical Testing 308
Authentication and Identity Handling 308
Posture Assessment Testing 309
Testing for Weak Authentication 309
Checklist 313
Summary 315
References in This Chapter 315
Chapter 10 Secure Remote Access 317
Defining the Network Edge 317
VPN Fundamentals 318
Confidentiality 319
Symmetric Encryption 320
Asymmetric Encryption 321
Integrity 323
Authentication and Key Management 324
IPsec, SSL, and DTLS 326
IPsec 326
Secure Sockets Layer 328
Datagram Transport Layer Security (DTLS) 329
Remote Access Threats and Risks 329
Remote Access Policies 330
Remote Access Operational Review 331
VPN Device Provisioning 331
Mobile Access Provisioning 332
Mobile User Role-Based Access Control 333
Monitoring and Incident Handling 333
Remote Access Architecture Review 333
Site-to-Site VPN Technologies 335
Easy VPN 335
IPsec and Generic Routing Encapsulation (GRE) 336
Dynamic Multipoint VPN (DMVPN) 336
Multiprotocol Label Switching (MPLS) and Virtual Routing and Forwarding (VRF) VPNs 337
GETVPN 339
Mobile User Access VPN 340
IPsec Client 341
Clientless SSL VPN 341
Cisco Secure Desktop 342
SSL Full Tunneling Client 344
VPN Network Placement 345
VPN Access Controls 346
Site-to-Site Access Controls 346
Mobile User Access Controls 347
Remote Access Good Practices 348
Technical Testing 350
Authentication 350
IPsec 351
SSL 352
Site-to-Site Access Control Testing 353
Mobile User Access Control Testing 353
Monitoring and Log Review 354
Checklist 354
Summary 358
References in This Chapter 358
Chapter 11 Endpoint Protection 359
Endpoint Risks 359
Endpoint Threats 360
Malware 360
Web-Based Threats 362
Social Networking and Web 2.0 365
E-Mail Threats 366
Data Loss Threats 367
Policy Review 368
Endpoint Protection Operational Control Review 370
Current Threat Intelligence 370
Vulnerability and Patch Management 373
Monitoring and Incident Handling 373
Security Awareness Program 374
Endpoint Architecture Review 374
Cisco Security Intelligence Operations 375
SensorBase 375
Cisco Threat Operations Center 375
Dynamic Update Function 376
Web Controls 376
Web Security Appliance 376
ASA 378
IPS 379
CSA 380
E-Mail Controls 380
E-Mail Policy Enforcement 381
E-Mail Authentication 381
Data Loss Prevention 383
Web 383
E-Mail 384
Client 385
Patch Management 386
Monitoring 386
Web 386
E-Mail 388
MARS 388
Technical Testing 388
Acceptable Use Enforcement 388
Malware Detection and Quarantine 389
Spam, Phishing, and E-Mail Fraud 390
Encryption 390
Patch Management and Enforcement 390
Data Loss Prevention Testing 391
Detection and Response 391
Checklist 391
Summary 396
References in This Chapter 396
Chapter 12 Unified Communications 397
Unified Communications Risks 397
VoIP Threats 399
Denial of Service 399
Confidentiality 401
Fraud 401
UC Policy and Standards Review 403
UC Operational Control Review 404
User and Phone Provisioning 404
Change Management 405
Asset Management 405
Call Detail Record Review 406
Administrative Access 406
Vulnerability Management 406
Security Event Monitoring and Log Review 407
Disaster Recovery 408
UC Architecture Review 408
Unified Communications Fundamentals 409
H.323 410
MGCP 412
SCCP 412
SIP 413
Session Border Controller 415
RTP and SRTP 416
Call Processing 416
Infrastructure Controls 418
Switch Security 418
ACLs and Firewalling 420
IPS 421
Gateway Protection 422
Site to Site 422
Wireless 423
Call Control Protection 423
Communications Manager Hardening 423
Authentication, Integrity, and Encryption 424
Phone Proxy 426
Secure SIP Trunking 426
Toll Fraud Prevention 428
Application Controls 431
Voice Endpoint Controls 432
Monitoring and Management 433
Technical Testing 434
VLAN Separation 434
Eavesdropping 436
Gateway 438
Toll Fraud 438
Monitoring and Incident Detection 438
Checklist 439
Summary 444
References in This Chapter 445
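The Chapter 7 outline lists the Layer 2 controls an auditor checks on a Cisco switch (VTP, port security, DHCP snooping, Dynamic ARP Inspection, IP Source Guard, disabling dynamic trunking, protecting spanning tree, and shutting unused ports). As an added illustration of the "Technical Testing" and "Checklist" steps of that chapter, the script below audits a Cisco IOS running-config for those controls. It is an example written for this page, not code from the book or from Cisco; the sample configuration is constructed, the pass/fail rules are simplified assumptions (for example, that every non-trunk port is a user access port and that VTP should be transparent or off), and the interface names and findings text are the example's own.

```python
"""Audit a Cisco IOS switch running-config for Layer 2 controls.

Added example for this page, not from the book. The config below is a
constructed sample and the rules are simplified auditing assumptions.
"""
import re

# Constructed sample running-config fragment (not a real device).
SAMPLE_CONFIG = """\
hostname access-sw1
vtp mode server
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ip verify source
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description user port, no hardening
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description unused
 switchport access vlan 10
 shutdown
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
"""


def parse_config(text):
    """Split an IOS config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def _vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    out = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        elif part:
            out.add(int(part))
    return out


def audit_layer2(text):
    """Return a sorted list of (scope, finding) tuples; empty means clean."""
    global_lines, interfaces = parse_config(text)
    g = set(global_lines)
    findings = []

    # VTP: transparent/off keeps a rogue switch from rewriting the VLAN database.
    if not any(l.startswith(("vtp mode transparent", "vtp mode off")) for l in g):
        findings.append(("global", "VTP not in transparent/off mode"))

    snooping_on = "ip dhcp snooping" in g
    if not snooping_on:
        findings.append(("global", "DHCP snooping disabled globally"))
    snoop_vlans, dai_vlans = set(), set()
    for line in g:
        if m := re.match(r"ip dhcp snooping vlan (\S+)", line):
            snoop_vlans |= _vlans(m.group(1))
        if m := re.match(r"ip arp inspection vlan (\S+)", line):
            dai_vlans |= _vlans(m.group(1))
    bpduguard_default = "spanning-tree portfast bpduguard default" in g

    for name, lines in interfaces.items():
        s = set(lines)
        if "shutdown" in s:
            continue  # an administratively down port is the desired state for unused ports
        if "switchport mode trunk" in s:
            if "switchport nonegotiate" not in s:
                findings.append((name, "trunk still negotiates via DTP"))
            continue
        # Assumption: everything else is a user-facing access port.
        vlan = next((int(l.split()[-1]) for l in lines
                     if l.startswith("switchport access vlan ")), 1)
        if "switchport mode access" not in s:
            findings.append((name, "dynamic trunking not disabled (no 'switchport mode access')"))
        if "switchport port-security" not in s:
            findings.append((name, "port security not enabled"))
        if snooping_on and vlan not in snoop_vlans:
            findings.append((name, f"DHCP snooping not enabled for VLAN {vlan}"))
        if vlan not in dai_vlans:
            findings.append((name, f"Dynamic ARP Inspection not enabled for VLAN {vlan}"))
        if "ip verify source" not in s:
            findings.append((name, "IP Source Guard not enabled"))
        if "spanning-tree portfast" in s and not (
                bpduguard_default or "spanning-tree bpduguard enable" in s):
            findings.append((name, "PortFast without BPDU Guard"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, what in audit_layer2(SAMPLE_CONFIG):
        print(f"{scope}: {what}")
```

Run against the sample, the hardened port Gi1/0/1, the shut-down port Gi1/0/3 and the trunk Gi1/0/24 produce no findings; the unhardened access port Gi1/0/2 and the VTP server mode each do. In a real engagement the input would be the output of `show running-config` collected as evidence, and each finding would map back to a checklist item from the chapter.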