CCIE Professional Development Series Network
Security Technologies and Solutions
by Yusuf Bhaiji - CCIE No. 9305
Publisher: Cisco Press
Pub Date: March 19, 2008
Print ISBN-10: 1-58705-246-6
Print ISBN-13: 978-1-58705-246-0
eText ISBN-10: 0-7686-8196-0
eText ISBN-13: 978-0-7686-8196-3
Pages: 840
Overview
CCIE Professional Development
Network Security Technologies and Solutions
A comprehensive, all-in-one reference for Cisco network
security
Yusuf Bhaiji, CCIE No. 9305
Network Security Technologies and Solutions is a
comprehensive reference to the most cutting-edge security
products and methodologies available to networking
professionals today. This book helps you understand and
implement current, state-of-the-art network security
technologies to ensure secure communications throughout the
network infrastructure.
With an easy-to-follow approach, this book serves as a central
repository of security knowledge to help you implement end-to-end
security solutions and provides a single source of
knowledge covering the entire range of the Cisco network
security portfolio. The book is divided into five parts mapping
to Cisco security technologies and solutions: perimeter security,
identity security and access management, data privacy, security
monitoring, and security management. Together, all these
elements enable dynamic links between customer security
policy, user or host identity, and network infrastructures.
With this definitive reference, you can gain a greater
understanding of the solutions available and learn how to build
integrated, secure networks in today's modern, heterogeneous
networking environment. This book is an excellent resource for
those seeking a comprehensive reference on mature and
emerging security tactics and is also a great study guide for the
CCIE Security exam.
"Yusuf's extensive experience as a mentor and advisor in the
security technology field has honed his ability to translate highly
technical information into a straight-forward, easy-to-understand
format. If you're looking for a truly comprehensive
guide to network security, this is the one!"
—Steve Gordon, Vice President, Technical Services, Cisco
Yusuf Bhaiji, CCIE No. 9305 (R&S and Security), has been with
Cisco for seven years and is currently the program manager for
Cisco CCIE Security certification. He is also the CCIE Proctor in
the Cisco Dubai Lab. Prior to this, he was technical lead for the
Sydney TAC Security and VPN team at Cisco.
Filter traffic with access lists and implement security features on switches
Configure Cisco IOS router firewall features and deploy ASA and PIX Firewall appliances
Understand attack vectors and apply Layer 2 and Layer 3 mitigation techniques
Secure management access with AAA
Secure access control using multifactor authentication technology
Implement identity-based network access control
Apply the latest wireless LAN security solutions
Enforce security policy compliance with Cisco NAC
Learn the basics of cryptography and implement IPsec VPNs, DMVPN, GET VPN, SSL VPN, and MPLS VPN technologies
Monitor network activity and security incident response with network and host intrusion prevention, anomaly detection, and security monitoring and correlation
Deploy security management solutions such as Cisco Security Manager, SDM, ASDM, PDM, and IDM
Learn about regulatory compliance issues such as GLBA, HIPAA, and SOX
This book is part of the Cisco CCIE Professional Development
Series from Cisco Press, which offers expert-level instruction on
network design, deployment, and support methodologies to
help networking professionals manage complex networks and
prepare for CCIE exams.
Category: Network Security
Covers: CCIE Security Exam
Copyright
About the Author
Acknowledgments
Icons Used in This Book
Command Syntax Conventions
Foreword
Introduction
Part I: Perimeter Security
Chapter 1. Overview of Network Security
Fundamental Questions for Network Security
Transformation of the Security Paradigm
Principles of Security—The CIA Model
Policies, Standards, Procedures, Baselines, Guidelines
Security Models
Perimeter Security
Security in Layers
Security Wheel
Summary
References
Chapter 2. Access Control
Traffic Filtering Using ACLs
IP Address Overview
Subnet Mask Versus Inverse Mask Overview
ACL Configuration
Understanding ACL Processing
Types of Access Lists
Summary
References
Chapter 3. Device Security
Device Security Policy
Hardening the Device
Securing Management Access for Security Appliance
Device Security Checklist
Summary
References
Chapter 4. Security Features on Switches
Securing Layer 2
Port-Level Traffic Controls
Private VLAN (PVLAN)
Access Lists on Switches
Spanning Tree Protocol Features
Dynamic Host Configuration Protocol (DHCP) Snooping
IP Source Guard
Dynamic ARP Inspection (DAI)
Advanced Integrated Security Features on High-End Catalyst Switches
Control Plane Policing (CoPP) Feature
CPU Rate Limiters
Layer 2 Security Best Practices
Summary
References
Chapter 5. Cisco IOS Firewall
Router-Based Firewall Solution
Context-Based Access Control (CBAC)
CBAC Functions
How CBAC Works
CBAC-Supported Protocols
Configuring CBAC
IOS Firewall Advanced Features
Zone-Based Policy Firewall (ZFW)
Summary
References
Chapter 6. Cisco Firewalls: Appliance and Module
Firewalls Overview
Hardware Versus Software Firewalls
Cisco PIX 500 Series Security Appliances
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco Firewall Services Module (FWSM)
Firewall Appliance Software for PIX 500 and ASA 5500
Firewall Appliance OS Software
Firewall Modes
Stateful Inspection
Application Layer Protocol Inspection
Adaptive Security Algorithm Operation
Security Context
Security Levels
Redundant Interface
IP Routing
Network Address Translation (NAT)
Controlling Traffic Flow and Network Access
Modular Policy Framework (MPF)
Cisco AnyConnect VPN Client
Redundancy and Load Balancing
Firewall "Module" Software for Firewall Services Module (FWSM)
Firewall Module OS Software
Network Traffic Through the Firewall Module
Installing the FWSM
Router/MSFC Placement
Configuring the FWSM
Summary
References
Chapter 7. Attack Vectors and Mitigation Techniques
Vulnerabilities, Threats, and Exploits
Mitigation Techniques at Layer 3
Mitigation Techniques at Layer 2
Security Incident Response Framework
Summary
References
Part II: Identity Security and Access Management
Chapter 8. Securing Management Access
AAA Security Services
Authentication Protocols
Implementing AAA
Configuration Examples
Summary
References
Chapter 9. Cisco Secure ACS Software and Appliance
Cisco Secure ACS Software for Windows
Advanced ACS Functions and Features
Configuring ACS
Cisco Secure ACS Appliance
Summary
References
Chapter 10. Multifactor Authentication
Identification and Authentication
Two-Factor Authentication System
Cisco Secure ACS Support for Two-Factor Authentication Systems
Summary
References
Chapter 11. Layer 2 Access Control
Trust and Identity Management Solutions
Identity-Based Networking Services (IBNS)
IEEE 802.1x
Deploying an 802.1x Solution
Implementing 802.1x Port-Based Authentication
Summary
References
Chapter 12. Wireless LAN (WLAN) Security
Wireless LAN (WLAN)
WLAN Security
Mitigating WLAN Attacks
Cisco Unified Wireless Network Solution
Summary
References
Chapter 13. Network Admission Control (NAC)
Building the Self-Defending Network (SDN)
Network Admission Control (NAC)
Cisco NAC Appliance Solution
Cisco NAC Framework Solution
Summary
References
Part III: Data Privacy
Chapter 14. Cryptography
Secure Communication
Virtual Private Network (VPN)
Summary
References
Chapter 15. IPsec VPN
Virtual Private Network (VPN)
IPsec VPN (Secure VPN)
Public Key Infrastructure (PKI)
Implementing IPsec VPN
Summary
References
Chapter 16. Dynamic Multipoint VPN (DMVPN)
DMVPN Solution Architecture
DMVPN Deployment Topologies
Implementing DMVPN Hub-and-Spoke Designs
Implementing Dynamic Mesh Spoke-to-Spoke DMVPN Designs
Summary
References
Chapter 17. Group Encrypted Transport VPN (GET VPN)
GET VPN Solution Architecture
Implementing Cisco IOS GET VPN
Summary
References
Chapter 18. Secure Sockets Layer VPN (SSL VPN)
Secure Sockets Layer (SSL) Protocol
SSL VPN Solution Architecture
Implementing Cisco IOS SSL VPN
Cisco AnyConnect VPN Client
Summary
References
Chapter 19. Multiprotocol Label Switching VPN (MPLS VPN)
Multiprotocol Label Switching (MPLS)
MPLS VPN (Trusted VPN)
Comparison of L3 and L2 VPNs
Layer 3 VPN (L3VPN)
Implementing L3VPN
Layer 2 VPN (L2VPN)
Implementing L2VPN
Summary
References
Part IV: Security Monitoring
Chapter 20. Network Intrusion Prevention
Intrusion System Terminologies
Network Intrusion Prevention Overview
Cisco IPS 4200 Series Sensors
Cisco IDS Services Module (IDSM-2)
Cisco Advanced Inspection and Protection Security Services Module (AIP-SSM)
Cisco IPS Advanced Integration Module (IPS-AIM)
Cisco IOS IPS
Deploying IPS
Cisco IPS Sensor OS Software
Cisco IPS Sensor Software
IPS High Availability
IPS Appliance Deployment Guidelines
Cisco Intrusion Prevention System Device Manager (IDM)
Configuring IPS Inline VLAN Pair Mode
Configuring IPS Inline Interface Pair Mode
Configuring Custom Signature and IPS Blocking
Summary
References
Chapter 21. Host Intrusion Prevention
Securing Endpoints Using a Signatureless Mechanism
Cisco Security Agent (CSA)
CSA Architecture
CSA Capabilities and Security Functional Roles
CSA Components
Configuring and Managing CSA Deployment by Using CSA MC
Summary
References
Chapter 22. Anomaly Detection and Mitigation
Attack Landscape
Anomaly Detection and Mitigation Systems
Cisco DDoS Anomaly Detection and Mitigation Solution
Cisco Traffic Anomaly Detector
Cisco Guard DDoS Mitigation
Putting It All Together for Operation
Configuring and Managing the Cisco Traffic Anomaly Detector
Configuring and Managing Cisco Guard Mitigation
Summary
References
Chapter 23. Security Monitoring and Correlation
Security Information and Event Management
Cisco Security Monitoring, Analysis, and Response System (CS-MARS)
Deploying CS-MARS
Summary
References
Part V: Security Management
Chapter 24. Security and Policy Management
Cisco Security Management Solutions
Cisco Security Manager
Cisco Router and Security Device Manager (SDM)
Cisco Adaptive Security Device Manager (ASDM)
Cisco PIX Device Manager (PDM)
Cisco IPS Device Manager (IDM)
Summary
References
Chapter 25. Security Framework and Regulatory Compliance
Security Model
Policies, Standards, Guidelines, and Procedures
Best Practices Framework
Compliance and Risk Management
Regulatory Compliance and Legislative Acts
GLBA—Gramm-Leach-Bliley Act
HIPAA—Health Insurance Portability and Accountability Act
SOX—Sarbanes-Oxley Act
Worldwide Outlook of Regulatory Compliance Acts and Legislations
Cisco Self-Defending Network Solution
Summary
References
Index
Copyright
CCIE Professional Development
Network Security Technologies and Solutions
Yusuf Bhaiji
Copyright © 2008 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or
transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or by any
information storage and retrieval system, without written
permission from the publisher, except for the inclusion of brief
quotations in a review.
Printed in the United States of America
First Printing March 2008
Library of Congress Cataloging-in-Publication Data:
Bhaiji, Fahim Hussain Yusuf.
Network security technologies and solutions / Yusuf Bhaiji.
p. cm.
ISBN 978-1-58705-246-0 (pbk.)
1. Computer networks--Security measures. I. Title.
TK5105.59.B468 2008
005.8--dc22
2008003231
ISBN-13: 978-1-58705-246-6
Warning and Disclaimer
This book is designed to provide information about network
security technologies and solutions. Every effort has been made
to make this book as complete and as accurate as possible, but
no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors,
Cisco Press, and Cisco Systems, Inc. shall have neither liability
nor responsibility to any person or entity with respect to any
loss or damages arising from the information contained in this
book or from the use of the discs or programs that may
accompany it.
The opinions expressed in this book belong to the author and
are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be
trademarks or service marks have been appropriately
capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to
the accuracy of this information. Use of a term in this book
should not be regarded as affecting the validity of any
trademark or service mark.
Corporate and Government Sales
The publisher offers excellent discounts on this book when
ordered in quantity for bulk purchases or special sales, which
may include electronic versions and/or custom covers and
content particular to your business, training goals, marketing
focus, and branding interests. For more information, please
contact:
U.S. Corporate and Government Sales 1-800-3823419
For sales outside the United States please contact: International Sales
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of
the highest quality and value. Each book is crafted with care
and precision, undergoing rigorous development that involves
the unique expertise of members from the professional
technical community.
Readers' feedback is a natural continuation of this process. If
you have any comments regarding how we could improve the
quality of this book, or otherwise alter it to better suit your
needs, you can contact us through e-mail at
Please make sure to include the
book title and ISBN in your message.
We greatly appreciate your assistance.
Publisher
Paul Boger
Associate Publisher
Dave Dusthimer
Cisco Representative
Anthony Wolfenden
Cisco Press Program Manager
Jeff Brady
Executive Editor
Brett Bartow
Managing Editor
Patrick Kanouse
Development Editor
Betsey Henkels
Project Editor
San Dee Phillips
Copy Editor
Barbara Hacha
Technical Editors
Nairi Adamian, Kevin Hofstra, Gert De Laet
Editorial Assistant
Vanessa Evans
Book and Cover Designer
Louisa Adair
Composition
Mark Shirar
Indexer
Tim Wright
Proofreader
Karen A. Gill
Dedications
This book is dedicated to my beloved wife, Farah. Without her
support and encouragement, I could not have completed this
book.
About the Author
Yusuf Bhaiji, CCIE No. 9305 (Routing and Switching and
Security), has been with Cisco for seven years and is currently
the program manager for the Cisco CCIE Security Certification
and CCIE proctor in Cisco Dubai Lab. Prior to this, he was
technical lead for the Sydney TAC Security and VPN team.
Yusuf's passion for security technologies and solutions has
played a dominant role in his 17 years of industry experience,
from as far back as his initial master's degree in computer
science, and has since been reflected in his numerous
certifications.
Yusuf prides himself in his knowledge-sharing abilities, which
are evident in the fact that he has mentored many successful
candidates, as well as having designed and delivered a number
of Network Security solutions around the globe.
Yusuf is an advisory board member of several nonprofit
organizations for the dissemination of technologies and
promotion of indigenous excellence in the field of
internetworking through academic and professional activities.
Yusuf chairs the Networkers Society of Pakistan (NSP) and IPv6
Forum Pakistan chapter.
Yusuf has also authored a Cisco Press publication titled CCIE
Security Practice Labs (ISBN 1587051346), released in early
2004. He has been a technical reviewer for several Cisco Press
publications and written articles, white papers, and
presentations on various security technologies. He is a frequent
lecturer and well-known speaker presenting in several
conferences and seminars worldwide.
About the Technical Reviewers
Nairi Adamian, CCIE Security No. 10294, has been with Cisco
since 1999 and currently is a technical support manager at
Cisco, Australia. She leads a team of customer support
engineers at the Cisco Technical Assistance Center (TAC). She
holds a bachelor's degree in computing science from University
of Technology, Sydney, and has an MBA from Macquarie
Graduate School of Management.
Kevin Hofstra, CCIE No. 14619, CCNP, CCDP, CCSP, CCVP,
manages a network engineering unit within the Air Force
Communications Agency of the U.S. Department of Defense. Mr.
Hofstra is responsible for designing, implementing, and
optimizing DoD networks and has deployed as a civilian
engineer to Iraq, Kuwait, and Qatar in support of Operation
Iraqi Freedom. Mr. Hofstra has a computer science degree from
Yale University and a master of engineering degree in
telecommunications and a master of engineering management
degree from the University of Colorado.
Gert De Laet, CCIE No. 2657, is a product manager for the
CCIE team at Cisco. Gert was a contributing author to CCIE
Security Exam Certification Guide and CCDA Exam Certification
Guide from Cisco Press. He resides in Brussels, Belgium.
Acknowledgments
I would like to thank my family for all their continuous support
and encouragement, and especially my father, Asghar Bhaiji, for
his wisdom. Last but not least, I reminisce about my mother,
Khatija Bhaiji, whose love is ever shining on me.
I would like to especially thank the technical reviewers, Nairi
Adamian, Gert De Laet, and Kevin Hofstra, who have done an
amazing job in contributing to this book. Their valuable
feedback and efforts to research each topic are greatly
appreciated in the accomplishment of this project.
I extend my sincere gratitude to Brett Bartow and the entire
development team—Betsey Henkels, Dayna Isley, Barbara
Hacha, San Dee Phillips, Chris Cleveland, and members of the
Cisco Press team working on this project, whose expert
guidance has been a determining factor in the completion of
this book.
I would like to take this opportunity to thank my manager,
Sarah DeMark, the leadership team of Learning@Cisco group,
and my colleagues at Cisco for their support in writing this book
and every other project. I have benefited greatly from working
with them and am honored to be a member of this team.
Finally, I would like to thank you, the reader of this book, for
helping me to make this book a success.
Icons Used in This Book
Command Syntax Conventions
The conventions used to present command syntax in this book
are the same conventions used in the IOS Command Reference.
The Command Reference describes these conventions as
follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italic indicates arguments for which you supply actual values.
Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets ([ ]) indicate an optional element.
Braces ({ }) indicate a required choice.
Braces within brackets ([{ }]) indicate a required choice within an optional element.
Foreword
With the explosion of the Internet economy, the continuous
availability of mission-critical systems has never been more
important. Network administrators through to business
managers are expected by their customers, employees, and
suppliers to provide constant network resource availability and
access to critical applications and data in a completely secure
environment. Not only is this a challenge, the stakes in
breaching network security have never been higher.
Network Security Technologies and Solutions is a
comprehensive, all-in-one reference for managing Cisco
networks. It was written to help network security professionals
understand and implement current, state-of-the-art network
security technologies and solutions. Whether you are an expert
in networking and security or a novice, this book is a valuable
resource.
Many books on network security are based primarily on
concepts and theory. Network Security Technologies and
Solutions, however, goes far beyond that. It is a hands-on tool
for configuring and managing Cisco market-leading dynamic
links between customer security policy, user or host identity,
and network infrastructures. The foundation of this book is
based on key elements from the Cisco security solution. It
provides practical, day-to-day guidance on how to successfully
configure all aspects of network security, covering topics such
as perimeter security, identity security and access
management, and data privacy, as well as security monitoring
and management.
Yusuf Bhaiji has been with Cisco for seven years and is currently
the product manager for the Cisco CCIE Security certification
track and a CCIE Proctor in Cisco Dubai Lab. Yusuf's passion for
security technologies and solutions is evident in his 17 years of
industry experience and numerous certifications. Yusuf's
extensive experience as a mentor and advisor in the security
technology field has honed his ability to translate highly
technical information into a straightforward, easy-to-understand
format. If you're looking for a truly comprehensive guide to
network security, this is the one!
Steve Gordon
Cisco Systems, Inc.
Vice President, Technical Services
Remote Operations Services and Learning@Cisco
Introduction
The Internet was born in 1969 as the ARPANET, a project
funded by the Advanced Research Projects Agency (ARPA) of
the U.S. Department of Defense. The Internet is a worldwide
collection of loosely connected networks that are accessible by
individual computers in varied ways, such as gateways, routers,
dial-up connections, and through Internet service providers
(ISP). Anyone today can reach any device/computer via the
Internet without the restriction of geographical boundaries.
As Dr. Vinton G. Cerf states, "The wonderful thing about the
Internet is that you're connected to everyone else. The terrible
thing about the Internet is that you're connected to everyone
else."
The luxury of access to this wealth of information comes with its
risks, with anyone on the Internet potentially being the
stakeholder. The risks vary from information loss or corruption
to information theft and much more. The number of security
incidents is also growing dramatically.
With all this happening, a strong drive exists for network
security implementations to improve security postures within
every organization worldwide. Today's most complex networks
require the most comprehensive and integrated security
solutions.
Security has evolved over the past few years and is one of the
fastest-growing areas in the industry. Information security is on
top of the agenda for all organizations. Companies need to keep
information secure, and there is an ever-growing demand for
the IT professionals who know how to do this.
Point products are no longer sufficient for protecting the
information and require system-level security solutions. Linking
endpoint and network security is a vital ingredient in designing
the modern networks coupled with proactive and adaptive
security systems to defend against the new breed of day-zero
attacks.
Security is no longer simply an enabling technology or a one-time
affair; it has become an essential component of the
network blueprint. Security technologies and solutions need to
be fundamentally integrated into the infrastructure itself, woven
into the fabric of the network. Security today requires
comprehensive, end-to-end solutions.
Goals and Methods
Cisco Network Security Technologies and Solutions is a
comprehensive all-in-one reference book that covers all major
Cisco Security products, technologies, and solutions. This book
is a complete reference that helps networking professionals
understand and implement current, state-of-the-art security
technologies and solutions. The coverage is wide but deep
enough to provide the audience with concepts, design, and
implementation guidelines as well as basic configuration skills.
With an easy-to-understand approach, this invaluable resource
will serve as a central warehouse of security knowledge to the
security professionals with end-to-end security
implementations.
The book makes no assumption of knowledge level, thereby
ensuring that the readers have an explanation that will make
sense and be comprehendible at the same time. It takes the
reader from the fundamental level of each technology to more
detailed descriptions and discussions of each subject.
With this definitive reference, the readers will possess a greater
understanding of the solutions available and learn how to build
integrated secure networks in today's modern, heterogeneous
infrastructure.
This book is comprehensive in scope, including information
about mature as well as emerging technologies, including the
Adaptive Security Appliance (ASA) Firewall Software Release