Network Security Architectures

Welcome to the twenty-first century in the world of computers and networking. With more issues occurring that have negative affects on the environment that information technologists work in, the knowledge of information security is slowly becoming critical. Sean Convery presents a detailed guide into the world of designing a secure network environment. Within "Network Security Architecture", Sean delves into the whys, the hows, and most importantly the cause and effect. As you examine the table of contents alone, it becomes clear that he has spent a great deal of time researching and detailing numerous different components of a network environment that have to be examined and considered for proper network security. A close look at the book's table of contents will point out different areas that any Network Engineering individual from the Junior Administrator to the Senior Architect needs to be knowledgeable in. Sean examines policy, threats and the technologies available, he details how to harden devices and describes items that need to be considered in designing either new networks or enhancing existing ones. For these reasons alone this book is necessary for anyone that manages any portion of a computer network. This book offers far more than an education of network security. It is clearly designed not only to educate individuals, but provide a single reference for all network security areas as well. Like many Cisco Press books, "Network Security Architectures" chapters are divided into three sections --: an introduction, the body, and finally a summary. It is these summary sections that help the most. In For example, in Chapter 6 on pages 262 thru 264, the concept of Design Consideration is summarized with charts. Where individual summaries appear light or limited, the book enhances the information covered in a section called "Applied Knowledge". This section helps individuals quickly implement what is covered in extreme detail in the chapter. Don't just look at the summary and applied knowledge sections, because this would not do all the hard work Sean placed in the book justice. For instance, in Chapter 5 on Hardening Devices, Sean provides clear examples on how to configure devices for security and hardening. This topic alone has not similarly covered since O'Reilly's book on "Hardening Cisco Routers" and that one did not go to the level of how to configure the devices fully. As anyone that is familiar with Cisco Technology and Cisco Systems knows, they routinely publish various "SAFE" documents on topics. This book takes input from those documents, combining them with other both real world examples and theory to provide a greater combined presentation. Like any Cisco documentation this book can either be read in its entirety from cover to cover or only the sections that are needed now. But as you read the book you will realize that while "SAFE" documents focus on key issues, this book details not only the issues and the

Overall I give this book two thumbs up. Here are a few things I got out of this book: Under the section titled "security policies and operations lifecycle", I found the introduction very helpful. I like the way the topics are broken down into business needs, risk analysis, security policy development, followed by the operations lifecycle that included information on system monitoring maintenance, compliance checking, and incident response. Under the section titled "what is a security policy", I also found this section helpful and the simple statements describing a security policy as a formal statement of rules where people are given access to an organizations technology information assets, was very concise and understandable. Under the section titled "security policy enforcement considerations", I found it interesting that this was broken into several different sections of real-time technology enforcement, passive technology assisted compliance checking, non-technical compliance checking, and contractual compliance checking. This little section made policy enforcement crystal clear while providing a practical outline for policy enforcement. Another helpful feature of this book was on page 45 where an outline of best practice steps are given. These four steps to building a best practice for security provided a decent roadmap for developing a practical security policy. Under the section "secure networking threats", the descriptions provided for the attack process and attacker types was very enlightening. I also found it interesting to read about the Script Kittie, Crackers, and Elite network attackers. The section also described vulnerability types as software, hardware, configuration, policy, and usage, which I also found to be a great outline and organized structure for understanding where these vulnerabilities lie. Also in this section of "secure networking threats" on the summary page on 115 I found the attack summary table with scoring to be a very ingenious tool. This table breaks down the following attack elements and rates them according to detection difficulty, ease-of-use, frequency, impact and, overall rating. The following attack elements were included in this table: Buffer overflow, Identity spoofing, war dialling/driving, virus/word/Trojan horse, direct access, remote control software, probe scan, rootkit, Sniffer, application floating, udp spoofing, rouge devices, Web applications, data scavenging, man in the middle, distributed denial of service, TCP spoofing, Arp redirection spoofing, TCP Syn flood, IP spoofing, IP redirection, Smurf, transport redirection, MAC Flooding, Mac spoofing, network manipulation, and STP redirection. All in all I felt this was a very comprehensive list. In the section titled "general design considerations", this section provided a fantastic overview of how to control physical access to facilities and the different methods for doing so including lock and key access, key card access,

This comprehensive textbook is ideal for information security architects tasked with designing secure networks, both as a teaching text and as a reference. It covers: - Good practice network security design guidelines ('axioms') - Purpose and definition of network security policies - Good advice on designing the network security system (i.e. the overarching network security architecture into which individual network devices must fit) from the ground up (i.e. physical security to application security, OSI layers 1 to 7) - Specific technical advice on configuring network devices for security ('hardening') - Technical descriptions of the vulnerabilities in network services, accompanied by advice on how to secure them - Typical design considerations for network perimeter ('edge') security, internal network ('campus') security and remote access (teleworker) security - Secure network management and network security management (compared and contrasted in 40 pages) I appreciate the author's emphasis on architectural security design but he also succeeds in giving a reasonably comprehensive introduction to more specific elements of network security. This is not a hand-waving helicopter-overview of the topic but a far more substantial tome. At the same time, the clear writing style, simple diagrams and nuggets of practical advice make it an enjoyable read. The book is liberally sprinkled with URLs to useful additional resources and the author maintains a website with up-to-date links and a sample chapter (www.seanconvery.com). Each chapter concludes with exam-style review questions (with answers) and further questions intended to stimulate the reader to think about the material in their local organizational context. The topic almost inevitably involves loads of acronyms so thankfully a succinct glossary is included. Three network security design examples (mini case studies) towards the end of the book demonstrate the techniques previously described. These are good for getting readers to practice thinking like a real network security architect. Despite being published by Cisco Press, the book is not specifically about Cisco products. However, the examples and several of the security features are Cisco-specific. Given the market presence of Cisco, this is not a serious drawback but a little more balance would have added credibility (e.g. security vulnerabilities in LEAP, Cisco's wireless LAN authentication protocol, are not described but merely hinted-at). All in all, this book has already proved its worth to me. I read it cover-to-cover in a couple of days and have already started using it as a reference. Recommended reading for those with a professional interest in information security architecture.

I have read many books in the Cisco Press and this one is up there with the best in terms of practical use, technical depth and ease of reading. The author does a great job of laying out the book in a logical manner that is sure to help Security Architects take on the daunting task of network security design with a higher level of confidence. As a systems engineer responsible for large network designs, I have found this book to provide very good information for many scenarios, a multitude of good links to provide additional resources for discussed topics as well as out of scope topics, and also a good supplement for the backround knowledge required for the CCIE Security exam, for which I am currently preparing for. I consider this one as much a must have as Doyle for IP Routing or Clarke for LAN Switching.Raymond Santini CCIE# 12315