Network Security Auditing
Chris Jackson, CCIE No. 6256

Cisco Press
800 East 96th Street
Indianapolis, IN 46240


Network Security Auditing
Chris Jackson, CCIE No. 6256
Copyright © 2010 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
ISBN-13: 978-1-58705-352-8
ISBN-10: 1-58705-352-7
Printed in the United States of America
First Printing June 2010
Library of Congress Cataloging-in-Publication Data: Library of Congress Cataloging-in-Publication data
is on file.

Warning and Disclaimer
This book is designed to provide information about Cisco network security. Every effort has been made
to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The author, Cisco Press, and Cisco Systems, Inc. shall
have neither liability nor responsibility to any person or entity with respect to any loss or damages arising
from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems,
Inc.


Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use
of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Corporate and Government Sales
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com
For sales outside the United States please contact: International Sales international@pearsoned.com

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise of
members from the professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we
could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us
through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your
message.
We greatly appreciate your assistance.
Publisher: Paul Boger



Cisco Representative: Erik Ullanderson

Associate Publisher: Dave Dusthimer

Cisco Press Program Manager: Anand Sundaram

Executive Editor: Brett Bartow

Technical Editors: Todd Reagan, Brian Sak

Managing Editor: Sandra Schroeder

Senior Development Editor: Kimberley Debus

Project Editor: Deadline Driven Publishing

Copy Editor: Deadline Driven Publishing

Editorial Assistant: Vanessa Evans

Book Designer: Louisa Adair

Composition: Mark Shirar

Indexer: Ginny Munroe

Americas Headquarters
Cisco Systems, Inc.
San Jose, CA

Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore

Europe Headquarters
Cisco Systems International BV
Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the
Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step,
Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers,
Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and
the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)


Dedications
This book is dedicated to my beautiful wife Barbara, who also happens to be my best friend,
and my two wonderful children Caleb and Sydney. Without your love and support, this book
would not have been possible. I consider myself extremely lucky to have such a wonderful
family in my life to share this journey with. You taught me the meaning of love and you make
everything shiny and filled with joy.

About the Author
Christopher L. Jackson, CCIE No. 6256, is a security technical solutions architect in the U.S.
Channels organization with Cisco and is focused on developing security consulting practices
in the Cisco partner community. Throughout his career in internetworking, Chris has built
secure networks that map to a strong security policy for a large number of organizations
including UPS, GE, and Sprint. Chris is an active speaker on security for Cisco through
TechwiseTV, conferences, and web casts. He has authored numerous whitepapers and is
responsible for a number of Cisco initiatives to build stronger security partners through security practice building.
Chris is a highly certified individual with dual CCIEs (Routing and Switching & Security),
CISSP, ISA, seven SANS GIAC certifications (GSNA, GCIH, GCFW, GCIA, GCUX, GCWN,
and GSEC), and ITIL V3. Chris also holds a bachelors degree in business administration from
McKendree College. Residing in Bradenton, Florida, Chris enjoys tinkering with his home
automation system and playing with his ever-growing collection of electronic gadgets. His
wife Barbara and two children Caleb and Sydney are the joy of his life and proof that not
everything has to plug into a wall outlet to be fun.

About the Technical Reviewers
Todd Reagan, CCIE No. 20273, is a systems engineer for Cisco Systems where he focuses on
security technologies. Todd has more than 12 years of experience in IP internetworking,
including the design and implementation of global enterprise networks. His focus has been on
the security considerations of Internet peering, MPLS, and VPNs. He holds a bachelors
degree in computer science from Texas A&M University in College Station, Texas.
Brian Sak, CCIE 14441, CISSP, is a consulting systems engineer with Cisco Systems. He has
more than 10 years of experience with network security. Prior to joining Cisco Systems, Brian
provided consulting and assessment services for financial institutions, government agencies,
and Fortune 500 companies.


Acknowledgments
Writing a book is not an easy task. Gene Fowler summed up the writing process with the following quote: “Writing is easy. All you do is stare at a blank sheet of paper until drops of
blood form on your forehead.”
There is simply no way this book would exist without the many people who have helped me
along the way. Most of what I know about auditing and security comes from the fine people
at the SANS institute, who provide the very best in vendor-neutral security training. Thanks
to Tanya Baccam in particular for educating me about the art of auditing networks for fun
and profit.
I am very lucky to have a strong support network at Cisco of the brightest and most talented
engineers and hackers in the world. Todd Reagan helped with Chapter 7, kept me straight on
MPLS, and acted as a sounding board for my more insane concepts. Brian Sak played a major
role in assisting with the writing of the wireless and password-hacking parts of the book.
Victor Lam kept me sane and picked up the slack on my projects as I toiled away to get the
book finished. You guys are incredible friends and words do not express how grateful I am for
your support.
A big thank you to my managers Rob Learned, Chad Bullock, and Tony Bouvia. Over the past
few years, they allowed me the time to work on this project and gave me encouragement and
support along the way. You three truly care about the success of your people and represent
the best qualities Cisco has to offer.
Thanks to Patrick Stark for being a fantastic friend and leader at Cisco. You always look out
for us and help us get what we need. You are committed to our success and it shows.
Last, but definitely not least, I want to thank Brett Bartow, Kimberley Debus, Ginny Munroe,
and all of the people at Cisco Press for working with me as I juggled my day job and this
book. I started this project when dinosaurs roamed the land, and you stuck with me regardless
of my elastic concept of time. I doubt there is a more professional bunch anywhere in the
publishing business.


Contents at a Glance

Introduction  xxi
Chapter 1  The Principles of Auditing  1
Chapter 2  Information Security and the Law  27
Chapter 3  Information Security Governance, Frameworks, and Standards  61
Chapter 4  Auditing Tools and Techniques  87
Chapter 5  Auditing Cisco Security Solutions  131
Chapter 6  Policy, Compliance, and Management  153
Chapter 7  Infrastructure Security  177
Chapter 8  Perimeter Intrusion Prevention  237
Chapter 9  Access Control  289
Chapter 10  Secure Remote Access  317
Chapter 11  Endpoint Protection  359
Chapter 12  Unified Communications  397
Index  447


Contents

Introduction  xxi

Chapter 1  The Principles of Auditing  1
    Security Fundamentals: The Five Pillars  1
        Assessment  2
        Prevention  3
        Detection  3
        Reaction  4
        Recovery  4
    Building a Security Program  4
        Policy  5
        Procedures  6
        Standards  7
    Security Controls  7
        Administrative Controls  7
        Technical Controls  8
        Physical Controls  8
        Preventative Controls  8
        Detective Controls  8
        Corrective Controls  8
        Recovery Controls  9
    Managing Risk  9
        Risk Assessment  10
        Risk Mitigation  14
        Risk in the Fourth Dimension  16
    How, What, and Why You Audit  17
        Audit Charter  17
        Engagement Letter  18
        Types of Audits  19
            Security Review  19
            Security Assessment  19
            Security Audit  20
        The Role of the Auditor  20
        Places Where Audits Occur  21
            Policy Level  21
            Procedure Level  21
            Control Level  22
    The Auditing Process  22
        Planning Phase: Audit Subject, Objective, and Scope  22
        Research Phase: Planning, Audit Procedures, and Evaluation Criteria  23
        Data Gathering Phase: Checklists, Tools, and Evidence  23
        Data Analysis Phase: Analyze, Map, and Recommend  24
        Audit Report Phase: Write, Present, and File the Audit Report  24
        Follow-Up Phase: Follow up, Follow up, Follow up!  25
    Summary  25
    References in This Chapter  26

Chapter 2  Information Security and the Law  27
    IT Security Laws  27
    Hacking, Cracking, and Fraud Laws  29
        Computer Fraud and Abuse Act  29
        Access Device Statute  31
        Electronic Communications Privacy Act  34
            Title I: Wiretap Act  34
            Title II: Stored Communications Act  37
            Title III: Pen/Trap Statute  38
    Intellectual Property Laws  39
        Digital Millennium Copyright Act  39
        Economic Espionage Act  41
    CAN-SPAM Act of 2003  42
    State and Local Laws  43
    Reporting a Crime  44
    Regulatory Compliance Laws  46
        SOX  46
        HIPAA  48
            Privacy Rule  50
            Security Rule  51
            Transactions and Code Sets Standard Rule  52
            Identifiers Rule  52
            Enforcement Rule  52
        GLBA  54
        PCI DSS  55
    Summary  59
    References in This Chapter  60
        Federal Hacking Laws  60
        State Laws  60

Chapter 3  Information Security Governance, Frameworks, and Standards  61
    Understanding Information Security Governance  61
    People: Roles and Responsibilities  64
        Information Security Governance Organizational Structure  65
            Board of Directors  65
            Security Steering Committee  65
            CEO or Executive Management  66
            CIO/CISO  66
            Security Director  66
            Security Analyst  66
            Security Architect  66
            Security Engineer  67
            Systems Administrator  67
            Database Administrator  67
            IS Auditor  67
            End User  67
        Spotting Weaknesses in the People Aspect of Security  67
    Process: Security Governance Frameworks  68
        COSO  68
            Control Environment  69
            Risk Assessment  70
            Control Activities  70
            Information and Communication  70
            Monitoring  70
        COBIT  71
        ITIL  75
    Technology: Standards, Procedures, and Guidelines  76
        ISO 27000 Series of Standards  76
        NIST  78
        Center for Internet Security  80
        NSA  80
        DISA  81
        SANS  82
        ISACA  83
        Cisco Security Best Practices  84
    Summary  85
    References in This Chapter  86
        Web Resources  86

Chapter 4  Auditing Tools and Techniques  87
    Evaluating Security Controls  87
        Auditing Security Practices  89
        Testing Security Technology  91
    Security Testing Frameworks  92
        OSSTMM  93
        ISSAF  93
        NIST 800-115  94
        OWASP  94
    Security Auditing Tools  95
        Service Mapping Tools  96
            Nmap  96
            Hping  100
        Vulnerability Assessment Tools  101
            Nessus  101
            RedSeal SRM  105
        Packet Capture Tools  111
            Tcpdump  111
            Wireshark/Tshark  114
        Penetration Testing Tools  116
            Core Impact  116
            BackTrack  120
            Metasploit  127
    Summary  128
    References in This Chapter  128
        Security Testing Frameworks  128
        Security Testing Tools  129

Chapter 5  Auditing Cisco Security Solutions  131
    Auditors and Technology  131
    Security as a System  132
    Cisco Security Auditing Domains  133
        Policy, Compliance, and Management  134
        Infrastructure Security  135
        Perimeter Intrusion Prevention  136
        Access Control  136
        Secure Remote Access  137
        Endpoint Protection  138
        Unified Communications  139
    Defining the Audit Scope of a Domain  139
    Identifying Security Controls to Assess  141
    Mapping Security Controls to Cisco Solutions  143
    The Audit Checklist  144
    Summary  150

Chapter 6  Policy, Compliance, and Management  153
    Do You Know Where Your Policy Is?  153
    Auditing Security Policies  154
    Standard Policies  158
        Acceptable Use  158
        Minimum Access  158
        Network Access  158
        Remote Access  159
        Internet Access  159
        User Account Management  159
        Data Classification  159
        Change Management  160
        Server Security  161
        Mobile Devices  161
        Guest Access  161
        Physical Security  161
        Password Policy  162
        Malware Protection  162
        Incident Handling  162
        Audit Policy  162
        Software Licensing  162
        Electronic Monitoring and Privacy  163
    Policies for Regulatory and Industry Compliance  163
    Cisco Policy Management and Monitoring Tools  165
        Cisco MARS  165
        Cisco Configuration Professional  167
        Cisco Security Manager  169
        Cisco Network Compliance Manager  171
    Checklist  174
    Summary  176
    References in This Chapter  176

Chapter 7  Infrastructure Security  177
    Infrastructure Threats  177
        Unauthorized Access  177
        Denial of Service  178
        Traffic Capture  178
        Layer 2 Threats  179
        Network Service Threats  180
    Policy Review  180
    Infrastructure Operational Review  181
        The Network Map and Documentation  182
            Logical Diagrams  182
            Physical Diagrams  182
            Asset Location and Access Requirements  182
            Data Flow and Traffic Analysis  183
        Administrative Accounts  183
        Configuration Management  184
        Vulnerability Management  184
        Disaster Recovery  184
        Wireless Operations  185
    Infrastructure Architecture Review  185
        Management Plane Auditing  186
            Cisco Device Management Access  187
            Syslog  193
            NTP  194
            Netflow  195
        Control Plane Auditing  196
            IOS Hardening  196
            Routing Protocols  198
            Protecting the Control Plane  199
        Data Plane Auditing  201
            Access Control Lists  202
            iACLs  202
            Unicast Reverse Path Forwarding  203
        Layer 2 Security  204
            VTP  204
            Port Security  205
            DHCP Snooping  205
            Dynamic ARP Inspection  206
            IP Source Guard  206
            Disable Dynamic Trunking  206
            Protecting Spanning Tree  207
            Switch Access Control Lists  208
            Protect Unused Ports  209
        Wireless Security  210
            Wireless Network Architecture  210
            Cisco Adaptive Wireless Intrusion Prevention System  211
            Protecting Wireless Access  212
            Wireless Service Availability  213
            Rogue Access Point Detection  214
        General Network Device Security Best Practices  216
    Technical Testing  217
        Router Testing  219
        Switch Testing  221
        Wireless Testing  225
    Checklist  230
    Summary  235
    References in This Chapter  236

Chapter 8  Perimeter Intrusion Prevention  237
    Perimeter Threats and Risk  237
    Policy Review  238
    Perimeter Operations Review  239
        Management and Change Control  239
        Monitoring and Incident Handling  240
    Perimeter Architecture Review  242
        What Are You Protecting?  243
        Perimeter Design Review  243
            Logical Architecture  244
            Physical Architecture  245
        What Is the Risk?  246
        Good Design Practices  247
    Auditing Firewalls  247
        Review Firewall Design  248
            Simple Firewall  248
            Screening Router and Firewall  248
            Firewall with DMZ  249
            Firewall with DMZ and Services Network  249
            High Availability Firewall  250
            IOS Firewall Deployment  250
        Review Firewall Configuration  251
            Firewall Modes of Operation  252
            Firewall Virtualization  253
            Filtering Methods  253
            Network Address Translation  255
            Secure Management  256
            Logging  256
            Other Configuration Checks  256
        Review Rule Base  257
            Cisco Firewall Rule Basics  257
            Rule Review  259
            Rule Optimization  260
            The ASA Modular Policy Framework and Application Inspection  261
            IOS Zone-Based Firewall  263
    Auditing IPS  265
        How IPS Works  266
        Review IPS Deployment  268
        Review IPS Configuration  269
            Protect the Management Interface  271
            Administrative Access and Authentication  271
            NTP Configuration  274
            Signature Updates  274
            Event Logging  275
        Review IPS Signatures  276
            Signature Definitions  276
            Event Action Rules  277
            Target Value Rating  277
        IOS IPS  278
    Technical Control Testing  279
        Firewall Rule Testing  279
        Testing the IPS  281
            Conducting an IPS Test  282
            Reviewing the Logs  284
    Checklist  284
    Summary  287
    References in This Chapter  288

Chapter 9  Access Control  289
    Fundamentals of Access Control  289
        Identity and Authentication  290
    Access Control Threats and Risks  291
    Access Control Policy  292
    Access Control Operational Review  293
        Identity Operational Good Practices  293
        Authorization and Accounting Practices  294
        Administrative Users  296
        Classification of Assets  297
    Access Control Architecture Review  297
        Identity and Access Control Technologies  298
        Network Admission Control  298
            NAC Components  299
            How NAC Works  300
            NAC Deployment Considerations  302
            NAC Posture Assessment  303
        Identity-Based Networking Services  304
            Deployment Methods  305
        NAC Guest Server  306
        NAC Profiler  306
    Technical Testing  308
        Authentication and Identity Handling  308
        Posture Assessment Testing  309
        Testing for Weak Authentication  309
    Checklist  313
    Summary  315
    References in This Chapter  315

Chapter 10  Secure Remote Access  317
    Defining the Network Edge  317
    VPN Fundamentals  318
        Confidentiality  319
            Symmetric Encryption  320
            Asymmetric Encryption  321
        Integrity  323
        Authentication and Key Management  324
        IPsec, SSL, and dTLS  326
            IPsec  326
            Secure Sockets Layer  328
            Datagram Transport Layer Security (dTLS)  329
    Remote Access Threats and Risks  329
    Remote Access Policies  330
    Remote Access Operational Review  331
        VPN Device Provisioning  331
        Mobile Access Provisioning  332
        Mobile User Role-Based Access Control  333
        Monitoring and Incident Handling  333
    Remote Access Architecture Review  333
        Site-to-Site VPN Technologies  335
            Easy VPN  335
            IPsec and Generic Routing Encapsulation (GRE)  336
            Dynamic Multipoint VPN (DMVPN)  336
            Multiprotocol Label Switching (MPLS) and Virtual Routing and Forwarding (VRF) VPNs  337
            GETVPN  339
        Mobile User Access VPN  340
            IPsec Client  341
            Clientless SSL VPN  341
            Cisco Secure Desktop  342
            SSL Full Tunneling Client  344
        VPN Network Placement  345
        VPN Access Controls  346
            Site-to-Site Access Controls  346
            Mobile User Access Controls  347
        Remote Access Good Practices  348
    Technical Testing  350
        Authentication  350
        IPsec  351
        SSL  352
        Site-to-Site Access Control Testing  353
        Mobile User Access Control Testing  353
        Monitoring and Log Review  354
    Checklist  354
    Summary  358
    References in This Chapter  358

Chapter 11  Endpoint Protection  359
    Endpoint Risks  359
    Endpoint Threats  360
        Malware  360
        Web-Based Threats  362
        Social Networking and Web 2.0  365
        E-Mail Threats  366
        Data Loss Threats  367
    Policy Review  368
    Endpoint Protection Operational Control Review  370
        Current Threat Intelligence  370
        Vulnerability and Patch Management  373
        Monitoring and Incident Handling  373
        Security Awareness Program  374
    Endpoint Architecture Review  374
        Cisco Security Intelligence Operations  375
            SensorBase  375
            Cisco Threat Operations Center  375
            Dynamic Update Function  376
        Web Controls  376
            Web Security Appliance  376
            ASA  378
            IPS  379
            CSA  380
        E-Mail Controls  380
            E-Mail Policy Enforcement  381
            E-Mail Authentication  381
        Data Loss Prevention  383
            Web  383
            E-Mail  384
            Client  385
        Patch Management  386
        Monitoring  386
            Web  386
            E-Mail  388
            MARS  388
    Technical Testing  388
        Acceptable Use Enforcement  388
        Malware Detection and Quarantine  389
        SPAM, Phishing, and E-Mail Fraud  390
        Encryption  390
        Patch Management and Enforcement  390
        Data Loss Prevention Testing  391
        Detection and Response  391
    Checklist  391
    Summary  396
    References in This Chapter  396

Chapter 12  Unified Communications  397
    Unified Communications Risks  397
    VoIP Threats  399
        Denial of Service  399
        Confidentiality  401
        Fraud  401
    UC Policy and Standards Review  403
    UC Operational Control Review  404
        User and Phone Provisioning  404
        Change Management  405
        Asset Management  405
        Call Detail Record Review  406
        Administrative Access  406
        Vulnerability Management  406
        Security Event Monitoring and Log Review  407
        Disaster Recovery  408
    UC Architecture Review  408
        Unified Communications Fundamentals  409
            H.323  410
            MGCP  412
            SCCP  412
            SIP  413
            Session Border Controller  415
            RTP and SRTP  416
            Call Processing  416
        Infrastructure Controls  418
            Switch Security  418
            ACLs and Firewalling  420
            IPS  421
            Gateway Protection  422
            Site to Site  422
            Wireless  423
        Call Control Protection  423
            Communications Manager Hardening  423
            Authentication, Integrity, and Encryption  424
            Phone Proxy  426
            Secure SIP Trunking  426
            Toll Fraud Prevention  428
        Application Controls  431
        Voice Endpoint Controls  432
        Monitoring and Management  433
    Technical Testing  434
        VLAN Separation  434
        Eavesdropping  436
        Gateway  438
        Toll Fraud  438
        Monitoring and Incident Detection  438
    Checklist  439
    Summary  444
    References in This Chapter  445

Index  447


Icons Used in This Book

The icon legend (the graphics themselves are not reproduced in this text) identifies the following symbols: Router, Edge Label Switch Router, NetRanger, Voice-Enabled Router, NAC Appliance, Switch, Multilayer Switch, PIX Firewall, Cisco ASA Appliance, ATM Switch, Authentication Server, Firewall, Firewall Services Module, Cisco Unified Presence Server, Cisco Unity Server, Laptop, IP Telephony Router, PC, Ethernet Connection, Serial Connection, Signaling Controller, TelePresence, IP Phone, Cisco Unified Communications Manager (CUCM), Wireless Access Point, File Server, Web Server, Polycom Phone, Analog Phone, SIP Proxy Server, PMC Mobile Access Phone, PBX, Network Cloud, and Cisco Carrier Routing System.

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italic indicates arguments for which you supply actual values.
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square brackets ([ ]) indicate an optional element.
- Braces ({ }) indicate a required choice.
- Braces within brackets ([{ }]) indicate a required choice within an optional element.

Introduction
Mention the word audit to IT professionals and you will probably see their eyes glaze over as they imagine frightening visions of auditors with pointy tails, pitchforks, and checklists running around and pointing out all of the things they have done wrong to their manager. The purpose of a security audit is not to place blame or pick apart network design, but to ensure the integrity, effectiveness, and compliance of corporate security policies. Auditing provides the ability to test the assumptions companies have about how secure they think they are from threats and to gauge whether or not policies map to industry best practices and compliance laws. An organization’s level of risk is quantified by placing a value on the assets of the business and analyzing what impact the exploitation of vulnerabilities can have on the business as a whole. Auditors find risk and check to see whether the appropriate controls are in place to mitigate exposure to that risk.

Auditing is not just about running a bunch of hacker tools in an attempt to break into the network. There are many types of audits, and the scope of an audit defines what the auditor inspects and how often. Many organizations require an annual audit of key systems by an outside firm (external audit), whereas others also mandate internal audits every six months or before and after any major IT project. If you are subject to PCI compliance requirements, you might need to have an audit performed every quarter. The bottom line is that if you aren’t auditing today, you will be forced to through regulations or encouraged to by industry best practices. It simply makes good business sense to measure the effectiveness of your security investment.

The ultimate benefit of auditing is to continuously improve the processes, procedures, and controls put in place to secure valuable corporate assets. Businesses today have a responsibility to their customers to safeguard their confidential data. Numerous high-profile security failures have shattered that trust through carelessness while handling backup media, allowing millions of credit cards and financial records to fall into the hands of individuals determined to illegally profit at the expense of others. It takes only one major breach to appear in the news for a company to experience significant loss of shareholder value and sometimes even the total loss of the company itself. Having a policy and enforcing it are essential to protecting your business. Auditing that policy plays a key role in making sure that the policy actually accomplishes the goal of reducing risk and therefore protects key assets from loss. A large percentage of security failures can be minimized or prevented with a strong risk-based auditing program.

Goals
The goal of this book is not to be yet another hacker book devoted to the latest tools and techniques for breaking into networks. Those skills are useful, but they are not the primary focus of a security audit. Many books have been devoted to that topic, and they are typically out of date by the time they come to press because of the speed at which technology changes. This book is about measuring the deployment of Cisco security technologies to mitigate risk. Baseline technical testing is covered from a process standpoint, but the focus is not on penetration testing.


This book provides the reader with a practical guide to building an auditing and assessment
program that factors in regulatory and industry security requirements, with real examples of
how Cisco products can help address those needs. Recognizing that security is a system that
relies on strong policy is the key principle. The value of the book lies in its ability to show real
applications of Cisco security technology in the context of an auditing framework. Here are
the key benefits of the book:


- Provides an overview of the auditing process and introduces important regulations and industry best practices.
- Demonstrates how to use commercial and open source tools to assist with the auditing process and validate security policy assumptions.
- Introduces IT governance frameworks such as COBIT, ITIL, and ISO 17799/27001 while providing guidance about how to leverage each with Cisco security products.
- Shows the reader how to segment security architectures into domains that provide a systems approach to auditing Cisco networks.
- Supplies a detailed auditing checklist after each domain for the reader to utilize in an auditing program.
- Provides design guidance for meeting auditing requirements and shows how complementary security solutions greatly increase the overall security posture of a company.
- Guides the reader to build an auditing program that utilizes the techniques presented in the book.

Who Should Read This Book?
This book is geared toward beginner- to intermediate-level auditing and, more specifically, auditing as it pertains to Cisco networks. The content is useful to anyone who wants to build a program to measure the effectiveness of Cisco security products. IT governance and auditing have common roots with financial auditing, and in many cases they are ultimately the responsibility of the CFO in larger organizations. The language and procedures an IT auditor follows are similar to how a CPA might examine the books to certify that a business is keeping its records accurately and paying its taxes on time. Both disciplines keep their eyes open for fraud and try to anticipate how a system of controls can be circumvented. Not every aspect of auditing is covered here; database and web application auditing, for example, are left out because the focus of this book is auditing the network. Numerous other books are dedicated to application and website auditing and would be better at providing a deeper understanding of those areas. If you are an IT auditor, security consultant, InfoSec manager, or someone who wants to assess your own network for good security deployment practices, then this book is for you.


How This Book Is Organized

The organization of this book breaks the material up into two major parts. The first part covers the principles of auditing and strives to teach the language and key components of the auditing process. This overview pulls together a number of techniques for identifying risk and shows how we must think like auditors in our network designs and device configurations. It also covers the major regulatory, industry compliance, and security framework initiatives. The section ends with a description of common auditing tools and techniques that can be used to assess and verify that the policy is enforced by technical controls.

The second part, consisting of Chapters 5 through 12, covers the major Cisco security solution domains, which break down Cisco security technologies into seven categories that enable the auditor to examine network security as a system of integrated components rather than individual products. Each chapter discusses the risks, threats, policies, procedures, and technical controls that can be deployed to defend each domain. Best practices on network security design and configuration are covered, too. The reader is also supplied with a checklist that can be used as a starting point or reference for auditing.

The following provides more detail on the contents of each chapter:

Part I, “Principles of Auditing”

Chapter 1, “Principles of Auditing”: This chapter defines security fundamentals, including policies, procedures, standards, and controls, and covers the basics of risk management and the how, what, and why of performing audits. In addition, the auditing process is outlined with a six-step methodology that can be used in performing an audit.

Chapter 2, “Security and the Law”: This chapter is about IT security laws and regulatory compliance, with an overview of many of the major federal and state statutes governing IT security. SOX, HIPAA, and GLBA are covered in addition to the PCI standard.

Chapter 3, “Security Governance, Frameworks, and Standards”: Security governance frameworks such as COSO, COBIT, and ITIL help businesses coordinate people, process, and technology around security objectives. This chapter covers these frameworks, and also includes where to find source material that can be useful in building standards, procedures, and guidelines for security technology deployment.

Chapter 4, “Auditing Tools and Techniques”: This chapter addresses the basics for evaluating security controls through technical testing. A combination of open source, commercial, and integrated Cisco testing tools is presented.

Part II, “Mapping Cisco Security Controls to Auditing Requirements”

Chapter 5, “Security Solutions Domains”: Security solution domains are introduced in this chapter as a method for assessing network security as an interconnected system. This chapter also discusses building checklists for security audits.

Chapter 6, “Policy and Compliance”: Policy and compliance is the first auditing domain and is focused on assessing security policies. This chapter provides an overview of key security policies that businesses should have and how they should be constructed.


Chapter 7, “Infrastructure Security”: This chapter covers assessing the baseline security features and configuration that should be implemented on Cisco routers, switches, and wireless devices.

Chapter 8, “Perimeter Intrusion Prevention”: Assessing perimeter defenses is covered in this chapter, with a focus on firewalls and intrusion prevention systems.

Chapter 9, “Access Control”: Access control technologies enable the enforcement of role-based access requirements that follow the principle of least privilege. This chapter describes how to assess identity-based networking solutions and network admission control.

Chapter 10, “Remote Access”: This chapter covers how to assess VPN technologies, including site-to-site and mobile-user VPNs. Best practices for deployment and testing methods are also discussed.

Chapter 11, “Endpoint Protection”: Endpoint protection is about preventing and detecting attacks targeted at users and their network devices. This chapter discusses methods that can be used to assess policies, procedures, and controls to protect endpoints from web, email, malware, and data loss threats.

Chapter 12, “Unified Communications”: This chapter addresses auditing Unified Communications systems: the policies, procedures, and security controls used to maintain confidentiality and defend against fraud.

