Omar Santos - End-to-End Network Security: Defense-in-Depth

Omar Santos

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

End-to-End Network Security Defense-in-Depth

Omar Santos

Copyright 2008 Cisco Systems, Inc.

Published by:

Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America

First Printing August 2007

Library of Congress Cataloging-in-Publication Data:

Santos, Omar.
End-to-end network security : defense-in-depth / Omar Santos.
p. cm.
ISBN 978-1-58705-332-0 (pbk.)
1. Computer networksSecurity measures. I. Title.
TK5105.59.S313 2007
005.8dc22
2007028287

ISBN-10: 1-58705-332-2

ISBN-13: 978-1-58705-332-0

This book is designed to provide information about end-to-end network security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at . Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales

1-800-382-3419

For sales outside the United States, please contact:

International Sales

Publisher
Paul Boger

Associate Publisher
Dave Dusthimer

Cisco Representative
Anthony Wolfenden

Cisco Press Program Manager
Jeff Brady

Executive Editor
Brett Bartow

Managing Editor
Patrick Kanouse

Development Editor
Betsey Henkels

Project Editor
Jennifer Gallant

Copy Editor
Karen A. Gill

Technical Editors
Pavan Reddy

John Stuppi

Editorial Assistant
Vanessa Evans

Book and Cover Designer
Louisa Adair

Composition
ICC Macmillan Inc.

Indexer
Ken Johnson

Proofreader
Anne Poynter

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Asia Pacific Headquarters
Cisco Systems, Inc.
168 Robinson Road
#28-01 Capital Tower
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799
Europe Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: +31 0 800 020 0791
Fax: +31 0 20 357 1100

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices .

2007 Cisco Systems, Inc. All rights reserved. CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0609R)

I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book.

I also dedicate this book to my parents, Jose and Generosa. Without their knowledge, wisdom, and guidance, I would not have the goals that I strive to achieve today.

Omar

Omar Santos is a senior network security engineer and Incident Manager within the Product Security Incident Response Team (PSIRT) at Cisco. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Before his current role, Omar was a technical leader within the World Wide Security Practice and Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations. He is an active member of the InfraGard organization. InfraGard is a cooperative undertaking that involves the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants. InfraGard is dedicated to increasing the security of the critical infrastructures of the United States of America.

Omar has also delivered numerous technical presentations to Cisco customers and partners, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of the Cisco Press books: Cisco Network Admission Control , Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS , and VPN Adaptive Security Appliance .