Network Security Architectures (Hardcover)

~ (Author)

Editorial Reviews

Amazon.com Review

Network security is finally getting the attention it's long deserved, with organizations devoting time and money to the problem and more than a few independent consultants peddling their services in the area. Network security, though, is hard to do right, largely because it's not concerned with making the network do something (like connect the head office to the factory), but with making it not do something (allow access to an ill-defined community of malefactors). Network Security Architectures explains the generally accepted design practices that make networks as resistant as possible to damage and invasion.

Relatively little of this book is concerned with software configuration details, and it's generally not a paean to Cisco Systems products. Rather, this is a design guide, advising that it's usually best to put the proxy server inside the firewall and often a good idea to put IP phones on a private (RFC 1918) address range. Sean Convery--he wrote one of Cisco's standard security white papers--diligently explains why his advice is as it is, and how anticipated evolutions in technology might change design decisions. He makes clear that network security is an evolving discipline, but in this book documents the state of the art very well. Read this, then keep up with the latest on the Web sites, and you'll be in great shape to keep your networks safe. --David Wall

Topics covered: How to design data networks (including those that carry voice over IP) to be as inherently secure as possible. Threat assessment, device hardening, safe routing, VPNs, and the specific risks and requirements of applications (such as email) are covered. Detailed designs appear for common situations, such as securing telecommuter connections and tightening security on a corporate campus.

Product Description

Expert guidance on designing secure networks

Understand security best practices and how to take advantage of the networking gear you already have
Review designs for campus, edge, and teleworker networks of varying sizes
Learn design considerations for device hardening, Layer 2 and Layer 3 security issues, denial of service, IPsec VPNs, and network identity
Understand security design considerations for common applications such as DNS, mail, and web
Identify the key security roles and placement issues for network security elements such as firewalls, intrusion detection systems, VPN gateways, content filtering, as well as for traditional network infrastructure devices such as routers and switches
Learn 10 critical steps to designing a security system for your network
Examine secure network management designs that allow your management communications to be secure while still maintaining maximum utility
Try your hand at security design with three included case studies

Benefit from the experience of the principle architect of the original Cisco Systems SAFE Security Blueprint
Written by the principle architect of the original Cisco Systems SAFE Security Blueprint, Network Security Architectures is your comprehensive how-to guide to designing and implementing a secure network. Whether your background is security or networking, you can use this book to learn how to bridge the gap between a highly available, efficient network and one that strives to maximize security. The included secure network design techniques focus on making network and security technologies work together as a unified system rather than as isolated systems deployed in an ad-hoc way.

Beginning where other security books leave off, Network Security Architectures shows you how the various technologies that make up a security system can be used together to improve your network's security. The technologies and best practices you'll find within are not restricted to a single vendor but broadly apply to virtually any network system. This book discusses the whys and hows of security, from threats and counter measures to how to set up your security policy to mesh with your network architecture. After learning detailed security best practices covering everything from Layer 2 security to e-commerce design, you'll see how to apply the best practices to your network and learn to design your own security system to incorporate the requirements of your security policy. You'll review detailed designs that deal with today's threats through applying defense-in-depth techniques and work through case studies to find out how to modify the designs to address the unique considerations found in your network.

Whether you are a network or security engineer, Network Security Architectures will become your primary reference for designing and building a secure network.

This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

See all Editorial Reviews

Product Details

• Hardcover: 792 pages
• Publisher: Cisco Press; 2nd edition (April 29, 2004)
• Language: English
• ISBN-10: 158705115X
• ISBN-13: 978-1587051159
• Product Dimensions: 9.2 x 7.6 x 2 inches
• Shipping Weight: 3.3 pounds (View shipping rates and policies)
• Average Customer Review: 5.0 out of 5 stars  See all reviews (4 customer reviews)
• Amazon.com Sales Rank: #536,185 in Books (See Bestsellers in Books)

Customer Reviews

Most Helpful Customer Reviews

9 of 9 people found the following review helpful:

5.0 out of 5 stars Cisco Security for Network Architecture, December 2, 2004

By	Joel E. Natt (Atlanta, GA USA) - See all my reviews (REAL NAME)

Welcome to the twenty-first century in the world of computers and networking. With more issues occurring that have negative affects on the environment that information technologists work in, the knowledge of information security is slowly becoming critical. Sean Convery presents a detailed guide into the world of designing a secure network environment. Within "Network Security Architecture", Sean delves into the whys, the hows, and most importantly the cause and effect. As you examine the table of contents alone, it becomes clear that he has spent a great deal of time researching and detailing numerous different components of a network environment that have to be examined and considered for proper network security.

A close look at the book's table of contents will point out different areas that any Network Engineering individual from the Junior Administrator to the Senior Architect needs to be knowledgeable in. Sean examines policy, threats and the technologies available, he details how to harden devices and describes items that need to be considered in designing either new networks or enhancing existing ones. For these reasons alone this book is necessary for anyone that manages any portion of a computer network. This book offers far more than an education of network security. It is clearly designed not only to educate individuals, but provide a single reference for all network security areas as well.

Like many Cisco Press books, "Network Security Architectures" chapters are divided into three sections --: an introduction, the body, and finally a summary. It is these summary sections that help the most. In For example, in Chapter 6 on pages 262 thru 264, the concept of Design Consideration is summarized with charts. Where individual summaries appear light or limited, the book enhances the information covered in a section called "Applied Knowledge". This section helps individuals quickly implement what is covered in extreme detail in the chapter. Don't just look at the summary and applied knowledge sections, because this would not do all the hard work Sean placed in the book justice. For instance, in Chapter 5 on Hardening Devices, Sean provides clear examples on how to configure devices for security and hardening. This topic alone has not similarly covered since O'Reilly's book on "Hardening Cisco Routers" and that one did not go to the level of how to configure the devices fully.

As anyone that is familiar with Cisco Technology and Cisco Systems knows, they routinely publish various "SAFE" documents on topics. This book takes input from those documents, combining them with other both real world examples and theory to provide a greater combined presentation. Like any Cisco documentation this book can either be read in its entirety from cover to cover or only the sections that are needed now. But as you read the book you will realize that while "SAFE" documents focus on key issues, this book details not only the issues and the possible alternatives, but provides reasoning for implementing the recommendations in clear English. Convery's book is both an excellent resource and a great guide. Its ability to present both the Cisco and the real world philosophy on network architecture is critical for all that work in this arena.

As I mentioned previously Convery, uses the Cisco "SAFE" documents as guide points, but those are only detailed references. His book takes them to the next logical level and as such I could spend hours and pages detailing all the other reasons someone should acquiring a copy of this book, but the key reason I believe is that it is a clear consolidated source to design, implement and support a secure and highly available network. But the simple fact is in this day and age with more and more Viruses, Worms, Trojan horses, Network Probe attacks and numerous other problems in the growing Internet can anyone not afford to plan a "SMART" and "SAFE" network architecture? That is the real question that should drive someone to consider this book for there library and refer to it on a regular basis. I know I have already.

I highly recommend this excellent reference book for networking and security practitioners in any size environment. The investment will save time and money, even if only a few of the recommendations are implemented. You will find yourself referring to it frequently.

8 of 8 people found the following review helpful:

5.0 out of 5 stars Network Security Design Must Have, June 1, 2004

By	Raymond A Santini (New York, NY) - See all my reviews

I have read many books in the Cisco Press and this one is up there with the best in terms of practical use, technical depth and ease of reading. The author does a great job of laying out the book in a logical manner that is sure to help Security Architects take on the daunting task of network security design with a higher level of confidence. As a systems engineer responsible for large network designs, I have found this book to provide very good information for many scenarios, a multitude of good links to provide additional resources for discussed topics as well as out of scope topics, and also a good supplement for the backround knowledge required for the CCIE Security exam, for which I am currently preparing for. I consider this one as much a must have as Doyle for IP Routing or Clarke for LAN Switching.

Raymond Santini CCIE# 12315

7 of 7 people found the following review helpful:

5.0 out of 5 stars Recommended for professional infosec architects, June 26, 2004

By	Dr. G. Hinson "NoticeBored.com" (New Zealand) - See all my reviews (REAL NAME)

This comprehensive textbook is ideal for information security architects tasked with designing secure networks, both as a teaching text and as a reference. It covers:
- Good practice network security design guidelines ('axioms')
- Purpose and definition of network security policies
- Good advice on designing the network security system (i.e. the overarching network security architecture into which individual network devices must fit) from the ground up (i.e. physical security to application security, OSI layers 1 to 7)
- Specific technical advice on configuring network devices for
security ('hardening')
- Technical descriptions of the vulnerabilities in network services, accompanied by advice on how to secure them
- Typical design considerations for network perimeter ('edge') security, internal network ('campus') security and remote access (teleworker) security
- Secure network management and network security management (compared and contrasted in 40 pages)

I appreciate the author's emphasis on architectural security design but he also succeeds in giving a reasonably comprehensive introduction to more specific elements of network security. This is not a hand-waving helicopter-overview of the topic but a far more substantial tome. At the same time, the clear writing style, simple diagrams and nuggets of practical advice make it an enjoyable read.

The book is liberally sprinkled with URLs to useful additional resources and the author maintains a website with up-to-date links and a sample chapter (www.seanconvery.com).

Each chapter concludes with exam-style review questions (with answers) and further questions intended to stimulate the reader to think about the material in their local organizational context. The topic almost inevitably involves loads of acronyms so thankfully a succinct glossary is included.

Three network security design examples (mini case studies) towards the end of the book demonstrate the techniques previously described. These are good for getting readers to practice thinking like a real network security architect.

Despite being published by Cisco Press, the book is not specifically about Cisco products. However, the examples and several of the security features are Cisco-specific. Given the market presence of Cisco, this is not a serious drawback but a little more balance would have added credibility (e.g. security vulnerabilities in LEAP, Cisco's wireless LAN authentication protocol, are not described but merely hinted-at).

All in all, this book has already proved its worth to me. I read it cover-to-cover in a couple of days and have already started using it as a reference. Recommended reading for those with a professional interest in information security architecture.