Find a bad link or one in the book I don't have here? Send me email at: sconvery@employees.org

Chapter 1: Network Security Axioms

  • CAIDA
  • Ptacek, Thomas H., and Timothy N. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection.
  • Tippett, P. "Defense-In-Breadth." Information Security Magazine (February 2002).

Chapter 2: Security Policy and Operations Life Cycle

  • Analysts: Egghead's inquiry cost millions.
  • Fraser, B. RFC 2196, Site Security Handbook.
  • Guel, Michele D. A Short Primer for Developing Security Policies.
  • Hackers break in N.Y. Times Web site.
  • Insecure.org.
  • Moore, A., R. Ellison, and R. Linger. Attack Modeling for Information Security and Survivability. Technical note CMU/SEI-2001-TN-001.
  • Nessus Vulnerability Scanner.
  • Packetstorm Security.
  • SecurityFocus.

Chapter 3: Secure Networking Threats

  • Aleph One. Smashing the Stack for Fun and Profit.
  • Back Orifice 2000.
  • CAIDA Code Red Analysis.
  • CERT Code Red Advisory.
  • CERT Melissa Advisory.
  • CERT Nimda Advisory.
  • Chkrootkit.
  • Computer Emergency Response Team.
  • Cross-Site Scripting FAQ.
  • Dave Dittrich's Distributed Denial of Service site.
  • DC Phone Home. -link dead?
  • dsniff.
  • Ethereal.
  • Ettercap.
  • Fragroute.
  • Fyodor. Remote OS Detection via TCP/IP Stack FingerPrinting.
  • Google.
  • Howard, John D. An Analysis of Security Incidents on the Internet, 1989-1995.
  • Hping.
  • John the Ripper Password Cracker.
  • LC4.
  • Libnet.
  • Nessus.
  • Netcat.
  • Netstumbler.
  • Nmap.
  • Paketto Keiretsu.
  • Ptacek, Thomas H., and Timothy N. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection.
  • Slashdot.
  • STRIP. - Link Updated Since Book Publish
  • War driving.
  • World Wide Web Security FAQ.

Chapter 4: Network Security Technologies

  • Computer Security Issues and Trends, CSI 2002.
  • Ellison, C., and B. Schneier. Ten Risks of PKI.
  • halflife. Bypassing Integrity Checking Systems. Phrack Issue 51
  • Hogwash. - Site no longer being maintained
  • Yan, Jeff. A Note on Proactive Password Checking.

Chapter 5: Device Hardening

  • Apache HTTP Server Project. Security Tips: Apache HTTP Server Security.
  • APTools.
  • Brett and Variable K. "Building Bastion Routers Using Cisco IOS." Phrack Magazine 9, no. 55 (September 1999), 10 of 19.
  • Cisco Systems, Inc. AutoSecure.
  • Cisco Systems, Inc. Cisco PIX Firewall System Log Messages.
  • Cisco Systems, Inc. Configuring Secure Shell.
  • Cisco Systems, Inc. Configuring SNMP Support.
  • Cisco Systems, Inc. Improving Security on Cisco Routers.
  • Cisco Systems, Inc. Logging System Messages.
  • Cisco Systems, Inc. Quick Start Guide for Cisco Intrusion Detection System Version 4.0.
  • Cisco Systems, Inc. SC: Part I: Authentication, Authorization, and Accounting (AAA).
  • FreeBSD. FreeBSD Security How-To.
  • Microsoft. Microsoft TechNet Security Guides. - Link Updated Since Book Publish
  • National Security Agency Security Recommendation Guides. Cisco Router Guides. - Link Updated Since Book Publish
  • Securing Debian Manual. - Link Updated Since Book Publish
  • Sun Microsystems. Sun Blueprints Program and Sun Blueprints Online Magazine.
  • Thomas, R. Secure BIND Template.

Chapter 6: General Design Considerations

  • Arkin, O. ICMP Usage in Scanning.
  • arpwatch.
  • Baker, F., and R. Atkinson. RFC 2082, RIP-2 MD5 Authentication.
  • Cisco ACL Fragmentation Issues.
  • Cisco Documentation: ARP Inspection.
  • Cisco Documentation: DHCP Snooping.
  • Cisco Documentation: PIX Static Command.
  • Cisco Documentation: Port Security.
  • Cisco Documentation: Private VLANs.
  • Cisco Documentation: TCP Intercept.
  • Cisco Documentation: Unicast RPF.
  • Convery, S. Hacking Layer 2: Fun with Ethernet Switches.
  • DHCP DoS.
  • dsniff.
  • Ferguson, P., and D. Senie. RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing.
  • Greene, B., C. Morrow, and B. Gemberling. ISP Security - Real World Techniques.
  • Heffernan, A. RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option.
  • IANA IPv4 Address Allocation.
  • Kuhn, M. and R. Anderson. Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations.
  • Kuhn, Markus G. Optical Time-Domain Eavesdropping Risks of CRT Displays.
  • Malkin, G. RFC 1723, RIP Version 2 Carrying Additional Information.
  • Morrow, C., and B. Gemberling. Backscatter DDoS Traceback.
  • Morrow, C., and B. Gemberling. Enabling Black Hole Filtering for Customers.
  • Moy, J. RFC 2328, OSPF Version 2.
  • Neil Jr. Spy Agency Taps into Undersea Cable. Wall Street Journal.
  • Ping of Death.
  • Portable Keystroke Logger.
  • Rekhter, Y., B. Moskowitz, D. Karrenberg, G. J. de Groot, and E. Lear. RFC 1918, Address Allocation for Private Internets.
  • SYN Cookies.
  • Taylor, David. Are There Vulnerabilities in VLAN Implementations?
  • Thomas, Rob. Bogon List.
  • Thomas, Rob. ICMP Filtering Guidelines.
  • VLAN 1 Considerations.
  • van Eck, Wim. Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?

Chapter 7: Network Security Platform Options and Best Deployment Practices

  • No URLs in references

Chapter 8: Common Application Design Considerations

  • BIND.
  • Klensin, J. RFC 2821. Simple Mail Transfer Protocol.
  • Cricket. Securing an Internet Name Server.
  • Men and Mice. DNS Single Point of Failure Research.
  • Thomas, Rob. Secure BIND Template.
  • Wunsch, Scott. Chroot-BIND HOWTO.

Chapter 9: Identity Design Considerations

  • Aboba, Simon. RFC 2716, PPP EAP TLS Authentication Protocol.
  • Palekar, A., D. Simon, G. Zorn, J. Salowey, H. Zhou, S. Josefsson. Protected EAP Protocol (PEAP) Version 2.
  • Blunk, Vollbrecht. RFC 2284, PPP Extensible Authentication Protocol.
  • Cisco Documentation: Configuring 802.1x Port-Based Authentication.
  • Deploying Cisco Secure ACS for Windows in a Cisco Aironet Environment.
  • Dierks, Allen. RFC 2246, The TLS Protocol Version 1.0.
  • Guidelines for Placing ACS in the Network.
  • Haller, Metz. RFC 1938, A One-Time Password System.
  • IEEE 802.1x Standard, Port-Based Network Access Control. 2001.
  • Mishra, A., W. Arbaugh. An Initial Security Analysis of the IEEE 802.1x Standard.
  • Open Source Implementation of IEEE 802.1x.

Chapter 10: IPsec VPN Design Considerations

  • Cisco Documentation: Dynamic Multipoint VPN (DMVPN).
  • Cisco Documentation: EIGRP Stub.
  • Cisco TAC Guide: IP Fragmentation and PMTUD.
  • Cisco Documentation: IPsec VPN High Availability Enhancements.
  • DES Challenge III, RSA Security.
  • FIPS 46-2, Data Encryption Standard.
  • FIPS 46-3, DES (Including 3DES).
  • FIPS 197, Advanced Encryption Standard (AES).
  • FIPS 180-1, Secure Hash Standard.
  • Halpern, J., and M. Sullenberger. Deploying and Managing Enterprise IPsec VPNs. Networkers (2002).
  • Hanks, S., T. Li, D. Farinacci, D. Meyer, and P. Traina. RFC 2784, Generic Routing Encapsulation.
  • Harkins, D., and D. Carrel. RFC 2409, The Internet Key Exchange (IKE).
  • Krawczyk, H. SKEME: A Versatile Secure Key Exchange Mechanism for Internet.
  • Kent, S., and R. Atkinson. RFC 2401, Security Architecture for IP.
  • Kent, S., and R. Atkinson. RFC 2402, IP Authentication Header.
  • Kent, S., and R. Atkinson. RFC 2406, IP Encapsulating Security Payload (ESP).
  • Orman, H. RFC 2412, The Oakley Key Determination Protocol.
  • Perkins, C. RFC 2003, IP Encapsulation within IP.
  • Piper, D. RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP.
  • Rivest, R. RFC 1321, The MD5 Message-Digest Algorithm.

Chapter 11: Supporting-Technology Design Considerations

  • AirSnort.
  • APTools.
  • Arbaugh, W., N. Shankar, and J. Wang. Your 802.11 Wireless Network Has No Clothes.
  • Arkin, O. The Cisco IP Phones Compromise.
  • Arkin, O. Security Risk Factors with IP Telephony Based Networks.
  • Borisov, N., I. Goldberg, and D. Wagner. Security of the WEP Algorithm.
  • Cisco Documentation: WLAN Auto Initiate VPN.
  • Flickenger, R. Antenna on the Cheap (er, Chip).
  • Fluhrer, S., I. Mantin, and A. Shamir. Weaknesses in the Key Scheduling Algorithm of RC4.
  • Halpern, J. SAFE: IP Telephony Security in Depth.
  • NetStumbler.
  • Voice over Misconfigured Internet Telephones (VOMIT).

Chapter 12: Designing Your Security System

  • No URLs in references

Chapter 13: Edge Security Design

  • Automotive Network Exchange.
  • Convery, S., and B. Trudel. SAFE: A Security Blueprint for Enterprise Networks.
  • Convery, S., and R. Saville. SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks.

Chapter 14: Campus Security Design

  • Convery, S., and B. Trudel. SAFE: A Security Blueprint for Enterprise Networks.
  • Convery, S., and R. Saville. SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks.

Chapter 15: Teleworker Security Design

  • Convery, S., and R. Saville. SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks.

Chapter 16: Secure Network Management and Network Security Management

  • Arbor Networks.
  • Cflowd. CAIDA.
  • Cisco Documentation: NetFlow.
  • Cisco Documentation: SNMP Configuration.
  • IETF Operations and Management Area.
  • Kiwi Syslog.
  • Lonvick, C. RFC 3164, The BSD Syslog Protocol.
  • Moore, D., V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver, The Spread of the Sapphire/Slammer Worm.
  • Sollins, K. RFC 1350, The TFTP Protocol (Revision 2).

Chapter 17: Case Studies

  • Sun Microsystems Sun Ray Thin Clients. - Link changed since book publication.

Chapter 18: Conclusions

  • No URLs in references