Cisco Systems’ next generation of network security devices and software is introduced in this book by one of Cisco’s product line managers in the security and technology department. Its purpose is to help customers understand and design a self-defending network and use it properly.
The ten chapters in the book cover different types of network attacks and defenses; the mitigation of distributed denial-of-service attacks; an overview of the Cisco adaptive security appliance; details of the Cisco incident control service; demystifying 802.1x; the implementation of network admission control; the network admission control appliance; the management of the Cisco security agent; the Cisco security manager; and the Cisco security monitoring, analysis, and response system.
These chapters outline Cisco’s layered approach to network security, often in graphic terms borrowed from the military (“network firewalls can also implement a demilitarized zone functionality”) or sports (“this [layered] defense is similar to that of a football team, starting with the front line”). The author presents a quite thorough explanation of what Cisco’s products do and how to get them to do it on the customer’s network. Of course, since there is no point in the posse publishing its weapons inventory for the black hats to see, the book gets rather vague when it comes to how things are done, which makes it difficult at times to evaluate how much of what is described is just wishful thinking and how much can really be counted on. Therein, of course, lies the rub.
It is common knowledge that network security is a major problem that is only getting worse. The notion of a self-defending network, if it means anything, certainly entails the ability not only to handle a wide range of known challenges, but also to cope effectively with new ones immediately as they appear. This is a dream of network operators, though the fight against the rise in network attacks seems as hopeless as the fight against the rise in entropy. One may win locally or for a short duration, but in the end one always seems to succumb to the network version of Murphy’s Law: “No system is foolproof because the fools are too ubiquitous and too ingenious.” Therefore, if the phrase “self-defending network” has any real meaning, and especially if it is to be the “proactive and holistic system” that Cisco touts it to be, it should somehow encompass both a component of artificial intelligence, which allows the system to learn about and combat new threats, and a component of fuzzy logic, which would allow it to deal with threats that are vaguely like, but not precisely the same as, known attacks. Now these components may be there, but if they are, Cisco isn’t letting on. They have neatly categorized network attacks: viruses, worms, Trojan horses, denial-of-service, distributed denial-of-service, spyware, and phishing. But suppose something new (a Trojan donkey? a worm in snake’s clothing?) turns up.
The above comments should not detract from Cisco’s achievements in designing this system. Their network security system is definitely impressive when compared to other presently available systems, and this book does a good job of presenting an overview of it for potential and actual users. The prose is clear and avoids excessive technical jargon. The illustrations are useful and well done. Clearly, the people at Cisco know the audience to whom such books are directed, and are experienced at talking to it at the correct level.