
CCNA Security Chapter 1

Feb 13, 2016


Mujib Shams

A document that addresses all the aspects of network security
Transcript
Page 1: CCNA Security Chapter 1

Chapter 1

Modern Network Security Threats

Lecturer: Mohammad Tariq Meeran

Network Security

Page 2: CCNA Security Chapter 1

© 2012 Cisco Systems, Inc. All rights reserved. Cisco Public Network Security Lecturer: Tariq Meeran 2

Objectives

Page 3: CCNA Security Chapter 1

Introduction

Network security is now an integral part of computer networking.

Network security involves protocols, technologies, devices, tools, and techniques to secure data and mitigate threats.

Network security solutions emerged in the 1960s but did not mature into a comprehensive set of solutions for modern networks until the 2000s.

Page 4: CCNA Security Chapter 1

Introduction (cont.)

Network security is largely driven by the effort to stay one step ahead of ill-intentioned hackers.

Network security professionals attempt to prevent attacks while minimizing the effects of real-time attacks.

Business continuity is another major driver of network security.

Network security organizations have been created to establish formal communities of network security professionals.

Page 5: CCNA Security Chapter 1

Introduction (cont.)

These organizations set standards, encourage collaboration, and provide workforce development opportunities for security professionals.

The complexity of network security makes it difficult to master all it encompasses, so different organizations have divided the field into domains.

This division allows professionals to focus on more precise areas of expertise in their training, research, and employment.

Page 6: CCNA Security Chapter 1

Introduction (cont.)

Network attacks are classified so that it is easier to learn about them and address them appropriately.

Viruses, worms, and Trojan horses are specific types of network attacks.

More generally, network attacks are classified as reconnaissance, access, or Denial of Service attacks.

Page 7: CCNA Security Chapter 1

Evolution of Network Security

In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts.

The worm not only disrupted access to the infected servers, but also affected the local networks hosting the servers, making them very slow or unusable.

The Code Red worm caused a Denial of Service (DoS) to millions of users.

Page 8: CCNA Security Chapter 1

Evolution of Network Security

If the network security professionals responsible for these Code Red-infected servers had developed and implemented a security policy, security patches would have been applied in a timely manner.

The Code Red worm would have been stopped and would only merit a footnote in network security history.

Page 9: CCNA Security Chapter 1

Evolution of Network Security

Network security relates directly to an organization's business continuity.

Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people's privacy, and compromise the integrity of information.

These breaches can result in lost revenue for corporations, theft of intellectual property, and lawsuits, and can even threaten public safety.

Page 10: CCNA Security Chapter 1

Evolution of Network Security

Maintaining a secure network ensures the safety of network users and protects commercial interests.

Security professionals must constantly be aware of new and evolving threats and attacks to networks, and vulnerabilities of devices and applications.

This information is used to adapt, develop, and implement mitigation techniques. However, security of the network is ultimately the responsibility of everyone that uses it.

Page 11: CCNA Security Chapter 1

Evolution of Network Security

"Necessity is the mother of invention." This saying applies perfectly to network security. In the early days of the Internet, commercial interests were negligible.

The vast majority of users were research and development experts. Early users rarely engaged in activities that would harm other users.

The Internet was not a secure environment because it did not need to be.

Page 12: CCNA Security Chapter 1

Evolution of Network Security

Early on, networking involved connecting people and machines through communications media.

The job of a networker was to get devices connected to improve people's ability to communicate information and ideas.

The early users of the Internet did not spend much time thinking about whether or not their online activities presented a threat to the network or to their own data.

Page 13: CCNA Security Chapter 1

Evolution of Network Security

When the first viruses were unleashed and the first DoS attack occurred, the world began to change for networking professionals.

To meet the needs of users, network professionals learned techniques to secure networks.

The primary focus of many network professionals evolved from designing, building, and growing networks to securing existing networks.

Page 14: CCNA Security Chapter 1

Evolution of Network Security

Today, the Internet is a very different network compared to its beginnings in the 1960s.

The job of a network security professional includes ensuring that appropriate personnel are well-versed in network security tools, processes, techniques, protocols, and technologies.

It is critical that network security professionals manage the constantly evolving threats to networks.

Page 15: CCNA Security Chapter 1


Evolution of Network Security

Page 16: CCNA Security Chapter 1

Evolution of Network Security

One of the first network security tools was the intrusion detection system (IDS), first developed by SRI International in 1984.

An IDS provides real-time detection of certain types of attacks while they are in progress. This detection allows network professionals to more quickly mitigate the negative impact of these attacks on network devices and users.

In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution.

Page 17: CCNA Security Chapter 1

Evolution of Network Security

In addition to IDS and IPS solutions, firewalls were developed to prevent undesirable traffic from entering prescribed areas within a network, thereby providing perimeter security.

In 1988, Digital Equipment Corporation (DEC) created the first network firewall in the form of a packet filter.

These early firewalls inspected packets to see if they matched sets of predefined rules, with the option of forwarding or dropping the packets accordingly.

Page 18: CCNA Security Chapter 1

Evolution of Network Security

Packet filtering firewalls inspect each packet in isolation, without examining whether a packet is part of an existing connection.

In 1989, AT&T Bell Laboratories developed the first stateful firewall. Like packet filtering firewalls, stateful firewalls use predefined rules for permitting or denying traffic.

Unlike packet filtering firewalls, stateful firewalls keep track of established connections and determine if a packet belongs to an existing flow of data.
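To make the distinction on this slide concrete, here is a small simulation added as an example (it is not Cisco's code; the addresses, rules and traffic are constructed): a stateless packet filter that can only judge each packet by its own headers, beside a stateful firewall that records outbound connection requests and admits inbound packets only when they match a tracked flow. Run on the same four packets, the stateless filter admits a stray ACK-flagged packet that belongs to no connection, while the stateful firewall drops it.

```python
"""Packet filter vs. stateful firewall: a toy model of the difference the
slide describes. Added example, not Cisco's code; all addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: set on a connection request
    ack: bool = False   # TCP ACK flag: set on every packet after the first SYN


INSIDE_PREFIX = "10."   # constructed: the protected LAN is 10.0.0.0/8


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def outbound(pkt):
    return is_inside(pkt.src) and not is_inside(pkt.dst)


class PacketFilter:
    """Stateless: each packet is judged alone against fixed rules. The filter
    cannot know which inbound packets are replies, so the rule that lets
    replies in can only look at the flags the packet itself carries."""

    def decide(self, pkt):
        if outbound(pkt):
            return "permit"          # LAN hosts may open connections outward
        if pkt.ack:
            return "permit"          # ACK set: could be a reply, could be anything
        return "drop"                # inbound SYN: no new inbound connections


class StatefulFirewall:
    """Stateful: outbound connection requests are recorded, and an inbound
    packet is admitted only if it travels the reverse direction of a flow
    already in the table."""

    def __init__(self):
        self.connections = set()     # (src, sport, dst, dport) opened from inside

    def decide(self, pkt):
        if outbound(pkt):
            if pkt.syn and not pkt.ack:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.connections else "drop"


# Constructed traffic: a LAN client opens a web connection, the server answers,
# then an unrelated outside host sends an ACK-flagged packet that belongs to no
# connection, followed by a plain connection attempt to the client's SSH port.
SCENARIO = [
    ("client SYN to web server",
     Packet("10.1.1.20", 40000, "203.0.113.5", 80, syn=True)),
    ("server SYN/ACK reply",
     Packet("203.0.113.5", 80, "10.1.1.20", 40000, syn=True, ack=True)),
    ("stray inbound ACK, no flow",
     Packet("198.51.100.9", 5555, "10.1.1.20", 22, ack=True)),
    ("inbound SYN to SSH",
     Packet("198.51.100.9", 5556, "10.1.1.20", 22, syn=True)),
]


def run(firewall):
    """Feed the scenario through one firewall; return its decisions in order."""
    return [firewall.decide(pkt) for _, pkt in SCENARIO]


if __name__ == "__main__":
    stateless, stateful = run(PacketFilter()), run(StatefulFirewall())
    for (label, _), a, b in zip(SCENARIO, stateless, stateful):
        print(f"{label:30} packet filter: {a:7} stateful: {b}")
```

The third packet is the case the slide is about: a stateless filter has no record of flows, so it has to accept any packet whose flags look like a reply.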

Page 19: CCNA Security Chapter 1

Evolution of Network Security

In addition to dealing with threats from outside of the network, network professionals must also be prepared for threats from inside the network.

Internal threats, whether intentional or accidental, can cause even greater damage than external threats.

Despite this fact, it has taken more than 20 years after the introduction of tools and techniques for mitigating external threats to develop mitigation tools and techniques for internal threats.

Page 20: CCNA Security Chapter 1

Evolution of Network Security

A common scenario for a threat originating from inside the network is a disgruntled employee with some technical skills and a willingness to do harm.

Most threats from within the network leverage the protocols and technologies used on the local area network (LAN) or the switched infrastructure.

These internal threats basically fall into two categories: spoofing and DoS.

Page 21: CCNA Security Chapter 1

Evolution of Network Security

Spoofing attacks are attacks in which one device attempts to pose as another by falsifying data.

For example, MAC address spoofing occurs when one computer accepts data packets based on the MAC address of another computer.

There are other types of spoofing attacks as well.

DoS attacks make computer resources unavailable to intended users. Attackers use various methods to launch DoS attacks.

Page 22: CCNA Security Chapter 1


Evolution of Network Security

Evolution of LAN Security

Page 23: CCNA Security Chapter 1

Evolution of Network Security

In addition to preventing and denying malicious traffic, network security also requires that data stay protected.

Cryptography, the study and practice of hiding information, is used pervasively in modern network security.

Today, each type of network communication has a corresponding protocol or technology designed to hide that communication from anyone other than the intended user.

Page 24: CCNA Security Chapter 1

Evolution of Network Security

Wireless data can be encrypted (hidden) using various cryptography applications. The conversation between two IP phone users can be encrypted.

The files on a computer can also be hidden with encryption. These are just a few examples.

Cryptography can be used almost anywhere that there is data communication.

In fact, the trend is toward all communication being encrypted.

Page 25: CCNA Security Chapter 1

Evolution of Network Security

Cryptography ensures data confidentiality, which is one of the three components of information security: confidentiality, integrity, and availability.

Information security deals with protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Encryption provides confidentiality by hiding plaintext data.

Page 26: CCNA Security Chapter 1

Evolution of Network Security

Data integrity, meaning that the data is preserved unaltered during any operation, is achieved by the use of hashing mechanisms.

Availability, which is data accessibility, is guaranteed by network hardening mechanisms and backup systems.

Page 27: CCNA Security Chapter 1


Evolution of Network Security

Encrypting Data

Page 28: CCNA Security Chapter 1

Drivers for Network Security

The word hacker has a variety of meanings.

For many, it means Internet programmers who try to gain unauthorized access to devices on the Internet.

It is also used to refer to individuals that run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers.

Page 29: CCNA Security Chapter 1

Drivers for Network Security

But for some, the term hacker has a positive interpretation as a network professional that uses sophisticated Internet programming skills to ensure that networks are not vulnerable to attack.

Good or bad, hacking is a driving force in network security.

Page 30: CCNA Security Chapter 1


Drivers for Network Security

Page 31: CCNA Security Chapter 1

Drivers for Network Security

The job of a network security professional is to stay one step ahead of the hackers by:

- attending training and workshops
- participating in security organizations
- subscribing to real-time feeds regarding threats
- perusing security websites on a daily basis

The network security professional must also have access to state-of-the-art security tools, protocols, techniques, and technologies.

Page 32: CCNA Security Chapter 1

Drivers for Network Security

Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems.

Phreaking began when AT&T introduced automatic switches to their phone systems. The AT&T phone switches used various tones, or tone dialing, to indicate different functions, such as call termination and call dialing.

A few AT&T customers realized that by imitating a tone using a whistle, they could exploit the phone switches to make free long-distance calls.

Page 33: CCNA Security Chapter 1

Drivers for Network Security

As communication systems evolved, so did hacking methods.

Wardialing became popular in the 1980s with the use of computer modems.

Wardialing programs automatically scanned telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines.

When a phone number was found, password-cracking programs were used to gain access.

Page 34: CCNA Security Chapter 1

Drivers for Network Security

Wardriving began in the 1990s and is still popular today. With wardriving, users gain unauthorized access to networks via wireless access points.

This is accomplished using a vehicle and a wireless-enabled portable computer or PDA.

A number of other threats have evolved since the 1960s, including network scanning tools such as Nmap and SATAN, as well as remote system administration hacking tools such as Back Orifice.

Page 35: CCNA Security Chapter 1

Drivers for Network Security

Trillions of dollars are transacted over the Internet on a daily basis, and the livelihoods of millions depend on Internet commerce.

For this reason, criminal laws are in place to protect individual and corporate assets.

There are numerous cases of individuals who have had to face the court system due to these laws.

The first email virus, the Melissa virus, was written by David Smith of Aberdeen, New Jersey.

This virus resulted in memory overflows in Internet mail servers. David Smith was sentenced to 20 months in federal prison and a US$5,000 fine.

Page 36: CCNA Security Chapter 1

Drivers for Network Security

Robert Morris created the first Internet worm with 99 lines of code.

When the Morris Worm was released, 10% of Internet systems were brought to a halt.

Robert Morris was charged and received three years probation (trial), 400 hours of community service, and a fine of US$10,000.

Page 37: CCNA Security Chapter 1

Drivers for Network Security

One of the most notorious (disreputable) Internet hackers, Kevin Mitnick, was imprisoned for four years for hacking credit card accounts in the early 1990s.

Whether the attack is via spam, a virus, DoS, or simply breaking into accounts, when the creativity of hackers is used for malicious purposes, they often end up going to jail, paying large fines, and losing access to the very environment in which they thrive (succeed).

Page 38: CCNA Security Chapter 1

Drivers for Network Security

As a result of hacker exploits, the sophistication of hacker tools, and government legislation, network security solutions developed rapidly in the 1990s.

By the late 1990s, many sophisticated network security solutions had been developed for organizations to strategically deploy within their networks.

With these solutions came new job opportunities and increased compensation in the field of network security.

Page 39: CCNA Security Chapter 1


Drivers for Network Security

Page 40: CCNA Security Chapter 1


Drivers for Network Security

Page 41: CCNA Security Chapter 1


Drivers for Network Security

Page 42: CCNA Security Chapter 1


Drivers for Network Security

Page 43: CCNA Security Chapter 1


Drivers for Network Security

Page 44: CCNA Security Chapter 1


Drivers for Network Security

Page 45: CCNA Security Chapter 1

Drivers for Network Security

The annual income for a network security professional is on the high end of the scale for careers in technology because of the depth and breadth of knowledge required.

Network security professionals must constantly upgrade their skill set to keep abreast of the latest threats.

The challenge of gaining and maintaining the necessary knowledge often translates into a shortage of network security professionals.

Page 46: CCNA Security Chapter 1

Drivers for Network Security

Network security professionals are responsible for maintaining data assurance for an organization and ensuring the integrity and confidentiality of information.

A network security professional might be responsible for setting up firewalls and intrusion prevention systems as well as ensuring encryption of company data.

Page 47: CCNA Security Chapter 1

Drivers for Network Security

Implementing enterprise authentication schemes is another important task.

The job entails maintaining detailed logs of suspicious activity on the network to use for reprimanding (warning) or prosecuting violators.

Page 48: CCNA Security Chapter 1

Network Security Organizations

Three of the more well-established network security organizations are:

- SysAdmin, Audit, Network, Security (SANS) Institute
- Computer Emergency Response Team (CERT)
- International Information Systems Security Certification Consortium ((ISC)2, pronounced "I-S-C-squared")

Page 49: CCNA Security Chapter 1


Network Security Organizations

Page 50: CCNA Security Chapter 1

Network Security Organizations

CERT is part of the U.S. federally funded Software Engineering Institute (SEI) at Carnegie Mellon University.

CERT is chartered to work with the Internet community in detecting and resolving computer security incidents.

The Morris Worm motivated the formation of CERT at the directive of the Defense Advanced Research Projects Agency (DARPA).

The CERT Coordination Center (CERT/CC) focuses on coordinating communication among experts during security emergencies to help prevent future incidents.

Page 51: CCNA Security Chapter 1

Network Security Organizations

CERT responds to major security incidents and analyzes product vulnerabilities.

CERT works to manage changes relating to progressive intruder techniques and to the difficulty of detecting attacks and catching attackers.

CERT develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of services.

Page 52: CCNA Security Chapter 1

Network Security Organizations

CERT focuses on five areas: software assurance, secure systems, organizational security, coordinated response, and education and training.

Page 53: CCNA Security Chapter 1

Network Security Organizations

(ISC)2 provides vendor-neutral education products and career services in more than 135 countries. Its membership includes 60,000 certified industry professionals worldwide.

The mission of (ISC)2 is to make the cyber world a safe place through elevating information security to the public domain and supporting and developing information security professionals around the world.

Page 54: CCNA Security Chapter 1

Network Security Organizations

(ISC)2 develops and maintains the (ISC)2 Common Body of Knowledge (CBK).

The CBK defines global industry standards, serving as a common framework of terms and principles that (ISC)2 credentials are based upon.

Most notably, (ISC)2 is universally recognized for its four information security certifications, including one of the most popular certifications in the network security profession, the Certified Information Systems Security Professional (CISSP).

Page 55: CCNA Security Chapter 1

Network Security Organizations

(ISC)2 promotes expertise in handling security threats through its education and certification programs.

As a member, individuals have access to current industry information and networking opportunities unique to its network of certified information security professionals.

Page 56: CCNA Security Chapter 1

Network Security Organizations

One of the most useful tools for the network security professional is Really Simple Syndication (RSS) feeds.

RSS is a family of XML-based formats used to publish frequently updated information, such as blog entries, news headlines, audio, and video.

RSS uses a standardized format.

An RSS feed includes complete or summarized text, plus metadata, such as publishing dates and authorships.

Page 57: CCNA Security Chapter 1

Network Security Organizations

RSS benefits:

- subscribe to timely updates from favored websites
- RSS feeds can be read using a web-based RSS reader
- the RSS reader software checks the user's subscribed feeds regularly
- network security professionals can acquire up-to-date information on a daily basis
- aggregate real-time threat information for review at any time

Page 58: CCNA Security Chapter 1

Network Security Organizations

For example, the US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents being reported to the US-CERT.

A text-only RSS feed is available at http://www.us-cert.gov/current/index.rdf.

It reports, 24/7, information regarding security advisories, email scams, backup vulnerabilities, malware spreading via social network sites, and other potential threats.
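As an added example, not part of the deck: a small parser for the two common feed formats, RSS 1.0 (the RDF form that the US-CERT .rdf address uses) and RSS 2.0, which merges several feeds and keeps the entries mentioning chosen keywords, newest first, as the daily review described on the previous slides. The feeds, hosts and entries are constructed; the defusedxml note in the code applies when a real feed is fetched from the network.

```python
"""Reading security feeds: a small parser for RSS 1.0 (RDF, the format of the
US-CERT .rdf URL on the slide) and RSS 2.0. Added example, not the deck's code;
both sample feeds below are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

NS = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "rss1": "http://purl.org/rss/1.0/",
    "dc": "http://purl.org/dc/elements/1.1/",
}

RDF_FEED = """<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel rdf:about="https://feeds.example.invalid/current.rdf">
    <title>Example Current Activity (constructed)</title>
    <link>https://feeds.example.invalid/current</link>
  </channel>
  <item rdf:about="https://feeds.example.invalid/1">
    <title>Vendor Releases Security Advisory for Router Firmware</title>
    <link>https://feeds.example.invalid/1</link>
    <description>Updates address multiple vulnerabilities.</description>
    <dc:date>2016-02-10T14:00:00Z</dc:date>
    <dc:creator>Example CERT</dc:creator>
  </item>
  <item rdf:about="https://feeds.example.invalid/2">
    <title>Phishing Campaign Targets Social Network Users</title>
    <link>https://feeds.example.invalid/2</link>
    <description>Malware spreading via social network sites.</description>
    <dc:date>2016-02-12T09:30:00Z</dc:date>
    <dc:creator>Example CERT</dc:creator>
  </item>
</rdf:RDF>"""

RSS2_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example Vendor Security Blog (constructed)</title>
  <link>https://blog.example.invalid/</link>
  <item>
    <title>Security advisory: patch available for mail server</title>
    <link>https://blog.example.invalid/advisory-1</link>
    <description>A memory handling issue is fixed.</description>
    <pubDate>Thu, 11 Feb 2016 18:45:00 GMT</pubDate>
    <author>security@blog.example.invalid</author>
  </item>
</channel></rss>"""


def _text(elem, path):
    found = elem.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def _parse_date(value):
    """dc:date is ISO 8601, pubDate is RFC 822; normalise both to aware UTC."""
    if not value:
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)
    except ValueError:
        return parsedate_to_datetime(value).astimezone(timezone.utc)


def parse_feed(xml_text):
    """Return a list of entries: title, link, summary, author, published.
    Feeds fetched from the network are untrusted XML; parse those with
    defusedxml rather than xml.etree to rule out entity-expansion payloads."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}RDF" % NS["rdf"]:       # RSS 1.0: items sit beside channel
        items, p = root.findall("rss1:item", NS), "rss1:"
        date_tag, author_tag = "dc:date", "dc:creator"
    elif root.tag == "rss":                      # RSS 2.0: items inside channel
        items, p = root.findall("channel/item"), ""
        date_tag, author_tag = "pubDate", "author"
    else:
        raise ValueError("unsupported feed root element: %s" % root.tag)
    return [{
        "title": _text(item, p + "title"),
        "link": _text(item, p + "link"),
        "summary": _text(item, p + "description"),
        "author": _text(item, author_tag),
        "published": _parse_date(_text(item, date_tag)),
    } for item in items]


def aggregate(feeds, keywords):
    """Merge feeds and keep entries whose title or summary mentions a keyword,
    newest first: the daily threat review the slides recommend."""
    wanted = [k.lower() for k in keywords]
    entries = [e for xml_text in feeds for e in parse_feed(xml_text)]
    hits = [e for e in entries
            if any(k in (e["title"] + " " + e["summary"]).lower() for k in wanted)]
    return sorted(hits, key=lambda e: e["published"], reverse=True)


if __name__ == "__main__":
    for e in aggregate([RDF_FEED, RSS2_FEED], ["advisory", "malware"]):
        print(e["published"].date(), e["author"], e["title"], e["link"])
```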

Page 59: CCNA Security Chapter 1

Domains of Network Security

It is vital for a network security professional to understand the drivers for network security and be familiar with the organizations dedicated to network security.

It is also important to have an understanding of the various network security domains.

Domains provide an organized framework to facilitate learning about network security.

Page 60: CCNA Security Chapter 1

Domains of Network Security

There are 12 network security domains specified by the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC).

Described by ISO/IEC 27002, these 12 domains serve to organize at a high level the vast realm of information under the umbrella of network security.

Page 61: CCNA Security Chapter 1


Domains of Network Security

Page 62: CCNA Security Chapter 1

Domains of Network Security

The 12 domains of network security provide a convenient separation for the elements of network security.

While it is not important to memorize these 12 domains, it is important to be aware of their existence and formal declaration by the ISO.

They serve as a useful reference going forward in your work as a network security professional.

Page 63: CCNA Security Chapter 1

Domains of Network Security

One of the most important domains is security policy.

A security policy is a formal statement of the rules by which people who are given access to the technology and information assets of an organization must abide.

The concept, development, and application of a security policy play a significant role in keeping an organization secure.

Page 64: CCNA Security Chapter 1


Domains of Network Security

Page 65: CCNA Security Chapter 1

Network Security Policies

The network security policy is a broad, end-to-end document designed to be clearly applicable to an organization's operations.

The policy is used to aid in network design, convey security principles, and facilitate network deployments.

Page 66: CCNA Security Chapter 1

Network Security Policies

The network security policy outlines rules for network access, determines how policies are enforced, and describes the basic architecture of the organization's network security environment.

The document is generally several pages. Because of its breadth of coverage and impact, it is usually compiled by a committee.

It is a complex document meant to govern items such as data access, web browsing, password usage, encryption, and email attachments.

Page 67: CCNA Security Chapter 1

Network Security Policies

A security policy should keep ill-intentioned users out and have control over potentially risky users.

When a policy is created, it must first be understood what services are available to which users.

The network security policy establishes a hierarchy of access permissions, giving employees only the minimal access necessary to perform their work.

Page 68: CCNA Security Chapter 1

Network Security Policies

The network security policy outlines what assets need to be protected and gives guidance on how they should be protected.

One possible guideline that administrators can use when developing the security policy and determining various mitigation strategies is the Cisco SecureX architecture.

Page 69: CCNA Security Chapter 1

Network Security Policies

The Cisco SecureX architecture is designed to provide effective security for any user, using any device, from any location, and at any time.

This new security architecture uses a higher-level policy language that takes into account the full context of a situation: who, what, where, when, and how.

With highly distributed security policy enforcement, security is pushed closer to where the end user is working.

Page 70: CCNA Security Chapter 1

Network Security Policies

This architecture includes the following five major components:

Scanning Engines
Delivery Mechanisms
Security Intelligence Operations (SIO)
Policy Management Consoles
Next-generation Endpoint


Page 74: CCNA Security Chapter 1

Network Security Policies

Increased user mobility has created complexities for securing the IT infrastructure. Deploying piecemeal security solutions can lead to duplicated efforts and inconsistent access policies, and requires increased integration and staffing to support. Cisco SecureX products work together to provide effective security for any user, using any device, from any location, at any time. This is one of the primary reasons for relying on the Cisco SecureX architecture to help shape the security policy.


Page 80: CCNA Security Chapter 1

Network Security Policies

A network security policy drives all the steps to be taken to secure network resources, not just equipment requirements and procedures. One of the most important steps in creating a policy is identifying critical assets, which include:

Databases and vital applications
Customer and employee information
Classified commercial information
Shared drives
Email servers and web servers

Page 81: CCNA Security Chapter 1

Network Security Policies

A security policy is a set of objectives for the company, rules of behavior for users and administrators, and requirements for systems and management that collectively ensure the security of the network and computer systems in an organization.

A security policy is a "living document," meaning that the document is never finished and is continuously updated as technology, business, and employee requirements change.

Page 82: CCNA Security Chapter 1

Network Security Policies

For example, an organization's employee laptops will be subject to various types of attacks, such as email viruses. A network security policy explicitly defines how frequently anti-virus software updates and virus definition updates must be installed.

Additionally, the network security policy includes guidelines for what users can and cannot do. This is normally stipulated as a formal acceptable use policy (AUP). The AUP must be as explicit as possible to avoid ambiguity or misunderstanding.


Page 84: CCNA Security Chapter 1

Viruses

The primary threats to end-user computers are virus, worm, and Trojan Horse attacks:

A virus is malicious software which attaches to another program to execute a specific unwanted function on a computer.

A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, from which it then infects other hosts.

A Trojan Horse is an application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within.


Page 86: CCNA Security Chapter 1

Virus

Traditionally, the term virus refers to an infectious organism that requires a host cell to grow and replicate. A University of Southern California student named Frederick Cohen suggested the term "computer virus" in 1983. A computer virus, referred to as a virus in the rest of this course, is a program that can copy itself and infect a computer without the knowledge of the user.

Page 87: CCNA Security Chapter 1

Virus

A virus is malicious code that is attached to legitimate programs or executable files. Most viruses require end-user activation and can lie dormant for an extended period and then activate at a specific time or date. A simple virus may insert itself at the entry point of an executable file, so that it runs before the host program. When activated, the virus might scan the disk for other executables, so that it can infect every file it has not yet infected.

Page 88: CCNA Security Chapter 1

Virus

Viruses can be harmless, such as those that display a picture on the screen, or they can be destructive, such as those that modify or delete files on the hard drive. Viruses can also be programmed to mutate to avoid detection. In the past, viruses were usually spread via floppy disks and computer modems. Today, most viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email. Email viruses are now the most common type of virus.
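As an added example (not from these slides), the Python script below shows the kind of file-integrity check that catches the file-infector behaviour described above: it baselines the SHA-256 hash of every executable under a directory and then reports any executable whose hash no longer matches, which is what happens when a virus inserts itself ahead of the host program's code. The directory, file names, file contents, the ".exe/.dll/.com" extension filter and the "prepending infector" simulation are constructed assumptions; real anti-virus layers signature and heuristic scanning on top of a check like this.

```python
import hashlib
import os
import tempfile

# Added example, not from the original slides: a minimal file-integrity
# baseline that detects the executable modification a prepending file-infector
# makes. File names and contents below are constructed for the example.

def sha256_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory, extensions=(".exe", ".dll", ".com")):
    """Record the hash of every executable (by extension, an assumption) under directory."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(root, name)
                baseline[os.path.relpath(path, directory)] = sha256_of_file(path)
    return baseline


def find_modified(directory, baseline):
    """Return executables whose hash differs from the baseline, plus executables
    that did not exist when the baseline was taken (baseline.get() is None)."""
    current = build_baseline(directory)
    changed = {p for p, digest in current.items() if baseline.get(p) != digest}
    return sorted(changed)


def simulate_prepending_infector(path, stub=b"VIRUS-STUB:"):
    """Model a prepending virus: its code goes in front of the host program's
    original bytes, so the host still 'works' but its hash changes."""
    with open(path, "rb") as f:
        original = f.read()
    with open(path, "wb") as f:
        f.write(stub + original)


def demo():
    """Create a constructed directory, baseline it, infect one file, re-check."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in {"app.exe": b"MZ...app", "lib.dll": b"MZ...lib",
                           "notes.txt": b"plain text"}.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(d)
        simulate_prepending_infector(os.path.join(d, "app.exe"))
        with open(os.path.join(d, "notes.txt"), "ab") as f:
            f.write(b" edited")        # non-executable change: not tracked
        return find_modified(d, baseline)


if __name__ == "__main__":
    print(demo())   # ['app.exe']
```

The baseline must be stored somewhere the malware cannot rewrite (read-only media, or signed and kept off-host), otherwise an infector that also updates the baseline defeats the check.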


Page 91: CCNA Security Chapter 1

Worms

Worms are a particularly dangerous type of hostile code. They replicate themselves by independently exploiting vulnerabilities in networks. Worms usually slow down networks. Whereas a virus requires a host program to run, worms can run by themselves. They do not require user participation and can spread extremely fast over the network.

Page 92: CCNA Security Chapter 1

Worms

Worms are responsible for some of the most devastating attacks on the Internet. For example, the SQL Slammer worm of January 2003 slowed global Internet traffic as a result of denial of service. Over 250,000 hosts were affected within 30 minutes of its release. The worm exploited a buffer overflow in Microsoft SQL Server, reached over UDP port 1434. A patch for this vulnerability had been released in mid-2002 (Microsoft security bulletin MS02-039), so the servers that were affected were those that did not have the patch applied.


Page 94: CCNA Security Chapter 1

Worms

Despite the mitigation techniques that have emerged over the years, worms have continued to evolve with the Internet and still pose a threat. While worms have become more sophisticated over time, they still tend to be based on exploiting weaknesses in software applications.

Page 95: CCNA Security Chapter 1

Worms

Most worm attacks have three major components:

Enabling vulnerability - The weakness the worm uses to install itself, reached through an exploit mechanism (email attachment, executable file, Trojan Horse).

Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.

Payload - Any malicious code that results in some action. Most often this is used to create a backdoor.

Page 96: CCNA Security Chapter 1

Worms

When exploring the major worm and virus attacks of the past 20 years, it is noticeable that the various phases of the attack methods employed by hackers are often quite similar. There are five basic phases of attack, regardless of whether a worm or a virus is deployed.

Page 97: CCNA Security Chapter 1

Worms

Probe phase - Vulnerable targets are identified. The goal is to find computers that can be subverted. Internet Control Message Protocol (ICMP) ping scans are used to map networks. Application scans then identify operating systems and vulnerable software. Hackers can obtain passwords using social engineering, dictionary attacks, brute-force attacks, or network sniffing.

Page 98: CCNA Security Chapter 1

Worms

Penetrate phase - Exploit code is transferred to the vulnerable target. The goal is to get the target to execute the exploit code through an attack vector, such as a buffer overflow, ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an email virus.

Page 99: CCNA Security Chapter 1

Worms

Persist phase - After the exploit is successfully running in memory, the code tries to persist on the target system. The goal is to ensure that the attacker's code is running and available to the attacker even if the system reboots. This is achieved by modifying system files, making registry changes, and installing new code.

Page 100: CCNA Security Chapter 1

Worms

Propagate phase - The attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines. Propagation vectors include emailing copies of the attack to other systems, uploading files to other systems using file shares or FTP services, active web connections, and file transfers through Internet Relay Chat (IRC).

Page 101: CCNA Security Chapter 1

Worms

Paralyze phase - Actual damage is done to the system. Files can be erased, systems can crash, information can be stolen, and distributed DoS (DDoS) attacks can be launched.

The five basic phases of attack allow security experts to describe worms and viruses conveniently according to their particular implementation mechanism for each phase. This makes it easier to categorize worms and viruses.


Page 103: CCNA Security Chapter 1

Trojan Horse

The term Trojan Horse originated from Greek mythology. Greek warriors offered the people of Troy (Trojans) a giant hollow horse as a gift. The Trojans brought the giant horse into their walled city, unaware that it contained many Greek warriors. At night, after most Trojans were asleep, the warriors burst out of the horse and overtook the city.

Page 104: CCNA Security Chapter 1

Trojan Horse

A Trojan Horse in the world of computing is malware that carries out malicious operations under the guise of a desired function. A virus or worm could carry a Trojan Horse. A Trojan Horse contains hidden, malicious code that runs with, and therefore exploits, the privileges of the user who runs it. Games are a common carrier for Trojan Horses.


Page 106: CCNA Security Chapter 1

Trojan Horse

The Trojan Horse concept is flexible. It can cause immediate damage, provide remote access to the system (a back door), or perform actions as instructed remotely, such as "send me the password file once per week." Custom-written Trojan Horses, such as Trojan Horses with a specific target, are difficult to detect.

Page 107: CCNA Security Chapter 1

Trojan Horse

Trojan Horses are usually classified according to the damage that they cause or the manner in which they breach a system:

Page 108: CCNA Security Chapter 1

Trojan Horse

Remote-access Trojan Horse - enables unauthorized remote access
Data-sending Trojan Horse - provides the attacker with sensitive data such as passwords
Destructive Trojan Horse - corrupts or deletes files
Proxy Trojan Horse - the user's computer functions as a proxy server
FTP Trojan Horse - opens port 21
Security software disabler Trojan Horse - stops antivirus programs or firewalls from functioning
Denial of Service Trojan Horse - slows or halts network activity

Page 109: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

A large share of the software vulnerabilities that are discovered relate to buffer overflows. A buffer is an allocated area of memory used by processes to store data temporarily. A buffer overflow occurs when a fixed-length buffer reaches its capacity and a process attempts to store data beyond that maximum limit. The extra data can overwrite adjacent memory locations and cause other unexpected behavior.

Page 110: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

Buffer overflows are usually the primary conduit through which viruses, worms, and Trojan Horses do their damage. In fact, there are reports that suggest that one-third of the software vulnerabilities identified by CERT relate to buffer overflows.

Page 111: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

Viruses and Trojan Horses tend to take advantage of local root buffer overflows. A root buffer overflow is a buffer overflow intended to attain root (administrator) privileges on a system. Local root buffer overflows require the end user or system to take some type of action: a local root buffer overflow is typically initiated by a user opening an email attachment, visiting a website, or exchanging a file via instant messaging.

Page 112: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

Worms such as SQL Slammer and Code Red exploit remote root buffer overflows. Remote root buffer overflows are similar to local root buffer overflows, except that no local end user or system intervention is required: the worm delivers its malformed input directly to the vulnerable network service.

Page 113: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

Viruses, worms, and Trojan horses can cause serious problems on networks and end systems. Network administrators have several means of mitigating these attacks. Note that mitigation techniques are often referred to in the security community as countermeasures.

Page 114: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

The primary means of mitigating virus and Trojan horse attacks is anti-virus software. Anti-virus software helps prevent hosts from getting infected and spreading malicious code. It requires much more time to clean up infected computers than it does to maintain up-to-date anti-virus software and anti-virus definitions on the same machines.

Page 115: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

Anti-virus software is the most widely deployed security product on the market today. Several companies that create anti-virus software, such as Symantec, Computer Associates, McAfee, and Trend Micro, have been in the business of detecting and eliminating viruses for more than a decade. Many corporations and educational institutions purchase volume licensing for their users.

Page 116: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

Anti-virus products have update automation options so that new virus definitions and software updates can be downloaded automatically or on demand. Keeping these updates current is the most critical requirement for keeping a network free of viruses and should be formalized in the network security policy.

Page 117: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

Anti-virus products are host-based. These products are installed on computers and servers to detect and eliminate viruses. However, they do not prevent viruses from entering the network, so a network security professional needs to be aware of the major viruses and keep track of security updates regarding emerging viruses.


Page 119: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

Worms are more network-based than viruses. Worm mitigation requires diligence and coordination on the part of network security professionals. The response to a worm infection can be broken down into four phases: containment, inoculation, quarantine, and treatment.

Page 120: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

The containment phase involves limiting the spread of a worm infection to the areas of the network that are already affected. This requires compartmentalization and segmentation of the network to slow down or stop the worm. Containment requires using both outgoing and incoming ACLs on routers and firewalls at control points within the network.

Page 121: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

The inoculation phase runs in parallel with or subsequent to the containment phase. During the inoculation phase, all uninfected systems are patched with the appropriate vendor patch for the vulnerability. The inoculation process further deprives the worm of available targets. The mobile environment prevalent on modern networks poses significant challenges.

Page 122: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

Laptops are routinely taken out of the secure network environment and connected to potentially unsecure environments, such as home networks. Without proper patching of the system, a laptop can be infected with a worm or virus and then bring it back into the secure environment of the organization's network, where it can infect other systems.

Page 123: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. This isolates these systems appropriately for the treatment phase.

Page 124: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

During the treatment phase, actively infected systems are disinfected of the worm. This can involve:

terminating the worm process,
removing modified files or system settings that the worm introduced,
patching the vulnerability the worm used to exploit the system.

In more severe cases, it can require completely reinstalling the system.

Page 125: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

In the case of the SQL Slammer worm, malicious traffic was detected on UDP port 1434. This port should normally be blocked by a firewall on the perimeter. However, most infections enter by way of back doors, such as an infected laptop brought back inside, and do not pass through the perimeter firewall. Therefore, to prevent this worm from spreading, it would be necessary to block this port on all devices throughout the internal network.

Page 126: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

In some cases, the port on which the worm is spreading might be critical to business operation. For example, when SQL Slammer was propagating, some organizations could not block UDP port 1434 because it was required to access the SQL Server for legitimate business transactions. In such a situation, alternatives must be considered.

Page 127: CCNA Security Chapter 1

Mitigating viruses, worms and Trojan horses

If the network devices using the service on the affected port are known, permitting selective access is an option. For example, if only a small number of clients are using SQL Server, one option is to open UDP port 1434 to critical devices only. Selective access is not guaranteed to solve the problem, but it certainly lowers the probability of infection.


Page 129: CCNA Security Chapter 1

Attack Methodologies

There are many different types of network attacks other than viruses, worms, and Trojan Horses. To mitigate attacks, it is useful to first have the various types of attacks categorized. There is no standardized way of categorizing network attacks. The method used in this course classifies attacks in three major categories.

Page 130: CCNA Security Chapter 1

Attack Methodologies

Reconnaissance Attacks

Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities. They employ packet sniffers and port scanners, which are widely available as free downloads on the Internet. Reconnaissance is analogous to a thief surveying a neighborhood for vulnerable homes to break into, such as an unoccupied residence or a house with an easy-to-open door or window.

Page 131: CCNA Security Chapter 1

Attack Methodologies

Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. They often employ a dictionary attack to guess system passwords. Specialized dictionaries for different languages are also available.

Page 132: CCNA Security Chapter 1

Attack Methodologies

Denial of Service Attacks

Denial of service attacks send extremely large numbers of requests over a network or the Internet. These excessive requests cause the target device to run sub-optimally; consequently, the attacked device becomes unavailable for legitimate access and use. By executing exploits or combinations of exploits, DoS attacks slow or crash applications and processes.

Page 133: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

A reconnaissance attack is also known as information gathering and, in most cases, precedes an access or DoS attack. The malicious intruder typically begins by conducting a ping sweep of the target network to determine which IP addresses are active. The intruder then determines which services or ports are available on the live IP addresses. Nmap is the most popular application for performing port scans.

Page 134: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

From the port information obtained, the intruder queries the ports to determine the type and version of the application and operating system that is running on the target host. The intruder looks for vulnerable services that can be exploited later, when there is less likelihood of being caught.

Page 135: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

Reconnaissance attacks use various tools to gather information about a network:

Packet sniffers
Ping sweeps
Port scans
Internet information queries

Page 136: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

A packet sniffer is a software application that uses a network adapter card in promiscuous mode. Promiscuous mode is a mode in which the network adapter card passes every packet it receives to an application for processing, not only the packets addressed to it. Some network applications transmit packets in unencrypted plaintext, which a sniffer can read directly.

Page 137: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

A packet sniffer can only capture traffic in the same collision domain as the network being attacked, unless the attacker has access to the intermediary switches. Sniffers are available as freeware and shareware, such as Wireshark.


Page 139: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

Ping Sweeps and Port Scans

When used as legitimate tools, ping sweep and port scan applications run a series of tests against hosts and devices to identify vulnerable services. The information is gathered by examining IP addressing and port, or banner, data from both TCP and UDP ports. In an attacker's hands, the same tools are used to acquire the information needed to compromise the system.

Page 140: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

Ping Sweep (cont.)

A ping sweep is a basic network scanning technique that determines which addresses in a range of IP addresses map to live hosts. Whereas a single ping indicates whether one specified host exists on the network, a ping sweep consists of ICMP echo requests sent to multiple hosts. It is among the older and slower methods used to scan a network.

Page 141: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

Port Scans

Each service on a host is associated with a well-known port number. A port scan probes a range of TCP or UDP port numbers on a host to detect listening services. It consists of sending a message to each port on the host; the response that the sender receives indicates whether the port is in use.

Page 142: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

Internet information queries (for example, whois and DNS lookups) can reveal:

information such as who owns a particular domain and what addresses have been assigned to that domain;
who owns a particular IP address and which domain is associated with the address;
a picture of the live hosts in a particular environment, if used together with ping sweeps.


Page 144: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

Reconnaissance attacks are typically the precursor to further attacks with the intention of gaining unauthorized access to a network or disrupting network functionality. They can be detected by configuring alarms that are triggered when certain parameters are exceeded, such as the number of ICMP requests per second.

Page 145: CCNA Security Chapter 1

Attack Methodologies, Reconnaissance attacks

A variety of technologies and devices can be used to monitor this type of activity and generate an alarm.

Cisco's Adaptive Security Appliance (ASA) provides intrusion prevention in a standalone device.

Additionally, the Cisco ISR supports network-based intrusion prevention through the Cisco IOS security image.
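
The threshold detection the two slides above describe, written out as an added example (illustrative code, not part of the original slides or of any Cisco product). It runs over a constructed list of flow records and flags a source that sends ICMP echo requests to many distinct hosts (ping sweep) or touches many distinct ports on one host (port scan) within a sliding time window. The thresholds, the window and the sample traffic are assumptions to tune per environment.

```python
"""Added example: threshold-based detection of ping sweeps and port scans
over a constructed list of flow records (not code from the original slides)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since start of capture
    src: str
    dst: str
    proto: str       # "icmp", "tcp" or "udp"
    dport: int       # 0 for ICMP echo


# Constructed sample traffic: one host sweeping 10.0.0.0/24 with ICMP echo
# requests, another probing 60 ports on a single server, plus two normal flows.
SAMPLE_FLOWS = (
    [Flow(1.0 + i * 0.05, "203.0.113.7", f"10.0.0.{i}", "icmp", 0) for i in range(1, 41)]
    + [Flow(5.0 + i * 0.01, "198.51.100.9", "10.0.0.20", "tcp", p) for i, p in enumerate(range(1, 61))]
    + [Flow(2.0, "10.0.0.5", "10.0.0.20", "tcp", 443), Flow(2.5, "10.0.0.6", "10.0.0.20", "tcp", 22)]
)


def _max_distinct_in_window(events, window):
    """Sliding window over time-sorted (ts, key) pairs: the largest number of
    distinct keys seen in any span of `window` seconds."""
    best, start = 0, 0
    counts = defaultdict(int)
    for ts, key in events:
        counts[key] += 1
        while events[start][0] < ts - window:        # evict events older than the window
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_recon(flows, window=10.0, sweep_hosts=20, scan_ports=30):
    """Return a list of (src, kind, count) alerts.

    ping_sweep: one source sends ICMP echo requests to >= sweep_hosts distinct
                destinations within `window` seconds.
    port_scan:  one source touches >= scan_ports distinct TCP/UDP ports on one
                destination within `window` seconds.
    The thresholds are assumptions; tune them to the environment's baseline.
    """
    by_src_icmp = defaultdict(list)        # src -> [(ts, dst)]
    by_src_dst = defaultdict(list)         # (src, dst) -> [(ts, dport)]
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "icmp":
            by_src_icmp[f.src].append((f.ts, f.dst))
        else:
            by_src_dst[(f.src, f.dst)].append((f.ts, f.dport))

    alerts = []
    for src, events in by_src_icmp.items():
        n = _max_distinct_in_window(events, window)
        if n >= sweep_hosts:
            alerts.append((src, "ping_sweep", n))
    for (src, dst), events in by_src_dst.items():
        n = _max_distinct_in_window(events, window)
        if n >= scan_ports:
            alerts.append((src, "port_scan", n))
    return alerts


if __name__ == "__main__":
    for src, kind, n in detect_recon(SAMPLE_FLOWS):
        print(f"ALERT {kind}: {src} touched {n} distinct targets")
```

Counting distinct destinations or ports rather than raw packets is what separates a sweep from a busy but legitimate client; a web server talking to one host on port 443 many thousands of times never trips either rule.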

Page 146: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

Access Attacks

Hackers use access attacks on networks or systems for three reasons: to retrieve data, to gain access, and to escalate access privileges.

Access attacks often employ password attacks to guess system passwords.

Page 147: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

Password attacks can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers.

However, most password attacks refer to brute-force attacks, which involve repeated login attempts with guessed passwords.

Page 148: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

A brute-force attack is often performed using a program that runs across the network and attempts to log in to a shared resource, such as a server.

After an attacker gains access to a resource, the attacker has the same access rights as the user whose account was compromised.

If this account has sufficient privileges, the attacker can create a back door for future access.

Page 149: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

As an example, an attacker can run the L0phtCrack (LC5) application to perform a brute-force attack to obtain a Windows server password.

When the password is obtained, the attacker can install a keylogger, which sends a copy of all keystrokes to a destination of the attacker's choosing.

Alternatively, a Trojan horse can be installed to send a copy of all packets sent and received by the target to a particular destination.

Page 150: CCNA Security Chapter 1

Attack Methodologies, Access Attacks (figure slide)

Page 151: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

There are five types of access attacks:

Password attack - An attacker attempts to guess system passwords. A common example is a dictionary attack, in which the guesses are taken from a list of common words and passwords rather than tried exhaustively.

Page 152: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

Trust exploitation - An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromise of the target.

Page 153: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

Port redirection - A compromised system is used as a jump-off point for attacks against other targets. An intrusion tool is installed on the compromised system for session redirection, so that traffic the attacker could not send directly to the target is relayed through a host the target already trusts.

Page 154: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

Man-in-the-middle attack - An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties.

A popular man-in-the-middle attack involves a laptop acting as a rogue access point to capture and copy all network traffic from a targeted user. Often the user is in a public location on a wireless hotspot.

Page 155: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

Man-in-the-middle Attack (figure slide)

Page 156: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

Buffer overflow - A program writes data beyond the memory allocated for a buffer.

Buffer overflows usually arise as a consequence of a bug in a C or C++ program in which the length of input is not checked against the size of the buffer.

As a result of the overflow, adjacent valid data is overwritten, and the corruption can be exploited to enable the execution of malicious code.

Page 157: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

Access attacks can be detected by reviewing logs, bandwidth utilization, and process loads.

By reviewing logs, security personnel can determine if an unusual number of failed login attempts have occurred.

Software packages such as ManageEngine EventLog Analyzer or Cisco Secure Access Control Server (CSACS) maintain information regarding failed login attempts to network devices.

Page 158: CCNA Security Chapter 1

Attack Methodologies, Access Attacks

UNIX and Windows servers also keep a log of failed login attempts.

Cisco routers and firewall devices can be configured to reject further login attempts for a given period after a prescribed number of failures within a specified interval.

Man-in-the-middle attacks often involve replicating data. An indication of such an attack is an unusual amount of network activity and bandwidth utilization, as reported by network monitoring software.
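
The log review and lockout the two slides above describe, as an added example that is not code from the original slides. It parses constructed sshd-style syslog lines, counts failures per source, and applies a quiet-period lockout modelled on the Cisco IOS `login block-for <seconds> attempts <n> within <seconds>` behaviour. The thresholds, the log lines and the year used to complete the timestamps are assumptions.

```python
"""Added example: count failed logins per source from constructed sshd-style
syslog lines and apply a quiet-period lockout modelled on Cisco IOS
'login block-for <seconds> attempts <n> within <seconds>'.
Not code from the original slides."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (format modelled on OpenSSH syslog output).
SAMPLE_LOG = """\
Feb 13 10:00:01 gw sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 13 10:00:04 gw sshd[4121]: Failed password for root from 203.0.113.7 port 51023 ssh2
Feb 13 10:00:09 gw sshd[4122]: Failed password for root from 203.0.113.7 port 51024 ssh2
Feb 13 10:00:11 gw sshd[4123]: Accepted password for root from 203.0.113.7 port 51025 ssh2
Feb 13 10:00:30 gw sshd[4130]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Feb 13 10:00:35 gw sshd[4131]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(line, year=2016):
    """Return (timestamp, result, user, src) or None for unrelated lines.
    Syslog omits the year, so one is supplied (assumption)."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


class LoginGuard:
    """Quiet-period lockout: after `attempts` failures within `within` seconds
    from one source, refuse that source for `block_for` seconds."""

    def __init__(self, attempts=3, within=60, block_for=120):
        self.attempts, self.within, self.block_for = attempts, within, block_for
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.blocked_until = {}              # src -> datetime

    def check(self, ts, result, src):
        """Record the event and return 'blocked' (rejected during quiet period,
        whatever the credentials), 'failed', 'accepted', or 'locked' (this
        failure triggered the lockout)."""
        if src in self.blocked_until and ts < self.blocked_until[src]:
            return "blocked"
        if result == "Accepted":
            self.failures.pop(src, None)
            return "accepted"
        q = self.failures[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.within:   # keep only the window
            q.popleft()
        if len(q) >= self.attempts:
            self.blocked_until[src] = ts + timedelta(seconds=self.block_for)
            q.clear()
            return "locked"
        return "failed"


def replay(log_text):
    """Feed the log through the guard; returns [(src, user, outcome), ...]."""
    guard = LoginGuard()
    outcomes = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            ts, result, user, src = rec
            outcomes.append((src, user, guard.check(ts, result, src)))
    return outcomes


if __name__ == "__main__":
    for src, user, outcome in replay(SAMPLE_LOG):
        print(f"{src:15} {user:8} {outcome}")
```

Note the fourth line of the sample: the attacker's guess is correct, but it arrives inside the quiet period and is rejected anyway, which is the whole value of the lockout. The inside user's single failure followed by a key-based login never comes near the threshold.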

Page 159: CCNA Security Chapter 1

Attack Methodologies, Access Attacks (figure slide)

Page 160: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

Denial of Service Attacks

A DoS attack results in some sort of interruption of service to users, devices, or applications.

Several mechanisms can generate a DoS attack. The simplest method is to generate large amounts of what appears to be valid network traffic.

This type of network DoS attack saturates the network so that valid user traffic cannot get through.

Page 161: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

A DoS attack takes advantage of the fact that target systems such as servers must maintain state information.

Applications may rely on expected buffer sizes and specific content of network packets.

A DoS attack can exploit this by sending packet sizes or data values that are not expected by the receiving application.

Page 162: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

There are two major reasons a DoS attack occurs:

A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.

A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.

Page 163: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

DoS attacks attempt to compromise the availability of a network, host, or application.

They are considered a major risk because they can easily interrupt a business process and cause significant loss.

These attacks are relatively simple to conduct, even by an unskilled attacker.

Page 164: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

One example of a DoS attack is sending a poisonous packet.

A poisonous packet is an improperly formatted packet designed to cause the receiving device to process it incorrectly.

The poisonous packet causes the receiving device to crash or run very slowly, which can disrupt all communications to and from the device.

Page 165: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

In another example, an attacker sends a continuous stream of packets that overwhelms the available bandwidth of network links.

It is often difficult to differentiate attack traffic from legitimate traffic and to trace an attack quickly back to its source, especially when source addresses are spoofed.

If many systems in the Internet core are compromised, the attacker may be able to take advantage of virtually unlimited bandwidth to unleash packet storms toward desired targets.

Page 166: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

A Distributed Denial of Service (DDoS) attack is similar in intent to a DoS attack, except that a DDoS attack originates from multiple coordinated sources.

A DDoS attack also presents the challenge of requiring the network defense to identify and stop each distributed attacker.

Page 167: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

As an example, a DDoS attack could proceed as follows. A hacker scans for systems that are accessible.

After the hacker compromises several "handler" systems, the hacker installs zombie software on them. The zombies then scan for and infect "agent" systems.

When the hacker accesses the agent systems, the hacker loads remote-control attack software to carry out the DDoS attack.

Page 168: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks (figure slide)

Page 169: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

Distributed DoS Attack (figure slide)

Page 170: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

It is useful to detail three common DoS attacks to get a better understanding of how DoS attacks work.

Ping of Death

In a ping of death attack, a hacker sends an echo request as a series of IP fragments that reassemble to a packet larger than the maximum IPv4 packet size of 65,535 bytes. Sending a ping of this size can crash a target computer whose IP stack does not check the reassembled length.

A variant of this attack is to crash a system by sending many incomplete sets of ICMP fragments, which fill the reassembly buffers of the target.

Page 171: CCNA Security Chapter 1

Ping of Death (figure slide)

Page 172: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

Smurf Attack

In a smurf attack, a perpetrator sends a large number of ICMP echo requests to directed broadcast addresses, all with the source address spoofed to that of the intended victim (in the slide's scenario, a host on the same network as the respective directed broadcast).

If the routing device delivering traffic to those broadcast addresses forwards the directed broadcasts, all hosts on the destination networks send ICMP echo replies to the spoofed source, multiplying the traffic by the number of hosts on the networks.

Page 173: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

Smurf Attack (figure slide)

Page 174: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

TCP SYN Flood

In a TCP SYN flood attack, a flood of TCP SYN packets is sent, often with a forged sender address.

Each packet is handled like a connection request, causing the server to create a half-open connection by sending back a TCP SYN-ACK packet and waiting for a packet in response from the sender address.

However, because the sender address is forged, the response never comes.

These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.
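
The half-open connection table the slide describes, as an added simulation that is not code from the original slides. A Listener holds a bounded queue of half-open entries that expire when a real stack would stop retransmitting the SYN-ACK; spoofed SYNs fill it, a legitimate client's SYN is dropped during the flood, and the same client succeeds once the entries time out. The backlog size, timeout and rates are assumptions.

```python
"""Added example: a simulation of a listening socket's half-open connection
table under a TCP SYN flood (not code from the original slides).
Entries expire after `syn_timeout` seconds, which is when a real stack gives
up retransmitting the SYN-ACK; sizes and timeouts here are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int = 128              # maximum half-open entries (SYN queue)
    syn_timeout: float = 60.0       # seconds before a half-open entry is dropped
    half_open: dict = field(default_factory=dict)   # (src, sport) -> expiry time
    established: int = 0
    dropped_syns: int = 0

    def _expire(self, now):
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def on_syn(self, now, src, sport):
        """Server receives a SYN; it answers SYN-ACK only if the queue has room."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.half_open[(src, sport)] = now + self.syn_timeout
        return True

    def on_ack(self, now, src, sport):
        """Third handshake packet: only a client that really received the
        SYN-ACK can send it, so a spoofed source never completes."""
        self._expire(now)
        if self.half_open.pop((src, sport), None) is None:
            return False
        self.established += 1
        return True


def simulate(syn_rate=50, flood_seconds=10, backlog=128, syn_timeout=60.0):
    """Flood with `syn_rate` spoofed SYNs per second for `flood_seconds`, then
    try a legitimate handshake during the flood and again after the spoofed
    entries have expired. Returns (during_ok, after_ok, dropped, peak_half_open)."""
    srv = Listener(backlog=backlog, syn_timeout=syn_timeout)
    peak = 0
    for n in range(syn_rate * flood_seconds):
        t = n / syn_rate
        # Spoofed source: an address that will never answer the SYN-ACK.
        srv.on_syn(t, f"198.51.100.{n % 254 + 1}", 1024 + n)
        peak = max(peak, len(srv.half_open))
    t = float(flood_seconds)

    # Legitimate client during the flood: its SYN is dropped, so it never
    # receives a SYN-ACK and never gets to send the ACK.
    during_ok = srv.on_syn(t, "10.0.0.5", 40000) and srv.on_ack(t + 0.01, "10.0.0.5", 40000)
    # The same client after every spoofed entry has timed out.
    later = t + syn_timeout + 1.0
    after_ok = srv.on_syn(later, "10.0.0.5", 40001) and srv.on_ack(later + 0.01, "10.0.0.5", 40001)
    return during_ok, after_ok, srv.dropped_syns, peak


if __name__ == "__main__":
    print(simulate())
```

With these numbers the attacker needs only backlog / syn_timeout, about two spoofed SYNs per second, to keep the queue full indefinitely, which is why the defence is to shorten the half-open lifetime or to stop reserving state per SYN (SYN cookies) rather than to add bandwidth.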

Page 175: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

TCP SYN Flood (figure slide)

Page 176: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

The TCP SYN flood, ping of death, and smurf attacks demonstrate how devastating a DoS attack can be.

There are five basic ways that DoS attacks can do harm:

Consumption of resources, such as bandwidth, disk space, or processor time

Disruption of configuration information, such as routing information

Disruption of state information, such as unsolicited resetting of TCP sessions

Disruption of physical network components

Obstruction of communication between the victim and others.

Page 177: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

It is usually not difficult to determine if a DoS attack is occurring.

A large number of complaints about not being able to access resources is a first sign of a DoS attack.

To detect attacks early, a network utilization monitoring package should be running at all times, and the network security policy should require it.

A network utilization graph showing unusual activity could indicate a DoS attack.

Page 178: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

Keep in mind that DoS attacks could be a component of a larger offensive.

DoS attacks can lead to problems in the network segments of the computers being attacked.

If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity could be compromised.

Page 179: CCNA Security Chapter 1

Attack Methodologies, Denial of Service Attacks

Not all service outages, even those that result from malicious activity, are necessarily DoS attacks.

In any case, DoS attacks are among the most dangerous types of attacks, and it is critical that a network security professional act quickly to mitigate the effects of such attacks.

Page 180: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

There are a variety of network attacks, network attack methodologies, and categorizations of network attacks.

The important question is, "How do I mitigate these network attacks?"

The type of attack, as specified by the categorization of reconnaissance, access, or DoS attack, determines the means of mitigating a network threat.

Page 181: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

Reconnaissance attacks can be mitigated in several ways:

Using strong authentication is a first option for defense against packet sniffers, because a sniffed credential that cannot be replayed is of little use to the attacker.

Strong authentication is a method of authenticating users that cannot easily be circumvented.

A One-Time Password (OTP) is a form of strong authentication. OTPs are normally used as one factor of two-factor authentication, which combines something one has, such as a token card, with something one knows, such as a PIN.

Page 182: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

Encryption is also effective for mitigating packet sniffer attacks.

If traffic is encrypted, it is practically irrelevant if a packet sniffer is being used, because the captured data is not readable.

Page 183: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

Antisniffer software and hardware tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate.

While this does not completely eliminate the threat, as part of an overall mitigation system it can reduce the number of instances of the threat.

Page 184: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

A switched infrastructure is the norm today, which makes it difficult to capture any data except that in your immediate collision domain, which on a switch usually contains only one host.

A switched infrastructure does not eliminate the threat of packet sniffers (an attacker can still flood the MAC table or spoof ARP to redirect traffic), but it can greatly reduce a sniffer's effectiveness.

Page 185: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

Port scanning cannot be prevented outright, but using an IPS and a firewall can limit the information that can be discovered with a port scanner.

Ping sweeps can be stopped if ICMP echo and echo-reply are blocked on edge routers.

However, when these messages are blocked, network diagnostic data (ping from outside the network) is lost.

Page 186: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

Network-based IPS and host-based IPS can usually notify an administrator when a reconnaissance attack is under way.

This warning enables the administrator to better prepare for the coming attack or to notify the ISP from which the reconnaissance probe is being launched.

Page 187: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

Several techniques are also available for mitigating access attacks.

A surprising number of access attacks are carried out through simple password guessing or brute-force dictionary attacks against passwords.

The use of encrypted or hashed authentication protocols, along with a strong password policy, greatly reduces the probability of successful access attacks.

Page 188: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

There are specific practices that help to ensure a strong password policy:

Disabling accounts after a specific number of unsuccessful logins.

Not using plaintext passwords; use either a one-time password (OTP) or an encrypted (hashed) password.

Using strong passwords. Strong passwords are at least eight characters (a minimum; longer passphrases are stronger) and contain uppercase letters, lowercase letters, numbers, and special characters.
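
A dictionary attack against stored password hashes, beside a checker for the policy just stated, as an added example that is not code from the original slides. The slide's L0phtCrack example works on Windows hashes; this stands in with PBKDF2-SHA256 and a constructed user table and word list. Beyond the slide, it shows that a password can satisfy every character-class rule and still fall to a word list with a few mangling rules, while a random one does not.

```python
"""Added example: a dictionary attack against salted password hashes, beside
a checker for the password policy stated on the slide (not code from the
original slides). The user records and the word list are constructed."""
import hashlib
import os
import string

ITERATIONS = 10_000   # assumption; production settings are far higher


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted, iterated hash as a password store would keep it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(username, password):
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def mangle(word):
    """Cheap rule set a cracker applies to every dictionary word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word.capitalize() + "1!"
    yield word + "123"


def dictionary_attack(records, wordlist):
    """Return {user: recovered_password} for every record that falls.
    Each candidate must be hashed with the record's own salt, which is what
    salting buys: no precomputed table covers all users at once."""
    found = {}
    for rec in records:
        for word in wordlist:
            for candidate in mangle(word):
                if hash_password(candidate, rec["salt"]) == rec["hash"]:
                    found[rec["user"]] = candidate
                    break
            if rec["user"] in found:
                break
    return found


def meets_policy(password, min_len=8):
    """The slide's rule: at least 8 characters with an uppercase letter, a
    lowercase letter, a digit and a special character."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= min_len and all(classes)


# Constructed data.
WORDLIST = ["password", "welcome", "cisco", "summer", "letmein"]
RECORDS = [
    make_record("jdoe", "cisco123"),      # weak, fails the policy
    make_record("asmith", "Welcome1!"),   # passes the policy, still falls to mangling
    make_record("bkim", "Vq7#pLm2xZ"),    # passes the policy, not derived from a word
]


if __name__ == "__main__":
    for user, pw in dictionary_attack(RECORDS, WORDLIST).items():
        print(f"cracked {user}: {pw!r} (policy ok: {meets_policy(pw)})")
```

The policy check is necessary but not sufficient: "Welcome1!" passes it and is still the second guess a cracker makes. A word list check, or a minimum length that pushes users toward passphrases, closes the gap the character-class rule leaves.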

Page 189: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

The principle of minimum trust should also be designed into the network structure. This means that systems should not use one another unnecessarily.

For example, if an organization has a server that is used by untrusted devices, such as web servers, the trusted device (the server) should not trust the untrusted devices (the web servers) unconditionally.

Page 190: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

Cryptography is a critical component of any modern secure network.

Using encryption for remote access to a network is recommended. Routing protocol exchanges should also be protected, by authenticating them and, where the protocol supports it, encrypting them.

The more that traffic is encrypted, the less opportunity hackers have for intercepting data with man-in-the-middle attacks.

Page 191: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

Companies with a high-profile Internet presence should plan in advance how to respond to potential DoS attacks.

Historically, many DoS attacks were sourced from spoofed source addresses. These types of attacks can be thwarted using antispoofing technologies on perimeter routers and firewalls.

Many DoS attacks today are distributed DoS attacks carried out by compromised hosts on several networks. Mitigating DDoS attacks requires careful diagnostics, planning, and cooperation from ISPs.

Page 192: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

The most important elements for mitigating DoS attacks are firewalls and IPSs. Both host-based and network-based IPSs are strongly recommended.

Cisco routers and switches support a number of antispoofing technologies, such as port security, DHCP snooping, IP Source Guard, Dynamic ARP Inspection, and ACLs.
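
The perimeter antispoofing the two slides above call for, as an added example that is not code from the original slides or from Cisco IOS: an ingress filter for the outside interface that drops packets claiming an internal or bogon source, or aimed at an internal directed-broadcast address (the smurf amplifier), and an egress filter that lets only the site's own prefixes out, so a compromised inside host cannot source a spoofed flood (the BCP 38 rule). The prefixes and sample packets are assumptions.

```python
"""Added example (not from the original slides): ingress and egress
antispoofing checks for a perimeter router, modelled with the ipaddress
module. The site prefixes and the bogon list are assumptions."""
import ipaddress

# Prefixes this site owns (assumed; documentation ranges used as stand-ins).
INSIDE = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]

# Sources that must never arrive from the Internet (assumed bogon list:
# RFC 1918, loopback, link-local, unspecified).
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def _in(addr, nets):
    return any(addr in n for n in nets)


def ingress_verdict(src, dst):
    """Packet arriving on the outside interface. Returns (allowed, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in(s, INSIDE):
        return False, "spoofed internal source arriving from outside"
    if _in(s, BOGONS):
        return False, "bogon source"
    if any(d == n.broadcast_address for n in INSIDE):
        return False, "directed broadcast (smurf amplifier)"
    if not _in(d, INSIDE):
        return False, "destination not ours"
    return True, "permit"


def egress_verdict(src, dst):
    """Packet leaving toward the Internet: only our own prefixes may appear
    as sources, so an inside host cannot launch a spoofed flood (BCP 38)."""
    s = ipaddress.ip_address(src)
    if not _in(s, INSIDE):
        return False, "spoofed source leaving the network"
    return True, "permit"


# Constructed sample packets (src, dst) seen on the outside interface.
SAMPLE_INGRESS = [
    ("203.0.113.7", "192.0.2.20"),     # ordinary Internet client
    ("192.0.2.5", "192.0.2.20"),       # our own address arriving from outside: spoofed
    ("192.168.1.9", "192.0.2.20"),     # RFC 1918 source from the Internet
    ("203.0.113.7", "192.0.2.255"),    # smurf attempt at our directed broadcast
]


if __name__ == "__main__":
    for src, dst in SAMPLE_INGRESS:
        ok, why = ingress_verdict(src, dst)
        print(f"{src:>14} -> {dst:<14} {'PERMIT' if ok else 'DROP  '} {why}")
```

On a Cisco router the directed-broadcast part is normally handled by leaving `ip directed-broadcast` disabled on every interface (the default), and the source checks by an ingress ACL or unicast RPF; the filter above is the logic those features implement.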

Page 193: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

Lastly, although Quality of Service (QoS) is not designed as a security technology, one of its applications, traffic policing, can be used to limit ingress traffic from any given customer on an edge router.

This limits the impact a single source can have on ingress bandwidth utilization.

Page 194: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

Defending your network against attack requires constant vigilance and education. There are 10 best practices that represent the best insurance for your network.

1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.

2. Shut down unnecessary services and ports.

3. Use strong passwords and change them often.

4. Control physical access to systems.

Page 195: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

5. Avoid unnecessary web page inputs. Some websites allow users to enter usernames and passwords.

A hacker can enter more than just a username. For example, if the server passes the field to a shell, entering "jdoe; rm -rf /" might allow an attacker to remove the root file system from a UNIX server.

Programmers should limit input characters, reject invalid characters such as | ; < > as input, and never hand user input to a command interpreter.
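
The shell-injection pattern the item above describes, in a vulnerable form beside a hardened form, as an added example that is not code from the original slides. The command run here is a harmless `echo` standing in for whatever the real handler would call, and the payload uses `echo INJECTED` in place of `rm -rf /` so the block can be run safely; the username grammar is an assumption.

```python
"""Added example (not from the original slides): the same lookup written with
untrusted input interpolated into a shell command line, and rewritten to
validate the input and bypass the shell entirely."""
import re
import subprocess

# Assumption: POSIX-style usernames, lowercase, no shell metacharacters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Stands in for 'jdoe; rm -rf /': the ';' ends the intended command and the
# shell runs whatever follows as a second command.
PAYLOAD = "jdoe; echo INJECTED"


def lookup_vulnerable(username):
    """Builds a command line from user input and hands it to /bin/sh.
    Returns the command's standard output."""
    result = subprocess.run(f"echo {username}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def is_safe_username(username):
    """Allowlist check: only characters a username may contain."""
    return bool(USERNAME_RE.match(username))


def lookup_hardened(username):
    """Reject anything that is not a plausible username, then pass the value
    as a single argv element so no shell ever parses it."""
    if not is_safe_username(username):
        raise ValueError(f"invalid username: {username!r}")
    result = subprocess.run(["echo", username], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(lookup_vulnerable(PAYLOAD)))   # two lines: jdoe, INJECTED
    try:
        lookup_hardened(PAYLOAD)
    except ValueError as e:
        print("hardened:  ", e)
```

The argv form on its own already defeats `;`, `|`, `<` and `>`, because the string reaches the program as one argument and never passes through a shell; the allowlist is still worth keeping, since it also stops input such as `-n` from being read as an option by the program itself.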

Page 196: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

6. Perform backups and test the backed-up files on a regular basis.

7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.

8. Encrypt and password-protect sensitive data.

9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.

10. Develop a written security policy for the company.

Page 197: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks (figure slide)

Page 198: CCNA Security Chapter 1

Attack Methodologies, Mitigating Network Attacks

These methods are only a starting point for sound security management. Organizations must remain vigilant at all times to defend against continually evolving threats.

Using these proven methods of securing a network and applying the knowledge gained in this chapter, you are now prepared to begin deploying network security solutions.

One of the first deployment considerations involves securing access to network devices.

Page 199: CCNA Security Chapter 1

NFP

The Cisco Network Foundation Protection (NFP) framework provides comprehensive guidelines for protecting the network infrastructure. These guidelines form the foundation for continuous delivery of service.

NFP logically divides routers and switches into three functional areas:

Control Plane: Responsible for routing data correctly. Traffic consists of device-generated packets required for operation, such as ARP message exchanges or OSPF routing advertisements.

Page 200: CCNA Security Chapter 1

NFP

Management Plane: Responsible for managing network elements. Traffic is generated either by network devices or by network management stations using processes and protocols such as Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP, syslog, TACACS+, RADIUS, and NetFlow.

Data Plane (Forwarding Plane): Responsible for forwarding data. Traffic normally consists of user-generated packets being forwarded between end stations. Most traffic travels through the router or switch via the data plane. Data plane packets are typically processed in the fast-switching cache rather than by the route processor.

Page 201: CCNA Security Chapter 1

NFP (figure slide)

Page 202: CCNA Security Chapter 1

NFP

Control plane security can be implemented using the following features:

Cisco AutoSecure - Cisco AutoSecure provides a one-step device lockdown feature to protect the control plane as well as the management and data planes. It is a script that is initiated from the CLI to configure the security posture of routers. The script disables nonessential system processes and services. It first makes recommendations to address security vulnerabilities and then modifies the router configuration.

Page 203: CCNA Security Chapter 1

NFP

Routing protocol authentication - Routing protocol authentication, or neighbor authentication, prevents a router from accepting fraudulent routing updates. Most routing protocols support neighbor authentication.

Control Plane Policing (CoPP) - CoPP is a Cisco IOS feature designed to allow users to control the flow of traffic that is handled by the route processor of a network device.

Page 204: CCNA Security Chapter 1

NFP (figure slide)

Page 205: CCNA Security Chapter 1

NFP

CoPP is designed to prevent unnecessary traffic from overwhelming the route processor.

The CoPP feature treats the control plane as a separate entity with its own ingress (input) and egress (output) ports.

A set of rules can be established and associated with the ingress and egress ports of the control plane.
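
A token-bucket model of CoPP, as an added example that is not code from the original slides or from Cisco IOS. Packets punted to the route processor are sorted into classes (routing protocol, management from a trusted station, ICMP, everything else, and an "undesirable" class) and each class is policed to its own rate, so an ICMP flood aimed at the router is cut to a trickle while OSPF hellos and the administrator's SSH session pass untouched. The classes, rates, trusted station and traffic mix are assumptions, not a recommended policy.

```python
"""Added example (not from the original slides): a token-bucket model of
Control Plane Policing. Class definitions and rates are assumptions."""
from dataclasses import dataclass


@dataclass
class Pkt:
    ts: float
    proto: str        # "ospf", "tcp", "udp" or "icmp"
    dport: int = 0
    src: str = ""


TRUSTED_MGMT = {"192.0.2.10"}     # assumed management station


def classify(p):
    """Sort a packet destined to the router itself into a CoPP class."""
    if p.proto == "ospf":
        return "routing"
    if p.proto == "tcp" and p.dport in (22, 23):
        return "management" if p.src in TRUSTED_MGMT else "undesirable"
    if p.proto == "udp" and p.dport == 161:
        return "management" if p.src in TRUSTED_MGMT else "undesirable"
    if p.proto == "icmp":
        return "icmp"
    return "default"


class TokenBucket:
    """Single-rate policer: `rate` tokens per second, at most `burst` saved."""

    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def conform(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# Per-class (rate in packets/s, burst); None means drop unconditionally.
POLICY = {
    "routing": (1000, 200),
    "management": (500, 100),
    "icmp": (20, 20),
    "default": (50, 50),
    "undesirable": None,
}


class ControlPlanePolicer:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.buckets = {c: TokenBucket(*cfg) for c, cfg in policy.items() if cfg}
        self.stats = {c: {"conform": 0, "drop": 0} for c in policy}

    def admit(self, p):
        """True if the packet may reach the route processor."""
        cls = classify(p)
        ok = self.policy[cls] is not None and self.buckets[cls].conform(p.ts)
        self.stats[cls]["conform" if ok else "drop"] += 1
        return ok


def run_sample():
    """Constructed traffic mix, all within one second: OSPF hellos, an SSH
    session from the management station, an SSH probe from an unknown host,
    and 1000 ICMP echo requests aimed at the router. Returns per-class stats."""
    cop = ControlPlanePolicer()
    pkts = [Pkt(i * 0.1, "ospf") for i in range(10)]
    pkts += [Pkt(0.5 + i * 0.01, "tcp", 22, "192.0.2.10") for i in range(20)]
    pkts += [Pkt(0.7, "tcp", 22, "203.0.113.7")]
    pkts += [Pkt(i * 0.001, "icmp", src="203.0.113.7") for i in range(1000)]
    for p in sorted(pkts, key=lambda p: p.ts):
        cop.admit(p)
    return cop.stats


if __name__ == "__main__":
    for cls, s in run_sample().items():
        print(f"{cls:12} conform={s['conform']:4} drop={s['drop']:4}")
```

The ICMP class passes its 20-packet burst plus roughly 20 more over the second and drops the rest, while the routing and management classes never come near their limits; that separation is what keeps a flood from starving the route processor of the hellos it must process.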

Page 206: CCNA Security Chapter 1

NFP

Management plane traffic is generated either by network devices or by network management stations using processes and protocols such as Telnet, SSH, TFTP, and FTP.

The management plane is a very attractive target to hackers. For this reason, the management module was built with several technologies designed to mitigate such risks.

Page 207: CCNA Security Chapter 1

NFP

The information flow between management hosts and the managed devices can be out-of-band (OOB), where information flows within a network on which no production traffic resides, or in-band, where information flows across the enterprise production network, the Internet, or both.

Management plane security can be implemented using the following features:

Page 208: CCNA Security Chapter 1

NFP

Login and password policy - Restricts device accessibility. Limits the accessible ports and restricts the "who" and "how" methods of access.

Present legal notification - Displays legal notices. These are often developed by the legal counsel of a corporation.

Ensure the confidentiality of data - Protects locally stored sensitive data from being viewed or copied. Uses management protocols with strong authentication to mitigate confidentiality attacks aimed at exposing passwords and device configurations.

Page 209: CCNA Security Chapter 1

© 2012 Cisco Systems, Inc. All rights reserved. Cisco Public Network Security Lecturer: Tariq Meeran 209

NFP

Role-based access control (RBAC) - Ensures access is granted only to authenticated users, groups, and services, and only to what their role requires. RBAC together with authentication, authorization, and accounting (AAA) services provides the mechanisms to manage access control effectively.

Authorize actions - Restricts the actions and views that are permitted to any particular user, group, or service, so that an authenticated operator still cannot run every command.

Enable management access reporting - Logs and accounts for all access. Records who accessed the device, what occurred, and when it occurred. The records should leave the device (to a syslog or AAA server), so that an attacker who gains control of it cannot simply erase them.
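The features in the list above map onto a small set of Cisco IOS commands. The configuration below is an added example for this page, not a configuration from the slides or from the Cisco course; the hostname, domain name, server addresses, line numbers and every credential in it are placeholders chosen for illustration.

```cisco
! Added example (not from the slides): management-plane hardening on an IOS
! router. Hostname, domain, addresses and all credentials are placeholders.
hostname R1
ip domain-name example.net
service timestamps log datetime msec
!
! Login and password policy. "secret" stores a salted hash; "service
! password-encryption" only obfuscates legacy type-7 passwords (reversible),
! so every credential below is configured with "secret", not "password".
security passwords min-length 10
service password-encryption
enable secret Str0ngEnablePa55
username admin privilege 15 secret Adm1nPa55word!
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Legal notification shown before the login prompt (text from legal counsel;
! it deliberately names no hostname, owner or role).
banner login ^C
Unauthorized access is prohibited. All activity is monitored and logged.
^C
!
! Confidentiality: SSH version 2 only; Telnet is not accepted on the VTYs.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! AAA: authenticate and authorize against a TACACS+ server (placeholder
! address and key), falling back to the local database if it is unreachable,
! and account for every EXEC session and privilege-15 command.
aaa new-model
tacacs server TACACS-1
 address ipv4 10.0.0.40
 key TacacsSharedKey1
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! Management access reporting: ship login and accounting records off-box
! (syslog host address is a placeholder).
logging host 10.0.0.50
logging trap informational
!
line vty 0 4
 transport input ssh
 exec-timeout 5 0
line console 0
 exec-timeout 5 0
```

Two checks worth running after applying this: `show login` confirms the block-for quiet-mode settings are active, and `show ip ssh` confirms that version 2 is the only version offered. The `local` fallback in the AAA method lists is what keeps the console usable when the TACACS+ server is down; without it, a server outage becomes a lock-out.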

Page 210: CCNA Security Chapter 1

NFP

RBAC restricts user access based on the role of the user. Roles are created according to job or task functions and are assigned access permissions to specific assets. Users are then assigned to roles and are granted the permissions defined for that role.

In Cisco IOS, the role-based CLI access feature implements RBAC for router management access.

Page 211: CCNA Security Chapter 1

NFP

The feature creates different "views" that define which commands are accepted and what configuration information is visible. A user placed in a view can run only the commands explicitly included in it; everything else is rejected as invalid input.

For scalability, users, permissions, and roles are usually created and maintained on a central repository server, which makes the same access control policy available to many devices instead of being duplicated in each device's configuration.

The central repository server can be a AAA server, such as the Cisco Secure Access Control System (ACS), which provides AAA services to a network for management purposes. (ACS has since reached end of life; its successor, Cisco Identity Services Engine (ISE), fills the same role.)
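The following is an added example of the role-based CLI access feature described on the last two slides; it is not a configuration from the slides or from Cisco. The view names, the command list and the credentials are placeholders, and the router is assumed to already have AAA and an enable secret configured, because both are prerequisites for creating views.

```cisco
! Added example (not from the slides): a read-only CLI view for help-desk
! staff and a superview that bundles it. View names, commands and
! credentials are placeholders.
!
! Views require AAA and an enable secret; they are created from the root
! view, which is entered with "enable view" (it prompts for the enable secret).
aaa new-model
enable secret Str0ngEnablePa55
!
! R1# enable view
! Password: <enable secret>
! R1# configure terminal
parser view HELPDESK
 secret H3lpDeskV1ew!
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include show logging
 commands exec include ping
 commands exec include traceroute
! Nothing else is accepted in this view: "show running-config" or
! "configure terminal" is rejected as invalid input.
!
! A superview groups views; its user gets the union of their commands.
parser view NETOPS superview
 secret N3tOpsV1ew!
 view HELPDESK
!
! Bind a local user to the view so it is entered automatically at login
! (applies when the login method list authenticates against the local database).
username helpdesk view HELPDESK secret H3lpDeskUs3r!
!
! Verify: "show parser view all" lists every view; inside a view,
! "show parser view" shows the current one; "enable view HELPDESK"
! switches to it interactively.
```

When the user database lives on the AAA server instead, the server returns the view to enter as a per-user attribute (`cli-view-name` for TACACS+), so the same `HELPDESK` definition on each router is selected centrally rather than by a local `username` line.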

Page 213: CCNA Security Chapter 1

NFP

Data plane traffic consists mostly of user-generated packets being forwarded through the router via the data plane. Data plane security can be implemented using ACLs, antispoofing mechanisms, and Layer 2 security features.

ACLs perform packet filtering to control which packets move through the network and where those packets are allowed to go. ACLs are used to secure the data plane in a variety of ways, including:

Page 214: CCNA Security Chapter 1

NFP

Blocking unwanted traffic or users - ACLs can filter incoming or outgoing packets on an interface. They can be used to control access based on source addresses, destination addresses, protocol and port, or (with dynamic, lock-and-key ACLs) user authentication.

Reducing the chance of DoS attacks - ACLs can specify whether traffic from particular hosts, networks, or users is allowed into the network. The TCP Intercept feature can also be configured to prevent servers from being flooded with half-open connection requests (SYN floods): the router completes the TCP handshake with the client before it opens the connection to the server.

Page 215: CCNA Security Chapter 1

NFP

Mitigating spoofing attacks - ACLs allow security practitioners to implement recommended practices to mitigate spoofing attacks, such as dropping inbound packets whose source is an internal, private, or reserved address (the ingress filtering of RFC 2827 / BCP 38).

Providing bandwidth control - ACLs on a slow link can classify traffic so that excess or low-priority traffic is rate-limited or dropped before it consumes the link.

Classifying traffic to protect the Management and Control planes - ACLs can be applied to the VTY lines (access-class) to restrict which hosts may open a management session, and they classify the traffic that Control Plane Policing (CoPP) rate-limits on its way to the route processor.

Page 216: CCNA Security Chapter 1

NFP

ACLs can also be used as an antispoofing mechanism by discarding traffic that has an invalid source address. This forces attacks to be initiated from valid, reachable IP addresses, allowing the packets to be traced to the originator of an attack.

Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy: the router checks that the packet's source address is reachable back through the interface it arrived on (strict mode) or through any interface (loose mode) and drops the packet otherwise. Strict mode must not be enabled on interfaces with asymmetric routing, where legitimate return traffic would be discarded.
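The data-plane controls of the last four slides (filtering, TCP Intercept, antispoofing ACLs, uRPF and the VTY access-class) fit together on one Internet edge router. The configuration below is an added example for this page, not one from the slides or from Cisco; the interface name, the site's public block 203.0.113.0/24, the link address, the web server address and the management subnet are all placeholders.

```cisco
! Added example (not from the slides): data-plane protection on an Internet
! edge router. GigabitEthernet0/0 faces the Internet, 203.0.113.0/24 is the
! site's own public block, 203.0.113.10 is the published web server, and
! 10.10.10.0/24 is the management subnet. All of these are placeholders.
!
! Ingress antispoofing ACL: drop packets arriving from the Internet that claim
! our own block, a private range, loopback or the unspecified network as their
! source (RFC 2827 / BCP 38), then admit only the published services.
ip access-list extended EDGE-IN
 remark --- sources that can never legitimately arrive from outside ---
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 remark --- published services and return traffic ---
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any 203.0.113.0 0.0.0.255 established
 deny   ip any any log
!
! Egress ACL: only our own block may leave, so this site cannot be the
! source of spoofed traffic toward others.
ip access-list extended EDGE-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
! uRPF needs CEF. Strict mode (reachable-via rx) is appropriate here because
! this is the single exit link; on multihomed links use "reachable-via any".
ip cef
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
 ip verify unicast source reachable-via rx
!
! TCP Intercept: the router answers SYNs for the web server and only opens the
! server-side connection once the client completes the handshake; the
! thresholds govern when it starts dropping the oldest half-open connections.
ip access-list extended TCP-INTERCEPT-LIST
 permit tcp any host 203.0.113.10
ip tcp intercept list TCP-INTERCEPT-LIST
ip tcp intercept mode intercept
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
!
! A data-plane ACL protecting the management plane: only management hosts
! may reach the VTY lines, and only over SSH.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

The `log` keyword is deliberate on the antispoofing and final deny entries, because those hits are the evidence an incident responder wants; it is not on the permit lines, since logging every matched packet is itself a route-processor load. `show ip interface GigabitEthernet0/0` reports the applied ACLs and the uRPF mode, `show access-lists` shows the per-entry hit counters, and `show tcp intercept statistics` shows how many connections are being intercepted.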

Page 217: CCNA Security Chapter 1

NFP

Cisco Catalyst switches can use integrated features to help secure the Layer 2 infrastructure. The following are Layer 2 security tools integrated into the Cisco Catalyst switches:

Port security - Limits the number and, optionally, the identity of MAC addresses learned on a port, which mitigates MAC address spoofing and MAC address (CAM table) flooding attacks.

DHCP snooping - Drops DHCP server messages that arrive on untrusted ports (rogue DHCP servers) and rate-limits DHCP requests (address starvation), while building a binding table of which MAC and IP address was leased on which port and VLAN.

Dynamic ARP Inspection (DAI) - Adds security to ARP by checking ARP packets on untrusted ports against the DHCP snooping binding table, minimizing the impact of ARP poisoning and spoofing attacks.

IP Source Guard - Prevents spoofing of IP addresses by permitting only traffic whose source IP address (and optionally MAC address) matches a DHCP snooping binding for that port.
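The four features above build on each other: DHCP snooping produces the binding table, and DAI and IP Source Guard consume it. The configuration below is an added example for this page, not one from the slides or from Cisco; the VLAN number, the interface roles (Gi0/24 as the uplink toward the DHCP server, Gi0/1 as a user port) and the thresholds are placeholders.

```cisco
! Added example (not from the slides): Layer 2 hardening on a Catalyst access
! switch. VLAN 10 is the user VLAN, Gi0/24 the uplink toward the DHCP server,
! Gi0/1 a user access port. All values are placeholders.
!
! DHCP snooping: enable globally and per VLAN. Every port is untrusted by
! default, so DHCP server replies are only accepted on the trusted uplink.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Dynamic ARP Inspection on the same VLAN. Besides checking the sender
! MAC/IP pair against the snooping table, validate that the Ethernet and ARP
! addresses agree and that the IP addresses are plausible.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/24
 description Uplink toward distribution and DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/1
 description User access port
 switchport mode access
 switchport access vlan 10
 ! Port security: at most two MACs, learned dynamically and written to the
 ! running config (sticky). A third MAC shuts the port down and logs it,
 ! which stops CAM flooding tools that cycle through thousands of sources.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! Rate-limit DHCP on the user port so a starvation attack trips the port
 ! instead of exhausting the server's pool.
 ip dhcp snooping limit rate 15
 ! IP Source Guard: only packets whose source IP matches this port's DHCP
 ! snooping binding are forwarded.
 ip verify source
!
! Bring ports back automatically after a violation rather than waiting for
! a manual "shutdown / no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
```

Two caveats a practitioner hits immediately: hosts with static addresses never appear in the snooping table, so DAI drops their ARP and IP Source Guard drops their traffic until they are covered by a static `ip source binding` entry or an `arp access-list` applied with `ip arp inspection filter`; and the binding table lives in memory, so `ip dhcp snooping database` pointing at flash or a TFTP server is needed if bindings are to survive a reload. `show ip dhcp snooping binding`, `show ip arp inspection statistics vlan 10`, `show ip verify source` and `show port-security interface GigabitEthernet0/1` are the commands to confirm each layer is doing its job.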

Page 219: CCNA Security Chapter 1

Summary