Chapter 1: Modern Network Security Threats
Lecturer: Mohammad Tariq Meeran
Network Security
Feb 13, 2016
© 2012 Cisco Systems, Inc. All rights reserved. Cisco Public Network Security Lecturer: Tariq Meeran 2
Introduction
Network security is now an integral part of
computer networking.
Network security involves protocols,
technologies, devices, tools, and techniques
to secure data and mitigate threats.
Network security solutions emerged in the 1960s
but did not mature into a comprehensive set of
solutions for modern networks until the 2000s.
Introduction (cont.)
Network security is largely driven by the effort to
stay one step ahead of ill-intentioned hackers.
Network security professionals attempt to prevent
attacks while minimizing the effects of real-time
attacks.
Business continuity is another major driver of
network security.
Network security organizations have been created
to establish formal communities of network
security professionals.
Introduction (cont.)
These organizations set standards, encourage
collaboration, and provide workforce development
opportunities for security professionals.
The complexity of network security makes it
difficult to master all it encompasses. Different
organizations have created domains.
This division allows professionals to focus on more
precise areas of expertise in their training,
research, and employment.
Introduction (cont.)
Network attacks are classified so that it
is easier to learn about them and
address them appropriately.
Viruses, worms, and Trojan Horses
are specific types of network attacks.
More generally, network attacks are
classified as reconnaissance, access,
or Denial of Service attacks.
Evolution of Network Security
In July 2001, the Code Red worm attacked web servers
globally, infecting over 350,000 hosts.
The worm not only disrupted access to the infected
servers, but also affected the local networks hosting the
servers, making them very slow or unusable.
The Code Red worm caused a Denial of Service (DoS) to
millions of users.
Evolution of Network Security
If the network security professionals
responsible for these Code Red-infected
servers had developed and implemented a
security policy, security patches would
have been applied in a timely manner.
The Code Red worm would have been
stopped and would only merit a footnote in
network security history.
Evolution of Network Security
Network security relates directly to an
organization's business continuity.
Network security breaches can disrupt e-commerce, cause the loss of business data,
threaten people's privacy, and compromise the integrity of information.
These breaches can result in lost revenue for
corporations, theft of intellectual property, and
lawsuits, and can even threaten public safety.
Evolution of Network Security
Maintaining a secure network ensures the safety of
network users and protects commercial interests.
Security professionals must constantly be aware of
new and evolving threats and attacks to networks,
and vulnerabilities of devices and applications.
This information is used to adapt, develop and
implement mitigation techniques. However,
security of the network is ultimately the
responsibility of everyone that uses it.
Evolution of Network Security
"Necessity is the mother of invention." This
saying applies perfectly to network security. In
the early days of the Internet, commercial
interests were negligible.
The vast majority of users were research and
development experts. Early users rarely
engaged in activities that would harm other
users.
The Internet was not a secure environment
because it did not need to be.
Evolution of Network Security
Early on, networking involved connecting people
and machines through communications media.
The job of a networker was to get devices
connected to improve people's ability to
communicate information and ideas.
The early users of the Internet did not spend
much time thinking about whether or not their
online activities presented a threat to the
network or to their own data.
Evolution of Network Security
When the first viruses were unleashed and the
first DoS attack occurred, the world began to
change for networking professionals.
To meet the needs of users, network
professionals learned techniques to secure
networks.
The primary focus of many network
professionals evolved from designing, building,
and growing networks to securing existing
networks.
Evolution of Network Security
Today, the Internet is a very different network
compared to its beginnings in the 1960s.
The job of a network security professional
includes ensuring that appropriate personnel are
well-versed in network security tools, processes,
techniques, protocols, and technologies.
It is critical that network security professionals
manage the constantly evolving threats to
networks.
Evolution of Network Security
One of the first network security tools was the
intrusion detection system (IDS), first developed
by SRI International in 1984.
An IDS provides real-time detection of certain
types of attacks while they are in progress. This
detection allows network professionals to more
quickly mitigate the negative impact of these
attacks on network devices and users.
In the late 1990s, the intrusion prevention system
or sensor (IPS) began to replace the IDS solution.
Evolution of Network Security
In addition to IDS and IPS solutions, firewalls
were developed to prevent undesirable traffic
from entering prescribed areas within a
network, thereby providing perimeter security.
In 1988, Digital Equipment Corporation (DEC)
created the first network firewall in the form of
a packet filter.
These early firewalls inspected packets to see
if they matched sets of predefined rules, with
the option of forwarding or dropping the
packets accordingly.
Evolution of Network Security
Packet filtering firewalls inspect each packet in
isolation without examining whether a packet is
part of an existing connection.
In 1989, AT&T Bell Laboratories developed the
first stateful firewall. Like packet filtering firewalls,
stateful firewalls use predefined rules for
permitting or denying traffic.
Unlike packet filtering firewalls, stateful firewalls
keep track of established connections and
determine if a packet belongs to an existing flow
of data.
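To make the packet-filter versus stateful-firewall distinction concrete, here is an added simulation (not code from the slides or from any Cisco product). The LAN prefix, the single "inside hosts may reach HTTPS" rule, and the traffic sample are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN: first packet of a new connection


def is_inside(ip: str) -> bool:
    """Constructed site policy: 10.0.0.0/8 is the protected LAN."""
    return ip.startswith("10.")


class PacketFilter:
    """Stateless filter: each packet is judged on its own header fields.
    Policy: inside hosts may reach HTTPS (tcp/443) on the Internet. Because
    the filter cannot recognise replies, it needs a second rule admitting any
    inbound packet with source port 443, and that rule also matches
    unsolicited packets from any outside host that simply uses that port."""

    def allow(self, p: Packet) -> bool:
        outbound_https = is_inside(p.src) and not is_inside(p.dst) and p.dport == 443
        looks_like_reply = not is_inside(p.src) and is_inside(p.dst) and p.sport == 443
        return outbound_https or looks_like_reply


class StatefulFilter:
    """Stateful filter: same policy, but inbound packets are admitted only if
    they belong to a flow that an inside host opened."""

    def __init__(self) -> None:
        # flow key: (inside ip, inside port, outside ip, outside port)
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        if is_inside(p.src) and not is_inside(p.dst):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.dport == 443 and p.syn:
                self.flows.add(key)      # connection opened from inside: remember it
                return True
            return key in self.flows     # later packets of a known flow
        if not is_inside(p.src) and is_inside(p.dst):
            # Reply direction: accept only if the reverse key is a known flow.
            return (p.dst, p.dport, p.src, p.sport) in self.flows
        return False


def compare(filters, packets: List[Packet]) -> List[Tuple[bool, ...]]:
    """Per packet, the verdict of each filter, in order, for side-by-side study."""
    return [tuple(f.allow(p) for f in filters) for p in packets]


# Constructed traffic: a legitimate HTTPS session, an unsolicited inbound
# packet that merely uses source port 443, and a disallowed outbound SSH attempt.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True),  # client opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 40000),            # server reply
    Packet("10.0.0.5", 40000, "203.0.113.10", 443),            # client data
    Packet("198.51.100.7", 443, "10.0.0.9", 22),               # unsolicited inbound
    Packet("10.0.0.5", 50000, "203.0.113.10", 22, syn=True),   # outbound SSH (not allowed)
]

if __name__ == "__main__":
    verdicts = compare([PacketFilter(), StatefulFilter()], SAMPLE_PACKETS)
    for p, (stateless, stateful) in zip(SAMPLE_PACKETS, verdicts):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"stateless={stateless} stateful={stateful}")
```

The fourth packet is the one that matters: the stateless rule set admits it because its source port looks like a reply, while the stateful filter drops it because no inside host ever opened that flow.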
Evolution of Network Security
In addition to dealing with threats from outside
of the network, network professionals must also
be prepared for threats from inside the network.
Internal threats, whether intentional or
accidental, can cause even greater damage
than external threats.
Despite this fact, it has taken more than 20
years after the introduction of tools and
techniques for mitigating external threats to
develop mitigation tools and techniques for
internal threats.
Evolution of Network Security
A common scenario for a threat originating from inside the
network is a disgruntled employee with some technical
skills and a willingness to do harm.
Most threats from within the network leverage the
protocols and technologies used on the local area network
(LAN) or the switched infrastructure.
These internal threats basically fall into two categories:
spoofing and DoS.
Evolution of Network Security
Spoofing attacks are attacks in which one device
attempts to pose as another by falsifying data.
For example, MAC address spoofing occurs when one
computer uses the MAC address of another computer so
that it accepts data packets intended for that computer.
There are other types of spoofing attacks as well.
DoS attacks make computer resources
unavailable to intended users. Attackers use
various methods to launch DoS attacks.
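An added detection example for the LAN spoofing scenario above (this is not code from the slides or from Cisco). It watches IP-to-MAC bindings seen on a segment and raises alerts when a known IP suddenly answers from a different MAC, or when one MAC claims more IPs than policy allows; the observation format, addresses and threshold are constructed for the illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of IP-to-MAC bindings observed on a LAN segment, one
# observation per line: "time ip mac". The first four lines are the normal
# state (10.0.0.1 is the gateway); from 10:02:30 the host with MAC ...:21
# starts answering for the gateway and then for another workstation.
SAMPLE_OBSERVATIONS = """\
10:00:01 10.0.0.1  00:11:22:33:44:01
10:00:05 10.0.0.20 00:11:22:33:44:20
10:00:09 10.0.0.21 00:11:22:33:44:21
10:01:00 10.0.0.1  00:11:22:33:44:01
10:02:30 10.0.0.1  00:11:22:33:44:21
10:02:31 10.0.0.20 00:11:22:33:44:21
"""

LINE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.IGNORECASE,
)


def detect_spoofing(observations: str, max_ips_per_mac: int = 1) -> List[Tuple]:
    """Flag (a) an IP whose MAC changes and (b) a MAC answering for more IPs
    than policy allows. Both are what an address-spoofing attempt on a switched
    LAN looks like from the outside, but (a) also fires on legitimate NIC
    replacements or DHCP churn and (b) on routers that legitimately front many
    addresses, so treat alerts as leads for investigation, not as proof."""
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Tuple] = []
    for raw in observations.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, ip, mac = m.groups()
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "ip_changed_mac", ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append((ts, "mac_claims_multiple_ips", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(SAMPLE_OBSERVATIONS):
        print(alert)
```

Monitoring like this detects after the fact; on the switched infrastructure itself, Cisco switches can enforce the same IP-to-MAC binding at the port with DHCP snooping and Dynamic ARP Inspection.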
Evolution of Network Security
Evolution of LAN Security
Evolution of Network Security
In addition to preventing and denying malicious
traffic, network security also requires that data
stay protected.
Cryptography, the study and practice of
hiding information, is used pervasively in
modern network security.
Today, each type of network communication has
a corresponding protocol or technology
designed to hide that communication from
anyone other than the intended user.
Evolution of Network Security
Wireless data can be encrypted (hidden) using
various cryptography applications. The
conversation between two IP phone users can be
encrypted.
The files on a computer can also be hidden with
encryption. These are just a few examples.
Cryptography can be used almost anywhere that
there is data communication.
In fact, the trend is toward all communication
being encrypted.
Evolution of Network Security
Cryptography ensures data confidentiality, which
is one of the three components of information
security: confidentiality, integrity, and availability.
Information security deals with protecting
information and information systems from
unauthorized access, use, disclosure, disruption,
modification, or destruction.
Encryption provides confidentiality by hiding
plaintext data.
Evolution of Network Security
Data integrity, meaning that the data is
preserved unaltered during any operation,
is achieved by the use of hashing
mechanisms.
Availability, which is data accessibility,
is guaranteed by network hardening
mechanisms and backup systems.
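An added worked example for the two preceding slides (confidentiality through encryption, integrity through hashing); it is not code from the slides. It encrypts a message, shows that a single flipped ciphertext bit still decrypts to something plausible, and that only a keyed hash (HMAC) over the ciphertext catches the change. The cipher is a counter-mode keystream built from HMAC-SHA256 purely for a standard-library illustration; the keys and message are constructed.

```python
import hashlib
import hmac
from typing import Dict


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the pseudorandom function.
    Assumption for the illustration only: a production system would use a
    vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality: XOR with the keystream hides the plaintext."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR is its own inverse


def integrity_tag(key: bytes, data: bytes) -> bytes:
    """Integrity: a keyed hash (HMAC) over the ciphertext. Only a holder of the
    key can produce a valid tag, so altered data cannot simply be re-tagged."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(key, data), tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate one corrupted bit in transit (a line error or a tamper)."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo(enc_key: bytes = b"\x01" * 32, mac_key: bytes = b"\x02" * 32) -> Dict[str, object]:
    """Constructed fixed keys for reproducibility; real keys come from os.urandom(32)."""
    nonce = b"\x00" * 8
    message = b"transfer 100 USD to account 42"
    ciphertext = encrypt(enc_key, nonce, message)
    tag = integrity_tag(mac_key, ciphertext)
    unkeyed_hash = hashlib.sha256(ciphertext).digest()  # what a plain hash would give

    # Flip the low bit of byte 9 (the '1' in "100"). The cipher still decrypts
    # cleanly, so confidentiality alone says nothing about whether data is intact.
    tampered = flip_bit(ciphertext, 9)
    tampered_plaintext = decrypt(enc_key, nonce, tampered)

    return {
        "round_trip_ok": decrypt(enc_key, nonce, ciphertext) == message,
        "ciphertext_hides_plaintext": message not in ciphertext,
        "tampered_plaintext": tampered_plaintext,
        "keyed_hash_detects_tamper": not verify(mac_key, tampered, tag),
        # An unkeyed hash shipped with the data catches accidental corruption,
        # but whoever can alter the data can recompute it too; that is why the
        # integrity mechanism needs a key (HMAC) or a signature.
        "unkeyed_hash_detects_corruption": hashlib.sha256(tampered).digest() != unkeyed_hash,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```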
Evolution of Network Security
Encrypting Data
Drivers for Network Security
The word hackers has a variety of meanings.
For many, it means Internet programmers who
try to gain unauthorized access to devices
on the Internet.
It is also used to refer to individuals that run
programs to prevent or slow network access
to a large number of users, or corrupt or
wipe out data on servers.
Drivers for Network Security
But for some, the term hacker has a
positive interpretation as a network
professional that uses sophisticated
Internet programming skills to ensure
that networks are not vulnerable to
attack.
Good or bad, hacking is a driving force
in network security.
Drivers for Network Security
The job of a network security professional is to
stay one step ahead of the hackers by:
attending training and workshops
participating in security organizations
subscribing to real-time feeds regarding threats
and perusing security websites on a daily basis
The network security professional must also
have access to state-of-the art security tools,
protocols, techniques, and technologies.
Drivers for Network Security
Hacking started in the 1960s with phone freaking,
or phreaking, which refers to using various audio
frequencies to manipulate phone systems.
Phreaking began when AT&T introduced
automatic switches to their phone systems. The
AT&T phone switches used various tones, or tone
dialing, to indicate different functions, such as call
termination and call dialing.
A few AT&T customers realized that by imitating a
tone using a whistle, they could exploit the phone
switches to make free long-distance calls.
Drivers for Network Security
As communication systems evolved, so did
hacking methods.
Wardialing became popular in the 1980s with
the use of computer modems.
Wardialing programs automatically scanned
telephone numbers within a local area,
dialing each one in search of computers,
bulletin board systems, and fax machines.
When a phone number was found,
password-cracking programs were used to
gain access.
Drivers for Network Security
Wardriving began in the 1990s and is still
popular today. With wardriving, users gain
unauthorized access to networks via wireless
access points.
This is accomplished using a vehicle and a
wireless-enabled portable computer or PDA.
A number of other threats have evolved since
the 1960s, including network scanning tools
such as Nmap and SATAN, as well as remote
system administration hacking tools such as
Back Orifice.
Drivers for Network Security
Trillions of dollars are transacted over the Internet on a
daily basis, and the livelihoods of millions depend on
Internet commerce.
For this reason, criminal laws are in place to protect
individual and corporate assets.
There are numerous cases of individuals who have had
to face the court system due to these laws.
The first email virus, the Melissa virus, was written by
David Smith of Aberdeen, New Jersey.
This virus resulted in memory overflows in Internet mail
servers. David Smith was sentenced to 20 months in
federal prison and a US$5,000 fine.
Drivers for Network Security
Robert Morris created the first Internet
worm with 99 lines of code.
When the Morris Worm was released,
10% of Internet systems were brought to a
halt.
Robert Morris was charged and received
three years probation (trial), 400 hours of
community service, and a fine of
US$10,000.
Drivers for Network Security
One of the most notorious (disreputable) Internet
hackers, Kevin Mitnick, was imprisoned for four
years for hacking credit card accounts in the
early 1990s.
Whether the attack is via spam, a virus, DoS, or
simply breaking into accounts, when the
creativity of hackers is used for malicious
purposes, they often end up going to jail, paying
large fines, and losing access to the very
environment in which they thrive (succeed).
Drivers for Network Security
As a result of hacker exploits, the
sophistication of hacker tools, and government
legislation, network security solutions
developed rapidly in the 1990s.
By the late 1990s, many sophisticated network
security solutions had been developed for
organizations to strategically deploy within
their networks.
With these solutions came new job
opportunities and increased compensation in
the field of network security.
Drivers for Network Security
The annual income for a network security
professional is on the high end of the scale for
careers in technology because of the depth and
breadth of knowledge required.
Network security professionals must constantly
upgrade their skill set to keep abreast of the
latest threats.
The challenge of gaining and maintaining the
necessary knowledge often translates into a
shortage of network security professionals.
Drivers for Network Security
Network security professionals are
responsible for maintaining data assurance
for an organization and ensuring the
integrity and confidentiality of information.
A network security professional might be
responsible for setting up firewalls and
intrusion prevention systems as well as
ensuring encryption of company data.
Drivers for Network Security
Implementing enterprise authentication
schemes is another important task.
The job entails maintaining detailed logs of
suspicious activity on the network to use
for reprimanding (warning) or prosecuting
violators.
Network Security Organizations
Three of the more well-established network
security organizations are:
SysAdmin, Audit, Network, Security (SANS)
Institute
Computer Emergency Response Team (CERT)
International Information Systems Security
Certification Consortium (pronounce (ISC)2 as
"I-S-C-squared")
Network Security Organizations
CERT is part of the U.S. federally funded Software
Engineering Institute (SEI) at Carnegie Mellon
University.
CERT is chartered to work with the Internet community
in detecting and resolving computer security incidents.
The Morris Worm motivated the formation of CERT at
the directive of the Defense Advanced Research
Projects Agency (DARPA).
The CERT Coordination Center (CERT/CC) focuses
on coordinating communication among experts during
security emergencies to help prevent future incidents.
Network Security Organizations
CERT responds to major security incidents and
analyzes product vulnerabilities.
CERT works to manage changes relating to
progressive intruder techniques and to the
difficulty of detecting attacks and catching
attackers.
CERT develops and promotes the use of
appropriate technology and systems management
practices to resist attacks on networked systems,
to limit damage, and to ensure continuity of
services.
Network Security Organizations
CERT focuses on five areas: software assurance,
secure systems, organizational security,
coordinated response, and education and training.
Network Security Organizations
(ISC)2 provides vendor-neutral education
products and career services in more than 135
countries. Its membership includes 60,000
certified industry professionals worldwide.
The mission of (ISC)2 is to make the cyber world
a safe place through elevating information
security to the public domain and supporting and
developing information security professionals
around the world.
Network Security Organizations
(ISC)2 develops and maintains the (ISC)2 Common
Body of Knowledge (CBK).
The CBK defines global industry standards, serving
as a common framework of terms and principles
that (ISC)2 credentials are based upon.
Most notably, (ISC)2 is universally recognized for its
four information security certifications, including one
of the most popular certifications in the network
security profession, the Certified Information
Systems Security Professional (CISSP).
Network Security Organizations
(ISC)2 promotes expertise in handling security threats
through its education and certification programs.
As members, individuals have access to current
industry information and networking opportunities
unique to its network of certified information security
professionals.
Network Security Organizations
One of the most useful tools for the network
security professional is the Really Simple Syndication
(RSS) feed.
RSS is a family of XML-based formats used to
publish frequently updated information, such as
blog entries, news headlines, audio, and video.
RSS uses a standardized format.
An RSS feed includes complete or summarized
text, plus metadata, such as publishing dates and
authorships.
Network Security Organizations
RSS benefits:
Subscribe to timely updates from favored websites.
RSS feeds can be read using a web-based RSS reader.
The RSS reader software checks the user's subscribed
feeds regularly.
Network security professionals can acquire up-to-date
information on a daily basis.
Aggregate real-time threat information for review at
any time.
Network Security Organizations
For example, the US-CERT Current
Activity web page is a regularly updated
summary of the most frequent, high-impact
types of security incidents being reported
to the US-CERT.
A text-only RSS feed is available at
http://www.us-cert.gov/current/index.rdf.
It reports, 24/7, information regarding
security advisories, email scams, backup
vulnerabilities, malware spreading via
social network sites, and other potential
threats.
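An added example of the feed-reading step the last two slides describe (not code from the slides or from US-CERT). It parses both RSS flavours a security professional meets, RSS 1.0 (RDF, the `.rdf` form linked above) and RSS 2.0, pulls out title, link, date and summary, and filters entries by keyword; both feeds below are constructed samples, not real US-CERT content.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed RSS 1.0 (RDF) feed in the shape of a "current activity" feed.
RSS1_SAMPLE = """<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel rdf:about="http://example.invalid/current/">
    <title>Example CERT Current Activity</title>
  </channel>
  <item rdf:about="http://example.invalid/current/1">
    <title>Security Advisory: Example Router Firmware Update</title>
    <link>http://example.invalid/current/1</link>
    <dc:date>2016-02-10T14:00:00Z</dc:date>
    <description>Vendor released firmware fixing an authentication bypass.</description>
  </item>
  <item rdf:about="http://example.invalid/current/2">
    <title>Phishing Campaign Targeting Tax Season</title>
    <link>http://example.invalid/current/2</link>
    <dc:date>2016-02-12T09:30:00Z</dc:date>
  </item>
</rdf:RDF>
"""

# Constructed RSS 2.0 feed, as most vendor advisory feeds are published.
RSS2_SAMPLE = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example Vendor Advisories</title>
<item><title>Advisory: Example Switch Denial of Service</title>
<link>http://example.invalid/adv/3</link>
<pubDate>Fri, 12 Feb 2016 16:00:00 GMT</pubDate></item>
</channel></rss>
"""


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def parse_feed(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per <item>, whatever namespace the feed uses.
    Feeds fetched from the Internet are untrusted input; for production use,
    parse them with the defusedxml package instead of the stock parser."""
    root = ET.fromstring(xml_text)
    entries = []
    for element in root.iter():
        if local_name(element.tag) != "item":
            continue
        entry: Dict[str, Optional[str]] = {"title": None, "link": None, "date": None, "summary": None}
        for child in element:
            name = local_name(child.tag)
            text = (child.text or "").strip()
            if name == "title":
                entry["title"] = text
            elif name == "link":
                entry["link"] = text
            elif name in ("date", "pubDate"):      # dc:date (RSS 1.0) or pubDate (RSS 2.0)
                entry["date"] = text
            elif name == "description":
                entry["summary"] = text
        entries.append(entry)
    return entries


def filter_entries(entries, keywords: List[str]):
    """Keep entries whose title mentions any keyword (case-insensitive)."""
    wanted = [k.lower() for k in keywords]
    return [e for e in entries if e["title"] and any(k in e["title"].lower() for k in wanted)]


if __name__ == "__main__":
    everything = parse_feed(RSS1_SAMPLE) + parse_feed(RSS2_SAMPLE)
    for entry in filter_entries(everything, ["advisory"]):
        print(entry["date"], entry["title"], entry["link"])
```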
Domains of Network Security
It is vital for a network security professional
to understand the drivers for network
security and be familiar with the
organizations dedicated to network security.
It is also important to have an understanding
of the various network security domains.
Domains provide an organized framework to
facilitate learning about network security.
Domains of Network Security
There are 12 network security domains
specified by the International Organization
for Standardization (ISO)/International
Electrotechnical Commission (IEC).
Described by ISO/IEC 27002, these 12
domains serve to organize at a high level
the vast realm of information under the
umbrella of network security.
Domains of Network Security
The 12 domains of network security provide a
convenient separation for the elements of
network security.
While it is not important to memorize these 12
domains, it is important to be aware of their
existence and formal declaration by the ISO.
They serve as a useful reference going forward
in your work as a network security professional.
Domains of Network Security
One of the most important domains is
security policy.
A security policy is a formal statement of
the rules by which people must abide who
are given access to the technology and
information assets of an organization.
The concept, development, and
application of a security policy play a
significant role in keeping an organization
secure.
Network Security Policies
The network security policy is a broad, end-to-end
document designed to be clearly applicable to an
organization's operations.
The policy is used to aid in network design,
convey security principles, and facilitate network
deployments.
Network Security Policies
The network security policy outlines rules for
network access, determines how policies are
enforced, and describes the basic architecture of
the organization's network security environment.
The document is generally several pages.
Because of its breadth of coverage and impact,
it is usually compiled by a committee.
It is a complex document meant to govern items
such as data access, web browsing, password
usage, encryption, and email attachments.
Network Security Policies
A security policy should keep ill-intentioned
users out and have control over potentially
risky users.
When a policy is created, it must be
understood first what services are available
to which users.
The network security policy establishes a
hierarchy of access permissions, giving
employees only the minimal access
necessary to perform their work.
Network Security Policies
The network security policy outlines what
assets need to be protected and gives
guidance on how they should be protected.
One possible guideline that administrators
can use when developing the security
policy and determining various mitigation
strategies is the Cisco SecureX
architecture.
Network Security Policies
The Cisco SecureX architecture is designed to
provide effective security for any user, using any
device, from any location, and at any time.
This new security architecture uses a higher-level
policy language that takes into account the
full context of a situation: who, what, where,
when and how.
With highly distributed security policy
enforcement, security is pushed closer to where
the end user is working.
Network Security Policies
This architecture includes the
following five major components:
Scanning Engines
Delivery Mechanisms
Security Intelligence Operations (SIO)
Policy Management Consoles
Next-generation Endpoint
Network Security Policies
Increased user mobility has created complexities for
securing the IT infrastructure.
Deploying piecemeal security solutions can lead to
duplicated efforts and inconsistent access policies, and
requires increased integration and staffing to support.
Cisco SecureX products work together to provide
effective security for any user, using any device, from
any location, at any time.
This is one of the primary reasons for relying on the
Cisco SecureX architecture to help shape the security
policy.
Network Security Policies
A network security policy drives all the steps to
be taken to secure network resources, not just
equipment requirements and procedures.
One of the most important steps in creating a
policy is identifying critical assets, which
include:
databases and vital applications
customer and employee information
classified commercial information
shared drives
email servers and web servers.
Network Security Policies
A security policy is a set of objectives for the
company, rules of behavior for users and
administrators, and requirements for system
and management that collectively ensure the
security of network and computer systems in
an organization.
A security policy is a "living document,"
meaning that the document is never finished and
is continuously updated as technology,
business, and employee requirements change.
Network Security Policies
For example, an organization's employee laptops
will be subject to various types of attacks, such as
email viruses.
A network security policy explicitly defines how
frequently virus software updates and virus
definition updates must be installed.
Additionally, the network security policy includes
guidelines for what users can and cannot do. This
is normally stipulated as a formal acceptable use
policy (AUP).
The AUP must be as explicit as possible to avoid
ambiguity or misunderstanding.
Viruses
The primary vulnerabilities for end-user computers
are virus, worm, and Trojan Horse attacks:
A virus is malicious software which attaches to
another program to execute a specific unwanted
function on a computer.
A worm executes arbitrary code and installs copies of
itself in the memory of the infected computer, which
then infects other hosts.
A Trojan Horse is an application written to look like
something else. When a Trojan Horse is downloaded
and opened, it attacks the end-user computer from
within.
Virus
Traditionally, the term virus refers to an
infectious organism that requires a host cell
to grow and replicate.
A University of Southern California student
named Frederick Cohen suggested the term
"computer virus" in 1983.
A computer virus, referred to as a virus in the
rest of this course, is a program that can copy
itself and infect a computer without the
knowledge of the user.
Virus
A virus is a malicious code that is attached to
legitimate programs or executable files.
Most viruses require end-user activation and can
lay dormant for an extended period and then
activate at a specific time or date.
A simple virus may install itself at the first line of
code on an executable file.
When activated, the virus might check the disk
for other executables, so that it can infect all the
files it has not yet infected.
Virus
Viruses can be harmless, such as those that display a
picture on the screen, or they can be destructive, such
as those that modify or delete files on the hard drive.
Viruses can also be programmed to mutate to avoid
detection.
In the past, viruses were usually spread via floppy
disks and computer modems.
Today, most viruses are spread by USB memory
sticks, CDs, DVDs, network shares, or email.
Email viruses are now the most common type of virus.
Worms
Worms are a particularly dangerous type of
hostile code.
They replicate themselves by independently
exploiting vulnerabilities in networks.
Worms usually slow down networks.
Whereas a virus requires a host program to
run, worms can run by themselves.
They do not require user participation and
can spread extremely fast over the
network.
Worms
Worms are responsible for some of the most
devastating attacks on the Internet.
For example, the SQL Slammer Worm of January
2003 slowed down global Internet traffic as a result
of Denial of Service.
Over 250,000 hosts were affected within 30 minutes of
its release.
The worm exploited a buffer overflow bug in
Microsoft's SQL Server.
A patch for this vulnerability was released in mid-2002,
so the servers that were affected were those that did
not have the update patch applied.
Worms
Despite the mitigation techniques that have
emerged over the years, worms have
continued to evolve with the Internet and still
pose a threat.
While worms have become more sophisticated
over time, they still tend to be based on
exploiting weaknesses in software
applications.
Worms
Most worm attacks have three major
components:
Enabling vulnerability - A worm
installs itself using an exploit
mechanism (email attachment,
executable file, Trojan Horse)
Propagation mechanism - After
gaining access to a device, the worm
replicates itself and locates new
targets.
Payload - Any malicious code that
results in some action. Most often this
is used to create a backdoor.
Worms
When exploring the major worm and virus
attacks over the past 20 years, it is
noticeable that the various phases of
attack methods employed by hackers are
often quite similar.
There are five basic phases of attack,
regardless of whether a worm or virus
is deployed.
Worms
Probe phase - Vulnerable targets are identified.
The goal is to find computers that can be subverted
(threatened).
Internet Control Message Protocol (ICMP) ping
scans are used to map networks.
Then application scans identify operating
systems and vulnerable software.
Hackers can obtain passwords using social
engineering, dictionary attack, brute-force attack, or
network sniffing.
Worms
Penetrate phase - Exploit code is
transferred to the vulnerable target.
The goal is to get the target to execute
the exploit code through an attack
vector, such as a buffer overflow,
ActiveX or Common Gateway Interface
(CGI) vulnerabilities, or an email virus.
Worms
Persist phase - After the attack is
successfully launched in the memory, the
code tries to persist on the target system.
The goal is to ensure that the attacker code
is running and available to the attacker
even if the system reboots.
This is achieved by modifying system files,
making registry changes, and installing
new code.
Worms
Propagate phase - The attacker
attempts to extend the attack to other
targets by looking for vulnerable
neighboring machines.
Propagation vectors include emailing
copies of the attack to other systems,
uploading files to other systems using file
shares or FTP services, active web
connections, and file transfers through
Internet Relay Chat (IRC).
Worms
Paralyze phase - Actual damage is done to the
system.
Files can be erased, systems can crash,
information can be stolen, and distributed DoS
(DDoS) attacks can be launched.
The five basic phases of attack allow security
experts to conveniently describe worms and
viruses according to their particular
implementation mechanism for each phase.
This makes it easier to categorize worms and
viruses.
Trojan Horse
The term Trojan Horse originated from
Greek mythology (folklore).
Greek warriors offered the people of Troy
(Trojans) a giant hollow horse as a gift.
The Trojans brought the giant horse into
their walled city, unaware that it contained
many Greek warriors.
At night, after most Trojans were asleep,
the warriors burst out of the horse and
overtook the city.
Trojan Horse
A Trojan Horse in the world of computing is
malware that carries out malicious operations
under the guise of a desired function.
A virus or worm could carry a Trojan Horse.
A Trojan Horse contains hidden, malicious code
that exploits the privileges of the user that runs
it.
Games can often have a Trojan Horse attached
to them.
Trojan Horse
The Trojan Horse concept is flexible. It can
cause immediate damage, provide remote
access to the system (a back door), or
perform actions as instructed remotely,
such as "send me the password file once
per week."
Custom-written Trojan Horses, such as
Trojan Horses with a specific target, are
difficult to detect.
Trojan Horse
Trojan Horses are usually classified according to
the damage that they cause or the manner in
which they breach a system:
Remote-access Trojan Horse - enables unauthorized
remote access
Data sending Trojan Horse - provides the attacker with
sensitive data such as passwords
Destructive Trojan Horse - corrupts or deletes files
Proxy Trojan Horse - user's computer functions as a proxy
server
FTP Trojan Horse - opens port 21
Security software disabler Trojan Horse - stops antivirus
programs or firewalls from functioning
Denial of Service Trojan Horse - slows or halts network
activity
Mitigating viruses, worms and Trojan horses
A majority of the software vulnerabilities that are
discovered relate to buffer overflows.
A buffer is an allocated area of memory used
by processes to store data temporarily.
A buffer overflow occurs when a fixed-length
buffer reaches its capacity and a process
attempts to store data above and beyond that
maximum limit.
This can result in extra data overwriting adjacent
memory locations as well as cause other
unexpected behavior.
Mitigating viruses, worms and Trojan horses
Buffer overflows are usually the primary
conduit through which viruses, worms, and
Trojan Horses do their damage.
In fact, there are reports that suggest that
one-third of the software vulnerabilities
identified by CERT relate to buffer
overflows.
Mitigating viruses, worms and Trojan horses
Viruses and Trojan Horses tend to take
advantage of local root buffer overflows.
A root buffer overflow is a buffer overflow
intended to attain root privileges to a system.
Local root buffer overflows require the end user
or system to take some type of action.
A local root buffer overflow is typically initiated by
a user opening an email attachment, visiting a
website, or exchanging a file via instant
messaging.
Mitigating viruses, worms and Trojan horses
Worms such as SQL Slammer and Code Red exploit
remote root buffer overflows.
Remote root buffer overflows are similar to local root
buffer overflows, except that local end user or system
intervention is not required.
Mitigating viruses, worms and Trojan horses
Viruses, worms, and Trojan horses can cause serious
problems on networks and end systems.
Network administrators have several means of
mitigating these attacks.
Note that mitigation techniques are often referred to
in the security community as countermeasures.
Mitigating viruses, worms and Trojan horses
The primary means of mitigating virus and
Trojan horse attacks is anti-virus software.
Anti-virus software helps prevent hosts from
getting infected and spreading malicious
code.
It requires much more time to clean up
infected computers than it does to maintain
up-to-date anti-virus software and anti-virus
definitions on the same machines.
Mitigating viruses, worms and Trojan horses
Anti-virus software is the most widely deployed
security product on the market today.
Several companies that create anti-virus software,
such as Symantec, Computer Associates, McAfee,
and Trend Micro, have been in the business of
detecting and eliminating viruses for more than a
decade.
Many corporations and educational institutions
purchase volume licensing for their users.
Mitigating viruses, worms and Trojan horses
Anti-virus products have update
automation options so that new virus
definitions and new software updates can
be downloaded automatically or on
demand.
This practice is the most critical
requirement for keeping a network free of
viruses and should be formalized in a
network security policy.
Mitigating viruses, worms and Trojan horses
Anti-virus products are host-based. These
products are installed on computers and
servers to detect and eliminate viruses.
However, they do not prevent viruses from
entering the network, so a network
security professional needs to be aware of
the major viruses and keep track of
security updates regarding emerging
viruses.
Mitigating viruses, worms and Trojan horses
Worms are more network-based than viruses. Worm
mitigation requires diligence and coordination on the
part of network security professionals.
The response to a worm infection can be broken down
into four phases: containment, inoculation, quarantine,
and treatment.
Mitigating viruses, worms and Trojan horses
The containment phase involves limiting the
spread of a worm infection to areas of the
network that are already affected.
This requires compartmentalization and
segmentation of the network to slow down or
stop the worm.
Containment requires using both outgoing and
incoming ACLs on routers and firewalls at
control points within the network.
Mitigating viruses, worms and Trojan horses
The inoculation phase runs parallel to or
subsequent to the containment phase.
During the inoculation phase, all uninfected
systems are patched with the appropriate
vendor patch for the vulnerability.
The inoculation process further deprives the
worm of any available targets.
The mobile environment prevalent (common) on
modern networks poses significant challenges.
Mitigating viruses, worms and Trojan horses
Laptops are routinely taken out of the
secure network environment and
connected to potentially unsecure
environments, such as home networks.
Without proper patching of the system, a
laptop can be infected with a worm or
virus and then bring it back into the secure
environment of the organization's network
where it can infect other systems.
Mitigating viruses, worms and Trojan horses
The quarantine phase involves tracking
down and identifying infected machines
within the contained areas and
disconnecting, blocking, or removing
them.
This isolates these systems appropriately for
the treatment phase.
Mitigating viruses, worms and Trojan horses
During the treatment phase, actively infected
systems are disinfected of the worm.
This can involve:
terminating the worm process,
removing modified files or system settings that
the worm introduced,
patching the vulnerability the worm used to
exploit the system, and
in more severe cases, completely reinstalling
the system.
Mitigating viruses, worms and Trojan horses
In the case of the SQL Slammer worm:
Malicious traffic was detected on UDP port
1434.
This port should normally be blocked by a
firewall on the perimeter.
Most infections enter by way of back doors and
do not pass through the firewall; therefore, to
prevent the spreading of this worm it would be
necessary to block this port on all devices
throughout the internal network.
Mitigating viruses, worms and Trojan horses
In some cases, the port on which the worm is
spreading might be critical to business operation.
For example, when SQL Slammer was
propagating, some organizations could not block
UDP port 1434 because it was required to
access the SQL Server for legitimate business
transactions.
In such a situation, alternatives must be
considered.
Mitigating viruses, worms and Trojan horses
If the network devices using the service on the
affected port are known, permitting selective
access is an option.
For example, if only a small number of clients
are using SQL Server, one option is to open
UDP port 1434 to critical devices only.
Selective access is not guaranteed to solve the
problem, but it certainly lowers the probability of
infection.
Attack Methodologies
There are many different types of network
attacks other than viruses, worms, and Trojan
Horses.
To mitigate attacks, it is useful to first have the
various types of attacks categorized.
There is no standardized way of categorizing
network attacks.
The method used in this course classifies
attacks in three major categories.
Attack Methodologies
Reconnaissance Attacks
Involve the unauthorized discovery and
mapping of systems, services, or vulnerabilities.
Employ the use of packet sniffers and port
scanners, which are widely available as free
downloads on the Internet.
Are analogous to a thief surveying a
neighborhood for vulnerable homes to break
into, such as an unoccupied residence or a
house with an easy-to-open door or window.
Attack Methodologies
Access Attacks
Exploit known vulnerabilities in authentication
services, FTP services, and web services to
gain entry to web accounts, confidential
databases, and other sensitive information.
Often employ a dictionary attack to guess
system passwords.
There are also specialized dictionaries for
different languages that can be used.
Attack Methodologies
Denial of Service Attacks
Send extremely large numbers of requests
over a network or the Internet.
These excessive requests cause the target
device to run sub-optimally.
Consequently, the attacked device becomes
unavailable for legitimate access and use.
By executing exploits or combinations of
exploits, DoS attacks slow or crash
applications and processes.
Attack Methodologies, Reconnaissance attacks
Reconnaissance attack details
A reconnaissance attack is also known as information
gathering and, in most cases, precedes an access or
DoS attack.
The malicious intruder typically begins by
conducting a ping sweep of the target network to
determine which IP addresses are active.
The intruder then determines which services or
ports are available on the live IP addresses.
Nmap is the most popular application for
performing port scans.
Attack Methodologies, Reconnaissance attacks
From the port information obtained, the
intruder queries the ports to determine the
type and version of the application and
operating system that is running on the target
host.
The intruders look for vulnerable services that
can be exploited later when there is less
likelihood of being caught.
Attack Methodologies, Reconnaissance attacks
Reconnaissance attacks use various tools
to gain access to a network:
Packet sniffers
Ping sweeps
Port scans
Internet information queries
Attack Methodologies, Reconnaissance attacks
A packet sniffer is a software application that uses
a network adapter card in promiscuous mode.
Promiscuous mode is a mode in which the
network adapter card sends all packets that
are received to an application for processing.
Some network applications distribute network
packets in unencrypted plaintext.
Attack Methodologies, Reconnaissance attacks
A packet sniffer can only work in the same
collision domain as the network being attacked,
unless the attacker has access to the intermediary
switches.
Packet sniffers are available as freeware and
shareware, such as Wireshark.
Attack Methodologies, Reconnaissance attacks
Ping Sweep
When used as a legitimate tool, it runs a
series of tests against hosts and devices to
identify vulnerable services.
The information is gathered by examining IP
addressing and port, or banner, data from
both TCP and UDP ports.
Attackers use it to acquire information to
compromise the system.
Attack Methodologies, Reconnaissance attacks
Ping Sweep (cont.)
A ping sweep is a basic network scanning technique
that determines which range of IP addresses map to
live hosts.
A single ping indicates whether one specified
host computer exists on the network.
It consists of ICMP echo requests sent to
multiple hosts.
It is among the older and slower methods used
to scan a network.
Attack Methodologies, Reconnaissance attacks
Port Scans
Each service on a host is associated with a
well-known port number.
A port scan scans a range of TCP or UDP port
numbers on a host to detect listening services.
It consists of sending a message to each port
on a host.
The response that the sender receives
indicates whether the port is used.
Attack Methodologies, Reconnaissance attacks
Internet information queries can reveal:
who owns a particular domain and what addresses
have been assigned to that domain.
who owns a particular IP address and which
domain is associated with the address.
Used together with ping sweeps, they present a
picture of the live hosts in a particular
environment.
Attack Methodologies, Reconnaissance attacks
Reconnaissance attacks are typically the
precursor to further attacks with the
intention of gaining unauthorized access to a
network or disrupting network functionality.
Reconnaissance attacks can be detected by
configuring alarms that are triggered when certain
parameters are exceeded, such as ICMP requests
per second.
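As an added example that is not part of the course material, the following Python script applies such a threshold to constructed flow records: it counts ICMP echo requests per source per second and raises an alarm when one source exceeds a rate or reaches many distinct destinations inside a single second, which is what a ping sweep looks like from the defender's side. The record layout, the thresholds (20 requests per second, 10 distinct targets) and all addresses are assumptions.

```python
"""Threshold alarm for ICMP echo-request bursts, as a flow-log post-processor.

Added example, not from the Cisco course. Flow records use a constructed
"epoch src dst proto icmp_type" layout; real collectors export other fields.
"""
from collections import defaultdict


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, proto, icmp_type = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto, "type": int(icmp_type)}


def detect_ping_sweeps(records, max_echo_per_sec=20, min_distinct_dsts=10):
    """Return {src: {...}} for every source that, within a single second,
    sent more than max_echo_per_sec ICMP echo requests (type 8) or sent
    echo requests to at least min_distinct_dsts different hosts.

    Both thresholds are assumed values; tune them to the network's baseline.
    """
    # (src, second) -> [echo request count, set of destinations]
    buckets = defaultdict(lambda: [0, set()])
    for r in records:
        if r["proto"] != "icmp" or r["type"] != 8:  # only echo requests count
            continue
        bucket = buckets[(r["src"], r["ts"])]
        bucket[0] += 1
        bucket[1].add(r["dst"])

    alarms = {}
    for (src, sec), (count, dsts) in buckets.items():
        if count > max_echo_per_sec or len(dsts) >= min_distinct_dsts:
            # Keep the busiest second per source as the alarm evidence.
            current = alarms.get(src)
            if current is None or count > current["echo_requests"]:
                alarms[src] = {"second": sec, "echo_requests": count,
                               "distinct_targets": len(dsts)}
    return alarms


def build_sample():
    """Constructed sample: one host sweeping 10.0.0.1-40 inside one second,
    and one host pinging its gateway a few times over ten seconds."""
    lines = [f"1000 192.168.1.50 10.0.0.{i} icmp 8" for i in range(1, 41)]
    for t in (1000, 1005, 1010):
        lines.append(f"{t} 192.168.1.20 192.168.1.1 icmp 8")  # echo request
        lines.append(f"{t} 192.168.1.1 192.168.1.20 icmp 0")  # echo reply
    return lines


if __name__ == "__main__":
    records = [parse_flow(line) for line in build_sample()]
    for src, info in detect_ping_sweeps(records).items():
        print(f"ALARM {src}: {info['echo_requests']} echo requests to "
              f"{info['distinct_targets']} hosts in second {info['second']}")
```

The benign host never trips either threshold, so only the sweeping source is reported.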
Attack Methodologies, Reconnaissance attacks
A variety of technologies and devices can be
used to monitor this type of activity and generate
an alarm.
Cisco's Adaptive Security Appliance (ASA)
provides intrusion prevention in a standalone
device.
Additionally, the Cisco ISR supports network-based
intrusion prevention through the Cisco IOS
security image.
Attack Methodologies, Access Attacks
Access Attacks
Hackers use access attacks on networks
or systems for three reasons:
retrieve data,
gain access, and
escalate access privileges.
Access attacks often employ password attacks to
guess system passwords.
Attack Methodologies, Access Attacks
Password attacks can be implemented
using several methods, including brute-
force attacks, Trojan Horse programs,
IP spoofing, and packet sniffers.
However, most password attacks refer
to brute-force attacks, which involve
repeated attempts.
Attack Methodologies, Access Attacks
A brute-force attack is often performed using a
program that runs across the network and
attempts to log in to a shared resource, such as
a server.
After an attacker gains access to a resource,
the attacker has the same access rights as the
user whose account was compromised.
If this account has sufficient privileges, the
attacker can create a back door for future
access.
Attack Methodologies, Access Attacks
As an example, a user can run the
L0phtCrack, or LC5, application to perform a
brute-force attack to obtain a Windows server
password.
When the password is obtained, the attacker
can install a keylogger, which sends a copy
of all keystrokes to a desired destination.
Or, a Trojan Horse can be installed to send a
copy of all packets sent and received by the
target to a particular destination.
Attack Methodologies, Access Attacks
There are five types of access attacks:
Password attack - An attacker attempts to guess
system passwords. A common example is a
dictionary attack.
Attack Methodologies, Access Attacks
Trust exploitation - An attacker uses
privileges granted to a system in an
unauthorized way, possibly leading to
compromising the target.
Attack Methodologies, Access Attacks
Port redirection - A compromised system is used as a
jump-off point for attacks against other targets.
An intrusion tool is installed on the compromised system
for session redirection.
Attack Methodologies, Access Attacks
Man-in-the-middle attack
An attacker is positioned in the middle of
communications between two legitimate entities
in order to read or modify the data that passes
between the two parties.
A popular man-in-the-middle attack involves a
laptop acting as a rogue access point to
capture and copy all network traffic from a
targeted user.
Often the user is in a public location on a
wireless hotspot.
Attack Methodologies, Access Attacks
Buffer overflow - A program writes data
beyond the allocated buffer memory.
Buffer overflows usually arise as a
consequence of a bug in a C or C++
program.
A result of the overflow is that valid data
is overwritten or exploited to enable the
execution of malicious code.
Attack Methodologies, Access Attacks
Access attacks can be detected by reviewing logs,
bandwidth utilization, and process loads.
By reviewing logs, security personnel can
determine if an unusual number of failed login
attempts have occurred.
Software packages such as ManageEngine
EventLog Analyzer or Cisco Secure Access
Control Server (CSACS) maintain information
regarding failed login attempts to network
devices.
Attack Methodologies, Access Attacks
UNIX and Windows servers also keep a log of failed
login attempts.
Cisco routers and firewall devices can be configured to
prevent login attempts for a given time from a particular
source after a prescribed number of failures in a
specified amount of time.
Man-in-the-middle attacks often involve replicating
data.
An indication of such an attack is an unusual amount
of network activity and bandwidth utilization, as
indicated by network monitoring software.
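The following Python script is an added example, not taken from the course or from any Cisco device; it replays constructed failed-login records and applies the lockout rule described above: after a prescribed number of failures from one source within a time window, further attempts from that source are refused for a set period. The log line layout, the values (3 failures within 60 seconds, block for 120 seconds) and the addresses are assumptions.

```python
"""Review of failed logins with a source-based lockout rule.

Added example, not from the Cisco course or a Cisco device. Log lines follow a
constructed "epoch RESULT login user=... src=..." layout; real server and
device logs differ and need their own parser.
"""
import re
from collections import deque

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<result>FAILED|OK) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(lines):
    """Return (ts, result, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((int(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def review_logins(events, attempts=3, within=60, block_for=120):
    """Replay events in time order and apply the lockout rule.

    Returns a dict with:
      failures      - failed attempts actually processed, per source
      blocked_until - src -> epoch second at which its latest block expires
      refused       - (ts, src) attempts that arrived while the source was blocked
    """
    recent = {}          # src -> deque of failure timestamps inside the window
    failures = {}
    blocked_until = {}
    refused = []
    for ts, result, _user, src in sorted(events):
        if ts < blocked_until.get(src, 0):
            refused.append((ts, src))     # a blocked source is not even tried
            continue
        window = recent.setdefault(src, deque())
        if result == "FAILED":
            failures[src] = failures.get(src, 0) + 1
            window.append(ts)
            while window and ts - window[0] > within:  # drop old failures
                window.popleft()
            if len(window) >= attempts:
                blocked_until[src] = ts + block_for
                window.clear()
        else:
            window.clear()                # a successful login resets the count
    return {"failures": failures, "blocked_until": blocked_until,
            "refused": refused}


SAMPLE_LOG = [  # constructed, deliberately out of order to show the sort
    "1000 FAILED login user=admin src=203.0.113.9",
    "1010 FAILED login user=admin src=203.0.113.9",
    "1020 FAILED login user=root src=203.0.113.9",   # third failure in 20 s
    "1030 FAILED login user=admin src=203.0.113.9",  # arrives while blocked
    "1200 OK login user=alice src=192.168.1.20",
    "1000 FAILED login user=bob src=192.168.1.30",
    "1300 FAILED login user=bob src=192.168.1.30",   # too far apart to trip the rule
    "this line does not match the expected layout",
]


if __name__ == "__main__":
    report = review_logins(parse_log(SAMPLE_LOG))
    for src, until in report["blocked_until"].items():
        print(f"{src}: {report['failures'][src]} failures, blocked until {until}")
    print("refused while blocked:", report["refused"])
```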
Attack Methodologies, Denial of Service Attacks
Denial of Service Attacks
A DoS attack results in some sort of interruption of
service to users, devices, or applications.
Several mechanisms can generate a DoS attack.
The simplest method is to generate large
amounts of what appears to be valid network
traffic.
This type of network DoS attack saturates the
network so that valid user traffic cannot get
through.
A DoS attack takes advantage of the fact that target
systems such as servers must maintain state
information for every connection they accept.
Applications may also rely on expected buffer sizes and
specific content of network packets.
A DoS attack can exploit this by sending packet sizes or
data values that the receiving application does not expect.
There are two major reasons a DoS attack
occurs:
A host or application fails to handle an
unexpected condition, such as maliciously
formatted input data, an unexpected interaction
of system components, or simple resource
exhaustion.
A network, host, or application is unable to
handle an enormous quantity of data, causing
the system to crash or become extremely slow.
DoS attacks attempt to compromise the
availability of a network, host, or
application.
They are considered a major risk
because they can easily interrupt a
business process and cause
significant loss.
These attacks are relatively simple to
conduct, even by an unskilled attacker.
One example of a DoS attack is sending a
poisonous packet.
A poisonous packet is an improperly
formatted packet designed to cause the
receiving device to process the packet in an
improper fashion.
The poisonous packet causes the receiving
device to crash or run very slowly.
This attack can cause all communications to and
from the device to be disrupted.
In another example, an attacker sends a
continuous stream of packets, which
overwhelms the available bandwidth of network
links.
It is difficult to differentiate the attack traffic from
legitimate traffic, or to trace the attack quickly back to
its source, especially when the source addresses are spoofed.
If many systems in the Internet core are
compromised, the attacker may be able to take
advantage of virtually unlimited bandwidth to
unleash packet storms toward desired targets.
A Distributed Denial of Service Attack
(DDoS) is similar in intent to a DoS attack,
except that a DDoS attack originates
from multiple coordinated sources.
A DDoS attack also presents the
challenge of requiring the network
defense to identify and stop each
distributed attacker.
As an example, a DDoS attack could proceed as
follows. A hacker scans for systems that are
accessible.
After the hacker accesses several "handler"
systems, the hacker installs zombie software on
them. Zombies then scan and infect agent
systems.
When the hacker accesses the agent systems, the
hacker loads remote-control attack software to
carry out the DDoS attack.
Distributed DoS Attack
It is useful to detail three common DoS attacks to
get a better understanding of how DoS attacks
work.
Ping of Death
In a ping of death attack, a hacker sends an ICMP echo
request whose fragments reassemble to an IP packet larger
than the maximum IP packet size of 65,535 bytes.
A ping of this size can crash a target whose IP stack
does not bound its reassembly buffer.
A variant of this attack is to crash a system by
sending streams of ICMP fragments that are never
completed, which fill the reassembly buffers of the target.
Smurf Attack
In a smurf attack, a perpetrator sends a large
number of ICMP echo requests to directed
broadcast addresses, with the source address
spoofed to be the victim's address.
If the routing device delivering traffic to those
broadcast addresses forwards the directed
broadcasts, all hosts on the destination
networks send ICMP replies to the victim, multiplying
the traffic by the number of hosts on the networks.
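An added example covering the ping of death and smurf attacks above (Python written for this page, not from the deck): a receiver-side check that computes the reassembled size from fragment offsets, and a check for echo requests aimed at a directed broadcast address together with the amplification factor they would produce. The fragment trace, subnets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

IP_MAX_LEN = 65535      # largest total length an IPv4 header can express
IP_HEADER_LEN = 20


@dataclass
class Frag:
    """One IPv4 fragment carrying ICMP. `offset` is in 8-byte units as on the wire."""
    src: str
    dst: str
    ident: int
    offset: int
    more: bool
    payload_len: int
    icmp_type: int = 8  # 8 = echo request


def check_ping_of_death(fragments):
    """Map datagram ident -> reassembled size for every datagram whose
    fragments would extend past 65,535 bytes. A stack that trusts
    offset*8 + length without this bound writes past its reassembly buffer."""
    oversized = {}
    for f in fragments:
        end = IP_HEADER_LEN + f.offset * 8 + f.payload_len
        if end > IP_MAX_LEN:
            oversized[f.ident] = max(end, oversized.get(f.ident, 0))
    return oversized


def smurf_amplification(pkt, subnets):
    """Amplification factor if pkt is an echo request to the directed broadcast
    address of one of `subnets` (the hosts that would all reply), else 0."""
    if pkt.icmp_type != 8:
        return 0
    dst = ipaddress.ip_address(pkt.dst)
    for net in subnets:
        if dst == net.broadcast_address:
            return net.num_addresses - 2    # usable hosts on that network
    return 0


def inspect(fragments, subnets):
    alerts = []
    for ident, size in check_ping_of_death(fragments).items():
        alerts.append(("ping-of-death", ident, size))
    for f in fragments:
        amp = smurf_amplification(f, subnets)
        if amp:
            alerts.append(("smurf", f.src, amp))
    return alerts


SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]   # networks behind the router (constructed)

# Constructed trace: a normal ping, an oversized fragmented ping, and an echo
# request aimed at the directed broadcast address of 192.0.2.0/24.
SAMPLE_FRAGMENTS = [
    Frag("10.0.0.5", "10.0.0.1", ident=1, offset=0, more=False, payload_len=64),
    Frag("198.51.100.9", "10.0.0.1", ident=2, offset=0, more=True, payload_len=1480),
    Frag("198.51.100.9", "10.0.0.1", ident=2, offset=8180, more=False, payload_len=120),
    Frag("198.51.100.9", "192.0.2.255", ident=3, offset=0, more=False, payload_len=64),
]
```

The last fragment of datagram 2 starts at byte 65,440 and carries 120 bytes, so the datagram would reassemble to 65,580 bytes; the echo request to 192.0.2.255 would be answered by up to 254 hosts. On the router the smurf side is closed with `no ip directed-broadcast`, the IOS default since release 12.0.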
TCP SYN Flood
In a TCP SYN flood attack, a flood of TCP SYN
packets is sent, often with forged source addresses.
Each packet is handled like a connection request,
causing the server to create a half-open connection by
sending back a TCP SYN-ACK packet and waiting for
the final ACK from the sender address.
However, because the sender address is forged, the
response never comes.
These half-open connections exhaust the server's
backlog of pending connections, keeping it from
responding to legitimate requests until the entries
time out or the attack ends.
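An added example of the SYN flood mechanism (Python written for this page, not from the deck): a stateful listener whose half-open backlog fills under a forged-source flood, next to a SYN-cookie listener that keeps no per-SYN state and so keeps accepting real clients. The backlog size, cookie key and the traffic scenario are constructed; real implementations encode the MSS in the cookie and rotate the key.

```python
import hashlib
import hmac

BACKLOG = 128                      # half-open entries the listener can hold (constructed)
COOKIE_KEY = b"per-boot-secret"    # would be random at boot; fixed here for reproducibility


class StatefulListener:
    """Classic TCP listener: every SYN allocates a half-open entry until the
    client's ACK arrives. A flood of SYNs with forged sources fills the backlog
    and later, legitimate SYNs are refused."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}            # (src, sport) -> client ISN
        self.refused = 0
        self.established = 0

    def on_syn(self, src, sport, seq):
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return False
        self.half_open[(src, sport)] = seq
        return True

    def on_ack(self, src, sport):
        if self.half_open.pop((src, sport), None) is None:
            return False
        self.established += 1
        return True


def syn_cookie(src, dst, sport, dport, bucket):
    """Stateless server ISN: keyed hash of the 4-tuple and a coarse time bucket."""
    msg = f"{src}|{dst}|{sport}|{dport}|{bucket}".encode()
    return int.from_bytes(hmac.new(COOKIE_KEY, msg, hashlib.sha256).digest()[:4], "big")


class CookieListener:
    """Stores nothing per SYN: on ACK it recomputes the cookie it would have
    sent and checks that ack == cookie + 1. Forged SYNs cost no memory."""

    def __init__(self):
        self.established = 0
        self.refused = 0

    def on_syn(self, src, dst, sport, dport, now):
        return syn_cookie(src, dst, sport, dport, now // 64)   # ISN placed in the SYN-ACK

    def on_ack(self, src, dst, sport, dport, ack, now):
        for bucket in (now // 64, now // 64 - 1):   # tolerate crossing a 64 s bucket
            if ack == syn_cookie(src, dst, sport, dport, bucket) + 1:
                self.established += 1
                return True
        self.refused += 1
        return False


def simulate(flood_syns=200, legit_clients=5):
    """Constructed scenario: `flood_syns` SYNs from forged sources that never
    ACK, followed by `legit_clients` real handshakes, against both listeners."""
    stateful, cookie = StatefulListener(), CookieListener()
    dst, dport, now = "192.0.2.10", 80, 1000
    for i in range(flood_syns):
        src, sport = f"198.51.100.{i % 254 + 1}", 40000 + i
        stateful.on_syn(src, sport, seq=i)
        cookie.on_syn(src, dst, sport, dport, now)     # nothing is remembered
    for i in range(legit_clients):
        src, sport = f"10.1.1.{i + 1}", 50000 + i
        stateful.on_syn(src, sport, seq=i)
        isn = cookie.on_syn(src, dst, sport, dport, now)
        stateful.on_ack(src, sport)
        cookie.on_ack(src, dst, sport, dport, isn + 1, now + 1)
    return {"stateful_established": stateful.established,
            "stateful_refused": stateful.refused,
            "cookie_established": cookie.established,
            "cookie_refused": cookie.refused}
```

With 200 forged SYNs against a backlog of 128, the stateful listener refuses 72 flood SYNs and then all 5 real clients; the cookie listener establishes all 5 and refuses nothing. Cisco's TCP Intercept feature (mentioned later in this chapter) protects servers the same way by completing the handshake on their behalf.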
The TCP SYN flood, ping of death, and smurf attacks
demonstrate how devastating a DoS attack can be.
There are five basic ways that DoS attacks can do
harm:
Consumption of resources, such as bandwidth, disk space, or
processor time
Disruption of configuration information, such as routing
information
Disruption of state information, such as unsolicited resetting of
TCP sessions
Disruption of physical network components
Obstruction of communication between the victim and others.
It is usually not difficult to determine that a DoS attack
is occurring.
A large number of complaints about not being able
to access resources is often the first sign of a DoS attack.
To detect attacks early, a network utilization
monitoring package should be running at all times.
This should also be required by the network security
policy.
A network utilization graph showing unusual activity
could indicate a DoS attack.
Keep in mind that DoS attacks could be
a component of a larger offensive.
DoS attacks can lead to problems in the
network segments of the computers
being attacked.
If the attack is conducted on a sufficiently
large scale, entire geographical regions
of Internet connectivity could be
compromised.
Not all service outages, even those that result
from malicious activity, are necessarily DoS
attacks.
In any case, DoS attacks are among the most
dangerous types of attacks, and it is critical that
a network security professional act quickly to
mitigate the effects of such attacks.
Attack Methodologies, Mitigating Network Attacks
There are a variety of network attacks, network
attack methodologies, and categorizations of
network attacks.
The important question is, "How do I mitigate
these network attacks?"
The type of attack, as specified by the
categorization of reconnaissance, access, or
DoS attack, determines the means of
mitigating a network threat.
Reconnaissance attacks can be mitigated in several
ways:
Using strong authentication is a first line of defense
against packet sniffers: a sniffer that captures a
one-time password gains nothing, because the
password cannot be replayed.
Strong authentication is a method of authenticating users
that cannot easily be circumvented.
A One-Time Password (OTP) is a form of strong
authentication.
OTPs are normally deployed as two-factor authentication.
Two-factor authentication combines something one
has, such as a token card, with something one knows,
such as a PIN.
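An added example of OTP-based two-factor authentication (Python written for this page, not from the deck): HOTP per RFC 4226 and TOTP per RFC 6238, which is what a token card computes, combined with a PIN check and a one-use rule so that a captured code cannot be replayed. The user database, PIN and secret are constructed (the secret is the RFC test-vector key, not a real credential).

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP over the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


class OtpAuthenticator:
    """Two factors: the PIN (something you know) and the token output
    (something you have). Each code is accepted at most once."""

    def __init__(self, users):
        self.users = users          # user -> {"pin": str, "secret": bytes}
        self.used = set()           # (user, time window) already consumed

    def verify(self, user, pin, code, now=None, skew=1):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["pin"], pin):
            return False
        now = int(time.time()) if now is None else now
        for delta in range(-skew, skew + 1):        # allow one window of clock drift
            window = now // 30 + delta
            if hmac.compare_digest(hotp(u["secret"], window), code):
                if (user, window) in self.used:
                    return False                    # replay of a sniffed code
                self.used.add((user, window))
                return True
        return False


# Constructed user database; the secret is the RFC 4226/6238 test key
USERS = {"jdoe": {"pin": "4711", "secret": b"12345678901234567890"}}
```

The HOTP values for counters 0 and 1 match the RFC 4226 test vectors (755224, 287082), and the 8-digit TOTP at Unix time 59 matches RFC 6238 (94287082), which is a quick way to confirm an implementation before trusting it.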
Encryption is also effective for mitigating packet sniffer
attacks.
If traffic is encrypted, it is practically irrelevant if a
packet sniffer is being used because the captured data
is not readable.
Antisniffer software and hardware tools
detect changes in the response time of
hosts to determine whether the hosts are
processing more traffic than their own
traffic loads would indicate.
While this does not completely eliminate
the threat, as part of an overall mitigation
system, it can reduce the number of
instances of threat.
A switched infrastructure is the norm
today, which makes it difficult to capture
any data except that on your own switch
port, a collision domain that usually
contains only one host.
A switched infrastructure does not
eliminate the threat of packet sniffers,
because an attacker can still pull traffic
to their port with ARP spoofing or MAC
flooding, but it greatly reduces a
sniffer's effectiveness.
Port scanning cannot be prevented outright, but
using an IPS and firewall can limit the
information that can be discovered with a port
scanner.
Ping sweeps can be stopped by blocking ICMP echo and
echo-reply on edge routers.
However, when these messages are blocked, useful
network diagnostic data is lost as well.
Network-based IPS and host-based IPS
can usually notify an administrator when a
reconnaissance attack is under way.
This warning enables the administrator to
better prepare for the coming attack or to
notify the ISP from whose network the
reconnaissance probe is being launched.
Several techniques are also available for
mitigating access attacks.
A surprising number of access attacks are
carried out through simple password guessing or
brute-force dictionary attacks against
passwords.
The use of encrypted or hashed authentication
protocols, along with a strong password policy,
greatly reduces the probability of successful
access attacks.
There are specific practices that help to
ensure a strong password policy:
Disabling accounts after a specific number of
unsuccessful logins.
Never sending or storing passwords in plaintext.
Use a one-time password (OTP) or an authentication
protocol that encrypts or hashes the credential.
Using strong passwords. Strong passwords
are at least eight characters and contain
uppercase letters, lowercase letters, numbers,
and special characters.
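An added example of the password practices above (Python written for this page, not from the deck): the eight-character, four-class rule with a dictionary check, and storage as a salted PBKDF2 hash rather than plaintext so that a stolen password file still forces a slow guess-by-guess attack. The wordlist and iteration count are constructed choices.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8
CHARACTER_CLASSES = [re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
                     re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")]
# Constructed stand-in for the wordlist a dictionary attack would try first
COMMON_WORDS = {"password", "cisco", "cisco123", "admin", "letmein"}


def password_is_strong(pw):
    """Slide's rule (eight characters, all four classes) plus a rejection of
    dictionary words once digits and symbols are stripped from the candidate."""
    if len(pw) < MIN_LENGTH:
        return False
    if any(not cls.search(pw) for cls in CHARACTER_CLASSES):
        return False
    stem = re.sub(r"[^a-z]", "", pw.lower())
    return stem not in COMMON_WORDS


def store_password(pw, iterations=200_000):
    """Never store plaintext: random salt plus PBKDF2-HMAC-SHA256. The salt and
    parameters are kept beside the hash so verification can repeat them."""
    if not password_is_strong(pw):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, attempt):
    """Recompute with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])
```

Note that "Cisco123!" satisfies the letter of the slide's rule yet falls to a dictionary attack in seconds, which is why the stem check is there.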
The principle of minimum trust should also be
designed into the network structure.
This means that systems should not use one
another unnecessarily.
For example, if an organization has a database
server that is used by less-trusted devices, such
as Internet-facing web servers, the database server
should not trust those web servers unconditionally;
it should authenticate them and limit what they can do.
Cryptography is a critical
component of any modern
secure network.
Using encryption for remote
access to a network is
recommended. Routing protocol
traffic should also be protected:
at a minimum, routing updates
should be authenticated with a
shared key, and encrypted where
the protocol supports it.
The more that traffic is
encrypted, the less opportunity
hackers have for intercepting
data with man-in-the-middle
attacks.
Companies with a high-profile Internet presence should
plan in advance how to respond to potential DoS
attacks.
Historically, many DoS attacks were sourced from
spoofed source addresses.
These types of attacks can be thwarted using
antispoofing technologies on perimeter routers and
firewalls.
Many DoS attacks today are distributed DoS attacks
carried out by compromised hosts on several networks.
Mitigating DDoS attacks requires careful diagnostics,
planning, and cooperation from ISPs.
The most important elements for
mitigating DoS attacks are firewalls and
IPSs. Both host-based and network-based
IPSs are strongly recommended.
Cisco routers and switches support a
number of antispoofing technologies, such
as port security, DHCP snooping, IP
Source Guard, Dynamic ARP Inspection,
and ACLs.
Lastly, although Quality of Service (QoS) is not
designed as a security technology, one of its
applications, traffic policing, can be used to
limit ingress traffic from any given customer on
an edge router.
This limits the impact a single source can have
on ingress bandwidth utilization.
Defending your network against attack requires
constant vigilance and education. There are 10
best practices that represent the best insurance
for your network.
1. Keep patches up to date by installing them weekly or
daily, if possible, to prevent buffer overflow and
privilege escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Validate web page inputs. Some
websites allow users to enter usernames and
passwords.
A hacker can enter more than just a username.
For example, if the input is passed unescaped to a
shell, entering "jdoe; rm -rf /" could make a
UNIX server delete its entire file system.
Programmers should validate input against an
allowlist of expected characters rather than only
rejecting metacharacters such as | ; < >, and
should never hand user input to a shell or
interpreter unescaped.
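An added example of the injection just described and its fix (Python written for this page, not from the deck): the unsafe pattern builds a command line from the username, and a shell-style tokeniser shows how the `;` turns one command into two; the hardened version validates against an allowlist and builds an argv list that never passes through a shell. The `finger` command and the username pattern are assumptions; nothing here is executed.

```python
import re
import shlex

USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")   # allowlist: what a username may look like


def vulnerable_command(username):
    """Unsafe pattern: the user-supplied string is spliced into a command line
    that would be handed to a shell (os.system, subprocess with shell=True).
    It is returned, not executed, so this example is safe to run."""
    return f"finger {username}"


def shell_commands(cmdline):
    """Tokenise the line the way a POSIX shell would; ';' separates commands."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def safe_argv(username):
    """Hardened form: validate against the allowlist, then build an argv list.
    Passed as subprocess.run(argv) with no shell, the username is one argument
    and metacharacters inside it are data, never interpreted."""
    if not is_valid_username(username):
        raise ValueError(f"rejected username: {username!r}")
    return ["finger", "--", username]
```

`shell_commands(vulnerable_command("jdoe; rm -rf /"))` yields two commands, `finger jdoe` and `rm -rf /`; `safe_argv` refuses the same input before any command is built.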
6. Perform backups and test the backed up files
on a regular basis.
7. Educate employees about the risks of social
engineering, and develop strategies to validate
identities over the phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software such
as firewalls, IPSs, virtual private network (VPN)
devices, anti-virus software, and content filtering.
10. Develop a written security policy for the
company.
These methods are only a starting point for
sound security management.
Organizations must remain vigilant at all times to
defend against continually evolving threats.
Using these proven methods of securing a
network and applying the knowledge gained in
this chapter, you are now prepared to begin
deploying network security solutions.
One of the first deployment considerations
involves securing access to network devices.
NFP
The Cisco Network Foundation Protection (NFP)
framework provides comprehensive guidelines for
protecting the network infrastructure.
These guidelines form the foundation for continuous
delivery of service.
NFP logically divides routers and switches into three
functional areas:
Control Plane - Responsible for routing data correctly.
Traffic consists of device-generated packets required for
operation, such as ARP message exchanges or OSPF routing
advertisements.
Management Plane - Responsible for managing network elements.
Traffic is generated either by network devices or by network
management stations, using processes and protocols such as
Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP, syslog, TACACS+,
RADIUS, and NetFlow.
Data Plane (Forwarding Plane) - Responsible for forwarding data.
Traffic normally consists of user-generated packets being
forwarded between end stations.
Most traffic travels through the router or switch via the data
plane.
Data plane packets are typically processed in a fast-switching
cache or in forwarding hardware, without involving the route
processor.
Control plane security can be implemented using
the following features:
Cisco AutoSecure - Cisco AutoSecure provides a one-
step device lockdown feature to protect the control
plane as well as the management and data planes.
It is a script that is initiated from the CLI to configure the
security posture of routers.
The script disables nonessential system processes and
services.
It first makes recommendations to address security
vulnerabilities and then modifies the router
configuration.
Routing protocol authentication - Routing
protocol authentication, or Neighbor
authentication, prevents a router from accepting
fraudulent routing updates.
Most routing protocols support neighbor
authentication.
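An added example serving both the earlier recommendation to protect routing protocol traffic and the neighbor authentication described here (Python written for this page, not Cisco's or any routing daemon's code): a routing update carries a key id, a sequence number and a keyed-hash trailer, the same three elements OSPF and EIGRP use, and the neighbor rejects forged, altered, replayed or unknown-key updates. The key chain and the routes are constructed.

```python
import hashlib
import hmac
import json

KEY_CHAIN = {1: b"ospf-area0-key-2016"}   # key id -> shared secret (constructed)


def _canonical(body):
    """Deterministic byte form of the update so both sides hash the same thing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_update(routes, key_id, seq):
    """Attach a keyed-hash trailer. Only holders of the same key can produce
    it, so updates cannot be forged or altered; `seq` defeats replay."""
    body = {"seq": seq, "key_id": key_id, "routes": routes}
    body["auth"] = hmac.new(KEY_CHAIN[key_id], _canonical(body), hashlib.sha256).hexdigest()
    return body


class Neighbor:
    """Receiving router: verifies the trailer before touching its routing table."""

    def __init__(self):
        self.last_seq = -1
        self.rib = {}

    def accept(self, msg):
        key = KEY_CHAIN.get(msg.get("key_id"))
        if key is None:
            return "rejected: unknown key id"
        body = {k: v for k, v in msg.items() if k != "auth"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("auth", "")):
            return "rejected: bad authentication"
        if msg["seq"] <= self.last_seq:
            return "rejected: replayed sequence"
        self.last_seq = msg["seq"]
        self.rib.update(msg["routes"])
        return "accepted"
```

Authentication proves origin and integrity but the routes themselves travel in the clear; that is what the slides mean by protecting routing traffic, and why a sniffer on the segment can still read the topology even though it cannot inject into it.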
Control Plane Policing (CoPP) - CoPP is a Cisco
IOS feature designed to allow users to control
the flow of traffic that is handled by the route
processor of a network device.
CoPP is designed to prevent
unnecessary traffic from overwhelming
the route processor.
The CoPP feature treats the control
plane as a separate entity with its own
ingress (input) and egress (output) ports.
A set of rules can be established and
associated with the ingress and egress
ports of the control plane.
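An added example serving both the earlier note on QoS traffic policing and the CoPP description here (Python written for this page, not Cisco's implementation): a token-bucket policer, and a control-plane policy that classifies punted packets and gives each class its own bucket, so an ICMP flood is rate-limited without touching the budget for routing protocol packets. Rates, bursts and the traffic stream are constructed, not recommended values.

```python
from collections import defaultdict


class TokenBucketPolicer:
    """Single-rate policer. Tokens (bytes) accrue at `rate` per millisecond up
    to `burst`; a packet conforms if enough tokens remain, otherwise it exceeds
    and is dropped. Same model as IOS 'police <rate> <burst>'. Integer
    milliseconds keep the arithmetic exact."""

    def __init__(self, rate_bytes_per_ms, burst_bytes):
        self.rate = rate_bytes_per_ms
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last_ms = 0
        self.conformed = self.exceeded = 0

    def offer(self, size, now_ms):
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += 1
            return "conform"
        self.exceeded += 1
        return "exceed"


class ControlPlanePolicy:
    """CoPP-style: classify traffic punted to the route processor and police
    each class on its own bucket, so a flood in one class (ICMP here) cannot
    starve another (OSPF hellos). Rates are constructed, not recommendations."""

    def __init__(self):
        self.policers = {
            "routing":    TokenBucketPolicer(125, 50_000),  # 1 Mbit/s = 125 bytes/ms
            "management": TokenBucketPolicer(62, 20_000),   # ~500 kbit/s
            "icmp":       TokenBucketPolicer(8, 2_000),     # 64 kbit/s
            "default":    TokenBucketPolicer(4, 1_000),     # 32 kbit/s
        }

    @staticmethod
    def classify(pkt):
        if pkt["proto"] == "ospf":
            return "routing"
        if pkt["proto"] == "tcp" and pkt["dport"] in (22, 23, 443):
            return "management"
        if pkt["proto"] == "icmp":
            return "icmp"
        return "default"

    def process(self, pkt, now_ms):
        cls = self.classify(pkt)
        return cls, self.policers[cls].offer(pkt["size"], now_ms)


def simulate():
    """Constructed punt stream over one second: a 1500-byte ICMP packet every
    millisecond (a 12 Mbit/s flood) with an 80-byte OSPF hello every 100 ms."""
    copp = ControlPlanePolicy()
    results = defaultdict(lambda: {"conform": 0, "exceed": 0})
    for ms in range(1000):
        cls, verdict = copp.process({"proto": "icmp", "dport": 0, "size": 1500}, ms)
        results[cls][verdict] += 1
        if ms % 100 == 0:
            cls, verdict = copp.process({"proto": "ospf", "dport": 0, "size": 80}, ms)
            results[cls][verdict] += 1
    return dict(results)
```

Over the second, only 6 of the 1000 flood packets reach the route processor (the 64 kbit/s budget) while all 10 OSPF hellos conform, which is the isolation CoPP is meant to provide.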
Management plane traffic is generated either by
network devices or network management
stations using processes and protocols such as
Telnet, SSH, TFTP, and FTP, etc.
The management plane is a very attractive
target to hackers.
For this reason, the management module was
built with several technologies designed to
mitigate such risks.
The information flow between management hosts and
the managed devices can be out-of-band (OOB), where
the flow stays within a dedicated network that carries
no production traffic, or in-band, where it crosses the
enterprise production network, the Internet, or both.
Management plane security can be implemented
using the following features:
Login and password policy - Restricts device
accessibility. Limits the accessible ports and
restricts the "who" and "how" methods of access.
Present legal notification - Displays legal notices.
These are often developed by legal counsel of a
corporation.
Ensure the confidentiality of data - Protects locally
stored sensitive data from being viewed or copied.
Uses management protocols with strong
authentication to mitigate confidentiality attacks
aimed at exposing passwords and device
configurations.
Role-based access control (RBAC) - Ensures
access is only granted to authenticated users,
groups, and services. RBAC and authentication,
authorization, and accounting (AAA) services
provide mechanisms to effectively manage access
control.
Authorize actions - Restricts the actions and views
that are permitted by any particular user, group, or
service.
Enable management access reporting - Logs and
accounts for all access. Records who accessed
the device, what occurred, and when it occurred.
RBAC restricts user access based on the role
of the user.
Roles are created according to job or task
functions, and assigned access permissions to
specific assets.
Users are then assigned to roles, and are
granted the permissions that are defined for
that role.
In Cisco IOS, the role-based CLI access
feature implements RBAC for router
management access.
The feature creates different "views" that define which
commands are accepted and what configuration
information is visible.
For scalability, users, permissions, and roles are
usually created and maintained in a central repository
server.
This makes the access control policy available to
multiple devices.
The central repository server can be a AAA server,
such as the Cisco Secure Access Control System
(ACS), which provides AAA services to a network for
management purposes.
Data plane traffic consists mostly of user-generated
packets being forwarded through the router between
end stations.
Data plane security can be implemented using
ACLs, antispoofing mechanisms, and Layer 2
security features.
ACLs perform packet filtering to control which
packets move through the network and where
those packets are allowed to go.
ACLs are used to secure the data plane in a
variety of ways, including:
Blocking unwanted traffic or users - ACLs can
filter incoming or outgoing packets on an
interface.
They can be used to control access based on
source addresses, destination addresses, or
user authentication.
Reducing the chance of DoS attacks - ACLs can
be used to specify whether traffic from hosts,
networks, or users access the network.
The TCP intercept feature can also be
configured to prevent servers from being flooded
with requests for a connection.
Mitigating spoofing attacks - ACLs allow security
practitioners to implement recommended
practices to mitigate spoofing attacks.
Providing bandwidth control - ACLs on a slow
link can prevent excess traffic.
Classifying traffic to protect the Management
and Control planes - ACLs can be applied to the
VTY lines (with access-class) to restrict which
hosts may open management sessions.
ACLs can also be used as an antispoofing
mechanism by discarding traffic that has an
invalid source address.
This forces attacks to be initiated from valid,
reachable IP addresses, allowing the packets to
be traced to the originator of an attack.
Features such as Unicast Reverse Path
Forwarding (uRPF) can be used to complement
the antispoofing strategy.
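An added example serving the antispoofing recommendation for perimeter routers, the ACL filtering described above, and uRPF (Python written for this page, not IOS code): an ACL evaluator with first-match semantics and the implicit deny, an ingress ACL that drops packets claiming an inside or private source, and a strict uRPF check against a small forwarding table. Prefixes, interfaces and the forwarding table are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int
    in_iface: str     # interface the packet arrived on


@dataclass
class Ace:
    """One access-control entry. An ACL is evaluated top-down, first match wins."""
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network = Net("0.0.0.0/0")
    proto: str = "any"
    dport: Optional[int] = None


class Acl:
    def __init__(self, entries):
        self.entries = entries

    def evaluate(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for ace in self.entries:
            if (src in ace.src and dst in ace.dst
                    and ace.proto in ("any", pkt.proto)
                    and (ace.dport is None or ace.dport == pkt.dport)):
                return ace.action
        return "deny"                 # implicit deny at the end of every ACL


INSIDE = Net("203.0.113.0/24")        # the organisation's own public prefix (constructed)

# Ingress ACL for the Internet-facing interface: packets claiming an inside or
# private/bogon source cannot legitimately arrive from outside, so they are spoofed.
EDGE_INGRESS = Acl([
    Ace("deny", INSIDE),
    Ace("deny", Net("10.0.0.0/8")),
    Ace("deny", Net("172.16.0.0/12")),
    Ace("deny", Net("192.168.0.0/16")),
    Ace("deny", Net("127.0.0.0/8")),
    Ace("deny", Net("0.0.0.0/8")),
    Ace("permit", Net("0.0.0.0/0"), Net("203.0.113.10/32"), "tcp", 443),   # public web server
    Ace("permit", Net("0.0.0.0/0"), Net("0.0.0.0/0"), "icmp"),
])

# Forwarding table, prefix -> egress interface (constructed). Gi0/0 faces the
# Internet, Gi0/1 the inside network.
FIB = {Net("203.0.113.0/24"): "Gi0/1", Net("0.0.0.0/0"): "Gi0/0"}


def urpf_strict(pkt):
    """Strict uRPF: drop unless the best route back to the source points out
    the interface the packet arrived on. (IOS ignores the default route here
    unless 'allow-default' is configured; this model counts it for simplicity.)"""
    src = ipaddress.ip_address(pkt.src)
    best = max((n for n in FIB if src in n), key=lambda n: n.prefixlen, default=None)
    return best is not None and FIB[best] == pkt.in_iface


def ingress_decision(pkt):
    if not urpf_strict(pkt):
        return "drop: uRPF"
    if EDGE_INGRESS.evaluate(pkt) == "deny":
        return "drop: acl"
    return "forward"
```

A packet from 203.0.113.77 arriving on the Internet interface fails uRPF because the route to that prefix points inside; a packet from 10.9.9.9 passes uRPF via the default route and is then caught by the ACL; SSH to the web server falls through to the implicit deny.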
Cisco Catalyst switches can use integrated features to help
secure the Layer 2 infrastructure. The following are Layer 2
security tools integrated into the Cisco Catalyst switches:
Port security - Prevents MAC address spoofing and MAC address
flooding attacks.
DHCP snooping - Prevents client attacks on the DHCP server
and switch.
Dynamic ARP Inspection (DAI) - Adds security to ARP by using
the DHCP snooping table to minimize the impact of ARP
poisoning and spoofing attacks.
IP Source Guard - Prevents spoofing of IP addresses by using
the DHCP snooping table.
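An added example of how the four Layer 2 features above fit together (Python written for this page, not Catalyst code): one DHCP snooping binding table, populated from DHCP ACKs seen on a trusted port, drives Dynamic ARP Inspection and IP Source Guard checks, and port security caps the MACs per access port. Ports, VLAN, MACs, addresses and the event sequence are constructed.

```python
from collections import defaultdict


class Layer2Guard:
    """Switch-side checks that all hang off one DHCP snooping binding table:
      - DHCP snooping: server messages accepted only on trusted ports;
        (vlan, mac) -> (ip, port) bindings learned from DHCP ACKs
      - Dynamic ARP Inspection: ARP on untrusted ports must match a binding
      - IP Source Guard: IP packets on untrusted ports must carry the bound IP
      - port security: at most `max_macs` source MACs per untrusted port"""

    def __init__(self, trusted_ports, max_macs=1):
        self.trusted = set(trusted_ports)
        self.max_macs = max_macs
        self.bindings = {}                 # (vlan, mac) -> (ip, port)
        self.port_macs = defaultdict(set)  # port -> MACs seen
        self.log = []                      # (feature, reason) for every drop

    def dhcp(self, msg):
        if msg["type"] in ("OFFER", "ACK") and msg["port"] not in self.trusted:
            return self._drop("dhcp-snooping", f"rogue {msg['type']} on {msg['port']}")
        if msg["type"] == "ACK":
            self.bindings[(msg["vlan"], msg["client_mac"])] = (msg["ip"], msg["client_port"])
        return "accept"

    def arp(self, pkt):
        if pkt["port"] in self.trusted:
            return "accept"
        bound = self.bindings.get((pkt["vlan"], pkt["sender_mac"]))
        if bound != (pkt["sender_ip"], pkt["port"]):
            return self._drop("dai", f"{pkt['sender_mac']} claims {pkt['sender_ip']} on {pkt['port']}")
        return "accept"

    def ip(self, pkt):
        if pkt["port"] in self.trusted:
            return "accept"
        verdict = self.port_security(pkt)
        if verdict != "accept":
            return verdict
        bound = self.bindings.get((pkt["vlan"], pkt["src_mac"]))
        if bound != (pkt["src_ip"], pkt["port"]):
            return self._drop("ip-source-guard", f"{pkt['src_mac']} sent from {pkt['src_ip']}")
        return "accept"

    def port_security(self, pkt):
        macs = self.port_macs[pkt["port"]]
        if pkt["src_mac"] not in macs and len(macs) >= self.max_macs:
            return self._drop("port-security", f"extra MAC {pkt['src_mac']} on {pkt['port']}")
        macs.add(pkt["src_mac"])
        return "accept"

    def _drop(self, feature, reason):
        self.log.append((feature, reason))
        return f"drop: {feature}"


def run_scenario():
    """Constructed event sequence on one VLAN: a legitimate DHCP lease, a rogue
    DHCP server, honest and spoofed ARP, a spoofed IP source, and a second MAC."""
    g = Layer2Guard(trusted_ports={"Gi0/24"})   # Gi0/24 is the uplink toward the DHCP server
    host, evil = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:07"
    events = [
        ("dhcp", {"type": "ACK", "port": "Gi0/24", "vlan": 10, "client_mac": host,
                  "client_port": "Fa0/1", "ip": "10.10.0.11"}),
        ("dhcp", {"type": "OFFER", "port": "Fa0/7", "vlan": 10}),
        ("arp", {"vlan": 10, "port": "Fa0/1", "sender_mac": host, "sender_ip": "10.10.0.11"}),
        ("arp", {"vlan": 10, "port": "Fa0/7", "sender_mac": evil, "sender_ip": "10.10.0.1"}),
        ("ip", {"vlan": 10, "port": "Fa0/1", "src_mac": host, "src_ip": "10.10.0.11"}),
        ("ip", {"vlan": 10, "port": "Fa0/1", "src_mac": host, "src_ip": "10.10.0.99"}),
        ("ip", {"vlan": 10, "port": "Fa0/1", "src_mac": "aa:aa:aa:aa:aa:02", "src_ip": "10.10.0.12"}),
    ]
    verdicts = [getattr(g, kind)(data) for kind, data in events]
    return verdicts, g.log
```

The rogue OFFER on an access port, the ARP reply claiming the gateway address from an unbound MAC, the packet with a source IP that does not match the host's lease, and the second MAC on a single-host port are each dropped by the feature named in the verdict; everything matching the binding table passes.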
Summary