Sunday, June 19, 2022 [email protected]

Rachit Priyadarshi

May 23, 2017

Page 1: Rachit Priyadarshi

Wednesday, May 3, 2023 [email protected]

Page 2

1. Why is Network Security Important?
2. Common Security Threats
3. Types of Network Attack
4. General Mitigation Techniques

Page 3

Computer networks have grown in both size and importance in a very short time.

If the security of the network is compromised, there could be serious consequences, such as loss of privacy, theft of information, and even legal liability.

To make the situation even more challenging, the types of potential threats to network security are always evolving.

Page 4

Network security refers to any activities designed to protect your network.

Specifically, these activities protect the usability, reliability, integrity, and safety of your network and data. Effective network security targets a variety of threats and stops them from entering or spreading on your network.

Page 5

Over the years, network attack tools and methods have evolved. As shown in the figure, in 1985 an attacker had to have sophisticated computer, programming, and networking knowledge to make use of rudimentary tools and basic attacks.

As time went on, and attackers' methods and tools improved, attackers no longer required the same level of sophisticated knowledge. This has effectively lowered the entry-level requirements for attackers. People who previously would not have participated in computer crime are now able to do so.

Page 6

Page 7

Threat - an action or event that might compromise security. It represents a potential risk to a computer or system.

Vulnerability - the existence of a weakness in a design or configuration that can lead to an exploitation or some other unwanted and unexpected event that can compromise the security of a system.

Target of Evaluation - this is the system that needs to be tested, or evaluated to see if it has vulnerabilities.

Attack - An actual assault on a system.

Exploit - A way to compromise the security of a system, usually a proof of concept about a vulnerability.

Page 8

Hacker – A general term that has historically been used to describe a computer programming expert. More recently, this term is often used in a negative way to describe an individual that attempts to gain unauthorized access to network resources with malicious intent.

Cracker – A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.

Page 9

White hat – an individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed. They are ethically opposed to the abuse of computer systems.

Black hat – Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat.

Gray hat – an individual who works both offensively and defensively at various times.

Page 10

Phreaker – An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long distance calls.

Spammer – An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages.

Phisher – Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.

Page 11

Integrity: guaranteeing that the data are those that they are believed to be.

Confidentiality: ensuring that only authorized individuals have access to the resources being exchanged.

Availability: guaranteeing the information system's proper operation.

Authentication: ensuring that only authorized individuals have access to the resources.

Page 12

Reconnaissance, which can be active or passive in nature:
- Host or target scanning
- Live system detection
- Port scanning

Gaining access:
- Operating system level / application level
- Network level
- Denial of service if otherwise unsuccessful

Then maintaining access:
- By using backdoor or Trojan programs

Finally, covering their tracks.

Page 13

Page 14

1. Vulnerabilities
2. Threats to Physical Infrastructure
3. Threats to Networks
4. Social Engineering

Page 15

Vulnerability is the degree of weakness which is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices.

There are three primary vulnerabilities or weaknesses:
- Technological weaknesses
- Configuration weaknesses
- Security policy weaknesses

Page 16

Technology weakness – Computer and network technologies have intrinsic security weaknesses. These include TCP/IP protocol, operating system, and network equipment weaknesses.

Configuration weakness – Network administrators or network engineers need to learn what the configuration weaknesses are and correctly configure their computing and network devices to compensate.

Policy weakness – Security risks to the network exist if users do not follow the security policy. Some common security policy weaknesses and how those weaknesses are exploited are listed in the figure.

Page 17

When you think of network security, or even computer security, you may imagine attackers exploiting software vulnerabilities. A less glamorous, but no less important, class of threat is the physical security of devices. An attacker can deny the use of network resources if those resources can be physically compromised.

Page 18

Unstructured threats – consist of mostly inexperienced individuals using easily available hacking tools, such as shell scripts and password crackers.

Structured threats – these people know system vulnerabilities and use sophisticated hacking techniques to penetrate unsuspecting businesses.

External threats can arise from individuals or organizations working outside of a company who do not have authorized access to the computer systems or network. They work their way into a network mainly from the Internet or dialup access servers.

Internal threats occur when someone has authorized access to the network with either an account or physical access.

Page 19

The easiest hack involves no computer skill at all. If an intruder can trick a member of an organization into giving over valuable information, such as the location of files or passwords, the process of hacking is made much easier.

(figure: Kevin Mitnick)

Page 20

Page 21

1. Reconnaissance
2. Access
3. Denial of Service
4. Virus – worms, Trojans and other malicious software

Page 22

Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, it precedes another type of attack.

Access - System access is the ability for an intruder to gain access to a device for which the intruder does not have an account or a password.

Denial of service (DoS) is when an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users.

Malicious software can be inserted onto a host to damage or corrupt a system, replicate itself, or deny access to networks, systems, or services. Common names for this type of software are worms, viruses, and Trojan horses.

Page 23

Reconnaissance attacks can consist of the following:
- Internet information queries
- Ping sweeps
- Port scans
- Packet sniffers

Network snooping and packet sniffing are common terms for eavesdropping.

Two common uses of eavesdropping are as follows:
- Information gathering – Network intruders can identify usernames, passwords, or information carried in a packet.
- Information theft – The theft can occur as data is transmitted over the internal or external network. The network intruder can also steal data from networked computers by gaining unauthorized access. Examples include breaking into or eavesdropping on financial institutions and obtaining credit card numbers.

Page 24

Eavesdropping can be mitigated by:

- Using switched networks instead of hubs so that traffic is not forwarded to all endpoints or network hosts.

- Using encryption that meets the data security needs of the organization without imposing an excessive burden on system resources or users.

- Implementing and enforcing a policy directive that forbids the use of protocols with known susceptibilities to eavesdropping. For example, SNMP version 3 can encrypt community strings, so a company could forbid using SNMP version 1, but permit SNMP version 3.
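A mechanical check for the policy directive above, as an added example that is not part of the original deck: it audits a Cisco IOS-style configuration for the management settings that hand credentials to a packet sniffer (SNMPv1/v2c community strings, SNMPv3 groups without privacy, Telnet on the VTY lines, plain HTTP management) and compares a weak configuration with a hardened one. The configuration syntax, the two sample configurations and the severity labels are assumptions of this example.

```python
"""Audit an IOS-style device configuration for management protocols that are
susceptible to eavesdropping, so a "forbid SNMPv1, permit SNMPv3" policy can
be checked mechanically. Added example; the syntax is Cisco IOS style and the
two sample configurations below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str   # "high": credentials or data cross the wire in clear text
    message: str


# Weak settings the policy forbids (SNMPv1/v2c community strings are sent in
# clear text; SNMPv3 "noauth"/"auth" authenticate but do not encrypt).
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)", re.I)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (noauth|auth|priv)\b", re.I)
TRANSPORT_RE = re.compile(r"^transport input (.+)$", re.I)


def audit_config(config: str) -> list[Finding]:
    """Return one Finding per eavesdroppable management setting, in file order."""
    findings: list[Finding] = []
    in_vty = False
    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        if not raw.startswith(" "):
            # Top-level command: remember whether a "line vty" block starts here;
            # the indented lines that follow belong to that block.
            in_vty = line.lower().startswith("line vty")
        m = COMMUNITY_RE.match(line)
        if m:
            findings.append(Finding(no, "high",
                f"SNMPv1/v2c community '{m.group(1)}' travels in clear text; migrate to SNMPv3"))
            continue
        m = V3_GROUP_RE.match(line)
        if m and m.group(1).lower() != "priv":
            findings.append(Finding(no, "medium",
                f"SNMPv3 group uses '{m.group(1)}': authenticated but not encrypted; use 'priv'"))
            continue
        m = TRANSPORT_RE.match(line)
        if in_vty and m:
            methods = m.group(1).lower().split()
            if "telnet" in methods or "all" in methods:
                findings.append(Finding(no, "high",
                    "Telnet accepted on VTY lines; logins cross the network in clear text, allow ssh only"))
            continue
        if line.lower() == "ip http server":
            findings.append(Finding(no, "high",
                "Plain HTTP management enabled; replace with 'ip http secure-server'"))
    return findings


def policy_compliant(config: str) -> bool:
    """True when no clear-text (high severity) management protocol remains."""
    return not any(f.severity == "high" for f in audit_config(config))


WEAK_CONFIG = """\
! constructed sample, not a real device
snmp-server community public RO
snmp-server group NETMON v3 auth
ip http server
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
! constructed sample: SNMPv3 with authentication and encryption, SSH only
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
ip http secure-server
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: compliant={policy_compliant(cfg)}")
        for f in audit_config(cfg):
            print(f"  line {f.line_no} [{f.severity}] {f.message}")
```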

Page 25

Password attacks can be implemented using a packet sniffer to yield user accounts and passwords that are transmitted as clear text. Password attacks usually refer to repeated attempts to log in to a shared resource, such as a server or router, to identify a user account, password, or both. These repeated attempts are called dictionary attacks or brute-force attacks.

(figure: Password attacks)

Trust exploitation attack is to compromise a trusted host. If a host in a network of a company is protected by a firewall (inside host), but is accessible to a trusted host outside the firewall (outside host), the inside host can be attacked through the trusted outside host.

(figure: Trust exploitation attack)

Page 26

A man-in-the-middle (MITM) attack is carried out by attackers that manage to position themselves between two legitimate hosts. The attacker may allow the normal transactions between hosts to occur, and only periodically manipulate the conversation between the two.

Page 27

Other sorts of MITM attacks are potentially even more harmful. If attackers manage to get into a strategic position, they can steal information, hijack an ongoing session to gain access to private network resources, conduct DoS attacks, corrupt transmitted data, or introduce new information into network sessions.

WAN MITM attack mitigation is achieved by using VPN tunnels, which allow the attacker to see only the encrypted, undecipherable text.

LAN MITM attacks use such tools as ettercap and ARP poisoning. Most LAN MITM attacks can usually be mitigated by configuring port security on LAN switches.

Page 28

DoS attacks prevent authorized people from using a service by using up system resources, such as:

- Ping of death - A ping is normally 64 or 84 bytes, while a ping of death could be up to 65,536 bytes.

- SYN flood – A SYN flood attack exploits the TCP three-way handshake. It involves sending multiple SYN requests (1,000+) to a targeted server.

Distributed DoS (DDoS) attacks are designed to saturate network links with illegitimate data. This data can overwhelm an Internet link, causing legitimate traffic to be dropped.

The Smurf attack – uses spoofed broadcast ping messages to flood a target system.
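Detection logic for the reconnaissance patterns from page 23 (ping sweeps, port scans) and the SYN flood described on this page, as an added example that is not part of the original deck: it applies threshold rules to a constructed flow log, treating a flood as many SYNs toward one service with almost no completed handshakes. The record format, the addresses and the thresholds are assumptions of this example.

```python
"""Threshold detection for ping sweeps, port scans and SYN floods over a
constructed flow log. Added example; the flow-record layout, the addresses
and the thresholds are assumptions chosen for illustration."""
from __future__ import annotations

from collections import defaultdict

# Constructed flow records: (src, dst, proto, dport, tcp_flags).
# ICMP echo records carry dport 0 and no flags; "S" is a bare SYN and a flag
# string containing "A" marks a completed (acknowledged) handshake.
FLOWS = (
    # ping sweep: one source probing many hosts with ICMP echo
    [("10.0.0.5", f"192.168.1.{i}", "icmp", 0, "") for i in range(1, 40)]
    # port scan: one source touching many ports on a single host
    + [("10.0.0.7", "192.168.1.10", "tcp", p, "S") for p in range(20, 120)]
    # SYN flood: many SYNs to one service, handshake never completed
    + [(f"203.0.113.{i % 250 + 1}", "192.168.1.20", "tcp", 80, "S") for i in range(1500)]
    # normal traffic: each SYN is followed by a completed handshake
    + [("10.0.0.9", "192.168.1.20", "tcp", 80, "S"),
       ("10.0.0.9", "192.168.1.20", "tcp", 80, "A")] * 5
)

PING_SWEEP_HOSTS = 20   # distinct ICMP targets from one source
PORT_SCAN_PORTS = 50    # distinct ports on one destination from one source
SYN_FLOOD_SYNS = 1000   # SYNs toward one dst:port (the deck's "1,000+")


def detect(flows):
    """Return sorted (kind, subject, count) alerts for the three patterns."""
    icmp_targets = defaultdict(set)   # src -> {dst}
    tcp_ports = defaultdict(set)      # (src, dst) -> {dport}
    syn = defaultdict(int)            # (dst, dport) -> SYN count
    acked = defaultdict(int)          # (dst, dport) -> completed handshakes
    for src, dst, proto, dport, flags in flows:
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto == "tcp":
            tcp_ports[(src, dst)].add(dport)
            if flags == "S":
                syn[(dst, dport)] += 1
            elif "A" in flags:
                acked[(dst, dport)] += 1
    alerts = []
    for src, targets in icmp_targets.items():
        if len(targets) >= PING_SWEEP_HOSTS:
            alerts.append(("ping_sweep", src, len(targets)))
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= PORT_SCAN_PORTS:
            alerts.append(("port_scan", f"{src}->{dst}", len(ports)))
    for (dst, dport), n in syn.items():
        # a flood is many SYNs with few completed handshakes (under 10 percent)
        if n >= SYN_FLOOD_SYNS and acked[(dst, dport)] < n // 10:
            alerts.append(("syn_flood", f"{dst}:{dport}", n))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, subject, count in detect(FLOWS):
        print(f"{kind:10s} {subject:28s} count={count}")
```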

Page 29

Page 30

DoS and DDoS attacks can be mitigated by implementing special anti-spoof and anti-DoS access control lists.

ISPs can also implement traffic rate limiting, restricting the amount of nonessential traffic that crosses network segments.

A common example is to limit the amount of ICMP traffic that is allowed into a network, because this traffic is used only for diagnostic purposes.

Page 31

The primary vulnerabilities for end-user workstations are worm, virus, and Trojan horse attacks.

A worm executes code and installs copies of itself in the memory of the infected computer, which can, in turn, infect other hosts.

A virus (Vital Information Resources Under-Siege) is malicious software that is attached to another program for the purpose of executing a particular unwanted function on a workstation.

A Trojan horse is different from a worm or virus only in that the entire application was written to look like something else, when in fact it is an attack tool.

Page 32

The following are the recommended steps for worm attack mitigation:

- Containment – Contain the spread of the worm in and within the network. Compartmentalize uninfected parts of the network.

- Inoculation – Start patching all systems and, if possible, scanning for vulnerable systems.

- Quarantine – Track down each infected machine inside the network. Disconnect, remove, or block infected machines from the network.

- Treatment – Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Page 33

Page 34

1. Host and Server Based Security
2. Intrusion Detection and Prevention
3. Common Security Appliances and Applications

Page 35

There are some simple steps that should be taken that apply to most operating systems:

- Default usernames and passwords should be changed immediately.
- Access to system resources should be restricted to only the individuals that are authorized to use those resources.
- Any unnecessary services and applications should be turned off and uninstalled, when possible.
- Install host antivirus software to protect against known viruses.
- Install a personal firewall to prevent attacks on PCs.
- Install operating system patches.

Page 36

Intrusion detection systems (IDS) detect attacks against a network and send logs to a management console.

Intrusion prevention systems (IPS) prevent attacks against the network and should provide the following active defense mechanisms in addition to detection:

- Prevention – Stops the detected attack from executing.
- Reaction – Immunizes the system from future attacks from a malicious source.

A host-based intrusion prevention system (HIPS) actually stops the attack, prevents damage, and blocks the propagation of worms and viruses. HIPS software must be installed on each host, either the server or desktop, to monitor activity performed on and against the host.

Page 37

Threat control – Regulates network access, isolates infected systems, prevents intrusions, and protects assets by counteracting malicious traffic, such as worms and viruses. Devices that provide threat control solutions are:

- Cisco ASA 5500 Series Adaptive Security Appliances
- Integrated Services Routers (ISR)
- Network Admission Control
- Cisco Security Agent for Desktops
- Cisco Intrusion Prevention Systems

The Cisco NAC appliance uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.

Cisco Security Agent software provides threat protection capabilities for server, desktop, and point-of-service (POS) computing systems. CSA defends these systems against targeted attacks, spyware, rootkits, and day-zero attacks.

Page 38

Page 39