Ccna+sec+ch01+ +overview+security

1© 2009 Cisco Systems, Inc. All rights reserved.
Network
Security
Module 1 – Overview ofModule 1 – Overview of
Network SecurityNetwork Security

Learning Objectives
1.1 Introduction to Network Security
1.2 Introduction to Vulnerabilities, Threats,
and Attacks
1.3 Attack Examples
1.4 Vulnerability Analysis

Module 1 – Overview of
Network Security
1.1 Introduction to Network
Security

Network Security
• Network security is the process by which digital
information assets are protected.
• The goals of security are to protect confidentiality,protect confidentiality,
maintain integrity, and assure availabilitymaintain integrity, and assure availability. With this in
mind, it is imperative that all networks be protected
from threats and vulnerabilities in order for a business
to achieve its fullest potential.
• Typically, these threats are persistent due to
vulnerabilities, which can arise from misconfiguredcan arise from misconfigured
hardware or software, poor network design, inherenthardware or software, poor network design, inherent
technology weaknesses, or end-user carelessnesstechnology weaknesses, or end-user carelessness.

The Closed Network

The Network Today

Identifying Potential Risks
• A risk analysis should identify the risks to the
network, network resources, and data. The
intent of a risk analysis is to identify the
components of the network, evaluate the
importance of each component, and then apply
an appropriate level of security. This helps to
maintain a workable balance between security
and required network access.
Asset Identification
Vulnerability Assessment
Threat Identification

Network Security Models

Open Security Model

Restricted Security Model

Closed Security Model

Technology that affect Security

Trends that Affect Security
• Increase of network attacks
• Increased sophistication of attacks
• Increased dependence on the network
• Lack of trained personnel
• Lack of awareness
• Lack of security policies
• Wireless access
• Legislation
• Litigation

ISO/IEC 17799
–Security policy
–Organization of
information security
–Asset management
–Human resources
security
–Physical and
environmental security
–Communications and
operations
management
–Access control
–Information systems
acquisition,
development and
maintenance
–Information security
incident management
–Business continuity
management
–Compliance
–Risk Assesment

Network Security
1.2 Introduction to Vulnerabilities,
Threats, and Attacks

Network Vulnerabilities
• Vulnerability is a weakness which is inherent in
every network and device. This includes routers,
switches, desktops, servers, and even security
devices themselves.
• Threats are the people eager, willing, and
qualified to take advantage of each security
weakness, and they continually search for new
exploits and weaknesses.
• Finally, the threats use a variety of tools, scripts,
and programs to launch attacks against networks
and network devices.

Network Vulnerabilities
• Technology: Computer and network technologies
have intrinsic security weaknesses. These include TCP/IP
protocol, operating system, and network equipment
weaknesses
• Configuration: Network administrators or network
engineers need to learn what the configuration
weaknesses are and correctly configure their computing
and network devices to compensate.
• Policy: The network may pose security risks to the
network if users do not follow the security policy.

Technology Weaknesses

Configuration Weaknesses

Security Policy Weaknesses

Threat Capabilities—More
Dangerous and Easier to Use

Variety of Threats

The four primary attack categories

Attack Evolution

Network Security
1.3 Attack Examples

Network Threats
• There are four general categories of security threats
to the network:
–Unstructured threats
–Structured threats
–External threats
–Internal threats
Internet
External
exploitation
Internal
exploitation
Dial-in
exploitation
Compromised
host

Four Classes of Network Attacks
Reconnaissance attacks
Access attacks
Denial of service attacks
Worms, viruses, and Trojan horses

Specific Attack Types
• All of the following can be used to compromise your system:
Packet sniffers
IP weaknesses
Password attacks
DoS or DDoS
Man-in-the-middle attacks
Application layer attacks
Trust exploitation
Port redirection
Virus
Trojan horse
Operator error
Worms

Reconnaissance Attacks
• Network reconnaissance
refers to the overall act
of learning information
about a target network
by using publicly
available information
and applications.

Reconnaissance Attack

Reconnaissance Attack Example
Sample
domain
name
query
• Sample IP
address
query

Reconnaissance Attack Mitigation
Network
reconnaissance
cannot be prevented
entirely.
IDSs at the network
and host levels can
usually notify an
administrator when a
reconnaissance
gathering attack (for
example, ping sweeps
and port scans) is
under way.

Packet Sniffers
• A packet sniffer is a software application that uses a network
adapter card in promiscuous mode to capture all network packets.
The following are the packet sniffer features:
Packet sniffers exploit information passed in clear text. Protocols that
pass information in the clear include the following:
•Telnet
•FTP
•SNMP
•POP
Packet sniffers must be on the same collision domain.
Host A Host B
Router A Router B

Sniffers

Packet Sniffer Mitigation
• The following techniques and tools can be used to mitigate
sniffers:
Authentication—Using strong authentication, such as one-time
passwords, is a first option for defense against packet sniffers.
Switched infrastructure —Deploy a switched infrastructure to counter
the use of packet sniffers in your environment.
Antisniffer tools—Use these tools to employ software and hardware
designed to detect the use of sniffers on a network.
Cryptography—The most effective method for countering packet
sniffers does not prevent or detect packet sniffers, but rather renders
them irrelevant.
Host A Host B
Router A Router B

Port Scans

Port Scan Example

Ping Sweeps

Queries

Access Attacks
• Access attacks exploit known vulnerabilities in
authentication services, FTP services, and Web services
to gain entry to Web accounts, confidential databases,
and other sensitive information . Access attacks can
consist of the following:
–Password attacks (Dictionary cracking, Brute-force
computation)
–Trust Exploitation
–Port Redirection
–Man-in-the-middle Attack
–Social Engineering
–Phishing

Access Attacks

Port Redirection

Password Attacks
• Hackers can
implement password
attacks using several
different methods:
Brute-force attacks
Dictionary Attacks
Trojan horse programs
IP spoofing
Packet sniffers

Password Attacks Mitigation
• The following are mitigation techniques:
Do not allow users to use the same password on
multiple systems.
Disable accounts after a certain number of
unsuccessful login attempts.
Do not use plain text passwords. OTP or a
cryptographic password is recommended.
Use “strong” passwords. Strong passwords are at
least eight characters long and contain uppercase
letters, lowercase letters, numbers, and special
characters.

Man-in-the-Middle Attacks
A man-in-the-middle attack requires that the hacker have access
to network packets that come across a network.
A man-in-the-middle attack is implemented using the following:
Network packet sniffers
Routing and transport protocols
Possible man-in-the-middle attack uses include the following:
Theft of information
Hijacking of an ongoing session
Traffic analysis
DoS
Corruption of transmitted data
Introduction of new information into network sessions
Host A Host B
Router A Router B
Data in clear text

Man-in-the-Middle Mitigation
• Man-in-the-middle attacks can be effectively mitigated
only through the use of cryptography (encryption).
Host A Host B
Router A ISP Router B
A man-in-the-middle attack
can only see cipher text
IPSec tunnel

DoS Attacks
• They prevent authorized people from using a
service by using up system resources. The
following are examples of common DoS threats:
–Ping of death
–SYN flood attack
–Packet fragmentation and reassembly
–E-mail bombs
–Malicious applets
–Misconfiguring routers

DoS Attacks

DDoS
• DDoS attacks are designed to saturate network
links with spurious data. This data can overwhelm
an Internet link, causing legitimate traffic to be
dropped. DDoS uses attack methods similar to
standard DoS attacks but operates on a much
larger scale. Typically hundreds or thousands of
attack points attempt to overwhelm a target.
Examples of DDoS attacks include the following:
–Smurf
–Tribe Flood Network (TFN)
–Stacheldraht

DDoS Attack Example

DoS Attack Mitigation
• The threat of DoS attacks can be reduced
through the following three methods:
1. Antispoof features —Proper configuration of
antispoof features on your routers and
firewalls
2. Anti-DoS features —Proper configuration of
anti-DoS features on routers and firewalls
3. Traffic rate limiting —Implement traffic rate
limiting with the networks ISP

IP Spoofing
IP spoofing occurs when a hacker inside or outside a network
impersonates the conversations of a trusted computer.
Two general techniques are used during IP spoofing:
A hacker uses an IP address that is within the range of
trusted IP addresses.
A hacker uses an authorized external IP address that is
trusted.
Uses for IP spoofing include the following:
IP spoofing is usually limited to the injection of malicious
data or commands into an existing stream of data.
A hacker changes the routing tables to point to the
spoofed IP address, then the hacker can receive all
the network packets that are addressed to the
spoofed address and reply just as any trusted user
can.

IP Spoofing Mitigation
• The threat of IP spoofing can be reduced, but not
eliminated, through the following measures:
Access control —The most common method for preventing
IP spoofing is to properly configure access control.
RFC 2827 filtering —You can prevent users of your network
from spoofing other networks (and be a good Internet citizen
at the same time) by preventing any outbound traffic on your
network that does not have a source address in your
organization's own IP range.
Additional authentication that does not use IP-based
authentication—Examples of this include the following:
Cryptographic (recommended)
Strong, two-factor, one-time passwords

Application Layer Attacks
• Application layer attacks have the following
characteristics:
Exploit well known weaknesses, such as protocols,
that are intrinsic to an application or system (for
example, sendmail, HTTP, and FTP)
Often use ports that are allowed through a firewall
(for example, TCP port 80 used in an attack against a
web server behind a firewall)
Can never be completely eliminated, because new
vulnerabilities are always being discovered

Application Layer Attacks
Mitigation
• Some measures you can take to reduce your risks
are as follows:
Read operating system and network log files, or
have them analyzed by log analysis applications.
Subscribe to mailing lists that publicize vulnerabilities.
Keep your operating system and applications current
with the latest patches.
IDSs can scan for known attacks, monitor and
log attacks, and in some cases, prevent attacks.

Virus and Trojan Horses
Viruses refer to malicious software that are
attached to another program to execute a
particular unwanted function on a user’s
workstation. End-user workstations are the
primary targets.
A Trojan horse is different only in that the
entire application was written to look like
something else, when in fact it is an attack
tool. A Trojan horse is mitigated by antivirus
software at the user level and possibly the
network level.

Virus Attacks

Worm attack mitigation

Vulnerabilities Exist at all OSI
Layers

Attacks Mitigation

Opportunities

Network Security
1.4 Vulnerability Analysis

Network Security Policy
• The network security policy is a broad, end-to-
end document designed to be clearly
applicable to an organization's operations. The
policy is used to aid in network design, convey
security principles, and facilitate network
deployments.
• The network security policy outlines rules for
network access, determines how policies are
enforced, and describes the basic architecture
of the organization's network security
environment.

Policy Identification
• The policy should identify the assets that require
protection. This will help the designer provide
the correct level of protection for sensitive
computing resources, and identify the flow of
sensitive data in the network.
• The policy should identify possible attackers.
This will give the designer insight into the level
of trust assigned to internal and external users,
ideally identified by more specific categories
such as business partners, customers of an
organization, outsourcing IT partners.

Network security Policies

Cisco SDN

SDN Topology
Cisco NAC
Appliance & Cisco
Security Agent
Cisco IOS
Firewall, VPN
Software, access
control & Filtering
Cisco IOS
Firewall, VPN
Software, access
control & Filtering
Cisco IOS
Firewall, Cisco
adaptive security
appliance
Traffic
inspection and
threat
mitigation
Cisco security
monitoring,
analisys, and
response system
Cisco security
Manager provides
policy-based
management

Auto Secure
To secure the management and forwarding planes of the router, use the
auto secure command in privileged EXEC mode.
auto secure [management | forwarding] [no-interact]
Syntax Description
• management (Optional) Only the management plane will be secured.
• forwarding (Optional) Only the forwarding plane will be secured.
• no-interact (Optional) The user will not be prompted for any
interactive configurations. If this keyword is not enabled, the
command will show the user the noninteractive configuration and the
interactive configurations thereafter.

NSA Router Security Guide

CIS RAT Report

Host Analysis
• Network Mapper (Nmap) – Nmap is a very popular free tool
used for security scanning and auditing. It can rapidly
perform a port scan of a single host or a range of hosts.
Nmap was originally written to be run on UNIX systems,
and it is now available for use on Microsoft Windows
platforms .
• Nessus – Nessus is a vulnerability scanner that is available
for UNIX and Microsoft Windows platforms. New
vulnerability testing capabilities can be added to Nessus
through the installation of modular plugins. Nessus
includes a built in port scanner, or it can be used along
with Nmap. Once the Nessus scan is finished, a report is
created. This report displays the results of the scan and
provides steps that can be taken to mitigate vulnerabilities.

Microsoft Baseline Security Analyzer
• The Microsoft Baseline Security Analyzer (MBSA) can
be used to scan hosts running Windows 2000,
Windows Vista, Windows XP, and Windows Server
2003 & 2008 operating systems to determine potential
security risks.
• MBSA scans for common system misconfigurations
and missing security updates. MBSA includes both a
graphical and command line interface that can perform
local or remote scans.
• After a system scan, the MBSA provides a report
outlining potential vulnerabilities and the steps
required to correct them.

Ccna+sec+ch01+ +overview+security

In this document