Professional Documents
Culture Documents
Chapter 1
Modern Network Security Threats
Objectives
Cisco Public
Introduction
Network security is now an integral part of
computer networking.
Network security involves protocols,
technologies, devices, tools, and techniques
to secure data and mitigate threats.
Network security solutions emerged in the 1960s
but did not mature into a comprehensive set of
solutions for modern networks until the 2000s.
Cisco Public
Introduction (cont.)
Network security is largely driven by the effort to
stay one step ahead of ill-intentioned hackers.
Network security professionals attempt to prevent
attacks while minimizing the effects of real-time
attacks.
Business continuity is another major driver of
network security.
Network security organizations have been created
to establish formal communities of network
security professionals.
Network Security Lecturer: Tariq Meeran
Cisco Public
Introduction (cont.)
These organizations set standards, encourage
collaboration, and provide workforce development
opportunities for security professionals.
The complexity of network security makes it
difficult to master all it encompasses. Different
organizations have created domains.
This division allows professionals to focus on more
precise areas of expertise in their training,
research, and employment.
Cisco Public
Introduction (cont.)
Network attacks are classified so that it
is easier to learn about them and
address them appropriately.
Viruses, worms, and Trojan Horses
are specific types of network attacks.
More generally, network attacks are
classified as reconnaissance, access,
or Denial of Service attacks.
Network Security Lecturer: Tariq Meeran
Cisco Public
Cisco Public
Cisco Public
Cisco Public
Cisco Public
10
Cisco Public
11
Cisco Public
12
Cisco Public
13
Cisco Public
14
Cisco Public
15
Cisco Public
16
Cisco Public
17
Cisco Public
18
Cisco Public
19
Cisco Public
20
Cisco Public
21
Cisco Public
22
Cisco Public
23
Cisco Public
24
Cisco Public
25
Cisco Public
26
Encrypting Data
Cisco Public
27
Cisco Public
28
Cisco Public
29
Cisco Public
30
Cisco Public
31
Cisco Public
32
Cisco Public
33
Cisco Public
34
Cisco Public
35
Cisco Public
36
Cisco Public
37
Cisco Public
38
Cisco Public
39
Cisco Public
40
Cisco Public
41
Cisco Public
42
Cisco Public
43
Cisco Public
44
Cisco Public
45
Cisco Public
46
Cisco Public
47
Cisco Public
48
Cisco Public
49
Cisco Public
50
Cisco Public
Cisco Public
52
Cisco Public
53
Cisco Public
54
Cisco Public
55
Cisco Public
56
RSS benefits
subscribe to timely updates from favored websites
RSS feeds can be read using a web-based RSS
reader
The RSS reader software checks the user's
subscribed feeds regularly
Network security professional can acquire up-todate information on a daily basis
Aggregate real-time threat information for review at
any time.
Network Security Lecturer: Tariq Meeran
Cisco Public
57
Cisco Public
58
Cisco Public
59
Cisco Public
60
Cisco Public
61
Cisco Public
62
Cisco Public
63
Cisco Public
64
Cisco Public
65
Cisco Public
66
Cisco Public
67
Cisco Public
68
Cisco Public
69
Cisco Public
70
Cisco Public
71
Cisco Public
72
Cisco Public
73
Cisco Public
74
Cisco Public
75
Cisco Public
76
Cisco Public
77
Cisco Public
78
Cisco Public
79
Cisco Public
80
Cisco Public
81
Cisco Public
Cisco Public
83
Viruses
The primary vulnerabilities for end-user computers
are virus, worm, and Trojan Horse attacks:
A virus is malicious software which attaches to
another program to execute a specific unwanted
function on a computer.
A worm executes arbitrary code and installs copies of
itself in the memory of the infected computer, which
then infects other hosts.
A Trojan Horse is an application written to look like
something else. When a Trojan Horse is downloaded
and opened, it attacks the end-user computer from
within.
Network Security Lecturer: Tariq Meeran
Cisco Public
84
Cisco Public
85
Virus
Traditionally, the term virus refers to an
infectious organism that requires a host cell
to grow and replicate.
A University of Southern California student
named Frederick Cohen suggested the term
"computer virus" in 1983.
A computer virus, referred to as a virus in the
rest of this course, is a program that can copy
itself and infect a computer without the
knowledge of the user.
Network Security Lecturer: Tariq Meeran
Cisco Public
86
Virus
A virus is a malicious code that is attached to
legitimate programs or executable files.
Most viruses require end-user activation and can
lay dormant for an extended period and then
activate at a specific time or date.
A simple virus may install itself at the first line of
code on an executable file.
When activated, the virus might check the disk
for other executables, so that it can infect all the
files it has not yet infected.
Network Security Lecturer: Tariq Meeran
Cisco Public
87
Virus
Viruses can be harmless, such as those that display a
picture on the screen, or they can be destructive, such
as those that modify or delete files on the hard drive.
Viruses can also be programmed to mutate to avoid
detection.
In the past, viruses were usually spread via floppy
disks and computer modems.
Today, most viruses are spread by USB memory
sticks, CDs, DVDs, network shares, or email.
Email viruses are now the most common type of virus.
Cisco Public
88
Virus
Cisco Public
89
Virus Spreading
Cisco Public
90
Worms
Worms are a particularly dangerous type of
hostile code.
They replicate themselves by independently
exploiting vulnerabilities in networks.
Worms usually slow down networks.
Whereas a virus requires a host program to
run, worms can run by themselves.
They do not require user participation and
can spread extremely fast over the
network.
Network Security Lecturer: Tariq Meeran
Cisco Public
91
Worms
Worms are responsible for some of the most
devastating attacks on the Internet.
For example, the SQL Slammer Worm of January
2003 slowed down global Internet traffic as a result
of Denial of Service.
Over 250,000 hosts were affected within 30 minutes of
its release.
The worm exploited a buffer overflow bug in
Microsoft's SQL Server.
A patch for this vulnerability was released in mid-2002,
so the servers that were affected were those that did
not have the update patch applied.
Network Security Lecturer: Tariq Meeran
Cisco Public
92
Worms
Cisco Public
93
Worms
Despite the mitigation techniques that have
emerged over the years, worms have
continued to evolve with the Internet and still
pose a threat.
While worms have become more sophisticated
over time, they still tend to be based on
exploiting weaknesses in software
applications.
Cisco Public
94
Worms
Most worm attacks have three major
components:
Enabling vulnerability - A worm
installs itself using an exploit
mechanism (email attachment,
executable file, Trojan Horse)
Propagation mechanism - After
gaining access to a device, the worm
replicates itself and locates new
targets.
Payload - Any malicious code that
results in some action. Most often this
is used to create a backdoor.
Network Security Lecturer: Tariq Meeran
Cisco Public
95
Worms
When exploring the major worm and virus
attacks over the past 20 years, it is
noticeable that the various phases of
attack methods employed by hackers are
often quite similar.
There are five basic phases of attack,
regardless of whether a worm or virus
is deployed.
Network Security Lecturer: Tariq Meeran
Cisco Public
96
Worms
Probe phase - Vulnerable targets are identified.
Cisco Public
97
Worms
Penetrate phase - Exploit code is
transferred to the vulnerable target.
Cisco Public
98
Worms
Persist phase - After the attack is
successfully launched in the memory, the
code tries to persist on the target system.
Cisco Public
99
Worms
Propagate phase - The attacker
attempts to extend the attack to other
targets by looking for vulnerable
neighboring machines.
Cisco Public
100
Worms
Paralyze phase - Actual damage is done to the
system.
Cisco Public
101
Worms
Cisco Public
102
Trojan Horse
The term Trojan Horse originated from
Greek mythology (folklore).
Greek warriors offered the people of Troy
(Trojans) a giant hollow horse as a gift.
The Trojans brought the giant horse into
their walled city, unaware that it contained
many Greek warriors.
At night, after most Trojans were asleep,
the warriors burst out of the horse and
overtook the city.
Network Security Lecturer: Tariq Meeran
Cisco Public
103
Trojan Horse
Cisco Public
104
Trojan Horse
Cisco Public
105
Trojan Horse
The Trojan Horse concept is flexible. It can
cause immediate damage, provide remote
access to the system (a back door), or
perform actions as instructed remotely,
such as "send me the password file once
per week."
Custom-written Trojan Horses, such as
Trojan Horses with a specific target, are
difficult to detect.
Network Security Lecturer: Tariq Meeran
Cisco Public
106
Trojan Horse
Trojan Horses are
usually classified
according to the
damage that they
cause or the
manner in which
they breach a
system:
Network Security Lecturer: Tariq Meeran
Cisco Public
107
Trojan Horse
Remote-access Trojan Horse - enables unauthorized
remote access
Data sending Trojan Horse - provides the attacker with
sensitive data such as passwords
Destructive Trojan Horse - corrupts or deletes files
Proxy Trojan Horse - user's computer functions as a proxy
server
FTP Trojan Horse -opens port 21
Security software disabler Trojan Horse - stops antivirus
programs or firewalls from functioning
Denial of Service Trojan Horse - slows or halts network
activity
Cisco Public
108
Cisco Public
109
Cisco Public
110
Cisco Public
111
Cisco Public
112
Cisco Public
113
Cisco Public
114
Cisco Public
115
Cisco Public
116
Cisco Public
117
Cisco Public
118
Cisco Public
119
Cisco Public
120
Cisco Public
121
Cisco Public
122
Cisco Public
123
Cisco Public
124
Cisco Public
125
Cisco Public
126
Cisco Public
127
Cisco Public
128
Attack Methodologies
There are many different types of network
attacks other than viruses, worms, and Trojan
Horses.
To mitigate attacks, it is useful to first have the
various types of attacks categorized.
There is no standardized way of categorizing
network attacks.
The method used in this course classifies
attacks in three major categories.
Cisco Public
129
Attack Methodologies
Reconnaissance Attacks
Involve the unauthorized discovery and
mapping of systems, services, or vulnerabilities.
Employ the use of packet sniffers and port
scanners, which are widely available as free
downloads on the Internet.
Is analogous to a thief surveying a
neighborhood for vulnerable homes to break
into, such as an unoccupied residence or a
house with an easy-to-open door or window.
Network Security Lecturer: Tariq Meeran
Cisco Public
130
Attack Methodologies
Access Attacks
Exploit known vulnerabilities in authentication
services, FTP services, and web services to
gain entry to web accounts, confidential
databases, and other sensitive information.
Often employs a dictionary attack to guess
system passwords.
There are also specialized dictionaries for
different languages that can be used.
Cisco Public
131
Attack Methodologies
Denial of Service Attacks
Send extremely large numbers of requests
over a network or the Internet.
These excessive requests cause the target
device to run sub-optimally.
Consequently, the attacked device becomes
unavailable for legitimate access and use.
By executing exploits or combinations of
exploits, DoS attacks slow or crash
applications and processes.
Network Security Lecturer: Tariq Meeran
Cisco Public
132
Cisco Public
133
Cisco Public
134
Packet sniffers
Ping sweeps
Port scans
Internet information queries
Cisco Public
135
Cisco Public
136
Cisco Public
137
Cisco Public
138
Ping Sweep
Cisco Public
139
Cisco Public
140
Port Scans
Cisco Public
141
Cisco Public
142
Cisco Public
143
Cisco Public
144
Cisco Public
145
Access Attacks
Cisco Public
146
Cisco Public
147
A brute-force attack
Cisco Public
148
Cisco Public
149
Cisco Public
150
Cisco Public
151
Cisco Public
152
Cisco Public
153
Man-in-the-middle attack
Cisco Public
154
Cisco Public
155
Cisco Public
Access attacks
Cisco Public
157
Cisco Public
158
Cisco Public
159
Cisco Public
160
Cisco Public
161
Cisco Public
162
Cisco Public
163
Cisco Public
164
Cisco Public
165
Cisco Public
166
Cisco Public
167
Cisco Public
168
Cisco Public
169
Cisco Public
170
Ping of Death
Cisco Public
171
Smurf Attack
In a smurf attack, a perpetrator sends a large
number of ICMP requests to directed
broadcast addresses, all with spoofed
source addresses on the same network as
the respective directed broadcast.
If the routing device delivering traffic to those
broadcast addresses forwards the directed
broadcasts, all hosts on the destination
networks send ICMP replies, multiplying the
traffic by the number of hosts on the networks.
Network Security Lecturer: Tariq Meeran
Cisco Public
172
Smurf Attack
Cisco Public
173
Cisco Public
174
Cisco Public
175
Cisco Public
176
Cisco Public
177
Cisco Public
178
Cisco Public
179
Cisco Public
180
Cisco Public
181
Cisco Public
182
Cisco Public
183
Cisco Public
184
Cisco Public
185
Cisco Public
186
Cisco Public
187
Cisco Public
188
Cisco Public
189
Cryptography is a critical
component of any modern
secure network.
Using encryption for remote
access to a network is
recommended. Also, routing
protocol traffic should be
encrypted as well.
The more that traffic is
encrypted, the less opportunity
hackers have for intercepting
data with man-in-the-middle
attacks.
Network Security Lecturer: Tariq Meeran
Cisco Public
190
Cisco Public
191
Cisco Public
192
Cisco Public
193
Cisco Public
194
Cisco Public
195
Cisco Public
196
Cisco Public
197
Cisco Public
198
NFP
The Cisco Network Foundation Protection (NFP)
framework provides comprehensive guidelines for
protecting the network infrastructure.
These guidelines form the foundation for continuous
delivery of service.
NFP logically divides routers and switches into three
functional areas:
Control Plane:
Cisco Public
199
NFP
Management Plane
Cisco Public
200
NFP
Cisco Public
201
NFP
Control plane security can be implemented using
the following features:
Cisco AutoSecure - Cisco AutoSecure provides a onestep device lockdown feature to protect the control
plane as well as the management and data planes.
It is a script that is initiated from the CLI to configure the
security posture of routers.
The script disables nonessential system processes and
services.
It first makes recommendations to address security
vulnerabilities and then modifies the router
configuration.
Cisco Public
202
NFP
Routing protocol authentication - Routing
protocol authentication, or Neighbor
authentication, prevents a router from accepting
fraudulent routing updates.
Most routing protocols support neighbor
authentication.
Control Plane Policing (CoPP) - CoPP is a Cisco
IOS feature designed to allow users to control
the flow of traffic that is handled by the route
processor of a network device.
Cisco Public
203
NFP
Cisco Public
204
NFP
CoPP is designed to prevent
unnecessary traffic from overwhelming
the route processor.
The CoPP feature treats the control
plane as a separate entity with its own
ingress (input) and egress (output) ports.
A set of rules can be established and
associated with the ingress and egress
ports of the control plane.
Network Security Lecturer: Tariq Meeran
Cisco Public
205
NFP
Management plane traffic is generated either by
network devices or network management
stations using processes and protocols such as
Telnet, SSH, TFTP, and FTP, etc.
The management plane is a very attractive
target to hackers.
For this reason, the management module was
built with several technologies designed to
mitigate such risks.
Cisco Public
206
NFP
The information flow between management
hosts and the managed devices can be out-ofband (OOB) (information flows within a network
on which no production traffic resides)
or in-band (information flows across the
enterprise production network, the Internet, or
both).
Management plane security can be implemented
using the following features:
Cisco Public
207
NFP
Login and password policy - Restricts device
accessibility. Limits the accessible ports and
restricts the "who" and "how" methods of access.
Present legal notification - Displays legal notices.
These are often developed by legal counsel of a
corporation.
Ensure the confidentiality of data - Protects locally
stored sensitive data from being viewed or copied.
Uses management protocols with strong
authentication to mitigate confidentiality attacks
aimed at exposing passwords and device
configurations.
Network Security Lecturer: Tariq Meeran
Cisco Public
208
NFP
Role-based access control (RBAC) - Ensures
access is only granted to authenticated users,
groups, and services. RBAC and authentication,
authorization, and accounting (AAA) services
provide mechanisms to effectively manage access
control.
Authorize actions - Restricts the actions and views
that are permitted by any particular user, group, or
service.
Enable management access reporting - Logs and
accounts for all access. Records who accessed
the device, what occurred, and when it occurred.
Network Security Lecturer: Tariq Meeran
Cisco Public
209
NFP
RBAC restricts user access based on the role
of the user.
Roles are created according to job or task
functions, and assigned access permissions to
specific assets.
Users are then assigned to roles, and are
granted the permissions that are defined for
that role.
In Cisco IOS, the role-based CLI access
feature implements RBAC for router
management access.
Network Security Lecturer: Tariq Meeran
Cisco Public
210
NFP
The feature creates different "views" that define which
commands are accepted and what configuration
information is visible.
For scalability, users, permissions, and roles are
usually created and maintained in a central repository
server.
This makes the access control policy available to
multiple devices.
The central repository server can be a AAA server,
such as the Cisco Secure Access Control System
(ACS), which provides AAA services to a network for
management purposes.
Network Security Lecturer: Tariq Meeran
Cisco Public
211
NFP
Cisco Public
212
NFP
Data plane traffic consists mostly of usergenerated packets being forwarded through the
router via the data plane.
Data plane security can be implemented using
ACLs, antispoofing mechanisms, and Layer 2
security features.
ACLs perform packet filtering to control which
packets move through the network and where
those packets are allowed to go.
ACLs are used to secure the data plane in a
variety of ways, including:
Network Security Lecturer: Tariq Meeran
Cisco Public
213
NFP
Blocking unwanted traffic or users - ACLs can
filter incoming or outgoing packets on an
interface.
They can be used to control access based on
source addresses, destination addresses, or
user authentication.
Reducing the chance of DoS attacks - ACLs can
be used to specify whether traffic from hosts,
networks, or users access the network.
The TCP intercept feature can also be
configured to prevent servers from being flooded
with requests for a connection.
214
Cisco Public
NFP
Mitigating spoofing attacks - ACLs allow security
practitioners to implement recommended
practices to mitigate spoofing attacks.
Providing bandwidth control - ACLs on a slow
link can prevent excess traffic.
Classifying traffic to protect the Management
and Control planes - ACLs can be applied on
VTY line.
Cisco Public
215
NFP
ACLs can also be used as an antispoofing
mechanism by discarding traffic that has an
invalid source address.
This forces attacks to be initiated from valid,
reachable IP addresses, allowing the packets to
be traced to the originator of an attack.
Features such as Unicast Reverse Path
Forwarding (uRPF) can be used to complement
the antispoofing strategy.
Cisco Public
216
NFP
Cisco Catalyst switches can use integrated features to help
secure the Layer 2 infrastructure. The following are Layer 2
security tools integrated into the Cisco Catalyst switches:
Port security - Prevents MAC address spoofing and MAC address
flooding attacks.
DHCP snooping - Prevents client attacks on the DHCP server
and switch.
Dynamic ARP Inspection (DAI) - Adds security to ARP by using
the DHCP snooping table to minimize the impact of ARP
poisoning and spoofing attacks.
IP Source Guard - Prevents spoofing of IP addresses by using
the DHCP snooping table.
Cisco Public
217
NFP
Cisco Public
218
Summary
Cisco Public
219
Summary
Cisco Public
220
Summary
Cisco Public
221