CCNA Security Chapter 1

Network Security
Chapter 1
Modern Network Security Threats
Lecturer: Mohammad Tariq Meeran
Objectives
Network Security Lecturer: Tariq Meeran
2012 Cisco Systems, Inc. All rights reserved.
Cisco Public
Introduction
Network security is now an integral part of
computer networking.
Network security involves protocols,
technologies, devices, tools, and techniques
to secure data and mitigate threats.
Network security solutions emerged in the 1960s
but did not mature into a comprehensive set of
solutions for modern networks until the 2000s.
Cisco Public
Introduction (cont.)
Network security is largely driven by the effort to
stay one step ahead of ill-intentioned hackers.
Network security professionals attempt to prevent
attacks while minimizing the effects of real-time
attacks.
Business continuity is another major driver of
network security.
Network security organizations have been created
to establish formal communities of network
security professionals.
Cisco Public
These organizations set standards, encourage
collaboration, and provide workforce development
opportunities for security professionals.
The complexity of network security makes it
difficult to master all it encompasses. Different
organizations have created domains.
This division allows professionals to focus on more
precise areas of expertise in their training,
research, and employment.
Cisco Public
Network attacks are classified so that it
is easier to learn about them and
address them appropriately.
Viruses, worms, and Trojan Horses
are specific types of network attacks.
More generally, network attacks are
classified as reconnaissance, access,
or Denial of Service attacks.
Cisco Public
Evolution of Network Security

In July 2001, the Code Red worm attacked web servers
globally, infecting over 350,000 hosts.
The worm not only disrupted access to the infected
servers, but also affected the local networks hosting the
servers, making them very slow or unusable.
The Code Red worm caused a Denial of Service (DoS) to
millions of users.
Cisco Public

If the network security professionals
responsible for these Code Red-infected
servers had developed and implemented a
security policy, security patches would
have been applied in a timely manner.
The Code Red worm would have been
stopped and would only merit a footnote in
network security history.
Cisco Public

Network security relates directly to an
organization's business continuity.
Network security breaches can disrupt ecommerce, cause the loss of business data,
threaten people's privacy and compromise the
integrity of information.
These breaches can result in lost revenue for
corporations, theft of intellectual property, and
lawsuits, and can even threaten public safety.
Cisco Public

Maintaining a secure network ensures the safety of
network users and protects commercial interests.
Security professionals must constantly be aware of
new and evolving threats and attacks to networks,
and vulnerabilities of devices and applications.
This information is used to adapt, develop and
implement mitigation techniques. However,
security of the network is ultimately the
responsibility of everyone that uses it.
Cisco Public
10

"Necessity is the mother of invention." This
saying applies perfectly to network security. In
the early days of the Internet, commercial
interests were negligible.
The vast majority of users were research and
development experts. Early users rarely
engaged in activities that would harm other
users.
The Internet was not a secure environment
because it did not need to be.
Cisco Public
11

Early on, networking involved connecting people
and machines through communications media.
The job of a networker was to get devices
connected to improve people's ability to
communicate information and ideas.
The early users of the Internet did not spend
much time thinking about whether or not their
online activities presented a threat to the
network or to their own data.
Cisco Public
12

When the first viruses were unleashed and the
first DoS attack occurred, the world began to
change for networking professionals.
To meet the needs of users, network
professionals learned techniques to secure
networks.
The primary focus of many network
professionals evolved from designing, building,
and growing networks to securing existing
networks.
Cisco Public
13

Today, the Internet is a very different network
compared to its beginnings in the 1960s.
The job of a network security professional
includes ensuring that appropriate personnel are
well-versed in network security tools, processes,
techniques, protocols, and technologies.
It is critical that network security professionals
manage the constantly evolving threats to
networks.
Cisco Public
14
Cisco Public
15

One of the first network security tools was the
intrusion detection system (IDS), first developed
by SRI International in 1984.
An IDS provides real-time detection of certain
types of attacks while they are in progress. This
detection allows network professionals to more
quickly mitigate the negative impact of these
attacks on network devices and users.
In the late 1990s, the intrusion prevention system
or sensor (IPS) began to replace the IDS solution.
Cisco Public
16

In addition to IDS and IPS solutions, firewalls
were developed to prevent undesirable traffic
from entering prescribed areas within a
network, thereby providing perimeter security.
In 1988, Digital Equipment Corporation (DEC)
created the first network firewall in the form of
a packet filter.
These early firewalls inspected packets to see
if they matched sets of predefined rules, with
the option of forwarding or dropping the
packets accordingly.
Cisco Public
17

Packet filtering firewalls inspect each packet in
isolation without examining whether a packet is
part of an existing connection.
In 1989, AT&T Bell Laboratories developed the
first stateful firewall. Like packet filtering firewalls,
stateful firewalls use predefined rules for
permitting or denying traffic.
Unlike packet filtering firewalls, stateful firewalls
keep track of established connections and
determine if a packet belongs to an existing flow
of data.
Cisco Public
18

In addition to dealing with threats from outside
of the network, network professionals must also
be prepared for threats from inside the network.
Internal threats, whether intentional or
accidental, can cause even greater damage
than external threats.
Despite this fact, it has taken more than 20
years after the introduction of tools and
techniques for mitigating external threats to
develop mitigation tools and techniques for
internal threats.
Cisco Public
19

A common scenario for a threat originating from inside the
network is a disgruntled employee with some technical
skills and a willingness to do harm.
Most threats from within the network leverage the
protocols and technologies used on the local area network
(LAN) or the switched infrastructure.
These internal threats basically fall into two categories:
spoofing and DoS.
Cisco Public
20

Spoofing attacks are attacks in which one device
attempts to pose as another by falsifying data.
For example, MAC address spoofing occurs when
one computer accepts data packets based on the
MAC address of another computer.
There are other types of spoofing attacks as well.
DoS attacks make computer resources
unavailable to intended users. Attackers use
various methods to launch DoS attacks.
Cisco Public
21
Evolution of LAN Security
Cisco Public
22

In addition to preventing and denying malicious
traffic, network security also requires that data
stay protected.
Cryptography, the study and practice of
hiding information, is used pervasively in
modern network security.
Today, each type of network communication has
a corresponding protocol or technology
designed to hide that communication from
anyone other than the intended user.
Cisco Public
23

Wireless data can be encrypted (hidden) using
various cryptography applications. The
conversation between two IP phone users can be
encrypted.
The files on a computer can also be hidden with
encryption. These are just a few examples.
Cryptography can be used almost anywhere that
there is data communication.
In fact, the trend is toward all communication
being encrypted.
Cisco Public
24

Cryptography ensures data confidentiality, which
is one of the three components of information
security:
confidentiality, integrity, and availability
Information security deals with protecting
information and information systems from
unauthorized access, use, disclosure, disruption,
modification, or destruction.
Encryption provides confidentiality by hiding
plaintext data.
Cisco Public
25

Data integrity, meaning that the data is
preserved unaltered during any operation,
is achieved by the use of hashing
mechanisms.
Availability, which is data accessibility,
is guaranteed by network hardening
mechanisms and backup systems.
Cisco Public
26
Encrypting Data
Cisco Public
27
Drivers for Network Security

The word hackers has a variety of meanings.
For many, it means Internet programmers who
try to gain unauthorized access to devices
on the Internet.
It is also used to refer to individuals that run
programs to prevent or slow network access
to a large number of users, or corrupt or
wipe out data on servers.
Cisco Public
28

But for some, the term hacker has a
positive interpretation as a network
professional that uses sophisticated
Internet programming skills to ensure
that networks are not vulnerable to
attack.
Good or bad, hacking is a driving force
in network security.
Cisco Public
29
Cisco Public
30

The job of a network security professional is to
stay one step ahead of the hackers by:
attending training and workshops

participating in security organizations
subscribing to real-time feeds regarding threats
and perusing security websites on a daily basis
The network security professional must also

have access to state-of-the art security tools,
protocols, techniques, and technologies.
Cisco Public
31

Hacking started in the 1960s with phone freaking,
or phreaking, which refers to using various audio
frequencies to manipulate phone systems.
Phreaking began when AT&T introduced
automatic switches to their phone systems. The
AT&T phone switches used various tones, or tone
dialing, to indicate different functions, such as call
termination and call dialing.
A few AT&T customers realized that by imitating a
tone using a whistle, they could exploit the phone
switches to make free long-distance calls.
Cisco Public
32

As communication systems evolved, so did
hacking methods.
Wardialing became popular in the 1980s with
the use of computer modems.
Wardialing programs automatically scanned
telephone numbers within a local area,
dialing each one in search of computers,
bulletin board systems, and fax machines.
When a phone number was found,
password-cracking programs were used to
gain access.
Cisco Public
33

Wardriving began in the 1990s and is still
popular today. With wardriving, users gain
unauthorized access to networks via wireless
access points.
This is accomplished using a vehicle and a
wireless-enabled portable computer or PDA.
A number of other threats have evolved since
the 1960s, including network scanning tools
such as Nmap and SATAN, as well as remote
system administration hacking tools such as
Back Orifice.
Cisco Public
34

Trillions of dollars are transacted over the Internet on a
daily basis, and the livelihoods of millions depend on
Internet commerce.
For this reason, criminal laws are in place to protect
individual and corporate assets.
There are numerous cases of individuals who have had
to face the court system due to these laws.
The first email virus, the Melissa virus, was written by
David Smith of Aberdeen, New Jersey.
This virus resulted in memory overflows in Internet mail
servers. David Smith was sentenced to 20 months in
federal prison and a US$5,000 fine.
Cisco Public
35

Robert Morris created the first Internet
worm with 99 lines of code.
When the Morris Worm was released,
10% of Internet systems were brought to a
halt.
Robert Morris was charged and received
three years probation (trial), 400 hours of
community service, and a fine of
US$10,000.
Cisco Public
36

One of the most notorious (disreputable) Internet
hackers, Kevin Mitnick, was imprisoned for four
years for hacking credit card accounts in the
early 1990s.
Whether the attack is via spam, a virus, DoS, or
simply breaking into accounts, when the
creativity of hackers is used for malicious
purposes, they often end up going to jail, paying
large fines, and losing access to the very
environment in which they thrive (succeed).
Cisco Public
37

As a result of hacker exploits, the
sophistication of hacker tools, and government
legislation, network security solutions
developed rapidly in the 1990s.
By the late 1990s, many sophisticated network
security solutions had been developed for
organizations to strategically deploy within
their networks.
With these solutions came new job
opportunities and increased compensation in
the field of network security.
Cisco Public
38
Cisco Public
39
Cisco Public
40
Cisco Public
41
Cisco Public
42
Cisco Public
43
Cisco Public
44
The annual income for a network security

professional is on the high end of the scale for
careers in technology because of the depth and
breadth of knowledge required.
Network security professionals must constantly
upgrade their skill set to keep abreast of the
latest threats.
The challenge of gaining and maintaining the
necessary knowledge often translates into a
shortage of network security professionals.
Cisco Public
45

Network security professionals are
responsible for maintaining data assurance
for an organization and ensuring the
integrity and confidentiality of information.
A network security professional might be
responsible for setting up firewalls and
intrusion prevention systems as well as
ensuring encryption of company data.
Cisco Public
46

Implementing enterprise authentication
schemes is another important task.
The job entails maintaining detailed logs of
suspicious activity on the network to use
for reprimanding (warning) or prosecuting
violators.
Cisco Public
47
Network Security Organizations

Three of the more well-established network
security organizations are:
SysAdmin, Audit, Network, Security (SANS)
Institute
Computer Emergency Response Team (CERT)
International Information Systems Security
Certification Consortium (pronounce (ISC)2 as
"I-S-C-squared")
Cisco Public
48
Cisco Public
49
CERT is part of the U.S. federally funded Software

Engineering Institute (SEI) at Carnegie Mellon
University.
CERT is chartered to work with the Internet community
in detecting and resolving computer security incidents.
The Morris Worm motivated the formation of CERT at
the directive of the Defense Advanced Research
Projects Agency (DARPA).
The CERT Coordination Center (CERT/CC) focuses
on coordinating communication among experts during
security emergencies to help prevent future incidents.
Cisco Public
50
CERT responds to major security incidents and

analyzes product vulnerabilities.
CERT works to manage changes relating to
progressive intruder techniques and to the
difficulty of detecting attacks and catching
attackers.
CERT develops and promotes the use of
appropriate technology and systems management
practices to resist attacks on networked systems,
to limit damage, and to ensure continuity of
services.
51
Cisco Public

CERT focuses on five areas: software assurance,
secure systems, organizational security,
coordinated response, and education and training.
Cisco Public
52

(ISC)2 provides vendor-neutral education
products and career services in more than 135
countries. Its membership includes 60,000
certified industry professionals worldwide.
The mission of (ISC)2 is to make the cyber world
a safe place through elevating information
security to the public domain and supporting and
developing information security professionals
around the world.
Cisco Public
53
)ISC)2 develops and maintains the (ISC)2 Common

Body of Knowledge (CBK).
The CBK defines global industry standards, serving
as a common framework of terms and principles
that (ISC)2 credentials are based upon.
Most notably, (ISC)2 is universally recognized for its
four information security certifications, including one
of the most popular certifications in the network
security profession, the Certified Information
Systems Security Professional (CISSP).
Cisco Public
54

(ISC)2 promotes expertise in handling security threats
through its education and certification programs.
As a member, individuals have access to current
industry information and networking opportunities
unique to its network of certified information security
professionals.
Cisco Public
55
One of the most useful tools for the network

security professional is Really Simple Syndication
(RSS) feeds.
RSS is a family of XML-based formats used to
publish frequently updated information, such as
blog entries, news headlines, audio, and video.
RSS uses a standardized format.
An RSS feed includes complete or summarized
text, plus metadata, such as publishing dates and
authorships.
Cisco Public
56
RSS benefits
subscribe to timely updates from favored websites
RSS feeds can be read using a web-based RSS
reader
The RSS reader software checks the user's
subscribed feeds regularly
Network security professional can acquire up-todate information on a daily basis
Aggregate real-time threat information for review at
any time.
Cisco Public
57
For example, the US-CERT Current

Activity web page is a regularly updated
summary of the most frequent, high-impact
types of security incidents being reported
to the US-CERT.
A text-only RSS feed is available at
http://www.us-cert.gov/current/index.rdf.
It reports 24/7, information regarding
security advisories, email scams, backup
vulnerabilities, malware spreading via
social network sites, and other potential
threats.
Cisco Public
58
Domains of Network Security

It is vital for a network security professional
to understand the drivers for network
security and be familiar with the
organizations dedicated to network security.
It is also important to have an understanding
of the various network security domains.
Domains provide an organized framework to
facilitate learning about network security.
Cisco Public
59

There are 12 network security domains
specified by the International Organization
for Standardization (ISO)/International
Electrotechnical Commission (IEC).
Described by ISO/IEC 27002, these 12
domains serve to organize at a high level
the vast realm of information under the
umbrella of network security.
Cisco Public
60
Cisco Public
61
The 12 domains of network security provide a

convenient separation for the elements of
network security.
While it is not important to memorize these 12
domains, it is important to be aware of their
existence and formal declaration by the ISO.
They serve as a useful reference going forward
in your work as a network security professional.
Cisco Public
62

One of the most important domains is
security policy.
A security policy is a formal statement of
the rules by which people must abide who
are given access to the technology and
information assets of an organization.
The concept, development, and
application of a security policy play a
significant role in keeping an organization
secure.
Cisco Public
63
Cisco Public
64
Network Security Policies

The network security policy is a broad, end-to-end
document designed to be clearly applicable to an
organization's operations.
The policy is used to aid in network design,
convey security principles, and facilitate network
deployments.
Cisco Public
65

The network security policy outlines rules for
network access, determines how policies are
enforced, and describes the basic architecture of
the organization's network security environment.
The document is generally several pages.
Because of its breadth of coverage and impact,
it is usually compiled by a committee.
It is a complex document meant to govern items
such as data access, web browsing, password
usage, encryption, and email attachments.
Cisco Public
66

A security policy should keep ill-intentioned
users out and have control over potentially
risky users.
When a policy is created, it must be
understood first what services are available
to which users.
The network security policy establishes a
hierarchy of access permissions, giving
employees only the minimal access
necessary to perform their work.
Cisco Public
67

The network security policy outlines what
assets need to be protected and gives
guidance on how it should be protected.
One possible guideline that administrators
can use when developing the security
policy and determining various mitigation
strategies is the Cisco SecureX
architecture.
Cisco Public
68

The Cisco SecureX architecture is designed to
provide effective security for any user, using any
device, from any location, and at any time.
This new security architecture uses a higherlevel policy language that takes into account the
full context of a situation - who, what, where,
when and how.
With highly distributed security policy
enforcement, security is pushed closer to where
the end user is working.
Cisco Public
69

This architecture includes the
following five major components:
Scanning Engines
Delivery Mechanisms
Security Intelligence Operations (SIO)
Policy Management Consoles
Next-generation Endpoint
Cisco Public
70
Cisco Public
71
Cisco Public
72
Cisco Public
73

Increased user mobility has created complexities for
securing the IT infrastructure.
Deploying piecemeal security solutions can lead to
duplicated efforts and inconsistent access policies, and
requires increased integration and staffing to support.
Cisco SecureX products work together to provide
effective security for any user, using any device, from
any location, at any time.
This is one of the primary reasons for relying on the
Cisco SecureX architecture to help shape the security
policy.
Cisco Public
74
Cisco Public
75
Cisco Public
76
Cisco Public
77
Cisco Public
78
Cisco Public
79

A network security policy drives all the steps to
be taken to secure network resources, not just
equipment requirements and procedures.
One of the most important steps in creating a
policy is identifying critical assets which
includes:
Databases, vital applications

customer and employee information
classified commercial information
shared drives
email servers and web servers.
Cisco Public
80

A security policy is a set of objectives for the
company, rules of behavior for users and
administrators, and requirements for system
and management that collectively ensure the
security of network and computer systems in
an organization.
A security policy is a "living document,"
meaning that the document is never finished and
is continuously updated as technology,
business, and employee requirements change.
Cisco Public
81

For example, an organization's employee laptops
will be subject to various types of attacks, such as
email viruses.
A network security policy explicitly defines how
frequently virus software updates and virus
definition updates must be installed.
Additionally, the network security policy includes
guidelines for what users can and cannot do. This
is normally stipulated as a formal acceptable use
policy (AUP).
The AUP must be as explicit as possible to avoid
ambiguity or misunderstanding.
82
Cisco Public
Cisco Public
83
Viruses
The primary vulnerabilities for end-user computers
are virus, worm, and Trojan Horse attacks:
A virus is malicious software which attaches to
another program to execute a specific unwanted
function on a computer.
A worm executes arbitrary code and installs copies of
itself in the memory of the infected computer, which
then infects other hosts.
A Trojan Horse is an application written to look like
something else. When a Trojan Horse is downloaded
and opened, it attacks the end-user computer from
within.
Cisco Public
84
Virus, Worm and Trojan Horse
Cisco Public
85
Virus
Traditionally, the term virus refers to an
infectious organism that requires a host cell
to grow and replicate.
A University of Southern California student
named Frederick Cohen suggested the term
"computer virus" in 1983.
A computer virus, referred to as a virus in the
rest of this course, is a program that can copy
itself and infect a computer without the
knowledge of the user.
Cisco Public
86
Virus
A virus is a malicious code that is attached to
legitimate programs or executable files.
Most viruses require end-user activation and can
lay dormant for an extended period and then
activate at a specific time or date.
A simple virus may install itself at the first line of
code on an executable file.
When activated, the virus might check the disk
for other executables, so that it can infect all the
files it has not yet infected.
Cisco Public
87
Virus
Viruses can be harmless, such as those that display a
picture on the screen, or they can be destructive, such
as those that modify or delete files on the hard drive.
Viruses can also be programmed to mutate to avoid
detection.
In the past, viruses were usually spread via floppy
disks and computer modems.
Today, most viruses are spread by USB memory
sticks, CDs, DVDs, network shares, or email.
Email viruses are now the most common type of virus.
Cisco Public
88
Virus
Cisco Public
89
Virus Spreading
Cisco Public
90
Worms
Worms are a particularly dangerous type of
hostile code.
They replicate themselves by independently
exploiting vulnerabilities in networks.
Worms usually slow down networks.
Whereas a virus requires a host program to
run, worms can run by themselves.
They do not require user participation and
can spread extremely fast over the
network.
Cisco Public
91
Worms
Worms are responsible for some of the most
devastating attacks on the Internet.
For example, the SQL Slammer Worm of January
2003 slowed down global Internet traffic as a result
of Denial of Service.
Over 250,000 hosts were affected within 30 minutes of
its release.
The worm exploited a buffer overflow bug in
Microsoft's SQL Server.
A patch for this vulnerability was released in mid-2002,
so the servers that were affected were those that did
not have the update patch applied.
Cisco Public
92
Worms
Cisco Public
93
Worms
Despite the mitigation techniques that have
emerged over the years, worms have
continued to evolve with the Internet and still
pose a threat.
While worms have become more sophisticated
over time, they still tend to be based on
exploiting weaknesses in software
applications.
Cisco Public
94
Worms
Most worm attacks have three major
components:
Enabling vulnerability - A worm
installs itself using an exploit
mechanism (email attachment,
executable file, Trojan Horse)
Propagation mechanism - After
gaining access to a device, the worm
replicates itself and locates new
targets.
Payload - Any malicious code that
results in some action. Most often this
is used to create a backdoor.
Cisco Public
95
Worms
When exploring the major worm and virus
attacks over the past 20 years, it is
noticeable that the various phases of
attack methods employed by hackers are
often quite similar.
There are five basic phases of attack,
regardless of whether a worm or virus
is deployed.
Cisco Public
96
Worms
Probe phase - Vulnerable targets are identified.
The goal is to find computers that can be subverted

(threatened).
Internet Control Message Protocol (ICMP) ping
scans are used to map networks.
Then the application scans and identifies operating
systems and vulnerable software.
Hackers can obtain passwords using social
engineering, dictionary attack, brute-force attack, or
network sniffing.
Cisco Public
97
Worms
Penetrate phase - Exploit code is
transferred to the vulnerable target.
The goal is to get the target to execute

the exploit code through an attack
vector, such as a buffer overflow,
ActiveX or Common Gateway Interface
(CGI) vulnerabilities, or an email virus.
Cisco Public
98
Worms
Persist phase - After the attack is
successfully launched in the memory, the
code tries to persist on the target system.
The goal is to ensure that the attacker code

is running and available to the attacker
even if the system reboots.
This is achieved by modifying system files,
making registry changes, and installing
new code.
Cisco Public
99
Worms
Propagate phase - The attacker
attempts to extend the attack to other
targets by looking for vulnerable
neighboring machines.
Propagation vectors include emailing

copies of the attack to other systems,
uploading files to other systems using file
shares or FTP services, active web
connections, and file transfers through
Internet Relay Chat (IRC).
Cisco Public
100
Worms
Paralyze phase - Actual damage is done to the
system.
Files can be erased, systems can crash,

information can be stolen, and distributed DoS
(DDoS) attacks can be launched.
The five basic phases of attack allow security

experts to conveniently describe worms and
viruses according to their particular
implementation mechanism for each phase.
This makes it easier to categorize worms and
viruses.
Cisco Public
101
Worms
Cisco Public
102
Trojan Horse
The term Trojan Horse originated from
Greek mythology (folklore).
Greek warriors offered the people of Troy
(Trojans) a giant hollow horse as a gift.
The Trojans brought the giant horse into
their walled city, unaware that it contained
many Greek warriors.
At night, after most Trojans were asleep,
the warriors burst out of the horse and
overtook the city.
Cisco Public
103
Trojan Horse
A Trojan Horse in the world of computing is

malware that carries out malicious operations
under the guise of a desired function.
A virus or worm could carry a Trojan Horse.
A Trojan Horse contains hidden, malicious code
that exploits the privileges of the user that runs
it.
Games can often have a Trojan Horse attached
to them.
Cisco Public
104
Trojan Horse
Cisco Public
105
Trojan Horse
The Trojan Horse concept is flexible. It can
cause immediate damage, provide remote
access to the system (a back door), or
perform actions as instructed remotely,
such as "send me the password file once
per week."
Custom-written Trojan Horses, such as
Trojan Horses with a specific target, are
difficult to detect.
Cisco Public
106
Trojan Horse
Trojan Horses are
usually classified
according to the
damage that they
cause or the
manner in which
they breach a
system:
Cisco Public
107
Trojan Horse
Remote-access Trojan Horse - enables unauthorized
remote access
Data sending Trojan Horse - provides the attacker with
sensitive data such as passwords
Destructive Trojan Horse - corrupts or deletes files
Proxy Trojan Horse - user's computer functions as a proxy
server
FTP Trojan Horse -opens port 21
Security software disabler Trojan Horse - stops antivirus
programs or firewalls from functioning
Denial of Service Trojan Horse - slows or halts network
activity
Cisco Public
108
Mitigating viruses, worms

and Trojan horses
A majority of the software vulnerabilities that are
discovered relate to buffer overflows.
A buffer is an allocated area of memory used
by processes to store data temporarily.
A buffer overflow occurs when a fixed-length
buffer reaches its capacity and a process
attempts to store data above and beyond that
maximum limit.
This can result in extra data overwriting adjacent
memory locations as well as cause other
unexpected behavior.
Cisco Public
109

and Trojan horses
Buffer overflows are usually the primary
conduit through which viruses, worms, and
Trojan Horses do their damage.
In fact, there are reports that suggest that
one-third of the software vulnerabilities
identified by CERT relate to buffer
overflows.
Cisco Public
110

and Trojan horses
Viruses and Trojan Horses tend to take
advantage of local root buffer overflows.
A root buffer overflow is a buffer overflow
intended to attain root privileges to a system.
Local root buffer overflows require the end user
or system to take some type of action.
A local root buffer overflow is typically initiated by
a user opening an email attachment, visiting a
website, or exchanging a file via instant
messaging.
Cisco Public
111

and Trojan horses
Worms such as SQL Slammer and Code Red exploit
remote root buffer overflows.
Remote root buffer overflows are similar to local root
buffer overflows, except that local end user or system
intervention is not required.
Cisco Public
112

and Trojan horses
Viruses, worms, and Trojan horses can
cause serious problems on networks and
end systems.
Network administrators have several
means of mitigating these attacks.
Note that mitigation techniques are often
referred to in the security community as
countermeasures.
Cisco Public
113

and Trojan horses
The primary means of mitigating virus and
Trojan horse attacks is anti-virus software.
Anti-virus software helps prevent hosts from
getting infected and spreading malicious
code.
It requires much more time to clean up
infected computers than it does to maintain
up-to-date anti-virus software and anti-virus
definitions on the same machines.
Cisco Public
114

and Trojan horses
Anti-virus software is the most widely deployed
security product on the market today.
Several companies that create anti-virus software,
such as Symantec, Computer Associates, McAfee,
and Trend Micro, have been in the business of
detecting and eliminating viruses for more than a
decade.
Many corporations and educational institutions
purchase volume licensing for their users.
Cisco Public
115

and Trojan horses
Anti-virus products have update
automation options so that new virus
definitions and new software updates can
be downloaded automatically or on
demand.
This practice is the most critical
requirement for keeping a network free of
viruses and should be formalized in a
network security policy.
Cisco Public
116

and Trojan horses
Anti-virus products are host-based. These
products are installed on computers and
servers to detect and eliminate viruses.
However, they do not prevent viruses from
entering the network, so a network
security professional needs to be aware of
the major viruses and keep track of
security updates regarding emerging
viruses.
Cisco Public
117

and Trojan horses
Cisco Public
118

and Trojan horses
Worms are more network-based than viruses. Worm
mitigation requires diligence and coordination on the
part of network security professionals.
The response to a worm infection can be broken down
into four phases: containment, inoculation, quarantine,
and treatment.
Cisco Public
119

and Trojan horses
The containment phase involves limiting the
spread of a worm infection to areas of the
network that are already affected.
This requires compartmentalization and
segmentation of the network to slow down or
stop the worm.
Containment requires using both outgoing and
incoming ACLs on routers and firewalls at
control points within the network.
Cisco Public
120

and Trojan horses
The inoculation phase runs parallel to or
subsequent to the containment phase.
During the inoculation phase, all uninfected
systems are patched with the appropriate
vendor patch for the vulnerability.
The inoculation process further deprives the
worm of any available targets.
The mobile environment prevalent (common) on
modern networks poses significant challenges.
Cisco Public
121

and Trojan horses
Laptops are routinely taken out of the
secure network environment and
connected to potentially unsecure
environments, such as home networks.
Without proper patching of the system, a
laptop can be infected with a worm or
virus and then bring it back into the secure
environment of the organization's network
where it can infect other systems.
Cisco Public
122

and Trojan horses
The quarantine phase involves tracking
down and identifying infected machines
within the contained areas and
disconnecting, blocking, or removing
them.
This isolates these systems appropriately for
the treatment phase.
Cisco Public
123

and Trojan horses
During the treatment phase, actively infected
systems are disinfected of the worm.
This can involve:
terminating the worm process,

removing modified files or system settings that
the worm introduced,
patching the vulnerability the worm used to
exploit the system.
in more severe cases, can require completely
reinstalling the system.
Cisco Public
124

and Trojan horses
In the case of the SQL Slammer worm:
Malicious traffic was detected on UDP port

1434.
This port should normally be blocked by a
firewall on the perimeter.
Most infections enter by way of back doors and
do not pass through the firewall;
Therefore, to prevent the spreading of this
worm it would be necessary to block this port
on all devices throughout the internal network.
Cisco Public
125

and Trojan horses
In some cases, the port on which the worm is
spreading might be critical to business operation.
For example, when SQL Slammer was
propagating, some organizations could not block
UDP port 1434 because it was required to
access the SQL Server for legitimate business
transactions.
In such a situation, alternatives must be
considered.
Cisco Public
126

and Trojan horses
If the network devices using the service on the
affected port are known, permitting selective
access is an option.
For example, if only a small number of clients
are using SQL Server, one option is to open
UDP port 1434 to critical devices only.
Selective access is not guaranteed to solve the
problem, but it certainly lowers the probability of
infection.
Cisco Public
127

and Trojan horses
Cisco Public
128
Attack Methodologies
There are many different types of network
attacks other than viruses, worms, and Trojan
Horses.
To mitigate attacks, it is useful to first have the
various types of attacks categorized.
There is no standardized way of categorizing
network attacks.
The method used in this course classifies
attacks in three major categories.
Cisco Public
129
Reconnaissance Attacks
Involve the unauthorized discovery and
mapping of systems, services, or vulnerabilities.
Employ the use of packet sniffers and port
scanners, which are widely available as free
downloads on the Internet.
Is analogous to a thief surveying a
neighborhood for vulnerable homes to break
into, such as an unoccupied residence or a
house with an easy-to-open door or window.
Cisco Public
130
Access Attacks
Exploit known vulnerabilities in authentication
services, FTP services, and web services to
gain entry to web accounts, confidential
databases, and other sensitive information.
Often employs a dictionary attack to guess
system passwords.
There are also specialized dictionaries for
different languages that can be used.
Cisco Public
131
Denial of Service Attacks
Send extremely large numbers of requests
over a network or the Internet.
These excessive requests cause the target
device to run sub-optimally.
Consequently, the attacked device becomes
unavailable for legitimate access and use.
By executing exploits or combinations of
exploits, DoS attacks slow or crash
applications and processes.
Cisco Public
132
Attack Methodologies, Reconnaissance attacks
Reconnaissance Attack details
is also known as information gathering and, in

most cases, precedes an access or DoS attack.
the malicious intruder typically begins by
conducting a ping sweep of the target network to
determine which IP addresses are active.
The intruder then determines which services or
ports are available on the live IP addresses.
Nmap is the most popular application for
performing port scans.
Cisco Public
133
From the port information obtained, the

intruder queries the ports to determine the
type and version of the application and
operating system that is running on the target
host.
The intruders look for vulnerable services that
can be exploited later when there is less
likelihood of being caught.
Cisco Public
134
Reconnaissance attacks use various tools

to gain access to a network:
Packet sniffers
Ping sweeps
Port scans
Internet information queries
Cisco Public
135
A packet sniffer is:
a software application that uses a network

adapter card in promiscuous mode
Promiscuous mode is a mode in which the
network adapter card sends all packets that
are received to an application for processing.
Some network applications distribute network
packets in unencrypted plaintext.
Cisco Public
136
A packet sniffer can:
only work in the same collision domain as

the network being attacked, unless the
attacker has access to the intermediary
switches.
Be freeware and shareware, such as
Wireshark
Cisco Public
137
Cisco Public
138
Ping Sweep
When used as legitimate tools, it runs a

series of tests against hosts and devices to
identify vulnerable services.
The information is gathered by examining IP
addressing and port, or banner, data from
both TCP and UDP ports.
Used to acquire information to compromise
the system.
Cisco Public
139
Ping Sweep (cont.)
is a basic network scanning technique that

determines which range of IP addresses map to
live hosts.
A single ping indicates whether one specified
host computer exists on the network.
It consists of ICMP echo requests sent to
multiple hosts.
It is among the older and slower methods used
to scan a network.
Cisco Public
140
Port Scans
Each service on a host is associated with a

well-known port number.
Scan a range of TCP or UDP port numbers on
a host to detect listening services.
It consists of sending a message to each port
on a host.
The response that the sender receives
indicates whether the port is used.
Cisco Public
141
Attack Methodologies, Reconnaissance

attacks
Internet information queries can reveal:

information such as who owns a particular
domain and what addresses have been
assigned to that domain.
who owns a particular IP address and which
domain is associated with the address.
present a picture of the live hosts in a
particular environment if used together with
ping sweeps.
Cisco Public
142
Cisco Public
143
Reconnaissance attacks are typically the

precursor to further attacks with the
intention of gaining unauthorized access to a
network or disrupting network functionality.
It can be detected by configuring alarms
that are triggered when certain parameters
are exceeded, such as ICMP requests per
second.
Cisco Public
144
A variety of technologies and devices can be

used to monitor this type of activity and generate
an alarm.
Cisco's Adaptive Security Appliance (ASA)
provides intrusion prevention in a standalone
device.
Additionally, the Cisco ISR supports networkbased intrusion prevention through the Cisco
IOS security image.
Cisco Public
145
Attack Methodologies, Access Attacks
Access Attacks
Hackers use access attacks on networks

or systems for three reasons:
retrieve data,
gain access, and
escalate access privileges.
Often employ password attacks to guess

system passwords.
Cisco Public
146
Password attacks can be implemented

using several methods, including bruteforce attacks, Trojan Horse programs,
IP spoofing, and packet sniffers.
However, most password attacks refer
to brute-force attacks, which involve
repeated attempts.
Cisco Public
147
A brute-force attack
Often performed using a program that runs

across the network and attempts to log in to a
shared resource, such as a server.
After an attacker gains access to a resource,
the attacker has the same access rights as the
user whose account was compromised.
If this account has sufficient privileges, the
attacker can create a back door for future
access
Cisco Public
148
As an example, a user can run the

L0phtCrack, or LC5, application to perform a
brute-force attack to obtain a Windows server
password.
When the password is obtained, the attacker
can install a keylogger, which sends a copy
of all keystrokes to a desired destination.
Or, a Trojan Horse can be installed to send a
copy of all packets sent and received by the
target to a particular destination.
Cisco Public
149
Cisco Public
150

There are five types of access attacks:
Password attack - An attacker attempts to guess

system passwords. A common example is a
dictionary attack.
Cisco Public
151
Trust exploitation - An attacker uses

privileges granted to a system in an
unauthorized way, possibly leading to
compromising the target.
Cisco Public
152

Port redirection - A compromised system is used as a
jump-off point for attacks against other targets.
An intrusion tool is installed on the compromised system
for session redirection.
Cisco Public
153
Man-in-the-middle attack
An attacker is positioned in the middle of

communications between two legitimate entities
in order to read or modify the data that passes
between the two parties.
A popular man-in-the-middle attack involves a
laptop acting as a rogue access point to
capture and copy all network traffic from a
targeted user.
Often the user is in a public location on a
wireless hotspot.
Cisco Public
154
Man in the middle Attack
Cisco Public
155
Buffer overflow - A program writes data

beyond the allocated buffer memory.
Buffer overflows usually arise as a
consequence of a bug in a C or C++
program.
A result of the overflow is that valid data
is overwritten or exploited to enable the
execution of malicious code.
156
Cisco Public
Access attacks
Can be detected by reviewing logs, bandwidth

utilization, and process loads.
By reviewing logs, security personnel can
determine if an unusual number of failed login
attempts have occurred.
Software packages such as ManageEngine
EventLog Analyzer or Cisco Secure Access
Control Server (CSACS) maintain information
regarding failed login attempts to network
devices.
Cisco Public
157
UNIX and Windows servers also keep a log of failed

login attempts.
Cisco routers and firewall devices can be configured to
prevent login attempts for a given time from a particular
source after a prescribed number of failures in a
specified amount of time.
Man-in-the-middle attacks often involve replicating
data.
An indication of such an attack is an unusual amount
of network activity and bandwidth utilization, as
indicated by network monitoring software.
Cisco Public
158
Cisco Public
159
Attack Methodologies, Denial of Service Attacks
Denial of Service Attacks
Results in some sort of interruption of service to

users, devices, or applications.
Several mechanisms can generate a DoS attack.
The simplest method is to generate large
amounts of what appears to be valid network
traffic.
This type of network DoS attack saturates the
network so that valid user traffic cannot get
through.
Cisco Public
160

A DoS attack takes advantage of the fact that target
systems such as servers must maintain state
information.
Applications may rely on expected buffer sizes and
specific content of network packets.
A DoS attack can
exploit this by sending
packet sizes or data
values that are not
expected by the
receiving application.
Cisco Public
161
There are two major reasons a DoS attack

occurs:
A host or application fails to handle an
unexpected condition, such as maliciously
formatted input data, an unexpected interaction
of system components, or simple resource
exhaustion.
A network, host, or application is unable to
handle an enormous quantity of data, causing
the system to crash or become extremely slow.
Cisco Public
162
DoS attacks attempt to compromise the

availability of a network, host, or
application.
They are considered a major risk
because they can easily interrupt a
business process and cause
significant loss.
These attacks are relatively simple to
conduct, even by an unskilled attacker.
Cisco Public
163
One example of a DoS attack is sending a

poisonous packet.
A poisonous packet is an improperly
formatted packet designed to cause the
receiving device to process the packet in an
improper fashion.
The poisonous packet causes the receiving
device to crash or run very slowly.
This attack can cause all communications to and
from the device to be disrupted.
Cisco Public
164
In another example, an attacker sends a

continuous stream of packets, which
overwhelms the available bandwidth of network
links.
It is impossible to differentiate between the
attacker and legitimate traffic and to trace an
attack quickly back to its source.
If many systems in the Internet core are
compromised, the attacker may be able to take
advantage of virtually unlimited bandwidth to
unleash packet storms toward desired targets.
Cisco Public
165
A Distributed Denial of Service Attack

(DDoS) is similar in intent to a DoS attack,
except that a DDoS attack originates
from multiple coordinated sources.
A DDoS attack also presents the
challenge of requiring the network
defense to identify and stop each
distributed attacker.
Cisco Public
166
As an example, a DDoS attack could proceed as

follows. A hacker scans for systems that are
accessible.
After the hacker accesses several "handler"
systems, the hacker installs zombie software on
them. Zombies then scan and infect agent
systems.
When the hacker accesses the agent systems, the
hacker loads remote-control attack software to
carry out the DDoS attack.
Cisco Public
167
Attack Methodologies, Denial of Service

Attacks
Cisco Public
168

Attacks
Distributed DoS Attack
Cisco Public
169

Attacks
It is useful to detail three common DoS attacks to

get a better understanding of how DoS attacks
work.
Ping of Death
In a ping of death attack, a hacker sends an echo
request in an IP packet larger than the maximum
packet size of 65,535 bytes.
Sending a ping of this size can crash the target
computer.
A variant of this attack is to crash a system by
sending ICMP fragments, which fill the
reassembly buffers of the target.
Cisco Public
170
Ping of Death
Cisco Public
171
Smurf Attack
In a smurf attack, a perpetrator sends a large
number of ICMP requests to directed
broadcast addresses, all with spoofed
source addresses on the same network as
the respective directed broadcast.
If the routing device delivering traffic to those
broadcast addresses forwards the directed
broadcasts, all hosts on the destination
networks send ICMP replies, multiplying the
traffic by the number of hosts on the networks.
Cisco Public
172
Smurf Attack
Cisco Public
173

TCP SYN Flood
In a TCP SYN flood attack, a flood of TCP SYN
packets is sent, often with a forged sender address.
Each packet is handled like a connection request,
causing the server to spawn a half-open connection by
sending back a TCP SYN-ACK packet and waiting for
a packet in response from the sender address.
However, because the sender address is forged, the
response never comes.
These half-open connections saturate the number of
available connections the server is able to make,
keeping it from responding to legitimate requests until
after the attack ends.
Cisco Public
174
TCP SYN Flood
Cisco Public
175
The TCP SYN flood, ping of death, and smurf attacks

demonstrate how devastating a DoS attack can be.
There are five basic ways that DoS attacks can do
harm:
Consumption of resources, such as bandwidth, disk space, or

processor time
Disruption of configuration information, such as routing
information
Disruption of state information, such as unsolicited resetting of
TCP sessions
Disruption of physical network components
Obstruction of communication between the victim and others.
Cisco Public
176
It is usually not difficult to determine if a DoS attack

is occurring.
A large number of complaints about not being able
to access resources is a first sign of a DoS attack.
To minimize the number of attacks, a network
utilization software package should be running at all
times.
This should also be required by the network security
policy.
A network utilization graph showing unusual activity
could indicate a DoS attack.
Cisco Public
177
Keep in mind that DoS attacks could be

a component of a larger offensive.
DoS attacks can lead to problems in the
network segments of the computers
being attacked.
If the attack is conducted on a sufficiently
large scale, entire geographical regions
of Internet connectivity could be
compromised.
Cisco Public
178
Not all service outages, even those that result

from malicious activity, are necessarily DoS
attacks.
In any case, DoS attacks are among the most
dangerous types of attacks, and it is critical that
a network security professional act quickly to
mitigate the effects of such attacks.
Cisco Public
179
Attack Methodologies, Mitigating Network Attacks
There are a variety of network attacks, network

attack methodologies, and categorizations of
network attacks.
The important question is, 'How do I mitigate
these network attacks?
The type of attack, as specified by the
categorization of reconnaissance, access, or
DoS attack, determines the means of
mitigating a network threat.
Cisco Public
180
Reconnaissance attacks can be mitigated in several

ways:
Using strong authentication is a first option for defense

against packet sniffers.
Strong authentication is a method of authenticating users
that cannot easily be circumvented.
A One-Time Password (OTP) is a form of strong
authentication.
OTPs utilize two-factor authentication.
Two-factor authentication combines something one
has, such as a token card, with something one knows,
such as a PIN.
Cisco Public
181

Encryption is also effective for mitigating packet sniffer
attacks.
If traffic is encrypted, it is practically irrelevant if a
packet sniffer is being used because the captured data
is not readable.
Cisco Public
182
Antisniffer software and hardware tools

detect changes in the response time of
hosts to determine whether the hosts are
processing more traffic than their own
traffic loads would indicate.
While this does not completely eliminate
the threat, as part of an overall mitigation
system, it can reduce the number of
instances of threat.
Cisco Public
183
A switched infrastructure is the norm

today, which makes it difficult to capture
any data except that on your immediate
collision domain, which probably contains
only one host.
A switched infrastructure does not
eliminate the threat of packet sniffers, but
can greatly reduce the sniffer's
effectiveness.
Cisco Public
184
It is impossible to mitigate port scanning. But

using an IPS and firewall can limit the
information that can be discovered with a port
scanner.
Ping sweeps can be stopped if ICMP echo and
echo-reply are turned off on edge routers.
However, when these services are turned off,
network diagnostic data is lost.
Cisco Public
185
Network-based IPS and host-based IPS

can usually notify an administrator when a
reconnaissance attack is under way.
This warning enables the administrator to
better prepare for the coming attack or to
notify the ISP from where the
reconnaissance probe is launching from.
Cisco Public
186
Several techniques are also available for

mitigating access attacks.
A surprising number of access attacks are
carried out through simple password guessing or
brute-force dictionary attacks against
passwords.
The use of encrypted or hashed authentication
protocols, along with a strong password policy,
greatly reduces the probability of successful
access attacks.
Cisco Public
187
There are specific practices that help to

ensure a strong password policy:
Disabling accounts after a specific number of

unsuccessful logins.
Not using plaintext passwords. Use either a
one-time password (OTP) or encrypted
password.
Using strong passwords. Strong passwords
are at least eight characters and contain
uppercase letters, lowercase letters, numbers,
and special characters.
Cisco Public
188
The principle of minimum trust should also be

designed into the network structure.
This means that systems should not use one
another unnecessarily.
For example, if an organization has a server
that is used by untrusted devices, such as web
servers, the trusted device (server) should not
trust the untrusted devices (web servers)
unconditionally.
Cisco Public
189
Cryptography is a critical
component of any modern
secure network.
Using encryption for remote
access to a network is
recommended. Also, routing
protocol traffic should be
encrypted as well.
The more that traffic is
encrypted, the less opportunity
hackers have for intercepting
data with man-in-the-middle
attacks.
Cisco Public
190
Companies with a high-profile Internet presence should

plan in advance how to respond to potential DoS
attacks.
Historically, many DoS attacks were sourced from
spoofed source addresses.
These types of attacks can be thwarted using
antispoofing technologies on perimeter routers and
firewalls.
Many DoS attacks today are distributed DoS attacks
carried out by compromised hosts on several networks.
Mitigating DDoS attacks requires careful diagnostics,
planning, and cooperation from ISPs.
Cisco Public
191
The most important elements for

mitigating DoS attacks are firewalls and
IPSs. Both host-based and network-based
IPSs are strongly recommended.
Cisco routers and switches support a
number of antispoofing technologies, such
as port security, DHCP snooping, IP
Source Guard, Dynamic ARP Inspection,
and ACLs.
Cisco Public
192
Lastly, although Quality of Service (QoS) is not

designed as a security technology, one of its
applications, traffic policing, can be used to
limit ingress traffic from any given customer on
an edge router.
This limits the impact a single source can have
on ingress bandwidth utilization.
Cisco Public
193
Defending your network against attack requires

constant vigilance and education. There are 10
best practices that represent the best insurance
for your network.
1. Keep patches up to date by installing them weekly or
daily, if possible, to prevent buffer overflow and
privilege escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
Cisco Public
194
5. Avoid unnecessary web page inputs. Some

websites allow users to enter usernames and
passwords.
A hacker can enter more than just a username.
For example, entering "jdoe; rm -rf /" might allow
an attacker to remove the root file system from a
UNIX server.
Programmers should limit input characters and
not accept invalid characters such as | ; < > as
input.
Cisco Public
195
6. Perform backups and test the backed up files

on a regular basis.
7. Educate employees about the risks of social
engineering, and develop strategies to validate
identities over the phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software such
as firewalls, IPSs, virtual private network (VPN)
devices, anti-virus software, and content filtering.
10. Develop a written security policy for the
company.
Cisco Public
196
Cisco Public
197
These methods are only a starting point for

sound security management.
Organizations must remain vigilant at all times to
defend against continually evolving threats.
Using these proven methods of securing a
network and applying the knowledge gained in
this chapter, you are now prepared to begin
deploying network security solutions.
One of the first deployment considerations
involves securing access to network devices.
Cisco Public
198
NFP
The Cisco Network Foundation Protection (NFP)
framework provides comprehensive guidelines for
protecting the network infrastructure.
These guidelines form the foundation for continuous
delivery of service.
NFP logically divides routers and switches into three
functional areas:
Control Plane:
Responsible for routing data correctly.

Traffic consists of device-generated packets required for
operation
such as ARP message exchanges or OSPF routing advertisements.
Cisco Public
199
NFP
Management Plane
Responsible for managing network elements.

Traffic is generated either by network devices or network
management stations using processes and protocols such as:
Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP, syslog, TACACS+,
RADIUS, and NetFlow.
Data Plane (Forwarding Plane)
Responsible for forwarding data.

Traffic normally consists of user-generated packets being
forwarded between end stations.
Most traffic travels through the router, or switch, via the data
plane.
Data plane packets are typically processed in fast-switching
cache.
Cisco Public
200
NFP
Cisco Public
201
NFP
Control plane security can be implemented using
the following features:
Cisco AutoSecure - Cisco AutoSecure provides a onestep device lockdown feature to protect the control
plane as well as the management and data planes.
It is a script that is initiated from the CLI to configure the
security posture of routers.
The script disables nonessential system processes and
services.
It first makes recommendations to address security
vulnerabilities and then modifies the router
configuration.
Cisco Public
202
NFP
Routing protocol authentication - Routing
protocol authentication, or Neighbor
authentication, prevents a router from accepting
fraudulent routing updates.
Most routing protocols support neighbor
authentication.
Control Plane Policing (CoPP) - CoPP is a Cisco
IOS feature designed to allow users to control
the flow of traffic that is handled by the route
processor of a network device.
Cisco Public
203
NFP
Cisco Public
204
NFP
CoPP is designed to prevent
unnecessary traffic from overwhelming
the route processor.
The CoPP feature treats the control
plane as a separate entity with its own
ingress (input) and egress (output) ports.
A set of rules can be established and
associated with the ingress and egress
ports of the control plane.
Cisco Public
205
NFP
Management plane traffic is generated either by
network devices or network management
stations using processes and protocols such as
Telnet, SSH, TFTP, and FTP, etc.
The management plane is a very attractive
target to hackers.
For this reason, the management module was
built with several technologies designed to
mitigate such risks.
Cisco Public
206
NFP
The information flow between management
hosts and the managed devices can be out-ofband (OOB) (information flows within a network
on which no production traffic resides)
or in-band (information flows across the
enterprise production network, the Internet, or
both).
Management plane security can be implemented
using the following features:
Cisco Public
207
NFP
Login and password policy - Restricts device
accessibility. Limits the accessible ports and
restricts the "who" and "how" methods of access.
Present legal notification - Displays legal notices.
These are often developed by legal counsel of a
corporation.
Ensure the confidentiality of data - Protects locally
stored sensitive data from being viewed or copied.
Uses management protocols with strong
authentication to mitigate confidentiality attacks
aimed at exposing passwords and device
configurations.
Cisco Public
208
NFP
Role-based access control (RBAC) - Ensures
access is only granted to authenticated users,
groups, and services. RBAC and authentication,
authorization, and accounting (AAA) services
provide mechanisms to effectively manage access
control.
Authorize actions - Restricts the actions and views
that are permitted by any particular user, group, or
service.
Enable management access reporting - Logs and
accounts for all access. Records who accessed
the device, what occurred, and when it occurred.
Cisco Public
209
NFP
RBAC restricts user access based on the role
of the user.
Roles are created according to job or task
functions, and assigned access permissions to
specific assets.
Users are then assigned to roles, and are
granted the permissions that are defined for
that role.
In Cisco IOS, the role-based CLI access
feature implements RBAC for router
management access.
Cisco Public
210
NFP
The feature creates different "views" that define which
commands are accepted and what configuration
information is visible.
For scalability, users, permissions, and roles are
usually created and maintained in a central repository
server.
This makes the access control policy available to
multiple devices.
The central repository server can be a AAA server,
such as the Cisco Secure Access Control System
(ACS), which provides AAA services to a network for
management purposes.
Cisco Public
211
NFP
Cisco Public
212
NFP
Data plane traffic consists mostly of usergenerated packets being forwarded through the
router via the data plane.
Data plane security can be implemented using
ACLs, antispoofing mechanisms, and Layer 2
security features.
ACLs perform packet filtering to control which
packets move through the network and where
those packets are allowed to go.
ACLs are used to secure the data plane in a
variety of ways, including:
Cisco Public
213
NFP
Blocking unwanted traffic or users - ACLs can
filter incoming or outgoing packets on an
interface.
They can be used to control access based on
source addresses, destination addresses, or
user authentication.
Reducing the chance of DoS attacks - ACLs can
be used to specify whether traffic from hosts,
networks, or users access the network.
The TCP intercept feature can also be
configured to prevent servers from being flooded
with requests for a connection.
214
Cisco Public
NFP
Mitigating spoofing attacks - ACLs allow security
practitioners to implement recommended
practices to mitigate spoofing attacks.
Providing bandwidth control - ACLs on a slow
link can prevent excess traffic.
Classifying traffic to protect the Management
and Control planes - ACLs can be applied on
VTY line.
Cisco Public
215
NFP
ACLs can also be used as an antispoofing
mechanism by discarding traffic that has an
invalid source address.
This forces attacks to be initiated from valid,
reachable IP addresses, allowing the packets to
be traced to the originator of an attack.
Features such as Unicast Reverse Path
Forwarding (uRPF) can be used to complement
the antispoofing strategy.
Cisco Public
216
NFP
Cisco Catalyst switches can use integrated features to help
secure the Layer 2 infrastructure. The following are Layer 2
security tools integrated into the Cisco Catalyst switches:
Port security - Prevents MAC address spoofing and MAC address
flooding attacks.
DHCP snooping - Prevents client attacks on the DHCP server
and switch.
Dynamic ARP Inspection (DAI) - Adds security to ARP by using
the DHCP snooping table to minimize the impact of ARP
poisoning and spoofing attacks.
IP Source Guard - Prevents spoofing of IP addresses by using
the DHCP snooping table.
Cisco Public
217
NFP
Cisco Public
218
Summary
Cisco Public
219
Summary
Cisco Public
220
Summary
Cisco Public
221

CCNA Security Chapter 1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCNA Security Chapter 1

Uploaded by

Copyright:

Available Formats

Network Security

Lecturer: Mohammad Tariq Meeran

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

2012 Cisco Systems, Inc. All rights reserved.

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Evolution of LAN Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.

Evolution of Network Security

Network Security Lecturer: Tariq Meeran

2012 Cisco Systems, Inc. All rights reserved.