CCNA Security - Chapter 1 - Modern Network Security Threats PDF

Chapter 1 Modern Network Security
Threats
CCNA Security
Objectives
Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com
Fundamental Principles
of a Secure network
Evolution of Network Security

In July 2001, the Code Red worm attacked web servers globally,
infecting over 350,000 hosts.

The Code Red worm caused a Denial of Service (DoS) to millions
of users.

When the first viruses were unleashed and the first DoS attack
occurred, the world began to change for networking professionals.

To meet the needs of users, network professionals learned
techniques to secure networks.
Refer: 1.1.1.2

Year
Security Technology
1984
First IDS for ARPAnet (SRI

International IDES)
Late 1988
DEC Packet Filter Firewall
1989
AT&T Bell Labs Statefull

Firewall
1991
DEC SEAL Application

Layer Firewal
1994
Check Point Firewall
1995
NetRanger IDS
August, 1997
RealSecure IDS
1998
Snort IDS
Late 1999
First IPS
2006
Cisco Zone-based Policy

Firewall
An IDS provides real-time detection of certain types of

attacks while they are in progress
This detection allows network professionals to more quickly
mitigate the negative impact of these attacks on network
devices and users.
In the late 1990s, the intrusion prevention system or sensor
(IPS) began to replace the IDS solution.
IPS devices enable the detection of malicious activity and
have the ability to automatically block the attack in real-time.
In addition to IDS and IPS solutions, firewalls were developed
to prevent undesirable traffic from entering prescribed areas
within a network, thereby providing perimeter security.

Evolution of LAN Security
Three components of information: confidentiality, integrity, availability.

Encrypting Data: Encryption provides confidentiality by hiding plaintext
data.
Data integrity: data is not changed from source to destination
Availability: Data accessibility, is guaranteed by network hardening
mechanisms and backup systems

Evulution of Data Protection Technologies
Year
Security Technology
1993
Cisco GRE Tunnels
1996
Site-to-Site IPSec VPNs
1999
SSH
2000
MPLS VPNs
2001
Remote-access IPSec VPN
2002
Dynamic Multipoint VPN
2005
SSL VPN
Drivers for Network Security
The word hackers has a variety of

meanings.
For many, it means Internet programmers
who try to gain unauthorized access to
devices on the Internet.
It is also used to refer to individuals that run
programs to prevent or slow network access
to a large number of users, or corrupt or
wipe out data on servers.
But for some, the term hacker has a positive
interpretation as a network professional that
uses sophisticated Internet programming
skills to ensure that networks are not
vulnerable to attack.
Good or bad, hacking is a driving force in
network security.

Hacking started in the 1960s with phone freaking, or phreaking,
which refers to using various audio frequencies to manipulate

phone systems.
Wardialing programs automatically scanned telephone numbers
within a local area, dialing each one in search of computers, bulletin
board systems, and fax machines
When a phone number was found, password-cracking programs
were used to gain access.
Wardriving, users gain unauthorized access to networks via
wireless access points.
A number of other threats have evolved since the 1960s, including
network scanning tools such as Nmap and SATAN, as well as
remote system administration hacking tools such as Back Orifice.
This virus
resulted
in
memory
overflows
in
Internet
mail
servers.
Robert Morris created the first

Internet worm with 99 lines of
code.
Network Security Organizations
SysAdmin, Audit, Network, Security (SANS) Institute

Computer Emergency Response Team (CERT)
International Information Systems Security Certification Consortium
(pronounce (ISC)2 as "I-S-C-squared")
Network security
professionals must
collaborate with
professional colleagues
more frequently than
most other professions.

SANS was established in 1989 as a cooperative research and
education organization.
The focus of SANS is information security training and certification.
SANS develops security courses that can be taken to prepare for
Global Information Assurance Certification (GIAC) in auditing,
management, operations, legal issues, security administration, and
software security
CERT is part of the U.S. federally funded Software Engineering Institute

(SEI) at Carnegie Mellon University.
CERT is chartered to work with the Internet community in detecting and
resolving computer security incidents.
CERT responds to major security incidents and analyzes product
vulnerabilities.
CERT focuses on five areas: software assurance, secure systems,
organizational security, coordinated response, and education and training.
(ISC)2 provides vendor-neutral education products and career services in

more than 135 countries
The mission of (ISC)2 is to make the cyber world a safe place through
elevating information security to the public domain and supporting and
developing information security professionals around the world.
Detail: 1.1.3.4
In addition to the websites of the various security

organizations, one of the most useful tools for the
network security professional is Really Simple
Syndication (RSS) feeds.
RSS is a family of XML-based formats used to
publish frequently updated information, such as blog
entries, news headlines, audio, and video
RSS uses a standardized format. An RSS feed
includes complete or summarized text, plus
metadata, such as publishing dates and
authorships..
By using RSS, a network security professional can
acquire up-to-date information on a daily basis and
aggregate real-time threat information for review at
any time.
Domains of Network Security
Refer: 1.1.4.1

The 12 domains of network security provide a convenient separation for the
elements of network security.
One of the most important domains is security policy.
A security policy is a formal statement of the rules by which people must abide
who are given access to the technology and information assets of an
organization.
Network Security Policies

The policy is used to aid in network design, convey security principles, and
facilitate network deployments.
The network security policy outlines rules for network access, determines how
policies are enforced, and describes the basic architecture of the organization's
network security environment.

A Cisco Self-Defending Network (SDN) uses the network to identify, prevent, and adapt
to threats.
Unlike point-solution strategies, where products are purchased individually without
consideration for which products work best together, a network-based approach is a
strategic approach that meets the current challenges and evolves to address new security
needs.
A Cisco SDN begins with a strong, secure, flexible network platform from which a
security solution is built.

Refer: 1.1.5.2

Detail: 1.1.5.3
Virues, Worms, and

Trojan Horses
Viruses
A virus is malicious software which attaches to another program to
execute a specific unwanted function on a computer.

A worm executes arbitrary code and installs copies of itself in the
memory of the infected computer, which then infects other hosts.
A Trojan Horse is an application written to look like something else.
When a Trojan Horse is downloaded and opened, it attacks the
end-user computer from within.
Refer: 1.2.1.1
Viruses
The term virus refers to an infectious organism that

requires a host cell to grow and replicate.
Viruses
A virus is a malicious code that is attached to legitimate programs or

executable files.
Most viruses require end-user activation and can lay dormant for an
extended period and then activate at a specific time or date.
When activated, the virus might check the disk for other executables, so
that it can infect all the files it has not yet infected.
Today, most viruses are spread by USB memory sticks, CDs, DVDs,
network shares, or email. Email viruses are now the most common type of
virus.
Worms
Worms are a particularly dangerous type of hostile code.

They replicate themselves by independently exploiting vulnerabilities in
networks.
Worms usually slow down networks.
Worms are responsible for some of the most devastating attacks on the
Internet.
Worms
Most worm attacks have three major components:

Enabling vulnerability - A worm installs itself using an exploit
mechanism (email attachment, executable file, Trojan Horse) on a
vulnerable system.
Propagation mechanism - After gaining access to a device, the worm
replicates itself and locates new targets.
Payload - Any malicious code that results in some action. Most often
this is used to create a backdoor to the infected host.
Worms are self-contained programs that attack a system to exploit a known
vulnerability.
Refer: 1.2.2.2
Worms
There are five basic phases of attack, regardless of whether a worm or

virus is deployed.
Trojan Horses
A Trojan Horse in the world of computing is
malware that carries out malicious

operations under the guise of a desired
function.
A virus or worm could carry a Trojan Horse.
A Trojan Horse contains hidden, malicious
code that exploits the privileges of the user
that runs it.
The Trojan Horse concept is flexible.
It can cause immediate damage, provide
remote access to the system (a back door),
or perform actions as instructed remotely,
such as "send me the password file once
per week.
Trojan Horses
Trojan Horses are usually classified according to the damage
that they cause or the manner in which they breach a system:
Remote-access Trojan Horse (enables unauthorized remote
access)
Data sending Trojan Horse (provides the attacker with sensitive
data such as passwords)
Destructive Trojan Horse (corrupts or deletes files)
Proxy Trojan Horse (user's computer functions as a proxy
server)
FTP Trojan Horse (opens port 21)
Security software disabler Trojan Horse (stops anti-virus
programs or firewalls from functioning)
Denial of Service Trojan Horse (slows or halts network activity)
Mitigating Viruses, Worms, Trojan Horses

A majority of the software vulnerabilities that are discovered relate
to buffer overflows.
A buffer is an allocated area of memory used by processes to store
data temporarily.
Mitigating Viruses and Trojan

The primary means of mitigating virus and Trojan horse attacks is
anti-virus software.
Anti-virus products are host-based.
These products are installed on computers and servers to detect
and eliminate viruses.

Mitigating Worms
The containment phase involves limiting the spread of a worm infection

to areas of the network that are already affected.
The inoculation phase runs parallel to or subsequent to the
containment phase.
The quarantine phase involves tracking down and identifying infected
machines within the contained areas and disconnecting, blocking, or
removing them.
During the treatment phase, actively infected systems are disinfected
of the worm

In the case of the SQL Slammer worm, malicious traffic was
detected on UDP port 1434.

This port should normally be blocked by a firewall on the perimeter.
Some organizations could not block UDP port 1434 because it was
required to access the SQL Server for legitimate business
transactions.
Cisco Security Agent (CSA) is a host-based intrusion prevention system

that can be integrated with anti-virus software from various vendors.
Another solution for mitigating threats is Cisco Network Admission Control
(NAC).
Cisco Security Monitoring, Analysis, and Response System (MARS)
provides security monitoring for network security devices and host
applications created by Cisco and other providers
Attach
Methodologies
Type of attacks
There are many different types of network attacks other than viruses,
worms, and Trojan Horses:
Refer: 1.3.1.1
Reconnaissance Attacks
Reconnaissance attacks involve the unauthorized discovery and
mapping of systems, services, or vulnerabilities.
Reconnaissance is analogous to a thief surveying a neighborhood for
vulnerable homes to break into, such as an unoccupied residence or a
house with an easy-to-open door or window.
Access Attacks
Access attacks exploit known vulnerabilities in authentication services,
FTP services, and web services to gain entry to web accounts,
confidential databases, and other sensitive information.
Denial of Service Attacks
Denial of service attacks send extremely large numbers of requests
over a network or the Internet
Reconnaissance is also known as information gathering and, in most

cases, precedes an access or DoS attack.
In a reconnaissance attack, the malicious intruder typically begins by
conducting a ping sweep of the target network to determine which IP
addresses are active.
Reconnaissance attacks use various tools to gain access to a network:
Packet sniffers
Ping sweeps
Port scans
Internet information queries
Refer: 1.3.1.2
A packet sniffer is a software application that uses a network adapter card

in promiscuous mode to capture all network packets that are sent across a
LAN.
Packet sniffers can only work in the same collision domain as the network
being attacked, unless the attacker has access to the intermediary
switches.
Numerous freeware and shareware packet sniffers, such as Wireshark, are
available and do not require the user to understand anything about the
underlying protocols.
Refer: 1.3.1.3
Refer: 1.3.1.4
Keep in mind that reconnaissance attacks are typically the precursor to

further attacks with the intention of gaining unauthorized access to a
network or disrupting network functionality.
A network security professional can detect when a reconnaissance attack
is underway by configured alarms that are triggered when certain
parameters are exceeded, such as ICMP requests per second.
A Cisco ISR supports the security technologies that enable these types of
alarms to be triggered.
Host-based intrusion prevention systems and standalone network-based
intrusion detection systems can also be used to notify when a
reconnaissance attack is occurring.
Access Attacks
Hackers use access attacks on networks or systems for three reasons:

retrieve data, gain access, and escalate access privileges.
Access attacks often employ password attacks to guess system
passwords.
Password attacks can be implemented using several methods, including
brute-force attacks, Trojan Horse programs, IP spoofing, and packet
sniffers
A brute-force attack is often performed using a program that runs across
the network and attempts to log in to a shared resource, such as a server.
Refer: 1.3.2.1
Access Attacks
There are five types of access attacks:
Password attack
An attacker attempts to guess system passwords.
Access Attacks
Refer: 1.3.2.2
Trust exploitation
An attacker uses privileges granted to a system in an unauthorized way
Access Attacks
Port redirection
A compromised system is used as a jump-off point for attacks against other

targets
Access Attacks
Man-in-the-middle attack
An attacker is positioned in the middle of communications between two

legitimate entities in order to read or modify the data that passes between
the two parties.
Access Attacks
Buffer overflow
A program writes data beyond the allocated buffer memory.

A result of the overflow is that valid data is overwritten or exploited to
enable the execution of malicious code.
Access Attacks
Access attacks in general can be detected by reviewing logs, bandwidth

utilization, and process loads.
Example: ManageEngine EventLog Analyzer or Cisco Secure Access
Control Server (CSACS)

Refer: 1.3.3.1
A DoS attack is a network attack that devices can not provide service for
user because of overflow buffer or CPU and so on.
There are two major reasons a DoS attack occurs:
A host or application fails to handle an unexpected condition, such as
maliciously formatted input data, an unexpected interaction of system
components, or simple resource exhaustion.
A network, host, or application is unable to handle an enormous
quantity of data, causing the system to crash or become extremely
slow.
Refer: 1.3.3.2
DoS attack
Refer: 1.3.3.2
A Distributed Denial of Service

Attack (DDoS)

Ping of Death
In a ping of death attack, a hacker sends an echo request in an IP

packet larger than the maximum packet size of 65,535 bytes.
Sending a ping of this size can crash the target computer.
A variant of this attack is to crash a system by sending ICMP
fragments, which fill the reassembly buffers of the target.
Refer: 1.3.3.3:

Smurt Attack
In a smurf attack, a perpetrator sends a large number of ICMP requests
to directed broadcast addresses, all with spoofed source addresses on
the same network as the respective directed broadcast.

TCP SYN Flood
In a TCP SYN flood attack, a flood of TCP SYN packets is sent, often
with a forged sender address.
There are five basic ways that DoS attacks can do harm:
Consumption of resources, such as bandwidth, disk space, or processor
time
Disruption of configuration information, such as routing information
Disruption of state information, such as unsolicited resetting of TCP
sessions
Disruption of physical network components
Obstruction of communication between the victim and others.
Mitigating Network Attacks

The important question is, 'How do I mitigate
these network attacks?'

Mitigating Reconnaissance Attack

Mitigating Access Attack

Mitigating DoS Attack

10 best practices represent the best insurance for network:
1.
Keep patches up to date by installing them weekly or daily, if possible, to

prevent buffer overflow and privilege escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often
4. Control physical access to systems.
5. Avoid unnecessary web page inputs.
6. Perform backups and test the backed up files on a regular basis.
7. Educate employees about the risks of social engineering, and develop
strategies to validate identities over the phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software such as firewalls, IPSs, virtual
private network (VPN) devices, anti-virus software, and content filtering.
10. Develop a written security policy for the company.
Summary

CCNA Security - Chapter 1 - Modern Network Security Threats PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCNA Security - Chapter 1 - Modern Network Security Threats PDF

Uploaded by

Copyright:

Available Formats

Chapter 1 Modern Network Security

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Evolution of Network Security

infecting over 350,000 hosts.

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Evolution of Network Security

occurred, the world began to change for networking professionals.

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Evolution of Network Security

First IDS for ARPAnet (SRI

DEC Packet Filter Firewall

AT&T Bell Labs Statefull

DEC SEAL Application

Check Point Firewall

Cisco Zone-based Policy

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Evolution of Network Security

An IDS provides real-time detection of certain types of

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Evolution of Network Security

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Evolution of Network Security

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Evolution of Network Security

Three components of information: confidentiality, integrity, availability.

Evolution of Network Security

Cisco GRE Tunnels

Site-to-Site IPSec VPNs

Remote-access IPSec VPN

Dynamic Multipoint VPN

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Drivers for Network Security

The word hackers has a variety of

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Drivers for Network Security

which refers to using various audio frequencies to manipulate

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Drivers for Network Security

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Drivers for Network Security

Robert Morris created the first

Drivers for Network Security

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Drivers for Network Security

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Drivers for Network Security

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Network Security Organizations

SysAdmin, Audit, Network, Security (SANS) Institute

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Network Security Organizations

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Network Security Organizations

CERT is part of the U.S. federally funded Software Engineering Institute

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Network Security Organizations

(ISC)2 provides vendor-neutral education products and career services in

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com

Network Security Organizations

In addition to the websites of the various security

Hc vin cng ngh thng tin Bach Khoa - Website: www.bkacad.com