Professional Documents
Culture Documents
Study Guide
Chapter 4: Network Security
4.0. What is the most important step The application of an effective security policy.
1 that an organization can take to
protect its network?
4.1. What balance must an organization Today’s networks must balance the accessibility to
1 find? network resources with the protection of sensitive
data from theft.
As the types of threats, attacks, and White hat-An individual who looks for
exploits have evolved, various terms vulnerabilities in systems or networks and then
have been coined to describe the reports these vulnerabilities to the owners of the
individuals involved. Describe some system so that they can be fixed. They are ethically
of the most common terms. opposed to the abuse of computer systems. A
white hat generally focuses on securing IT systems,
whereas a black hat (the opposite) would like to
break into them.
Hacker-A general term that has historically been
used to describe a computer programming expert.
More recently, this term is often used in a negative
way to describe an individual that attempts to gain
unauthorized access to network resources with
malicious intent.
Black hat-Another term for individuals who use
their knowledge of computer systems to break into
systems or networks that they are not authorized
to use, usually for personal or financial gain. A
cracker is an example of a black hat.
Cracker-A more accurate term to describe
someone who tries to gain unauthorized access to
network resources with malicious intent.
Phreaker-An individual who manipulates the
phone network to cause it to perform a function
that is not allowed. A common goal of phreaking is
breaking into the phone network, usually through a
payphone, to make free long distance calls.
Spammer-An individual who sends large quantities
of unsolicited e-mail messages. Spammers often
use viruses to take control of home computers and
use them to send out their bulk messages.
Phisher-Uses e-mail or other means to trick others
into providing sensitive information, such as credit
card numbers or passwords. A phisher
masquerades as a trusted party that would have a
CCNA EXP 4 CH.4 Network Security REVISED FEB 2009
legitimate need for the sensitive information.
Describe the seven-step process Step 1. Perform footprint analysis
Hackers often use to gain (reconnaissance). A company webpage can lead to
information and start an attack. information, such as the IP addresses of servers.
From there, an attacker can build a picture of the
security profile or "footprint" of the company.
Step 2. Enumerate information. An attacker can
expand on the footprint by monitoring network
traffic with a packet sniffer such as Wireshark,
finding information such as version numbers of FTP
servers and mail servers. A cross-reference with
vulnerability databases exposes the applications of
the company to potential exploits.
Step 3. Manipulate users to gain access.
Sometimes employees choose passwords that are
easily crackable. In other instances, employees can
be duped by talented attackers into giving up
sensitive access-related information.
Step 4. Escalate privileges. After attackers gain
basic access, they use their skills to increase their
network privileges.
Step 5. Gather additional passwords and secrets.
With improved access privileges, attackers use
their talents to gain access to well-guarded,
sensitive information.
Step 6. Install backdoors. Backdoors provide the
attacker with a way to enter the system without
being detected. The most common backdoor is an
open listening TCP or UDP port.
Step 7. Leverage the compromised system. After a
system is compromised, an attacker uses it to
stage attacks on other hosts in the network.
What are some of the most Insider abuse of network access
commonly reported acts of Virus
computer crime that have network Mobile device theft
security implications? Phishing where an organization is fraudulently
represented as the sender
Instant messaging misuse
Denial of service
Unauthorized access to information
Bots within the organization
Theft of customer or employee data
Abuse of wireless network
System penetration
Financial fraud
Password sniffing
Key logging
Website defacement
Misuse of a public web application
Theft of proprietary information
Exploiting the DNS server of an organization
Telecom fraud
Sabotage
Describe Open, Restrictive, & Closed Open – Permit everything that is not explicitly
Networks. denied:
CCNA EXP 4 CH.4 Network Security REVISED FEB 2009
• Easy to configure & administer
• Easy for end users to access network
resources
• Security cost is least expensive
Restrictive – Combination of specific permissions
& specific restrictions:
• More difficult to configure & administer
• More difficult for end users to access
network resources
• Security cost is more expensive
Closed – That which is not explicitly permitted is
denied:
• Most difficult to configure & administer
• Most difficult for end users to access network
resources
• Security cost is most expensive
What is the first step any Develop a security policy.
organization should take to protect
its data and itself from a liability
challenge?
What is a security policy? RFC2196 states that a "security policy is a formal
statement of the rules by which people who are
given access to an organization's technology and
information assets must abide."
A security policy should meet what • Informs users, staff, and managers of their
goals? obligatory requirements for protecting
technology and information assets
• Specifies the mechanisms through which
these requirements can be met
• Provides a baseline from which to acquire,
configure, and audit computer systems and
networks for compliance with the policy
What is ISO/IEC 27002? The International Organization for Standardization
(ISO) and the International Electrotechnical
Commission (IEC) have published a security
standard document called ISO/IEC 27002. This
document refers specifically to information
technology and outlines a code of practice for
information security management. It is intended to
be a common basis and practical guideline for
developing organizational security standards and
effective security management practices.
What are the sections of ISO/IEC Risk assessment
27002 Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development, and
maintenance
Information security incident management
Describe SYN flood attack. Exploits the TCP three-way handshake. It involves
sending multiple SYN requests (1,000+) to a
targeted server. The server replies with the usual
SYN-ACK response, but the malicious host never
responds with the final ACK to complete the
handshake. This ties up the server until it
eventually runs out of resources and cannot
respond to a valid host request.
What are some other DoS attacks? E-mail bombs - Programs send bulk e-mails to
individuals, lists, or domains, monopolizing e-mail
services.
Malicious applets - These attacks are Java,
JavaScript, or ActiveX programs that cause
destruction or tie up computer resources.
Describe DDoS Attacks. Distributed DoS (DDoS) attacks are designed to
saturate network links with illegitimate data. This
data can overwhelm an Internet link, causing
legitimate traffic to be dropped. DDoS uses attack
methods similar to standard DoS attacks, but
operates on a much larger scale. Typically,
hundreds or thousands of attack points attempt to
overwhelm a target.
What are the three typical • There is a Client who is typically a person
components to a DDoS attack? who launches the attack.
• A Handler is a compromised host that is
running the attacker program and each
Handler is capable of controlling multiple
Agents
• An Agent is a compromised host that is
running the attacker program and is
responsible for generating a stream of
packets that is directed toward the intended
victim
What are some Examples of DDoS SMURF attack
attacks? Tribe flood network (TFN)
Stacheldraht
MyDoom
Describe Smurf attacks. Uses spoofed broadcast ping messages to flood a
target system. It starts with an attacker sending a
large number of ICMP echo requests to the network
broadcast address from valid spoofed source IP
addresses. A router could perform the Layer 3
broadcast-to-Layer 2 broadcast function, most
hosts will each respond with an ICMP echo reply,
multiplying the traffic by the number of hosts
responding. On a multi-access broadcast network,
there could potentially be hundreds of machines
replying to each echo packet.
CCNA EXP 4 CH.4 Network Security REVISED FEB 2009
How might DoS and DDoS attacks By implementing special anti-spoof and anti-DoS
be mitigated? access control lists. ISPs can also implement traffic
rate, limiting the amount of nonessential traffic
that crosses network segments. A common
example is to limit the amount of ICMP traffic that
is allowed into a network, because this traffic is
used only for diagnostic purposes.
Describe Malicious Code Attacks. A worm executes code and installs copies of itself
in the memory of the infected computer, which
can, in turn, infect other hosts.
A virus is malicious software that is attached to
another program for the purpose of executing a
particular unwanted function on a workstation.
A Trojan horse is different from a worm or virus
only in that the entire application was written to
look like something else, when in fact it is an attack
tool.
Describe the anatomy of a worm The enabling vulnerability-A worm installs itself
attack. by exploiting known vulnerabilities in systems,
such as naive end users who open unverified
executable attachments in e-mails.
Propagation mechanism-After gaining access to
a host, a worm copies itself to that host and then
selects new targets.
Payload-Once a host is infected with a worm, the
attacker has access to the host, often as a
privileged user. Attackers could use a local exploit
to escalate their privilege level to administrator.
How might Worm attacks be The recommended steps for worm attack
mitigated? mitigation:
Containment-Contain the spread of the worm in
and within the network. Compartmentalize
uninfected parts of the network.
Inoculation-Start patching all systems and, if
possible, scanning for vulnerable systems.
Quarantine-Track down each infected machine
inside the network. Disconnect, remove, or block
infected machines from the network.
Treatment-Clean and patch each infected system.
Some worms may require complete core system
reinstallations to clean the system.
How might Viruses & Trojan Horse Through the effective use of antivirus software at
attacks be mitigated? the user level, and potentially at the network level.
Antivirus software can detect most viruses and
many Trojan horse applications and prevent them
from spreading in the network. Keeping up to date
with the latest developments in these sorts of
attacks can also lead to a more effective posture
toward these attacks.
4.1. Describe Device Hardening. Changing default values.
4 • Default usernames and passwords should be
changed immediately.
• Access to system resources should be
restricted to only the individuals that are
R>#show version
<show command output omitted>
Configuration register is 0x2102
R1>
R1(config)#config-register 0x2102