CNPT 3220 Network Security

• Increase of network attacks

• Increased sophistication of attacks
• Increased dependence on the network
• Lack of trained personnel
• Lack of awareness
• Lack of security policies
• Wireless access
• Legislation
• Litigation
• Availability
• Confidentiality
• Integrity
High
Stealth Diagnostics
Packet Forging/
Spoofing
Sweepers DDOS
Back
Doors
Sniffers Sophistication
of Hacker Tools
Exploiting Known
Vulnerabilities Disabling
Audits
Technical
Self Replicating Code Password
Cracking Knowledge
Required
Password Guessing

Low 1980 1990 2000 2010

- from Cisco Systems
 Outsider
Viruses attacks
Physical
4% 2%
security
problems
16%

Disgruntled Human errors

employees 52%
10%

Dishonest
employees
16%

Source: Computer Security Institute

1) Pretend the problem will go away if they ignore it.
2) Authorize reactive, short-term fixes so problems re-emerge
rapidly
3) Fail to realize how much money their information and
organizational reputations are worth.
4) Rely primarily on a firewall.
5) Fail to deal with the operational aspects of security: make a few
fixes and then not allow the follow-through necessary to ensure
the problems stay fixed
6) Fail to understand the relationship of information security to
the business problem - understand physical security but fail to
see the consequences of poor information security.
7) Assign untrained people to maintain security and provide
neither the training nor the time to make it possible to do the
job.

http://www.sans.org/newlook/resources/errors.htm
 There are four general categories of security threats
to the network:
 Unstructured threats
 Structured threats
Internal
 External threats exploitation
Internet Dial-in
 Internal threats exploitation

Compromised
host
 What is the difference?
 Threat:
 A person, thing, event, or idea which poses some danger
to an asset in terms of that asset's confidentiality,
integrity, availability, or legitimate use.
 Attack:
 A realization of a threat
 Any action that attempts to compromise the security of
the information owned by an organization or person
 Reconnaissance attacks
 Access attacks
 Denial of service attacks
 Worms, viruses, and Trojan horses
 Network reconnaissance refers to the overall act of learning
information about a target network by using publicly available
information and applications. Includes:
 Information gathering
 Attempts to illicitly map your network
 Port Scans, Ping Sweeps, Sniffers, and so on.
 Not designed to gain access or attack a specific target.
 The information can be used at a later date to launch one of
the other attack types.
 These types of attacks can be viewed as a warning to an
oncoming incident.
 Scan for open TCP/UDP ports
 Collect server type and version information
 “Clever” port scans
 Do not complete TCP handshake (no final ACK)
 Drown the scan with large number of spoofed probing
packets
 OS fingerprinting
 Network reconnaissance cannot be prevented entirely.
 IDSs at the network and host levels can usually notify an
administrator when a reconnaissance gathering attack (for
example, ping sweeps and port scans) is under way.
 The general description that Cisco uses to group most attack
signatures into.
 These attacks can be broken down into three subcategories:
 Unauthorized Data Retrieval
 Unauthorized System Access
 Unauthorized Access Elevation
 These attacks are not intended to actually manipulate data or
gain access to systems.
 These attacks are designed simply to secretly remove a service
from the public’s view.
 Viruses refer to malicious software that are attached to
another program to execute a particular unwanted function
on a user’s workstation. End-user workstations are the
primary targets.
 A Trojan horse is different only in that the entire application
was written to look like something else, when in fact it is an
attack tool. A Trojan horse is mitigated by antivirus software at
the user level and possibly the network level.
 Find a scanner for latest OS/server vulnerabilities and
scan a wide range of address space
 Use available exploits to gain access
 Hide yourself on attacked host
 Install sniffers to collect passwords on remote sites.
 “A security policy is a formal statement of the
rules by which people who are given access
to an organization’s technology and
information assets must abide.”

 (RFC 2196, Site Security Handbook)

 To create a baseline of your current security posture
 To set the framework for security implementation
 To define allowed and not allowed behaviors
 To help determine necessary tools and procedures
 To communicate consensus and define roles
 To define how to handle security incidents
 The process of providing network security begins with
developing a strong corporate security policy. This includes
the following tasks:
 Identifying the resources that will be secured
 Identifying the "inside" users and hosts that will need
access to other, less-secure network resources
 Identifying corporate services that will be protected but will
be accessible from the unsecured networks
 Developing an authentication scheme, if needed, that can
identify and grant permission for corporate and outside
users
 Developing a plan for auditing the security activities.
 Network security is a continuous
process built around a security
policy. Consists of four steps: Secure
1. Secure the network (configure
firewalls, routers, intrusion Security
protection systems, Policy
Improve Monitor
and so on)
2. Monitor and respond to
malicious activity
3. Test existing security Test
policies and components
4. Manage and improve
network security.