Overview
• What is security?
• What to secure?

What is “Security”?
Dictionary.com says:
1. Freedom from risk or danger; safety.

What to secure?
• Data
  ◦ Example: a database record
• Resources
  ◦ Example: an ATM

Who is vulnerable?
• Financial institutions and banks
• Pharmaceutical companies
• Multinational corporations
Armies and generals have relied on confidentiality for centuries. In fact, in 50 B.C., even Julius
Caesar used a technique called Caesar Code to ensure the confidentiality of his messages.
Integrity
Integrity is defined as the ability of the data (or asset) to not be altered without detection.
An example of integrity applied to networking is a switch configuration: No one can modify the
configuration except with the proper credentials (operators’ usernames and passwords);
moreover, even a modification by the authorized personnel leaves a trail through a syslog
message.
Availability
The final security principle is the availability of service or data. Without data availability, secret and
unaltered data is useless! This principle is well known in the networking arena where redundancy and
high-availability designs are common.
Attacks against availability are called disruption or, in the networking world, denial of service (DoS)
attacks.
The following are popular solutions you can implement to help maintain availability:
• Permissions: Implementing permissions on a resource is a way to help ensure availability, because if you limit who can delete the data, then chances are high it will still be available when needed.
• Backups: Ensure you perform regular backups of critical information so that if the data becomes corrupt or unavailable, you can restore it from backup.
• Fault tolerance: You can implement data redundancy solutions to ensure the data is available, so that if one of the hard drives fails, the other drives have a copy of the information.
• Clustering: To ensure availability of services such as e-mail or database servers, you can use a high-availability solution such as clustering. Clustering allows you to have multiple servers acting as one unit, so if one server fails, the other server takes over the workload.
Accountability
Earlier, the last goal of information security was availability, but in recent years an additional A in CIA (sometimes referred to as CIAA) has come to stand for accountability.
Accountability is ensuring that employees are accountable for their actions. The following are some popular methods to implement accountability within the organization:
• Log files: Most network services either implement logging by default or can be configured to log activity to log files.
Note: Be sure to enable logging for all core services on the network so that if an incident arises, you can review the logged data.
• Audit files: Most operating systems have a security auditing feature that allows you to review the security-related events that occur on a system. In Windows, this is the Security log in Event Viewer.
Note: Be sure to review the security audit logs on a regular basis.
• Username: The most popular method of identifying users on the network is to give each of them a unique username.
• Smartcard: A smartcard is a card the size of a credit card that has a microchip which can contain data used by a system or application.
• Token: A security token is a small device that is typically used to identify an individual and is used in the authentication process. Of the different types of tokens, the most popular is a device that displays a random number for 30 to 60 seconds.
Biometrics
Biometrics is the concept of using part of your physical self to authenticate to the system. For example, you can scan a fingerprint or a retina to authenticate to a system. You typically use biometrics in highly secure environments because it is difficult for anyone else to obtain your physical characteristics.
Authorization
Once the user has been authenticated, they are given access to different resources; this is known as authorization.
• Permissions: You may authorize individuals to access a file by giving them permission to the file, or by giving a group that the individual is a member of permission to the file.
• Router ACLs: Another example of implementing authorization is configuring access control lists (ACLs) on a router.
Cyber security
Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context.
• Application security
• Information security
• Operational security
• End-user education
One of the most problematic elements of cyber security is the quickly and constantly evolving nature of security risks.
Understanding Security Principles and Terminology
Types of Security
1. Physical Security
2. Communication Security
3. Computer Security
4. Network Security

1. Physical Security
Physical security is the concept of being able to control who has physical access to the assets within the organization.
2. Communication Security
Communication security deals with protecting the information that is traveling between the source and destination by encrypting the communication.
3. Computer Security
Computer security is one of the most popular types of security. It deals with securing computer systems by implementing a number of best practices such as authentication, access control, data redundancy, malware protection, and system-hardening techniques.
4. Network Security
Network security is another popular type of security and deals with securing the network, not a particular system. Network security deals with such things as controlling who gains access to the network (switch security) and what type of traffic can enter the network (firewalls). This is complemented by monitoring network traffic for suspicious activity (an intrusion detection system).
These two needs gave rise to the art of coding messages in such a way that only the intended people could have access to the information. Unauthorized people could not extract any information, even if the messages fell into their hands.
The art and science of concealing messages to introduce secrecy in information security is recognized as cryptography.
The word ‘cryptography’ was coined by combining two Greek words, ‘Krypto’ meaning hidden and ‘graphene’ meaning writing.
Context of Cryptography
Cryptology, the study of cryptosystems, can be subdivided into two branches:
• Cryptography
• Cryptanalysis
What is Cryptography?
Cryptography is the art and science of making a cryptosystem that is capable of providing information security.
Cryptography deals with the actual securing of digital data. It refers to the design of mechanisms based on mathematical algorithms that provide fundamental information security services. You can think of cryptography as the establishment of a large toolkit containing different techniques used in security applications.
What is Cryptanalysis?
The art and science of breaking the cipher text is known as cryptanalysis. It involves the study of cryptographic mechanisms with the intention of breaking them.
Cryptanalysis is also used during the design of new cryptographic techniques to test their security strength.
Cryptography Primitives
Cryptography primitives are nothing but the tools and techniques in cryptography:
1. Encryption
2. Hash functions
3. Message Authentication Codes (MAC)
4. Digital Signatures
CRYPTO SYSTEMS
Components of a Cryptosystem
• Encryption Algorithm: It is a mathematical process that produces a cipher text for any given plaintext and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption key as input and produces a cipher text.
• Cipher text: It is the scrambled version of the plaintext produced by the encryption algorithm using a specific encryption key. The cipher text is not guarded. It flows on a public channel. It can be intercepted or compromised by anyone who has access to the communication channel.
• Decryption Algorithm: It is a mathematical process that produces a unique plaintext for any given cipher text and decryption key. It is a cryptographic algorithm that takes a cipher text and a decryption key as input and outputs a plaintext. The decryption algorithm essentially reverses the encryption algorithm and is thus closely related to it.
• Encryption Key: It is a value that is known to the sender. The sender inputs the encryption key into the encryption algorithm along with the plaintext in order to compute the cipher text.
• Decryption Key: It is a value that is known to the receiver. The decryption key is related to the encryption key, but is not always identical to it. The receiver inputs the decryption key into the decryption algorithm along with the cipher text in order to compute the plaintext.
For a given cryptosystem, the collection of all possible decryption keys is called a key space.
• Interceptor (attacker): An unauthorized entity who attempts to determine the plaintext. The interceptor can see the cipher text and may know the decryption algorithm.
Cryptosystems
• Classic Ciphers: Caesar, Atbash, Rail Fence, Route
• Modern Ciphers: DES, 3DES, IDEA, RSA, Diffie-Hellman
Before proceeding further, you need to know some facts about historical cryptosystems:
• All of these systems are based on a symmetric key encryption scheme.
• The only security service these systems provide is confidentiality of information.
• Unlike modern systems, which are digital and treat data as binary numbers, the earlier systems worked on alphabets as the basic element.
These earlier cryptographic systems are also referred to as ciphers. In general, a cipher is simply a set of steps (an algorithm) for performing both an encryption and the corresponding decryption.
Caesar Cipher
It is a mono-alphabetic cipher wherein each letter of the plaintext is substituted by another letter to form the cipher text. It is the simplest form of substitution cipher scheme: replace each letter by another letter which is ‘shifted’ by some fixed number.
For this type of scheme, both sender and receiver agree on a ‘secret shift number’ for shifting the alphabet. This number, which is between 0 and 25, becomes the key of encryption.
The plaintext letter is then encrypted to the cipher text letter on the sliding ruler underneath. The result of this process is depicted in the following figure.
The receiver then replaces the cipher text letter by the plaintext letter on the sliding ruler.
Caesar Cipher is not a secure cryptosystem because there are only 26 possible keys to try out. An attacker can carry out an exhaustive key search with the limited computing resources available.
• by Julius Caesar
• example:
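The shift cipher described above, as an added example that is not part of the original slides: encryption, decryption with the inverse shift, and the exhaustive search over the 26-element key space that makes the scheme insecure. The message, key and the crib word used to pick the right key are all constructed for the demonstration.

```python
"""Caesar cipher: encrypt, decrypt, and the 26-key exhaustive search.

Added example (not from the original slides).  Letters outside A-Z are
passed through unchanged; the key is the shift number 0..25 agreed by
sender and receiver.
"""
from __future__ import annotations

import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter forward by `key` positions (mod 26)."""
    key %= 26
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation are not encrypted
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the inverse shift."""
    return caesar_encrypt(ciphertext, -key)


def exhaustive_key_search(ciphertext: str) -> list[tuple[int, str]]:
    """Try every key in the key space (0..25) and return all candidates.

    This is why the cipher is insecure: the key space is so small that an
    interceptor can decrypt under every key and pick the readable result.
    """
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]


def recover_key(ciphertext: str, crib: str) -> int | None:
    """Pick the key whose trial decryption contains a known word (crib)."""
    for k, candidate in exhaustive_key_search(ciphertext):
        if crib.upper() in candidate:
            return k
    return None


if __name__ == "__main__":
    # Constructed sample message and secret shift number.
    msg, key = "MEET ME AT NOON", 3
    ct = caesar_encrypt(msg, key)
    print(ct)                        # PHHW PH DW QRRQ
    print(caesar_decrypt(ct, key))   # MEET ME AT NOON
    print(recover_key(ct, "NOON"))   # 3
```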
Transposition Cipher
Modern cryptosystems process binary strings, converting one binary string into another. Based on how these binary strings are processed, symmetric encryption schemes are classified as stream ciphers or block ciphers.
Stream Ciphers
In this scheme, the plaintext is processed one bit at a time, i.e. one bit of plaintext is taken and a series of operations is performed on it to generate one bit of cipher text. Technically, stream ciphers are block ciphers with a block size of one bit.
Block Ciphers
In this scheme, the plain binary text is processed in blocks (groups) of bits at a time; i.e. a block of plaintext bits is selected and a series of operations is performed on this block to generate a block of cipher text bits. The number of bits in a block is fixed. For example, the schemes DES and AES have block sizes of 64 and 128 bits, respectively.
1. Symmetric Algorithms
2. Asymmetric Algorithms

1. Symmetric Algorithms
• Digital Encryption Standard (DES): The popular block cipher of the 1990s. It is now considered a ‘broken’ block cipher, due primarily to its small key size.
• Triple DES: It is a variant scheme based on repeated DES applications. It is still a respected block cipher but inefficient compared to the newer, faster block ciphers available.
• Advanced Encryption Standard (AES): It is a relatively new block cipher based on the encryption algorithm Rijndael that won the AES design competition.
• IDEA: It is a sufficiently strong block cipher with a block size of 64 bits and a key size of 128 bits. A number of applications use IDEA encryption, including early versions of the Pretty Good Privacy (PGP) protocol. The IDEA scheme has restricted adoption due to patent issues.
2. Asymmetric Algorithms
• Use different keys for encryption and decryption
• The decryption key cannot be calculated from the encryption key
• Anyone can use the key to encrypt data and send it to the host; only the host can decrypt the data
• Also known as public key algorithms
• Examples: Diffie-Hellman, RSA

Symmetric | Asymmetric
RC4       | RSA
AES       | Diffie-Hellman
DES       | ECC
3DES      | El Gamal
QUAD      | DSA
Hashing
The following are some common hashing algorithms that have been used in recent years:
• Message Digest (MD): The MD algorithm was created by Ron Rivest and has different versions, such as MD2, MD4, and MD5. The MD5 algorithm is one of the most common hashing algorithms today. It generates a 128-bit hash value.
• Secure Hash Algorithm (SHA): Created by the National Security Agency, the SHA algorithm has different versions, such as SHA-0, SHA-1, and SHA-2. The most common hashing protocol of the three in use today, SHA-1, creates a 160-bit hash value.
• SHA-256 and SHA-512: These are two newer versions of the SHA algorithm that generate 256-bit and 512-bit hash values. They are considered to not be susceptible to collision attacks.
• LANMAN: Also known as LM hash, this hashing algorithm is used by older Microsoft operating systems to hash and store passwords. The LM hash is created by encrypting the password with DES. It is considered an unsecure method of storing password hashes.
• NT LAN Manager (NTLM): Starting with Windows NT operating systems, a new and improved method of storing passwords in the registry was used.

• Secure Socket Layer (SSL)/Transport Layer Security (TLS): SSL has become the popular protocol over the last number of years for encrypting traffic, such as web and email traffic. TLS is a more secure protocol that is designed to replace SSL.
• Secure MIME (S/MIME): S/MIME is the protocol used to encrypt e-mail messages on the network.
• Internet Protocol Security (IPsec): IPsec is a popular security protocol that is designed to encrypt all IP traffic, no matter what the application is. IPsec has two modes:
  1. Transport mode: With transport mode, only the payload of the packet (data portion) is encrypted.
  2. Tunnel mode: With tunnel mode, the header of the packet and the data are encrypted.
• Secure Shell (SSH): SSH is designed to be a secure replacement for Telnet, and provides authentication and encryption services. SSH can be used to create an encrypted channel so that communication through the channel is encrypted.
• Secure FTP (SFTP): SFTP, also known as FTP Secure (FTPS), is an extension of SSH that allows secure transfer and management of files through an SSH channel.
• Secure Copy Protocol (SCP): Like SFTP, SCP runs on top of an SSH channel in order to encrypt the communication used to transfer a file.
• Wireless: You should encrypt wireless communication with WEP, WPA, or the more secure WPA2.
Understanding Steganography
Steganography is a cryptography concept that involves a person hiding text information inside graphic files. A number of steganography applications can be used to modify a graphic file and hide text documents in the graphic file.
Digital Signatures
A digital signature is a technique based on public key cryptography, with one difference. In public key cryptography a pair of keys is used: one public key and one private key. The public key is often used for message encryption and the private key is often used for decrypting the message. In the case of a digital signature, however, the message is encrypted with the private key and decrypted with the public key.
• Only the specific person holding the corresponding private key can encrypt the message, or in other words sign the message; however, any party who has the signatory’s public key can decrypt the message, in other words verify the signature.
• Signature verification may be performed by any party: the signatory (sender), the intended receiver, or any other party using the signatory’s public key.
• A signatory may wish to verify that the computed signature is correct before sending the signed message to the intended receiver.
• The intended receiver (or any other party) verifies the signature to determine its authenticity upon receiving the message.
Authentication: Authentication means the act of proving who you say you are.
Authentication means that you know who created and sent the message. A digital signature is used to authenticate the source of messages; it assures the receiver of the identity of the sender.
Integrity: Integrity ensures that when a message is sent over a network, the data that arrives is the same as the data that was originally sent. Integrity is the assurance that the information is trustworthy and accurate. A digital signature ensures the integrity of the message.
At the same time, it also ensures the identity of the receiver, so the receiver can’t repudiate it later.
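The sign-with-private-key, verify-with-public-key mechanism described above, as an added example that is not part of the original notes. It uses textbook RSA with a constructed toy key pair built from two Mersenne primes (far too small for real use) and SHA-256 as the hash, and shows that both an altered message and an altered signature fail verification.

```python
"""Digital signature with textbook RSA: sign with the private key, verify
with the public key.

Added example (not from the original notes).  The key pair is constructed
from two Mersenne primes so the numbers are fixed and reproducible; it is
far too small for real use and illustrates the mechanism only.  The message
is hashed with SHA-256 first, and it is the hash value that is "encrypted"
with the private key.
"""
from __future__ import annotations

import hashlib

# Constructed toy key pair (not a real key).
P = 2**31 - 1                      # prime
Q = 2**61 - 1                      # prime
N = P * Q                          # modulus, shared by both keys
PHI = (P - 1) * (Q - 1)
E = 65537                          # public exponent (coprime to PHI)
D = pow(E, -1, PHI)                # private exponent: E * D == 1 (mod PHI)

PUBLIC_KEY = (N, E)                # anyone may hold this
PRIVATE_KEY = (N, D)               # only the signatory holds this


def message_digest(message: bytes, n: int) -> int:
    """SHA-256 the message and reduce it into the range 0..n-1."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: tuple[int, int]) -> int:
    """Signatory: 'encrypt' the digest with the private key."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key: tuple[int, int]) -> bool:
    """Any party with the public key: 'decrypt' the signature and compare it
    with a fresh digest of the message as received."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


if __name__ == "__main__":
    msg = b"Transfer 100 EUR to account 42"
    sig = sign(msg, PRIVATE_KEY)
    print(verify(msg, sig, PUBLIC_KEY))                                # True
    print(verify(b"Transfer 900 EUR to account 42", sig, PUBLIC_KEY))  # False: altered
    print(verify(msg, (sig + 1) % N, PUBLIC_KEY))                      # False: forged
```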
1. To add a digital signature, open your Microsoft Word document and click where you’d like to add your signature line.
2. From the Word ribbon, select the Insert tab and then click Signature Line in the Text group.
3. A Signature Setup pop-up box appears. Enter your information in the text fields and click OK.
5. A Sign pop-up box appears. At the X, type your name. Next, look at the Signing as: field. Select the signing certificate. To ensure that this is the correct certificate, click the Change button.
• Monitoring employees.
• Protecting programs from malware activity or user errors (accidental deletion, for example).
Trojan horses
Can make copies of themselves, steal information, or harm their host computer systems.
Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation. A virus might corrupt or delete data on your computer, use your email program to spread itself to other computers, or even erase everything on your hard disk.
Various types of virus:
1. File Virus: This type of virus infects the system by appending itself to the end of a file. It changes the start of a program so that control jumps to its code. After the execution of its code, control returns to the main program. Its execution is not even noticed. It is also called a parasitic virus because it leaves no file intact but also leaves the host functional.
2. Boot Sector Virus: It infects the boot sector of the system, executing every time the system is booted and before the operating system is loaded. It infects other bootable media like floppy disks. These are also known as memory viruses as they do not infect the file system.
3. Macro Virus: Unlike most viruses, which are written in a low-level language (like C or assembly language), these are written in a high-level language like Visual Basic. These viruses are triggered when a program capable of executing a macro is run. For example, a macro virus can be contained in spreadsheet files.
4. Source Code Virus: It looks for source code and modifies it to include the virus and to help spread it.
5. Polymorphic Virus: A virus signature is a pattern that can identify a virus (a series of bytes that make up the virus code). So, in order to avoid detection by antivirus software, a polymorphic virus changes each time it is installed. The functionality of the virus remains the same but its signature is changed.
6. Encrypted Virus: In order to avoid detection by antivirus software, this type of virus exists in encrypted form. It carries a decryption algorithm along with it, so the virus first decrypts itself and then executes.
7. Stealth Virus: It is a very tricky virus as it changes the code that can be used to detect it. Hence, the detection of the virus becomes very difficult. For example, it can change the read system call such that whenever a user asks to read code modified by the virus, the original form of the code is shown rather than the infected code.
8. Tunneling Virus: This virus attempts to bypass detection by antivirus scanners by installing itself in the interrupt handler chain. Interception programs, which remain in the background of an operating system and catch viruses, become disabled during the course of a tunneling virus. Similar viruses install themselves in device drivers.
9. Multipartite Virus: This type of virus is able to infect multiple parts of a system, including the boot sector, memory and files. This makes it difficult to detect and contain.
10. Armored Virus: An armored virus is coded to make it difficult for antivirus software to unravel and understand. It uses a variety of techniques to do so, like fooling antivirus software into believing that it lies somewhere other than its real location, or using compression to complicate its code.
How to know if your computer is affected by a virus?
After you open and run an infected program or attachment on your computer, you might not realize that you've introduced a virus until you notice something isn't quite right.
• Your computer restarts on its own and then fails to run normally
A computer worm
Spyware
The presence of spyware is typically hidden from the user and can be difficult to detect.
• anti-spyware software.
Key logger
Keylogging (more often called "key loggers") is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous keylogging methods, ranging from hardware to software.
1. Phishing
2. Spam
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
• The purpose of a phishing message is to acquire sensitive information about a user. For doing so, the message needs to deceive the intended recipient.
1. Never respond to requests for personal information via email. When in doubt, call the institution that claims to have sent you the email.
2. If you suspect the message, don’t use the links within the email to get to a web page.
3. Never fill out forms in email messages that ask for confidential information.
Securing E-mail
Secure e-mail
A cyber-attack is any type of offensive action that targets computer information systems, infrastructures, computer networks or personal computer devices, using various methods to steal, alter or destroy data or information systems.
2. Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data.
Spoofing
• IP address spoofing
• ARP poisoning
• Web spoofing
• DNS spoofing
IP Address Spoofing
ARP Poisoning
This is an attack against the switch that forces the switch to broadcast the data on all ports.
Web Spoofing
• Convinces the victim that he or she is visiting a real and legitimate site
• Considered both a man-in-the-middle attack and a denial-of-service attack
• Can redirect corporate e-mail or bank account traffic through a hacker’s server, where it can be copied, modified or stolen before being sent to the final destination
Password attack
Because passwords are the most commonly used mechanism to authenticate users to an
information system, obtaining passwords is a common and effective attack approach. Access to
a person’s password can be obtained by looking around the person’s desk, ‘‘sniffing’’ the
connection to the network to acquire unencrypted passwords, using social engineering, gaining
access to a password database or outright guessing. The last approach can be done in either a
random or systematic manner:
In order to protect yourself from dictionary or brute-force attacks, you need to implement an account lockout policy that will lock the account after a few invalid password attempts.
SQL Injection
SQL injection has become a common issue with database-driven websites. It occurs when a malefactor executes a SQL query against the database via the input data passed from the client to the server. SQL commands are inserted into data-plane input (for example, instead of the login or password) in order to run predefined SQL commands. A successful SQL injection exploit can read sensitive data from the database, modify (insert, update or delete) database data, execute administration operations (such as shutdown) on the database, recover the content of a given file, and, in some cases, issue commands to the operating system.
Physical Security
Physical security refers to limiting access to key network resources by keeping the resources behind a locked door and protected from natural and human-made disasters. Physical security can protect a network from inadvertent misuse of network equipment by untrained employees and contractors. It can also protect the network from hackers, competitors, and people walking in off the street and changing equipment configurations.
Security Controls
Computer security is often divided into three distinct master categories, commonly referred to as controls:
• Physical
• Technical
• Administrative
These three broad categories define the main objectives of proper security implementation. Within these controls are sub-categories that further detail the controls and how to implement them.
Physical Controls
• Equipment
• Data
• Power supplies
• Wiring
• Personnel with access to the location
• Visibility
• Accessibility
• Security of doors
Physical Barriers
• Locks
• Fencing
• Lighting
Types of locks:
• Preset lock (least secure)
• Cipher locks
Cipher Locks
Options offered by cipher locks:
• Door Delay – Alarm triggered if the door is held or propped open for too long
• Key Override – A combination can be set into the lock to be used during an emergency or for supervisory needs
• Master Keyring – Allows supervisors to change access codes and other features
• Hostage Alarm – A hostaged employee can enter a specific code to notify security personnel
Biometric Locks
• Length and width of the hand and fingers are scanned by the optical scanner and compared to archival data
• Eye scans
  ◦ Retinal scans
  ◦ Iris scans
• Signature dynamics
• Voiceprints
• Signature forgery
Device Locks
Examples: cable locks, switch controls, slot locks, port controls, cable traps, etc.
• Cable Lock: consists of a coated steel cable that attaches PCs, laptops, printers, etc. to stationary objects
• CompuLock: a system which not only prevents unauthorized access to the interior of the computer case, but also the common theft of the mouse and keyboard
The above type of lock will help prevent your PC's or server's processor chip, memory chips and other internal components from being stolen.
Technical Controls
Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:
Physical Surveillance
Various intrusion detection systems and physical protection measures require human action, and that is called physical surveillance. There are two types of it:
• Security guards
• Guard dogs
Technical Surveillance
• Ventilation technique that forces air outward from a facility to help guard against dust and other pollutants
• Standby systems
• Surrounding the devices/wires with metallic shielding can suppress stray electronic signals
• If the facility and surrounding area are prone to natural disasters, locate elsewhere; otherwise ensure safeguards such as flood drainage, lightning rods, reinforced building, etc.
Administrative Controls
Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as:
• Training and awareness
• Disaster preparedness and recovery plans
• Personnel recruitment and separation strategies
• Personnel registration and accounting
1. Password Management
2. Enhanced Password Security
3. Login Password Retry Lockout
4. No Service Password-Recovery
5. Disable Unused Services
6. EXEC Timeout
7. Keepalives for TCP Sessions
8. Management Interface Use
Switch Attacks
• Overview
• Types of Attacks
Overview
Solution
The CAM table attack can be solved by limiting the number of MAC addresses that are allowed on the switch port. This can be achieved by using port security.
Port Security
Port security is used to limit access to a port based on MAC address. The port security feature restricts the input to the switch interface by controlling and identifying MAC addresses, such that the port does not forward packets outside the group of defined addresses.
When a frame arrives at the port, port security compares it with the defined addresses (this is called MAC coding). The port-based configuration is used to specify which particular MAC addresses are allowed and the number of MAC addresses that are allowed on the interface.
Summary
• Switch content addressable memory (the CAM table) associates a destination MAC address with an outgoing interface
• If the CAM table is full, all unknown entries are treated like broadcast traffic
• Attacker floods frames with random source MAC addresses until the CAM table fills up
• Switch becomes a hub
Configuration
Switch(config)#inter fa 0/2
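The CAM table behaviour summarised above, as an added example that is not part of the original notes: a small model of a switch's learn/forward decision, run once without port security (the table fills and a later unicast reply is flooded to every port, including the attacker's) and once with a per-port MAC limit (the offending port is shut down and the reply stays unicast). The switch, its table size, the hosts and the frames are all constructed; this is a model, not a real switch.

```python
"""Model of a switch CAM table under MAC flooding, with and without port
security.

Added example (not from the original notes).  The switch, its CAM table
size, the hosts and the frames are all constructed; the model captures only
the learn/forward decision described in the summary, not a real switch.
"""
from __future__ import annotations


class Switch:
    def __init__(self, ports: int, cam_size: int, max_macs_per_port: int | None = None):
        self.ports = list(range(1, ports + 1))
        self.cam_size = cam_size                      # CAM table capacity
        self.cam: dict[str, int] = {}                 # source MAC -> learned port
        self.max_macs_per_port = max_macs_per_port    # port security limit (None = off)
        self.secure_macs: dict[int, set[str]] = {p: set() for p in self.ports}
        self.err_disabled: set[int] = set()           # ports shut down by a violation

    def receive(self, in_port: int, src: str, dst: str) -> list[int]:
        """Process one frame: learn the source, then return the egress ports."""
        if in_port in self.err_disabled:
            return []                                 # port was shut down: drop
        if self.max_macs_per_port is not None and src not in self.secure_macs[in_port]:
            if len(self.secure_macs[in_port]) >= self.max_macs_per_port:
                # Port security violation: the port is placed in err-disabled state.
                self.err_disabled.add(in_port)
                return []
            self.secure_macs[in_port].add(src)
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = in_port                   # room left: learn the address
        if dst in self.cam:
            return [self.cam[dst]]                    # known destination: unicast
        return [p for p in self.ports if p != in_port]   # unknown: flood like a hub


def mac_flood(switch: Switch, attacker_port: int, frames: int) -> None:
    """Attacker sends frames with distinct (constructed) source MACs."""
    for i in range(frames):
        src = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        switch.receive(attacker_port, src, "ff:ff:ff:ff:ff:ff")


def run_scenario(max_macs_per_port: int | None) -> list[int]:
    """Attacker on port 1 floods; then host C (port 3) talks to host B (port 2)
    and B replies.  Returns the egress ports of B's reply to C."""
    sw = Switch(ports=4, cam_size=64, max_macs_per_port=max_macs_per_port)
    mac_flood(sw, attacker_port=1, frames=200)
    host_b, host_c = "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
    sw.receive(3, host_c, host_b)                     # C -> B: switch tries to learn C
    return sw.receive(2, host_b, host_c)              # B -> C: unicast or flooded?


if __name__ == "__main__":
    print(run_scenario(None))   # [1, 3, 4]: CAM full, reply flooded to the attacker too
    print(run_scenario(2))      # [3]: attacker port shut down, CAM intact, unicast to C
```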
Lab 2
CISCO(config)#interface fa0/1
CISCO(config-if)#switchport port-security
CISCO(config-if)#exit
CISCO(config)#interface fa0/2
Summary
Port security is a great feature, but you cannot run it on all ports; there are a few port types that you can’t configure with port security:
1- Trunk ports
4- 802.1x ports
The attacker can do so if he is capable of imitating either ISL or DOT1Q, and then appears as a switch with a trunk port and becomes a member of all VLANs.
#inter fa 1/2
STP vulnerabilities
In this attack, the attacker forces a spanning tree recalculation by sending BPDUs which indicate that the attacker has a low bridge priority; the attacker then becomes the root bridge. After the attacker becomes the root bridge, switch port analyzer software can be configured to analyze all switch port traffic.
To avoid spanning tree attacks we use root guard and BPDU guard. The idea behind root guard is that once the root bridge has been elected, we prevent any other bridge from becoming the root bridge. This configuration is implemented on the ports which are heading to non-root bridges.
Switch(config)#inter fa 0/24
the attacker sends unlimited flood of DHCP requests with spoofed source MAC addresses
Dhcp server leases one ip address per Mac address until pool is depleted or no more addresses
are in pool
the attacker then setup a rogue Dhcp server on their System and response to new DHCP
request from client on the network and this attack will allow the attack to receive all traffic
Solution
since the attack generating unlimited DHCP Request one of the way to solve is to use port
security because if we are generating thousands of DHCP request then we need to limit the
number of mac address requested received through the interface
Port Security
Attacker can’t generate DCP requests with lots of source MAC addresses
Some DHCP Implementation do’t use client source MAC address but instead use client
hardware address "inside DHCP request payload(ip value )
attacker can keep source MAC address in Ethernet frame the same but change the source MAC
address in the DHCP packet
Solution
DHCP Snooping
DHCP snooping tracks all DHCP communication between the clients and the server.
When a client sends a request, the switch watches for the reply coming back from the server.
When the reply arrives, the switch records the client identifier, the MAC address, and the IP address that was assigned.
This gives the switch a verified mapping between MAC addresses and IP addresses.
Additional DHCP requests are dropped on interfaces that already have an IP-to-MAC binding in the snooping table.
With DHCP snooping the switch builds what is called the binding table, and the binding table is then used for filtering ongoing traffic. Each entry records:
1. MAC address
2. IP address
3. lease time
4. binding type
5. VLAN number
6. port ID
configuration
switch1#config ter
switch1(config)#inter fa 0/2
The rate limit configured on this interface allows 3 DHCP requests per second; if more than that are received, the port is err-disabled and goes down.
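The checks described above (the per-port rate limit, the chaddr-versus-source-MAC mismatch that gets past port security, and the binding table built from server replies on the trusted port), as an added Python model that is not part of these notes and not any switch's real implementation. Port names, MAC and IP addresses, and the frame sequence are constructed for the example; a real switch applies the rate limit per second and keeps the table in hardware:

```python
"""Added example (not from the original notes): a toy model of DHCP snooping
on a switch.  It shows the three checks the notes describe:
 1. a per-port rate limit on client DHCP messages (the "limit rate 3" idea),
 2. dropping requests whose DHCP client hardware address (chaddr) does not
    match the Ethernet source MAC (the trick that gets past port security),
 3. building the binding table from server ACKs seen on the trusted port.
All frames, port names and addresses are constructed; nothing is read from
a real network."""
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK = "DISCOVER", "OFFER", "REQUEST", "ACK"
SERVER_MSGS = {OFFER, ACK}


@dataclass
class DhcpFrame:
    port: str         # switch port the frame arrived on
    vlan: int
    src_mac: str      # Ethernet source address
    msg: str          # DHCP message type
    chaddr: str       # client hardware address inside the DHCP payload
    yiaddr: str = ""  # "your IP" in OFFER/ACK
    lease: int = 0    # lease time in seconds (ACK)


@dataclass
class Binding:            # one row of the binding table from the notes
    mac: str
    ip: str
    lease: int
    binding_type: str
    vlan: int
    port: str


@dataclass
class DhcpSnooper:
    trusted_ports: set
    rate_limit: int = 3                              # client messages per port per window
    bindings: dict = field(default_factory=dict)     # chaddr -> Binding
    pending: dict = field(default_factory=dict)      # chaddr -> port of the last request
    counts: dict = field(default_factory=dict)       # port -> messages seen this window
    err_disabled: set = field(default_factory=set)

    def process(self, f: DhcpFrame) -> str:
        """Return 'forward' or a 'drop: ...' reason for one frame."""
        if f.port in self.err_disabled:
            return "drop: port err-disabled"
        if f.msg in SERVER_MSGS:
            # Server replies are only accepted on trusted (uplink) ports, so a
            # rogue DHCP server on an access port is stopped here.
            if f.port not in self.trusted_ports:
                return "drop: server message on untrusted port"
            if f.msg == ACK:
                client_port = self.pending.pop(f.chaddr, None)
                if client_port is None:
                    return "drop: ACK without a matching client request"
                self.bindings[f.chaddr] = Binding(
                    f.chaddr, f.yiaddr, f.lease, "dynamic", f.vlan, client_port)
            return "forward"
        if f.port in self.trusted_ports:
            return "forward"
        # Client message on an untrusted port: rate limit first, then MAC check.
        n = self.counts.get(f.port, 0) + 1
        self.counts[f.port] = n
        if n > self.rate_limit:
            self.err_disabled.add(f.port)
            return "drop: rate limit exceeded, port err-disabled"
        if f.chaddr.lower() != f.src_mac.lower():
            return "drop: chaddr does not match source MAC"
        b = self.bindings.get(f.chaddr)
        if b is not None and b.port != f.port:
            # simplification of the real check: a bound MAC may not move ports
            return "drop: MAC already bound to another port"
        self.pending[f.chaddr] = f.port
        return "forward"


def run_demo():
    """Replay a constructed frame sequence; return (verdicts, snooper)."""
    sn = DhcpSnooper(trusted_ports={"Gi0/1"})
    srv = "00:11:22:33:44:55"   # constructed DHCP server MAC
    frames = [
        # legitimate client on Fa0/2, server replies on the trusted uplink
        DhcpFrame("Fa0/2", 10, "aa:aa:aa:00:00:01", DISCOVER, "aa:aa:aa:00:00:01"),
        DhcpFrame("Gi0/1", 10, srv, OFFER, "aa:aa:aa:00:00:01", "10.0.10.50"),
        DhcpFrame("Fa0/2", 10, "aa:aa:aa:00:00:01", REQUEST, "aa:aa:aa:00:00:01"),
        DhcpFrame("Gi0/1", 10, srv, ACK, "aa:aa:aa:00:00:01", "10.0.10.50", 86400),
        # attacker on Fa0/3: fixed Ethernet MAC, varying chaddr (defeats port security)
        DhcpFrame("Fa0/3", 10, "de:ad:be:ef:00:01", DISCOVER, "de:ad:be:ef:00:02"),
        # the same attacker running a rogue DHCP server on the access port
        DhcpFrame("Fa0/3", 10, "de:ad:be:ef:00:01", OFFER, "aa:aa:aa:00:00:01", "10.0.10.99"),
        # starvation flood on Fa0/4: valid-looking frames, but too many per window
        DhcpFrame("Fa0/4", 10, "de:ad:be:ef:01:01", DISCOVER, "de:ad:be:ef:01:01"),
        DhcpFrame("Fa0/4", 10, "de:ad:be:ef:01:02", DISCOVER, "de:ad:be:ef:01:02"),
        DhcpFrame("Fa0/4", 10, "de:ad:be:ef:01:03", DISCOVER, "de:ad:be:ef:01:03"),
        DhcpFrame("Fa0/4", 10, "de:ad:be:ef:01:04", DISCOVER, "de:ad:be:ef:01:04"),
    ]
    return [sn.process(f) for f in frames], sn


if __name__ == "__main__":
    verdicts, snooper = run_demo()
    print("\n".join(verdicts))
    print("bindings:", list(snooper.bindings.values()))
```

The rogue server frame is dropped purely because it arrives on an untrusted port, which is the single most important part of real DHCP snooping: only the uplink toward the real server is marked trusted.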
!
Chapter 5 Mitigating Security Threats
Understanding Operating System Hardening
Operating system hardening is the process of removing unnecessary features of the operating
system, disabling unnecessary services, and removing unnecessary accounts.
The purpose of removing unnecessary features from the system is to reduce the attack surface, that is, the set of components of a system that an attacker can reach and try to break into.
Understanding Hardening
The term hardening is usually applied to operating systems. The idea is to "lock down" the operating system as much as is practical. For example, ensure that all unneeded services are turned off, all unneeded software is uninstalled, patches are applied, user accounts are checked for security, and so forth.
Services are programs that run when the operating system boots, and they often run in the background without users interacting directly with them. Many services are quite important, even critical. However, a service can provide an attack vector that someone could exploit against your system, so be sure to enable only those services that are absolutely required. Part of operating system hardening is disabling unnecessary services. To display all the services on your Windows computer (any version, from XP to Windows 8 or Windows Server 2012), you first select the Control Panel, then Administrative Tools, then Services.
For example, the Remote Registry service allows technical support personnel to access that system's Registry remotely. The service can be quite useful in some situations, but it can also function as a means for an attacker to get into your system. If you don't need it, turn it off.
Servers in particular should be checked so that only necessary services are running on them. Here are some tips:
File and Print Servers: These are primarily vulnerable to denial-of-service (DoS) and access attacks.
Networks with PC-Based Systems: In a network that has PC-based systems, make sure that NetBIOS services are disabled on servers or that an effective firewall is in place between the server and the Internet. Many of the popular attacks on systems take place through the NetBIOS and SMB services via ports 135, 137, 138, and 139 (and 445 for SMB over TCP). On Unix systems, make sure that port 111, the Remote Procedure Call (RPC) portmapper, is closed to untrusted networks.
Linux Service
Uninstall Unnecessary Software
The first step to hardening a system is to uninstall any unnecessary software from the system. First focus on uninstalling unnecessary third-party software that may be installed on the system. For example, when you purchase a new computer from a store, the system often comes with a bunch of preinstalled software that you never use. From a company security viewpoint, the system should be reformatted and a fresh install of the operating system applied.
A patch is an update to a system. Sometimes a patch adds new functionality; in other cases, it corrects a bug in the software. In Windows, you can select Control Panel ➢ System and Security ➢ Windows Update to view updates. Doing so allows you to see updates that are currently installed, update settings, and any issues.
If you are running a standalone system (a home system or perhaps a laptop used for travel), you should elect to have updates automatically installed.
User account control is a very important part of operating system hardening. It is important
that only active accounts be operational and that they be properly managed. This means
disabling unnecessary accounts. Most network administrators focus on domain accounts.
Nevertheless, operating system hardening requires that you pay attention to local accounts
as well. A number of hacking techniques begin by compromising local accounts.
You should disable all accounts that are not needed, immediately, on servers and workstations alike. Here are some types of accounts that you should disable:
Employees Who Have Left the Company: Be sure to immediately disable accounts for any employee who has left the company. This should be done the minute employment is terminated. It does not matter why the employee left the company, whether they left on good terms after giving 2 weeks' notice, they were fired, or they retired after 30 years of loyal service; their accounts still get disabled immediately.
Temporary Employees: It is not uncommon to create short-term accounts for brief periods of time for access by temporary employees. These also need to be disabled the moment they are no longer needed.
Default Guest Accounts: In many operating systems, a guest account is created during installation and intended for use by those needing only limited access and lacking their own account on the system. This account presents a door into the system that should not be there, and everyone who has worked with the operating system knows of its existence, which makes it a likely target for attackers.
Choosing strong passwords
Use a minimum of 10 symbols, including numbers, both uppercase and lowercase letters, and special symbols.
Even better, use passphrases consisting of a minimum of 15 symbols using letters and numbers.
Do not use:
Your name, the name of your spouse or partner, or other names
A string of numbers or letters like "1234" or "abcd", or other simple patterns
Your phone number or your license plate number, anybody's birth date, or other information easily obtained about you (e.g., your address, town or alma mater)
It is vital to be able to remember your password without writing it down somewhere, so choose a strong password that you can still remember.
If you have a lot of passwords, you can use password management tools, but you must choose a strong master password for the tool.
If you suspect that someone else may know your current password, change it immediately.
Change your password periodically (every 90 days for a strong password, every 180 days for a passphrase).
Avoid using the same password for multiple websites containing sensitive information.
Password policy settings
Enforce password history, with at least 10 previous passwords remembered.
Set a maximum password age of 90 days for passwords and 180 days for passphrases.
Enable the setting that requires passwords to meet complexity requirements.
For domain admin accounts, use strong passphrases with a minimum of 15 characters.
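The rules above, as an added Python checker that is not part of the original notes. The personal-information list, the password history and the candidate passwords are constructed for the example; the "passphrase" classification (15 or more characters containing both letters and digits) follows the two categories the notes use, and the "simple pattern" rule is implemented as any four consecutive characters that ascend, descend or repeat:

```python
"""Added example (not from the original notes): a checker for the password
rules listed above.  It enforces length and character classes, rejects simple
sequences and personal information, honours a history of the last 10
passwords, and computes the maximum age (90 days for a password, 180 days
for a passphrase).  All sample inputs are constructed for the example."""
import string
from datetime import date, timedelta

MIN_PASSWORD_LEN = 10
MIN_PASSPHRASE_LEN = 15
HISTORY_SIZE = 10
MAX_AGE = {"password": 90, "passphrase": 180}   # days


def has_simple_sequence(s: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters ascend ("1234", "abcd"),
    descend ("dcba") or are all the same ("aaaa")."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1} or diffs == {0}:
            return True
    return False


def classify(pw: str) -> str:
    """'passphrase' if 15+ characters with both letters and digits, else 'password'."""
    if (len(pw) >= MIN_PASSPHRASE_LEN and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)):
        return "passphrase"
    return "password"


def check_password(pw: str, personal_info: list[str], history: list[str]) -> list[str]:
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if classify(pw) == "password":
        if len(pw) < MIN_PASSWORD_LEN:
            problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
        classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
        if not all(classes):
            problems.append("must contain lowercase, uppercase, digits and special symbols")
    if has_simple_sequence(pw):
        problems.append("contains a simple sequence or repeated characters")
    low = pw.lower()
    for item in personal_info:
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if pw in history[-HISTORY_SIZE:]:
        problems.append(f"reused one of the last {HISTORY_SIZE} passwords")
    return problems


def expiry_date(pw: str, set_on: str) -> str:
    """ISO date (YYYY-MM-DD) by which a password set on `set_on` must be changed."""
    due = date.fromisoformat(set_on) + timedelta(days=MAX_AGE[classify(pw)])
    return due.isoformat()


if __name__ == "__main__":
    info = ["Alice", "Smith", "555-0100", "1984"]          # constructed user details
    history = ["Winter2023!!", "Summer2023!!"]             # constructed history
    for cand in ["Alice1984!", "abcd!Zq9Xw", "Tr0ub4dor&3",
                 "correct-horse-battery-9-staple", "Winter2023!!"]:
        print(cand, check_password(cand, info, history) or "OK",
              "expires", expiry_date(cand, "2024-01-01"))
```

The history check compares plaintext only because this is a demonstration; a real system stores salted hashes of previous passwords and compares against those.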
Types of Firewall
You probably know that you need firewall security; in fact, you may even already have a
firewall management program in place. But what exactly is firewall security, and what does
firewall management entail?
The word firewall originally referred literally to a wall, which was constructed to halt the
spread of a fire. In the world of computer firewall protection, a firewall refers to a network
device which blocks certain kinds of network traffic, forming a barrier between a trusted and
an untrusted network. It is analogous to a physical firewall in the sense that firewall security
attempts to block the spread of computer attacks.
Packet filtering firewall
This type of firewall has a list of firewall security rules which can block traffic based on IP protocol, IP address and/or port number. Under such rules, all web traffic to the web ports will be allowed, including web-based attacks. In this situation you need intrusion prevention in addition to the firewall in order to differentiate between good web traffic (simple web requests from people browsing your website) and bad web traffic (people attacking your website).
A packet filtering firewall has no way to tell the difference. An additional problem with packet filtering firewalls which are not stateful is that the firewall can't tell the difference between a legitimate return packet and a packet which pretends to be from an established connection (for example an inbound packet with only the ACK flag set), which means your firewall rules will have to allow both kinds of packets into the network.
Stateful firewall
This is similar to a packet filtering firewall, but it keeps track of active connections, so you can define rules such as "only allow packets into the network that are part of an already established outbound connection." This solves the established-connection issue described above, but you still can't tell the difference between "good" and "bad" web traffic. You need intrusion prevention to detect and block web attacks.
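The difference between the stateless and the stateful filter described above, as an added Python simulation that is not from the original page. The internal prefix, the addresses and the four packets are constructed, and the stateless rule set is an assumed minimal "let replies back in" policy; both filters see the same packets and only the stateful one rejects the forged "established" packet:

```python
"""Added example (not from the original page): a minimal packet filter in two
flavours.  The stateless filter must allow every inbound packet with ACK set
(otherwise replies to outbound connections could not get back), which also
admits a forged packet that merely sets ACK.  The stateful filter only admits
inbound packets matching a connection it saw opened from the inside.
Addresses, ports and the packet list are constructed for the example."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Rules: allow anything from inside; allow inbound only if it looks like a
    reply (ACK set, destined to an ephemeral port).  There is no memory, so a
    spoofed packet that sets ACK is allowed too."""
    if is_inside(pkt.src):
        return True
    return pkt.ack and pkt.dport >= 1024


class StatefulFilter:
    """Remembers outbound connection attempts and only admits inbound packets
    whose reversed 4-tuple matches one of them."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            if pkt.syn and not pkt.ack:          # new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_demo() -> dict:
    """Run the same constructed packets through both filters."""
    out_syn = Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True)
    forged = Packet("198.51.100.7", 443, "10.0.0.5", 51000, ack=True)   # never requested
    inbound_syn = Packet("198.51.100.7", 40000, "10.0.0.5", 3389, syn=True)
    packets = [out_syn, reply, forged, inbound_syn]
    sf = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [sf.allow(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```

Neither filter looks past the headers, so a malicious HTTP request riding on a legitimately opened connection passes both; that is the gap the text assigns to intrusion prevention.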
Deep packet inspection firewall
An application firewall actually examines the data in the packet, and can therefore look at application layer attacks. This kind of firewall security is similar to intrusion prevention technology, and may therefore be able to provide some of the same functionality.
There are three caveats, however: first, for some vendors, "deep" means inspection to some particular depth in the packet and not necessarily the entire packet, which can result in missing some kinds of attacks. Second, depending on the hardware, a firewall may not have adequate processing power to perform deep packet inspection at your network's line rate, so be sure to ask how much bandwidth it can handle while performing such inspection. Finally, embedded firewall technology may not have the flexibility to handle all attacks.
Application-aware firewall
Similar to deep packet inspection, except that the firewall understands certain protocols and can parse them, so that signatures or rules can specifically address certain fields in the protocol. This is very flexible and permits the signatures or rules to be both specific and comprehensive. It generally improves on a plain deep packet inspection approach; the main drawback is that some actual attacks may be overlooked (false negatives) because the firewall's parsing routines are not robust enough to handle variations in real-world traffic.
Application proxy
An application proxy acts as an intermediary for certain application traffic (such as HTTP, or web, traffic), intercepting all requests and validating them before passing them along. Again, an application proxy firewall is similar to certain kinds of intrusion prevention. A full application proxy is, however, quite difficult to implement, and each proxy can only handle one protocol (e.g. web or incoming email).
As you can see, there are areas of overlap between intrusion prevention and certain types of firewall security. The terminology in this field is still being worked out, so it can be confusing at times.
Flood Guards
Network-based Firewalls
• Control traffic flows based on the application (for example Microsoft SQL Server, Twitter, YouTube)
Intrusion Prevention Systems
• Identify the application
• Apply application-specific vulnerability signatures to the traffic
Host-based firewalls
• Work with the OS to determine the application
DMZ
• A layer of security between your internal network and the Internet
• Protects external-facing services
• Usually less trusted than the internal network connection
VPN concentrator
Load balancer
Proxy
• Receives the user requests and sends the request on their behalf (the proxy)
components are running at 150 Mbps today. To help accomplish higher transfer rates, 802.11n
uses two new features:
multiple input multiple output (MIMO)
channel bonding.
Antenna Types
Wireless networking technologies use two major antenna types, omnidirectional and directional.
Omnidirectional antennas send and receive signals in any direction, covering a 360-degree radius around the antenna.
The advantage of an omnidirectional antenna is that it can communicate with devices in any direction, but the drawback is that it spreads its power over all directions, so the distance it can reach is shorter than with a directional antenna. Directional antennas only send and receive signals in a single direction. Although a directional antenna communicates in only one direction, it can cover a longer range in that direction.
Authentication and Encryption
A number of wireless authentication and encryption protocols have been developed over the years. The purpose of these protocols is to help secure your wireless network, and you should consider them for implementation on your wireless network.
WEP
Wired Equivalent Privacy (WEP) was designed to give the wireless world a level of security equivalent to that of the wired networking world.
WEP adds security by requiring anyone who wishes to connect to the wireless network to input a wireless key (a value configured on the wireless access point that must be entered by anyone wishing to connect).
To configure your wireless network with WEP, simply specify a shared key, or passphrase, on the wireless access point.
Note that WEP is cryptographically broken: its use of RC4 with a 24-bit initialization vector leads to keystream reuse, and an attacker can recover the key from captured traffic in minutes, so WEP should not be used at all today.
WPA
Wi-Fi Protected Access (WPA) was designed to improve upon security and to fix some of the flaws found in WEP. WPA uses a 128-bit key and the Temporal Key Integrity Protocol (TKIP), which changes the encryption key for every packet that is sent. This makes it much harder for attackers to crack the key. TKIP was an interim fix that kept WEP-era hardware usable; it is now deprecated in favour of the CCMP/AES used by WPA2.
WPA also supports authentication using the Extensible Authentication Protocol (EAP), an authentication framework that supports a number of authentication methods such as Kerberos, token cards, certificates, and smartcards.
EAP messages are encapsulated inside 802.1X packets (EAPOL) for network access authentication on wired or wireless networks.
There are many variations of EAP; two common ones are LEAP and PEAP:
LEAP The Lightweight Extensible Authentication Protocol (LEAP) is Cisco's proprietary EAP method, created before the IEEE finalized 802.1X. LEAP is known to be vulnerable to offline dictionary attacks against captured challenge/response exchanges and should not be used.
PEAP Protected Extensible Authentication Protocol (PEAP) encapsulates EAP messages in a secure tunnel that uses Transport Layer Security (TLS). The reason for this is that many EAP methods on their own send the authentication exchange unprotected; with PEAP, TLS is first used to create a secure tunnel between the client and the authentication server, and the inner authentication runs inside it.
When configuring WPA on the wireless network, note that WPA operates in two different
modes, WPA Personal and WPA Enterprise:
WPA Personal WPA Personal is also known as WPA-PSK, which means WPA preshared key.
With WPA Personal, you will configure the access point with a starting key value,
known as the preshared key, which is then used to encrypt the traffic.
This mode is used most by home users and small businesses.
WPA Enterprise WPA Enterprise, also known as WPA-802.1x, is a WPA implementation that
uses a central authentication server such as a RADIUS server for authentication and auditing
features.
WPA2
WPA2 improves upon the security of WPA and should be used instead of WPA if you have the choice.
WPA2 uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP, or CCM mode protocol) for data privacy, integrity, and authentication on a WPA2 wireless network.
WPA2 uses CCMP with the Advanced Encryption Standard (AES) cipher for encryption of wireless traffic instead of TKIP, and also supports additional features such as added protection for ad hoc networks and key caching.
Securing a Wireless Network
Security Best Practices
1-Change Admin Password
All routers have a default admin password, so be sure to change the password from the default.
2-Service Set Identifier (SSID)
The Service Set Identifier (SSID) is the name that you give the wireless network, and in order for someone to connect to your wireless network, that person needs to know the SSID. Any client who wishes to connect to your wireless network will need to specify the SSID name in their wireless network card settings. Therefore, it is important that you change the SSID from the default.
Remember that the SSID should be changed from the default and SSID broadcasting disabled. Also note that you can use a tool such as NetStumbler or Kismet to do a wireless survey to get a list of wireless networks that are nearby, and that such tools will reveal a "hidden" SSID as well, because it is still sent in probe and association frames. Disabling the broadcast therefore only hides the network from casual users; it is not an access control and must not replace WPA2 authentication.
To summarize the SSID issue, be sure to change the SSID to something hard to guess (don't use your company name if you are setting up the wireless network for the company), and be sure to disable SSID broadcasting on the router.
In addition to network monitoring, you must monitor the event logs. Event logs are system logs that record various events that occur.
Event logs comprise a broad category that includes some logs that are not relevant to security issues.
The two most important logs for security purposes are the following:
Application Log: Many applications will record their errors in this log. It can be particularly useful if the log is on a server that has database server software like SQL Server installed.
Security Log: The most important things that you will find in the security log are successful and unsuccessful logon attempts. This log also records events related to resource use, when auditing for those resources has been enabled. Logon auditing can be turned off, but it never should be.
In Windows the security log is the access log. Linux provides separate logs for successful and failed login attempts. By default, Windows does not log both successes and failures for logon events; for security monitoring, enable auditing of both and review them in Event Viewer.
2-Resource Monitoring
3- Task schedule
The log files are the files that contain messages about the system, including the kernel, the services and the applications running on it.
You should check a number of logs for entries that might indicate an intrusion. The primary ones you should examine are listed here:
/var/log/faillog Open a shell prompt, and use the faillog utility to view a list of failed login attempts per user.
/var/log/btmp Use the lastb command to view the failed login attempts recorded here.
/var/log/wtmp Open a shell prompt, and use the last command to view a list of users who have authenticated to the system.
/var/log/auth.log (Debian/Ubuntu) or /var/log/secure (Red Hat family) The text log where sshd, sudo and PAM record both successful and failed authentication, which is the file to search for brute-force attempts.
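Checking those logs for signs of intrusion, as an added Python example that is not part of the original notes: it parses sshd lines in the auth.log/secure syslog format, counts failed logins per source address, and flags a success that follows a burst of failures from the same address, a classic indicator that a brute-force attack worked. The log lines are constructed for the example:

```python
"""Added example (not from the original notes): scan Linux authentication
log lines for a brute-force login attempt and for a success that followed a
burst of failures.  The lines are constructed in the common sshd syslog style
("Failed password for ..." / "Accepted publickey for ...")."""
import re
from collections import Counter, defaultdict

# constructed sample in /var/log/auth.log (Debian) / /var/log/secure (RHEL) style
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar  3 10:00:02 host sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 50123 ssh2
Mar  3 10:00:03 host sshd[2104]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar  3 10:00:04 host sshd[2106]: Failed password for root from 198.51.100.23 port 50125 ssh2
Mar  3 10:00:05 host sshd[2108]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar  3 10:00:09 host sshd[2110]: Accepted password for root from 198.51.100.23 port 50130 ssh2
Mar  3 10:05:00 host sshd[2150]: Accepted publickey for alice from 10.0.0.8 port 41022 ssh2
Mar  3 10:06:00 host sshd[2160]: Failed password for alice from 10.0.0.8 port 41030 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text: str) -> list[dict]:
    """Parse the sshd lines we understand; silently skip anything else."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_ip(events: list[dict]) -> Counter:
    """Number of failed logins per source address."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def suspicious_sources(events: list[dict], threshold: int = 5) -> list[str]:
    """Source addresses with at least `threshold` failed logins."""
    return sorted(ip for ip, n in failures_by_ip(events).items() if n >= threshold)


def success_after_failures(events: list[dict], threshold: int = 3) -> list[tuple[str, str]]:
    """(ip, user) pairs where a success follows >= `threshold` failures from the
    same address.  Events must be in log (time) order."""
    fails = defaultdict(int)
    hits = []
    for e in events:
        if e["result"] == "Failed":
            fails[e["ip"]] += 1
        elif fails[e["ip"]] >= threshold:
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("failures per IP:", dict(failures_by_ip(ev)))
    print("brute-force sources:", suspicious_sources(ev))
    print("success after failures:", success_after_failures(ev))
```

In production the same logic runs over the live file (or journald output), with thresholds tuned to the environment and with the "success after failures" hits treated as incidents rather than mere alerts.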
There are some essential concepts identified on the CompTIA Security+ exam that are discussed in this section:
MAC Limiting and Filtering: Limit access to the network to MAC addresses that are known, and filter out those that are not. Note that a MAC address is trivially spoofed, so MAC filtering on its own only keeps out casual connections.
Adding port authentication (802.1X) to MAC filtering takes security for the network down to the switch port level and is a large improvement over filtering alone.
Disable Unused Ports: this applies both to physical switch ports and to network service ports. An unused switch port should be administratively shut down so that nothing plugged into it gets network access. A service port is a connection, like a channel; for example, SMTP uses port 25, which is why these are sometimes called application ports. All service ports not in use should be closed. Otherwise, they present an open door for an attacker to enter.
Security Audits
Monitoring should take place on several levels. There should be basic, ongoing monitoring that is not labor intensive. Software solutions are available that will accomplish this for you.
The scope of the audit and its frequency are determined by the organization.
Security incidents will occur no matter how well you design your security system. Some of these incidents will be minor, whereas others will be quite serious. Regardless of the severity of the incident, it must be reported.
Alarms
An alarm is an issue that requires a response right now. Alarm rates over time can also indicate trends that are occurring.
Alerts
Slightly below alarms in terms of security issues are alerts. Alerts are issues to which you need to pay attention but which are not about to bring the system down at any moment. (Think of them as storm watches instead of storm warnings.)
In Event Viewer, for example, system events are identified either as errors, information, or warnings.
What is Wireshark?
Wireshark is a network packet analyzer. In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.
Wireshark is perhaps one of the best open source packet analyzers available today.
It is useful in many situations: troubleshooting network problems, learning how protocols work, and inspecting the traffic of a suspicious program.
1.1.2. Features
To really appreciate its power you have to start using it.
Figure 1.1, "Wireshark captures packets and lets you examine their contents." shows Wireshark having captured some packets and waiting for you to examine them.
Figure 1.1. Wireshark captures packets and lets you examine their contents.
1.4. A brief history of Wireshark
In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn more about networking, so he started writing Ethereal (the original name of the Wireshark project) as a way to solve both problems.
Ethereal was initially released, after several pauses in development, in July 1998 as version 0.2.0. Within days patches, bug reports,
The “Filter” toolbar
The filter toolbar lets you quickly edit and apply display filters. More information
on display filters is available in Section 6.3, “Filtering packets while viewing”.
The packet list pane displays all the packets in the current capture file.
While dissecting a packet, Wireshark will place information from the protocol
dissectors into the columns. As higher level protocols might overwrite information
from lower levels, you will typically see the information from the highest possible
level only.
For example, let’s look at a packet containing TCP inside IP inside an Ethernet
packet. The Ethernet dissector will write its data (such as the Ethernet addresses),
the IP dissector will overwrite this by its own (such as the IP addresses), the TCP
dissector will overwrite the IP information, and so on.
There are a lot of different columns available. Which columns are displayed can
be selected by preference settings, see Section 10.5, “Preferences”.
No. The number of the packet in the capture file. This number won’t change,
even if a display filter is used.
Time The timestamp of the packet. The presentation format of this
timestamp can be changed, see Section 6.12, “Time display formats and time
references”.
Source The address where this packet is coming from.
Destination The address where this packet is going to.
Protocol The protocol name in a short (perhaps abbreviated) version.
Length The length of each packet.
Info Additional information about the packet content.
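The column-overwriting behaviour described above, as an added Python example that is not Wireshark's own code: a minimal Ethernet II / IPv4 / TCP dissector that fills the Source, Destination, Protocol, Length and Info columns, each layer overwriting what the one below it wrote. The frame is constructed inside the block (IP checksum left at zero), and only IPv4 with TCP or UDP is handled; anything else stays at the Ethernet level:

```python
"""Added example (not Wireshark's code): walk an Ethernet II -> IPv4 -> TCP
frame with struct and fill packet-list columns the way the text describes:
each higher-layer dissector overwrites Source/Destination/Protocol, so the
columns end up showing the highest layer that was understood.
The sample frame is constructed for the example."""
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_FLAG_NAMES = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def dissect_ethernet(frame: bytes, cols: dict) -> tuple[int, bytes]:
    """Ethernet II header: dst(6) src(6) ethertype(2).  Returns (ethertype, payload)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    cols.update(Source=mac_str(src), Destination=mac_str(dst), Protocol="ETH")
    return ethertype, frame[14:]


def dissect_ipv4(payload: bytes, cols: dict) -> tuple[int, bytes]:
    """IPv4 header; overwrites the Ethernet addresses.  Returns (protocol, payload)."""
    ihl = (payload[0] & 0x0F) * 4                   # header length in bytes
    total_len = struct.unpack("!H", payload[2:4])[0]
    proto = payload[9]
    cols.update(Source=ip_str(payload[12:16]), Destination=ip_str(payload[16:20]),
                Protocol="IPv4")
    return proto, payload[ihl:total_len]


def dissect_tcp(segment: bytes, cols: dict) -> None:
    """TCP header; overwrites Protocol and fills Info."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    names = [n for bit, n in TCP_FLAG_NAMES if flags & bit]
    cols.update(Protocol="TCP",
                Info=f"{sport} -> {dport} [{', '.join(names)}] Seq={seq} Ack={ack} "
                     f"Len={len(segment) - data_off}")


def dissect(frame: bytes) -> dict:
    """Return the packet-list columns for one frame."""
    cols = {"Length": len(frame)}
    ethertype, payload = dissect_ethernet(frame, cols)
    if ethertype == ETH_P_IP:
        proto, segment = dissect_ipv4(payload, cols)
        if proto == IPPROTO_TCP:
            dissect_tcp(segment, cols)
        elif proto == IPPROTO_UDP:
            cols["Protocol"] = "UDP"
    return cols


def build_sample() -> bytes:
    """Constructed TCP SYN from 10.0.0.5:51000 to 203.0.113.10:443 (IP checksum 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIHHHH", 51000, 443, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
    return eth + ip + tcp


if __name__ == "__main__":
    for name, value in dissect(build_sample()).items():
        print(f"{name:12} {value}")
```

Running it prints the IP addresses, not the MACs, in Source and Destination, and "TCP" rather than "IPv4" or "ETH" in Protocol, which is exactly the overwrite order the text describes.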
The first column shows how each packet is related to the selected packet. For
example, in the image above the first packet is selected, which is a DNS request.
Wireshark shows a rightward arrow for the request itself, followed by a leftward
arrow for the response in packet 2. Why is there a dashed line? There are more
DNS packets further down that use the same port numbers. Wireshark treats
them as belonging to the same conversation and draws a line connecting them.
The packet bytes pane shows the data of the current packet (selected in the
“Packet List” pane) in a hexdump style.
Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark has reassembled some packets into a single chunk of data. (See Section 7.7, "Packet Reassembly" for details). In this case you can see each data source by clicking its corresponding tab at the bottom of the pane.
The context menu (right mouse click) of the tab labels will show a list of all
available pages. This can be helpful if the size in the pane is too small for all the
tab labels.
4.2. Prerequisites
Setting up Wireshark to capture packets for the first time can be tricky. A comprehensive guide "How To setup a Capture" is available at https://wiki.wireshark.org/CaptureSetup.
If you have any problems setting up your capture environment you should have a look at the guide mentioned above.
This tutorial will get you up to speed with the basics of capturing packets, filtering
them, and inspecting them. You can use Wireshark to inspect a suspicious
program’s network traffic, analyze the traffic flow on your network, or
troubleshoot network problems.
Getting Wireshark
You can download Wireshark for Windows or Mac OS X from its official website. If
you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in
its package repositories. For example, if you’re using Ubuntu, you’ll find
Wireshark in the Ubuntu Software Center.
Just a quick warning: Many organizations don’t allow Wireshark and similar tools
on their networks. Don’t use this tool at work unless you have permission.
Capturing Packets
After downloading and installing Wireshark, you can launch it and click the name
of an interface under Interface List to start capturing packets on that interface.
For example, if you want to capture traffic on the wireless network, click your
wireless interface. You can configure advanced features by clicking Capture
Options, but this isn’t necessary for now.
As soon as you click the interface's name, you'll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you're capturing on a wireless interface and have promiscuous mode enabled in your capture options, you may also see the other packets on the network; in practice, seeing other stations' traffic on Wi-Fi usually requires putting the adapter into monitor mode, since many wireless drivers ignore promiscuous mode, and in monitor mode you see raw 802.11 frames rather than Ethernet frames.
Click the stop capture button near the top left corner of the window when you want to stop capturing traffic.
Color Coding
You’ll probably see packets highlighted in green, blue, and black. Wireshark uses
colors to help you identify the types of traffic at a glance. By default, green is TCP
traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP
packets with problems — for example, they could have been delivered out-of-
order.
Sample Captures
Opening a capture file is easy; just click Open on the main screen and browse for a
file. You can also save your own captures in Wireshark and open them later.
Filtering Packets
If you’re trying to inspect something specific, such as the traffic a program sends
when phoning home, it helps to close down all other applications using the
network so you can narrow down the traffic. Still, you’ll likely have a large amount
of packets to sift through. That’s where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of
the window and clicking Apply (or pressing Enter). For example, type “dns” and
you’ll see only DNS packets. When you start typing, Wireshark will help you
autocomplete your filter.
You can also click the Analyze menu and select Display Filters to create a new
filter.
Another interesting thing you can do is right-click a packet and select Follow TCP
Stream.
You’ll see the full conversation between the client and the server.
Close the window and you’ll find a filter has been applied automatically —
Wireshark is showing you the packets that make up the conversation.
Inspecting Packets
Click a packet to select it and you can dig down to view its details.
You can also create filters from here — just right-click one of the details and use
the Apply as Filter submenu to create a filter based on it.
To check other ports, exclude the common web traffic and NetBIOS name service traffic with a display filter:
not tcp.port == 80 and not tcp.port == 443 and not (udp.srcport == 137 and udp.dstport == 137)