Network Security Terms
White hat: An individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed. White hats are ethically opposed to the abuse of computer systems. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) wants to break into them.
Hacker: A general term that has historically been used to describe a computer programming expert. More recently, this term is often used in a negative way to describe an individual who attempts to gain unauthorized access to network resources with malicious intent.
Black hat: Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat.
Cracker: A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.
Phreaker: An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long-distance calls.
Spammer: An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages.
Phisher: Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.
(Diagram: the three factors of network security. Vulnerability: technology, configuration, security policy. Threat: environmental, electrical, maintenance, network (unstructured, structured, internal). Attack: reconnaissance, access, denial of service, packet sniffers, port redirection, man-in-the-middle attack.)
Three primary vulnerabilities or weaknesses:
1. Technological weaknesses
2. Configuration weaknesses
3. Security policy weaknesses
Four classes of physical threats are:
Physical Mitigation
Hardware threat mitigation
• Lock the wiring closet and only allow access to authorized personnel. Block access
through any dropped ceiling, raised floor, window, ductwork, or point of entry other
than the secured access point. Use electronic access control, and log all entry
attempts. Monitor facilities with security cameras.
Network threats
Unstructured Threats
• Unstructured threats consist of mostly inexperienced individuals using easily available hacking
tools, such as shell scripts and password crackers. Even unstructured threats that are only
executed with the intent of testing an attacker's skills can do serious damage to a network. For
example, if a company website is hacked, the reputation of the company may be damaged. Even
if the website is separated from the private information that sits behind a protective firewall, the
public does not know that. What the public perceives is that the site might not be a safe
environment to conduct business.
Structured Threats
• Structured threats come from individuals or groups that are more highly motivated and technically
competent. These people know system vulnerabilities and use sophisticated hacking techniques
to penetrate unsuspecting businesses. They break into business and government computers to
commit fraud, destroy or alter records, or simply to create havoc. These groups are often involved
with the major fraud and theft cases reported to law enforcement agencies. Their hacking is so
complex and sophisticated that only specially trained investigators understand what is happening.
• In 1995, Kevin Mitnick was convicted of accessing interstate computers in the United States for
criminal purposes. He broke into the California Department of Motor Vehicles database, routinely
took control of New York and California telephone switching hubs, and stole credit card numbers.
He inspired the 1983 movie "War Games."
External Threats
• External threats can arise from individuals or organizations working outside of a company who do not have authorized access to the computer systems or network. They work their way into a network mainly from the Internet or dialup access servers. External threats can vary in severity depending on the expertise of the attacker, either amateurish (unstructured) or expert (structured).
Internal Threats
• Internal threats occur when someone has authorized access to the network with either an account
or physical access. Just as for external threats, the severity of an internal threat depends on the
expertise of the attacker.
Network attacks
Types of Network Attacks
Access
• System access is the ability for an intruder to gain access to a device for which the intruder does
not have an account or a password. Entering or accessing systems usually involves running a
hack, script, or tool that exploits a known vulnerability of the system or application being
attacked.
Denial of Service
• Denial of service (DoS) is when an attacker disables or corrupts networks, systems, or services
with the intent to deny services to intended users. DoS attacks involve either crashing the system
or slowing it down to the point that it is unusable. But DoS can also be as simple as deleting or
corrupting information. In most cases, performing the attack involves simply running a hack or
script. For these reasons, DoS attacks are the most feared.
Network Reconnaissance Example
(Figure: a sample IP address query and a sample domain name query.)
Network Reconnaissance Mitigation
– Network reconnaissance cannot be prevented entirely.
– IDSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack (for example, ping sweeps and port scans) is under way.
Packet Sniffers
• A packet sniffer is a software application that uses a network adapter card in promiscuous
mode to capture all network packets. The following are the packet sniffer features:
– Packet sniffers exploit information passed in clear text. Protocols that pass information in the clear include the
following:
• Telnet
• FTP
• SNMP
• POP
– Packet sniffers must be on the same collision domain.
Packet Sniffer Mitigation
(Figure: Host A and Host B communicating through Router A and Router B.)
IP Spoofing Mitigation
• The threat of IP spoofing can be reduced, but not
eliminated, through the following measures:
– Access control—The most common method for preventing IP
spoofing is to properly configure access control.
DoS
DDoS Example
(Figure.)
DoS Mitigation
• The threat of DoS attacks can be reduced through the following three methods:
– Antispoof features—Proper configuration of antispoof features on your routers and firewalls
– Anti-DoS features—Proper configuration of anti-DoS features on routers and firewalls
– Traffic rate limiting—Implement traffic rate limiting with the network's ISP
Password Attacks
• Hackers can implement password attacks using several different methods:
– Brute-force attacks
– Dictionary attacks
– Trojan horse programs
– IP spoofing
– Packet sniffers
Password Attack Example
• L0phtCrack can take the hashes of passwords and generate the clear text passwords from them. Passwords are computed using two different methods:
– Dictionary cracking
– Brute-force computation
Password Attacks Mitigation
• The following are mitigation techniques:
– Do not allow users to use the same password on multiple systems.
– Disable accounts after a certain number of unsuccessful login attempts.
– Do not use plain text passwords. A cryptographic password is recommended.
– Use "strong" passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters.
Man-in-the-Middle Attacks
(Figure: Host A and Host B exchange data in clear text through Router A and Router B.)
Man-in-the-Middle Mitigation
(Figure: with an IPSec tunnel between Host A and Host B, a man-in-the-middle attack can only see cipher text.)
Application Layer Attacks
• Application layer attacks have the following characteristics:
– Exploit well-known weaknesses, such as protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP)
– Often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall)
– Can never be completely eliminated, because new vulnerabilities are always being discovered
Application Layer Attacks Mitigation
• Some measures you can take to reduce your risks are as follows:
– Read operating system and network log files, or have them analyzed by log analysis applications.
– Subscribe to mailing lists that publicize vulnerabilities.
– Keep your operating system and applications current with the latest patches.
– IDSs can scan for known attacks, monitor and log attacks, and in some cases prevent attacks.
Vulnerabilities Exist at all OSI Layers
Mitigating Attacks with ACLs
Inbound on S0/0/0
R1(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)# access-list 150 deny ip host 255.255.255.255 any
Inbound on Fa0/1
R1(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any
Outbound on Fa0/0
R1(config)# access-list 180 permit udp any host 192.168.20.2 eq domain
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq smtp
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq ftp
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq telnet
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq 22
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq syslog
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq snmptrap
Inbound on S0/0/0
R1(config)# access-list 150 permit icmp any any echo-reply
R1(config)# access-list 150 permit icmp any any source-quench
R1(config)# access-list 150 permit icmp any any unreachable
R1(config)# access-list 150 deny icmp any any
R1(config)# access-list 150 permit ip any any
Inbound on Fa0/0
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any source-quench
R1(config)# access-list 105 deny icmp any any
R1(config)# access-list 105 permit ip any any
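As an added example (not part of the original slides), the following Python models how IOS evaluates the antispoof entries of ACL 150 above: wildcard-mask matching, top-down first match, and the implicit deny at the end of every ACL. The simplified parser handles only "ip" entries with any/host/wildcard addresses, and the sample source addresses are constructed.

```python
import ipaddress

# The page's antispoof ACL 150 (inbound on S0/0/0), in the order IOS evaluates it.
# IOS checks entries top-down, the first match wins, and anything unmatched
# falls through to the implicit "deny ip any any".
ACL_150 = [
    "deny ip 0.0.0.0 0.255.255.255 any",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 224.0.0.0 15.255.255.255 any",
    "deny ip host 255.255.255.255 any",
    "permit ip any any",
]

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard').
    Returns ((base, wildcard) as integers, number of tokens consumed)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), 1
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), 2
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wildcard), 2

def _matches(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; only the 0 bits must be equal."""
    base, wildcard = spec
    return (addr & ~wildcard & 0xFFFFFFFF) == (base & ~wildcard & 0xFFFFFFFF)

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for an IP packet with the given source and destination."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        tokens = ace.split()            # e.g. ["deny", "ip", "10.0.0.0", "0.255.255.255", "any"]
        action = tokens[0]
        src_spec, n = _parse_addr(tokens[2:])
        dst_spec, _ = _parse_addr(tokens[2 + n:])
        if _matches(s, src_spec) and _matches(d, dst_spec):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    # Constructed sample sources arriving on the WAN interface towards the 192.168.20.2 server.
    for src in ("10.1.2.3", "172.31.9.9", "239.1.1.1", "198.51.100.7"):
        print(src, "->", evaluate(ACL_150, src, "192.168.20.2"))
```

Private, loopback, multicast and broadcast sources are denied before the final permit is reached, which is why the order of these entries matters.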
Anatomy of a worm attack
• The enabling vulnerability: A worm installs itself by exploiting known vulnerabilities in systems, such as naive end users who open unverified executable attachments in e-mails.
• A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is a software application that runs a simple game on a workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every address in the user's address book. The other users receive the game and play it, thereby spreading the Trojan horse to the addresses in each address book.
General Mitigation techniques
Network Security Wheel
Step 1. Secure
• Secure the network by applying the security policy and implementing the following security solutions:
Threat defense
• Stateful inspection and packet filtering: Filter network traffic to allow only valid traffic and services. Stateful inspection refers to a firewall keeping information on the state of a connection in a state table so that it can recognize changes in the connection that could mean an attacker is attempting to hijack a session or otherwise manipulate a connection.
• Intrusion prevention systems: Deploy at the network and host level to actively stop malicious traffic.
• Vulnerability patching: Apply fixes or measures to stop the exploitation of known vulnerabilities.
• Disable unnecessary services: The fewer services that are enabled, the harder it is for attackers to gain access.
Secure connectivity
• VPNs: Encrypt network traffic to prevent unwanted disclosure to unauthorized or malicious individuals.
• Trust and identity: Implement tight constraints on trust levels within a network. For example, systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall.
• Authentication: Give access to authorized users only. One example of this is using one-time passwords.
• Policy enforcement: Ensure that users and end devices are in compliance with the corporate policy.
Step 2. Monitor
Step 3. Test
Step 4. Improve
Why Create a Security Policy?
– To create a baseline of your current security posture
– To set the framework for security implementation
– To define allowed and not allowed behaviors
– To help determine necessary tools and procedures
– To communicate consensus and define roles
– To define how to handle security incidents
Security policy in an organization
General security policies that an organization may invoke:
• Statement of authority and scope: Defines who in the organization sponsors the security policy, who is responsible for implementing it, and what areas are covered by the policy.
• Acceptable use policy (AUP): Defines the acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.
• Identification and authentication policy: Defines which technologies the company uses to ensure that only authorized personnel have access to its data.
• Internet access policy: Defines what the company will and will not tolerate with respect to the use of its Internet connectivity by employees and guests.
• Campus access policy: Defines acceptable use of campus technology resources by employees and guests.
• Remote access policy: Defines how remote users can use the remote access infrastructure of the company.
• Incident handling procedure: Specifies who will respond to security incidents, and how they are to be handled.
Additional policies
• Account access request policy: Formalizes the account and access request process within the organization. Users and system administrators who bypass the standard processes for account and access requests can expose the organization to legal action.
• Acquisition assessment policy: Defines the responsibilities regarding corporate acquisitions and defines the minimum requirements of an acquisition assessment that the information security group must complete.
• Audit policy: Defines audit policies to ensure the integrity of information and resources. This includes a process to investigate incidents, ensure conformance to security policies, and monitor user and system activity where appropriate.
• Information sensitivity policy: Defines the requirements for classifying and securing information in a manner appropriate to its sensitivity level.
• Password policy: Defines the standards for creating, protecting, and changing strong passwords.
• Risk assessment policy: Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the information infrastructure associated with conducting business.
• Global web server policy: Defines the standards required by all web hosts.
E-mail policies
• Automatically forwarded e-mail policy: Documents the policy restricting automatic e-mail forwarding to an external destination without prior approval from the appropriate manager or director.
• E-mail policy: Defines content standards to prevent tarnishing the public image of the organization.
• Spam policy: Defines how spam should be reported and treated.
Remote access policies
• Dial-in access policy: Defines the appropriate dial-in access and its use by authorized personnel.
• Remote access policy: Defines the standards for connecting to the organization's network from any host or network external to the organization.
• VPN security policy: Defines the requirements for VPN connections to the network of the organization.
Router security
• Physical security
• Update the router IOS whenever advisable
• Back up the router configuration and IOS
• Harden the router to eliminate the potential abuse of unused ports and services
AAA Model: Network Security Architecture
– Authentication
• Who are you?
• “I am user student and my password
validateme proves it.”
– Authorization
• What can you do? What can you access?
• “I can access host 2000_Server with
Telnet.”
– Accounting
• What did you do? How long did you do it?
How often did you do it?
• “I accessed host 2000_Server with Telnet
15 times.”
Authentication, Authorization and Accounting
Authentication is proving who you are before the identity management system can determine what you are authorized to do.