Network security – chapter 4

Network Security Terms
White hat – An individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed. White hats are ethically opposed to the abuse of computer systems. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them.

Hacker – A general term that has historically been used to describe a computer programming expert. More recently, this term is often used in a negative way to describe an individual who attempts to gain unauthorized access to network resources with malicious intent.

Black hat – Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat.

Cracker – A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.

Phreaker – An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long-distance calls.

Spammer – An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages.

Phisher – Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.

Network security overview (figure: mind map of the chapter)
– Vulnerability: technology, configuration, security policy
– Physical factors: hardware, environmental, electrical, maintenance
– Threat: network threats; unstructured and structured; external and internal
– Attack: reconnaissance (ping sweeps, port scans, packet sniffers, Internet information queries); access (password attack, trust exploitation, port redirection, man-in-the-middle attack); denial of service (ping of death, SYN flood, e-mail bombs, malicious applets, DDoS); malicious attack (worm, virus, trojan)

Three primary vulnerabilities or weaknesses:

1. Technological weaknesses
2. Configuration weaknesses
3. Security policy weaknesses

Four classes of physical threats are:

1. Hardware threats – Physical damage to servers, routers, switches, cabling plant, and workstations
2. Environmental threats – Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
3. Electrical threats – Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
4. Maintenance threats – Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling

Physical Mitigation

Hardware threat mitigation
• Lock the wiring closet and only allow access to authorized personnel. Block access through any dropped ceiling, raised floor, window, ductwork, or point of entry other than the secured access point. Use electronic access control, and log all entry attempts. Monitor facilities with security cameras.

Environmental threat mitigation
• Create a proper operating environment through temperature control, humidity control, positive air flow, remote environmental alarming, and recording and monitoring.

Electrical threat mitigation
• Limit electrical supply problems by installing UPS systems and generator sets, following a preventative maintenance plan, installing redundant power supplies, and performing remote alarming and monitoring.

Maintenance threat mitigation
• Use neat cable runs, label critical cables and components, use electrostatic discharge procedures, stock critical spares, and control access to console ports.

Network threats

Unstructured Threats
• Unstructured threats consist of mostly inexperienced individuals using easily available hacking tools, such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing an attacker's skills can do serious damage to a network. For example, if a company website is hacked, the reputation of the company may be damaged. Even if the website is separated from the private information that sits behind a protective firewall, the public does not know that. What the public perceives is that the site might not be a safe environment to conduct business.

Structured Threats
• Structured threats come from individuals or groups that are more highly motivated and technically competent. These people know system vulnerabilities and use sophisticated hacking techniques to penetrate unsuspecting businesses. They break into business and government computers to commit fraud, destroy or alter records, or simply to create havoc. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies. Their hacking is so complex and sophisticated that only specially trained investigators understand what is happening.
• In 1995, Kevin Mitnick was convicted of accessing interstate computers in the United States for criminal purposes. He broke into the California Department of Motor Vehicles database, routinely took control of New York and California telephone switching hubs, and stole credit card numbers. He inspired the 1983 movie "War Games."

External Threats
• External threats can arise from individuals or organizations working outside of a company who do not have authorized access to the computer systems or network. They work their way into a network mainly from the Internet or dialup access servers. External threats can vary in severity depending on the expertise of the attacker, either amateurish (unstructured) or expert (structured).

Internal Threats
• Internal threats occur when someone has authorized access to the network with either an account or physical access. Just as for external threats, the severity of an internal threat depends on the expertise of the attacker.

Network attacks

Types of Network Attacks

There are four primary classes of attacks.

Reconnaissance
• Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, it precedes another type of attack. Reconnaissance is similar to a thief casing a neighborhood for vulnerable homes to break into, such as an unoccupied residence, easy-to-open doors, or open windows.

Access
• System access is the ability for an intruder to gain access to a device for which the intruder does not have an account or a password. Entering or accessing systems usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.

Denial of Service
• Denial of service (DoS) is when an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users. DoS attacks involve either crashing the system or slowing it down to the point that it is unusable. But DoS can also be as simple as deleting or corrupting information. In most cases, performing the attack involves simply running a hack or script. For these reasons, DoS attacks are the most feared.

Malicious attack – Worms, Viruses, and Trojan Horses
• Malicious software can be inserted onto a host to damage or corrupt a system, replicate itself, or deny access to networks, systems, or services. Common names for this type of software are worms, viruses, and Trojan horses.

Network Reconnaissance Example (figure: a sample IP address query and a sample domain name query)

Network Reconnaissance Mitigation
– Network reconnaissance cannot be prevented entirely.
– IDSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack (for example, ping sweeps and port scans) is under way.

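As an added example (not part of the slides), the following Python script shows the kind of check a network- or host-level IDS performs to raise the notification described above: it reads constructed connection-log lines and flags a ping sweep (one source sending ICMP echo to many hosts) and a port scan (one source probing many ports on one host) inside a short time window. The log format, the window and the thresholds are assumptions.

```python
"""Flag ping sweeps and port scans in a connection log (added example, not from the slides)."""
from collections import defaultdict

# Constructed sample log: "<epoch seconds> <src> <dst> <proto> <dst port | icmp type>".
SAMPLE_LOG = """\
1000 203.0.113.9 192.168.1.1 icmp echo
1001 203.0.113.9 192.168.1.2 icmp echo
1002 203.0.113.9 192.168.1.3 icmp echo
1003 203.0.113.9 192.168.1.4 icmp echo
1004 203.0.113.9 192.168.1.5 icmp echo
1010 203.0.113.9 192.168.1.20 tcp 21
1010 203.0.113.9 192.168.1.20 tcp 22
1011 203.0.113.9 192.168.1.20 tcp 23
1011 203.0.113.9 192.168.1.20 tcp 25
1012 203.0.113.9 192.168.1.20 tcp 80
1012 203.0.113.9 192.168.1.20 tcp 443
1100 198.51.100.7 192.168.1.20 tcp 443
1101 198.51.100.7 192.168.1.20 tcp 80
"""

# Assumed thresholds: this many distinct targets inside WINDOW seconds counts as reconnaissance.
WINDOW = 60
SWEEP_HOSTS = 5   # one source sending ICMP echo to >= 5 distinct hosts
SCAN_PORTS = 6    # one source touching >= 6 distinct ports on one host


def parse_log(text):
    """Return (ts, src, dst, proto, info) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        ts, src, dst, proto, info = parts
        events.append((int(ts), src, dst, proto, info))
    return events


def _note(table, key, sub, ts):
    """Record the earliest timestamp at which `sub` was seen under `key`."""
    table[key][sub] = min(table[key].get(sub, ts), ts)


def _exceeds(first_seen, threshold):
    """True if at least `threshold` distinct targets were first seen inside one WINDOW."""
    t = sorted(first_seen.values())
    return any(t[i + threshold - 1] - t[i] <= WINDOW
               for i in range(len(t) - threshold + 1))


def detect_recon(events):
    """Return sorted alerts: ('ping-sweep', src) or ('port-scan', src, dst)."""
    ping_targets = defaultdict(dict)   # src -> {dst: first timestamp}
    port_targets = defaultdict(dict)   # (src, dst) -> {port: first timestamp}
    for ts, src, dst, proto, info in events:
        if proto == "icmp" and info == "echo":
            _note(ping_targets, src, dst, ts)
        elif proto in ("tcp", "udp"):
            _note(port_targets, (src, dst), info, ts)
    alerts = set()
    for src, seen in ping_targets.items():
        if _exceeds(seen, SWEEP_HOSTS):
            alerts.add(("ping-sweep", src))
    for (src, dst), seen in port_targets.items():
        if _exceeds(seen, SCAN_PORTS):
            alerts.add(("port-scan", src, dst))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_recon(parse_log(SAMPLE_LOG)):
        print("ALERT:", *alert)
```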
Packet Sniffers
(Figure: Host A and Host B exchanging traffic through Router A and Router B.)

• A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. The following are the packet sniffer features:
– Packet sniffers exploit information passed in clear text. Protocols that pass information in the clear include the following:
• Telnet
• FTP
• SNMP
• POP
– Packet sniffers must be on the same collision domain.

Packet Sniffer Mitigation
(Figure: Host A and Host B exchanging traffic through Router A and Router B.)

• The following techniques and tools can be used to mitigate sniffers:
– Authentication—Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers.
– Switched infrastructure—Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
– Antisniffer tools—Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
– Cryptography—The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant.

IP Spoofing
– IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
– Two general techniques are used during IP spoofing:
• A hacker uses an IP address that is within the range of trusted IP addresses.
• A hacker uses an authorized external IP address that is trusted.
– Uses for IP spoofing include the following:
• IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.
• If a hacker changes the routing tables to point to the spoofed IP address, the hacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.

IP Spoofing Mitigation
• The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
– Access control—The most common method for preventing IP spoofing is to properly configure access control.
– RFC 2827 filtering—You can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organization's own IP range.
– Additional authentication that does not use IP-based authentication—Examples of this include the following:
• Cryptographic (recommended)
• Strong, two-factor, one-time passwords

DoS

DDoS Example (figure)

DoS Mitigation
• The threat of DoS attacks can be reduced through the following three methods:
– Antispoof features—Proper configuration of antispoof features on your routers and firewalls
– Anti-DoS features—Proper configuration of anti-DoS features on routers and firewalls
– Traffic rate limiting—Implement traffic rate limiting with the network's ISP

Password Attacks
• Hackers can implement password attacks using several different methods:
– Brute-force attacks
– Dictionary attacks
– Trojan horse programs
– IP spoofing
– Packet sniffers

Password Attack Example
• L0phtCrack can take the hashes of passwords and generate the clear text passwords from them. Passwords are computed using two different methods:
– Dictionary cracking
– Brute force computation

Password Attacks Mitigation
• The following are mitigation techniques:
– Do not allow users to use the same password on multiple systems.
– Disable accounts after a certain number of unsuccessful login attempts.
– Do not use plain text passwords; a cryptographic password is recommended.
– Use "strong" passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters.

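The following Python module, added here as an example (not from the slides), implements three of the mitigations above for a single login service: the "strong password" rule exactly as the slide states it (at least eight characters with uppercase, lowercase, digits and special characters), salted hashing so that no plain-text password is stored, and disabling the account after a number of failed attempts. The lockout threshold, the PBKDF2 parameters and the in-memory user store are assumptions.

```python
"""Password policy, salted hashing and lockout (added example, not from the slides)."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8           # from the slide: at least eight characters
MAX_FAILURES = 5         # assumed lockout threshold
PBKDF2_ROUNDS = 100_000  # assumed work factor for PBKDF2-HMAC-SHA256


def is_strong(password):
    """Apply the slide's rule: length >= 8 and upper, lower, digit and special present."""
    has_classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= MIN_LENGTH and all(has_classes)


def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the plain-text password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginService:
    """Minimal user store: username -> {"salt", "digest", "failures", "locked"}."""

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        """Refuse weak passwords; store only the salt and the digest."""
        if not is_strong(password):
            raise ValueError("password does not meet the strength policy")
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "failures": 0, "locked": False}

    def login(self, username, password):
        """Return 'ok', 'locked' or 'bad'; disable the account after MAX_FAILURES bad tries."""
        user = self.users.get(username)
        if user is None:
            return "bad"             # same answer as a wrong password
        if user["locked"]:
            return "locked"
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["digest"]):
            user["failures"] = 0     # a successful login resets the counter
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked"] = True    # stays disabled until an administrator re-enables it
        return "bad"
```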
Man-in-the-Middle Attacks
(Figure: Host A and Host B exchanging data in clear text through Router A and Router B.)

– A man-in-the-middle attack requires that the hacker have access to network packets that come across a network.
– A man-in-the-middle attack is implemented using the following:
• Network packet sniffers
• Routing and transport protocols
– Possible man-in-the-middle attack uses include the following:
• Theft of information
• Hijacking of an ongoing session
• Traffic analysis
• DoS
• Corruption of transmitted data
• Introduction of new information into network sessions

Man-in-the-Middle Mitigation
(Figure: Host A and Host B connected through Router A, the ISP, and Router B over an IPSec tunnel; a man-in-the-middle attack can only see cipher text.)

• Man-in-the-middle attacks can be effectively mitigated only through the use of cryptography (encryption).

Application Layer Attacks
• Application layer attacks have the following characteristics:
– Exploit well-known weaknesses, such as protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP)
– Often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall)
– Can never be completely eliminated, because new vulnerabilities are always being discovered

Application Layer Attacks Mitigation
• Some measures you can take to reduce your risks are as follows:
– Read operating system and network log files, or have them analyzed by log analysis applications.
– Subscribe to mailing lists that publicize vulnerabilities.
– Keep your operating system and applications current with the latest patches.
– IDSs can scan for known attacks, monitor and log attacks, and in some cases, prevent attacks.

Vulnerabilities Exist at all OSI Layers (figure)

Mitigating Attacks with ACLs

© 2012 Cisco and/or its affiliates. All rights reserved.

• ACLs can be used to mitigate many network threats:
– IP address spoofing, inbound and outbound
– DoS TCP SYN attacks
– DoS smurf attacks

• ACLs can also filter the following traffic:


– ICMP messages, inbound and outbound
– traceroute

• Deny all IP packets containing the following IP addresses in their source field:
– Any local host addresses (127.0.0.0/8)
– Any reserved private addresses (RFC 1918)
– Any addresses in the IP multicast address range (224.0.0.0/4)

Inbound on S0/0/0
R1(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)# access-list 150 deny ip host 255.255.255.255 any


• Do not allow any outbound IP packets with a source address other than a valid IP address of the internal network.
– Create an ACL that permits only those packets that contain source addresses from inside the network and denies all others.

Inbound on Fa0/1
R1(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any

• DNS, SMTP, and FTP are common services that often must be
allowed through a firewall.

Outbound on Fa0/0
R1(config)# access-list 180 permit udp any host 192.168.20.2 eq domain
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq smtp
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq ftp
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq telnet
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq 22
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq syslog
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq snmptrap

• Hackers use ICMP packets for ping sweeps and DoS flood attacks, and use ICMP redirect messages to alter host routing tables.
– Both ICMP echo and redirect messages should be blocked inbound by the router.

• Several inbound ICMP messages are required for proper network operation:
– Echo reply - Allows internal users to ping external hosts.
– Source quench - Requests the sender to decrease the traffic rate.
– Unreachable - Unreachable messages are generated for packets that are administratively denied by an ACL.

Inbound on S0/0/0
R1(config)# access-list 150 permit icmp any any echo-reply
R1(config)# access-list 150 permit icmp any any source-quench
R1(config)# access-list 150 permit icmp any any unreachable
R1(config)# access-list 150 deny icmp any any
R1(config)# access-list 150 permit ip any any

• Several outbound ICMP messages are required for proper network operation:
– Echo - Allows users to ping external hosts.
– Parameter problem - Informs the host of packet header problems.
– Packet too big - Required for packet MTU discovery.
– Source quench - Throttles down traffic when necessary.

Inbound on Fa0/0
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any source-quench
R1(config)# access-list 105 deny icmp any any
R1(config)# access-list 105 permit ip any any
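As an added example (not the slides' own code), this Python script evaluates ACL statements written in the syntax shown in the preceding slides against sample packets, applying the first-match rule and the implicit deny that ends every Cisco ACL. It handles the any/host/wildcard address forms, ICMP message types and eq ports with the well-known names used above; the order in which the anti-spoofing and ICMP entries of ACL 150 are combined into one list, and the sample packets, are assumptions.

```python
"""Cisco-style extended ACL evaluator: first match wins, implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass

# ACL 150 as the slides show it for S0/0/0 inbound. The slides list the anti-spoofing
# entries and the ICMP entries on separate pages; combining them in this order is an assumption.
ACL_150 = """
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip host 255.255.255.255 any
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any source-quench
access-list 150 permit icmp any any unreachable
access-list 150 deny icmp any any
access-list 150 permit ip any any
"""

# Well-known port names used by the slides' ACL 180, mapped to port numbers.
PORT_NAMES = {"domain": 53, "smtp": 25, "ftp": 21, "telnet": 23, "syslog": 514, "snmptrap": 162}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "icmp", "tcp" or "udp"
    icmp_type: str = ""     # e.g. "echo", "echo-reply"
    dport: int = 0


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((base, mask), next_i)."""
    if tokens[i] == "any":
        return (0, 0), i + 1                      # mask 0: every address matches
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF                 # wildcard bit 1 = don't care, 0 = must match
    return (base & mask, mask), i + 2


def _matches(spec, addr):
    base, mask = spec
    return int(ipaddress.IPv4Address(addr)) & mask == base


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [icmp-type | eq PORT]' lines into tuples."""
    entries = []                                  # (action, proto, src, dst, icmp_type, port)
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue                              # blank line, comment or unrelated command
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        rest, icmp_type, port = t[i:], "", None
        if proto == "icmp" and rest:
            icmp_type = rest[0]
        elif proto in ("tcp", "udp") and len(rest) == 2 and rest[0] == "eq":
            port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        entries.append((action, proto, src, dst, icmp_type, port))
    return entries


def evaluate(entries, pkt):
    """Return (action, 1-based line of the matching entry); ('deny', 0) is the implicit deny."""
    for n, (action, proto, src, dst, icmp_type, port) in enumerate(entries, 1):
        if proto != "ip" and proto != pkt.proto:  # "ip" covers every protocol
            continue
        if not (_matches(src, pkt.src) and _matches(dst, pkt.dst)):
            continue
        if icmp_type and icmp_type != pkt.icmp_type:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action, n
    return "deny", 0
```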

Malicious Code Attacks
• A worm executes code and installs copies of itself in the memory of the infected computer, which can, in turn, infect other hosts.
• A virus is malicious software that is attached to another program for the purpose of executing a particular unwanted function on a workstation.
• A Trojan horse is different from a worm or virus only in that the entire application was written to look like something else, when in fact it is an attack tool.

Anatomy of a worm attack
• The enabling vulnerability – A worm installs itself by exploiting known vulnerabilities in systems, such as naive end users who open unverified executable attachments in e-mails.
• Propagation mechanism – After gaining access to a host, a worm copies itself to that host and then selects new targets.
• Payload – Once a host is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator.
• Worms are self-contained programs that attack a system and try to exploit a specific vulnerability in the target. Upon successful exploitation of the vulnerability, the worm copies its program from the attacking host to the newly exploited system to begin the cycle again.

Virus & Trojan
• A virus is malicious software that is attached to another program to execute a particular unwanted function on a workstation. An example is a program that is attached to command.com (the primary interpreter for Windows systems) and deletes certain files and infects any other versions of command.com that it can find.
• A virus normally requires a delivery mechanism (a vector), such as a zip file or some other executable file attached to an e-mail, to carry the virus code from one system to another. The key element that distinguishes a computer worm from a computer virus is that human interaction is required to facilitate the spread of a virus.
• A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is a software application that runs a simple game on a workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every address in the user's address book. The other users receive the game and play it, thereby spreading the Trojan horse to the addresses in each address book.

General Mitigation techniques

Network Security Wheel (figure)

Step 1. Secure

• Secure the network by applying the security policy and implementing the following security solutions:
Threat defense
• Stateful inspection and packet filtering – Filter network traffic to allow only valid traffic and services. Stateful inspection refers to a firewall keeping information on the state of a connection in a state table so that it can recognize changes in the connection that could mean an attacker is attempting to hijack a session or otherwise manipulate a connection.
• Intrusion prevention systems – Deploy at the network and host level to actively stop malicious traffic.
• Vulnerability patching – Apply fixes or measures to stop the exploitation of known vulnerabilities.
• Disable unnecessary services – The fewer services that are enabled, the harder it is for attackers to gain access.
Secure connectivity
• VPNs – Encrypt network traffic to prevent unwanted disclosure to unauthorized or malicious individuals.
• Trust and identity – Implement tight constraints on trust levels within a network. For example, systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall.
• Authentication – Give access to authorized users only. One example of this is using one-time passwords.
• Policy enforcement – Ensure that users and end devices are in compliance with the corporate policy.

Step 2. Monitor

• Monitoring security involves both active and passive methods of detecting security violations. The most commonly used active method is to audit host-level log files. Most operating systems include auditing functionality. System administrators must enable the audit system for every host on the network and take the time to check and interpret the log file entries.
• Passive methods include using IDS devices to automatically detect intrusion. This method requires less attention from network security administrators than active methods. These systems can detect security violations in real time and can be configured to automatically respond before an intruder does any damage.
• An added benefit of network monitoring is the verification that the security measures implemented in step 1 of the Security Wheel have been configured and are working properly.

Step 3. Test

• The security measures are proactively tested. Specifically, the functionality of the security solutions implemented in step 1 and the system auditing and intrusion detection methods implemented in step 2 are verified. Vulnerability assessment tools such as SATAN, Nessus, or Nmap are useful for periodically testing the network security measures at the network and host level.

Step 4. Improve

• The improvement phase of the Security Wheel involves analyzing the data collected during the monitoring and testing phases. This analysis contributes to developing and implementing improvement mechanisms that augment the security policy and results in adding items to step 1. To keep a network as secure as possible, the cycle of the Security Wheel must be continually repeated, because new network vulnerabilities and risks are emerging every day.
• With the information collected from the monitoring and testing phases, IDSs can be used to implement improvements to the security. The security policy should be adjusted as new security vulnerabilities and risks are discovered.

Why Create a Security Policy?
– To create a baseline of your current security posture
– To set the framework for security implementation
– To define allowed and not allowed behaviors
– To help determine necessary tools and procedures
– To communicate consensus and define roles
– To define how to handle security incidents

Security policy in an organization

General security policies that an organization may invoke:
• Statement of authority and scope – Defines who in the organization sponsors the security policy, who is responsible for implementing it, and what areas are covered by the policy.
• Acceptable use policy (AUP) – Defines the acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.
• Identification and authentication policy – Defines which technologies the company uses to ensure that only authorized personnel have access to its data.
• Internet access policy – Defines what the company will and will not tolerate with respect to the use of its Internet connectivity by employees and guests.
• Campus access policy – Defines acceptable use of campus technology resources by employees and guests.
• Remote access policy – Defines how remote users can use the remote access infrastructure of the company.
• Incident handling procedure – Specifies who will respond to security incidents, and how they are to be handled.

Additional policies
• Account access request policy – Formalizes the account and access request process within the organization. Users and system administrators bypassing the standard processes for account and access requests can lead to legal action against the organization.
• Acquisition assessment policy – Defines the responsibilities regarding corporate acquisitions and defines the minimum requirements of an acquisition assessment that the information security group must complete.
• Audit policy – Defines audit policies to ensure the integrity of information and resources. This includes a process to investigate incidents, ensure conformance to security policies, and monitor user and system activity where appropriate.
• Information sensitivity policy – Defines the requirements for classifying and securing information in a manner appropriate to its sensitivity level.
• Password policy – Defines the standards for creating, protecting, and changing strong passwords.
• Risk assessment policy – Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the information infrastructure associated with conducting business.
• Global web server policy – Defines the standards required by all web hosts.

E-mail policies
• Automatically forwarded e-mail policy – Documents the policy restricting automatic e-mail forwarding to an external destination without prior approval from the appropriate manager or director.
• E-mail policy – Defines content standards to prevent tarnishing the public image of the organization.
• Spam policy – Defines how spam should be reported and treated.

Remote access policies
• Dial-in access policy – Defines the appropriate dial-in access and its use by authorized personnel.
• Remote access policy – Defines the standards for connecting to the organization network from any host or network external to the organization.
• VPN security policy – Defines the requirements for VPN connections to the network of the organization.

Router security

• Physical security
• Update the router IOS whenever advisable
• Back up the router configuration and IOS
• Harden the router to eliminate the potential abuse of unused ports and services

AAA Model—Network Security Architecture

– Authentication
• Who are you?
• "I am user student and my password validateme proves it."
– Authorization
• What can you do? What can you access?
• "I can access host 2000_Server with Telnet."
– Accounting
• What did you do? How long did you do it? How often did you do it?
• "I accessed host 2000_Server with Telnet 15 times."

Authentication, Authorization and Accounting
Authentication is proving who you are before the identity management system can determine what you are authorized to do.

Authorization is the process an identity management system uses to determine what a user is allowed to do.

Accounting is the process of keeping track of the changes a user implemented in a computing system.