Modern Network Security Threats
CCNA Security
Presentation_ID
Cisco Confidential
Chapter 1: Objectives
In this chapter you will:
Describe the various drivers for network security technologies and applications.
Describe the techniques used to mitigate viruses, worms, and Trojan Horses.
Describe the techniques used to mitigate reconnaissance attacks, access attacks, and DoS attacks.
Explain how to secure the three functional areas of Cisco routers and switches.
1.1 Fundamentals of a Secure Network
Threats to Networks
Network attack vectors include:
External threats
Internal threats
The Hacker
Defining the word Hacker
General term that has historically been used to describe a computer programming expert.
Internet programmers who try to gain unauthorized access to devices on the Internet.
Individuals who run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers.
Black hat
Term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use.
Hacker
General term that has historically been used to describe a computer programming expert.
Cracker
Term that describes someone who attempts to gain unauthorized access with malicious intent.
Hacker Titles
Phreaker
An individual who manipulates the phone network to cause it to perform a function that is normally not allowed, such as making free long-distance calls.
Captain Crunch (John Draper)
Spammer
An individual who sends large quantities of unsolicited email messages.
Spammers often use viruses to take control of home computers to send out their bulk messages.
Phisher
An individual who uses email or other means in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords.
Evolution of Hacking
1960s Phone phreaks
1980s Wardialing
1988 First Internet worm
1993 First Def Con hacking conference
1995 First 5-year federal prison sentence for hacking
1995 Kevin Mitnick sentenced to 4 years in prison for hacking credit card accounts
1995 SATAN released
1997 Nmap released
1997 First malicious scripts, used by less educated hackers (script kiddies)
1998 Wardriving
2002 Melissa virus creator gets 20 months in jail
2006 Vishing, smishing
2009 First malicious iPhone worm
2011 Script kiddies hacked NBC News Twitter account posting fake updates
Security Policy
One of the most important domains is the security policy domain.
A security policy is a formal statement of the rules by which people who are given access to the technology and information assets of an organization must abide.
Viruses
A computer virus is a malicious computer program (executable file) that can copy itself and infect a computer without the permission or knowledge of the user.
A virus can only spread from one computer to another by:
Sending it over a network as a file or as an email payload.
Carrying it on a removable medium.
Worms
Worm Characteristics
Worms are a particularly dangerous type of hostile code.
They replicate themselves by independently exploiting vulnerabilities in networks.
Worms usually slow down networks.
Worms
Worm Components
Enabling vulnerability
Propagation mechanism
Payload
When a device is infected with a worm, the attacker has access to the host, often as a privileged user.
Attackers could use a local exploit to escalate their privilege level to administrator.
Trojan Horses
Buffer Overflows
Buffer - An allocated area of memory used by processes to store data temporarily.
Buffer overflow - Occurs when a process attempts to store more data in a fixed-length buffer than it can hold. The extra data overwrites adjacent memory locations, which can corrupt data, crash the process, or, when the overwritten memory holds a return address or function pointer, let an attacker redirect execution. Historically, a majority of the software vulnerabilities discovered have been buffer overflows, and they are a primary conduit through which viruses, worms, and Trojan horses do their damage.
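The vulnerable pattern and its bounds-checked form side by side, as an added example in C that is not code from the original slides. The `struct login` layout (a 16-byte name followed by a privilege flag), the function names and the constructed input are assumptions made for illustration; the point is that the only difference between the two copies is a length check performed before the first byte is written.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record: a fixed 16-byte username followed by a privilege
 * flag. On common compilers is_admin sits right after name[] with no
 * padding, so bytes that spill out of name[] land in the flag. */
struct login {
    char name[16];
    int  is_admin;
};

/* BEFORE: copies until the terminating NUL with no regard for the 16-byte
 * capacity of l->name. A longer name writes past the buffer into is_admin
 * and whatever follows it. Kept only as the vulnerable pattern. */
void set_name_unchecked(struct login *l, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        l->name[i] = src[i];      /* no bound on i: this is the overflow */
        i++;
    }
    l->name[i] = '\0';
}

/* AFTER: measure the input against the buffer first and refuse anything
 * that does not fit together with its terminator. Returns 0 on success,
 * -1 if the input was rejected (the record is left untouched). */
int set_name_checked(struct login *l, const char *src)
{
    const size_t cap = sizeof l->name;
    size_t n = 0;
    while (n < cap && src[n] != '\0')
        n++;
    if (n == cap)
        return -1;                /* too long: would overflow, refuse */
    memcpy(l->name, src, n);
    l->name[n] = '\0';
    return 0;
}

int main(void)
{
    struct login l;
    char attacker_input[20];

    /* Constructed over-long input: 19 'A's plus the NUL, four bytes more
     * than name[] can hold, so the spill stays inside the struct. */
    memset(attacker_input, 'A', sizeof attacker_input - 1);
    attacker_input[sizeof attacker_input - 1] = '\0';

    memset(&l, 0, sizeof l);
    set_name_unchecked(&l, attacker_input);
    /* Undefined behaviour; on a typical little-endian build the spilled
     * bytes land in is_admin, which reads back as 0x414141 instead of 0. */
    printf("unchecked: is_admin = 0x%x\n", (unsigned)l.is_admin);

    memset(&l, 0, sizeof l);
    if (set_name_checked(&l, attacker_input) < 0)
        printf("checked: input rejected, is_admin = %d\n", l.is_admin);
    return 0;
}
```

Compiler hardening (stack protectors, `_FORTIFY_SOURCE`) and ASLR make such an overflow harder to exploit but do not remove it; only the bound check in `set_name_checked` does, and it has to reject the 16-character input as well, because the terminator needs its own byte.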
Antivirus Software
Worm Mitigation
Worm attack mitigation requires diligence on the part of system and network administration staff.
There is a four-phase process for mitigating an active worm attack: containment, inoculation, quarantine, and treatment.
Inoculation Phase
Runs parallel to or subsequent to the containment phase.
All uninfected systems are patched with the appropriate vendor patch for the vulnerability.
The inoculation process further deprives the worm of any available targets.
Treatment Phase
Attack Methodologies
Types of Attacks
There are four categories of attacks: reconnaissance attacks, access attacks, DoS attacks, and malicious code (viruses, worms, and Trojan horses).
Attack Methodologies
Reconnaissance Attacks
Reconnaissance attacks gather information about a target network before an actual attack is launched, using:
Ping sweeps
Port scans
Packet sniffers
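What a detector for the first two techniques looks like, as an added example in C that is not from the original slides. It runs the counting logic over constructed connection records of the kind a firewall log or NetFlow export would provide (the `struct attempt` layout, the addresses and the thresholds are assumptions): a source that touches many distinct ports on one host is flagged as a port scan, a source that sends ICMP echo requests to many distinct hosts as a ping sweep. Packet sniffing is passive and leaves no such trace, which is why it is not covered here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One connection attempt as a firewall log or NetFlow record would show
 * it (hypothetical layout). dport is 0 for ICMP. */
struct attempt {
    const char *src;
    const char *dst;
    int dport;       /* TCP/UDP destination port, 0 for ICMP */
    int icmp_echo;   /* 1 if this was an ICMP echo request */
};

/* Constructed sample records, not real traffic: 10.0.0.5 probes 12 ports
 * on one host (port scan), 10.0.0.7 pings 6 different hosts (ping sweep),
 * 10.0.0.9 makes ordinary connections. */
static const struct attempt SAMPLE[] = {
    {"10.0.0.5", "10.0.1.10", 21, 0},  {"10.0.0.5", "10.0.1.10", 22, 0},
    {"10.0.0.5", "10.0.1.10", 23, 0},  {"10.0.0.5", "10.0.1.10", 25, 0},
    {"10.0.0.5", "10.0.1.10", 53, 0},  {"10.0.0.5", "10.0.1.10", 80, 0},
    {"10.0.0.5", "10.0.1.10", 110, 0}, {"10.0.0.5", "10.0.1.10", 139, 0},
    {"10.0.0.5", "10.0.1.10", 143, 0}, {"10.0.0.5", "10.0.1.10", 443, 0},
    {"10.0.0.5", "10.0.1.10", 445, 0}, {"10.0.0.5", "10.0.1.10", 3389, 0},
    {"10.0.0.7", "10.0.1.10", 0, 1},   {"10.0.0.7", "10.0.1.11", 0, 1},
    {"10.0.0.7", "10.0.1.12", 0, 1},   {"10.0.0.7", "10.0.1.13", 0, 1},
    {"10.0.0.7", "10.0.1.14", 0, 1},   {"10.0.0.7", "10.0.1.15", 0, 1},
    {"10.0.0.9", "10.0.1.10", 443, 0}, {"10.0.0.9", "10.0.1.10", 443, 0},
    {"10.0.0.9", "10.0.1.11", 22, 0},
};
static const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];

/* Distinct TCP/UDP destination ports that src tried on dst. A port scan
 * shows up as a large count against a single host; a bitmap keeps the
 * count exact without any per-record allocation. */
int distinct_ports(const struct attempt *a, size_t n,
                   const char *src, const char *dst)
{
    unsigned char seen[65536 / 8] = {0};   /* one bit per port number */
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (a[i].icmp_echo || strcmp(a[i].src, src) != 0 ||
            strcmp(a[i].dst, dst) != 0)
            continue;
        int p = a[i].dport;
        if (p < 0 || p > 65535)
            continue;
        unsigned char bit = (unsigned char)(1u << (p % 8));
        if (!(seen[p / 8] & bit)) {
            seen[p / 8] |= bit;
            count++;
        }
    }
    return count;
}

/* Distinct hosts to which src sent ICMP echo requests: the signature of
 * a ping sweep. Linear search is fine for a sample; a real tool hashes. */
int distinct_echo_targets(const struct attempt *a, size_t n, const char *src)
{
    const char *hosts[256];
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!a[i].icmp_echo || strcmp(a[i].src, src) != 0)
            continue;
        int dup = 0;
        for (int j = 0; j < count && !dup; j++)
            dup = strcmp(hosts[j], a[i].dst) == 0;
        if (!dup && count < 256)
            hosts[count++] = a[i].dst;
    }
    return count;
}

/* Verdicts: 1 if the count reaches the threshold, else 0. */
int is_port_scan(const struct attempt *a, size_t n,
                 const char *src, const char *dst, int threshold)
{
    return distinct_ports(a, n, src, dst) >= threshold;
}

int is_ping_sweep(const struct attempt *a, size_t n, const char *src, int threshold)
{
    return distinct_echo_targets(a, n, src) >= threshold;
}

int main(void)
{
    const char *sources[] = {"10.0.0.5", "10.0.0.7", "10.0.0.9"};
    for (size_t s = 0; s < 3; s++)
        printf("%s: ports on 10.0.1.10 = %d (scan=%d), echo targets = %d (sweep=%d)\n",
               sources[s],
               distinct_ports(SAMPLE, SAMPLE_N, sources[s], "10.0.1.10"),
               is_port_scan(SAMPLE, SAMPLE_N, sources[s], "10.0.1.10", 10),
               distinct_echo_targets(SAMPLE, SAMPLE_N, sources[s]),
               is_ping_sweep(SAMPLE, SAMPLE_N, sources[s], 5));
    return 0;
}
```

In production the counts would be kept per source over a sliding time window, and the thresholds tuned so that a monitoring host that legitimately pings every server does not trip the ping-sweep rule; the distinct-count logic stays the same.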
Attack Methodologies
Packet Sniffer
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
Packet sniffers can only capture traffic in the same collision domain as the sniffing host. On a switched network that is normally just the traffic to and from the attacker's own switch port, unless the attacker uses a SPAN (mirror) port or an ARP-spoofing attack to pull other hosts' traffic their way.
Promiscuous mode is a mode in which the network adapter card sends all packets that are received on the physical network wire to an application for processing, rather than only those addressed to the card itself.
Wireshark is an example of a packet sniffer.
Attack Methodologies
Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information, for these reasons:
Retrieve data
Gain access
Escalate their access privileges
Types of Attacks
Password Attacks
Hackers implement password attacks using the following:
IP spoofing
Packet sniffers
Manipulating users
Types of Attacks
Trust Exploitation
Trust exploitation refers to an individual taking advantage of a trust relationship within a network.
An example of when trust exploitation takes place is when a perimeter network is connected to a corporate network: an attacker who compromises one host on the perimeter segment can use the trust that internal systems place in that host to reach the corporate network.
Types of Attacks
Trust Exploitation
A hacker leverages existing trust relationships.
Several trust models exist:
Windows: Domains, Active Directory
Linux and UNIX: NIS, NIS+
Types of Attacks
Port Redirection
A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise have been dropped.
Port redirection bypasses the firewall rule sets by relaying the traffic through a host and port that the firewall already permits, so the connection appears to originate from the trusted host.
You can mitigate port redirection by using proper trust models that are network-specific.
Assuming a system is under attack, a host-based IPS can help detect an attacker and prevent installation of port redirection utilities on the host.
Types of Attacks
An attacker positioned between two communicating hosts (a man-in-the-middle) can carry out:
Theft of information
Hijacking of an ongoing session to gain access to your internal network resources
Traffic analysis to obtain information about your network and network users
DoS
Corruption of transmitted data
Introduction of new information into network sessions
DoS Attacks
DoS Attack
A DoS attack is a network attack that results in some sort of interruption of service to users, devices, or applications.
There are two major reasons a DoS attack occurs:
A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.
A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.
DoS Attacks
Ping of Death
Legacy attack that sent an ICMP echo request whose reassembled size exceeded the maximum IP packet size of 65,535 bytes. Because no single IP datagram can be that large, the oversized ping is delivered as fragments; when the target reassembles them, the data overruns the reassembly buffer and can crash the host.
A variant of this attack crashes a system by flooding it with ICMP fragments, which fills the reassembly buffers of the target.
DoS Attacks
Smurf Attack
A Smurf attack is a DDoS attack in which large numbers of ICMP echo requests with the intended victim's spoofed source IP are sent to a network's directed broadcast address.
Every host on that network that answers sends its echo reply to the victim, so each request the attacker sends is amplified by the number of responding hosts. The attack sends a large number of ICMP requests to directed broadcast addresses, all with the victim's address as the spoofed source.
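The two header-level checks a practitioner would put in front of a reassembly engine or a border filter, covering both the Ping of Death and the Smurf passages above. This is an added example in C, not code from the original slides, run over constructed packets: the `struct ipv4_hdr` fields, the function names, the addresses and the 192.168.1.0/24 subnet are assumptions. The Ping of Death check is decided per fragment (offset times 8 plus payload length must stay within 65,535 bytes), so an oversized fragment never reaches the reassembly buffer; the Smurf check recognises an ICMP echo request aimed at a subnet's directed broadcast address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields pulled out of an IPv4 header (hypothetical struct for this example). */
struct ipv4_hdr {
    size_t   hlen;           /* header length in bytes */
    uint16_t total_len;      /* header + payload, as claimed by the packet */
    uint16_t frag_offset;    /* in 8-byte units */
    uint8_t  proto;          /* 1 = ICMP */
    uint32_t dst;
    const unsigned char *payload;
    size_t   payload_len;
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const unsigned char *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parse the fixed IPv4 fields: 0 on success, -1 if malformed or truncated. */
int parse_ipv4(const unsigned char *pkt, size_t len, struct ipv4_hdr *h)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    h->hlen = (size_t)(pkt[0] & 0x0f) * 4;
    h->total_len = rd16(pkt + 2);
    if (h->hlen < 20 || h->total_len < h->hlen || h->total_len > len)
        return -1;
    h->frag_offset = rd16(pkt + 6) & 0x1fff;   /* low 13 bits; flags sit above */
    h->proto = pkt[9];
    h->dst = rd32(pkt + 16);
    h->payload = pkt + h->hlen;
    h->payload_len = h->total_len - h->hlen;
    return 0;
}

/* Ping of Death: this fragment would end beyond the 65,535-byte IP
 * maximum once reassembled, so drop it before reassembly sees it. */
int is_ping_of_death_fragment(const struct ipv4_hdr *h)
{
    return (uint32_t)h->frag_offset * 8 + (uint32_t)h->payload_len > 65535;
}

/* Smurf: an ICMP echo request (type 8) addressed to the directed broadcast
 * of net/mask; forwarding it turns every host on that subnet into a reflector. */
int is_smurf_request(const struct ipv4_hdr *h, uint32_t net, uint32_t mask)
{
    if (h->proto != 1 || h->frag_offset != 0 || h->payload_len < 1)
        return 0;
    return h->payload[0] == 8 && h->dst == ((net & mask) | ~mask);
}

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Build a minimal IPv4 datagram (constructed, not captured). The checksum
 * is left zero because the checks above never look at it. */
size_t build_ipv4(unsigned char *buf, uint16_t flags_frag, uint8_t proto,
                  uint32_t src, uint32_t dst, const unsigned char *payload, size_t plen)
{
    uint16_t total = (uint16_t)(20 + plen);
    memset(buf, 0, 20);
    buf[0] = 0x45;                                /* version 4, IHL 5 */
    buf[2] = (unsigned char)(total >> 8);      buf[3] = (unsigned char)total;
    buf[6] = (unsigned char)(flags_frag >> 8); buf[7] = (unsigned char)flags_frag;
    buf[8] = 64;                                  /* TTL */
    buf[9] = proto;
    for (int i = 0; i < 4; i++) {                 /* addresses, big-endian */
        buf[12 + i] = (unsigned char)(src >> (24 - 8 * i));
        buf[16 + i] = (unsigned char)(dst >> (24 - 8 * i));
    }
    memcpy(buf + 20, payload, plen);
    return 20 + plen;
}

/* Verdict helpers: 1 = flagged, 0 = clean, -1 = the packet did not parse. */
int check_fragment(uint16_t flags_frag, size_t plen)
{
    unsigned char payload[64] = {0}, pkt[128];
    struct ipv4_hdr h;
    size_t n = build_ipv4(pkt, flags_frag, 1, IP4(10,0,0,5), IP4(10,0,1,10), payload, plen);
    return parse_ipv4(pkt, n, &h) < 0 ? -1 : is_ping_of_death_fragment(&h);
}

int check_icmp_to(uint8_t icmp_type, uint32_t dst)
{
    unsigned char icmp[8] = {0}, pkt[64];
    struct ipv4_hdr h;
    icmp[0] = icmp_type;
    size_t n = build_ipv4(pkt, 0, 1, IP4(203,0,113,7), dst, icmp, sizeof icmp);
    return parse_ipv4(pkt, n, &h) < 0 ? -1 : is_smurf_request(&h, IP4(192,168,1,0), 0xffffff00u);
}

int main(void)
{
    /* Last fragment at offset 8189 (65,512 bytes in) carrying 48 more bytes. */
    printf("ping of death fragment = %d\n", check_fragment(0x1ffd, 48));
    /* Echo request to 192.168.1.255, the directed broadcast of 192.168.1.0/24. */
    printf("smurf request = %d\n", check_icmp_to(8, IP4(192,168,1,255)));
    return 0;
}
```

On Cisco IOS the Smurf half of this is handled by `no ip directed-broadcast` on every interface, the default since IOS 12.0, so the router never forwards the request onto the broadcast segment in the first place.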
10 Best Practices
1. Keep patches current by installing them weekly or daily, if
possible, to prevent buffer overflow and privilege escalation
attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs.
Control Plane
Management Plane
Data Plane
ACLs can be used to specify whether traffic from particular hosts, networks, or users may access the network, which also reduces the chance of a DoS attack.
Summary
Network security is now an integral part of computer networking.
Network security involves protocols, technologies, devices, tools, and techniques to secure data and mitigate threats.
Network security is largely driven by the effort to stay one step ahead of ill-intentioned hackers.
Network security organizations have been created to establish formal communities of network security professionals.
The complexity of network security makes it difficult to master all it encompasses.
Different organizations have created domains that subdivide the world of network security into more manageable pieces.
This division allows professionals to focus on more precise areas of expertise in their training, research, and employment.
Summary Cont.
Network security policies are created by companies and government organizations to provide a framework for employees to follow during their day-to-day work.
Network security professionals at the management level are responsible for creating and maintaining the network security policy.
Network attacks are classified so that it is easier to learn about them and address them appropriately.
Viruses, worms, and Trojan horses are specific types of network attacks. More generally, network attacks are classified as reconnaissance, access, or DoS attacks.
Mitigating network attacks is the job of a network security professional.