ccna security_chapter 1_modern network security threats.pdf

Chapter 1 – Modern Network Security Threats CCNA Security

Upload: blackcatnogo

Post on 15-Dec-2015

Page 1: CCNA Security_Chapter 1_Modern Network Security threats.pdf

Chapter 1 – Modern Network Security Threats

CCNA Security

Page 2

Objectives

Bach Khoa Information Technology Academy - Website: www.bkacad.com

Page 3

Fundamental Principles of a Secure Network

Page 4

Evolution of Network Security

• In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts.

• The Code Red worm caused a Denial of Service (DoS) to millions of users.

Page 5

Evolution of Network Security

• When the first viruses were unleashed and the first DoS attack occurred, the world began to change for networking professionals.

• To meet the needs of users, network professionals learned techniques to secure networks.

• Refer: 1.1.1.2

Page 6

Evolution of Network Security

Year           Security Technology
1984           First IDS for ARPAnet (SRI International IDES)
Late 1988      DEC Packet Filter Firewall
1989           AT&T Bell Labs Stateful Firewall
1991           DEC SEAL Application-Layer Firewall
1994           Check Point Firewall
1995           NetRanger IDS
August 1997    RealSecure IDS
1998           Snort IDS
Late 1999      First IPS
2006           Cisco Zone-based Policy Firewall

Page 7

Evolution of Network Security

• An IDS provides real-time detection of certain types of attacks while they are in progress.

• This detection allows network professionals to more quickly mitigate the negative impact of these attacks on network devices and users.

• In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution.

• IPS devices enable the detection of malicious activity and have the ability to automatically block the attack in real time.

• In addition to IDS and IPS solutions, firewalls were developed to prevent undesirable traffic from entering prescribed areas within a network, thereby providing perimeter security.

Page 8

Evolution of Network Security

Page 9

Evolution of Network Security

Evolution of LAN Security

Page 10

Evolution of Network Security

• Three components of information security: confidentiality, integrity, availability.

• Encrypting data: encryption provides confidentiality by hiding plaintext data.

• Data integrity: data is not changed from source to destination.

• Availability: data accessibility, guaranteed by network hardening mechanisms and backup systems.
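To make the distinction between confidentiality and integrity on this slide concrete, here is an added Python example; it is not code from the slides or from the Cisco course. It assumes a toy XOR stream cipher, constructed purely for illustration and standing in for a real cipher: a single bit flipped in the ciphertext decrypts without any error to a different plaintext, so encryption alone gives confidentiality but says nothing about integrity. Adding an HMAC-SHA256 tag (Python's standard `hmac` module) over the ciphertext makes the same tampering detectable. The keys and the message are constructed sample values.

```python
import hashlib
import hmac


# Toy stream cipher, constructed for this illustration only: XOR the data
# with a keystream derived from the key via SHA-256. It stands in for a real
# cipher and must not be used for anything but this demonstration.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_encrypt(key: bytes, data: bytes) -> bytes:
    # XOR is its own inverse, so the same function also decrypts.
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def integrity_tag(mac_key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 over the ciphertext (encrypt-then-MAC).
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    ciphertext = xor_encrypt(enc_key, plaintext)
    return ciphertext + integrity_tag(mac_key, ciphertext)


def unprotect(enc_key: bytes, mac_key: bytes, message: bytes):
    # Returns the plaintext, or None when the integrity check fails.
    ciphertext, tag = message[:-32], message[-32:]
    if not hmac.compare_digest(tag, integrity_tag(mac_key, ciphertext)):
        return None
    return xor_encrypt(enc_key, ciphertext)


def flip_bit(data: bytes, index: int) -> bytes:
    # Model an in-transit modification: flip the lowest bit of one byte.
    tampered = bytearray(data)
    tampered[index] ^= 0x01
    return bytes(tampered)


def demo():
    enc_key = b"constructed-encryption-key"   # sample key, constructed
    mac_key = b"constructed-mac-key"          # sample key, constructed
    amount = b"PAY 0100 USD"                   # sample message, constructed

    # Confidentiality only: flipping one ciphertext bit silently changes the
    # amount after decryption, because nothing checks integrity.
    ciphertext = xor_encrypt(enc_key, amount)
    tampered_plaintext = xor_encrypt(enc_key, flip_bit(ciphertext, 4))

    # Confidentiality plus integrity: the same modification is rejected.
    message = protect(enc_key, mac_key, amount)
    rejected = unprotect(enc_key, mac_key, flip_bit(message, 4))
    accepted = unprotect(enc_key, mac_key, message)
    return tampered_plaintext, rejected, accepted


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the modified ciphertext decrypting to `PAY 1100 USD` with no error, while the tagged message is rejected; `hmac.compare_digest` is used so the tag comparison does not leak timing information.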

Page 11

Evolution of Network Security

Evolution of Data Protection Technologies

Year    Security Technology
1993    Cisco GRE Tunnels
1996    Site-to-Site IPSec VPNs
1999    SSH
2000    MPLS VPNs
2001    Remote-access IPSec VPN
2002    Dynamic Multipoint VPN
2005    SSL VPN

Page 12

Drivers for Network Security

• The word hacker has a variety of meanings.

• For many, it means Internet programmers who try to gain unauthorized access to devices on the Internet.

• It is also used to refer to individuals that run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers.

• But for some, the term hacker has a positive interpretation as a network professional that uses sophisticated Internet programming skills to ensure that networks are not vulnerable to attack.

• Good or bad, hacking is a driving force in network security.

Page 13

Drivers for Network Security

• Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems.

• Wardialing programs automatically scanned telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines.

• When a phone number was found, password-cracking programs were used to gain access.

• Wardriving: users gain unauthorized access to networks via wireless access points.

• A number of other threats have evolved since the 1960s, including network scanning tools such as Nmap and SATAN, as well as remote system administration hacking tools such as Back Orifice.

Page 14

Drivers for Network Security

This virus resulted in memory overflows in Internet mail servers.

Page 15

Drivers for Network Security

Robert Morris created the first Internet worm with 99 lines of code.

Page 16

Drivers for Network Security

Page 17

Drivers for Network Security

Page 18

Drivers for Network Security

Page 19

Network Security Organizations

• SysAdmin, Audit, Network, Security (SANS) Institute

• Computer Emergency Response Team (CERT)

• International Information Systems Security Certification Consortium, (ISC)2 (pronounced "I-S-C-squared")

Network security professionals must collaborate with professional colleagues more frequently than most other professions.

Page 20

Network Security Organizations

• SANS was established in 1989 as a cooperative research and education organization.

• The focus of SANS is information security training and certification.

• SANS develops security courses that can be taken to prepare for Global Information Assurance Certification (GIAC) in auditing, management, operations, legal issues, security administration, and software security.

Page 21

Network Security Organizations

• CERT is part of the U.S. federally funded Software Engineering Institute (SEI) at Carnegie Mellon University.

• CERT is chartered to work with the Internet community in detecting and resolving computer security incidents.

• CERT responds to major security incidents and analyzes product vulnerabilities.

• CERT focuses on five areas: software assurance, secure systems, organizational security, coordinated response, and education and training.

Page 22

Network Security Organizations

• (ISC)2 provides vendor-neutral education products and career services in more than 135 countries.

• The mission of (ISC)2 is to make the cyber world a safe place through elevating information security to the public domain and supporting and developing information security professionals around the world.

• Detail: 1.1.3.4

Page 23

Network Security Organizations

• In addition to the websites of the various security organizations, one of the most useful tools for the network security professional is Really Simple Syndication (RSS) feeds.

• RSS is a family of XML-based formats used to publish frequently updated information, such as blog entries, news headlines, audio, and video.

• RSS uses a standardized format. An RSS feed includes complete or summarized text, plus metadata, such as publishing dates and authorship.

• By using RSS, a network security professional can acquire up-to-date information on a daily basis and aggregate real-time threat information for review at any time.

Page 24

Domains of Network Security

Refer: 1.1.4.1

Page 25

Domains of Network Security

Page 26

Domains of Network Security

The 12 domains of network security provide a convenient separation for the elements of network security.

One of the most important domains is security policy.

A security policy is a formal statement of the rules by which people who are given access to the technology and information assets of an organization must abide.

Page 27

Network Security Policies

The policy is used to aid in network design, convey security principles, and facilitate network deployments.

The network security policy outlines rules for network access, determines how policies are enforced, and describes the basic architecture of the organization's network security environment.

Page 28

Network Security Policies

A Cisco Self-Defending Network (SDN) uses the network to identify, prevent, and adapt to threats.

Unlike point-solution strategies, where products are purchased individually without consideration for which products work best together, a network-based approach is a strategic approach that meets the current challenges and evolves to address new security needs.

A Cisco SDN begins with a strong, secure, flexible network platform from which a security solution is built.

Page 29

Network Security Policies

Refer: 1.1.5.2

Page 30

Network Security Policies

Detail: 1.1.5.3

Page 31

Network Security Policies

Page 32

Viruses, Worms, and Trojan Horses

Page 33

Viruses

• A virus is malicious software which attaches to another program to execute a specific unwanted function on a computer.

• A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.

• A Trojan Horse is an application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within.

• Refer: 1.2.1.1

Page 34

Viruses

• The term virus refers to an infectious organism that requires a host cell to grow and replicate.

Page 35

Viruses

• A virus is malicious code that is attached to legitimate programs or executable files.

• Most viruses require end-user activation and can lie dormant for an extended period and then activate at a specific time or date.

• When activated, the virus might check the disk for other executables, so that it can infect all the files it has not yet infected.

• Today, most viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email. Email viruses are now the most common type of virus.

Page 36

Worms

• Worms are a particularly dangerous type of hostile code.

• They replicate themselves by independently exploiting vulnerabilities in networks.

• Worms usually slow down networks.

• Worms are responsible for some of the most devastating attacks on the Internet.

Page 37

Worms

• Most worm attacks have three major components:

– Enabling vulnerability - A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system.

– Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.

– Payload - Any malicious code that results in some action. Most often this is used to create a backdoor to the infected host.

• Worms are self-contained programs that attack a system to exploit a known vulnerability.

• Refer: 1.2.2.2

Page 38

Worms

• There are five basic phases of attack, regardless of whether a worm or virus is deployed.

Page 39

Trojan Horses

• A Trojan Horse in the world of computing is malware that carries out malicious operations under the guise of a desired function.

• A virus or worm could carry a Trojan Horse.

• A Trojan Horse contains hidden, malicious code that exploits the privileges of the user that runs it.

• The Trojan Horse concept is flexible.

• It can cause immediate damage, provide remote access to the system (a back door), or perform actions as instructed remotely, such as "send me the password file once per week."

Page 40

Trojan Horses

• Trojan Horses are usually classified according to the damage that they cause or the manner in which they breach a system:

– Remote-access Trojan Horse (enables unauthorized remote access)

– Data-sending Trojan Horse (provides the attacker with sensitive data such as passwords)

– Destructive Trojan Horse (corrupts or deletes files)

– Proxy Trojan Horse (user's computer functions as a proxy server)

– FTP Trojan Horse (opens port 21)

– Security software disabler Trojan Horse (stops anti-virus programs or firewalls from functioning)

– Denial of Service Trojan Horse (slows or halts network activity)

Page 41

Mitigating Viruses, Worms, Trojan Horses

• A majority of the software vulnerabilities that are discovered relate to buffer overflows.

• A buffer is an allocated area of memory used by processes to store data temporarily.

Page 42

Mitigating Viruses, Worms, Trojan Horses

Mitigating Viruses and Trojan Horses

• The primary means of mitigating virus and Trojan Horse attacks is anti-virus software.

• Anti-virus products are host-based.

• These products are installed on computers and servers to detect and eliminate viruses.

Page 43

Mitigating Viruses, Worms, Trojan Horses

Mitigating Worms

• The containment phase involves limiting the spread of a worm infection to areas of the network that are already affected.

• The inoculation phase runs parallel to or subsequent to the containment phase.

• The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them.

• During the treatment phase, actively infected systems are disinfected of the worm.

Page 44

Mitigating Viruses, Worms, Trojan Horses

• In the case of the SQL Slammer worm, malicious traffic was detected on UDP port 1434.

• This port should normally be blocked by a firewall on the perimeter.

• Some organizations could not block UDP port 1434 because it was required to access the SQL Server for legitimate business transactions.

Page 45

Mitigating Viruses, Worms, Trojan Horses

• Cisco Security Agent (CSA) is a host-based intrusion prevention system that can be integrated with anti-virus software from various vendors.

• Another solution for mitigating threats is Cisco Network Admission Control (NAC).

• Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring for network security devices and host applications created by Cisco and other providers.

Page 46

Attack Methodologies

Page 47

Types of Attacks

• There are many different types of network attacks other than viruses, worms, and Trojan Horses:

• Refer: 1.3.1.1

• Reconnaissance Attacks

– Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities.

– Reconnaissance is analogous to a thief surveying a neighborhood for vulnerable homes to break into, such as an unoccupied residence or a house with an easy-to-open door or window.

• Access Attacks

– Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

• Denial of Service Attacks

– Denial of service attacks send extremely large numbers of requests over a network or the Internet.

Page 48

Reconnaissance Attacks

• Reconnaissance is also known as information gathering and, in most cases, precedes an access or DoS attack.

• In a reconnaissance attack, the malicious intruder typically begins by conducting a ping sweep of the target network to determine which IP addresses are active.

• Reconnaissance attacks use various tools to gain access to a network:

– Packet sniffers

– Ping sweeps

– Port scans

– Internet information queries

Refer: 1.3.1.2

Page 49

Reconnaissance Attacks

• A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.

• Packet sniffers can only work in the same collision domain as the network being attacked, unless the attacker has access to the intermediary switches.

• Numerous freeware and shareware packet sniffers, such as Wireshark, are available and do not require the user to understand anything about the underlying protocols.

• Refer: 1.3.1.3

Page 50

Reconnaissance Attacks

• Refer: 1.3.1.4

Page 51

Reconnaissance Attacks

• Keep in mind that reconnaissance attacks are typically the precursor to further attacks with the intention of gaining unauthorized access to a network or disrupting network functionality.

• A network security professional can detect when a reconnaissance attack is underway by configuring alarms that are triggered when certain parameters are exceeded, such as ICMP requests per second.

• A Cisco ISR supports the security technologies that enable these types of alarms to be triggered.

• Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also be used to notify when a reconnaissance attack is occurring.
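The threshold alarm described in the second bullet can be shown in code. The following Python example is added here and is not code from the slides or from any Cisco product. It applies two sliding-window thresholds to a constructed list of flow records: ICMP echo requests per second from one source spread across many destinations (the ping sweep from the earlier slides) and distinct destination ports from one source to one host within a second (a port scan). The record format, the thresholds and the addresses are all assumptions made for the example; the benign traffic in the sample stays below both thresholds.

```python
from collections import defaultdict, deque

# Constructed flow records: (time_seconds, src_ip, dst_ip, proto, dst_port).
# proto "icmp-echo" models an ICMP echo request (dst_port is None for ICMP).
SAMPLE_FLOWS = [
    # Benign: one host pinging its gateway once per second.
    (0.0, "10.0.0.5", "10.0.0.1", "icmp-echo", None),
    (1.0, "10.0.0.5", "10.0.0.1", "icmp-echo", None),
    # Ping sweep: one source probing 40 hosts within less than a second.
    *[(2.0 + i * 0.01, "10.0.0.99", f"10.0.1.{i}", "icmp-echo", None)
      for i in range(1, 41)],
    # Port scan: one source touching 40 different ports on one host.
    *[(3.0 + i * 0.01, "10.0.0.77", "10.0.1.10", "tcp", port)
      for i, port in enumerate(range(20, 60))],
    # Benign: a couple of HTTPS connections to the same server.
    (4.0, "10.0.0.5", "10.0.1.10", "tcp", 443),
    (4.5, "10.0.0.5", "10.0.1.10", "tcp", 443),
]

WINDOW_SECONDS = 1.0
ICMP_PER_WINDOW = 20   # more echo requests than this from one source ...
SWEEP_MIN_HOSTS = 16   # ... spread over at least this many destinations
SCAN_MIN_PORTS = 16    # distinct ports from one source to one host


def _trim(queue, now):
    """Drop entries that have fallen out of the sliding window."""
    while queue and now - queue[0][0] > WINDOW_SECONDS:
        queue.popleft()


def detect_reconnaissance(flows):
    """Return (alarm_type, src_ip, count) tuples, one alarm per source and type."""
    alarms = []
    raised = set()
    icmp_by_src = defaultdict(deque)     # src -> deque of (t, dst)
    ports_by_pair = defaultdict(deque)   # (src, dst) -> deque of (t, port)

    for t, src, dst, proto, dport in sorted(flows, key=lambda f: f[0]):
        if proto == "icmp-echo":
            q = icmp_by_src[src]
            q.append((t, dst))
            _trim(q, t)
            hosts = {d for _, d in q}
            if (len(q) > ICMP_PER_WINDOW and len(hosts) >= SWEEP_MIN_HOSTS
                    and ("ping_sweep", src) not in raised):
                raised.add(("ping_sweep", src))
                alarms.append(("ping_sweep", src, len(hosts)))
        elif proto == "tcp" and dport is not None:
            q = ports_by_pair[(src, dst)]
            q.append((t, dport))
            _trim(q, t)
            ports = {p for _, p in q}
            if len(ports) >= SCAN_MIN_PORTS and ("port_scan", src) not in raised:
                raised.add(("port_scan", src))
                alarms.append(("port_scan", src, len(ports)))
    return alarms


if __name__ == "__main__":
    for alarm in detect_reconnaissance(SAMPLE_FLOWS):
        print(alarm)
```

The count reported with each alarm is the value at the moment the threshold was crossed, which is what an operator wants in the alert; the `raised` set keeps one alarm per source and type so a sustained sweep does not flood the console.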

Page 52

Access Attacks

• Hackers use access attacks on networks or systems for three reasons: to retrieve data, gain access, and escalate access privileges.

• Access attacks often employ password attacks to guess system passwords.

• Password attacks can be implemented using several methods, including brute-force attacks, Trojan Horse programs, IP spoofing, and packet sniffers.

• A brute-force attack is often performed using a program that runs across the network and attempts to log in to a shared resource, such as a server.

• Refer: 1.3.2.1

Page 53

Access Attacks

• There are five types of access attacks:

Password attack

• An attacker attempts to guess system passwords.

Page 54

Access Attacks

• Refer: 1.3.2.2

Trust exploitation

• An attacker uses privileges granted to a system in an unauthorized way.

Page 55

Access Attacks

Port redirection

• A compromised system is used as a jump-off point for attacks against other targets.

Page 56

Access Attacks

Man-in-the-middle attack

• An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties.

Page 57

Access Attacks

Buffer overflow

• A program writes data beyond the allocated buffer memory.

• A result of the overflow is that valid data is overwritten or exploited to enable the execution of malicious code.

Page 58

Access Attacks

• Access attacks in general can be detected by reviewing logs, bandwidth utilization, and process loads.

• Example: ManageEngine EventLog Analyzer or Cisco Secure Access Control Server (CSACS)

Page 59

Denial of Service Attacks

Refer: 1.3.3.1

• A DoS attack is a network attack in which devices can no longer provide service to users, for example because a buffer or the CPU is overwhelmed.

• There are two major reasons a DoS attack occurs:

– A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.

– A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.

Page 60

Denial of Service Attacks

• Refer: 1.3.3.2

DoS attack

Page 61

Denial of Service Attacks

• Refer: 1.3.3.2

A Distributed Denial of Service Attack (DDoS)

Page 62

Denial of Service Attacks

• Ping of Death

– In a ping of death attack, a hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes.

– Sending a ping of this size can crash the target computer.

– A variant of this attack is to crash a system by sending ICMP fragments, which fill the reassembly buffers of the target.

• Refer: 1.3.3.3
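Both variants on this slide are defeated by checks in the receiver's fragment reassembly code, which is what the following added Python example models. It is not code from the slides or from any real IP stack: it is a minimal IPv4 reassembler that rejects any fragment whose offset plus length would extend past the 65,535-byte maximum (the ping of death) and caps the number of partially reassembled datagrams it will hold (the reassembly-buffer variant). The addresses, fragment values and the cap are constructed for the example; a production stack would also apply a timeout and overlap handling, which this model leaves out.

```python
MAX_DATAGRAM = 65535       # largest legal IPv4 datagram, header included
DEFAULT_MAX_PENDING = 64   # partial datagrams held at once (constructed limit)


class Reassembler:
    """Minimal IPv4 fragment reassembler with two defensive checks."""

    def __init__(self, max_pending=DEFAULT_MAX_PENDING):
        self.pending = {}      # (src, dst, ident) -> {"frags": {offset: bytes}, "total": int | None}
        self.max_pending = max_pending
        self.dropped = []      # (reason, key) for every rejected fragment

    def accept(self, src, dst, ident, offset_units, more_fragments, payload):
        """Feed one fragment; return the reassembled payload when complete, else None."""
        key = (src, dst, ident)
        start = offset_units * 8            # the fragment offset field is in 8-byte units
        end = start + len(payload)

        # Check 1 (ping of death): no fragment may extend past 65,535 bytes.
        # Whatever was already collected under this key is discarded too.
        if end > MAX_DATAGRAM:
            self.pending.pop(key, None)
            self.dropped.append(("oversize", key))
            return None

        # Non-final fragments must carry a multiple of 8 bytes.
        if more_fragments and len(payload) % 8 != 0:
            self.dropped.append(("bad_length", key))
            return None

        entry = self.pending.get(key)
        if entry is None:
            # Check 2 (buffer exhaustion): refuse new partial datagrams once the cap is hit.
            if len(self.pending) >= self.max_pending:
                self.dropped.append(("buffer_exhausted", key))
                return None
            entry = self.pending[key] = {"frags": {}, "total": None}

        entry["frags"][start] = payload
        if not more_fragments:
            entry["total"] = end
        return self._try_complete(key, entry)

    def _try_complete(self, key, entry):
        if entry["total"] is None:
            return None                     # last fragment not seen yet
        buf = bytearray()
        position = 0
        for start in sorted(entry["frags"]):
            if start != position:
                return None                 # gap (or overlap) still present
            buf += entry["frags"][start]
            position += len(entry["frags"][start])
        if position != entry["total"]:
            return None
        del self.pending[key]
        return bytes(buf)


def demo():
    r = Reassembler(max_pending=2)
    # 1. Legitimate datagram in two fragments (16 bytes, then a 5-byte tail).
    first = r.accept("10.0.0.5", "10.0.0.1", 1, 0, True, b"A" * 16)
    whole = r.accept("10.0.0.5", "10.0.0.1", 1, 2, False, b"B" * 5)
    # 2. Ping-of-death-style fragment: offset 8189 units = 65,512 bytes, plus 32 bytes = 65,544.
    oversize = r.accept("10.0.0.9", "10.0.0.1", 2, 8189, False, b"C" * 32)
    # 3. Reassembly-buffer exhaustion: ten datagrams that never complete.
    for ident in range(100, 110):
        r.accept("10.0.0.9", "10.0.0.1", ident, 0, True, b"D" * 8)
    return first, whole, oversize, len(r.pending), r.dropped


if __name__ == "__main__":
    print(demo())
```

In the demo the legitimate datagram reassembles to 21 bytes, the oversize fragment is logged as `oversize` and never buffered, and once two incomplete datagrams are pending the remaining eight are refused rather than allowed to consume memory.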

Page 63

Denial of Service Attacks

• Smurf Attack

– In a smurf attack, a perpetrator sends a large number of ICMP requests to directed broadcast addresses, all with spoofed source addresses on the same network as the respective directed broadcast.

Page 64

Denial of Service Attacks

• TCP SYN Flood

– In a TCP SYN flood attack, a flood of TCP SYN packets is sent, often with a forged sender address.

Page 65

Denial of Service Attacks

There are five basic ways that DoS attacks can do harm:

• Consumption of resources, such as bandwidth, disk space, or processor time

• Disruption of configuration information, such as routing information

• Disruption of state information, such as unsolicited resetting of TCP sessions

• Disruption of physical network components

• Obstruction of communication between the victim and others

Page 66

Mitigating Network Attacks

The important question is, 'How do I mitigate these network attacks?'

Page 67

Mitigating Network Attacks

Mitigating Reconnaissance Attacks

Page 68

Mitigating Network Attacks

Mitigating Access Attacks

Page 69

Mitigating Network Attacks

Mitigating DoS Attacks

Page 70

Mitigating Network Attacks

10 best practices represent the best insurance for a network:

1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.

2. Shut down unnecessary services and ports.

3. Use strong passwords and change them often.

4. Control physical access to systems.

5. Avoid unnecessary web page inputs.

6. Perform backups and test the backed up files on a regular basis.

7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.

8. Encrypt and password-protect sensitive data.

9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.

10. Develop a written security policy for the company.

Page 71

Mitigating Network Attacks

Page 72

Summary

Page 73