ccna security_chapter 1_modern network security threats.pdf
TRANSCRIPT
Chapter 1 – Modern Network Security Threats
CCNA Security
Objectives
Bach Khoa Academy of Information Technology - Website: www.bkacad.com
Fundamental Principles of a Secure Network
Evolution of Network Security
• In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts.
• The Code Red worm caused a Denial of Service (DoS) to millions of users.
Evolution of Network Security
• When the first viruses were unleashed and the first DoS attack occurred, the world began to change for networking professionals.
• To meet the needs of users, network professionals learned techniques to secure networks.
• Refer: 1.1.1.2
Evolution of Network Security
Year            Security Technology
1984            First IDS for ARPAnet (SRI International IDES)
Late 1988       DEC Packet Filter Firewall
1989            AT&T Bell Labs Stateful Firewall
1991            DEC SEAL Application Layer Firewall
1994            Check Point Firewall
1995            NetRanger IDS
August 1997     RealSecure IDS
1998            Snort IDS
Late 1999       First IPS
2006            Cisco Zone-based Policy Firewall
Evolution of Network Security
• An IDS provides real-time detection of certain types of attacks while they are in progress
• This detection allows network professionals to more quickly mitigate the negative impact of these attacks on network devices and users.
• In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution.
• IPS devices enable the detection of malicious activity and have the ability to automatically block the attack in real time.
• In addition to IDS and IPS solutions, firewalls were developed to prevent undesirable traffic from entering prescribed areas within a network, thereby providing perimeter security.
Evolution of LAN Security
Evolution of Network Security
• Three components of information security: confidentiality, integrity, availability.
• Encrypting data: encryption provides confidentiality by hiding plaintext data.
• Data integrity: data is not changed from source to destination.
• Availability: data accessibility, guaranteed by network hardening mechanisms and backup systems.
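The integrity component above, as an added example that is not part of the original slides: a Python sketch of how a receiver checks that data was not changed from source to destination, using an HMAC-SHA256 tag appended to each message. The shared key and the messages are constructed placeholders. The tag gives integrity only; the message itself is still plaintext, so confidentiality would need encryption on top of it.

```python
import hashlib
import hmac

# Constructed placeholder: a key both ends agreed on out of band.
SHARED_KEY = b"example-shared-key-placeholder"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: append an HMAC-SHA256 tag computed over the message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(wire: bytes, key: bytes = SHARED_KEY):
    """Receiver side: return (ok, message). ok is False when the tag
    does not match, i.e. the data or the tag changed in transit."""
    if len(wire) < TAG_LEN:
        return False, b""
    message, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # constant-time comparison so the check itself leaks nothing about the tag
    return hmac.compare_digest(tag, expected), message


def simulate_on_path_change(wire: bytes) -> bytes:
    """Flip one bit of the payload, as an on-path modification would."""
    altered = bytearray(wire)
    altered[0] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    packet = protect(b"transfer 100 to account 42")
    print("untouched:", verify(packet)[0])                           # True
    print("altered:  ", verify(simulate_on_path_change(packet))[0])  # False
```

A receiver that rejects any message whose tag fails to verify gets the "not changed from source to destination" guarantee the slide describes, provided the key stays secret on both ends.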
Evolution of Network Security
Evolution of Data Protection Technologies
Year            Security Technology
1993            Cisco GRE Tunnels
1996            Site-to-Site IPSec VPNs
1999            SSH
2000            MPLS VPNs
2001            Remote-access IPSec VPN
2002            Dynamic Multipoint VPN
2005            SSL VPN
Drivers for Network Security
• The word hacker has a variety of meanings.
• For many, it means Internet programmers who try to gain unauthorized access to devices on the Internet.
• It is also used to refer to individuals that run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers.
• But for some, the term hacker has a positive interpretation as a network professional that uses sophisticated Internet programming skills to ensure that networks are not vulnerable to attack.
• Good or bad, hacking is a driving force in network security.
Drivers for Network Security
• Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems.
• Wardialing programs automatically scanned telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines.
• When a phone number was found, password-cracking programs were used to gain access.
• Wardriving: users gain unauthorized access to networks via wireless access points.
• A number of other threats have evolved since the 1960s, including network scanning tools such as Nmap and SATAN, as well as remote system administration hacking tools such as Back Orifice.
Drivers for Network Security
This virus resulted in memory overflows in Internet mail servers.
Drivers for Network Security
Robert Morris created the first Internet worm with 99 lines of code.
Network Security Organizations
• SysAdmin, Audit, Network, Security (SANS) Institute
• Computer Emergency Response Team (CERT)
• International Information Systems Security Certification Consortium (pronounce (ISC)2 as "I-S-C-squared")
• Network security professionals must collaborate with professional colleagues more frequently than most other professions.
Network Security Organizations
• SANS was established in 1989 as a cooperative research and education organization.
• The focus of SANS is information security training and certification.
• SANS develops security courses that can be taken to prepare for Global Information Assurance Certification (GIAC) in auditing, management, operations, legal issues, security administration, and software security.
Network Security Organizations
• CERT is part of the U.S. federally funded Software Engineering Institute (SEI) at Carnegie Mellon University.
• CERT is chartered to work with the Internet community in detecting and resolving computer security incidents.
• CERT responds to major security incidents and analyzes product vulnerabilities.
• CERT focuses on five areas: software assurance, secure systems, organizational security, coordinated response, and education and training.
Network Security Organizations
• (ISC)2 provides vendor-neutral education products and career services in more than 135 countries.
• The mission of (ISC)2 is to make the cyber world a safe place through elevating information security to the public domain and supporting and developing information security professionals around the world.
• Detail: 1.1.3.4
Network Security Organizations
• In addition to the websites of the various security organizations, one of the most useful tools for the network security professional is Really Simple Syndication (RSS) feeds.
• RSS is a family of XML-based formats used to publish frequently updated information, such as blog entries, news headlines, audio, and video.
• RSS uses a standardized format. An RSS feed includes complete or summarized text, plus metadata, such as publishing dates and authorships.
• By using RSS, a network security professional can acquire up-to-date information on a daily basis and aggregate real-time threat information for review at any time.
Domains of Network Security
Refer: 1.1.4.1
The 12 domains of network security provide a convenient separation for the elements of network security.
One of the most important domains is security policy.
A security policy is a formal statement of the rules by which people who are given access to the technology and information assets of an organization must abide.
Network Security Policies
The policy is used to aid in network design, convey security principles, and facilitate network deployments.
The network security policy outlines rules for network access, determines how policies are enforced, and describes the basic architecture of the organization's network security environment.
Network Security Policies
A Cisco Self-Defending Network (SDN) uses the network to identify, prevent, and adapt to threats.
Unlike point-solution strategies, where products are purchased individually without consideration for which products work best together, a network-based approach is a strategic approach that meets the current challenges and evolves to address new security needs.
A Cisco SDN begins with a strong, secure, flexible network platform from which a security solution is built.
Network Security Policies
Refer: 1.1.5.2
Detail: 1.1.5.3
Viruses, Worms, and Trojan Horses
• A virus is malicious software which attaches to another program to execute a specific unwanted function on a computer.
• A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.
• A Trojan Horse is an application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within.
• Refer: 1.2.1.1
Viruses
• The term virus refers to an infectious organism that requires a host cell to grow and replicate.
• A virus is a malicious code that is attached to legitimate programs or executable files.
• Most viruses require end-user activation and can lie dormant for an extended period and then activate at a specific time or date.
• When activated, the virus might check the disk for other executables, so that it can infect all the files it has not yet infected.
• Today, most viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email. Email viruses are now the most common type of virus.
Worms
• Worms are a particularly dangerous type of hostile code.
• They replicate themselves by independently exploiting vulnerabilities in networks.
• Worms usually slow down networks.
• Worms are responsible for some of the most devastating attacks on the Internet.
Worms
• Most worm attacks have three major components:
– Enabling vulnerability - A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system.
– Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.
– Payload - Any malicious code that results in some action. Most often this is used to create a backdoor to the infected host.
• Worms are self-contained programs that attack a system to exploit a known vulnerability.
• Refer: 1.2.2.2
Worms
• There are five basic phases of attack, regardless of whether a worm or virus is deployed.
Trojan Horses
• A Trojan Horse in the world of computing is malware that carries out malicious operations under the guise of a desired function.
• A virus or worm could carry a Trojan Horse.
• A Trojan Horse contains hidden, malicious code that exploits the privileges of the user that runs it.
• The Trojan Horse concept is flexible.
• It can cause immediate damage, provide remote access to the system (a back door), or perform actions as instructed remotely, such as "send me the password file once per week."
Trojan Horses
• Trojan Horses are usually classified according to the damage that they cause or the manner in which they breach a system:
– Remote-access Trojan Horse (enables unauthorized remote access)
– Data sending Trojan Horse (provides the attacker with sensitive data such as passwords)
– Destructive Trojan Horse (corrupts or deletes files)
– Proxy Trojan Horse (user's computer functions as a proxy server)
– FTP Trojan Horse (opens port 21)
– Security software disabler Trojan Horse (stops anti-virus programs or firewalls from functioning)
– Denial of Service Trojan Horse (slows or halts network activity)
Mitigating Viruses, Worms, Trojan Horses
• A majority of the software vulnerabilities that are discovered relate to buffer overflows.
• A buffer is an allocated area of memory used by processes to store data temporarily.
Mitigating Viruses, Worms, Trojan Horses
Mitigating Viruses and Trojan Horses
• The primary means of mitigating virus and Trojan horse attacks is anti-virus software.
• Anti-virus products are host-based.
• These products are installed on computers and servers to detect and eliminate viruses.
Mitigating Viruses, Worms, Trojan Horses
Mitigating Worms
• The containment phase involves limiting the spread of a worm infection to areas of the network that are already affected.
• The inoculation phase runs parallel to or subsequent to the containment phase.
• The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them.
• During the treatment phase, actively infected systems are disinfected of the worm.
Mitigating Viruses, Worms, Trojan Horses
• In the case of the SQL Slammer worm, malicious traffic was detected on UDP port 1434.
• This port should normally be blocked by a firewall on the perimeter.
• Some organizations could not block UDP port 1434 because it was required to access the SQL Server for legitimate business transactions.
Mitigating Viruses, Worms, Trojan Horses
• Cisco Security Agent (CSA) is a host-based intrusion prevention system that can be integrated with anti-virus software from various vendors.
• Another solution for mitigating threats is Cisco Network Admission Control (NAC).
• Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring for network security devices and host applications created by Cisco and other providers.
Attack Methodologies
Types of Attacks
• There are many different types of network attacks other than viruses, worms, and Trojan Horses:
Refer: 1.3.1.1
• Reconnaissance Attacks
– Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities.
– Reconnaissance is analogous to a thief surveying a neighborhood for vulnerable homes to break into, such as an unoccupied residence or a house with an easy-to-open door or window.
• Access Attacks
– Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
• Denial of Service Attacks
– Denial of service attacks send extremely large numbers of requests over a network or the Internet.
Reconnaissance Attacks
• Reconnaissance is also known as information gathering and, in most cases, precedes an access or DoS attack.
• In a reconnaissance attack, the malicious intruder typically begins by conducting a ping sweep of the target network to determine which IP addresses are active.
• Reconnaissance attacks use various tools to gain access to a network:
– Packet sniffers
– Ping sweeps
– Port scans
– Internet information queries
Refer: 1.3.1.2
Reconnaissance Attacks
• A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
• Packet sniffers can only work in the same collision domain as the network being attacked, unless the attacker has access to the intermediary switches.
• Numerous freeware and shareware packet sniffers, such as Wireshark, are available and do not require the user to understand anything about the underlying protocols.
• Refer: 1.3.1.3
• Refer: 1.3.1.4
Reconnaissance Attacks
• Keep in mind that reconnaissance attacks are typically the precursor to further attacks with the intention of gaining unauthorized access to a network or disrupting network functionality.
• A network security professional can detect when a reconnaissance attack is underway by configuring alarms that are triggered when certain parameters are exceeded, such as ICMP requests per second.
• A Cisco ISR supports the security technologies that enable these types of alarms to be triggered.
• Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also be used to notify when a reconnaissance attack is occurring.
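The threshold alarms described above, as an added example that is not part of the original slides and not Cisco ISR or IPS code: a Python detector run over constructed flow records that raises an alarm when one source exceeds an ICMP-requests-per-second rate, pings an unusual number of distinct hosts (ping sweep), or touches many ports on one host (port scan). The thresholds, addresses and record format are assumptions chosen for the demonstration; real sensors would take the same decisions from NetFlow or packet data.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records (not a real capture): (seconds, src, dst, proto, dst_port)."""
    flows = [
        # ordinary activity from 10.0.0.5: two pings and two web connections
        (0.0, "10.0.0.5", "10.0.1.1", "icmp", None),
        (5.0, "10.0.0.5", "10.0.1.2", "icmp", None),
        (1.0, "10.0.0.5", "10.0.2.10", "tcp", 80),
        (2.0, "10.0.0.5", "10.0.2.10", "tcp", 443),
    ]
    # ping sweep: 40 echo requests to 40 different hosts within two seconds
    for i in range(40):
        flows.append((10.0 + i * 0.05, "10.0.0.99", f"10.0.1.{i + 1}", "icmp", None))
    # port scan: 25 distinct ports on one host within one second
    for port in range(1, 26):
        flows.append((20.0 + port * 0.04, "10.0.0.77", "10.0.2.10", "tcp", port))
    return flows


def peak_rate(timestamps, window):
    """Largest number of events inside any window of `window` seconds (timestamps sorted)."""
    peak, j = 0, 0
    for i, t in enumerate(timestamps):
        while t - timestamps[j] > window:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def detect_recon(flows, icmp_per_sec=10, sweep_hosts=16, scan_ports=15):
    """Return a list of alarm dicts; the thresholds are assumed values to tune per site."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f[0]):
        by_src[f[1]].append(f)

    alarms = []
    for src, recs in by_src.items():
        icmp = [r for r in recs if r[3] == "icmp"]
        if icmp:
            # alarm 1: ICMP echo requests per second from one source
            rate = peak_rate([r[0] for r in icmp], window=1.0)
            if rate > icmp_per_sec:
                alarms.append({"kind": "icmp-rate", "src": src, "value": rate})
            # alarm 2: one source probing many distinct hosts (ping sweep)
            targets = {r[2] for r in icmp}
            if len(targets) >= sweep_hosts:
                alarms.append({"kind": "ping-sweep", "src": src, "value": len(targets)})
        # alarm 3: one source touching many distinct ports on one host (port scan)
        ports_by_dst = defaultdict(set)
        for r in recs:
            if r[3] == "tcp":
                ports_by_dst[r[2]].add(r[4])
        for dst, ports in ports_by_dst.items():
            if len(ports) >= scan_ports:
                alarms.append({"kind": "port-scan", "src": src, "dst": dst, "value": len(ports)})
    return alarms


def alarm_summary(alarms):
    """Set of (kind, src) pairs, handy for reporting and tests."""
    return {(a["kind"], a["src"]) for a in alarms}


if __name__ == "__main__":
    for alarm in detect_recon(build_sample_flows()):
        print(alarm)
```

The ordinary host trips none of the three checks, while the sweeping and scanning sources each trip the alarm matching their behaviour; raising the thresholds trades earlier warning for fewer false alarms from legitimate monitoring tools.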
Access Attacks
• Hackers use access attacks on networks or systems for three reasons: retrieve data, gain access, and escalate access privileges.
• Access attacks often employ password attacks to guess system passwords.
• Password attacks can be implemented using several methods, including brute-force attacks, Trojan Horse programs, IP spoofing, and packet sniffers.
• A brute-force attack is often performed using a program that runs across the network and attempts to log in to a shared resource, such as a server.
• Refer: 1.3.2.1
Access Attacks
• There are five types of access attacks:
– Password attack: an attacker attempts to guess system passwords.
– Trust exploitation: an attacker uses privileges granted to a system in an unauthorized way.
– Port redirection: a compromised system is used as a jump-off point for attacks against other targets.
– Man-in-the-middle attack: an attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties.
– Buffer overflow: a program writes data beyond the allocated buffer memory. A result of the overflow is that valid data is overwritten or exploited to enable the execution of malicious code.
• Refer: 1.3.2.2
Access Attacks
• Access attacks in general can be detected by reviewing logs, bandwidth utilization, and process loads.
• Example: ManageEngine EventLog Analyzer or Cisco Secure Access Control Server (CSACS)
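Detecting an access attack by reviewing logs, as an added example that is not part of the original slides and not EventLog Analyzer or CSACS code: a Python routine that reads syslog-style sshd lines, counts failed logins per source inside a sliding window, flags a source that exceeds the limit as a brute-force password attack, and flags a later successful login from that same source. The log lines are constructed, the year is assumed (syslog omits it), and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines; the year is absent in this format, so 2024 is assumed.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<src>[\d.]+)")


def build_sample_log():
    """Constructed log lines (not from a real system)."""
    lines = [
        # a user mistyping a password twice, then succeeding: normal
        "Mar 10 09:00:01 srv1 sshd[2001]: Failed password for alice from 198.51.100.5 port 40001 ssh2",
        "Mar 10 09:00:07 srv1 sshd[2001]: Failed password for alice from 198.51.100.5 port 40001 ssh2",
        "Mar 10 09:00:15 srv1 sshd[2001]: Accepted password for alice from 198.51.100.5 port 40001 ssh2",
    ]
    # one source trying twelve passwords against 'admin' within thirty seconds, then getting in
    for i in range(12):
        lines.append(f"Mar 10 09:10:{i * 2:02d} srv1 sshd[{3000 + i}]: Failed password for admin "
                     f"from 203.0.113.7 port {50000 + i} ssh2")
    lines.append("Mar 10 09:10:30 srv1 sshd[3012]: Accepted password for admin from 203.0.113.7 port 50012 ssh2")
    return lines


def parse_ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2024)


def detect_brute_force(lines, max_failures=5, window_seconds=60):
    """Return alarms: a brute-force alarm when a source exceeds max_failures
    failed logins inside window_seconds, and a second alarm if that source
    later logs in successfully (the case an analyst must act on first)."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()
    alarms = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            src, t = m.group("src"), parse_ts(m.group("ts"))
            q = recent[src]
            q.append(t)
            while (t - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) > max_failures and src not in flagged:
                flagged.add(src)
                alarms.append({"kind": "brute-force", "src": src,
                               "user": m.group("user"), "failures": len(q)})
            continue
        m = ACCEPTED_RE.match(line)
        if m and m.group("src") in flagged:
            alarms.append({"kind": "success-after-brute-force",
                           "src": m.group("src"), "user": m.group("user")})
    return alarms


if __name__ == "__main__":
    for alarm in detect_brute_force(build_sample_log()):
        print(alarm)
```

The two genuine typos from alice never reach the limit, while the guessing source is flagged on its sixth failure and again when its later login succeeds; the same window logic applies to any authentication log (RADIUS, VPN, web) once the regular expressions are adapted.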
Denial of Service Attacks
Refer: 1.3.3.1
• A DoS attack is a network attack in which devices cannot provide service to users, for example because of a buffer overflow or CPU exhaustion.
• There are two major reasons a DoS attack occurs:
– A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.
– A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.
Denial of Service Attacks
• Refer: 1.3.3.2
DoS attack
A Distributed Denial of Service Attack (DDoS)
Denial of Service Attacks
• Ping of Death
– In a ping of death attack, a hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes.
– Sending a ping of this size can crash the target computer.
– A variant of this attack is to crash a system by sending ICMP fragments, which fill the reassembly buffers of the target.
• Refer: 1.3.3.3
Denial of Service Attacks
• Smurf Attack
– In a smurf attack, a perpetrator sends a large number of ICMP requests to directed broadcast addresses, all with spoofed source addresses on the same network as the respective directed broadcast.
Denial of Service Attacks
• TCP SYN Flood
– In a TCP SYN flood attack, a flood of TCP SYN packets is sent, often with a forged sender address.
Denial of Service Attacks
There are five basic ways that DoS attacks can do harm:
• Consumption of resources, such as bandwidth, disk space, or processor time
• Disruption of configuration information, such as routing information
• Disruption of state information, such as unsolicited resetting of TCP sessions
• Disruption of physical network components
• Obstruction of communication between the victim and others.
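The three DoS attack types from the preceding slides (ping of death, smurf, TCP SYN flood), as an added example that is not part of the original slides: a Python classifier that recognises each signature in constructed packet summaries, the way a perimeter sensor would. It checks reassembled ICMP echo requests against the 65,535-byte IP maximum, counts echo requests addressed to a directed broadcast of the protected network, and compares SYN counts per destination with the handshake-completing ACKs behind them. The network, addresses, record layout and thresholds are assumptions for the demonstration.

```python
import ipaddress
from collections import Counter

# Constructed: the protected internal network; its directed broadcast address is 192.0.2.255
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
MAX_IP_DATAGRAM = 65535


def is_directed_broadcast(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)


def build_sample_packets():
    """Constructed packet summaries, not a real capture. 'len' is the
    reassembled datagram length; 'flags' holds TCP flag letters."""
    pkts = [
        # ordinary client: a full handshake and one echo request
        {"src": "198.51.100.10", "dst": "192.0.2.20", "proto": "tcp", "flags": "S", "len": 60},
        {"src": "198.51.100.10", "dst": "192.0.2.20", "proto": "tcp", "flags": "A", "len": 52},
        {"src": "198.51.100.10", "dst": "192.0.2.20", "proto": "icmp", "icmp_type": 8, "len": 84},
        # ping of death: reassembled echo request larger than 65,535 bytes
        {"src": "203.0.113.9", "dst": "192.0.2.20", "proto": "icmp", "icmp_type": 8, "len": 65600},
    ]
    # smurf: echo requests to the directed broadcast, source forged as the victim
    for _ in range(30):
        pkts.append({"src": "192.0.2.20", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8, "len": 84})
    # SYN flood: many SYNs from forged sources that never complete the handshake
    for i in range(200):
        pkts.append({"src": f"10.{i % 256}.{(i * 7) % 256}.{(i * 13) % 256}", "dst": "192.0.2.20",
                     "proto": "tcp", "flags": "S", "len": 60})
    return pkts


def classify_dos(pkts, syn_threshold=100, smurf_threshold=10):
    """Return findings for the three DoS signatures; thresholds are assumed values."""
    findings = []
    syn_by_dst, ack_by_dst, bcast_echo = Counter(), Counter(), Counter()
    for p in pkts:
        if p["proto"] == "icmp" and p.get("icmp_type") == 8:
            if p["len"] > MAX_IP_DATAGRAM:
                findings.append({"kind": "ping-of-death", "src": p["src"], "dst": p["dst"], "len": p["len"]})
            if is_directed_broadcast(p["dst"]):
                # the forged source address is the intended victim of the reply storm
                bcast_echo[(p["src"], p["dst"])] += 1
        elif p["proto"] == "tcp":
            if p["flags"] == "S":
                syn_by_dst[p["dst"]] += 1
            elif "A" in p["flags"]:
                ack_by_dst[p["dst"]] += 1
    for (victim, bcast), n in bcast_echo.items():
        if n >= smurf_threshold:
            findings.append({"kind": "smurf", "victim": victim, "broadcast": bcast, "count": n})
    for dst, syns in syn_by_dst.items():
        # a flood shows many SYNs with almost no third-step ACKs behind them
        if syns >= syn_threshold and ack_by_dst[dst] < syns * 0.1:
            findings.append({"kind": "syn-flood", "dst": dst, "syns": syns, "acks": ack_by_dst[dst]})
    return findings


def finding_kinds(findings):
    return {f["kind"] for f in findings}


if __name__ == "__main__":
    for finding in classify_dos(build_sample_packets()):
        print(finding)
```

The ordinary client's traffic produces no finding, and each of the three constructed attack patterns produces exactly the finding named for it; in practice the smurf check also justifies disabling directed broadcasts on the network's routers, which removes the amplifier altogether.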
Mitigating Network Attacks
The important question is, 'How do I mitigate these network attacks?'
Mitigating Reconnaissance Attack
Mitigating Access Attack
Mitigating DoS Attack
10 best practices represent the best insurance for a network:
1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs.
6. Perform backups and test the backed up files on a regular basis.
7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.
10. Develop a written security policy for the company.
Summary