Accessing the WAN – Chapter 4 docx


© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public ITE 1 Chapter 6 1
Network Security
Accessing the WAN – Chapter 4
Cisco Thai Nguyen Networking Academy

Objectives
In this chapter, you will learn to:
– Identify security threats to enterprise networks
– Describe methods to mitigate security threats to enterprise networks
– Configure basic router security
– Disable unused router services and interfaces
– Use the Cisco SDM one-step lockdown feature
– Manage files and software images with the Cisco IOS Integrated File System (IFS)

Why is Network Security Important?
Computer networks have grown in both size and importance in a very short time.
– If the security of the network is compromised, there could be serious consequences, such as loss of privacy, theft of information, and even legal liability.
In this chapter you will learn about:
– different types of threats,
– the development of organizational security policies and mitigation techniques,
– Cisco software tools to help secure networks,
– managing Cisco IOS software images.
• Although this may not seem like a security issue, Cisco software images and configurations can be deleted. Devices compromised in this way pose security risks.

The Increasing Threat to Security
Over the years, tools and methods have evolved.
– In 1985 an attacker had to have a sophisticated computer and the knowledge to make tools and launch basic attacks.
– As time went on and attackers' tools improved, attackers no longer required the same level of knowledge.
Some of the most common terms are as follows:
– White hat - An individual who looks for vulnerabilities in systems and reports them so that they can be fixed.
– Black hat - An individual who uses their knowledge to break into systems that they are not authorized to use.
– Hacker - An individual who attempts to gain unauthorized access to a network with malicious intent.
– Cracker - Someone who tries to gain unauthorized access to network resources with malicious intent.
– Phreaker - An individual who manipulates the phone network, through a payphone, to make free long-distance calls.
– Spammer - An individual who sends large quantities of unsolicited e-mail messages.
– Phisher - Uses e-mail or other means to trick others into providing information, such as credit card numbers.

Think Like an Attacker
Many attackers use this seven-step process to gain information and stage an attack.
– Step 1. Perform footprint analysis (reconnaissance).
• A company webpage can lead to information such as the IP addresses of servers.
– Step 2. Enumerate information.
• An attacker can expand on the footprint by monitoring network traffic with a packet sniffer such as Wireshark, finding information such as the versions of servers.
– Step 3. Manipulate users to gain access.
• Sometimes employees choose passwords that are easily crackable.
– Step 4. Escalate privileges.
• After attackers gain basic access, they use their skills to increase their privileges.
– Step 5. Gather additional passwords and secrets.
• With improved privileges, attackers gain access to sensitive information.
– Step 6. Install backdoors.
• Backdoors allow the attacker to enter the system without being detected.
– Step 7. Leverage the compromised system.
• After a system is compromised, the attacker uses it to attack other hosts in the network.

Types of Computer Crime
These are the most commonly reported acts of computer crime that have network security implications.
In certain countries, some of these activities may not be a crime, but they are still a problem.
– Insider abuse of network access
– Virus
– Mobile device theft
– Phishing where an organization is fraudulently represented as the sender
– Instant messaging misuse
– Denial of service
– Unauthorized access to information
– Bots within the organization
– Theft of customer or employee data
– Abuse of wireless network
– System penetration
– Financial fraud
– Password sniffing
– Key logging
– Website defacement
– Misuse of a public web application
– Theft of proprietary information
– Exploiting the DNS server of an organization
– Telecom fraud
– Sabotage

Open versus Closed Networks
The overall security challenge facing network administrators is balancing two important needs:
– keep networks open to support business requirements
– protect private, personal, and business information.
Network security models fall on a progressive scale:
– From open: any service is permitted unless it is expressly denied.
– To restrictive: services are denied by default unless deemed necessary.
– An extreme alternative for managing security is to completely close a network from the outside world.
• Because there is no outside connectivity, such networks are considered safe from outside attacks.
• However, internal threats still exist. A closed network does little to prevent attacks from within the enterprise.

Developing a Security Policy
The first step an organization should take to protect its data and address its liability challenges is to develop a security policy.
A security policy meets these goals:
– Informs users, staff, and managers of their requirements for protecting information assets
– Specifies the mechanisms through which these requirements can be met
– Provides a baseline from which to acquire, configure, and audit computer systems for compliance
Assembling a security policy can be daunting. The ISO and IEC have published a security standard document called ISO/IEC 27002. The document consists of 12 sections:
– Risk assessment
– Security policy
– Organization of information security
– Asset management
– Human resources security
– Physical and environmental security
– Communications and operations management
– Access control
– Information systems acquisition, development, and maintenance
– Information security incident management
– Business continuity management
– Compliance

Vulnerabilities
When discussing network security, the three factors are vulnerability, threat, and attack.
– Vulnerability: the degree of weakness that is inherent in every network and device.
• Routers, switches, desktops, and servers.
– Threat: the people interested in taking advantage of each security weakness.
– Attack: the threats use a variety of tools and programs to launch attacks against networks.
There are three primary vulnerabilities:
– Technological weaknesses
• Computer and network technologies have intrinsic security weaknesses. These include the operating system and network equipment.
– Configuration weaknesses
• Network administrators need to learn what the configuration weaknesses are.
– Security policy weaknesses
• Security risks to the network exist if users do not follow the security policy.
Threats to Physical Infrastructure
A less glamorous, but no less important, class of threat is the physical security of devices. An attacker can deny the use of network resources if those resources can be physically compromised.
The four classes of physical threats are:
– Hardware threats - Physical damage to servers, routers, switches, the cabling plant, and workstations
– Environmental threats - Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
– Electrical threats - Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
– Maintenance threats - Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling
Here are some ways to mitigate physical threats: [...]

[...] the legitimate website.
• 3. The attacker can alter the legitimate webpage and apply any transformations to the data they want to make.
• 4. The attacker forwards the requested page to the victim.
WAN MITM attack mitigation is achieved using a VPN.
– LAN MITM attacks use tools such as ettercap and ARP poisoning.
• They can be mitigated by using port security on LAN switches.

[...] DoS attacks are the most publicized form of attack and also among the most difficult to eliminate.
– DoS attacks prevent authorized people from using a service by consuming system resources.
Ping of Death
– A ping is normally 64 bytes (84 bytes with the header). The IP packet size could be up to 65,535 bytes.
– A ping of this size may crash an older computer.
SYN Flood
– A SYN flood attack exploits the TCP 3-way handshake [...]
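The two DoS patterns named on the slides above (an oversized ping and a flood of half-open TCP handshakes) are both visible in packet telemetry, which is how a defender notices them. The following is an added detection example, not part of the original Cisco slides; it uses a constructed packet-summary record (field names `ts`, `src`, `dst`, `proto`, `length`, `sport`, `dport`, `flags` are assumptions for this example) and constructed sample traffic, not a real capture. It applies the slide's own numbers: 84 bytes for a normal ping and 65,535 bytes as the largest legal IP datagram.

```python
"""Flag oversized ICMP echoes and SYN-flood-style half-open connections.

Added example; records and thresholds are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal packet summary; field names are assumptions for this example."""
    ts: float        # arrival time in seconds
    src: str
    dst: str
    proto: str       # "icmp" or "tcp"
    length: int      # reassembled IP datagram length in bytes
    sport: int = 0
    dport: int = 0
    flags: str = ""  # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


NORMAL_PING_BYTES = 84   # 64-byte ping plus IP/ICMP headers, as the slide states
MAX_IP_BYTES = 65535     # largest legal IP datagram


def classify_pings(packets, limit=10 * NORMAL_PING_BYTES):
    """Return (src, length, verdict) for ICMP datagrams that are not normal-sized.

    'illegal'   = reassembled size beyond 65,535 bytes (classic ping of death)
    'oversized' = above `limit`, a site-tunable threshold for "unusually large"
    """
    findings = []
    for p in packets:
        if p.proto != "icmp":
            continue
        if p.length > MAX_IP_BYTES:
            findings.append((p.src, p.length, "illegal"))
        elif p.length > limit:
            findings.append((p.src, p.length, "oversized"))
    return findings


def half_open_per_victim(packets, window=10.0):
    """Count, per destination, handshakes that saw a SYN but never the client's ACK.

    Counting per victim rather than per source matters because flood sources
    are commonly spoofed; the victim address is the stable signal.
    """
    syn_seen = {}       # (src, sport, dst, dport) -> time of the SYN
    completed = set()
    for p in sorted(packets, key=lambda q: q.ts):
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            syn_seen[key] = p.ts
        elif p.flags == "A" and key in syn_seen and p.ts - syn_seen[key] <= window:
            completed.add(key)   # third step of the handshake arrived in time
    counts = Counter()
    for key in syn_seen:
        if key not in completed:
            counts[key[2]] += 1
    return dict(counts)


def syn_flood_alerts(packets, threshold=20, window=10.0):
    """Destinations whose half-open count reaches `threshold` (constructed cutoff)."""
    return sorted(dst for dst, n in half_open_per_victim(packets, window).items()
                  if n >= threshold)


# Constructed sample traffic: one normal ping, one illegal-size ping,
# 30 SYNs to port 80 with no follow-up ACK, and three legitimate handshakes.
SAMPLE = [
    Pkt(0.0, "10.0.0.5", "192.0.2.10", "icmp", 84),
    Pkt(0.1, "10.0.0.9", "192.0.2.10", "icmp", 70000),
]
for i in range(30):
    SAMPLE.append(Pkt(1.0 + i * 0.01, "198.51.100.7", "192.0.2.10", "tcp", 60,
                      40000 + i, 80, "S"))
for i in range(3):
    t = 2.0 + i
    SAMPLE += [
        Pkt(t, "10.0.0.7", "192.0.2.10", "tcp", 60, 50000 + i, 80, "S"),
        Pkt(t + 0.01, "192.0.2.10", "10.0.0.7", "tcp", 60, 80, 50000 + i, "SA"),
        Pkt(t + 0.02, "10.0.0.7", "192.0.2.10", "tcp", 52, 50000 + i, 80, "A"),
    ]

if __name__ == "__main__":
    print(classify_pings(SAMPLE))
    print(half_open_per_victim(SAMPLE))
    print(syn_flood_alerts(SAMPLE))
```

On the constructed sample the 84-byte ping is ignored, the 70,000-byte one is reported as illegal, and the 30 unanswered SYNs give the victim a half-open count of 30, above the example threshold. The threshold and window are site-specific; a busy server legitimately accumulates some half-open connections, so tune them against a baseline before alerting.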
[...] measures on a continuous basis. To begin the Security Wheel process, first develop a security policy that enables the application of security measures.
A security policy includes the following:
– Identifies the security objectives of the organization
– Documents the resources to be protected
– Identifies the network infrastructure with current maps and inventories
– Identifies the critical resources that need to [...]
– [...] personnel
– Authorizes security personnel to monitor, probe, and investigate
– Defines and authorizes the consequences of violations
The security policy is for everyone, including employees, contractors, suppliers, and customers who have access to the network.
– However, the security policy should treat each of these groups differently.
– Each group should only be shown the portion of the policy appropriate to their [...]

[...] two hosts.
– An attacker may catch a victim with a phishing e-mail or by defacing a website. For instance, http:www.legitimate.com becomes http:www.attacker.com/http://www.legitimate.com
• 1. When a victim requests a webpage, the victim's host makes the request to the attacker's host.
• 2. The attacker's host receives the request and fetches the real page from the legitimate website.
• 3. The attacker [...]

[...] uninterruptible power supply (UPS).
Update the router IOS whenever advisable.
– However, the latest version of an operating system may not be the most stable version available.
– To get the best security performance from your operating system, use the latest stable release that meets the feature requirements of your network.
Backup the router configuration and IOS.
– Keep a secure copy of the router image and router configuration [...]
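The slides state that LAN man-in-the-middle attacks rely on ARP poisoning and are mitigated with switch port security. The poisoning itself leaves a characteristic trace: the same IP address is suddenly claimed by a second MAC address, and one MAC claims several IPs at once (typically the gateway and a victim). The following added example (not from the original slides) shows the monitoring side of that mitigation over a constructed log of ARP replies; the `ArpReply` record and its fields are assumptions for this example, and the addresses are constructed.

```python
"""Spot ARP-poisoning symptoms in a log of observed ARP replies.

Added example; the reply records and addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply; field names are assumptions for this example."""
    ts: float
    sender_ip: str
    sender_mac: str


def build_bindings(replies):
    """Return (ip -> ordered list of distinct MACs that claimed it,
                mac -> set of IPs it claimed)."""
    ip_to_macs = defaultdict(list)
    mac_to_ips = defaultdict(set)
    for r in sorted(replies, key=lambda x: x.ts):
        if r.sender_mac not in ip_to_macs[r.sender_ip]:
            ip_to_macs[r.sender_ip].append(r.sender_mac)   # first-seen order
        mac_to_ips[r.sender_mac].add(r.sender_ip)
    return ip_to_macs, mac_to_ips


def arp_conflicts(replies, gateway_ip=None):
    """(ip, original_mac, new_mac) for every IP later claimed by a different MAC.

    A flip on the gateway address is the classic poisoning symptom, so gateway
    conflicts are sorted to the front of the list.
    """
    ip_to_macs, _ = build_bindings(replies)
    conflicts = []
    for ip, macs in ip_to_macs.items():
        for new_mac in macs[1:]:
            conflicts.append((ip, macs[0], new_mac))
    conflicts.sort(key=lambda c: (c[0] != gateway_ip, c[0]))
    return conflicts


def suspected_poisoners(replies, min_ips=2):
    """MACs that claimed at least `min_ips` distinct IPs: a host answering for
    both ends of a conversation is the usual LAN MITM setup."""
    _, mac_to_ips = build_bindings(replies)
    return sorted(mac for mac, ips in mac_to_ips.items() if len(ips) >= min_ips)


# Constructed sample: gateway .1 and two hosts bind normally, then a third
# station (cc:...) starts answering for both the gateway and host .20.
GATEWAY = "192.168.1.1"
SAMPLE_ARP = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(0.5, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(1.0, "192.168.1.21", "bb:bb:bb:bb:bb:21"),
    ArpReply(5.0, "192.168.1.1", "cc:cc:cc:cc:cc:cc"),
    ArpReply(5.1, "192.168.1.20", "cc:cc:cc:cc:cc:cc"),
    ArpReply(6.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(7.0, "192.168.1.1", "cc:cc:cc:cc:cc:cc"),
]

if __name__ == "__main__":
    for ip, old, new in arp_conflicts(SAMPLE_ARP, GATEWAY):
        print(f"ARP conflict: {ip} was {old}, now also claimed by {new}")
    print("suspected poisoners:", suspected_poisoners(SAMPLE_ARP))
```

A single IP-to-MAC flip is a signal, not proof: DHCP reassignments and replaced network cards also move an address. The combination of a gateway flip plus one MAC claiming several IPs is far more specific. Port security on the access switch (limiting the MAC addresses allowed per port, as the slide recommends) stops the spoofed replies from entering the network in the first place; this monitor is the check that the control is working.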
[...] illegitimate data.
– Typically, there are 3 components to a DDoS attack:
• A Client is typically a person who launches the attack.
• A Handler is a compromised host that controls multiple Agents.
• An Agent is a compromised host that is responsible for generating packets directed toward the intended victim.
Examples of DDoS attacks include the following:
– SMURF attack
– Tribe flood network (TFN)
– Stacheldraht
– MyDoom
The Smurf [...]

[...] infects any other versions of command.com.
– In a Trojan horse, the entire application is written to look like something else, when in fact it is an attack tool.
• An example of a Trojan horse is software that runs a game. While the user is occupied with the game, the Trojan horse mails a copy of itself to every address in the user's address book. These kinds of applications can be contained through the effective [...]

[...] features, called the Cisco Adaptive Security Appliance (ASA). The Cisco ASA integrates firewall, voice security, SSL and IPsec VPN, and IPS in one device.
Cisco IPS 4200 Series Sensors
– For larger networks, an inline intrusion prevention system is provided by the Cisco IPS 4200 series sensors. This sensor identifies, classifies, and stops malicious traffic on the network.
Cisco NAC Appliance
The Cisco NAC [...]

[...] Attacks
There are four primary classes of attacks.
Reconnaissance
– Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities.
– It is also known as information gathering.
– Reconnaissance is similar to a thief casing a neighborhood for vulnerable homes to break into.
Access
– System access is the ability for an intruder to gain access to a device for which the intruder [...]

Posted: 05/07/2014, 03:20
