
4.1 Introduction to Network Security

4.1.1 Why is Network Security Important?

As the types of threats, attacks, and exploits have evolved, various terms have been coined to describe the individuals involved. Some of the most common terms are as follows:

- White hat - An individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed.
- Hacker
- Black hat - Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat.
- Cracker - A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.
- Phreaker - An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long distance calls.
- Spammer - An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages.
- Phisher - Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.

Many attackers use this seven-step process to gain information and stage an attack:

Step 1. Perform footprint analysis (reconnaissance).
Step 2. Enumerate information. An attacker can expand on the footprint by monitoring network traffic with a packet sniffer such as Wireshark, finding information such as version numbers of FTP servers and mail servers.
Step 3. Manipulate users to gain access.
Step 4. Escalate privileges. After attackers gain basic access, they use their skills to increase their network privileges.
Step 5. Gather additional passwords and secrets. With improved access privileges, attackers use their talents to gain access to well-guarded, sensitive information.
Step 6. Install backdoors. Backdoors provide the attacker with a way to enter the system without being detected. The most common backdoor is an open listening TCP or UDP port.
Step 7. Leverage the compromised system. After a system is compromised, an attacker uses it to stage attacks on other hosts in the network.

A security policy meets these goals:

- Informs users, staff, and managers of their obligatory requirements for protecting technology and information assets
- Specifies the mechanisms through which these requirements can be met
- Provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy

4.1.2 Common Security Threats

When discussing network security, three common factors are vulnerability, threat, and attack. There are three primary vulnerabilities or weaknesses:

- Technological weaknesses
- Configuration weaknesses
- Security policy weaknesses

Computer and network technologies have intrinsic security weaknesses. These include TCP/IP protocol, operating system, and network equipment weaknesses.

Network administrators or network engineers need to learn what the configuration weaknesses are and correctly configure their computing and network devices to compensate. Security risks to the network exist if users do not follow the security policy. Some common security policy weaknesses and how those weaknesses are exploited are listed in the figure.

The four classes of physical threats are:

- Hardware threats - Physical damage to servers, routers, switches, cabling plant, and workstations
- Environmental threats - Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
- Electrical threats - Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
- Maintenance threats - Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling

security is not sufficiently prepared.

Here are some ways to mitigate physical threats:

- Hardware threat mitigation
- Environmental threat mitigation
- Electrical threat mitigation
- Mechanical threat mitigation

Threats to Networks:

- Unstructured threats
- Structured threats
- External threats
- Internal threats

4.1.3 Types of Network Attacks

Types of Network Attacks:

- Reconnaissance
- Access
- Denial of Service
- Worms, Viruses, and Trojan Horses

Reconnaissance Attacks

Reconnaissance attacks can consist of the following:

- Internet information queries
- Ping sweeps
- Port scans
- Packet sniffers

DDoS Attacks

Distributed DoS (DDoS) attacks are designed to saturate network links with illegitimate data. Examples of DDoS attacks include the following:

- SMURF attack
- Tribe flood network (TFN)
- Stacheldraht
- MyDoom

The following are the recommended steps for worm attack mitigation:

- Containment - Contain the spread of the worm in and within the network. Compartmentalize uninfected parts of the network.
- Inoculation - Start patching all systems and, if possible, scanning for vulnerable systems.
- Quarantine - Track down each infected machine inside the network. Disconnect, remove, or block infected machines from the network.
- Treatment - Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Intrusion prevention systems (IPS) prevent attacks against the network and should provide the following active defense mechanisms in addition to detection:

- Prevention - Stops the detected attack from executing.
- Reaction - Immunizes the system from future attacks from a malicious source.

4.2 Securing Cisco Routers

4.2.1 Router Security Issues

Routers fulfill the following roles:

- Advertise networks and filter who can use them.
- Provide access to network segments and subnetworks.

The type 7 encryption can be used by the enable password, username, and line password commands, including vty, line console, and aux port. It does not offer very much protection, as it only hides the password using a simple encryption algorithm. To encrypt passwords using type 7 encryption, use the service password-encryption global configuration command. Cisco recommends that type 5 encryption be used instead of type 7 whenever possible. MD5 encryption is a strong encryption method. It should be used whenever possible. It is configured by replacing the keyword password with secret. The local database usernames should also be configured using the username username secret password global configuration command.

Set the minimum character length for all router passwords using the security passwords min-length global configuration command, as shown in the figure. This command provides enhanced security access to the router by allowing you to specify a minimum password length.

4.2.4 Securing Remote Administrative Access to Routers

To secure administrative access to routers and switches, first you will secure the administrative lines (VTY, AUX), then you will configure the network device to encrypt traffic in an SSH tunnel. Logins may be completely prevented on any line by configuring the router with the login and no password commands. This is the default configuration for VTYs, but not for TTYs and the AUX port. Therefore, if these lines are not required, ensure that they are configured with the login and no password command combination.

For security reasons, VTY lines should be configured to accept connections only with the protocols actually needed. This is done with the transport input command. For example, a VTY that was expected to receive only Telnet sessions would be configured with transport input telnet, and a VTY permitting both Telnet and SSH sessions would have transport input telnet ssh configured.


4.2.5 Logging Router Activity

Routers support different levels of logging. The eight levels range from 0, emergencies indicating that the system is unstable, to 7 for debugging messages that include all router information. For example:

R2(config)#service timestamps ?
  debug  Timestamp debug messages
  log    Timestamp log messages
  <cr>
R2(config)#service timestamps

4.3 Secure Router Network Services

4.3.1 Vulnerable Router Services and Interfaces

Services which should typically be disabled are listed below. These include:

- Small services such as echo, discard, and chargen - Use the no service tcp-small-servers or no service udp-small-servers command.
- BOOTP - Use the no ip bootp server command.
- Finger - Use the no service finger command.
- HTTP - Use the no ip http server command.
- SNMP - Use the no snmp-server command.

It is also important to disable services that allow certain packets to pass through the router, send special packets, or are used for remote router configuration. The corresponding commands to disable these services are:

- Cisco Discovery Protocol (CDP) - Use the no cdp run command.
- Remote configuration - Use the no service config command.
- Source routing - Use the no ip source-route command.
- Classless routing - Use the no ip classless command.

The interfaces on the router can be made more secure by using certain commands in interface configuration mode:

- Unused interfaces - Use the shutdown command.
- No SMURF attacks - Use the no ip directed-broadcast command.
- Ad hoc routing - Use the no ip proxy-arp command.
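The password (4.2.1), line (4.2.4) and service/interface (4.3.1) recommendations above can be checked mechanically against a saved running-config. The script below is an added example written for these notes, not Cisco's or the course's code. Both sample configs in it are constructed by hand rather than captured from a router: WEAK mixes correct and weak settings, HARDENED applies the commands the notes name. The service checks are deliberately conservative: a missing "no ..." line is reported as "not confirmed disabled", because several of these services are off by default on newer IOS releases and the disabling command then never appears in the configuration.

```python
"""Audit an IOS running-config for the hardening items in 4.2 and 4.3.1.
Added example, not from the course notes. Both configs are constructed by hand
(no real device): WEAK mixes good and bad settings, HARDENED applies the fixes."""

WEAK = """\
enable password cisco123
username admin password 0 letmein
no service tcp-small-servers
no ip bootp server
no service finger
ip http server
no cdp run
!
interface FastEthernet0/0
 no ip proxy-arp
!
line aux 0
 login
line vty 0 4
 login
 transport input telnet ssh
"""
HARDENED = """\
service password-encryption
security passwords min-length 10
enable secret 5 $1$xxxx$PLACEHOLDER_MD5_HASH
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no service config
no ip source-route
no cdp run
interface FastEthernet0/0
 no ip directed-broadcast
 no ip proxy-arp
line aux 0
 login
line vty 0 4
 login
 transport input ssh
"""
# 4.3.1: services the notes turn off with an explicit 'no ...' command.
EXPLICIT_DISABLE = ["no service tcp-small-servers", "no service udp-small-servers",
                    "no ip bootp server", "no service finger", "no service config",
                    "no ip source-route", "no cdp run"]
# Services whose enabling command appears in the config only while they are on.
ENABLE_MARKERS = ["ip http server", "snmp-server community"]


def split_blocks(config):
    """Return (global commands, {'interface ...' or 'line ...': [sub-commands]})."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":              # '!' separates sections in IOS output
            current = None
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(text)         # indented line belongs to the open block
        elif text.startswith(("interface ", "line ")):
            current, blocks[text] = text, []
        else:
            current = None
            globals_.append(text)
    return globals_, blocks


def audit_config(config):
    """Return (code, explanation) findings; an empty list means nothing to report."""
    globals_, blocks = split_blocks(config)
    out = []
    # 4.2.x passwords: type 7 only obscures; the type 5 (MD5) 'secret' is the fix.
    if "service password-encryption" not in globals_:
        out.append(("NO_PW_ENCRYPTION", "line/username passwords stored in clear text"))
    if any(g.startswith("enable password ") for g in globals_) and not any(
            g.startswith("enable secret ") for g in globals_):
        out.append(("ENABLE_PASSWORD", "enable password without enable secret"))
    for g in globals_:
        if g.startswith("username ") and " password " in g:
            out.append(("USERNAME_PASSWORD", f"user {g.split()[1]}: use 'username ... secret'"))
    if not any(g.startswith("security passwords min-length ") for g in globals_):
        out.append(("NO_MIN_LENGTH", "security passwords min-length is not set"))
    # 4.3.1 services: a missing 'no ...' line means 'not confirmed off', not 'on'.
    out += [("NOT_DISABLED", f"'{cmd}' not present") for cmd in EXPLICIT_DISABLE
            if cmd not in globals_]
    out += [("ENABLED", f"'{m}' found") for m in ENABLE_MARKERS
            if any(g.startswith(m) for g in globals_)]
    for name, cmds in blocks.items():
        # 4.2.4: an AUX line with 'login' and no 'password' rejects every login.
        has_pw = any(c.startswith("password ") for c in cmds)
        if name.startswith("line aux") and not ("login" in cmds and not has_pw):
            out.append(("AUX_OPEN", f"{name}: not locked with 'login' + 'no password'"))
        # 4.2.4: VTYs should accept only the protocols actually needed.
        if name.startswith("line vty"):
            out += [("VTY_TELNET", f"{name}: '{c}' permits clear-text Telnet") for c in cmds
                    if c.startswith("transport input") and "telnet" in c.split()]
        # 4.3.1 interfaces: directed broadcasts and proxy ARP (shut interfaces skipped).
        if name.startswith("interface ") and "shutdown" not in cmds:
            out += [("IF_NOT_HARDENED", f"{name}: '{cmd}' not present")
                    for cmd in ("no ip directed-broadcast", "no ip proxy-arp") if cmd not in cmds]
    return out
```

Running audit_config(WEAK) reports ten findings, among them the enable password without a secret, the username stored with password instead of secret, the three services with no explicit disabling command, the HTTP server that is switched on, and the VTY that still accepts Telnet; audit_config(HARDENED) returns an empty list.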

4.3.2 Securing Routing Protocols

The best way to protect routing information on the network is to authenticate routing protocol packets using message digest algorithm 5 (MD5).

4.3.3 Locking Down Your Router with Cisco AutoSecure

Cisco AutoSecure uses a single command to disable non-essential system processes and services, eliminating potential security threats. You can configure AutoSecure in privileged EXEC mode using the auto secure command in one of these two modes:

- Interactive mode - This mode prompts you with options to enable and disable services and other security features. This is the default mode.
- Non-interactive mode - This mode automatically executes the auto secure command with the recommended Cisco default settings. This mode is enabled with the no-interact command option.

4.4 Using Cisco SDM

4.4.1 Cisco SDM Overview

4.4.2 Configuring your Router to Support Cisco SDM

To configure Cisco SDM on a router already in use, without disrupting network traffic, follow these steps:

Step 1. Access the router's Cisco CLI interface using Telnet or the console connection.
Step 2. Enable the HTTP and HTTPS servers on the router.
Step 3. Create a user account defined with privilege level 15 (enable privileges).
Step 4. Configure SSH and Telnet for local login and privilege level 15.

4.4.3 Starting Cisco SDM

Cisco SDM is stored in the router flash memory. It can also be stored on a local PC. To launch the Cisco SDM, use the HTTPS protocol and put the IP address of the router into the browser. The figure shows the browser with an address of https://198.162.20.1 and the launch page for Cisco SDM. The http:// prefix can be used if SSL is not available. When the username and password dialog box appears (not shown), enter a username and password for the privileged (privilege level 15) account on the router.

4.4.4 The Cisco SDM Interface

The one-step lockdown wizard is accessed from the Configure GUI interface by clicking the Security Audit task. The one-step lockdown wizard tests your router configuration for potential security problems and automatically makes any necessary configuration changes to correct any problems found.

4.5 Secure Router Management

4.5.1 Maintaining Cisco IOS Software Images

Cisco recommends following a four-phase migration process to simplify network operations and management. When you follow a repeatable process, you can also benefit from reduced costs in operations, management, and training. The four phases are:

- Plan - Set goals, identify resources, profile network hardware and software, and create a preliminary schedule for migrating to new releases.
- Design - Choose new Cisco IOS releases and create a strategy for migrating to the releases.
- Implement - Schedule and execute the migration.
- Operate - Monitor the migration progress and make backup copies of images that are running on your network.

The following tools do not require a Cisco.com login:

- Cisco IOS Reference Guide - Covers the basics of the Cisco IOS software family
- Cisco IOS software technical documents - Documentation for each release of Cisco IOS software
- Cisco Feature Navigator - Finds releases that support a set of software features and hardware, and compares releases

The following tools require valid Cisco.com login accounts:

- Download Software - Cisco IOS software downloads
- Bug Toolkit - Searches for known software fixes based on software version, feature set, and keywords
- Software Advisor - Compares releases, matches Cisco IOS software and Cisco Catalyst OS features to releases, and finds out which software release supports a given hardware device
- Cisco IOS Upgrade Planner - Finds releases by hardware, release, and feature set, and downloads images of Cisco IOS software

4.5.2 Managing Cisco IOS Images

Cisco IOS devices provide a feature called the Cisco IOS Integrated File System (IFS). This system allows you to create, navigate, and manipulate directories on a Cisco device. The directories available depend on the platform.

# show file systems
# dir flash:
# cd nvram:
# dir

Prefixes

For instance, the TFTP example in the figure is: tftp://192.168.20.254/configs/backup-config. The expression "tftp:" is called the prefix. Everything after the double-slash (//) defines the location. 192.168.20.254 is the location of the TFTP server. "configs" is the master directory. "backup-config" is the filename.

Copy the running configuration from RAM to the startup configuration in NVRAM:
R2# copy running-config startup-config
R2# copy system:running-config nvram:startup-config

Copy the running configuration from RAM to a remote location:
R2# copy running-config tftp:
R2# copy system:running-config tftp:

Copy a configuration from a remote source to the running configuration:
R2# copy tftp: running-config
R2# copy tftp: system:running-config

Copy a configuration from a remote source to the startup configuration:
R2# copy tftp: startup-config
R2# copy tftp: nvram:startup-config

Other feature set possibilities include (others from ipbase):

- i - Designates the IP feature set
- j - Designates the enterprise feature set (all protocols)
- s - Designates a PLUS feature set (extra queuing, manipulation, or translations)
- 56i - Designates 56-bit IPsec DES encryption
- 3 - Designates the firewall/IDS
- k2 - Designates the 3DES IPsec encryption (168 bit)

4.5.3 TFTP Managed Cisco IOS Images

Before changing a Cisco IOS image on the router, you need to complete these tasks:

- Determine the memory required for the update and, if necessary, install additional memory.
- Set up and test the file transfer capability between the administrator host and the router.
- Schedule the required downtime, normally outside of business hours, for the router to perform the update.

When you are ready to do the update, carry out these steps:

- Shut down all interfaces on the router not needed to perform the update.
- Back up the current operating system and the current configuration file to a TFTP server.
- Load the update for either the operating system or the configuration file.
- Test to confirm that the update works properly. If the tests are successful, you can then re-enable the interfaces you disabled. If the tests are not successful, back out the update, determine what went wrong, and start again.

4.5.4 Backing up and Upgrading Software Image

To copy a Cisco IOS software image from flash memory to the network TFTP server, you should follow these suggested steps.

Step 1. Ping the TFTP server to make sure you have access to it.
Step 2. Verify that the TFTP server has sufficient disk space to accommodate the Cisco IOS software image. Use the show flash: command on the router to determine the size of the Cisco IOS image file.
Step 3. Copy the current system image file from the router to the network TFTP server, using the copy flash: tftp: command in privileged EXEC mode. The command requires that you enter the IP address of the remote host and the name of the source and destination system image files.
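The "determine the memory required" task in 4.5.3 and the show flash: step above come down to one arithmetic check: does the new image fit in the free space, does it fit only if the current image is deleted first (after it has been backed up with copy flash: tftp:), or is more flash needed. The script below is an added example written for these notes, not Cisco's or the course's code. SHOW_FLASH is a constructed sample laid out like the show flash: output of an ISR, not a capture from a real router, and the candidate image sizes are made up. It also splits the classic platform-featureset-mz.version.bin image name into its parts, which is where the feature-set designators listed in 4.5.2 appear.

```python
"""Pre-upgrade checks for the TFTP image procedure in 4.5.3/4.5.4.
Added example, not from the course notes. SHOW_FLASH is a constructed sample in the
layout 'show flash:' prints on an ISR (not captured from a real router), and the
size of the new image is made up."""
import re

SHOW_FLASH = """\
-#- --length-- -----date/time------ path
1     13937472 May 05 2007 21:25:16 c1841-advipservicesk9-mz.124-10b.bin
2         1821 May 05 2007 21:37:14 sdmconfig-18xx.cfg
3      4734464 May 05 2007 21:38:05 sdm.tar

18116608 bytes available (13942784 bytes used)
"""
CURRENT_IMAGE = "c1841-advipservicesk9-mz.124-10b.bin"

FILE_ROW = re.compile(r"\s*\d+\s+(\d+)\s+\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)")
AVAILABLE = re.compile(r"\s*(\d+) bytes available")


def parse_show_flash(text):
    """Return ({filename: size in bytes}, bytes available) from 'show flash:' output."""
    files, available = {}, None
    for line in text.splitlines():
        row = FILE_ROW.match(line)
        if row:
            files[row.group(2)] = int(row.group(1))
            continue
        free = AVAILABLE.match(line)
        if free:
            available = int(free.group(1))
    if available is None:
        raise ValueError("no 'bytes available' line in show flash: output")
    return files, available


def upgrade_plan(show_flash, new_image_size, current_image):
    """Say whether a new image of new_image_size bytes fits (the 'determine the memory' task)."""
    files, available = parse_show_flash(show_flash)
    if current_image not in files:
        raise KeyError(f"{current_image} is not in flash")
    if new_image_size <= available:
        return "fits alongside the current image"   # keep the old image as a fallback
    if new_image_size <= available + files[current_image]:
        return "fits only after deleting the current image (copy flash: tftp: first)"
    return "does not fit: install additional memory"


def split_image_name(filename):
    """Split the classic platform-featureset-mz.version.bin name into its parts."""
    m = re.match(r"([a-z0-9]+)-([a-z0-9_]+)-mz\.(\d+)(\d)-(\w+)\.bin$", filename)
    if not m:
        raise ValueError(f"unrecognised image name: {filename}")
    platform, feature_set, major, minor, release = m.groups()
    return platform, feature_set, f"{major}.{minor}({release})"


if __name__ == "__main__":
    files, free = parse_show_flash(SHOW_FLASH)
    print(split_image_name(CURRENT_IMAGE), f"{files[CURRENT_IMAGE]} bytes, {free} bytes free")
    for size in (15_000_000, 25_000_000, 40_000_000):
        print(size, "->", upgrade_plan(SHOW_FLASH, size, CURRENT_IMAGE))
```

With the constructed listing, a 15 MB image fits beside the current one, a 25 MB image fits only once the 13.9 MB current image has been backed up and deleted, and a 40 MB image exceeds even that; the image name splits into platform c1841, feature set advipservicesk9 and version 12.4(10b).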

4.5.5 Recovering Software Images

Step 1. Connect the devices.
Step 3. Enter the tftpdnld command at the ROMmon prompt.

Another method for restoring a Cisco IOS image to a router is by using Xmodem. However, the file transfer is accomplished using the console cable and is therefore very slow when compared to the tftpdnld command.

Step 1. Connect the PC of the system administrator to the console port on the affected router. Open a terminal emulation session between the router R1 and the PC of the system administrator.
Step 2. Boot the router and issue the xmodem command at the ROMmon command prompt. The command syntax is xmodem [-cyr] [filename]. The cyr option varies depending on the configuration. For instance, -c specifies CRC-16, y specifies the Ymodem protocol, and r copies the image to RAM. The filename is the name of the file to be transferred.
Step 3. The figure shows the process for sending a file using HyperTerminal. In this case, select Transfer > Send File.
Step 4. Browse to the location of the Cisco IOS image you want to transfer and choose the Xmodem protocol. Click Send. A dialog box appears displaying the status of the download. It takes several seconds before the host and the router begin transferring the information.

4.5.6 Troubleshooting Cisco IOS Configurations

Show, debug

4.5.7 Recovering a Lost Router Password

The enable password and the enable secret password protect access to privileged EXEC and configuration modes. The enable password can be recovered, but the enable secret password is encrypted and must be replaced with a new password.

The configuration register is a concept that you will learn more about later in your studies. The configuration register is similar to your PC BIOS settings, which control the bootup process. Among other things, the BIOS tells the PC from which hard disk to boot. In a router, a configuration register, represented by a single hexadecimal value, tells the router what specific steps to take when powered on. Configuration registers have many uses, and password recovery is probably the most used.

Step 1. Connect to the console port.
Step 2. If you have lost the enable password, you would still have access to user EXEC mode. Type show version at the prompt, and record the configuration register setting.

R1>show version
<show command output omitted>
Configuration register is 0x2102
R1>

The configuration register is usually set to 0x2102 or 0x102. If you can no longer access the router (because of a lost login or TACACS password), you can safely assume that your configuration register is set to 0x2102.
Step 3. Use the power switch to turn off the router, and then turn the router back on.
Step 4. Issue a Break signal from the terminal within 60 seconds of power up to put the router into ROMmon. A Break signal is sent using a break key sequence appropriate for the terminal program and the operating system.

Click Bypass Startup in the figure.

Step 5. Type confreg 0x2142 at the rommon 1> prompt. This causes the router to bypass the startup configuration where the forgotten enable password is stored.
Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration.
Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
Step 8. Type enable at the Router> prompt. This puts you into enable mode, and you should be able to see the Router# prompt.
Step 9. Type copy startup-config running-config to copy the NVRAM into memory. Be careful! Do not type copy running-config startup-config or you will erase your startup configuration.
Step 10. Type show running-config. In this configuration, the shutdown command appears under all interfaces because all the interfaces are currently shut down. Most importantly though, you can now see the passwords (enable password, enable secret, vty, console passwords) either in encrypted or unencrypted format. You can reuse unencrypted passwords. You must change encrypted passwords to a new password. Click Reset Passwords in the figure.
Step 11. Type configure terminal. The R1(config)# prompt appears.
Step 12. Type enable secret password to change the enable secret password. For example: R1(config)# enable secret cisco
Step 13. Issue the no shutdown command on every interface that you want to use. You can issue a show ip interface brief command to confirm that your interface configuration is correct. Every interface that you want to use should display up up.
Step 14. Type config-register configuration_register_setting. The configuration_register_setting is either the value you recorded in Step 2 or 0x2102. For example: R1(config)#config-register 0x2102
Step 15. Press Ctrl-Z or type end to leave configuration mode. The R1# prompt appears.
Step 16. Type copy running-config startup-config to commit the changes.
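The whole procedure above turns on one bit of the configuration register: 0x2142 differs from 0x2102 only in bit 6 (0x0040), which tells the router to boot without loading the startup configuration from NVRAM. Step 14 clears that bit again; a router left at 0x2142 would come up with an empty configuration, and therefore with no passwords at all, after its next reload. The script below is an added example written for these notes, not Cisco's or the course's code; it decodes the register values the procedure uses with the standard config-register bit layout, and flags the case where Step 14 was forgotten.

```python
"""Decode the configuration-register values used in the password recovery steps (4.5.7).
Added example, not from the course notes. The bit layout below is the standard Cisco
config-register layout; the 0x2102 / 0x2142 values are the ones in the procedure."""

IGNORE_NVRAM = 0x0040   # bit 6: boot without loading startup-config (what confreg 0x2142 sets)
BREAK_OFF = 0x0100      # bit 8: Break ignored once IOS is up (still honoured in the first 60 s)
ROM_FALLBACK = 0x2000   # bit 13: boot the ROM image if a network boot fails


def decode_register(value):
    """Describe what a 16-bit configuration register makes the router do at power-up."""
    boot_field = value & 0xF            # bits 0-3 select where the IOS image comes from
    if boot_field == 0x0:
        boot = "stay in ROMmon"
    elif boot_field == 0x1:
        boot = "boot the boot helper image from flash"
    else:
        boot = "boot as directed by 'boot system' commands (default: first image in flash)"
    return {
        "boot_field": boot_field,
        "boot": boot,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_OFF),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


def bypass_value(recorded):
    """Step 5: the value typed at rommon is the recorded register with bit 6 set."""
    return recorded | IGNORE_NVRAM


def restored_value(bypass):
    """Step 14: clear bit 6 again so startup-config loads on the next reload."""
    return bypass & ~IGNORE_NVRAM


def post_recovery_check(recorded, current):
    """Flag a router left at 0x2142: it would boot unconfigured and unprotected after a reload."""
    if decode_register(current)["ignore_startup_config"]:
        return f"UNSAFE: 0x{current:04x} still ignores NVRAM; run config-register 0x{recorded:04x}"
    return f"ok: 0x{current:04x} loads startup-config at boot"


if __name__ == "__main__":
    for reg in (0x2102, 0x0102, 0x2142):
        print(f"0x{reg:04x}: {decode_register(reg)}")
    print(post_recovery_check(0x2102, bypass_value(0x2102)))
    print(post_recovery_check(0x2102, restored_value(0x2142)))
```

For 0x2102 the decoder reports boot field 2, Break disabled after boot and ROM fallback enabled, with startup-config loaded normally; 0x2142 is identical except that startup-config is ignored, which is exactly what the recovery relies on and exactly what must be undone afterwards.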
