
The primary vulnerabilities for end user computers are virus, worm, and Trojan Horse attacks:

- A virus is malicious software which attaches to another program to execute a specific unwanted
function on a computer.
- A worm executes arbitrary code and installs copies of itself in the memory of the infected
computer, which then infects other hosts.
- A Trojan Horse is an application written to look like something else. When a Trojan Horse is
downloaded and opened, it attacks the end user computer from within.
Virus
- A computer virus is a program that can copy itself and infect a computer without the knowledge
of the user.
- A virus is a malicious code that is attached to legitimate programs or executable files.
- Most viruses require end user activation and can lay dormant for an extended period and then
activate at a specific time or date.
- A simple virus may insert itself at the entry point of an executable file, so that it runs
before the legitimate code. When activated, the virus might search the disk for other
executables and infect every file it has not yet infected.
- Viruses can be harmless, such as those that display a picture on the screen, or they can be
destructive, such as those that modify or delete files on the hard drive. Viruses can also be
programmed to mutate to avoid detection.
In the past, viruses were usually spread via floppy disks and computer modems. Today, most viruses are
spread by USB memory sticks, CDs, DVDs, network shares, or email. Email viruses are now the most
common type of virus.
Worms
- Worms are a particularly dangerous type of hostile code.
- They replicate themselves by independently exploiting vulnerabilities in networks. Worms
usually slow down networks.
- Whereas a virus requires a host program to run, worms can run by themselves. They do not
require user participation and can spread very quickly over the network.
- A worm gains its initial foothold on a vulnerable system through an exploit mechanism: most
often a directly exploitable network service, but also carriers such as an email attachment, an
executable file, or a Trojan Horse.
- After gaining access to a device, the worm replicates itself and locates new targets.
- Worms are self-contained programs that attack a system to exploit a known vulnerability. Upon
successful exploitation, the worm copies itself from the attacking host to the newly exploited
system and the cycle begins again.


Trojan Horse
- The term Trojan Horse originated from Greek mythology.
- Greek warriors offered the people of Troy (Trojans) a giant hollow horse as a gift. The Trojans
brought the giant horse into their walled city, unaware that it contained many Greek warriors.
At night, after most Trojans were asleep, the warriors burst out of the horse and overtook the
city.
- A Trojan Horse in the world of computing is malware that carries out malicious operations under
the guise of a desired function.
- A Trojan Horse contains hidden, malicious code that exploits the privileges of the user that runs
it.
- Games can often have a Trojan Horse attached to them. When running the game, the game
works, but in the background, the Trojan Horse has been installed on the user's system and
continues running after the game has been closed.
- The Trojan Horse concept is flexible. It can cause immediate damage, provide remote access to
the system (a back door), or perform actions as instructed remotely, such as "send me the
password file once per week."
- Custom-written Trojan Horses, built for a specific target, are difficult to detect: no antivirus
signature exists for code that has never been seen anywhere else.
Trojan Horses are usually classified according to the damage that they cause or the manner in which
they breach a system:
- Remote-access Trojan Horse - enables unauthorized remote access
- Data sending Trojan Horse - provides the attacker with sensitive data such as passwords
- Destructive Trojan Horse - corrupts or deletes files
- Proxy Trojan Horse - user's computer functions as a proxy server
- FTP Trojan Horse - opens TCP port 21 (FTP) on the victim so the attacker can transfer files to and from it
- Security software disabler Trojan Horse - stops antivirus programs or firewalls from functioning
- Denial of Service Trojan Horse - slows or halts network activity
Mitigating Virus/Trojan Horse
- The primary means of mitigating virus and Trojan Horse attacks is antivirus software. Antivirus
software helps prevent hosts from getting infected and spreading malicious code.
- It requires much more time to clean up infected computers than it does to maintain up-to-date
antivirus software and antivirus definitions on the same machines.
- Antivirus software is the most widely deployed security product on the market today.
- Several companies that create antivirus software, such as Symantec, Computer Associates,
McAfee, and Trend Micro, have been in the business of detecting and eliminating viruses for
more than a decade.
- Antivirus products have update automation options so that new virus definitions and new
software updates can be downloaded automatically or on demand.
Mitigating Worm
- Worms are more network-based than viruses. Worm mitigation requires diligence and
coordination on the part of network security professionals.
- The response to a worm infection can be broken down into four phases: containment,
inoculation, quarantine, and treatment.

The containment phase
- involves limiting the spread of a worm infection to areas of the network that are already
affected.
- This requires compartmentalization and segmentation of the network to slow down or stop the
worm and prevent currently infected hosts from targeting and infecting other systems.
- Containment requires using both outgoing and incoming ACLs on routers and firewalls at control
points within the network.

The inoculation phase
- runs parallel to or subsequent to the containment phase.
- During the inoculation phase, all uninfected systems are patched with the appropriate vendor
patch for the vulnerability. The inoculation process further deprives the worm of any available
targets.
- A network scanner can help identify potentially vulnerable hosts.
- The mobile environment prevalent on modern networks poses significant challenges.
- Laptops are routinely taken out of the secure network environment and connected to
potentially unsecure environments, such as home networks.
- Without proper patching of the system, a laptop can be infected with a worm or virus and then
bring it back into the secure environment of the organization's network where it can infect other
systems.

The quarantine phase
- involves tracking down and identifying infected machines within the contained areas and
disconnecting, blocking, or removing them.
- This isolates these systems appropriately for the treatment phase.


Treatment phase
- Actively infected systems are disinfected of the worm. This can involve terminating the worm
process, removing modified files or system settings that the worm introduced, and patching the
vulnerability the worm used to exploit the system.
- Alternatively, in more severe cases, the system may need to be reinstalled to ensure that the
worm and its byproducts are removed.

ATTACKS:
There are many different types of network attacks other than viruses, worms, and Trojan Horses. To
mitigate attacks, it is useful to first categorize the various types of attacks. By categorizing network
attacks, it is possible to address types of attacks rather than individual attacks. There is no standardized
way of categorizing network attacks. The method used in this course classifies attacks in three major
categories.

Reconnaissance Attacks
Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or
vulnerabilities. Reconnaissance attacks often employ the use of packet sniffers and port scanners, which
are widely available as free downloads on the Internet. Reconnaissance is analogous to a thief surveying
a neighborhood for vulnerable homes to break into, such as an unoccupied residence or a house with an
easy-to-open door or window.

Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to
gain entry to web accounts, confidential databases, and other sensitive information. An access attack
can be performed in many different ways. An access attack often employs a dictionary attack to guess
system passwords. There are also specialized dictionaries for different languages that can be used.

Denial of Service Attacks
Denial of service attacks send extremely large numbers of requests over a network or the Internet.
These excessive requests cause the target device to run sub-optimally. Consequently, the attacked
device becomes unavailable for legitimate access and use. By executing exploits or combinations of
exploits, DoS attacks slow or crash applications and processes.

Reconnaissance
- Also known as information gathering and, in most cases, precedes an access or DoS attack.
- In a reconnaissance attack, the malicious intruder typically begins by conducting a ping sweep of
the target network to determine which IP addresses are active. The intruder then determines
which services or ports are available on the live IP addresses. Nmap is the most popular
application for performing port scans.
- From the port information obtained, the intruder queries the ports to determine the type and
version of the application and operating system that is running on the target host.
- In many cases, the intruders look for vulnerable services that can be exploited later when there
is less likelihood of being caught.
Reconnaissance attacks use various tools to gather information about a network:
- Packet sniffers
- Ping sweeps
- Port scans
- Internet information queries

A packet sniffer is a software application that uses a network adapter card in promiscuous mode to
capture all network packets that are sent across a LAN. Promiscuous mode is a mode in which the
network adapter card sends all packets that are received to an application for processing. Some network
applications distribute network packets in unencrypted plaintext. Because the network packets are not
encrypted, they can be understood by any application that can pick them off the network and process
them.
- On a shared (hub-based) segment a packet sniffer sees every frame in its collision domain. On
a switched network it sees only frames sent to its own port plus broadcast and flooded frames,
unless the attacker can mirror traffic through a switch SPAN port or redirect it at Layer 2 (for
example by ARP spoofing or MAC address flooding).
- Numerous free and open-source packet sniffers, such as Wireshark, are available and decode
the protocols for the user, so no understanding of the underlying protocols is required.

Internet information queries can reveal information such as who owns a particular domain and what
addresses have been assigned to that domain. They can also reveal who owns a particular IP address
and which domain is associated with the address.

A ping sweep is a basic network scanning technique that determines which range of IP addresses map to
live hosts. A single ping indicates whether one specified host computer exists on the network. A ping
sweep consists of ICMP echo requests sent to multiple hosts. If a given address is live, the address
returns an ICMP echo reply. Ping sweeps are among the older and slower methods used to scan a
network.

Each listening service on a host is bound to a port number, and common services use well-known
ports (for example, TCP 22 for SSH and TCP 80 for HTTP). Port scanning is a scan of a range of TCP
or UDP port numbers on a host to detect listening services. It consists of sending a probe to each
port and classifying the response: for a TCP SYN probe, a SYN-ACK means the port is open, a RST
means it is closed, and no reply usually means a firewall is filtering it.

Ping sweeps of addresses revealed by Internet information queries can present a picture of the live
hosts in a particular environment. After such a list is generated, port scanning tools can cycle through all
well-known ports to provide a complete list of all services that are running on the hosts that the ping
sweep discovered. Hackers can then examine the characteristics of active applications, which can lead to
specific information that is useful to a hacker whose intent is to compromise that service.

Keep in mind that reconnaissance attacks are typically the precursor to further attacks with the
intention of gaining unauthorized access to a network or disrupting network functionality. A network
security professional can detect when a reconnaissance attack is underway by configuring alarms that
are triggered when certain parameters are exceeded, such as the number of ICMP echo requests per
second from a single source, or the number of distinct ports probed on one host.
A variety of technologies and devices can be used to monitor this type of activity and generate an alarm.
Cisco's Adaptive Security Appliance (ASA) provides intrusion prevention in a standalone device.
Additionally, the Cisco ISR supports network-based intrusion prevention through the Cisco IOS security
image.
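The threshold alarms described above, as an added example that is not part of the original course material: a small detector run over constructed flow records (one tuple per packet: time in seconds, source, destination, protocol, destination port). The record layout, the 10.0.0.99 scanner and the thresholds are assumptions for illustration; in practice the input would be NetFlow, IPS or firewall logs, and the thresholds would be tuned to the network's normal traffic.

```python
"""Threshold-based detection of ping sweeps and port scans over flow records.

Added example, not from the course text. Record format (an assumption):
(time_seconds, src_ip, dst_ip, protocol, dst_port); dst_port is None for ICMP.
"""
from collections import defaultdict

SCANNER = "10.0.0.99"

# Constructed sample traffic: a ping sweep, then a port scan of the one host
# that answered, mixed with a few ordinary user connections.
SAMPLE_PACKETS = (
    # ping sweep: 50 hosts probed within one second
    [(0.1 + i * 0.01, SCANNER, "192.0.2.%d" % (i + 1), "icmp", None) for i in range(50)]
    # port scan: 200 TCP ports on 192.0.2.10 within one second
    + [(2.1 + i * 0.004, SCANNER, "192.0.2.10", "tcp", 1 + i) for i in range(200)]
    # ordinary users: a browser, one ping, one SSH session
    + [(0.5, "10.0.0.7", "192.0.2.10", "tcp", 443), (1.5, "10.0.0.7", "192.0.2.10", "tcp", 443),
       (3.0, "10.0.0.8", "192.0.2.20", "icmp", None), (3.2, "10.0.0.8", "192.0.2.10", "tcp", 22)]
)


def detect_recon(packets, window=1.0, icmp_hosts_threshold=20, ports_threshold=50):
    """Return sorted alerts as (kind, src_ip, window_start, count).

    ping_sweep: one source sends ICMP to more than icmp_hosts_threshold distinct
    destinations inside one window-second bucket.
    port_scan: one source touches more than ports_threshold distinct TCP/UDP
    ports on a single destination inside one bucket.
    """
    icmp_targets = defaultdict(set)   # (src, bucket) -> {dst}
    port_targets = defaultdict(set)   # (src, dst, bucket) -> {port}
    for ts, src, dst, proto, port in packets:
        bucket = int(ts // window)
        if proto == "icmp":
            icmp_targets[(src, bucket)].add(dst)
        elif port is not None:
            port_targets[(src, dst, bucket)].add(port)

    alerts = []
    for (src, bucket), dsts in icmp_targets.items():
        if len(dsts) > icmp_hosts_threshold:
            alerts.append(("ping_sweep", src, bucket * window, len(dsts)))
    for (src, dst, bucket), ports in port_targets.items():
        if len(ports) > ports_threshold:
            alerts.append(("port_scan", src, bucket * window, len(ports)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_PACKETS):
        print(alert)
```

Fixed one-second buckets are the simplest form of the rate alarm; a slow scanner that spreads its probes over hours stays under any per-second threshold, which is why an IPS also correlates over longer windows and across sensors.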


Access Attacks
Hackers use access attacks on networks or systems for three reasons: retrieve data, gain access, and
escalate access privileges.

Access attacks often employ password attacks to guess system passwords. Password attacks can be
implemented using several methods, including brute-force attacks, Trojan Horse programs, IP spoofing,
and packet sniffers. However, most password attacks are guessing attacks: a brute-force attack tries
every possible combination, while a dictionary attack tries a list of likely passwords; this course
uses "brute-force" loosely to cover both.

A brute-force attack is often performed using a program that runs across the network and attempts to
log in to a shared resource, such as a server. After an attacker gains access to a resource, the attacker
has the same access rights as the user whose account was compromised. If this account has sufficient
privileges, the attacker can create a back door for future access without concern for any status and
password changes to the compromised user account.

As an example, an attacker can run the L0phtCrack (LC5) application against captured Windows
password hashes and recover the passwords by dictionary and brute-force cracking. With a valid
password in hand, the attacker can install a keylogger, which sends a copy of all keystrokes to a
desired destination. Or, a Trojan Horse can be installed to send a copy of all packets sent and
received by the target to a particular destination, thus enabling the monitoring of all the traffic
to and from that server.
There are five types of access attacks:

Password attack - An attacker attempts to guess system passwords. A common example is a dictionary
attack.
Trust exploitation - An attacker uses privileges granted to a system in an unauthorized way, possibly
leading to compromising the target.
Port redirection - A compromised system is used as a jump-off point for attacks against other targets. An
intrusion tool is installed on the compromised system for session redirection.
Man-in-the-middle attack - An attacker is positioned in the middle of communications between two
legitimate entities in order to read or modify the data that passes between the two parties. A popular
man-in-the-middle attack involves a laptop acting as a rogue access point to capture and copy all
network traffic from a targeted user. Often the user is in a public location on a wireless hotspot.
Buffer overflow - A program writes data beyond the allocated buffer memory. Buffer overflows usually
arise as a consequence of a bug in a C or C++ program that copies input without checking its length.
The overflow corrupts adjacent memory, such as other variables or a saved return address, and a
crafted input can exploit that corruption to execute attacker-supplied code.

DoS Attack
A DoS attack is a network attack that results in some sort of interruption of service to users, devices, or
applications. Several mechanisms can generate a DoS attack. The simplest method is to generate large
amounts of what appears to be valid network traffic. This type of network DoS attack saturates the
network so that valid user traffic cannot get through.
One example of a DoS attack is sending a poisonous packet. A poisonous packet is an improperly
formatted packet designed to cause the receiving device to process the packet in an improper fashion.
The poisonous packet causes the receiving device to crash or run very slowly. This attack can cause all
communications to and from the device to be disrupted.
In another example, an attacker sends a continuous stream of packets, which overwhelms the available
bandwidth of network links. In most cases, it is impossible to differentiate between the attacker and
legitimate traffic and to trace an attack quickly back to its source. If many systems in the Internet core
are compromised, the attacker may be able to take advantage of virtually unlimited bandwidth to
unleash packet storms toward desired targets.
A Distributed Denial of Service Attack (DDoS) is similar in intent to a DoS attack, except that a DDoS
attack originates from multiple coordinated sources. A DDoS attack requires the network security
professional to identify and stop attacks from distributed sources while managing an increase in traffic.
As an example, a DDoS attack could proceed as follows:
- A hacker scans for systems that are accessible.
- After the hacker accesses several "handler" systems, the hacker installs zombie software on
them.
- Zombies then scan and infect agent systems.
- When the hacker accesses the agent systems, the hacker loads remote-control attack software
to carry out the DDoS attack.

It is useful to detail three common DoS attacks to get a better understanding of how DoS attacks work.

Ping of Death
In a ping of death attack, a hacker sends an ICMP echo request whose fragments, when reassembled,
exceed the maximum IP packet size of 65,535 bytes (the largest value the 16-bit total-length field can
hold). Older IP stacks did not check for this and overflowed their reassembly buffer, crashing the
target computer. A variant of this attack is to crash a system by sending incomplete sets of ICMP
fragments, which fill the reassembly buffers of the target.
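The two fragment conditions described above, as an added example that is not part of the original course material: a check a firewall or IPS could apply to each fragment group before a host reassembles it. Fragments are modelled as tuples (source, IP identification, fragment offset in 8-byte units, more-fragments flag, payload length); a real implementation would parse those fields from the IP header. The sample fragment sets are constructed here.

```python
"""Flag IP fragment groups that would reassemble oversized (ping of death) or
that never complete (reassembly-buffer exhaustion).

Added example, not from the course text. Fragment model (an assumption):
(src_ip, ip_id, offset_units, more_fragments, payload_len).
"""
from collections import defaultdict

MAX_DATAGRAM = 65535   # limit of the 16-bit IP total-length field
IP_HEADER_LEN = 20     # header without options


def assess_fragments(frags):
    """Return {(src, ip_id): verdict}, verdict in {"oversized", "incomplete", "ok"}."""
    groups = defaultdict(list)
    for src, ip_id, off_units, mf, length in frags:
        groups[(src, ip_id)].append((off_units * 8, mf, length))

    verdicts = {}
    for key, parts in groups.items():
        parts.sort()
        end = max(off + length for off, _, length in parts)
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            verdicts[key] = "oversized"       # would overflow a naive reassembly buffer
            continue
        has_last = any(mf == 0 for _, mf, _ in parts)
        expected, contiguous = 0, True
        for off, _, length in parts:         # any gap or overlap means no clean reassembly
            if off != expected:
                contiguous = False
                break
            expected = off + length
        verdicts[key] = "ok" if has_last and contiguous else "incomplete"
    return verdicts


def build_ping_fragments(src, ip_id, payload_bytes, mtu=1500):
    """Fragment an ICMP payload as a sending host would: 8-byte aligned chunks."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8    # 1480 bytes per fragment for a 1500-byte MTU
    frags, offset = [], 0
    while offset < payload_bytes:
        length = min(chunk, payload_bytes - offset)
        more = 1 if offset + length < payload_bytes else 0
        frags.append((src, ip_id, offset // 8, more, length))
        offset += length
    return frags


# Constructed samples.
NORMAL = build_ping_fragments("198.51.100.7", 1, 8 + 3000)        # 3 fragments, reassembles fine
# Classic ping of death: 8-byte ICMP header + 65,510 data bytes -> 20 + 65,518 = 65,538 bytes.
POD = build_ping_fragments("203.0.113.9", 2, 8 + 65510)
# Buffer exhaustion: only the first fragment of each of many datagrams ever arrives.
STARVE = [("203.0.113.9", ip_id, 0, 1, 1480) for ip_id in range(100, 110)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("ping of death", POD), ("starvation", STARVE)):
        print(name, assess_fragments(frags))
```

A host that simply allocates a 64 KB buffer and copies each fragment at its offset is exactly the code the oversized check protects; the "incomplete" verdict is what a reassembly timeout handles on the host, and what a per-source limit on pending fragment groups handles on a firewall.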

Smurf Attack
In a smurf attack, a perpetrator sends a large number of ICMP echo requests to directed broadcast
addresses, all with the spoofed source address of the victim. If the routing device delivering traffic
to those broadcast addresses forwards the directed broadcasts, all hosts on the destination networks
send ICMP echo replies to the victim, multiplying the traffic by the number of hosts on the networks.
On a multi-access broadcast network, hundreds of machines might reply to each packet. Because the
amplifying network is the one that forwards directed broadcasts, the fix belongs on its routers: Cisco
IOS has disabled directed broadcast forwarding by default (no ip directed-broadcast) since release 12.0.
TCP SYN Flood
In a TCP SYN flood attack, a flood of TCP SYN packets is sent, often with forged sender addresses. Each
packet is handled like a connection request, causing the server to create a half-open connection: it
sends back a TCP SYN-ACK packet and waits for the final ACK from the sender address. However, because
the sender address is forged, the response never comes. Half-open connections occupy entries in the
listener's bounded backlog table; once it is full, SYNs from legitimate clients are dropped, and the
server cannot respond to legitimate requests until entries time out or the attack ends.
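The backlog exhaustion just described, as an added example that is not part of the original course material: a simulation of a stateful TCP listener under a spoofed SYN flood, next to a listener that issues SYN cookies. TCP is modelled with plain Python objects; the only real cryptography is the HMAC that makes a cookie unforgeable. SYN cookies go beyond the text: they are the host-side counterpart of the TCP intercept feature mentioned later in this chapter, and the backlog size, timeout and key are assumptions chosen for the demonstration.

```python
"""TCP SYN flood against a stateful listener, and against a SYN-cookie listener.

Added example, not from the course text. Everything below is a model; the
backlog size (8), half-open timeout (75 s) and secret key are assumptions.
"""
import hashlib
import hmac
import struct


class StatefulListener:
    """Classic listener: each SYN reserves a half-open entry in a bounded backlog
    until the handshake completes or the entry times out."""

    def __init__(self, backlog=8, timeout=75.0):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}        # (src_ip, src_port) -> expiry time
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, src, now):
        for k in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[k]  # reap timed-out half-open entries
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1 # backlog full: the SYN is silently dropped
            return False
        self.half_open[src] = now + self.timeout
        return True                # SYN-ACK sent, state allocated

    def on_ack(self, src, now):
        if self.half_open.pop(src, None) is None:
            return False
        self.established.add(src)
        return True


class SynCookieListener:
    """Stateless listener: the SYN-ACK's initial sequence number is an HMAC over
    the connection 4-tuple and a coarse time slot. Nothing is stored until the
    client's ACK carries cookie+1, proving the SYN-ACK reached the claimed source."""

    def __init__(self, key, slot_seconds=60):
        self.key, self.slot_seconds = key, slot_seconds
        self.established = set()

    def _cookie(self, src, dst, slot):
        msg = "%s:%d>%s:%d@%d" % (src[0], src[1], dst[0], dst[1], slot)
        digest = hmac.new(self.key, msg.encode(), hashlib.sha256).digest()
        return struct.unpack(">I", digest[:4])[0]   # 32-bit ISN

    def on_syn(self, src, dst, now):
        return self._cookie(src, dst, int(now // self.slot_seconds))   # ISN for the SYN-ACK

    def on_ack(self, src, dst, ack_number, now):
        slot = int(now // self.slot_seconds)
        for s in (slot, slot - 1):                   # tolerate a slot boundary
            if ack_number == (self._cookie(src, dst, s) + 1) & 0xFFFFFFFF:
                self.established.add(src)
                return True
        return False


def simulate(flood_size=1000, use_cookies=False):
    """Spoofed SYNs that are never acknowledged, then one legitimate client.
    Returns (legitimate_connections_established, syns_dropped)."""
    server = ("192.0.2.10", 80)
    legit = ("198.51.100.5", 40000)
    spoofed = [("203.0.113.%d" % (i % 250 + 1), 1024 + i) for i in range(flood_size)]
    if use_cookies:
        lst = SynCookieListener(key=b"per-boot secret")
        for src in spoofed:
            lst.on_syn(src, server, now=0.0)         # no state kept, nothing to exhaust
        isn = lst.on_syn(legit, server, now=1.0)
        ok = lst.on_ack(legit, server, (isn + 1) & 0xFFFFFFFF, now=1.2)
        return int(ok), 0
    lst = StatefulListener()
    for src in spoofed:
        lst.on_syn(src, now=0.0)
    if lst.on_syn(legit, now=1.0):                   # dropped while the backlog is full
        lst.on_ack(legit, now=1.2)
    return len(lst.established), lst.dropped_syns


if __name__ == "__main__":
    print("stateful   :", simulate())
    print("syn cookies:", simulate(use_cookies=True))
```

The stateful listener loses the legitimate client as soon as eight spoofed SYNs are outstanding, and a 75-second timeout is far longer than an attacker needs to refill the table. The cookie listener gives up TCP options it cannot encode in 32 bits, which is why real stacks enable cookies only once the backlog fills.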
The TCP SYN flood, ping of death, and smurf attacks demonstrate how devastating a DoS attack can be.
There are five basic ways that DoS attacks can do harm:
- Consumption of resources, such as bandwidth, disk space, or processor time
- Disruption of configuration information, such as routing information
- Disruption of state information, such as unsolicited resetting of TCP sessions
- Disruption of physical network components
- Obstruction of communication between the victim and others.

Reconnaissance attacks can be mitigated in several ways.

- Using strong authentication is a first option for defense against packet sniffers. Strong
authentication is a method of authenticating users that cannot easily be circumvented. A One-
Time Password (OTP) is a form of strong authentication: a password that is valid only once is
useless to an attacker who captures it off the wire. OTPs are usually one factor in two-factor
authentication, which combines something one has, such as a token card, with something one
knows, such as a PIN. Automated teller machines (ATMs) use two-factor authentication.

- Encryption is also effective for mitigating packet sniffer attacks. If traffic is encrypted, a
packet sniffer is of little use because the captured data is not readable.

- Anti-sniffer software and hardware tools detect changes in the response time of hosts to
determine whether the hosts are processing more traffic than their own traffic loads would
indicate. While this does not completely eliminate the threat, as part of an overall mitigation
system, it can reduce the number of instances of threat.

- A switched infrastructure is the norm today, which makes it difficult to capture any data except
for that data that is in your immediate collision domain, which probably contains only one host.
A switched infrastructure does not eliminate the threat of packet sniffers, but can greatly reduce
the sniffer's effectiveness.

- Port scanning cannot be prevented outright, since any reachable service must answer. But using an
IPS and firewall can limit the information that can be discovered with a port scanner. Ping
sweeps can be stopped if ICMP echo and echo-reply are blocked on edge routers. However, when
these messages are blocked, network diagnostic data is lost. Additionally, port scans can be run
without a preceding ping sweep. The scans simply take longer because inactive IP addresses are
also scanned.

- Network-based IPS and host-based IPS can usually notify an administrator when a
reconnaissance attack is under way. This warning enables the administrator to better prepare
for the coming attack or to notify the ISP from where the reconnaissance probe is being
launched.


Several techniques are also available for mitigating access attacks.

- A surprising number of access attacks are carried out through simple password guessing or
brute-force dictionary attacks against passwords. The use of encrypted or hashed authentication
protocols, along with a strong password policy, greatly reduces the probability of successful
access attacks. There are specific practices that help to ensure a strong password policy:

- Disable accounts after a specific number of unsuccessful logins. This practice helps to prevent
continuous password attempts.

- Do not use plaintext passwords. Use either a one-time password (OTP) or encrypted password.

- Use strong passwords. Strong passwords are at least eight characters and contain uppercase
letters, lowercase letters, numbers, and special characters; length matters more than the
character mix, so longer passphrases are stronger still.

- The network should be designed using the principle of minimum trust. This means that systems
should not use one another unnecessarily. For example, if an organization has a server that is
used by untrusted devices, such as web servers, the trusted device (server) should not trust the
untrusted devices (web servers) unconditionally.

- Cryptography is a critical component of any modern secure network. Using encryption for
remote access to a network is recommended. Routing protocol traffic should be authenticated as
well (and encrypted where the protocol supports it, as OSPFv3 does with IPsec), so that a rogue
neighbor cannot inject routes. The more that traffic is encrypted, the less opportunity hackers
have for intercepting data with man-in-the-middle attacks.
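The hash-cracking scenario from the access-attack section (L0phtCrack against captured hashes) and the "do not use plaintext passwords" practice above, as an added example that is not part of the original course material: a dictionary attack run against a constructed credential store, once with unsalted hashes and once with per-user salts, counting the hash operations each requires. The word list, accounts and SHA-256 construction are assumptions chosen so the example needs only the standard library; Windows LM/NTLM hashes are not used.

```python
"""Dictionary attack against stolen password hashes, unsalted versus salted.

Added example, not from the course text. Word list, users and hash scheme are
constructed for illustration.
"""
import hashlib
import os

WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2019", "Welcome1", "dragon"]
USER_PASSWORDS = {"alice": "letmein", "bob": "Welcome1", "carol": "correct horse battery staple"}


def hash_unsalted(password):
    """Weak scheme: the same password gives the same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """Per-user random salt stored beside the hash: same password, different hashes."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# The two "stolen" credential stores an attacker might obtain.
UNSALTED_DB = {user: hash_unsalted(pw) for user, pw in USER_PASSWORDS.items()}
SALTED_DB = {}
for user, pw in USER_PASSWORDS.items():
    salt = os.urandom(16)
    SALTED_DB[user] = (salt, hash_salted(pw, salt))


def crack_unsalted(db, wordlist):
    """Hash each word once and look it up for every user: the cost is
    len(wordlist) hashes regardless of how many accounts are in the dump."""
    table = {hash_unsalted(word): word for word in wordlist}
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, len(wordlist)


def crack_salted(db, wordlist):
    """With salts there is no shared table: each (user, word) pair needs its
    own hash, so the cost scales with the number of accounts as well."""
    found, hash_ops = {}, 0
    for user, (salt, h) in db.items():
        for word in wordlist:
            hash_ops += 1
            if hash_salted(word, salt) == h:
                found[user] = word
                break
    return found, hash_ops


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED_DB, WORDLIST))
    print("salted:  ", crack_salted(SALTED_DB, WORDLIST))
```

Both runs recover alice's and bob's passwords, because a dictionary word is a weak password whatever the storage scheme; carol's passphrase survives both. Salting removes the shared lookup table, and a deliberately slow hash (PBKDF2, bcrypt, scrypt) multiplies the per-guess cost further. Neither helps against online guessing at the login prompt; that is what the lockout-after-N-failures practice above is for.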

Companies with a high-profile Internet presence should plan in advance how to respond to potential
DoS attacks.
- Historically, many DoS attacks were sourced from spoofed source addresses. These types of
attacks can be thwarted using antispoofing technologies on perimeter routers and firewalls.
Many DoS attacks today are distributed DoS attacks carried out by compromised hosts on
several networks. Mitigating DDoS attacks requires careful diagnostics, planning, and
cooperation from ISPs.

- The most important elements for mitigating DoS attacks are firewalls and IPSs. Both host-based
and network-based IPSs are strongly recommended.

- Cisco routers and switches support a number of antispoofing technologies, such as port security,
DHCP snooping, IP Source Guard, Dynamic ARP Inspection, and ACLs.

- Lastly, although Quality of Service (QoS) is not designed as a security technology, one of its
applications, traffic policing, can be used to limit ingress traffic from any given customer on an
edge router. This limits the impact a single source can have on ingress bandwidth utilization.

Defending your network against attack requires constant vigilance and education. There are 10 best
practices that represent the best insurance for your network:

1. Keep patches up-to-date by installing them weekly or daily, if possible, to prevent buffer overflow and
privilege escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Validate all web page inputs. Some websites allow users to enter usernames and passwords. A
hacker can enter more than just a username. For example, if the username is passed to a shell,
entering "jdoe; rm -rf /" might allow an attacker to remove the root file system from a UNIX server.
Programmers should validate input against an allow-list of expected characters and should never pass
user input to a command shell; rejecting shell metacharacters such as | ; < > is a minimum, not a
substitute.
6. Perform backups and test the backed up files on a regular basis.
7. Educate employees about the risks of social engineering, and develop strategies to validate identities
over the phone, via email, or in person.
8. Encrypt and password protect sensitive data.
9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN)
devices, antivirus software, and content filtering.
10. Develop a written security policy for the company.
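The injection in best practice 5, as an added example that is not part of the original course material: the vulnerable pattern beside its hardened form. The "greet the user" command is a stand-in for whatever the server did with the username, and the attacker's payload uses `echo INJECTED` in place of `rm -rf /` so the example is safe to run. It assumes a POSIX shell and /bin/echo.

```python
"""Shell command injection: vulnerable string-built command versus allow-list
validation plus argv execution without a shell.

Added example, not from the course text. Assumes a POSIX /bin/sh and /bin/echo.
"""
import re
import subprocess


def greet_vulnerable(username):
    """Builds a shell command line from user input. With shell=True the shell
    re-parses the string, so 'jdoe; <command>' runs the second command too."""
    result = subprocess.run("echo Welcome " + username, shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Allow-list: what a UNIX username is permitted to look like (an assumption).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_valid_username(username):
    """True only for input made entirely of allow-listed characters."""
    return USERNAME_RE.fullmatch(username) is not None


def greet_hardened(username):
    """Reject anything outside the allow-list, then run the program directly
    with the input as a single argv element: no shell ever parses it, so
    metacharacters cannot change the command even if validation were weaker."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    result = subprocess.run(["echo", "Welcome", username],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "jdoe; echo INJECTED"
    print("vulnerable:", repr(greet_vulnerable(payload)))
    try:
        greet_hardened(payload)
    except ValueError as err:
        print("hardened rejected payload:", err)
    print("hardened:", repr(greet_hardened("jdoe")))
```

The two defenses are independent: the allow-list stops bad input at the boundary, and the argv form removes the shell, which is the component that turns data into commands. Filtering a blacklist of metacharacters alone is fragile, because shells have more of them than | ; < > (backticks, $( ), newlines).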
These methods are only a starting point for sound security management. Organizations must remain
vigilant at all times to defend against continually evolving threats.
Using these proven methods of securing a network and applying the knowledge gained in this chapter,
you are now prepared to begin deploying network security solutions. One of the first deployment
considerations involves securing access to network devices.

The Cisco Network Foundation Protection (NFP) framework

NFP provides comprehensive guidelines for protecting the network infrastructure. These guidelines
form the foundation for continuous delivery of service.
NFP logically divides routers and switches into three functional areas:
Control Plane - Responsible for routing data correctly. Control plane traffic consists of
device-generated packets required for the operation of the network itself such as ARP
message exchanges or OSPF routing advertisements.

Management Plane - Responsible for managing network elements. Management plane
traffic is generated either by network devices or network management stations using
processes and protocols such as Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP, syslog, TACACS+,
RADIUS, and NetFlow.

Data Plane (Forwarding Plane) - Responsible for forwarding data. Data plane traffic normally
consists of user-generated packets being forwarded between endstations. Most traffic
travels through the router, or switch, via the data plane. Data plane packets are typically
processed in fast-switching cache.

Control plane traffic consists of device-generated packets required for the operation of the network
itself. Control plane security can be implemented using the following features:
- Cisco AutoSecure
- Routing protocol authentication
- Control Plane Policing
Management plane traffic is generated either by network devices or network management stations
using processes and protocols such as Telnet, SSH, TFTP, and FTP, etc. The management plane is a very
attractive target to hackers. For this reason, the management module was built with several
technologies designed to mitigate such risks.

The information flow between management hosts and the managed devices can be out-of-band (OOB)
(information flows within a network on which no production traffic resides) or in-band (information
flows across the enterprise production network, the Internet, or both).


Management plane security can be implemented using the following features:
- Login and password policy - Restricts device accessibility. Limits the accessible ports and restricts
the "who" and "how" methods of access.
- Present legal notification - Displays legal notices. These are often developed by legal counsel of
a corporation.
- Ensure the confidentiality of data - Protects locally stored sensitive data from being viewed or
copied. Uses management protocols with strong authentication to mitigate confidentiality
attacks aimed at exposing passwords and device configurations.
- Role-based access control (RBAC) - Ensures access is only granted to authenticated users,
groups, and services. RBAC and authentication, authorization, and accounting (AAA) services
provide mechanisms to effectively manage access control.
- Authorize actions - Restricts the actions and views that are permitted by any particular user,
group, or service.
- Enable management access reporting - Logs and accounts for all access. Records who accessed
the device, what occurred, and when it occurred.

- RBAC restricts user access based on the role of the user. Roles are created according to job or
task functions, and assigned access permissions to specific assets. Users are then assigned to
roles, and are granted the permissions that are defined for that role.

- In Cisco IOS, the role-based CLI access feature implements RBAC for router management access.
The feature creates different "views" that define which commands are accepted and what
configuration information is visible. For scalability, users, permissions, and roles are usually
created and maintained in a central repository server. This makes the access control policy
available to multiple devices. The central repository server can be a AAA server, such as the
Cisco Secure Access Control System (ACS), which provides AAA services to a network for
management purposes.

Data plane traffic consists mostly of user-generated packets being forwarded through the router via the
data plane. Data plane security can be implemented using ACLs, antispoofing mechanisms, and Layer 2
security features.
ACLs perform packet filtering to control which packets move through the network and where those
packets are allowed to go. ACLs are used to secure the data plane in a variety of ways, including:
Blocking unwanted traffic or users - ACLs can filter incoming or outgoing packets on an interface. They
can be used to control access based on source addresses, destination addresses, or user authentication.
Reducing the chance of DoS attacks - ACLs can be used to specify whether traffic from hosts, networks,
or users access the network. The TCP intercept feature can also be configured to prevent servers from
being flooded with requests for a connection.
Mitigating spoofing attacks - ACLs allow security practitioners to implement recommended practices to
mitigate spoofing attacks.
Providing bandwidth control - ACLs on a slow link can prevent excess traffic.
Classifying traffic to protect the Management and Control planes - ACLs can be applied to the VTY
lines (access-class) to restrict which source addresses may open Telnet or SSH sessions to the device.
ACLs can also be used as an antispoofing mechanism by discarding traffic that has an invalid source
address. This forces attacks to be initiated from valid, reachable IP addresses, allowing the packets to be
traced to the originator of an attack.
Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing
strategy.
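The antispoofing checks described above, as an added example that is not part of the original course material: an RFC 2827-style ingress filter and strict and loose Unicast RPF evaluated against a constructed routing table. The interfaces, prefixes and the black-holed bogon route are assumptions; on a Cisco router these decisions are made by an ingress ACL and by ip verify unicast source reachable-via rx (strict) or any (loose), not by Python.

```python
"""Ingress antispoofing: RFC 2827 ingress filter plus strict/loose uRPF.

Added example, not from the course text. The router model (interfaces and
routes) is constructed for illustration.
"""
import ipaddress

INTERNET_IFACE = "Gi0/0"

# Routing table as (prefix, egress interface). "Null0" is a black-hole route.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), INTERNET_IFACE),   # default route towards the ISP
    (ipaddress.ip_network("192.0.2.0/24"), "Gi0/1"),       # internal LAN
    (ipaddress.ip_network("198.51.100.0/24"), "Gi0/2"),    # DMZ
    (ipaddress.ip_network("10.0.0.0/8"), "Null0"),         # private prefix, black-holed
]

# Sources that must never enter from the Internet-facing interface.
INTERNAL_PREFIXES = [net for net, ifc in ROUTES if ifc not in (INTERNET_IFACE, "Null0")]
BOGONS = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]


def lookup(addr):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    best = None
    for net, ifc in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def urpf_permits(src_ip, in_iface, mode="strict"):
    """Unicast Reverse Path Forwarding.
    strict: the route back to the source must leave via the ingress interface.
    loose: any non-null route suffices; with a default route present this only
    rejects sources that are explicitly black-holed."""
    egress = lookup(ipaddress.ip_address(src_ip))
    if egress is None or egress == "Null0":
        return False
    return egress == in_iface if mode == "strict" else True


def ingress_acl_permits(src_ip, in_iface):
    """RFC 2827-style ingress filter: packets arriving from the ISP may not
    claim an internal or private source address."""
    addr = ipaddress.ip_address(src_ip)
    if in_iface == INTERNET_IFACE and any(addr in n for n in INTERNAL_PREFIXES + BOGONS):
        return False
    return True


def admit(src_ip, in_iface, mode="strict"):
    """Combined data-plane decision for one packet's source address."""
    return ingress_acl_permits(src_ip, in_iface) and urpf_permits(src_ip, in_iface, mode)


if __name__ == "__main__":
    for src, ifc in (("192.0.2.5", "Gi0/1"), ("192.0.2.5", "Gi0/0"),
                     ("203.0.113.9", "Gi0/0"), ("203.0.113.9", "Gi0/1"), ("10.1.1.1", "Gi0/0")):
        print(src, "in", ifc, "strict:", admit(src, ifc), "loose:", admit(src, ifc, "loose"))
```

Strict mode on the LAN interface catches an internal host spoofing an external source, which is the outbound case RFC 2827 is about; strict mode on the ISP link catches the inbound case only when the network is single-homed, because asymmetric routing makes legitimate return paths fail the check. That is why the loose mode exists and why the ingress ACL is kept alongside uRPF rather than replaced by it.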
Cisco Catalyst switches can use integrated features to help secure the Layer 2 infrastructure. The
following are Layer 2 security tools integrated into the Cisco Catalyst switches:
Port security - Prevents MAC address spoofing and MAC address flooding attacks.
DHCP snooping - Blocks DHCP server replies arriving on untrusted ports (rogue DHCP servers) and rate-limits
DHCP requests, preventing client attacks on the DHCP server and switch.
Dynamic ARP Inspection (DAI) - Adds security to ARP by using the DHCP snooping table to minimize the
impact of ARP poisoning and spoofing attacks.
IP Source Guard - Prevents spoofing of IP addresses by using the DHCP snooping table.
