Overview of Network Security

2005 Cisco Systems, Inc. All rights reserved.

Learning Objectives
Introduction to Network Security
Introduction to Vulnerabilities, Threats, and Attacks
Attack Examples
Vulnerability Analysis

The Closed Network

The Network Today

Network Security Models

Trends that Affect Security
Increase of network attacks
Increased sophistication of attacks
Increased dependence on the network
Lack of trained personnel
Lack of awareness
Lack of security policies
Wireless access
Legislation
Litigation

Legal and Governmental Policy Issues
Organizations that operate vulnerable networks will face increasing and substantial liability.
US Federal legislation mandating security includes the following:
GLB financial services legislation
Government Information Security Reform Act
HIPAA
CIPA

Attacks, Services and Mechanisms
Security Attack: Any action that compromises the security of information.
Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

Security Attacks

Security Attacks
Interruption: This is an attack on availability
Interception: This is an attack on confidentiality
Modification: This is an attack on integrity
Fabrication: This is an attack on authenticity


Security Goals
Confidentiality
Integrity
Availability


Security Services
Confidentiality (privacy)
Authentication (who created or sent the data)
Integrity (has not been altered)
Non-repudiation (the order is final)
Access control (prevent misuse of resources)
Availability (permanence, non-erasure; threatened, for example, by denial of service attacks or a virus that deletes files)

Henric Johnson


Methods of Defense
Encryption
Software Controls (access limitations in a database; in an operating system, protect each user from other users)
Hardware Controls (smartcard)
Policies (frequent changes of passwords)
Physical Controls


Internet standards and RFCs
The Internet Society
Internet Architecture Board (IAB)
Internet Engineering Task Force (IETF)
Internet Engineering Steering Group (IESG)


Internet RFC Publication Process


Network Vulnerabilities
Technology
Configuration
Policy


Threat Capabilities: More Dangerous and Easier to Use


Network Threats
There are four general categories of security threats to the network:
Unstructured threats
Structured threats
External threats
Internal threats
[Figure: Internet, dial-in exploitation, internal exploitation, compromised host]


Four Classes of Network Attacks

Reconnaissance attacks
Access attacks
Denial of service attacks
Worms, viruses, and Trojan horses


Specific Attack Types
All of the following can be used to compromise your system:
Packet sniffers
IP weaknesses
Password attacks
DoS or DDoS
Man-in-the-middle attacks
Application layer attacks
Trust exploitation
Port redirection
Virus
Trojan horse
Operator error
Worms


Reconnaissance Attacks
Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications.


Reconnaissance Attack Example
[Figure: sample IP address query and sample domain name query]

Reconnaissance Attack Mitigation
Network reconnaissance cannot be prevented entirely. IDSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack (for example, ping sweeps and port scans) is under way.
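
The kind of check behind that IDS notification, shown as an added example (it is not code from the slides or from Cisco): a sliding-window detector run over a constructed connection log that flags a source touching many distinct ports on one host within a short window. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions made for the example.

```python
"""Port-scan detection over a constructed connection log (added example, not from the slides).

A reconnaissance sweep shows up as one source touching many distinct ports on a
target inside a short window. This is the check a host or network IDS would run
before notifying the administrator.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation addresses, RFC 5737). The first 12 lines are one
# source probing 12 ports on one host in five seconds; the last three are ordinary traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=203.0.113.5 dst=192.0.2.10 dport=21 action=deny
2024-01-01T10:00:00 src=203.0.113.5 dst=192.0.2.10 dport=22 action=allow
2024-01-01T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=23 action=deny
2024-01-01T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=25 action=deny
2024-01-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=53 action=deny
2024-01-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=80 action=allow
2024-01-01T10:00:03 src=203.0.113.5 dst=192.0.2.10 dport=110 action=deny
2024-01-01T10:00:03 src=203.0.113.5 dst=192.0.2.10 dport=135 action=deny
2024-01-01T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=139 action=deny
2024-01-01T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=143 action=deny
2024-01-01T10:00:05 src=203.0.113.5 dst=192.0.2.10 dport=443 action=allow
2024-01-01T10:00:05 src=203.0.113.5 dst=192.0.2.10 dport=445 action=deny
2024-01-01T10:00:01 src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
2024-01-01T10:00:02 src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
2024-01-01T10:00:03 src=198.51.100.7 dst=192.0.2.10 dport=80 action=allow
"""


def parse_line(line):
    """Parse one 'ts key=value ...' log line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"src", "dst", "dport"} <= set(fields):
        return None
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "action": fields.get("action", "")}


def detect_port_scans(log_text, window_seconds=60, threshold=10):
    """Return one alert per (src, dst) pair that touches >= threshold distinct ports
    within any window of window_seconds. Denied and allowed connections both count,
    because a scanner learns something from either answer."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_pair[(event["src"], event["dst"])].append(event)

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        port_counts = defaultdict(int)   # distinct ports currently inside the window
        start = 0
        for event in events:
            port_counts[event["dport"]] += 1
            # slide the window: drop events older than window_seconds
            while event["ts"] - events[start]["ts"] > window:
                old_port = events[start]["dport"]
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
                start += 1
            if len(port_counts) >= threshold:
                alerts.append({"src": src, "dst": dst,
                               "distinct_ports": len(port_counts),
                               "window_start": events[start]["ts"],
                               "window_end": event["ts"]})
                break   # one notification per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print("possible port scan:", alert)
```

The threshold and window are tuning knobs: a host-level IDS watching a single server can use a much lower threshold than a network sensor watching a busy subnet, and the ordinary client in the sample (two ports in total) never trips either setting.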


Packet Sniffers
[Figure: Host A, Router A, Router B, Host B]
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. The following are the packet sniffer features:
Packet sniffers exploit information passed in clear text. Protocols that pass information in the clear include the following:
Telnet
FTP
SNMP
POP
Packet sniffers must be on the same collision domain.


Packet Sniffer Mitigation
[Figure: Host A, Router A, Router B, Host B]
The following techniques and tools can be used to mitigate sniffers:
Authentication: Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers.
Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
Antisniffer tools: Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
Cryptography: The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant.


IP Spoofing
IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
Two general techniques are used during IP spoofing:
A hacker uses an IP address that is within the range of trusted IP addresses.
A hacker uses an authorized external IP address that is trusted.
Uses for IP spoofing include the following:
IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.
If a hacker changes the routing tables to point to the spoofed IP address, the hacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.


IP Spoofing Mitigation
The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
Access control: The most common method for preventing IP spoofing is to properly configure access control.
RFC 2827 filtering: You can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organization's own IP range.
Additional authentication that does not use IP-based authentication. Examples of this include the following:
Cryptographic (recommended)
Strong, two-factor, one-time passwords
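
The RFC 2827 rule and the access-control rule above, expressed as an added example in Python rather than as router configuration (this is not Cisco's code or the slides' own). It assumes the organization's address blocks are known (the prefixes below are constructed from documentation ranges) and goes slightly beyond the slide by also applying the standard inbound companion rule: traffic arriving from outside that claims an inside source address is dropped.

```python
"""RFC 2827 style anti-spoofing filter (added example; not a Cisco configuration).

Outbound: permit only packets whose source lies inside the organization's blocks.
Inbound: deny packets arriving from outside that claim an inside source address.
Addresses and prefixes below are constructed (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress

# Constructed organization prefixes; replace with the real allocation in practice.
ORG_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]


def build_antispoof_filter(prefixes):
    """Return decide(direction, src) -> 'permit' | 'deny', direction in {'out', 'in'}."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]

    def is_internal(src):
        addr = ipaddress.ip_address(src)
        # only compare against networks of the same IP version
        return any(addr in n for n in nets if n.version == addr.version)

    def decide(direction, src):
        inside = is_internal(src)
        if direction == "out":
            return "permit" if inside else "deny"   # egress: only our own sources may leave
        if direction == "in":
            return "deny" if inside else "permit"   # ingress: outsiders may not claim our sources
        raise ValueError("direction must be 'out' or 'in'")

    return decide


def apply_filter(decide, packets):
    """Tally verdicts per direction over (direction, src, dst) tuples; return (counts, dropped)."""
    counts = {"out": {"permit": 0, "deny": 0}, "in": {"permit": 0, "deny": 0}}
    dropped = []
    for direction, src, dst in packets:
        verdict = decide(direction, src)
        counts[direction][verdict] += 1
        if verdict == "deny":
            dropped.append((direction, src, dst))
    return counts, dropped


# Constructed traffic sample.
SAMPLE_PACKETS = [
    ("out", "203.0.113.7", "198.51.100.1"),    # legitimate outbound
    ("out", "2001:db8:1::5", "2001:db8:9::1"),  # legitimate outbound, IPv6
    ("out", "198.51.100.9", "192.0.2.1"),      # spoofed or misrouted source leaving our edge
    ("in", "192.0.2.44", "203.0.113.7"),        # normal inbound
    ("in", "203.0.113.200", "203.0.113.7"),     # outsider claiming an internal source
]


if __name__ == "__main__":
    decide = build_antispoof_filter(ORG_PREFIXES)
    counts, dropped = apply_filter(decide, SAMPLE_PACKETS)
    print(counts)
    for pkt in dropped:
        print("dropped:", pkt)
```

Two things the example makes visible that the slide only implies: the egress rule is a whitelist (anything not provably ours is dropped, which also catches misconfigured hosts, not just deliberate spoofing), and an address is only matched against prefixes of its own IP version, so an IPv6 deployment needs its own prefixes listed or all of its outbound traffic is denied.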


DoS Attacks


DDoS Attack Example


DoS Attack Mitigation
The threat of DoS attacks can be reduced through the following three methods:
Antispoof features: Proper configuration of antispoof features on your routers and firewalls
Anti-DoS features: Proper configuration of anti-DoS features on routers and firewalls
Traffic rate limiting: Implement traffic rate limiting with the network's ISP
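
What the third method does at the packet level, as an added example (not code from the slides, from Cisco, or from any ISP product): a per-source token-bucket limiter simulated over constructed traffic. Each source gets a bucket that refills at a fixed rate up to a burst size; a flood drains its own bucket and is dropped while a normal sender keeps flowing. Rate, burst size, the packet timings and the addresses are all assumptions.

```python
"""Per-source token-bucket rate limiting (added example; not the slides' or Cisco's code).

Time is in milliseconds and tokens are kept as integer milli-tokens so the
arithmetic is exact and the simulation is reproducible.
"""
from collections import defaultdict


class TokenBucket:
    def __init__(self, rate_per_sec, burst, now_ms):
        self.rate = rate_per_sec              # tokens added per second
        self.capacity = burst * 1000          # bucket size in milli-tokens
        self.tokens = self.capacity           # a new source starts with a full bucket
        self.last_ms = now_ms

    def allow(self, now_ms, cost=1000):
        """Refill for the elapsed time, then spend 'cost' milli-tokens if available."""
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        # rate tokens/s * elapsed ms == milli-tokens
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address, created on first sight."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.buckets = {}

    def check(self, src, now_ms):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now_ms)
        return bucket.allow(now_ms)


def simulate(packets, rate_per_sec, burst):
    """packets: iterable of (time_ms, src). Returns {src: {'allowed': n, 'dropped': m}}."""
    limiter = PerSourceLimiter(rate_per_sec, burst)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for time_ms, src in sorted(packets):
        key = "allowed" if limiter.check(src, time_ms) else "dropped"
        stats[src][key] += 1
    return dict(stats)


def constructed_traffic():
    """Constructed sample: 100 packets in one second from a flooding source (10 ms apart)
    plus 5 packets spread over 5 seconds from a normal client."""
    flood = [(i * 10, "203.0.113.66") for i in range(100)]
    normal = [(i * 1000, "198.51.100.7") for i in range(5)]
    return flood + normal


if __name__ == "__main__":
    # 10 packets/s sustained, burst of 20
    print(simulate(constructed_traffic(), rate_per_sec=10, burst=20))
```

With a 10 packet/s rate and a burst of 20, the flood gets its initial burst through and then roughly one packet in ten, while the slow client is never touched. The same structure applies whether the limiter runs at the ISP, on the edge router, or in a host firewall; the point of doing it upstream at the ISP, as the slide recommends, is that the flood is discarded before it fills the customer's access link.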


Password Attacks
Hackers can implement password attacks using several different methods:
Brute-force attacks
Dictionary attacks
Trojan horse programs
IP spoofing
Packet sniffers


Password Attack Example
L0phtCrack can take the hashes of passwords and generate the clear text passwords from them. Passwords are computed using two different methods:
Dictionary cracking
Brute force computation


Password Attacks Mitigation
The following are mitigation techniques:
Do not allow users to use the same password on multiple systems.
Disable accounts after a certain number of unsuccessful login attempts.
Do not use plain text passwords. OTP or a cryptographic password is recommended.
Use strong passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters.
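
Three of those mitigations in working form, as an added example (not the slides' or Cisco's code): the strength rule exactly as stated above, passwords stored as salted PBKDF2 hashes instead of plain text, and account lockout after a fixed number of failures. The lockout count, the lockout duration, the user name and the sample password are assumptions chosen for the example.

```python
"""Password attack mitigations (added example; not from the slides).

- check_password_strength applies the slide's rule: 8+ characters with upper, lower,
  digit and special characters.
- hash_password / verify_password store a salted PBKDF2-HMAC-SHA256 digest so the
  system never keeps the clear text password.
- LoginGuard locks an account for a period after max_failures bad attempts.
"""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta


def check_password_strength(password):
    """Return the list of rules the password fails (empty list means it passes)."""
    failed = []
    if len(password) < 8:
        failed.append("at least 8 characters")
    if not re.search(r"[A-Z]", password):
        failed.append("an uppercase letter")
    if not re.search(r"[a-z]", password):
        failed.append("a lowercase letter")
    if not re.search(r"[0-9]", password):
        failed.append("a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        failed.append("a special character")
    return failed


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated hash; the record is what gets stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])   # constant-time comparison


class LoginGuard:
    """Authentication front door with lockout after repeated failures."""

    def __init__(self, users, max_failures=5, lockout=timedelta(minutes=15)):
        self.users = users              # user -> record from hash_password
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = {}              # user -> consecutive failures
        self.locked_until = {}          # user -> datetime

    def attempt(self, user, password, now):
        """Return 'ok', 'denied' or 'locked'. 'now' is passed in to keep the logic testable."""
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"             # even a correct password is refused while locked
        record = self.users.get(user)
        if record is not None and verify_password(password, record):
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed user and password for the demonstration.
    guard = LoginGuard({"psmith": hash_password("Tr0ub4dor&3")})
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    for i in range(6):
        print(i, guard.attempt("psmith", "wrong", t0 + timedelta(seconds=i)))
    print(guard.attempt("psmith", "Tr0ub4dor&3", t0 + timedelta(minutes=20)))
```

Unknown user names go through the same failure counter as real ones so that the response does not reveal which accounts exist, and the lockout is time-limited rather than permanent so that an attacker cannot turn the control into a denial of service against legitimate users by deliberately failing logins.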


Man-in-the-Middle Attacks
[Figure: Host A, Router A, Router B, Host B; data in clear text]
A man-in-the-middle attack requires that the hacker have access to network packets that come across a network.
A man-in-the-middle attack is implemented using the following:
Network packet sniffers
Routing and transport protocols
Possible man-in-the-middle attack uses include the following:
Theft of information
Hijacking of an ongoing session
Traffic analysis
DoS
Corruption of transmitted data
Introduction of new information into network sessions


Man-in-the-Middle Mitigation
[Figure: Host A, Router A, ISP, Router B, Host B; IPSec tunnel; a man-in-the-middle attack can only see cipher text]
Man-in-the-middle attacks can be effectively mitigated only through the use of cryptography (encryption).


Application Layer Attacks
Application layer attacks have the following characteristics:
Exploit well known weaknesses, such as protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP)
Often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall)
Can never be completely eliminated, because new vulnerabilities are always being discovered


Application Layer Attacks Mitigation
Some measures you can take to reduce your risks are as follows:
Read operating system and network log files, or have them analyzed by log analysis applications.
Subscribe to mailing lists that publicize vulnerabilities.
Keep your operating system and applications current with the latest patches.
IDSs can scan for known attacks, monitor and log attacks, and in some cases, prevent attacks.


Trust Exploitation


Trust Exploitation Mitigation
Systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall.
Such trust should be limited to specific protocols and should be validated by something other than an IP address where possible.
[Figure: System A (User = psmith; Pat Smith); System B compromised by a hacker (User = psmith; Pat Smith); Hacker (User = psmith; Pat Smithson) blocked]


Port Redirection


Unauthorized Access
Unauthorized access includes any unauthorized attempt to access a private resource:
Not a specific type of attack
Refers to most attacks executed in networks today
Initiated on both the outside and inside of a network
The following are mitigation techniques for unauthorized access attacks:
Eliminate the ability of a hacker to gain access to a system
Prevent simple unauthorized access attacks, which is the primary function of a firewall


Virus and Trojan Horses
Viruses are malicious software attached to another program to execute a particular unwanted function on a user's workstation. End-user workstations are the primary targets.
A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. A Trojan horse is mitigated by antivirus software at the user level and possibly the network level.
