Version 4.0
Cisco Public
Availability vs Security
In today's networks, there is a fine balance between having open networks for sharing information and the need for security. You could completely secure your network servers by locking them away, but then no one would be able to share resources.
Attacker Terminology
- White Hat - A person who looks for vulnerabilities in networks to try to improve network security
- Black Hat - A person who uses his knowledge to break into computer networks with malicious intent; often called a Hacker or a Cracker
- Phreaker - A person who manipulates the phone network so that it performs functions that aren't allowed
- Spammer - A person who sends large quantities of unsolicited e-mails
- Phisher - A person who uses e-mail and other methods to get people to provide sensitive information without their knowledge
A policy is a set of principles that guide decision-making processes. Three characteristics of a good security policy include:
- Informs employees of acceptable and unacceptable use of network resources
- Defines how to handle security incidents
- Defines roles for employees if there is a security incident
Attacks are the actual types of actions that can be carried out against a network. There are three primary vulnerabilities:
- Technological weaknesses
- Configuration weaknesses
Questions!!!
- What are two objectives a security policy must accomplish?
- What are three characteristics of a good security policy?
- Who poses more of a threat to your network security, the experienced hacker or the inexperienced person who downloads exploits from the internet?
Physical Threats
The four classes of physical threats are:
- Hardware threats - Physical damage to servers, routers, switches, cabling plant, and workstations
- Environmental threats - Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
- Electrical threats - Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
- Maintenance threats - Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling
Types of Threats
Unstructured threats consist of mostly inexperienced individuals using easily available hacking tools, such as shell scripts and password crackers.
Structured threats involve people who know system vulnerabilities and use sophisticated hacking techniques to penetrate unsuspecting businesses.
External threats are from individuals or organizations working outside of a company who do not have authorized access to the computer systems or network
- They work their way into a network mainly from the Internet or dialup access servers
Internal threats occur when someone has authorized access to the network with either an account or physical access.
Social Engineering
The easiest hack involves no computer skill at all
- An attacker will try to trick a member of an organization into giving over valuable information, such as the location of files or passwords
Phishing is a type of social engineering attack that involves using email or other types of messages in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords
2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Denial of service (DoS) is when an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users. Worms, viruses, and Trojan horses can be inserted onto a host to damage or corrupt a system, replicate themselves, or deny access to networks, systems, or services.
Reconnaissance Attacks
Internet Information Queries
External attackers can use Internet tools like nslookup and whois to discover the IP address space for a corporation or entity.
- After the IP address space is determined, an attacker can then ping the IP addresses to identify the addresses that are active
- To automate this step, an attacker may use a ping sweep tool, like fping or gping, which systematically pings all network addresses in a given range or subnet
- Next the intruder uses a port scanner like Nmap or Superscan to determine which network services or ports are active on the live IP addresses
Internal attackers may attempt to "eavesdrop" on network traffic
- Network snooping and packet sniffing are common terms for eavesdropping.
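The reconnaissance sequence above (ping sweep of an address range, then a port scan of the live hosts) leaves a recognisable pattern in perimeter logs. The following is an added example and not part of the Cisco material: a small Python detector run over constructed firewall log lines (the `time src dst proto dport` format is an assumption) that flags one source touching many hosts with ICMP and one source probing many ports on a single host.

```python
from collections import defaultdict

# Constructed sample firewall log lines (not from the page): time src dst proto dport
SAMPLE_LOG = """\
10:00:01 198.51.100.7 192.0.2.1 icmp -
10:00:01 198.51.100.7 192.0.2.2 icmp -
10:00:01 198.51.100.7 192.0.2.3 icmp -
10:00:02 198.51.100.7 192.0.2.4 icmp -
10:00:02 198.51.100.7 192.0.2.5 icmp -
10:00:09 198.51.100.7 192.0.2.3 tcp 21
10:00:09 198.51.100.7 192.0.2.3 tcp 22
10:00:09 198.51.100.7 192.0.2.3 tcp 23
10:00:09 198.51.100.7 192.0.2.3 tcp 25
10:00:09 198.51.100.7 192.0.2.3 tcp 80
10:00:09 198.51.100.7 192.0.2.3 tcp 443
10:00:15 203.0.113.9 192.0.2.3 tcp 443
10:00:16 203.0.113.9 192.0.2.3 tcp 443
"""

def parse_log(text):
    """Yield (src, dst, proto, dport) tuples; dport is None for ICMP."""
    for line in text.splitlines():
        _, src, dst, proto, dport = line.split()
        yield src, dst, proto, None if dport == "-" else int(dport)

def detect_recon(text, sweep_hosts=5, scan_ports=5):
    """Flag a ping sweep (one source, ICMP to >= sweep_hosts distinct targets)
    and a port scan (one source, >= scan_ports distinct ports on one target)."""
    icmp_targets = defaultdict(set)   # src -> {dst}
    ports = defaultdict(set)          # (src, dst) -> {dport}
    for src, dst, proto, dport in parse_log(text):
        if proto == "icmp":
            icmp_targets[src].add(dst)
        else:
            ports[(src, dst)].add(dport)
    alerts = []
    for src, dsts in icmp_targets.items():
        if len(dsts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, len(dsts)))
    for (src, dst), probed in ports.items():
        if len(probed) >= scan_ports:
            alerts.append(("port_scan", src, dst, len(probed)))
    return alerts
```

The repeated connections from 203.0.113.9 to a single port stay below both thresholds, so only the sweeping and scanning source is reported.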
Questions!!!
- High levels of fake requests for service preventing users from accessing the company server would be what type of attack?
- Preventing users from opening e-mail messages from suspicious sources would be trying to prevent what?
- What is the best defense against phishing exploits?
The attacker may allow normal transactions between hosts and only periodically manipulate the conversation between the two.
Questions!!!
- What type of attack is where the software searches using combinations of character sets to compute every possible password?
- What type of attack is where a trusted host outside the network is compromised and used to stage attacks on a host inside the network?
- What type of attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be blocked?
- What type of attack is when an attacker manages to position himself between two legitimate hosts?
- This ties up the server until it eventually runs out of resources and cannot respond to a valid host request.
Questions!!!
- What type of attack modifies the IP portion of a ping packet header to indicate that there is more data in the packet than there actually is?
- What type of attack exploits the TCP three-way handshake?
- What attack uses spoofed broadcast ping messages to flood a target system?
Device Hardening
Device hardening involves taking your router or server and reducing the attack surface:
- Change default usernames and passwords
- Only allow access to system resources to authorized users
- Turn off all unnecessary applications and services
Intrusion Prevention Systems (IPS) prevent attacks against the network and, on top of detection, provide:
- Prevention - Stops the detected attack from executing.
- Reaction - Immunizes the system from future attacks from a malicious source.
HIDS vs HIPS
A Host-based Intrusion Detection System (HIDS) is usually implemented as a passive technology
- This system will send logs to a management console after the attack has occurred and the damage is done.
A Host-based Intrusion Prevention System (HIPS) is an inline technology that actually stops the attack, prevents damage, and blocks the propagation of worms and viruses.
- Active detection can be set to shut down the network connection or to stop impacted services automatically.
- Cisco provides HIPS using the Cisco Security Agent software.
- HIPS software (called agent software) is installed on each host, either the server or desktop, to monitor activity performed on and against the host
- The agent software will send logs and alerts to a centralized management server
Questions!!!
- What is the process called that involves taking your router or server and reducing the attack surface?
- What type of device is used to detect attacks against a network and sends logs to a management console?
- What type of device will prevent attacks against the network by stopping an attack while it is occurring?
The most commonly used active method is to audit host-level log files
- Most operating systems include auditing functionality
- System administrators must enable the audit system for every host on the network and take the time to check and interpret the log file entries
Implement IDS
This starts the cycle over again, which is what makes the Network Security Wheel a circular, continuous process.
Questions!!!
- What are the four stages of the Security Wheel?
- What are some things that can be done during the first stage?
- At what stage of the Security Wheel does intrusion detection occur?
- no transport input turns off all types of connections to vty
- transport input ssh defines only ssh for vty connections
The exec-timeout 3 command will cause the vty connection to be dropped after 3 minutes of inactivity
We name our host, then define the domain name so that we can enable ssh. We create our asymmetric keys to be used for the encryption and we're asked what we want our key size to be (Cisco recommends 1,024).
We next define a local user, and then configure ssh on our vty lines.
Finally, the time-out in seconds and the number of login attempts are configured.
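The vty settings from the two slides above (transport input ssh, login with a local user, exec-timeout) are the kind of thing worth checking across many routers rather than by eye. This is an added example, not Cisco's code: a Python audit of a constructed IOS running-config fragment (the username hash is a placeholder) that reports vty lines still accepting Telnet, lacking local login, or with the idle timeout disabled or above a chosen limit, and checks that SSH version 2 is set globally. The RSA key size is not visible in a running-config, so it is not checked here.

```python
import re

# Constructed sample IOS running-config fragment (not from the page); the hash is a placeholder.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.test
username admin secret 5 $1$PLACEHOLDER
ip ssh version 2
line vty 0 4
 exec-timeout 3 0
 login local
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 login local
 transport input telnet ssh
"""

def parse_line_blocks(config):
    """Map each 'line ...' section name to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = blocks.setdefault(raw[5:].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any non-indented line ends the section
    return blocks

def audit_vty(config, max_idle_min=3):
    """Return findings; an empty list means the SSH/vty checks all pass."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("global: ip ssh version 2 not set")
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue  # console/aux lines are out of scope here
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append(f"{name}: {transport!r}, expected 'transport input ssh'")
        if "login local" not in cmds:
            findings.append(f"{name}: login local missing")
        to = next((c.split() for c in cmds if c.startswith("exec-timeout")), None)
        if to is None:
            findings.append(f"{name}: exec-timeout not set (IOS default is 10 min)")
            continue
        minutes, seconds = int(to[1]), (int(to[2]) if len(to) > 2 else 0)
        if minutes == 0 and seconds == 0:
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
        elif minutes * 60 + seconds > max_idle_min * 60:
            findings.append(f"{name}: idle timeout exceeds {max_idle_min} min")
    return findings
```

In the sample, vty 0 4 passes and vty 5 15 is reported twice: it still allows Telnet and its exec-timeout 0 0 disables the idle timeout entirely.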
Using SSH
To establish an SSH connection, you have to use an SSH terminal client like PuTTY or TeraTerm
You'll choose the SSH option and use TCP port 22
Questions!!!
- When setting encryption for use with SSH, what key size does Cisco recommend?
- What is the port number for SSH?
- What command is used to disable DNS?
- What command will automatically disable non-essential system processes and services?
- Step 3. Prevent unauthorized reception of RIP updates
- Use MD5 to prevent anyone from intercepting RIP updates
- Step 1. Access the router's Cisco CLI interface using Telnet or the console connection
- Step 2. Enable the HTTP and HTTPS servers on the router
- Step 3. Create a user account defined with privilege level 15 (enable privileges)
- Step 4. Configure SSH and Telnet for local login and privilege level 15
Questions!!!
- What is the privilege level required in order to use SDM?
- How do you access the control page in order to use SDM?
- What two locations can SDM be run from?
Flash Memory
Using the dir command, we see the contents of flash memory.
NVRAM
Next, we view NVRAM by changing the directory we are viewing with the cd nvram command.
The pwd command allows us to identify which directory we are working in. Finally, dir shows us the contents of NVRAM.
Questions!!!
- What are the two most important pieces of information we get out of using the dir command for flash memory?
- What are two important conditions a Cisco administrator should verify before attempting to upgrade an IOS image from a TFTP server, and what commands are used?
Password Recovery
Questions!!!
- How do we access the router for password recovery (through what port)?
- What do we change in order to recover a password? From what to what?