© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.0 5-1 Cisco Device Hardening: Mitigating Network Attacks

Transcript:

Cisco Device Hardening: Mitigating Network Attacks

Cisco Self-Defending Network

Cisco Self-Defending Network
Cisco's strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats. There are three categories:
– Secure connectivity: VPN solutions including VPN concentrators, VPN-enabled routers, and firewall VPNs
– Threat defense: appliance and Cisco IOS-based firewalls, Cisco IDSs and IPSs
– Trust and identity: NAC, Cisco Secure ACS, and 802.1x technology

Evolution of Cisco Self-Defending Network

Types of Network Attacks

Types of Network Attacks
Attacks that require less intelligence about the target network:
– Reconnaissance
– Access attacks
– DoS and distributed DoS

Types of Network Attacks (Cont.)
Attacks that typically require more intelligence or insider access:
– Worms, viruses, and Trojan horses
– Application layer attacks
– Threats to management protocols

Reconnaissance Attacks and Mitigation

Reconnaissance Attacks and Mitigation
Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications. Reconnaissance attacks include:
– Packet sniffers
– Port scans
– Ping sweeps
– Internet information queries

Packet Sniffers
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. Packet sniffers:
– Exploit information passed in plaintext. Protocols that pass information in plaintext include Telnet, FTP, SNMP, POP, and HTTP.
– Must be on the same collision domain.
– Can be used legitimately, or can be designed specifically for attack.

Packet Sniffer Mitigation
The mitigation techniques and tools include:
– Authentication
– Cryptography
– Antisniffer tools
– Switched infrastructure

Port Scans and Ping Sweeps
Port scans and ping sweeps attempt to identify:
– All services
– All hosts and devices
– The operating systems
– Vulnerabilities

Port Scan and Ping Sweep Mitigation
Port scans and ping sweeps cannot be prevented without compromising network capabilities. However, the damage can be mitigated using intrusion prevention systems at the network and host levels.

Internet Information Queries
(Figure: sample IP address query)
Attackers can use Internet tools such as WHOIS as weapons.

Access Attacks and Mitigation

Access Attacks
Intruders use access attacks on networks or systems for these reasons:
– Retrieve data
– Gain access
– Escalate their access privileges
Access attacks include:
– Password attacks
– Trust exploitation
– Port redirection
– Man-in-the-middle attacks
– Buffer overflow

Password Attacks
Hackers implement password attacks using the following:
– Brute-force attacks
– Trojan horse programs
– IP spoofing
– Packet sniffers

Password Attack Example
L0phtCrack takes the hashes of passwords and generates the plaintext passwords from them. Passwords are compromised using one of two methods:
– Dictionary cracking
– Brute-force computation

Password Attack Mitigation
Password attack mitigation techniques:
– Do not allow users to use the same password on multiple systems.
– Disable accounts after a certain number of unsuccessful login attempts.
– Do not use plaintext passwords.
– Use strong passwords (use mY8!Rthd8y rather than mybirthday).

Trust Exploitation
A hacker leverages existing trust relationships. Several trust models exist:
– Windows: domains, Active Directory
– Linux and UNIX: NIS, NIS+

Trust Exploitation Attack Mitigation

Port Redirection

Man-in-the-Middle Attacks and Their Mitigation
A man-in-the-middle attack requires that the hacker have access to network packets that come across a network. A man-in-the-middle attack is implemented using the following:
– Network packet sniffers
– Routing and transport protocols
Man-in-the-middle attacks can be effectively mitigated only through the use of cryptographic encryption.

DoS Attacks and Mitigation

DoS Attacks and Mitigation
A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services. The distributed DoS technique performs simultaneous attacks from many distributed sources. DoS and distributed DoS attacks can use IP spoofing.

Distributed DoS Attacks
DoS and distributed DoS attacks focus on making a service unavailable for normal use. DoS and distributed DoS attacks have these characteristics:
– Generally not targeted at gaining access to your network or the information on your network
– Require very little effort to execute
– Difficult to eliminate, but their damage can be minimized

Distributed DoS Example

DoS and Distributed DoS Attack Mitigation
The threat of DoS attacks can be reduced using:
– Anti-spoof features on routers and firewalls
– Anti-DoS features on routers and firewalls
– Traffic rate limiting at the ISP level

IP Spoofing in DoS and Distributed DoS
IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. IP spoofing can use either a trusted IP address in the network or a trusted external IP address. Uses for IP spoofing include:
– Injecting malicious data or commands into an existing data stream
– Diverting all network packets to the hacker, who can then reply as a trusted user, by changing the routing tables
IP spoofing may be only one step in a larger attack.

IP Spoofing Attack Mitigation
The threat of IP spoofing can be reduced, but not eliminated, using these measures:
– Access control configuration
– Encryption
– RFC 3704 filtering
– Additional authentication requirements that do not use IP address-based authentication; examples are:
  – Cryptographic (recommended)
  – Strong, two-factor, one-time passwords
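The RFC 3704 filtering and router anti-spoof features named in this slide and in the DoS mitigation slide, written out as a Cisco IOS perimeter-router configuration; this is an added example, not part of the course material. The interface name, the ACL names and the 192.0.2.0/24 "own prefix" are assumptions.

```cisco
! Added example: RFC 3704 anti-spoofing on a perimeter router (uRPF plus ingress/egress ACLs).
! Assumptions: GigabitEthernet0/0 faces the ISP and 192.0.2.0/24 is the organization's own prefix.
ip cef
!
! Unicast RPF, strict mode: a packet is dropped unless its source address is routed back
! out the interface it arrived on. On multihomed links use "reachable-via any" (loose mode).
interface GigabitEthernet0/0
 description Link to ISP
 ip verify unicast source reachable-via rx
 ip access-group ANTISPOOF-IN in
 ip access-group ANTISPOOF-OUT out
!
! Ingress: nothing arriving from the Internet may claim our own prefix, a loopback
! address, or a private (RFC 1918) source. Matches are logged so spoofing shows up in syslog.
ip access-list extended ANTISPOOF-IN
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
!
! Egress: only our own prefix may leave, so a compromised inside host cannot take part
! in a spoofed-source DoS against someone else.
ip access-list extended ANTISPOOF-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
```

The ACLs catch what uRPF alone cannot express (for example, our own prefix arriving from outside), while uRPF covers every other unrouted or asymmetric source without a per-prefix list.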

Worm, Virus, and Trojan Horse Attacks and Mitigation

Worm, Virus, and Trojan Horse Attacks and Mitigation
The primary vulnerabilities for end-user workstations are:
– Worms
– Viruses
– Trojan horse attacks

Virus and Trojan Horse Attack Mitigation
Viruses and Trojan horses can be contained by:
– Effective use of antivirus software
– Keeping up to date with the latest developments in these methods of attack
– Keeping up to date with the latest antivirus software and application versions
– Implementing host-based intrusion prevention systems (e.g., CSA)

The Anatomy of a Worm Attack
1. The enabling vulnerability
2. Propagation mechanism
3. Payload

Mitigating Worm Attacks
Four steps to mitigate worm attacks:
1. Contain
2. Inoculate
3. Quarantine
4. Treat

Application Layer Attacks and Mitigation

Application Layer Attacks
Application layer attacks have these characteristics:
– Exploit well-known weaknesses, such as those in protocols, that are intrinsic to an application or system (e.g., sendmail, HTTP, and FTP)
– Often use ports that are allowed through a firewall (e.g., TCP port 80 used in an attack against a web server behind a firewall)
– Can never be completely eliminated, because new vulnerabilities are always being discovered

Netcat
Netcat is a tool that reads or writes data on any TCP/UDP connection, relays TCP connections, and can act as a TCP/UDP server.

  #nc -h
  connect to somewhere:   nc [-options] hostname port[s] [ports] ...
  listen for inbound:     nc -l -p port [-options] [hostname] [port]
  options:
          -g gateway      source-routing hop point[s], up to 8
          -G num          source-routing pointer: 4, 8, 12, ...
          -i secs         delay interval for lines sent, ports scanned
          -l              listen mode, for inbound connects
          -n              numeric-only IP addresses, no DNS
          -o file         hex dump of traffic
          -p port         local port number
          -r              randomize local and remote ports
          -s addr         local source address
          -u              UDP mode
          -v              verbose [use twice to be more verbose]
  port numbers can be individual or ranges: lo-hi [inclusive]

Netcat Example

Mitigation of Application Layer Attacks
Measures you can take to reduce your risks include:
– Read operating system and network log files, or have them analyzed by log analysis applications.
– Subscribe to mailing lists that publicize vulnerabilities.
– Keep your operating system and applications current with the latest patches.
– Use IDS/IPS that can scan for known attacks, monitor and log attacks, and, in some cases, prevent attacks.

Management Protocols and Vulnerabilities

Configuration Management
Configuration management protocols include SSH, SSL, and Telnet. Telnet issues include:
– The data within a Telnet session is sent as plaintext.
– The data may include sensitive information.

Configuration Management Recommendations
These practices are recommended:
– Use IPsec, SSH, SSL, or any other encrypted and authenticated transport.
– ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged.
– RFC 3704 filtering at the perimeter router should be used to mitigate the chance of an outside attacker spoofing the addresses of the management hosts.

Management Protocols
These management protocols can be compromised:
– SNMP: The community string information for simple authentication is sent in plaintext.
– syslog: Data is sent as plaintext between the managed device and the management host.
– TFTP: Data is sent as plaintext between the requesting host and the TFTP server.
– NTP: Many NTP servers on the Internet do not require any authentication of peers.

Management Protocol Best Practices
Recommendations per management protocol:
SNMP:
– Configure SNMP with only read-only community strings.
– Set up access control on the device you wish to manage.
– Use SNMP version 3.
Syslog:
– Encrypt syslog traffic within an IPsec tunnel.
– Implement RFC 3704 filtering.
– Set up access control on the firewall.
TFTP:
– Encrypt TFTP traffic within an IPsec tunnel.
NTP:
– Implement your own master clock.
– Use NTP version 3 or above.
– Set up access control that specifies which network devices are allowed to synchronize with other network devices.
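One Cisco IOS configuration that applies the Configuration Management Recommendations, the per-protocol best practices above, and the earlier Password Attack Mitigation points (account lockout after failed logins, no plaintext passwords); it is an added example, not the course's own material. Host addresses, the domain name, ACL and user names, and every secret or key are assumed placeholders to replace.

```cisco
! Added example: management-plane hardening on a Cisco IOS router.
! Assumptions: management hosts 10.1.1.10-11, syslog host 10.1.1.20, NTP master 10.1.1.30.
!
! Password-attack mitigation: hashed secrets, minimum length, lockout and logging on failed logins
service password-encryption
security passwords min-length 10
enable secret REPLACE-ENABLE-SECRET
username netadmin privilege 15 secret REPLACE-USER-SECRET
login block-for 120 attempts 3 within 60
login on-failure log
!
! Encrypted, authenticated transport: SSH version 2 only (Telnet disabled on the VTYs below)
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
!
! Only the management hosts may open a VTY session; every other attempt is denied and logged
ip access-list standard MGMT-HOSTS
 permit 10.1.1.10
 permit 10.1.1.11
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
!
! SNMPv3 with authentication and privacy, a read-only view, restricted to the management hosts
snmp-server view RO-VIEW iso included
snmp-server group SNMP-RO v3 priv read RO-VIEW access MGMT-HOSTS
snmp-server user snmpmon SNMP-RO v3 auth sha REPLACE-AUTH-PASS priv aes 128 REPLACE-PRIV-PASS
!
! Syslog to the management host. Carrying it inside an IPsec tunnel and the RFC 3704 filter
! belong on the tunnel endpoints and perimeter router and are not shown here.
logging host 10.1.1.20
logging trap informational
!
! Authenticated NTP from our own master clock; only that host may peer with this device
ntp authenticate
ntp authentication-key 1 md5 REPLACE-NTP-KEY
ntp trusted-key 1
ntp server 10.1.1.30 key 1
access-list 10 permit 10.1.1.30
ntp access-group peer 10
```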

Determining Vulnerabilities and Threats

Determining Vulnerabilities and Threats
The following tools are useful when determining general network vulnerabilities:
– Blues PortScanner
– Ethereal
– Microsoft Baseline Security Analyzer
– Nmap

Blues PortScanner and Ethereal
(Screenshots: Blues PortScanner; Ethereal)

Microsoft Baseline Security Analyzer

Summary
– The Cisco Self-Defending Network initiative provides a comprehensive approach to network security.
– Packet sniffer attacks can be mitigated by cryptography, switched infrastructure, and antisniffer tools.
– Port scans and ping sweeps are mitigated by network and host IPS.
– Password attacks can be mitigated by strong password rules, disabling accounts after unsuccessful logins, and never sending passwords in plaintext.
– Trust exploitation and port redirection are defended against by proper use of the trust model.
– Man-in-the-middle attacks can be mitigated through cryptography.
– IP spoofing attacks can be defended against by access control, RFC 3704 filtering, and additional authentication.
– DoS and distributed DoS attacks can be mitigated through antispoof features, anti-DoS features, and traffic rate limiting.

Summary (Cont.)
– Worm attacks can be mitigated by containment, inoculation, quarantine, and treatment.
– Viruses and Trojan horse attacks can be defended against using up-to-date antivirus software.
– Application layer attacks can be mitigated by IPS, as well as operating system and application hardening.
– Management protocol attacks can be mitigated by selecting secure protocols and filtering the management traffic.
– The following tools help discover network vulnerabilities:
  – Netcat
  – Blues PortScanner
  – Ethereal
  – Microsoft Baseline Security Analyzer
  – Nmap