Lesson 1 Security Fundamentals © 2005 Cisco Systems, Inc. All rights reserved. CSI v2.11-1.

Transcript:


Need for Network Security

The Closed Network
(Diagram: a closed network linking a remote site over the PSTN, Frame Relay, X.25, and leased lines)

The Network Today
(Diagram: an open network with mobile and remote users, a partner site, and remote sites reached over the PSTN and the Internet through Internet-based intranet and extranet VPNs)

Threats: More Dangerous and Easier to Use
(Chart: the sophistication of hacker tools rises over time toward 2000 while the technical knowledge required falls from high to low; tools shown include password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, stealth diagnostics, packet forging/spoofing, and scanners)

The Role of Security Is Changing
As businesses become more open to supporting Internet-powered initiatives such as e-commerce, customer care, supply-chain management, and extranet collaboration, network security risks are increasing.

The E-Business Challenge
Expanded Access, Heightened Security Risks
(Chart: business value grows as Internet access expands from corporate intranet to Internet presence to Internet business value, with supply chain, customer care, e-commerce, e-learning, and workforce optimization as examples)
Business security requirements:
– In-depth defense
– Multiple components
– Integration into e-business infrastructure
– Comprehensive blueprint

Governmental and Legal Policy Issues
– Many governments have formed cross-border task forces to deal with privacy issues.
– The outcome of international privacy efforts is expected to take several years to develop.
– National laws regarding privacy are expected to continue to evolve worldwide.

Network Security Is a Continuous Process
Network security is a continuous process built around a four-step security policy.
– Step 1: Secure
– Step 2: Monitor
– Step 3: Test
– Step 4: Improve
(Diagram: Secure, Monitor and Respond, Test, and Manage and Improve form a cycle around the corporate security policy)

Network Security Policy

What Is a Security Policy?
"A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."
– RFC 2196, Site Security Handbook

Why Create a Security Policy?
– To create a baseline of your current security posture
– To set the framework for security implementation
– To define allowed and not-allowed behaviors
– To help determine necessary tools and procedures
– To communicate consensus and define roles
– To define how to handle security incidents
– To inform users of their responsibilities
– To define assets and how to use them
– To state the ramifications of misuse

What Should the Security Policy Contain?
– Statement of authority and scope
– Acceptable use policy
– Identification and authentication policy
– Internet use policy
– Campus access policy
– Remote access policy
– Incident handling procedure

Primary Network Threats and Attacks

Variety of Attacks
Network attacks can be as varied as the systems that they attempt to penetrate.
(Diagram: a network connected to the Internet facing external exploitation, internal exploitation, dial-in exploitation, and a compromised host)

Network Security Threats
There are four general categories of security threats to the network:
– Unstructured
– Structured
– External
– Internal

The Four Primary Attack Categories
All of the following can be used to compromise your system:
– Reconnaissance attacks
– Access attacks
– Denial of service attacks
– Worms, viruses, and Trojan horses

Reconnaissance Attacks and Mitigation

Reconnaissance Attacks
Reconnaissance is the overall act of learning information about a target network by using readily available information and applications.

Packet Sniffers
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets.
– Packet sniffers exploit information that is passed in clear text.
– Packet sniffers must be on the same collision domain.
– Packet sniffers can be general-purpose or designed specifically for attack.
(Diagram: Host A and Host B communicating through Router A and Router B)

Packet Sniffer Attack Mitigation
The following techniques and tools can be used to mitigate sniffer attacks:
– Authentication: A first option for defense against packet sniffers is to use strong authentication, such as one-time passwords.
– Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
– Antisniffer tools: Use these tools to employ software and hardware that are designed to detect the use of sniffers on a network.
– Cryptography: This is the most effective method for countering packet sniffers; it does not prevent or detect packet sniffers, but rather renders them irrelevant.
(Diagram: Host A and Host B communicating through Router A and Router B, with the sniffer marked as blocked)

Port Scans and Ping Sweeps
These attacks can attempt to:
– Identify all services on the network
– Identify all hosts and devices on the network
– Identify the operating systems on the network
– Identify vulnerabilities on the network

Port Scan and Ping Sweep Attack Mitigation
– Port scans and ping sweeps cannot be prevented entirely.
– IDSs at the network and host levels can usually notify an administrator when a reconnaissance attack such as a port scan or ping sweep is under way.
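One way to implement the IDS-style notification this slide describes, as an added example that is not part of the Cisco course: a sliding-window detector over constructed firewall log lines that raises a port-scan alert when one source probes many ports on one host, and a ping-sweep alert when one source sends ICMP to many hosts. The log format, the thresholds, and the addresses are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a made-up "timestamp action proto src -> dst[:port]"
# format (not real Cisco IOS or PIX syslog). 203.0.113.9 sweeps five hosts with
# ICMP and then probes eight ports on 192.0.2.10; 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
2005-03-01T10:00:00 deny icmp 203.0.113.9 -> 192.0.2.1
2005-03-01T10:00:00 deny icmp 203.0.113.9 -> 192.0.2.2
2005-03-01T10:00:01 deny icmp 203.0.113.9 -> 192.0.2.3
2005-03-01T10:00:01 deny icmp 203.0.113.9 -> 192.0.2.4
2005-03-01T10:00:02 deny icmp 203.0.113.9 -> 192.0.2.5
2005-03-01T10:00:05 deny tcp 203.0.113.9 -> 192.0.2.10:21
2005-03-01T10:00:05 deny tcp 203.0.113.9 -> 192.0.2.10:22
2005-03-01T10:00:05 deny tcp 203.0.113.9 -> 192.0.2.10:23
2005-03-01T10:00:06 deny tcp 203.0.113.9 -> 192.0.2.10:25
2005-03-01T10:00:06 deny tcp 203.0.113.9 -> 192.0.2.10:53
2005-03-01T10:00:06 deny tcp 203.0.113.9 -> 192.0.2.10:110
2005-03-01T10:00:07 deny tcp 203.0.113.9 -> 192.0.2.10:143
2005-03-01T10:00:07 deny tcp 203.0.113.9 -> 192.0.2.10:3389
2005-03-01T10:00:09 permit tcp 198.51.100.7 -> 192.0.2.10:80
2005-03-01T10:00:10 permit tcp 198.51.100.7 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>deny|permit) (?P<proto>tcp|udp|icmp) "
    r"(?P<src>[0-9.]+) -> (?P<dst>[0-9.]+)(?::(?P<port>\d+))?$"
)
WINDOW = timedelta(seconds=60)   # assumed detection window
PORT_SCAN_PORTS = 8              # distinct ports on one host from one source
SWEEP_HOSTS = 5                  # distinct hosts probed with ICMP from one source


def parse(log_text):
    """Yield (timestamp, proto, src, dst, port-or-None); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["proto"], m["src"],
                   m["dst"], int(m["port"]) if m["port"] else None)


def detect(log_text):
    """Return sorted (source, alert_type) pairs, at most one per source and type."""
    recent = defaultdict(deque)   # src -> events inside the sliding window
    alerts = set()
    for ts, proto, src, dst, port in parse(log_text):
        window = recent[src]
        window.append((ts, proto, dst, port))
        while ts - window[0][0] > WINDOW:   # expire events older than WINDOW
            window.popleft()
        ports_per_host, icmp_hosts = defaultdict(set), set()
        for _, p, d, pt in window:
            if p == "icmp":
                icmp_hosts.add(d)
            elif pt is not None:
                ports_per_host[d].add(pt)
        if len(icmp_hosts) >= SWEEP_HOSTS:
            alerts.add((src, "ping_sweep"))
        if any(len(ports) >= PORT_SCAN_PORTS for ports in ports_per_host.values()):
            alerts.add((src, "port_scan"))
    return sorted(alerts)
```

Feeding `detect(SAMPLE_LOG)` yields one ping-sweep and one port-scan alert for 203.0.113.9 and nothing for the ordinary client; in production the sorted pairs would be handed to the notification path rather than printed.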

Internet Information Queries
(Screenshots: a sample IP address query and a sample domain name query)

Access Attacks and Mitigation

Access Attacks
In access attacks, intruders typically attack networks and systems to:
– Retrieve data
– Gain access
– Escalate their access privileges

Password Attacks
Hackers can use several methods to implement password attacks:
– Brute-force attacks
– Trojan horse programs
– IP spoofing
– Packet sniffers

Password Attack Mitigation
The following are techniques for mitigating password attacks:
– Do not allow users to use the same password on multiple systems.
– Disable accounts after a certain number of unsuccessful login attempts.
– Do not use plain-text passwords. An OTP or a cryptographic password is recommended.
– Use strong passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters.
– Force periodic password changes.
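The lockout, no-plain-text-password, and strong-password rules from this slide as an added example, not code from the Cisco course: a small account store that enforces the slide's eight-character, four-character-class rule, keeps only a salted PBKDF2 hash of each password, and locks an account after a number of consecutive failures. The lockout threshold of five and the PBKDF2 parameters are assumptions, since the slide does not specify them.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8           # the slide's minimum length
MAX_FAILURES = 5         # assumed lockout threshold; the slide gives no number
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored password hash


def password_problems(password):
    """Return the ways a candidate violates the slide's strong-password rule
    (an empty list means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


class AccountStore:
    """Keeps salted PBKDF2 digests rather than clear-text passwords and disables
    an account after MAX_FAILURES consecutive unsuccessful logins."""

    def __init__(self):
        self._accounts = {}   # user -> (salt, digest)
        self._failures = {}   # user -> consecutive failed attempts
        self._locked = set()

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, user, password):
        problems = password_problems(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt = os.urandom(16)
        self._accounts[user] = (salt, self._digest(password, salt))
        self._failures[user] = 0

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'; unknown users are simply denied."""
        if user in self._locked:
            return "locked"
        record = self._accounts.get(user)
        if record is not None:
            salt, digest = record
            if hmac.compare_digest(self._digest(password, salt), digest):
                self._failures[user] = 0
                return "ok"
            self._failures[user] += 1
            if self._failures[user] >= MAX_FAILURES:
                self._locked.add(user)
                return "locked"
        return "denied"
```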

Trust Exploitation
A hacker leverages existing trust relationships. Several trust models exist:
– Windows: Domains, Active Directory
– Linux and UNIX: NFS, NIS+
(Diagram: System A trusts System B, and System B trusts everyone, so System A effectively trusts everyone. System B, where user psmith is Pat Smith, is compromised by a hacker whose account is also psmith but belongs to Pat Smithson, and the hacker gains access to System A.)

Trust Exploitation Attack Mitigation
– Systems inside a firewall should never absolutely trust systems outside a firewall.
– Such trust should be limited to specific protocols and should be validated by something other than an IP address when possible.
(Diagram: the same System A, compromised System B, and hacker account psmith (Pat Smithson), with the hacker now blocked from reaching System A)

Port Redirection
– Port redirection is a type of trust-exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be dropped.
– It is mitigated primarily through the use of proper trust models.
– Antivirus software and a host-based IDS can help detect hackers and prevent them from installing port redirection utilities on the host.
(Diagram: the attacker's traffic to compromised Host A on port 22 is forwarded by Host A to Host B on port 23, so the firewall sees a connection from A rather than from the attacker)

Man-in-the-Middle Attacks
A man-in-the-middle attack requires that the hacker have access to network packets that come across a network.
A man-in-the-middle attack is implemented using the following:
– Network packet sniffers
– Routing and transport protocols
Purposes of man-in-the-middle attacks include the following:
– Theft of information
– Hijacking of an ongoing session
– Traffic analysis
– DoS
– Corruption of transmitted data
– Introduction of new information into network sessions
(Diagram: Host A and Host B exchanging data in clear text through Router A and Router B)

Man-in-the-Middle Attack Mitigation
Man-in-the-middle attacks can be effectively mitigated only through the use of cryptography (encryption).
(Diagram: Host A and Host B connected through Router A, an ISP, and Router B inside an IPSec tunnel; the hacker can see only cipher text)

Denial of Service Attacks and Mitigation

Denial of Service Attacks
Denial of service attacks occur when an intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, systems, or services.

IP Spoofing
IP spoofing occurs when a hacker, inside or outside a network, impersonates the conversations of a trusted computer.
Two general techniques are used during IP spoofing:
– A hacker uses an IP address that is within the range of trusted IP addresses.
– A hacker uses an authorized external IP address that is trusted.
Uses for IP spoofing include the following:
– IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.
– If a hacker changes the routing tables to point to the spoofed IP address, then the hacker can receive all the network packets that are addressed to the spoofed address and reply, just as any trusted user can.

IP Spoofing Attack Mitigation
The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
– Access control: The most common method for preventing IP spoofing is to properly configure access control.
– RFC 2827 filtering: Prevent any outbound traffic on your network that does not have a source address in your organization's own IP range.
– Require additional authentication that does not use IP-based authentication, for example:
  – Cryptographic authentication (recommended)
  – Strong, two-factor one-time passwords

DoS and DDoS Attacks
DoS attacks focus on making a service unavailable for normal use. They have the following characteristics:
– Different from most other attacks because they are generally not targeted at gaining access to your network or the information on your network
– Require very little effort to execute
– Among the most difficult to completely eliminate

DDoS Example
(Diagram: a client system, handler systems, and agent systems)
1. Scan for systems to hack.
2. Install software to scan, compromise, and infect agents.
3. Agents are loaded with remote control attack software.
4. The client issues commands to handlers that control agents in a mass attack.

DoS and DDoS Attack Mitigation
The threat of DoS attacks can be reduced through the following three methods:
– Antispoof features: Proper configuration of antispoof features on routers and firewalls
– Anti-DoS features: Proper configuration of anti-DoS features on routers, firewalls, and IDSs
– Traffic rate limiting: Implement traffic rate limiting with the ISP of the network

Worm, Virus, and Trojan Horse Attacks and Mitigation

Worm, Virus, and Trojan Horse Attacks
The primary vulnerabilities for end-user workstations are worm, virus, and Trojan horse attacks.
– A worm executes arbitrary code and installs copies of itself in the infected computer's memory, which infects other hosts.
– A virus is malicious software that is attached to another program to execute a particular unwanted function on a user's workstation.
– A Trojan horse is different only in that the entire application is written to look like something else, when in fact it is an attack tool.

Worm Attacks
1. Enabling vulnerability
2. Propagation mechanism
3. Payload

Worm Attack Mitigation
– Containment: Contain the spread of the worm by compartmentalizing infected parts of your network.
– Inoculation: Patch all systems and scan for vulnerable systems.
– Quarantine: Track down each infected host, then disconnect, remove, or block infected hosts from the network.
– Treatment: Clean and patch each infected system.

Virus and Trojan Horse Attacks
– A virus is malicious software that is attached to another program to execute a particular unwanted function on a user's workstation. End-user workstations are the primary targets.
– A Trojan horse is different only in that the entire application is written to look like something else, when in fact it is an attack tool.

Virus and Trojan Horse Attack Mitigation
These kinds of applications can be contained by:
– Effective use of antivirus software
– Keeping up-to-date with the latest developments in these sorts of attacks
– Keeping up-to-date with the latest antivirus software and application versions
– Effective use of intrusion protection

Application-Layer Attacks
Application-layer attacks have the following characteristics:
– Exploit well-known weaknesses, such as those in protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP)
– Often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall)
– Can never be completely eliminated, because new vulnerabilities are always being discovered
(Diagram: the OSI model, layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, and 1 Physical)

Application-Layer Attack Mitigation
Measures you can take to reduce your risks include the following:
– Read operating system and network log files or have them analyzed by log analysis applications.
– Subscribe to mailing lists that publicize vulnerabilities.
– Keep your operating system and applications current with the latest patches.
– Use IDSs, which can scan for known attacks, monitor and log attacks, and, in some cases, prevent attacks.

Management Protocols and Functions

Configuration Management
Configuration management protocols include SSH, SSL, and Telnet. Telnet issues include the following:
– The data within a Telnet session is sent as clear text and can be intercepted by anyone with a packet sniffer located along the data path between the device and the management server.
– The data may include sensitive information, such as the configuration of the device itself, passwords, and so on.

Configuration Management Recommendations
When possible, follow these practices:
– Use IPSec, SSH, SSL, or any other encrypted and authenticated transport.
– ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged.
– RFC 2827 filtering at the perimeter router should be used to mitigate the chance of an outside attacker spoofing the addresses of the management hosts.
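The RFC 2827 filtering rule from the IP Spoofing Attack Mitigation slide and the management ACL and perimeter-filtering recommendations from this slide, as one added example that is not part of the Cisco course: a Python model of the two enforcement points, the perimeter router and the managed device, run over constructed addresses. The organization's prefix, the management host, and the management ports (SSH and SSL) are assumptions.

```python
import ipaddress
import logging

ORG_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # assumed: our own IP range
MGMT_HOSTS = {ipaddress.ip_address("192.0.2.50")}   # assumed: management servers
MGMT_PORTS = {22, 443}                              # assumed: SSH and SSL management
DENIED_LOG = []                                     # denied attempts, for the audit trail

log = logging.getLogger("mgmt-acl")


def perimeter_filter(direction, src):
    """RFC 2827 filtering on the perimeter router.

    direction is 'out' for packets leaving our network and 'in' for packets
    arriving from the Internet. Returns (verdict, reason)."""
    inside = ipaddress.ip_address(src) in ORG_PREFIX
    if direction == "out" and not inside:
        return ("drop", "rfc2827 egress: source %s is not in %s" % (src, ORG_PREFIX))
    if direction == "in" and inside:
        # An outside packet claiming one of our addresses is spoofed by definition;
        # this is what stops an outsider from posing as a management host.
        return ("drop", "rfc2827 ingress: outside packet claims our range %s" % ORG_PREFIX)
    return ("permit", None)


def device_filter(src, dst_port):
    """Management ACL on the managed device: only management servers may reach
    the management ports; every other attempt is denied and logged."""
    if dst_port not in MGMT_PORTS:
        return ("permit", None)   # not a management port; other policy decides
    if ipaddress.ip_address(src) in MGMT_HOSTS:
        return ("permit", None)
    entry = "denied management access from %s to port %d" % (src, dst_port)
    DENIED_LOG.append(entry)
    log.warning(entry)
    return ("drop", "mgmt-acl: " + entry)


def reaches_device(from_internet, src, dst_port):
    """Trace a packet to the device: Internet traffic crosses the perimeter first.
    Returns (True, None) if it gets through, else (False, reason)."""
    if from_internet:
        verdict, reason = perimeter_filter("in", src)
        if verdict == "drop":
            return (False, reason)
    verdict, reason = device_filter(src, dst_port)
    return (verdict == "permit", reason)
```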

Management Protocols
These management protocols can be compromised:
– SNMP: The community string information for simple authentication is sent in clear text.
– Syslog: Data is sent as clear text between the managed device and the management host.
– TFTP: Data is sent as clear text between the requesting host and the TFTP server.
– NTP: Many NTP servers on the Internet do not require any authentication of peers.

Management Protocol Recommendations
SNMP recommendations:
– Configure SNMP with only read-only community strings.
– Set up access control on the device you wish to manage.
– Use SNMP Version 3 or above.
Logging recommendations:
– Encrypt syslog traffic within an IPSec tunnel.
– Implement RFC 2827 filtering.
– Set up access control on the firewall.
TFTP recommendations:
– Encrypt TFTP traffic within an IPSec tunnel.
NTP recommendations:
– Implement your own master clock.
– Use NTP Version 3 or above.
– Set up access control that specifies which network devices are allowed to synchronize with other network devices.

Summary
– The need for network security has increased as networks have become more complex and interconnected.
– The following are the components of a complete security policy:
  – Statement of authority and scope
  – Acceptable use policy
  – Identification and authentication policy
  – Internet use policy
  – Campus access policy
  – Remote access policy
  – Incident handling procedure
– Security is an ongoing process. A security policy comprises four phases: secure, monitor, test, and improve.

Summary (Cont.)
– The following are the four types of security threats:
  – Structured
  – Unstructured
  – Internal
  – External
– The following are the four primary attack categories:
  – Reconnaissance attacks
  – Access attacks
  – Denial of service attacks
  – Worms, viruses, and Trojan horses
– Configuration management and management protocols are an important part of securing a network.