
Chapter 1: Modern Network Security Threats
CCNA Security

Objectives

Bach Khoa Information Technology Academy - Website: www.bkacad.com

Fundamental Principles of a Secure Network


Evolution of Network Security


In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts.
The Code Red worm caused a Denial of Service (DoS) to millions of users.


Evolution of Network Security


When the first viruses were unleashed and the first DoS attack occurred, the world began to change for networking professionals.
To meet the needs of users, network professionals learned techniques to secure networks.
Refer to 1.1.1.2


Evolution of Network Security


Year - Security Technology
1984 - First IDS for ARPAnet (SRI International IDES)
Late 1988 - DEC Packet Filter Firewall
1989 - AT&T Bell Labs Stateful Firewall
1991 - DEC SEAL Application Layer Firewall
1994 - Check Point Firewall
1995 - NetRanger IDS
August 1997 - RealSecure IDS
1998 - Snort IDS
Late 1999 - First IPS
2006 - Cisco Zone-Based Policy Firewall
2010 - Cisco Security Intelligence Operations


Evolution of Network Security

An IDS provides real-time detection of certain types of attacks while they are in progress.
This detection allows network professionals to more quickly mitigate the negative impact of these attacks on network devices and users.
In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution.
IPS devices enable the detection of malicious activity and have the ability to automatically block the attack in real time.
In addition to IDS and IPS solutions, firewalls were developed to prevent undesirable traffic from entering prescribed areas within a network, thereby providing perimeter security.


Evolution of Network Security

Internal threats fall into two categories: spoofing and DoS.

Evolution of Network Security


Evolution of LAN Security


Evolution of Network Security

Three components of information security: confidentiality, integrity, availability.
Encrypting data: encryption provides confidentiality by hiding plaintext data.
Data integrity: data is not changed from source to destination.
Availability: data accessibility is guaranteed by network hardening mechanisms and backup systems.

Evolution of Network Security


Evolution of Data Protection Technologies
Year - Security Technology
1993 - Cisco GRE Tunnels
1996 - Site-to-Site IPsec VPNs
1999 - SSH
2000 - MPLS VPNs
2001 - Remote-access IPsec VPN
2002 - Dynamic Multipoint VPN
2005 - SSL VPN
2010 - Group Encrypted Transport VPN (GET VPN)


Drivers for Network Security

The word "hackers" has a variety of meanings.
For many, it means Internet programmers who try to gain unauthorized access to devices on the Internet.
It is also used to refer to individuals that run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers.
But for some, the term hacker has a positive interpretation as a network professional that uses sophisticated Internet programming skills to ensure that networks are not vulnerable to attack.

Good or bad, hacking is a driving force in network security.

Drivers for Network Security

Refer to 1.1.2.2

Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems.
Wardialing programs automatically scanned telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines. When a phone number was found, password-cracking programs were used to gain access.
Wardriving: users gain unauthorized access to networks via wireless access points.
A number of other threats have evolved since the 1960s, including network scanning tools such as Nmap and SATAN, as well as remote system administration hacking tools such as Back Orifice.

Drivers for Network Security

What is the job of a network security professional?

1. To stay one step ahead of the hackers by attending training and workshops, participating in security organizations, subscribing to real-time feeds regarding threats, and perusing security websites on a daily basis.
2. Have access to state-of-the-art security tools, protocols, techniques, and technologies.
3. Always remain aware of malicious activities and have the skills and tools to minimize or eliminate the threats associated with those activities.

Drivers for Network Security

This virus resulted in memory overflows in Internet mail servers.

Drivers for Network Security

Robert Morris created the first Internet worm with 99 lines of code.


Network Security Organizations

SysAdmin, Audit, Network, Security (SANS) Institute
Computer Emergency Response Team (CERT)
International Information Systems Security Certification Consortium (pronounce (ISC)2 as "I-S-C-squared")

Network security professionals must collaborate with professional colleagues more frequently than most other professions.

Network Security Organizations


SANS was established in 1989 as a cooperative research and education organization.
The focus of SANS is information security training and certification.
SANS develops security courses that can be taken to prepare for Global Information Assurance Certification (GIAC) in auditing, management, operations, legal issues, security administration, and software security.

Network Security Organizations

CERT is part of the U.S. federally funded Software Engineering Institute (SEI) at Carnegie Mellon University.
CERT is chartered to work with the Internet community in detecting and resolving computer security incidents.
CERT responds to major security incidents and analyzes product vulnerabilities.
CERT focuses on 5 areas: software assurance, secure systems, organizational security, coordinated response, and education and training.

Network Security Organizations

(ISC)2 provides vendor-neutral education products and career services in more than 135 countries.
The mission of (ISC)2 is to make the cyber world a safe place through elevating information security to the public domain and supporting and developing information security professionals around the world.
Detail: 1.1.3.4

Network Security Organizations

In addition to the websites of the various security organizations, one of the most useful tools for the network security professional is Really Simple Syndication (RSS) feeds.
RSS is a family of XML-based formats used to publish frequently updated information, such as blog entries, news headlines, audio, and video.
RSS uses a standardized format. An RSS feed includes complete or summarized text, plus metadata, such as publishing dates and authorships.
By using RSS, a network security professional can acquire up-to-date information on a daily basis and aggregate real-time threat information for review at any time.
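The slide describes RSS as XML carrying text plus publishing metadata; the parser below, an added example that is not part of the course material or the academy's own code, shows what that structure looks like when read programmatically and how the dated entries can be aggregated newest-first. The feed is a constructed sample with placeholder .invalid URLs, not a real advisory source, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feed (not a real advisory source); RSS 2.0 layout with
# channel metadata and two items, one of them without an author element.
SAMPLE_RSS = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Example Threat Feed (constructed)</title>
    <link>https://feed.example.invalid/</link>
    <description>Sample entries for the parser below</description>
    <item>
      <title>Worm activity observed on UDP 1434</title>
      <link>https://feed.example.invalid/items/1</link>
      <pubDate>Sat, 25 Jan 2003 06:00:00 GMT</pubDate>
      <author>soc@example.invalid</author>
      <description>Summary text of the first entry.</description>
    </item>
    <item>
      <title>Patch release for mail server overflow</title>
      <link>https://feed.example.invalid/items/2</link>
      <pubDate>Mon, 03 Feb 2003 12:30:00 GMT</pubDate>
      <description>Summary text of the second entry.</description>
    </item>
  </channel>
</rss>
"""


def parse_rss(xml_text):
    """Return (channel title, list of item dicts) for an RSS 2.0 document.

    Feeds are untrusted input fetched from the Internet; the standard library
    parser does not expand external entities, but for production use the
    defusedxml package is the usual hardened drop-in.
    """
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    if root.tag != "rss" or channel is None:
        raise ValueError("not an RSS 2.0 document")
    items = []
    for item in channel.findall("item"):
        pub = item.findtext("pubDate")
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": item.findtext("link"),
            # RFC 822 date string -> timezone-aware datetime; None if absent
            "published": parsedate_to_datetime(pub) if pub else None,
            "author": item.findtext("author"),
            "summary": (item.findtext("description") or "").strip(),
        })
    return channel.findtext("title"), items


def newest_first(items):
    """Aggregate view of entries: newest publishing date first, undated entries last."""
    return sorted(
        items,
        key=lambda i: (i["published"] is None,
                       -(i["published"].timestamp() if i["published"] else 0)),
    )


if __name__ == "__main__":
    title, entries = parse_rss(SAMPLE_RSS)
    print(title)
    for entry in newest_first(entries):
        print(entry["published"], entry["title"], entry["author"] or "(no author)")
```

Several feeds can be parsed the same way and their item lists concatenated before calling newest_first, which is the "aggregate real-time threat information for review at any time" use the slide has in mind.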

Domains of Network Security


Refer: 1.1.4.1


Domains of Network Security


The 12 domains of network security provide a convenient separation for the elements of network security.
One of the most important domains is security policy.

A security policy is a formal statement of the rules by which people must abide who are given access to the technology and information assets of an organization.

Network Security Policies


The policy is used to aid in network design, convey security principles, and
facilitate network deployments.
The network security policy outlines rules for network access, determines how
policies are enforced, and describes the basic architecture of the organization's
network security environment.


Network Security Policies


A Cisco Self-Defending Network (SDN) uses the network to identify, prevent, and adapt
to threats.
Unlike point-solution strategies, where products are purchased individually without
consideration for which products work best together, a network-based approach is a
strategic approach that meets the current challenges and evolves to address new security
needs.
A Cisco SDN begins with a strong, secure, flexible network platform from which a
security solution is built.


Network Security Policies


Refer to 1.1.5.2


Network Security Policies


Detail: 1.1.5.3


Network Security Policies

A security policy is a "living document," meaning that the document is never finished and is continuously updated as technology, business, and employee requirements change.

Viruses, Worms, and Trojan Horses

Viruses
A virus is malicious software which attaches to another program to execute a specific unwanted function on a computer.
A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.
A Trojan Horse is an application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within.
Refer: 1.2.1.1

Viruses

The term virus refers to an infectious organism that requires a host cell to grow and replicate.

Viruses

A virus is malicious code that is attached to legitimate programs or executable files.
Most viruses require end-user activation and can lie dormant for an extended period and then activate at a specific time or date.
When activated, the virus might check the disk for other executables, so that it can infect all the files it has not yet infected.
Today, most viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email. Email viruses are now the most common type of virus.

Worms

Worms are a particularly dangerous type of hostile code.
They replicate themselves by independently exploiting vulnerabilities in networks.
Worms usually slow down networks.
Worms are responsible for some of the most devastating attacks on the Internet.

Worms

Most worm attacks have three major components:
Enabling vulnerability - A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system.
Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.
Payload - Any malicious code that results in some action. Most often this is used to create a backdoor to the infected host.
Worms are self-contained programs that attack a system to exploit a known vulnerability.
Refer to 1.2.2.2

Worms

There are five basic phases of attack, regardless of whether a worm or virus is deployed.

Trojan Horses
A Trojan Horse in the world of computing is malware that carries out malicious operations under the guise of a desired function.
A virus or worm could carry a Trojan Horse.
A Trojan Horse contains hidden, malicious code that exploits the privileges of the user that runs it.
The Trojan Horse concept is flexible.
It can cause immediate damage, provide remote access to the system (a back door), or perform actions as instructed remotely, such as "send me the password file once per week."

Trojan Horses

Trojan Horses are usually classified according to the damage that they cause or
the manner in which they breach a system:
Remote-access Trojan Horse (enables unauthorized remote access)
Data sending Trojan Horse (provides the attacker with sensitive data such as
passwords)
Destructive Trojan Horse (corrupts or deletes files)
Proxy Trojan Horse (user's computer functions as a proxy server)
FTP Trojan Horse (opens port 21)
Security software disabler Trojan Horse (stops anti-virus programs or firewalls
from functioning)
Denial of Service Trojan Horse (slows or halts network activity)

Mitigating Viruses, Worms, Trojan Horses


A majority of the software vulnerabilities that are discovered relate to buffer overflows.
A buffer is an allocated area of memory used by processes to store data temporarily.

Mitigating Viruses, Worms, Trojan Horses

Mitigating Viruses and Trojan Horses

The primary means of mitigating virus and Trojan Horse attacks is anti-virus software.
Anti-virus products are host-based.
These products are installed on computers and servers to detect and eliminate viruses.

Mitigating Viruses, Worms, Trojan Horses


Mitigating Worms

The containment phase involves limiting the spread of a worm infection to areas of the network that are already affected.
The inoculation phase runs parallel to or subsequent to the containment phase.
The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them.
During the treatment phase, actively infected systems are disinfected of the worm.

Mitigating Viruses, Worms, Trojan Horses


In the case of the SQL Slammer worm, malicious traffic was detected on UDP port 1434.
This port should normally be blocked by a firewall on the perimeter.
Some organizations could not block UDP port 1434 because it was required to access the SQL Server for legitimate business transactions.

Mitigating Viruses, Worms, Trojan Horses

Cisco Security Agent (CSA) is a host-based intrusion prevention system that can be integrated with anti-virus software from various vendors.
Another solution for mitigating threats is Cisco Network Admission Control (NAC).
Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring for network security devices and host applications created by Cisco and other providers.

Attack Methodologies

Types of attacks

There are many different types of network attacks other than viruses,
worms, and Trojan Horses:
Refer: 1.3.1.1
Reconnaissance Attacks
Reconnaissance attacks involve the unauthorized discovery and
mapping of systems, services, or vulnerabilities.
Reconnaissance is analogous to a thief surveying a neighborhood for
vulnerable homes to break into, such as an unoccupied residence or a
house with an easy-to-open door or window.
Access Attacks
Access attacks exploit known vulnerabilities in authentication services,
FTP services, and web services to gain entry to web accounts,
confidential databases, and other sensitive information.
Denial of Service Attacks
Denial of service attacks send extremely large numbers of requests over a network or the Internet.

Reconnaissance Attacks

Reconnaissance is also known as information gathering and, in most cases, precedes an access or DoS attack.
In a reconnaissance attack, the malicious intruder typically begins by conducting a ping sweep of the target network to determine which IP addresses are active.
Reconnaissance attacks use various tools to gain access to a network:
Packet sniffers
Ping sweeps
Port scans
Internet information queries
Refer: 1.3.1.2

Reconnaissance Attacks

A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
Packet sniffers can only work in the same collision domain as the network being attacked, unless the attacker has access to the intermediary switches.
Numerous freeware and shareware packet sniffers, such as Wireshark, are available and do not require the user to understand anything about the underlying protocols.
Refer: 1.3.1.3

Reconnaissance Attacks

Refer: 1.3.1.4


Reconnaissance Attacks

Keep in mind that reconnaissance attacks are typically the precursor to further attacks with the intention of gaining unauthorized access to a network or disrupting network functionality.
A network security professional can detect when a reconnaissance attack is underway by configuring alarms that are triggered when certain parameters are exceeded, such as ICMP requests per second.
A Cisco ISR supports the security technologies that enable these types of alarms to be triggered.
Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also be used to notify when a reconnaissance attack is occurring.
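The threshold alarms the slide describes (ICMP requests per second, plus the ping sweeps and port scans listed among the reconnaissance tools) come down to counting per source over a time bucket. The Python below is an added example, not code from the course or from any Cisco product; the flow-log line format "epoch_seconds src dst proto dport" is assumed, the flow lines are constructed rather than captured from a real network, and the thresholds are illustrative values a real deployment would tune to its own baseline.

```python
from collections import defaultdict

# Illustrative thresholds (assumption); tune to the network's normal traffic.
ICMP_PER_SECOND = 20     # echo requests from one source in any one-second bucket
DISTINCT_HOSTS = 16      # distinct ICMP targets from one source (ping sweep)
DISTINCT_PORTS = 15      # distinct TCP/UDP ports from one source to one host (port scan)


def build_sample_log():
    """Constructed flow-log lines (not a real capture): 'epoch_seconds src dst proto dport'."""
    lines = []
    for i in range(1, 41):                       # ping sweep: 40 hosts probed in one second
        lines.append(f"100 10.0.0.5 192.168.1.{i} icmp 0")
    for port in range(20, 50):                   # port scan: 30 ports on a single host
        lines.append(f"101 10.0.0.9 192.168.1.10 tcp {port}")
    lines += ["100 10.0.0.7 192.168.1.1 icmp 0",  # ordinary traffic from a benign host
              "102 10.0.0.7 192.168.1.1 tcp 443",
              "102 10.0.0.7 192.168.1.20 tcp 80"]
    return lines


def parse_line(line):
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto, int(dport)


def icmp_rate_alarms(flows, threshold=ICMP_PER_SECOND):
    """Sources whose ICMP count in any one-second bucket exceeds the threshold -> peak count."""
    per_bucket = defaultdict(int)
    for ts, src, _dst, proto, _dport in flows:
        if proto == "icmp":
            per_bucket[(src, ts)] += 1
    alarms = {}
    for (src, _ts), n in per_bucket.items():
        if n > threshold:
            alarms[src] = max(n, alarms.get(src, 0))
    return alarms


def ping_sweep_alarms(flows, threshold=DISTINCT_HOSTS):
    """Sources that sent ICMP to more than `threshold` distinct hosts -> host count."""
    targets = defaultdict(set)
    for _ts, src, dst, proto, _dport in flows:
        if proto == "icmp":
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) > threshold}


def port_scan_alarms(flows, threshold=DISTINCT_PORTS):
    """(src, dst) pairs where one source touched more than `threshold` distinct ports."""
    ports = defaultdict(set)
    for _ts, src, dst, proto, dport in flows:
        if proto in ("tcp", "udp"):
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) > threshold}


def analyse(lines):
    """Run all three detectors over raw log lines and return their alarms by name."""
    flows = [parse_line(line) for line in lines]
    return {"icmp_rate": icmp_rate_alarms(flows),
            "ping_sweep": ping_sweep_alarms(flows),
            "port_scan": port_scan_alarms(flows)}


if __name__ == "__main__":
    for name, hits in analyse(build_sample_log()).items():
        print(name, hits or "no alarm")
```

The benign host 10.0.0.7 stays below every threshold, which is the point of tuning: an alarm that fires on a normal monitoring host pinging a few servers is noise, while 40 echo requests to 40 different addresses inside one second is the ping-sweep signature the slide refers to.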

Access Attacks

Hackers use access attacks on networks or systems for three reasons: retrieve data, gain access, and escalate access privileges.
Access attacks often employ password attacks to guess system passwords.
Password attacks can be implemented using several methods, including brute-force attacks, Trojan Horse programs, IP spoofing, and packet sniffers.
A brute-force attack is often performed using a program that runs across the network and attempts to log in to a shared resource, such as a server.
Refer: 1.3.2.1

Access Attacks

There are five types of access attacks:

Password attack
An attacker attempts to guess system passwords.

Access Attacks

Refer: 1.3.2.2

Trust exploitation
An attacker uses privileges granted to a system in an unauthorized way.

Access Attacks
Port redirection
A compromised system is used as a jump-off point for attacks against other targets.

Access Attacks
Man-in-the-middle attack
An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties.

Access Attacks
Buffer overflow
A program writes data beyond the allocated buffer memory.
A result of the overflow is that valid data is overwritten or exploited to enable the execution of malicious code.

Access Attacks

Access attacks in general can be detected by reviewing logs, bandwidth utilization, and process loads.
Example: ManageEngine EventLog Analyzer or Cisco Secure Access Control Server (CSACS)

Denial of Service Attacks


Refer: 1.3.3.1

A DoS attack is a network attack in which devices can no longer provide service to users because of, for example, an overflowed buffer or an overloaded CPU.
There are two major reasons a DoS attack occurs:
A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.
A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.

Denial of Service Attacks

Refer: 1.3.3.2

DoS attack


Denial of Service Attacks

Refer: 1.3.3.2

A Distributed Denial of Service Attack (DDoS)


Denial of Service Attacks


Ping of Death

In a ping of death attack, a hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes.
Sending a ping of this size can crash the target computer.
A variant of this attack is to crash a system by sending ICMP fragments, which fill the reassembly buffers of the target.
Refer: 1.3.3.3
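Both failure modes on this slide live in IP fragment reassembly: the oversize datagram only exists once the receiver adds the last fragment's offset to its length, and the fragment-flood variant works by leaving reassemblies incomplete until the buffers are gone. The model below is an added example, not code from the course, any Cisco product, or any operating system's IP stack; it ignores the IP header and treats offsets and lengths as payload-only (a simplifying assumption), and the cap of 64 pending datagrams is an illustrative value.

```python
MAX_DATAGRAM = 65535   # IPv4 Total Length is a 16-bit field, so no datagram may exceed this
MAX_PENDING = 64       # how many incomplete datagrams this model will hold at once (assumption)


class Reassembler:
    """Minimal IPv4 fragment reassembly with the two checks the slide's attacks call for.

    Simplification: header bytes are ignored; offsets and lengths refer to payload only.
    """

    def __init__(self, max_pending=MAX_PENDING):
        self.pending = {}       # (src, ident) -> {"frags": {start: bytes}, "total": int or None}
        self.max_pending = max_pending
        self.dropped = []       # (src, ident, reason) for every datagram refused

    def _drop(self, key, reason):
        self.pending.pop(key, None)
        self.dropped.append((key[0], key[1], reason))
        return None

    def add_fragment(self, src, ident, offset_units, more_fragments, payload):
        """offset_units is the Fragment Offset field (8-byte units).

        Returns the reassembled payload once every piece is present, else None.
        """
        key = (src, ident)
        start = offset_units * 8
        end = start + len(payload)
        if end > MAX_DATAGRAM:
            # ping of death: this piece would push the datagram past 65,535 bytes,
            # so it is refused before it can touch the reassembly buffer
            return self._drop(key, "oversize")
        if key not in self.pending:
            if len(self.pending) >= self.max_pending:
                # fragment flood: refuse new datagrams instead of growing without bound
                return self._drop(key, "buffer_full")
            self.pending[key] = {"frags": {}, "total": None}
        entry = self.pending[key]
        entry["frags"][start] = payload
        if not more_fragments:
            entry["total"] = end    # the last fragment fixes the datagram length
        return self._finish(key)

    def _finish(self, key):
        entry = self.pending[key]
        if entry["total"] is None:
            return None             # last fragment not yet seen
        data = bytearray()
        for start in sorted(entry["frags"]):
            if start > len(data):
                return None         # hole: still waiting for a middle piece
            if start < len(data):
                return self._drop(key, "overlap")   # overlapping pieces: refuse rather than guess
            data += entry["frags"][start]
        if len(data) != entry["total"]:
            return None
        del self.pending[key]
        return bytes(data)


if __name__ == "__main__":
    r = Reassembler()
    print(r.add_fragment("10.0.0.1", 1, 0, True, b"a" * 8))           # None, waiting
    print(r.add_fragment("10.0.0.1", 1, 1, False, b"bb"))             # b'aaaaaaaabb'
    print(r.add_fragment("10.0.0.2", 7, 8189, False, b"x" * 100))     # None, refused
    print(r.dropped)                                                  # [('10.0.0.2', 7, 'oversize')]
```

Offset 8189 places a fragment at byte 65,512, so a 100-byte payload there is exactly the oversize case the slide names; a 23-byte payload at the same offset is the largest legal final fragment and is accepted, but the datagram still waits for its earlier pieces. Real stacks additionally age out pending entries on a timer, which this model omits.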

Denial of Service Attacks


Smurf Attack
In a smurf attack, a perpetrator sends a large number of ICMP requests
to directed broadcast addresses, all with spoofed source addresses on
the same network as the respective directed broadcast.


Denial of Service Attacks


TCP SYN Flood
In a TCP SYN flood attack, a flood of TCP SYN packets is sent, often
with a forged sender address.

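Because the flood's SYNs carry forged sender addresses, the third handshake step never arrives, and the detectable symptom on the server side is a pile of half-open connections with no matching completions. The Python below is an added example, not code from the course or from any Cisco product; the segment summaries are constructed rather than captured, only client-to-server SYN and ACK segments are modelled (the server's SYN-ACK is omitted as a simplification), the 198.51.100.0/24 addresses are documentation-range placeholders, and the half-open limit is an illustrative value.

```python
from collections import defaultdict

HALF_OPEN_LIMIT = 100   # illustrative (assumption); tune to the server's normal backlog


def build_sample_segments():
    """Constructed client-side TCP segment summaries (ts, src, dst, dport, flags); not a real capture."""
    segs = []
    for i in range(5):                              # five legitimate handshakes that complete
        client = f"10.0.0.{10 + i}"
        segs.append((100, client, "192.168.1.10", 80, "S"))
        segs.append((100, client, "192.168.1.10", 80, "A"))
    for i in range(1, 151):                         # 150 SYNs from forged sources; no ACK ever follows
        segs.append((101, f"198.51.100.{i}", "192.168.1.10", 80, "S"))
    return segs


def track_handshakes(segments):
    """Replay SYN and ACK segments sent toward servers.

    Returns ({(dst, dport): set of half-open client IPs}, {(dst, dport): completed count}).
    """
    half_open = defaultdict(set)
    completed = defaultdict(int)
    for _ts, src, dst, dport, flags in segments:
        key = (dst, dport)
        if flags == "S":
            half_open[key].add(src)                 # SYN seen: connection is now half-open
        elif flags == "A" and src in half_open.get(key, ()):
            half_open[key].discard(src)             # third step seen: handshake complete
            completed[key] += 1
    return half_open, completed


def syn_flood_alarms(segments, limit=HALF_OPEN_LIMIT):
    """Servers whose half-open count exceeds `limit`, with the completed count shown for contrast."""
    half_open, completed = track_handshakes(segments)
    return {key: {"half_open": len(clients), "completed": completed[key]}
            for key, clients in half_open.items() if len(clients) > limit}


if __name__ == "__main__":
    for (dst, dport), counts in syn_flood_alarms(build_sample_segments()).items():
        print(f"{dst}:{dport} half-open={counts['half_open']} completed={counts['completed']}")
```

The contrast between the two counters is what separates a flood from a merely busy server: a popular service completes most of its handshakes, whereas spoofed sources complete none, so a high half-open count next to a tiny completed count is the pattern worth alarming on.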

Denial of Service Attacks

There are five basic ways that DoS attacks can do harm:
1. Consumption of resources, such as bandwidth, disk space, or processor
time
2. Disruption of configuration information, such as routing information
3. Disruption of state information, such as unsolicited resetting of TCP
sessions
4. Disruption of physical network components
5. Obstruction of communication between the victim and others.

Mitigating Network Attacks


The important question is, "How do I mitigate these network attacks?"

Mitigating Network Attacks


Mitigating Reconnaissance Attack


Mitigating Network Attacks


Mitigating Access Attack


Mitigating Network Attacks


Mitigating DoS Attack


Mitigating Network Attacks


These 10 best practices represent the best insurance for a network:
1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs.
6. Perform backups and test the backed-up files on a regular basis.
7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.
10. Develop a written security policy for the company.


Summary
