CCNA Security

Chapter 1: Modern Network Security Threats


Lesson Objectives

Describe the evolution of network security.

Describe the drivers for network security.

Describe the major network security organizations.

Describe the domains of network security.

Describe network security policies.

Describe viruses, worms, and Trojan Horses.


Describe how to mitigate threats from viruses, worms, and Trojan Horses.

Describe how network attacks are categorized.

Describe reconnaissance attacks.

Describe access attacks.

Describe Denial of Service attacks.

Describe how to mitigate network attacks.

Modern Network Security Threats

1.1 Fundamental Principles of a Secure Network

1.2 Viruses, Worms, and Trojan Horses

1.3 Attack Methodologies

1.1 Fundamental Principles of a Secure Network

1.1.1 Evolution of Network Security

1.1.2 Drivers for Network Security

1.1.3 Network Security Organizations

1.1.4 Domains of Network Security

1.1.5 Network Security Policies

1.1.1 Evolution of Network Security

In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts.

Evolution of Network Security

“Necessity is the mother of invention.”

Evolution of Network Security

Internal threats can cause even greater damage than external threats.

Evolution of Network Security

Confidentiality

Integrity

Availability

1.1.2 Drivers for Network Security

Hackers

–White hat

–Black hat

Hacking is a driving force in network security.

Drivers for Network Security

Hacker:

1960s: Phreaking, John Draper

1980s: Wardialing

1990s: Wardriving

...

Drivers for Network Security

Network security professionals


1.1.3 Network Security Organizations

www.infosyssec.com

www.sans.org

www.cisecurity.org

www.cert.org

www.isc2.org

www.first.org

www.infragard.net

www.mitre.org

www.cnss.gov


Network Security Organizations - SANS


Network Security Organizations - CERT

Network Security Organizations - ISC2

Information security certifications offered by (ISC)2:

Systems Security Certified Practitioner (SSCP)

Certification and Accreditation Professional (CAP)

Certified Secure Software Lifecycle Professional (CSSLP)

Certified Information Systems Security Professional (CISSP)

1.1.4 Domains of Network Security

ISO/IEC 17799

Network Security Policies (SDN)

Network Security Policies

Comprehensive

Succinct

1.2 Viruses, Worms, and Trojan Horses

1.2.1 Virus

1.2.2 Worm

1.2.3 Trojan Horse

1.2.4 Mitigating Viruses, Worms, and Trojan Horses

1.2.1 Viruses

A virus is malicious software which attaches to another program to execute a specific unwanted function on a computer.

1.2.2 Worms

A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.


Worms

Three major components to most worm attacks:

–Enabling vulnerability

–Propagation mechanism

–Payload

Worms

Five basic phases of a worm or virus attack:

Probe

Penetrate

Persist

Propagate

Paralyze

1.2.3 Trojan Horses

A Trojan Horse is malware that carries out malicious operations under the guise of a desired function.

1.2.4 Mitigating Viruses, Worms, and Trojan Horses

Viruses and Trojan Horses tend to take advantage of local root buffer overflows.

Worms such as SQL Slammer and Code Red exploit remote root buffer overflows.

The primary means of mitigating virus and Trojan horse attacks is anti-virus software.

Mitigating Viruses, Worms, and Trojan Horses

Worms are more network-based than viruses.

The response to a worm infection can be broken down into four phases:

–Containment

–Inoculation

–Quarantine

–Treatment

Example (SQL Slammer worm):

Mitigating Viruses, Worms, and Trojan Horses

• Host-based intrusion prevention system (HIPS): Cisco Security Agent (CSA)

• Cisco Network Admission Control (NAC)

• Cisco Security Monitoring, Analysis, and Response System (MARS)

1.3 Attack Methodologies

1.3.1 Reconnaissance Attacks

1.3.2 Access Attacks

1.3.3 Denial of Service Attacks

1.3.4 Mitigating Network Attacks

1.3.1 Reconnaissance Attacks

This course classifies attacks in three major categories.

Reconnaissance Attacks

Reconnaissance attacks use various tools to gain access to a network:

– Packet sniffers

– Ping sweeps

– Port scans

– Internet information queries

Reconnaissance Attacks - Packet Sniffers

A packet sniffer is a software application.

It uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.

Some network applications distribute network packets in unencrypted plaintext.

Numerous freeware and shareware packet sniffers are available.


Reconnaissance Attacks

Keep in mind that reconnaissance attacks are typically the precursor to further attacks.

Network-based intrusion prevention functionality is supported by Cisco IOS security images running on ISRs.

1.3.2 Access Attacks

There are five types of access attacks:

• Password attack

• Trust exploitation

• Port redirection

• Man-in-the-middle attack

• Buffer overflow

Access Attacks - Password attack

Attackers can implement password attacks using several different methods:

–Brute-force attacks

–Trojan Horse programs

–Packet sniffers

Access Attacks - Trust exploitation

Access Attacks - Port redirection

Access Attacks - Man-in-the-middle attack

Access Attacks - Buffer overflow

Access Attacks

Detecting access attacks:

– Reviewing logs: check the number of failed login attempts.

– Bandwidth utilization: detects man-in-the-middle attacks.

– Process loads: detects buffer overflow attacks.
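The three indicators on this slide can be turned into automated checks. The Python below is an added example, not material from the CCNA course: the sshd-style auth log lines, host names, baselines and thresholds are constructed, and the function names (failed_login_bursts, ratio_anomalies) are my own. The first check uses a sliding window so that a handful of mistyped passwords spread over an hour is not reported, while a burst from one source is; the second check is shared by the bandwidth and process-load signals, since both are "observed value far above this host's baseline" tests.

```python
"""Added example (not from the CCNA slides): turning the three detection
signals listed above - failed logins, bandwidth, process load - into checks
over constructed data. Log format, hosts and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log (not captured from a real system).
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01 sshd[2201]: Failed password for admin from 10.0.0.7 port 51000
2024-05-01T10:00:02 sshd[2202]: Failed password for admin from 10.0.0.7 port 51001
2024-05-01T10:00:03 sshd[2203]: Failed password for root from 10.0.0.7 port 51002
2024-05-01T10:00:04 sshd[2204]: Failed password for admin from 10.0.0.7 port 51003
2024-05-01T10:00:05 sshd[2205]: Failed password for guest from 10.0.0.7 port 51004
2024-05-01T10:00:06 sshd[2206]: Failed password for admin from 10.0.0.7 port 51005
2024-05-01T10:00:40 sshd[2207]: Accepted password for alice from 10.0.0.12 port 40011
2024-05-01T10:09:00 sshd[2208]: Failed password for alice from 10.0.0.12 port 40012
"""

FAILED_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+) port \d+$")


def failed_login_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: peak_failures} for sources with at least `threshold`
    failed logins inside any `window`-long interval (sliding window, so a slow
    trickle of typos spread over minutes is not reported)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts, _user, src = m.groups()
            failures[src].append(datetime.fromisoformat(ts))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop timestamps that fell out of the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(count, flagged.get(src, 0))
    return flagged


# Constructed per-host samples for the other two signals on the slide.
BANDWIDTH_MBPS = {"srv-web": 120.0, "srv-db": 8.0}
BANDWIDTH_BASELINE = {"srv-web": 100.0, "srv-db": 2.0}
PROCESS_LOAD = {"srv-web": 0.9, "srv-db": 7.5}          # 1-minute load average
PROCESS_BASELINE = {"srv-web": 0.8, "srv-db": 1.5}


def ratio_anomalies(samples, baseline, factor=3.0):
    """Return {host: observed/baseline} for hosts whose observed value is more
    than `factor` times their baseline. The same check serves both slide
    signals: bandwidth (the slide's indicator for a man-in-the-middle relay)
    and process load (the slide's indicator for a buffer overflow)."""
    return {host: value / baseline[host]
            for host, value in samples.items()
            if host in baseline and value > factor * baseline[host]}


if __name__ == "__main__":
    print("login bursts:", failed_login_bursts(SAMPLE_AUTH_LOG))
    print("bandwidth:   ", ratio_anomalies(BANDWIDTH_MBPS, BANDWIDTH_BASELINE))
    print("process load:", ratio_anomalies(PROCESS_LOAD, PROCESS_BASELINE))
```

Run as a script it reports 10.0.0.7 (six failures in five seconds) and srv-db on both the bandwidth and load checks; 10.0.0.12 and srv-web stay quiet. In practice the baselines come from a monitoring system and the thresholds are tuned per environment, but the shape of the checks is the same.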

1.3.3 Denial of Service Attacks

A DoS attack is a network attack.

DoS attacks attempt to compromise the availability of a network, host, or application.

There are two major reasons a DoS attack occurs:

–A host or application fails to handle an unexpected condition.

–A network, host, or application is unable to handle an enormous quantity of data.

Denial of Service Attacks - DoS

Denial of Service Attacks - DDoS (Distributed DoS)

Denial of Service Attacks - Ping of Death

A hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes.

– ping -t -l 65550 192.168.1.1

Denial of Service Attacks - Smurf Attack

Denial of Service Attacks - TCP SYN Flood
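Each of the three DoS techniques named on these slides (Ping of Death, Smurf, TCP SYN flood) leaves a distinct trace that a sensor or host can test for. The Python below is an added example and not course material: the fragment, ICMP and flow records are constructed, the 20-byte IP header and the thresholds are assumptions, and the function names (oversized_datagrams, broadcast_echo_requests, syn_flood_suspects) are my own. The checks map directly onto the mitigations: drop fragments that would reassemble past 65,535 bytes, refuse echo requests to a directed-broadcast address, and watch the ratio of half-open to completed handshakes on each listener.

```python
"""Added example (not from the CCNA slides): sensor-side indicators for the
three DoS techniques named above - Ping of Death, Smurf, TCP SYN flood -
evaluated over constructed packet and flow records."""
import ipaddress
from collections import defaultdict

IP_HEADER_LEN = 20        # assumed: IPv4 header without options
MAX_IP_DATAGRAM = 65535   # largest value the 16-bit IP total-length field can hold

# --- Ping of Death: fragments that reassemble past the 65,535-byte limit ------
# fragment record: (src, dst, ip_id, offset_bytes, payload_len) - constructed
FRAGMENTS = [
    ("198.51.100.4", "192.168.1.1", 0x1A2B, 0, 1480),
    ("198.51.100.4", "192.168.1.1", 0x1A2B, 1480, 520),   # ordinary two-fragment ping
    ("203.0.113.9", "192.168.1.1", 0xBEEF, 0, 1480),
    ("203.0.113.9", "192.168.1.1", 0xBEEF, 65520, 30),    # last piece ends past the limit
]


def oversized_datagrams(fragments):
    """Return {(src, dst, ip_id): reassembled_len} for datagrams whose fragments
    would reassemble to more than MAX_IP_DATAGRAM bytes. A reassembly buffer
    sized for a legal datagram cannot hold these; dropping them is the fix."""
    data_end = defaultdict(int)
    for src, dst, ip_id, offset, plen in fragments:
        key = (src, dst, ip_id)
        data_end[key] = max(data_end[key], offset + plen)
    return {key: end + IP_HEADER_LEN for key, end in data_end.items()
            if end + IP_HEADER_LEN > MAX_IP_DATAGRAM}


# --- Smurf: echo requests aimed at a subnet's directed-broadcast address -------
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/24")]
# ICMP record: (src, dst, icmp_type) - constructed; type 8 = echo request, 0 = reply
ICMP_PACKETS = [
    ("10.0.0.2", "192.168.1.10", 8),        # ordinary ping
    ("192.0.2.77", "192.168.1.255", 8),     # broadcast target: every host would answer 192.0.2.77
    ("192.0.2.77", "10.0.0.255", 8),
    ("192.168.1.10", "10.0.0.2", 0),        # echo reply, not of interest here
]


def broadcast_echo_requests(packets, local_nets=LOCAL_NETS):
    """Echo requests addressed to the broadcast address of a local subnet, the
    amplification step of a Smurf attack. Disabling directed broadcasts on the
    router stops them; this check reports them from a packet feed."""
    bcast = {str(net.broadcast_address) for net in local_nets}
    return [(src, dst) for src, dst, itype in packets if itype == 8 and dst in bcast]


# --- TCP SYN flood: a listener drowning in half-open connections --------------
# flow record: (src, dst, dport, state) - constructed; "half_open" = SYN seen but
# the handshake never completed, "established" = it did.
TCP_FLOWS = [("10.0.0.%d" % i, "10.0.0.5", 443, "established") for i in range(1, 6)]
TCP_FLOWS += [("203.0.113.%d" % i, "10.0.0.5", 80, "half_open") for i in range(1, 41)]
TCP_FLOWS += [("10.0.0.%d" % i, "10.0.0.5", 80, "established") for i in range(1, 3)]


def syn_flood_suspects(flows, min_half_open=20, min_ratio=0.8):
    """Return {(dst, dport): (half_open, total)} for listeners with at least
    `min_half_open` half-open flows making up at least `min_ratio` of all their
    flows. A legitimate burst completes its handshakes; a flood does not."""
    counts = defaultdict(lambda: [0, 0])        # (dst, dport) -> [half_open, total]
    for _src, dst, dport, state in flows:
        entry = counts[(dst, dport)]
        entry[1] += 1
        if state == "half_open":
            entry[0] += 1
    return {key: (half, total) for key, (half, total) in counts.items()
            if half >= min_half_open and half / total >= min_ratio}


if __name__ == "__main__":
    print("ping of death:", oversized_datagrams(FRAGMENTS))
    print("smurf:        ", broadcast_echo_requests(ICMP_PACKETS))
    print("syn flood:    ", syn_flood_suspects(TCP_FLOWS))
```

With the constructed data, only the 0xBEEF datagram (reassembling to 65,570 bytes), the two broadcast-addressed echo requests, and the port 80 listener (40 of 42 flows half-open) are reported; the normal ping, the unicast echo traffic and the port 443 listener pass.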

Denial of Service Attacks - Email Attacks

Sends a copy of itself to everyone on the mail list.

Email Bomb.

DoS - Physical Infrastructure Attacks

Snip your cables!

Affect power!

Destruction of devices!

Social Engineering Attacks


Tools of the Attacker

The following are a few of the most popular tools used by network attackers:

Enumeration tools (dumpreg, netview and netuser)

Port/address scanners (AngryIP, nmap, Nessus)

Vulnerability scanners (Metasploit, Core Impact, ISS)

Packet sniffers (Snort, Wireshark, AirMagnet)

Rootkits

Cryptographic cracking tools (Cain, WepCrack)

Malicious code (worms, Trojan horses, time bombs)

System hijack tools (netcat, Metasploit, Core Impact)

1.3.4 Mitigating Network Attacks

Reconnaissance attacks can be mitigated in several ways:

1. Implement authentication to ensure proper access.

2. Use encryption to render packet sniffer attacks useless.

3. Use anti-sniffer tools to detect packet sniffer attacks.

4. Implement a switched infrastructure.

5. Use a firewall and IPS.

Mitigating Network Attacks

Several techniques are available for mitigating access attacks:

1. Strong password security

2. Principle of minimum trust

3. Cryptography

4. Applying operating system and application patches

Mitigating Network Attacks

The primary means of mitigating DoS attacks:

1. IPS and firewalls (Cisco ASAs and ISRs)

2. Anti-spoofing technologies

3. Quality of Service - traffic policing

10 best practices

Avoid unnecessary inputs

Shut down services and ports

Backup

Educate

Security of the network is ultimately the responsibility of everyone.

Recommended