Chapter 1: Introduction To Network Security

This chapter introduces network security concepts. It discusses threats like denial of service attacks, social engineering, and session hijacking. The objectives of network security are explained using the CIA triad of confidentiality, integrity and availability. The document outlines different types of security controls, how to classify data based on sensitivity, and the importance of incident response planning and legal/ethical considerations for security professionals.


Chapter 1: Introduction to Network Security

Objectives
The CCNA Security topics covered in this chapter include:
Threats to Network Security
Network Security Objectives
Classification of Data
Security Controls
Incident Response
Law and Ethics
What Does "Secure" Mean?
Protect your most valuable assets by placing them in a safe place.
Our goal
We learn how to protect our computer-related assets, not our money and gold bullion.
What to protect
Hardware
Software
Data
External Threats
Social Engineering
Denial of Service Attacks
SYN Flood Attacks
Smurf Attacks
Distributed Denial of Service Attacks
Man-in-the-middle (MITM) Attacks
Session Hijacking
Brute Force Attack
Internal Threats
Inside users already have knowledge of the network and its available resources.
Inside users typically have some level of access granted to them because of the nature of their job.
Traditional network security mechanisms such as Intrusion Prevention Systems (IPS) and firewalls are ineffective against much of the network misuse originating internally.
The CIA Triad
Confidentiality
Integrity
Availability
Network Security Objectives
Confidentiality
Protecting data at rest
Protecting data in motion
Integrity
Hashes
Cyclic Redundancy Checks (CRC)
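The two integrity mechanisms listed above protect against different things, and the difference is easy to miss in a bullet list. The following is an added example, not material from the slides: it shows that a CRC catches an accidental bit flip, that an attacker who can rewrite data can just as easily recompute a CRC or an unkeyed hash, and that a keyed hash (HMAC) is what makes deliberate tampering detectable. The message, the tampered message and the key are constructed sample values.

```python
"""Added example: why a CRC protects against accidents but not against an
adversary, and why a keyed hash (HMAC) is needed for tamper detection.
The message, tampered message and key are constructed sample values."""
import hashlib
import hmac
import zlib

MESSAGE = b"transfer 100 to account 42"   # constructed
TAMPERED = b"transfer 900 to account 42"  # constructed: the attacker's edit
KEY = b"secret shared by sender and receiver only"  # constructed


def crc32_tag(data: bytes) -> int:
    """CRC-32 detects accidental corruption (noise, truncation); it is not secret."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_tag(data: bytes) -> str:
    """Unkeyed SHA-256: collision-resistant, but anyone can recompute it over new data."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: producing a valid tag requires the shared secret."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_crc(data: bytes, tag: int) -> bool:
    return crc32_tag(data) == tag


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest keeps the comparison time independent of where the tags differ
    return hmac.compare_digest(hmac_tag(key, data), tag)


def crc_catches_bit_flip(data: bytes) -> bool:
    """Accidental corruption: flip one bit in transit; the stored CRC no longer matches."""
    tag = crc32_tag(data)
    damaged = bytearray(data)
    damaged[0] ^= 0x01
    return not verify_crc(bytes(damaged), tag)


def unkeyed_tags_survive_tampering(replacement: bytes) -> bool:
    """Deliberate modification: whoever can rewrite the data can also recompute a
    CRC or a plain hash over it, so both checks pass on the tampered message."""
    return (verify_crc(replacement, crc32_tag(replacement))
            and sha256_tag(replacement) == hashlib.sha256(replacement).hexdigest())


def hmac_rejects_tampering(key: bytes, original: bytes, replacement: bytes) -> bool:
    """Keeping the sender's tag with edited data fails, and so does a tag the
    attacker computes with a key of their own, because the receiver uses `key`."""
    genuine_tag = hmac_tag(key, original)
    attacker_tag = hmac_tag(b"attacker-guess", replacement)
    return (not verify_hmac(key, replacement, genuine_tag)
            and not verify_hmac(key, replacement, attacker_tag)
            and verify_hmac(key, original, genuine_tag))


if __name__ == "__main__":
    print("CRC catches a bit flip:", crc_catches_bit_flip(MESSAGE))
    print("CRC/SHA pass on tampered data:", unkeyed_tags_survive_tampering(TAMPERED))
    print("HMAC rejects tampered data:", hmac_rejects_tampering(KEY, MESSAGE, TAMPERED))
```

The practical reading: a CRC belongs in a link-layer frame or a file format to catch transmission errors; when the threat is a person rather than noise, the integrity check needs a secret the attacker does not hold (HMAC) or a digital signature.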
Availability
Is the data available?
High availability
Fault tolerance
Security Controls
Administrative controls
Technical controls
Physical controls
Administrative Controls
Security policies
Audits
Awareness training
Change control
Job rotation
Separation of duties
Background checks
Technical Controls
Firewalls
IPS
ACLs
VPNs
Identity management
Tokens
Network admission control
Physical Controls
Locks
UPS
Security guards
Motion sensors
Alarms
Safes
Diesel generators
Classification of Controls
Preventive
A preventive control attempts to prevent access to data or a system.
Deterrent
A deterrent control attempts to prevent a security incident by influencing the potential attacker not to launch an attack.
Detective
A detective control can detect when access to data or a system occurs.
Classification of Data
Not all data is equal
Some compliance measures require classification
Some data might prove embarrassing if made public
Protect the most critical data
Classification of Data
Military classification systems
Private sector classification systems
Not all classification schemes fit all organizations
What's our goal? Protect the most critical data and classify accordingly
Military Data Classification
Unclassified
Sensitive but Unclassified
Confidential
Secret
Top Secret
Private Sector Data Classification
Public
Sensitive
Private
Confidential
Incident Response
To successfully prosecute an attacker, litigators typically require the following elements to present an effective argument:
Motive
Means
Opportunity
Types of Law
Criminal law
Applies to crimes that have been committed and that might result in fines and/or imprisonment for someone found guilty.
Civil law
Addresses wrongs that have been committed. An example of civil litigation might involve patent infringement. Consequences for someone found to be in violation of a civil law might include an order to cease and desist the illegal activity and/or to pay damages.
Administrative law
Typically involves the enforcement of regulations by government agencies. Example: a company that misappropriated retirement funds might be found in violation of an administrative law. If a party is found to be in violation of an administrative law, the consequences typically are monetary, with the money being divided between the government agency and the victim.
Ethics
A set of standards and principles that are deemed to be higher than the law.
Network Attack Methodologies
Vulnerability
A weakness in the security system.
Threat
A set of circumstances that has the potential to cause loss or harm.
Control
An action, device, procedure, or technique that removes or reduces a vulnerability.
A threat is blocked by control of a vulnerability.

Types of threat
Interception
Interruption
Modification
Fabrication
Threats to Network Security
External Threats
Internal Threats
Defense in Depth
Defense in Depth
Defense in depth means having many layers of defense:
Firewall
Intrusion Prevention/Detection
Network Admission Control
VPN
Web Application Firewall
Types of Hackers
White hat hacker
Black hat hacker
Gray hat hacker
Phreaker
Script kiddy
Hacktivist
Computer security hacker
Academic hacker
Hobby hacker
Five broad categories of attacks
Passive
Active
Close-in
Insider
Distribution
Defending Against Different Classes of Attacks
Hacking methodologies
Reconnaissance
Scanning (addresses, ports, vulnerabilities)
Gaining access
Maintaining Access
Covering Tracks

Specific Network Attacks
ARP Attack
Brute Force Attack
Worms
Flooding
Sniffers
Spoofing
Redirected Attacks
Tunneling Attack
Covert Channels
Denial-of-Service Facts
Commonly used against information stores like web sites
Simple and usually quite effective
Does not pose a direct threat to sensitive data
The attacker tries to prevent a service from being used, making that service unavailable to legitimate users
Attackers typically go for high-visibility targets such as the web server, or for infrastructure targets like routers and network links
Denial-of-Service Example
If a mail server is capable of receiving and delivering 10 messages a second, an attacker simply sends 20 messages per second. The legitimate traffic (as well as a lot of the malicious traffic) will get dropped, or the mail server might stop responding entirely.
This type of attack may be used as a diversion while another attack is made to actually compromise systems.
In addition, administrators are likely to make mistakes during an attack and possibly change a setting that creates a vulnerability that can be further exploited.
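The mail-server arithmetic above can be made concrete. The following is an added simulation, not code from the slides: it models one second of arrivals at a server that can handle 10 messages, with the attacker sending 20, and compares plain first-come-first-served acceptance with a per-source rate limit. The 4 legitimate messages per second and their even spacing in the arrival order are constructed assumptions; the deck gives only the server and attacker rates.

```python
"""Added simulation of the mail-server example: capacity 10 messages/second,
attacker 20 messages/second. The 4 legitimate messages per second and their
even spacing in the arrival order are constructed assumptions."""
from collections import Counter

CAPACITY_PER_SECOND = 10


def one_second_of_arrivals(attacker_rate: int = 20, legit_rate: int = 4) -> list:
    """Constructed arrival order for one second: legitimate messages spread evenly
    among the attacker's flood."""
    total = attacker_rate + legit_rate
    stride = total // legit_rate
    return ["legit" if i % stride == stride - 1 else "attacker" for i in range(total)]


def accept_fifo(arrivals, capacity=CAPACITY_PER_SECOND) -> Counter:
    """No protection: the server takes the first `capacity` arrivals and drops the
    rest, so legitimate mail is lost in proportion to the attacker's share."""
    return Counter(arrivals[:capacity])


def accept_with_per_source_limit(arrivals, capacity=CAPACITY_PER_SECOND, per_source=5) -> Counter:
    """Mitigation: cap each source at `per_source` messages per second so one
    sender cannot consume the whole capacity."""
    accepted = Counter()
    for src in arrivals:
        if sum(accepted.values()) >= capacity:
            break                      # server saturated for this second
        if accepted[src] >= per_source:
            continue                   # this sender has used its share; drop
        accepted[src] += 1
    return accepted


def legit_delivery_ratio(accepted: Counter, arrivals) -> float:
    """Fraction of offered legitimate messages that were actually accepted."""
    offered = arrivals.count("legit")
    return accepted["legit"] / offered if offered else 1.0


if __name__ == "__main__":
    arrivals = one_second_of_arrivals()
    for name, policy in (("fifo", accept_fifo), ("per-source limit", accept_with_per_source_limit)):
        accepted = policy(arrivals)
        print(f"{name}: {dict(accepted)}, legit delivered "
              f"{legit_delivery_ratio(accepted, arrivals):.0%}")
```

With first-come-first-served acceptance only one of the four legitimate messages gets through; with the per-source cap all four do. A per-source limit only helps while the flood comes from one sender, which is exactly why the deck lists distributed denial of service as a separate threat: spreading the 20 messages across many sources keeps each one under the cap.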

Types of Denial-of-Service Attacks
Buffer Overflow Attacks
SYN Flood Attack
Teardrop Attacks
Smurf Attack
DNS Attacks
Email Attacks
Physical Infrastructure Attacks
Viruses/Worms
DoS - Buffer Overflow Attacks
The most common DoS attack sends more traffic to a device than the program anticipates that someone might send, overflowing a buffer (a buffer overflow).
DoS - SYN Flood Attack
When connection sessions are initiated between a client and server in a network, a very small space exists to handle the usually rapid "hand-shaking" exchange of messages that sets up a session.
The session-establishing packets include a SYN field that identifies the sequence order.
To cause this kind of attack, an attacker can send many packets, usually from a spoofed address, thus ensuring that no response is sent.
DoS - Teardrop Attack
Exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments.
The fragmented packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system.
In the teardrop attack, an attacker's IP packet puts a confusing offset value in the second or later fragment. If the receiving operating system cannot cope with such fragmentation, then it can cause the system to crash.
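The teardrop description above turns on one detail: the receiving system trusts the fragment offsets it is given. The following is an added example, not code from the slides or from any operating system: a small fragment reassembler that validates offsets before copying data, so a fragment set whose second fragment claims to start inside the first is rejected instead of being processed. Offsets are expressed in bytes (real IPv4 headers use 8-byte units), the reassembler is handed the complete fragment set at once, and all fragment sets are constructed samples.

```python
"""Added example: a fragment reassembler that validates offsets before copying
data, so a teardrop-style fragment set is rejected instead of crashing the host.
Offsets are in bytes (real IPv4 headers use 8-byte units) and the reassembler is
handed the complete fragment set at once, both simplifications for illustration."""
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest IPv4 datagram; no fragment may extend past it


@dataclass
class Fragment:
    offset: int     # where this fragment's payload starts in the original datagram
    payload: bytes
    more: bool      # IP "More Fragments" flag; False only on the final fragment


class BadFragment(ValueError):
    """Raised for any fragment set that cannot describe a single valid datagram."""


def reassemble(fragments) -> bytes:
    """Rebuild the datagram, rejecting overlaps, gaps, out-of-range offsets and a
    More-Fragments flag that disagrees with the fragment's position."""
    ordered = sorted(fragments, key=lambda f: f.offset)
    expected = 0           # next byte offset we are willing to accept
    buf = bytearray()
    for i, frag in enumerate(ordered):
        end = frag.offset + len(frag.payload)
        if frag.offset < 0 or end > MAX_DATAGRAM:
            raise BadFragment(f"fragment {frag.offset}-{end} lies outside the datagram")
        if frag.offset < expected:
            # Overlap with data already placed: the teardrop case. A reassembler
            # that computes 'end - expected' here without checking can go negative.
            raise BadFragment(f"fragment at {frag.offset} overlaps data up to {expected}")
        if frag.offset > expected:
            raise BadFragment(f"missing bytes {expected}-{frag.offset}")
        is_last = i == len(ordered) - 1
        if frag.more == is_last:
            raise BadFragment("More-Fragments flag inconsistent with fragment order")
        buf += frag.payload
        expected = end
    return bytes(buf)


def is_rejected(fragments) -> bool:
    """True when the reassembler refuses the fragment set."""
    try:
        reassemble(fragments)
    except BadFragment:
        return True
    return False


# Constructed fragment sets (not captured traffic).
GOOD = [Fragment(0, b"A" * 8, True), Fragment(8, b"B" * 8, True), Fragment(16, b"C" * 4, False)]
TEARDROP = [Fragment(0, b"A" * 8, True), Fragment(4, b"B" * 8, False)]  # offset inside fragment 1
GAP = [Fragment(0, b"A" * 8, True), Fragment(16, b"B" * 4, False)]
OVERSIZED = [Fragment(65530, b"X" * 10, False)]

if __name__ == "__main__":
    print("good set reassembles to", len(reassemble(GOOD)), "bytes")
    for name, frags in (("teardrop", TEARDROP), ("gap", GAP), ("oversized", OVERSIZED)):
        print(f"{name} rejected: {is_rejected(frags)}")
```

The defensive point is that every quantity derived from an untrusted header (here the offset and the implied fragment length) is range-checked before it drives a memory copy; the same discipline applies to any parser of network input.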
DoS - Smurf Attack
The attacker sends an IP ping request to a network site.
The ping packet requests that it be broadcast to a number of hosts within that local network.
The packet also indicates that the request is from a different site, i.e. the victim site that is to receive the denial of service.
This is called IP spoofing: the victim site's address is used as the source address of the originating packet.
The result is that lots of ping replies flood back to the victim host.
If the flood is big enough then the victim host will no longer be able to receive or process "real" traffic.
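Both the SYN flood and the Smurf attack described above leave characteristic traces that a monitoring system can look for: SYNs whose senders never finish the handshake, and ICMP echo requests aimed at a broadcast address or echo replies converging on a single host. The following is an added example serving both of those passages; it is not code from the slides or from Cisco. The packet-summary line format ("<time> <src> > <dst> <proto> <info>"), the addresses (documentation ranges), the assumption that broadcast addresses end in .255, and the threshold are all constructed for this example.

```python
"""Added example: detection logic for SYN floods and Smurf attacks, run over a
constructed packet-summary capture. The line format, all addresses and the
thresholds are assumptions for this example, not a real capture format."""
import re
from collections import defaultdict

LINE = re.compile(r"^(\S+) (\S+) > (\S+) (TCP|ICMP) (\S+)$")

# Constructed capture. TCP info is the flag string (S = SYN, SA = SYN-ACK,
# A = ACK); ICMP info is the message type.
SAMPLE_CAPTURE = """\
10:00:01 203.0.113.7:5001 > 192.0.2.10:80 TCP S
10:00:01 192.0.2.10:80 > 203.0.113.7:5001 TCP SA
10:00:01 203.0.113.7:5001 > 192.0.2.10:80 TCP A
10:00:02 198.51.100.21:4000 > 192.0.2.10:80 TCP S
10:00:02 198.51.100.22:4000 > 192.0.2.10:80 TCP S
10:00:02 198.51.100.23:4000 > 192.0.2.10:80 TCP S
10:00:02 198.51.100.24:4000 > 192.0.2.10:80 TCP S
10:00:02 198.51.100.25:4000 > 192.0.2.10:80 TCP S
10:00:02 198.51.100.26:4000 > 192.0.2.10:80 TCP S
10:00:03 203.0.113.9:5002 > 192.0.2.10:80 TCP S
10:00:03 192.0.2.10:80 > 203.0.113.9:5002 TCP SA
10:00:03 203.0.113.9:5002 > 192.0.2.10:80 TCP A
10:00:05 192.0.2.50 > 192.0.2.255 ICMP echo-request
10:00:05 192.0.2.50 > 192.0.2.255 ICMP echo-request
10:00:05 192.0.2.11 > 192.0.2.50 ICMP echo-reply
10:00:05 192.0.2.12 > 192.0.2.50 ICMP echo-reply
10:00:05 192.0.2.13 > 192.0.2.50 ICMP echo-reply
"""


def parse(capture: str) -> list:
    """Turn capture lines into dicts; lines that do not match the format are skipped."""
    packets = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            time, src, dst, proto, info = m.groups()
            packets.append({"time": time, "src": src, "dst": dst, "proto": proto, "info": info})
    return packets


def half_open_by_destination(packets) -> dict:
    """SYN-flood indicator: SYNs whose (src, dst) pair is never followed by the
    client's ACK, counted per destination. Spoofed sources never ACK."""
    syns, acks = set(), set()
    for p in packets:
        if p["proto"] != "TCP":
            continue
        if p["info"] == "S":
            syns.add((p["src"], p["dst"]))
        elif p["info"] == "A":
            acks.add((p["src"], p["dst"]))
    counts = defaultdict(int)
    for _src, dst in syns - acks:
        counts[dst] += 1
    return dict(counts)


def syn_flood_targets(packets, threshold: int = 5) -> list:
    """Destinations with at least `threshold` half-open connections in the window."""
    return sorted(dst for dst, n in half_open_by_destination(packets).items() if n >= threshold)


def smurf_indicators(packets) -> dict:
    """Two views of a Smurf attack: echo requests aimed at a broadcast address
    (amplifier side; the claimed source is the spoofed victim) and echo replies
    converging on one host from many senders (victim side)."""
    broadcast_requests = defaultdict(int)
    reply_sources = defaultdict(set)
    for p in packets:
        if p["proto"] != "ICMP":
            continue
        if p["info"] == "echo-request" and p["dst"].endswith(".255"):  # assumes /24 broadcasts
            broadcast_requests[p["src"]] += 1
        elif p["info"] == "echo-reply":
            reply_sources[p["dst"]].add(p["src"])
    return {
        "broadcast_ping_claimed_sources": dict(broadcast_requests),
        "reply_fan_in": {dst: len(srcs) for dst, srcs in reply_sources.items()},
    }


if __name__ == "__main__":
    pkts = parse(SAMPLE_CAPTURE)
    print("possible SYN flood targets:", syn_flood_targets(pkts))
    print("smurf indicators:", smurf_indicators(pkts))
```

On the sample, the web server shows six half-open connections from sources that never complete the handshake, and host 192.0.2.50 appears both as the claimed source of broadcast pings and as the destination of replies from several hosts, which is the shape a Smurf victim presents. In production the same counters would be kept per time window and the thresholds tuned to the site's normal traffic; the mitigations the deck lists (firewalls, IPS) act on these same signals, and disabling directed-broadcast forwarding on routers removes the Smurf amplifier entirely.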
DoS - DNS Attacks
A famous DNS attack was a DDoS "ping" attack. The attackers broke into machines on the Internet (popularly called "zombies") and sent streams of forged packets at the 13 DNS root servers via intermediary legitimate machines.
The goal was to clog the servers, and communication links on the way to the servers, so that useful traffic was gridlocked. The assault is not DNS-specific: the same attack has been used against several popular Web servers in the last few years.
DoS - Email Attacks
When using Microsoft Outlook, a script reads your address book and sends a copy of itself to everyone listed there, thus propagating itself around the Internet.
The script then modifies the computer's registry so that the script runs itself again when the computer is restarted.
DoS - Physical Infrastructure Attacks
Someone can simply snip your cables! Fortunately this can be quickly noticed and dealt with.
Other physical infrastructure attacks can include recycling systems, affecting power to systems, and actual destruction of computers or storage devices.

DoS - Viruses/Worms
Viruses or worms, which replicate across a network in various ways, can be viewed as denial-of-service attacks where the victim is not usually specifically targeted but is simply a host unlucky enough to get the virus.
Available bandwidth can become saturated as the virus/worm attempts to replicate itself and find new victims.
Malicious Code Attacks
Malicious code attacks refer to viruses, worms, Trojan horses, logic bombs, and other uninvited software
Damages personal computers, but also attacks systems that are more sophisticated
Actual costs attributed to the presence of malicious code have resulted primarily from system outages and staff time involved in repairing the systems
Costs can be significant
Packet Sniffing Attacks
Most organization LANs are Ethernet networks
On Ethernet-based networks, any machine on the network can see the traffic for every machine on that network
Sniffer programs exploit this characteristic, monitoring all traffic and capturing the first 128 bytes or so of every unencrypted FTP or Telnet session (the part that contains user passwords)
Social Engineering Attacks
Hacker-speak for tricking a person into revealing some confidential information
Social engineering is defined as an attack based on deceiving users or administrators at the target site
Done to gain illicit access to systems or useful information
The goals of social engineering are fraud, network intrusion, industrial espionage, identity theft, etc.

Best Practices
Routinely apply patches to operating systems and applications.
Disable unneeded services and ports on hosts.
Require strong passwords, and enable password expiration.
Protect physical access to computing and networking equipment.
Enforce secure programming practices, such as limiting the valid characters that can be entered into an application's dialog box.
Regularly back up data, and routinely verify the integrity of the backups.
Train users on good security practices, and educate them about social engineering tactics.
Use strong encryption for sensitive data.
Defend against technical attacks by deploying hardware- and software-based security systems (for example, firewalls, IPS sensors, and antivirus software).
Create a documented security policy for company-wide use.
