Professional Documents
Culture Documents
over 350,000 hosts, as shown in the figure. The worm not only disrupted
access to the infected servers, but also affected the local networks hosting
the servers, making them very slow or unusable. The Code Red worm
caused a denial of service to millions of users.
If the network security professionals responsible for these Code Redinfected servers had developed and implemented a security policy,
security patches would have been applied in a timely manner. The Code
Red worm would have been stopped and would only merit a footnote in
network security history.
External threats
Internal threats
White hat
Term used to describe individuals that use their abilities to find vulnerabilities in
systems or networks, and then report these vulnerabilities to the owners of the
system so that they can be fixed.
Black hat
Term for individuals that use their knowledge of computer systems to break into
systems or networks that they are not authorized to use.
Hacker
Cracker
Term that describes someone which attempts to gain unauthorized access with
malicious intent.
Phreaker
Spammer
Phisher
The primary threats for end devices are viruses, worms, and Trojan horses:
A worm executes arbitrary code and installs copies of itself in the memory
of the infected computer. The main purpose of a worm is to automatically
replicate itself and spread across the network from system to system.
Despite the mitigation techniques that have emerged over the years, worms
have continued to evolve with the Internet and still pose a threat. While worms
have become more sophisticated over time, they still tend to be based on
exploiting weaknesses in software applications. Most worm attacks have three
major components, as shown in the figure:
Payload - Any malicious code that results in some action. Most often this
is used to create a backdoor to the infected host.
When studying the malicious software attacks over the past 20 years, it
becomes clear that the various phases of attack methods employed by
hackers have similarities.
scans are used to map networks. Then the application scans and identifies
operating systems and vulnerable software. Hackers can obtain passwords
using social engineering, dictionary attacks, brute-force attacks, or
network sniffing.
The term Trojan horse originated from Greek mythology. Greek warriors
offered the people of Troy (Trojans) a giant hollow horse as a gift, as shown in
the figure. The Trojans brought the giant horse into their walled city, unaware
that it contained many Greek warriors. At night, after most Trojans were
asleep, the warriors burst out of the horse and overtook the city.
Data sending Trojan Horse - Provides the attacker with sensitive data,
such as passwords
FTP Trojan Horse (opens port 21) - Security software disabler Trojan
Horse (stops antivirus programs or firewalls from functioning)
Viruses and Trojan horses tend to take advantage of local root buffer
overflows. A root buffer overflow is a buffer overflow intended to attain
root privileges to a system. Local root buffer overflows require the end
user or system to take some type of action. A local root buffer overflow is
typically initiated by a user opening an email attachment, visiting a
website, or exchanging a file via instant messaging.
Worms such as SQL Slammer and Code Red exploited remote root buffer
overflows. Remote root buffer overflows are similar to local root buffer
overflows, except that local end user or system intervention is not
required.
The primary means of mitigating virus and Trojan horse attacks is antivirus
software. Antivirus software helps prevent hosts from getting infected and
spreading malicious code. It requires much more time to clean up infected
computers than it does to maintain up-to-date antivirus software and
antivirus definitions on the same machines.
figure.
Containment Phase
Inoculation Phase
Quarantine Phase
Treatment Phase
Reconnaissance Attacks
Access Attacks
DoS Attacks
Packet sniffers
Port scans
DNS queries can reveal information, such as who owns a particular domain
and what addresses have been assigned to that domain. Use tools such as
whois, nslookup,
Packet sniffers can only work in the same collision domain as the network
being attacked, unless the attacker has access to the intermediary
switches. Numerous freeware and shareware packet sniffers, such as
Wireshark, are available.
When used as legitimate tools, ping sweep and port scan applications run
a series of tests against hosts and devices to identify vulnerable services.
The information is gathered by examining IP addressing and port, or
banner, data on both Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP) ports. An attacker uses this information to
compromise the system.
access rights as the user account that was compromised. If this account
has sufficient privileges, the attacker can create a back door for future
access without concern for any status and password changes to the
compromised user account.
Because these servers all reside on the same segment, a compromise of one
system can lead to the compromise of other systems if those other systems
also trust systems that are attached to the same network.
Another example of trust exploitation is a Demilitarized Zone (DMZ) host that
has a trust relationship with an inside host that is connected to the inside
firewall interface.
The inside host trusts the DMZ host. When the DMZ host is compromised, the
attacker can leverage that trust relationship to attack the inside host.
Windows:
Domains
Active directory
NIS
NIS+
Assuming a system is under attack, an IPS can help detect a hacker and
prevent installation of such utilities on a host.
The host outside the network can reach the host on the public services
segment (Host A), but not the host on the inside (Host B). The host on the
public services segment can reach the host on both the outside and the
inside. If hackers are able to compromise the public services segment host,
they can install software to redirect traffic from the outside host directly to
the inside host. Though neither communication violates the rules that are
implemented in the firewall, the outside host has now achieved connectivity
to the inside host through the port redirection process on the public services
host. An example of an application that provides that type of access is Netcat.
The network security policy should specify that logs are formally
maintained for all network devices and servers, as shown in the figure. By
reviewing logs, network security personnel can determine if an unusual
number of failed login attempts have occurred. Software packages such as
ManageEngineEventLog Analyzer or Cisco Secure Access Control Server
(ACS) (CSACS) maintain information regarding failed login attempts to
network devices. UNIX and Windows servers also keep a log of failed login
attempts. Cisco routers and firewall devices can be configured to prevent
login attempts for a given time, from a particular source, and after a
prescribed number of failures within a specified amount of time.
A DoS attack takes advantage of the fact that target systems, such as
servers, must maintain state information. Applications may rely on
expected buffer sizes and specific content of network packets. A DoS
attack can exploit this by sending packet sizes or data values that are not
expected by the receiving application.
After the hacker accesses several "handler" systems, the hacker installs
zombie software on them.
When the hacker accesses the agent systems, the hacker loads remotecontrol attack software to carry out the DDoS attack.
Click Play in Figures 1 and 2 to view the animations of a DoS attack and a
DDoS attack, respectively.
Ping of Death
Smurf Attack
As shown in Figure 3, a TCP SYN flood attack sends a flood of TCP SYN
packets, often with a forged sender address. Each packet is handled like a
connection request, causing the server to initiate a half-open connection
by sending back a TCP SYN-ACK packet and waiting for a packet in
response from the sender address. However, because the sender address
is forged, the response never comes. These half-open connections
saturate the number of available connections the server is able to make,
There are five basic ways that DoS attacks can do harm:
1. Consumption of resources, such as bandwidth, disk space, or processor
time.
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP
sessions.
4. Disruption of physical network components.
5. Obstruction of communication between the victim and others.
Several techniques are also available for mitigating access attacks, as shown
in the figure.
Use strong passwords. Strong passwords are at least eight characters and
contain uppercase letters, lowercase letters, numbers, and special
characters.
The network should be designed using the principle of minimum trust. This
means that systems should not use one another unnecessarily. For
example, if an organization has a trusted server that is used by untrusted
devices, such as web servers, the trusted server should not trust the
untrusted devices unconditionally.
Antispoofing technologies
These features often involve limits on the amount of halfopen TCP connections that a system allows at any given
time.
Port scanning and ping sweeping is not a crime and there is no way to stop these
scans and sweeps when a computer is connected to the Internet.
Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on
edge routers.
However, when these services are turned off, network diagnostic data is
lost.
Authentication
Cryptography
Anti-sniffer tools
Switched infrastructure
Use strong passwords that are, at least, eight characters long and
contain uppercase letters, lowercase letters, numbers, and special
characters.
Encryption
Cryptographic (recommended)
You can prevent your network users from spoofing other networks
(and be a good Internet citizen at the same time) by preventing
any outbound traffic on your network that does not have a source
address in your the IP range of your organization. This filtering
denies any traffic that does not have the source address that was
expected on a particular interface. For example, if an ISP is
providing a connection to the IP address 15.1.1.0/24, the ISP
could filter traffic so that only traffic sourced from address
15.1.1.0/24 can enter the ISP router from that interface. Note that
unless all ISPs implement this type of filtering, the effectiveness
is significantly reduced.
RFC 2827 defines filters to drop packets that come from source
addresses within 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16, 224.0.0.0/4, or 240.0.0.0/4. This source address is
a so-called Martian Address.
Additional Authentication
The most effective method for mitigating the threat of IP spoofing is to
eliminate the attacks effectiveness. IP spoofing can function correctly
only when devices use IP address-based authentication; therefore, if
you use additional authentication methods, IP spoofing attacks are
irrelevant. Cryptographic authentication is the best form of additional
authentication. However, when cryptographic authentication is not
possible, strong two-factor authentication using OTPs can also be
effective.
Mitigating Network Attacks
10 Best Practices
1. Keep patches current by installing them weekly or daily, if
possible, to prevent buffer overflow and privilege escalation
attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs.
http://www.networkworld.com/news/2010/091610-socialnetworks.html?source=NWWNLE_nlt_daily_pm_2010-09-16
http://searchsecurity.techtarget.com/news/1519804/Phishin
g-attacks-target-users-of-Facebook-other-social-networks?
asrc=EM_NLN_12420860&track=NL-102&ad=784799&
Control plane logging - Enables the logging of packets that CoPP or CPPr
drop or permit. It provides the logging mechanism needed to deploy,
monitor, and troubleshoot CoPP features efficiently.
Note: Further detail on securing the control plane is beyond the scope of
this course.
Authorize actions - Restricts the actions and views that are permitted by
any particular user, group, or service.
RBAC restricts user access based on the role of the user. Roles are created
according to job or task functions, and assigned access permissions to
specific assets. Users are then assigned to roles, and are granted the
permissions that are defined for that role.
In Cisco IOS, the role-based CLI access feature implements RBAC for router
management access. The feature creates different views that define
which commands are accepted and what configuration information is
visible. For scalability, users, permissions, and roles are usually created
ACLs perform packet filtering to control which packets move through the
network and where those packets are allowed to go. ACLs are used to
secure the data plane in a variety of ways, including:
Classifying traffic to protect the Management and Control planes ACLs can be applied on the vtylines.
Cisco Catalyst switches can use integrated features to help secure the
Layer 2 infrastructure. The following Layer 2 security tools are integrated
into the Cisco Catalyst switches:
Port security - Prevents MAC address spoofing and MAC address flooding
attacks.
DHCP snooping - Prevents client attacks on the DHCP server and switch.