
Defining Security Fundamentals

2005 Cisco Systems, Inc. All rights reserved.

IPS v5.01-1

Need for Network Security

Threat Capabilities: More Dangerous and Easier to Use

[Chart: sophistication of hacker tools (low to high) versus the technical knowledge required of the attacker, 1980 to 2000. Items plotted, from the top of the chart down: stealth diagnostics, packet forging and spoofing, sniffers, hijacking sessions, scanners, back doors, exploiting known vulnerabilities, disabling audits, self-replicating code, password cracking, password guessing.]

Network Security Is a Continuous Process

Network security is a continuous process built around a security policy.

Step 1: Secure
Step 2: Monitor
Step 3: Test
Step 4: Improve

[Diagram: the security wheel, with the corporate security policy at the center and four phases around it: Secure, Monitor and Respond, Test, Manage and Improve.]

Network Security Policy

What Is a Security Policy?

A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
RFC 2196, Site Security Handbook

Primary Network Threats and Attacks

Variety of Attacks

Network attacks can be as varied as the systems that they attempt to penetrate.

[Diagram: attack paths into a network: internal exploitation, exploitation from the Internet, dial-in exploitation, and a compromised host.]

Network Security Threats

There are four general categories of security threats to the network:
- Unstructured threats
- Structured threats
- External threats
- Internal threats

The Four Primary Attack Categories

All of the following can be used to compromise your system:
- Reconnaissance attacks
- Access attacks
- Denial of service attacks
- Worms, viruses, and Trojan horses

Reconnaissance Attacks and Mitigation

Reconnaissance Attacks

Reconnaissance refers to the overall act of learning about a target network by using readily available information and applications.

Packet Sniffers

[Diagram: Host A, Router A, Router B, Host B.]

A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. These are the features of packet sniffers:
- Packet sniffers exploit information passed in clear text. Protocols that pass information in clear text include the following:
  - Telnet
  - HTTP

Packet Sniffer Attack Mitigation

[Diagram: Host A, Router A, Router B, Host B.]

Here are techniques and tools that can be used to mitigate sniffer attacks:
- Authentication: A first option for defense against packet sniffers is to use strong authentication, such as one-time passwords.
- Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
- Antisniffer tools: These tools consist of software and hardware designed to detect sniffers on a network.
- Cryptography: The most effective method for countering packet sniffers does not prevent or detect them but rather renders them irrelevant.

Port Scans and Ping Sweeps

What these attacks attempt to do:
- Identify all services on the network
- Identify all hosts and devices on the network
- Identify the operating systems on the network
- Identify vulnerabilities on the network

Port Scan and Ping Sweep Attack Mitigation

Port scans and ping sweeps cannot be prevented entirely.
IDSs at the network and host levels can usually notify an administrator when a reconnaissance attack such as a port scan or a ping sweep is underway.
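As an added example (not part of the Cisco course material), the following Python script applies the kind of threshold logic an IDS uses to raise the notification described above: it reads constructed connection records and flags a source that touches many ports on one host (port scan) or sends ICMP echo to many hosts (ping sweep). The record format, thresholds and sample data are assumptions.

```python
"""Flag port scans and ping sweeps in constructed connection records
(added example, not from the Cisco course; the record format, thresholds
and sample data are illustrative assumptions)."""
from collections import defaultdict

# Constructed log: "<src> <dst> <proto> <dport>" (dport 0 for ICMP echo).
# 10.0.0.5 probes many ports on one host, 10.0.0.9 pings many hosts,
# 10.0.0.7 is ordinary web traffic.
SAMPLE_LOG = """\
10.0.0.5 192.0.2.10 tcp 21
10.0.0.5 192.0.2.10 tcp 22
10.0.0.5 192.0.2.10 tcp 23
10.0.0.5 192.0.2.10 tcp 25
10.0.0.5 192.0.2.10 tcp 80
10.0.0.9 192.0.2.1 icmp 0
10.0.0.9 192.0.2.2 icmp 0
10.0.0.9 192.0.2.3 icmp 0
10.0.0.9 192.0.2.4 icmp 0
10.0.0.7 192.0.2.10 tcp 80
10.0.0.7 192.0.2.10 tcp 443
"""
PORT_SCAN_THRESHOLD = 5   # distinct ports on one host from one source
PING_SWEEP_THRESHOLD = 4  # distinct hosts sent ICMP echo from one source


def parse(log_text):
    """Yield (src, dst, proto, dport); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[0], parts[1], parts[2], int(parts[3])


def detect(log_text):
    """Return {'port_scan': {src: [dst, ...]}, 'ping_sweep': [src, ...]}."""
    ports = defaultdict(set)   # (src, dst) -> destination ports touched
    pinged = defaultdict(set)  # src -> hosts it sent ICMP echo to
    for src, dst, proto, dport in parse(log_text):
        if proto == "icmp":
            pinged[src].add(dst)
        else:
            ports[(src, dst)].add(dport)
    scans = defaultdict(list)
    for (src, dst), seen in ports.items():
        if len(seen) >= PORT_SCAN_THRESHOLD:
            scans[src].append(dst)
    sweeps = sorted(s for s, h in pinged.items() if len(h) >= PING_SWEEP_THRESHOLD)
    return {"port_scan": dict(scans), "ping_sweep": sweeps}
```

A production sensor would evaluate these counts over a sliding time window so a slow scan spread across hours is not missed.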

Access Attacks and Mitigation

Password Attacks

Hackers can implement password attacks by using several methods:
- Brute-force attacks
- Trojan horse programs
- IP spoofing
- Packet sniffers

Password Attack Mitigation

Password attack mitigation techniques:
- Do not allow users to have the same password on multiple systems.
- Disable accounts after a certain number of unsuccessful login attempts.
- Do not use plain text passwords. A cryptographic password is recommended.
- Use strong passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters.
- Force periodic password changes.
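The lockout, strong-password and hashed-storage rules above, implemented as an added Python example (not from the Cisco course); the failure threshold, PBKDF2 parameters and in-memory account table are assumptions:

```python
"""Password attack mitigation controls from the slide as an added example
(not from the Cisco course): strong-password check, salted hashed storage
instead of plain text, and lockout after N failed logins. Thresholds and
the in-memory account table are illustrative assumptions."""
import hashlib, hmac, secrets, string

MIN_LENGTH = 8           # slide: at least eight characters
MAX_FAILURES = 3         # disable the account after this many failures
PBKDF2_ROUNDS = 100_000  # work factor for the stored hash


def is_strong(password):
    """True if length >= 8 and it mixes upper, lower, digit and special."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return (len(password) >= MIN_LENGTH
            and all(any(c in cls for c in password) for cls in classes))


def hash_password(password, salt=None):
    """Return (salt, digest); the clear-text password is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    """Minimal account table with failed-attempt counting and lockout."""
    def __init__(self):
        self.accounts = {}  # user -> {salt, digest, failures, disabled}

    def add_user(self, user, password):
        if not is_strong(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.accounts[user] = {"salt": salt, "digest": digest,
                               "failures": 0, "disabled": False}

    def login(self, user, password):
        """Return 'ok', 'bad_password', 'disabled' or 'no_such_user'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "no_such_user"
        if acct["disabled"]:
            return "disabled"
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["disabled"] = True  # slide: disable after N failed attempts
        return "bad_password"
```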

Denial of Service Attacks and Mitigation

Denial of Service Attacks

Denial of service attacks occur when an intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, systems, or services.

IP Spoofing

IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
Two general techniques are used during IP spoofing:
- A hacker uses an IP address that is within the range of trusted IP addresses.
- A hacker uses an authorized external IP address that is trusted.
Here are uses for IP spoofing:
- IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.
- If a hacker changes the routing tables to point to the spoofed IP address, the hacker can then receive all the network packets that are addressed to the spoofed address and reply, just as any trusted user can.

IP Spoofing Attack Mitigation

The threat of IP spoofing can be reduced, but not eliminated, through these measures:
- Access control: The most common method for preventing IP spoofing is to properly configure access control.
- RFC 2827 filtering: Prevent any outbound traffic on your network that does not have a source address in your organization's own IP range.
- Require additional authentication that does not use IP-based authentication. Examples of this technique include the following:
  - Cryptography (recommended)
  - Strong, two-factor, one-time passwords

DoS and DDoS Attacks

DoS attacks focus on making a service unavailable for normal use. They have the following characteristics:
- Differ from most other attacks because they are generally not targeted at gaining access to your network or the information on your network
- Require very little effort to execute
- Are among the most difficult to completely eliminate

DoS and DDoS Attack Mitigation

The threat of DoS attacks can be reduced by three methods:
- Antispoof features: Proper configuration of antispoof features on routers and firewalls
- Anti-DoS features: Proper configuration of anti-DoS features on routers, firewalls, and intrusion detection systems
- Traffic rate limiting: Implementation of traffic rate limiting with the ISP of the network

Management Protocols and Functions

Configuration Management

Configuration management protocols include SSH, SSL, and Telnet.
Telnet issues include the following:
- The data within a Telnet session is sent as clear text and may be intercepted by anyone with a packet sniffer located along the data path between the device and the management server.
- The data may include sensitive information, such as the configuration of the device itself, passwords, and so on.

Configuration Management Recommendations

When possible, the following practices are advised:
- Use IPSec, SSH, SSL, or any other encrypted and authenticated transport.
- ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged.
- Use RFC 2827 filtering at the perimeter router to mitigate the chance of an outside attacker spoofing the addresses of the management hosts.
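An added Python example (not Cisco's configuration) that evaluates two of the rules from this slide and from the IP spoofing mitigation slide: RFC 2827 egress filtering on the organization's own source range, and an ACL that admits only management servers to management ports and logs every other attempt. The organization prefix, management host, port numbers and sample packets are assumptions.

```python
"""Added example (not Cisco's own configuration) of two rules from the
slides, evaluated in Python with the ipaddress module: RFC 2827 egress
filtering, which drops outbound packets whose source is outside the
organization's own range, and a management ACL that admits only listed
management servers to management ports and logs every other attempt.
Prefixes, hosts, ports and sample packets are constructed assumptions."""
import ipaddress

ORG_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # assumed org range
MGMT_SERVERS = {ipaddress.ip_address("203.0.113.10")}  # assumed mgmt host
MGMT_PORTS = {22, 161}                                 # SSH and SNMP
denied_log = []  # records denied management attempts (slide: deny and log)


def rfc2827_egress(src, direction):
    """'deny' outbound packets whose source is not in ORG_PREFIX."""
    if direction == "outbound" and ipaddress.ip_address(src) not in ORG_PREFIX:
        return "deny"
    return "permit"


def management_acl(src, dport):
    """Only MGMT_SERVERS may reach MGMT_PORTS; other sources are logged."""
    if dport not in MGMT_PORTS:
        return "permit"  # not a management service, the ACL does not apply
    if ipaddress.ip_address(src) in MGMT_SERVERS:
        return "permit"
    denied_log.append(f"denied management access from {src} to port {dport}")
    return "deny"


def filter_packets(packets):
    """Apply both rules; a packet is dropped if either rule denies it."""
    verdicts = []
    for p in packets:
        rules = (rfc2827_egress(p["src"], p["direction"]),
                 management_acl(p["src"], p["dport"]))
        verdicts.append("deny" if "deny" in rules else "permit")
    return verdicts


# Constructed packets: an internal host browsing, a spoofed outbound
# packet, a legitimate management session, and an outside SSH attempt.
SAMPLE_PACKETS = [
    {"src": "203.0.113.50", "direction": "outbound", "dport": 80},
    {"src": "198.51.100.7", "direction": "outbound", "dport": 80},
    {"src": "203.0.113.10", "direction": "inbound", "dport": 22},
    {"src": "198.51.100.7", "direction": "inbound", "dport": 22},
]
```

On real equipment the two rules live in different places (the egress filter on the perimeter router, the management ACL on each managed device); they are combined here only to show both verdicts on one packet set.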

Management Protocols

The following management protocols can be compromised:
- SNMP: The community string information for simple authentication is sent in clear text.
- Syslog: Data is sent as clear text between the managed device and the management host.
- TFTP: Data is sent as clear text between the requesting host and the TFTP server.
- NTP: Many NTP servers on the Internet do not require any authentication of peers.

Management Protocol Recommendations

SNMP recommendations:
- Configure SNMP only with read-only community strings.
- Set up access control on the device you wish to manage.
- Use SNMP version 3 or above.
Logging recommendations:
- Encrypt syslog traffic within an IPSec tunnel.
- Implement RFC 2827 filtering.
- Set up access control on the firewall.
TFTP recommendations:
- Encrypt TFTP traffic within an IPSec tunnel.
NTP recommendations:
- Implement your own master clock.
- Set up access control that specifies which network devices are allowed to synchronize with other network devices.
