Network Security

Network and Information Security Basics

Do I Know this Already


Which security term refers to a person, property, or data of value to a company?
Risk
Asset
Threat prevention
Mitigation technique

11/12/2012

Do I Know this Already


Which asset characteristic refers to risk that results from a threat and lack of a countermeasure?
High availability
Liability
Threat prevention
Vulnerability

Do I Know this Already


Which three items are the primary network security objectives for a company?
Revenue generation
Confidentiality
Integrity
Availability

Do I Know this Already


Which data classification label is usually not found in a government organisation?
Unclassified
Classified but not important
Sensitive but unclassified
For official use only
Secret

Do I Know this Already


Which of the following represents a physical control?
Change control policy
Background checks
Electronic lock
Access list

Do I Know this Already


What is the primary motivation for most attacks against networks today?
Political
Financial
Theological
Curiosity

Do I Know this Already


Which type of an attack involves lying about the source address of a frame or packet?
Man-in-the-middle attack
Denial-of-service attack
Reconnaissance attack
Spoofing attack

Do I Know this Already


Which two approaches to security provide the most secure results on day one?
Role based
Defence in depth
Authentication
Least privilege

Do I Know this Already


Which of the following might you find in a network that is based on defence-in-depth security implementation? (choose all that apply)
Firewall
IPS
Access list
Current patches on servers

Do I Know this Already


In relation to production networks, which of the following are viable options when dealing with risk? (Choose all that apply)
Ignore it
Transfer it
Mitigate it
Remove it

Network Security Objectives


Viewing the network from different perspectives:
Senior managers view the network as a business tool to facilitate the goals of the company.
Network technicians view it as the centre of the universe.
End users view it as a tool to get their job done, or as a source of recreation.
So an important point to remember is that the users themselves represent a risk, and that security training for users is a key part of a comprehensive security policy.
Network Security Objectives


Network security objectives usually involve three basic concepts:
Confidentiality
Integrity
Availability

Classifying Assets
One reason to classify an asset is so that you can take specific action, based on policy, with regard to assets in a given class. Consider, for example, virtual private networks (VPN). We classify (that is, identify) the traffic that should be sent over a VPN tunnel.

Classifying Assets
By classifying data and labelling it (such as labelling top secret data on a hard disk), we can then focus the appropriate amount of protection or security on that data: more security for top secret data than for unclassified data, for instance.

The benefit is that when new data is put into the system, you can classify it as confidential, secret, and so on, and it will then receive the same level of protection that you set up for that type of data.
Classifying Vulnerabilities
Understanding the weaknesses/vulnerabilities in a system or network is a huge step toward correcting the vulnerability or putting in appropriate countermeasures to mitigate threats against those vulnerabilities.

Classifying Vulnerabilities
Potential network vulnerabilities abound, with many resulting from one or more of the following:
Policy flaws
Design errors
Protocol weaknesses
Misconfiguration
Software vulnerabilities
Human factors
Malicious software
Hardware vulnerabilities
Physical access to network resources
Classifying Countermeasures
After a company has identified its assets and considered the risks to each asset from a threat against a vulnerability, the company can then decide to implement countermeasures to reduce the risk of a successful attack. Common control methods used to implement countermeasures include the following:
Administrative
Physical
Logical
Potential Attackers
We could devote an entire book to attacks that have been launched in the past 15 minutes somewhere in the world against a network resource. Instead of trying to list the thousands of attacks that could threaten vulnerable networks, let's begin by looking at the types of adversaries that may be behind attacks:
Terrorists
Criminals
Government agencies
Nation-states
Hackers
Disgruntled employees
Competitors
Anyone with access to a computing device (sad, but true)
Attack Methods
Reconnaissance
This is the discovery process used to find information about the network. It could include scans of the network to find out which IP addresses respond, and further scans to see which ports are open. This is usually the first step taken, to discover what is on the network and to determine potential vulnerabilities.
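As an added example (not part of the original slides), the following Python script shows the defender's side of the reconnaissance step described above: it reads a constructed, simplified connection log and flags a source that touches many distinct ports on one host within a short window, which is what a port scan looks like from the network's point of view. The log format, the field order and the thresholds are assumptions made for the illustration.

```python
"""Port-scan detection over a constructed connection log.

Added example, not from the original slides. Assumed log format (one event per line):
"<epoch_seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>".
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes eight ports on 192.168.1.10 within three seconds;
# 10.0.0.7 is ordinary traffic to a web server and should not be flagged.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.168.1.10 22 S
1700000000 10.0.0.5 192.168.1.10 23 S
1700000001 10.0.0.5 192.168.1.10 25 S
1700000001 10.0.0.5 192.168.1.10 80 S
1700000002 10.0.0.5 192.168.1.10 110 S
1700000002 10.0.0.5 192.168.1.10 135 S
1700000003 10.0.0.5 192.168.1.10 139 S
1700000003 10.0.0.5 192.168.1.10 443 S
1700000000 10.0.0.7 192.168.1.20 443 S
1700000030 10.0.0.7 192.168.1.20 443 S
1700000060 10.0.0.7 192.168.1.20 80 S
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, port, flags) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, flags = line.split()
        events.append((int(ts), src, dst, int(port), flags))
    return events


def detect_port_scans(events, window=10, min_ports=6):
    """Return {(src, dst): distinct_ports} for source/destination pairs that reach
    at least `min_ports` distinct destination ports inside any `window`-second span."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _flags in events:
        by_pair[(src, dst)].append((ts, port))

    hits = {}
    for pair, seq in by_pair.items():
        seq.sort()                      # time order, then port
        start = 0
        for end in range(len(seq)):     # sliding window over the sorted events
            while seq[end][0] - seq[start][0] > window:
                start += 1
            ports = {port for _ts, port in seq[start:end + 1]}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits


if __name__ == "__main__":
    for (src, dst), count in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst} ({count} distinct ports)")
```

The threshold and window are the tuning knobs: a vulnerability scanner run by the security team will trip the same rule, so in practice the detector is paired with an allow list of known scanning hosts rather than lowered until it stops firing.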
Attack Methods
Social engineering
This is a tough one because it leverages our weakest (very likely) vulnerability in a secure network: the user. If the attacker can get the user to reveal information, it is much easier for the attacker than using some other method of reconnaissance.
Attack Methods
Privilege escalation
This is the process of taking some level of access (whether authorized or not) and achieving an even greater level of access. An example is an attacker who gains user mode access to a router and then uses a brute-force attack against the router, determining what the enable secret is for privilege level 15 access.
Attack Methods
Back doors
When attackers gain access to a system, they usually want future access as well, and they want it to be easy. A backdoor application can be installed to either allow future access or to collect information to use in further attacks. Many back doors are installed by users clicking something without realizing the link they click or the file they open is a threat. Back doors can also be implemented as a result of a virus or a worm (often referred to as malware).

Attack Methods

Covert channel
This method uses programs or communications in unintended ways. For example, if the security policy says that web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to-peer traffic inside of HTTP traffic.
Attack Methods
Trust exploitation
If the firewall has three interfaces, and the outside interface allows all traffic to the demilitarized zone (DMZ) but not to the inside network, and the DMZ allows access to the inside network, an attacker could leverage that by gaining access to the DMZ and using that location to launch attacks from there to the inside network. Other trust models, if incorrectly configured, may allow unintentional access to an attacker, including Active Directory and NFS (Network File System, in UNIX).

Password attacks
These could be brute force, where the attacker's system attempts thousands of possible passwords looking for the right match. This is best protected against by specifying limits on how many unsuccessful authentication attempts may occur within a specified time frame. Password attacks can also be done through malware, man-in-the-middle attacks using packet sniffers, or by using key loggers.
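The attempt-limiting control mentioned above, as an added Python example that is not from the slides: an account is locked for a fixed period once a set number of failed logins occur within a window, and passwords are checked against a salted PBKDF2 hash with a constant-time comparison so the check itself leaks nothing. The user store, the salt, the thresholds and the class and function names are constructed for the illustration.

```python
"""Failed-login lockout with salted password hashing.

Added example, not from the original slides. The user store, salt and thresholds are
constructed for the illustration; a real deployment would use a random per-user salt,
share lock state across servers, and forward lock events to the accounting server.
"""
import hashlib
import hmac
from collections import deque

PBKDF2_ROUNDS = 50_000


def make_record(password, salt=b"constructed-salt"):
    """Build a (salt, hash) record; the fixed salt here is for the example only."""
    return (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))


# Constructed user store: username -> (salt, pbkdf2 hash)
USERS = {"alice": make_record("correct horse battery staple")}
# Dummy record so unknown usernames cost the same time to check as real ones
DUMMY_RECORD = make_record("not-a-real-password")


def verify_password(record, password):
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


class LoginGuard:
    """Lock an account for `lockout` seconds after `max_failures` failed attempts
    within any `window`-second span. Timestamps are passed in so behaviour is testable."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}       # user -> deque of failure timestamps
        self._locked_until = {}   # user -> epoch seconds when the lock expires

    def attempt(self, user, password, now):
        """Return "locked", "ok" or "denied" for one login attempt at time `now`."""
        if self._locked_until.get(user, 0) > now:
            return "locked"          # reject without even checking the password
        record = USERS.get(user, DUMMY_RECORD)
        ok = verify_password(record, password) and user in USERS
        if ok:
            self._failures.pop(user, None)
            return "ok"
        recent = self._failures.setdefault(user, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()         # forget failures that fell outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            recent.clear()
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, window=60, lockout=300)
    for t, pw in [(0, "x"), (1, "y"), (2, "z"), (3, "correct horse battery staple")]:
        print(t, guard.attempt("alice", pw, t))
```

Note that the lock is checked before the password, so a locked account costs the attacker nothing but also gives the attacker nothing; the trade-off is that an attacker who knows a username can lock its owner out, which is why such limits are usually combined with per-source rate limits rather than used alone.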
Botnet
A botnet is a collection of infected computers that are ready to take instructions from the attacker. For example, if the attacker has the malicious backdoor software installed on 10,000 computers, from his central location he could instruct those computers to all send TCP SYN requests or ICMP echo requests repeatedly to the same destination. To add insult to injury, he could also spoof the source IP address of the request so that reply traffic is sent to yet another victim. A covert channel is generally used by the attacker to manage the individual devices that make up the botnet.

DoS and DDoS


Denial-of-service attack and distributed denial-of-service attack. An example is using a botnet to attack a target system. If an attack is launched from a single device with the intent to cause damage to an asset, the attack could be considered a DoS attempt, as opposed to a DDoS. Both types of attacks want the same result, and it just depends on how many source machines are used in the attack as to whether it is called a DoS or DDoS.
Guidelines for Secure Network Architecture


Rule of least privilege
This rule states that minimal access is only provided to the required network resources, and not any more than that. An example of this is an access list applied to an interface for filtering that says deny all. Before this, specific entries could be added allowing only the bare minimum of required protocols, and only then between the correct source and destination addresses.
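An added Python example (not from the slides) of the ordering rule described above: entries are evaluated top-down, the first match wins, and anything not explicitly permitted falls through to deny. It also includes a small check for entries that can never match because a catch-all sits above them, which is the mistake of writing the deny-all first and the permits after it. The entry format and the sample list are constructed; it models the general first-match behaviour rather than any particular vendor's ACL syntax.

```python
"""First-match access-list evaluation with an implicit deny.

Added example, not from the original slides and not any vendor's ACL syntax: it models
the general behaviour (top-down, first match wins, unmatched traffic is denied).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # None matches any destination port


def entry(action, proto, src, dst, dst_port=None):
    return Entry(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dst_port)


# Constructed least-privilege list: two narrow permits above an explicit deny-all.
ACL = [
    entry("permit", "tcp", "10.1.1.0/24", "10.2.2.10/32", 443),   # web clients to one server
    entry("permit", "udp", "0.0.0.0/0", "10.2.2.53/32", 53),      # DNS to the resolver
    entry("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),               # everything else
]


def matches(e, proto, src, dst, dst_port):
    return (e.proto in ("any", proto)
            and src in e.src and dst in e.dst
            and (e.dst_port is None or e.dst_port == dst_port))


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """Return (action, index) of the first matching entry, or ("deny", None)
    when nothing matches: the implicit deny at the end of every list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for index, e in enumerate(acl):
        if matches(e, proto, src, dst, dst_port):
            return e.action, index
    return "deny", None


def is_catch_all(e):
    return (e.proto == "any" and e.src.prefixlen == 0
            and e.dst.prefixlen == 0 and e.dst_port is None)


def unreachable_entries(acl):
    """Indexes of entries placed below a catch-all entry; they can never match."""
    for index, e in enumerate(acl):
        if is_catch_all(e):
            return list(range(index + 1, len(acl)))
    return []


if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "10.1.1.7", "10.2.2.10", 443))   # ('permit', 0)
    print(evaluate(ACL, "tcp", "10.1.1.7", "10.2.2.10", 22))    # ('deny', 2)
    print(unreachable_entries([ACL[2], ACL[0], ACL[1]]))         # [1, 2]
```

Even without the explicit deny-all entry, unmatched traffic is denied; writing it anyway makes the intent visible and gives the denied traffic a line whose hit counter can be watched.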
Defense in depth
This concept suggests that you have security implemented on nearly every point of your network. An example is filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches your servers, and using host-based security precautions at the servers as well. This is defense in depth. Using authentication and authorization mechanisms could also be part of a defense-in-depth approach. The concept behind defense in depth is that if a single system fails, it does not mean that security has completely been removed from the equation.

Separation of duties
By placing specific individuals into specific roles, there can be checks and balances in place regarding the implementation of the security policy. Rotating individuals into different roles periodically will also assist in verifying that vulnerabilities are being addressed, because a person who moves into a new role will be required to review the policies in place.
Auditing
This refers to accounting and keeping records about what is occurring on the network. Most of this can be automated through the features of authentication, authorization, and accounting (AAA) (covered later in this book). When events happen on the network, the records of those events can be sent to an accounting server. When the separation-of-duties approach is used, those who are making changes on the network should not have direct access to modify or delete the accounting records that are kept on the accounting server.

Attack Vectors
Be aware that attacks are not launched only from individuals outside your company. They are also launched from people and devices inside your company who have current user accounts. Perhaps the user is curious, or maybe a back door is installed on the computer that the user is on. In either case, it is important to implement a security policy that takes nothing for granted, and to be prepared to mitigate risk at several levels.

You can implement a security policy that takes nothing for granted by requiring authentication from users before their computer is allowed on the network (for which you could use 802.1X and Cisco Access Control Server [ACS]). This means that the workstation the user is on must go through profiling before being allowed on the network. You could use Network Admission Control (NAC) or an Identity Services Engine (ISE) to enforce such a policy. In addition, you could use security measures at the switch port, such as port security and others. We cover many of these topics, in great detail, in later chapters.

Man-in-the-Middle Attacks
A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them. This can happen at Layer 2 or Layer 3. The main purpose is eavesdropping, so the attacker can see all the traffic.

If this happens at Layer 2, the attacker spoofs Layer 2 MAC addresses to make the devices on a LAN believe that the Layer 2 address of the attacker is the Layer 2 address of their default gateway. This is called ARP poisoning. Frames that are supposed to go to the default gateway are forwarded by the switch to the Layer 2 address of the attacker on the same network. As a courtesy, the attacker can forward the frames to the correct destination so that the client will have the connectivity needed, and the attacker now sees all the data between the two devices. To mitigate this risk, you could use techniques such as Dynamic Address Resolution Protocol (ARP) Inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.

The attacker could also implement the attack by placing a switch into the network and manipulating the Spanning Tree Protocol (STP) to become the root switch (and thus gain the ability to see any traffic that needs to be sent through the root switch). You can mitigate this through techniques such as root guard and other spanning-tree controls discussed later in this book.
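As an added Python example (not from the slides, and not any switch vendor's implementation), this models the DAI-style check described above: an ARP reply arriving on an untrusted port is forwarded only if its sender IP and MAC agree with a binding table of the kind a switch builds from DHCP snooping, so a host claiming the gateway's IP with its own MAC is dropped at the access port. The binding table, port names, MAC addresses and sample replies are all constructed.

```python
"""ARP reply validation against a binding table (DAI-style check).

Added example, not from the original slides or any switch vendor. The binding table,
trusted port set, MAC addresses and sample replies are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    port: str          # switch port the reply arrived on
    sender_ip: str     # IP the sender claims
    sender_mac: str    # MAC the sender claims for that IP


# Constructed binding table, as a switch would learn from DHCP snooping: ip -> (mac, port)
BINDINGS = {
    "192.168.1.1": ("aa:aa:aa:aa:aa:01", "Gi0/1"),    # default gateway, behind the uplink
    "192.168.1.10": ("aa:aa:aa:aa:aa:10", "Gi0/10"),
    "192.168.1.11": ("aa:aa:aa:aa:aa:11", "Gi0/11"),
}
TRUSTED_PORTS = {"Gi0/1"}   # uplinks/trunks: replies arriving here are not inspected


def inspect(reply, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (verdict, reason): 'forward' if the reply is consistent with the
    binding table or came from a trusted port, otherwise 'drop'."""
    if reply.port in trusted:
        return "forward", "trusted port"
    binding = bindings.get(reply.sender_ip)
    if binding is None:
        return "drop", f"no binding for {reply.sender_ip}"
    bound_mac, bound_port = binding
    if reply.sender_mac.lower() != bound_mac:
        return "drop", f"{reply.sender_ip} is bound to {bound_mac}, not {reply.sender_mac}"
    if reply.port != bound_port:
        return "drop", f"{reply.sender_ip} is bound to {bound_port}, not {reply.port}"
    return "forward", "matches binding"


# Constructed sample: the second reply is a host on Gi0/11 claiming the gateway's IP
# with its own MAC; the fourth reuses a valid IP/MAC pair from the wrong port.
SAMPLE_REPLIES = [
    ArpReply("Gi0/10", "192.168.1.10", "aa:aa:aa:aa:aa:10"),
    ArpReply("Gi0/11", "192.168.1.1", "aa:aa:aa:aa:aa:11"),
    ArpReply("Gi0/1", "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("Gi0/12", "192.168.1.10", "aa:aa:aa:aa:aa:10"),
]


def filter_replies(replies):
    """Apply inspect() to each reply and return the list of verdicts in order."""
    return [inspect(r)[0] for r in replies]


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(r.port, r.sender_ip, r.sender_mac, "->", *inspect(r))
```

The check is only as good as the binding table: hosts with static addresses have no DHCP binding and need static entries, or every ARP reply from them is dropped, which is the usual reason such inspection gets switched off in practice.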
