
1 Describe today’s increasing network security threats and explain the need to implement a comprehensive security policy to mitigate the threats



85711.book Page 305 Thursday, September 27, 2007 10:35 AM



6.1 Describe today’s increasing network security threats



FIGURE 6.1 A typical secured network

[Diagram. Components shown: the corporate (trusted) network, an internal (local network) router, a firewall, a perimeter (premises) router, the untrusted network (the Internet), and a DMZ containing a web server and a mail server.]



Instead of having routers, we can (as you already know) use virtual local area networks (VLANs) with switches on the inside trusted network. Multilayer switches containing their own security features can sometimes replace internal (LAN) routers to provide higher performance in VLAN architectures.

Let’s discuss the security threats a typical secured internetwork faces; then I’ll provide some ways of protecting the internetwork using the Cisco IOS Firewall feature set and access lists.



Recognizing Security Threats

Yes, it’s true: Security attacks vary considerably in their complexity and threat level, and some even happen because of WUI, or witless user ignorance. (This term isn’t an exam objective, but it does occur more than you’d think!)

You see, it all comes down to planning, or rather, lack thereof. Basically, the vital tool that the Internet has become today was absolutely unforeseen by those who brought it into being. This is a big reason why security is now such an issue—most IP implementations are innately insecure. No worries though, because Cisco has a few tricks up its sleeve to help us with this. But first, let’s examine some common attack profiles:

Application layer attacks These attacks commonly zero in on well-known holes in the software that’s typically found running on servers. Favorite targets include FTP, sendmail, and HTTP. Because the permissions level granted to these accounts is most often “privileged,” bad guys simply access and exploit the machine that’s running one of the applications I just mentioned.






Autorooters You can think of these as a kind of hacker automaton. Bad guys use something called a rootkit to probe, scan, and then capture data on a strategically positioned computer that’s poised to give them “eyes” into entire systems—automatically!

Backdoors These are simply paths leading into a computer or network. Through simple invasions, or via more elaborate “Trojan horse” code, bad guys can use their implanted inroads into a specific host or even a network whenever they want to—until you detect and stop them, that is!

Denial of service (DoS) and distributed denial of service (DDoS) attacks Basically, a service is made unavailable by overwhelming the system that normally provides it. A denial of service attack is characterized by a flood of packets that are requesting a TCP connection to a server, and there are several different flavors:

TCP SYN flood Begins when a client initiates a seemingly run-of-the-mill TCP connection and sends a SYN message to a server. The server predictably responds by sending a SYN-ACK message back to the client machine, which then establishes the connection by returning an ACK message. Sounds fine, but it’s actually during this process—when the connection is only halfway open—that the victim machine is literally flooded with a deluge of half-open connections and pretty much becomes paralyzed.

“Ping of death” attacks You probably know that TCP/IP’s maximum packet size is 65,536 octets. It’s okay if you didn’t know that—just understand that this attack is executed by simply pinging with oversized packets, causing a device to keep rebooting incessantly, freeze up, or just totally crash.

Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K) These nasty little numbers are more complex in that they initiate synchronized DoS attacks from multiple sources and can target multiple devices. This is achieved, in part, by something known as “IP spoofing,” which I’ll be describing soon.

Stacheldraht This attack is actually a mélange of methods, and it translates from the German term for barbed wire. It basically incorporates TFN and adds a dash of encryption. It all begins with a huge invasion at the root level, followed up with a DoS attack finale.
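As an added example that is not from the book: a small Python detector for the half-open backlog the TCP SYN flood entry describes, run over a constructed packet trace (one completed handshake plus forty SYNs that never receive their final ACK). The (src, dst, flags) record format, the 192.0.2.x/203.0.113.x addresses and the alert threshold are assumptions.

```python
# Added example (not from the book): count half-open TCP connections per server
# in a packet trace, the backlog a SYN flood builds up.  Packet format
# (src, dst, flags) and the threshold are assumptions.
from collections import defaultdict


def half_open_per_server(trace):
    """Return {server: number of handshakes stuck at SYN / SYN-ACK}."""
    state = {}  # (client, server) -> "half-open" or "open"
    for src, dst, flags in trace:
        if flags == "SYN":
            state[(src, dst)] = "half-open"
        elif flags == "SYN-ACK":
            state.setdefault((dst, src), "half-open")  # server answering client
        elif flags == "ACK" and state.get((src, dst)) == "half-open":
            state[(src, dst)] = "open"  # third packet completes the handshake
    counts = defaultdict(int)
    for (_client, server), s in state.items():
        if s == "half-open":
            counts[server] += 1
    return dict(counts)


def syn_flood_suspects(trace, threshold=20):
    """Servers whose half-open backlog exceeds the threshold (assumed value)."""
    return sorted(s for s, n in half_open_per_server(trace).items() if n > threshold)


# Constructed sample trace: one legitimate handshake, then 40 SYNs from
# different sources that the server answers but that are never completed.
SERVER = "192.0.2.10"
SAMPLE_TRACE = [
    ("10.1.1.5", SERVER, "SYN"),
    (SERVER, "10.1.1.5", "SYN-ACK"),
    ("10.1.1.5", SERVER, "ACK"),
]
for i in range(1, 41):
    SAMPLE_TRACE.append((f"203.0.113.{i}", SERVER, "SYN"))
    SAMPLE_TRACE.append((SERVER, f"203.0.113.{i}", "SYN-ACK"))

if __name__ == "__main__":
    print(half_open_per_server(SAMPLE_TRACE), syn_flood_suspects(SAMPLE_TRACE))
```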

IP spoofing This is pretty much what it sounds like it is—a bad guy from within or outside of your network masquerades as a trusted host machine by doing one of two things: presenting with an IP address that’s inside your network’s scope of trusted addresses or using an approved, trusted external IP address. Because the hacker’s true identity is veiled behind the spoofed address, this is often just the beginning of your problems.
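An added example (not from the book) of the ingress and egress anti-spoofing check a perimeter router can make against the spoofing cases just described: a packet arriving on the untrusted side that claims a trusted internal source, and an inside host sending with an outside source. The trusted prefix 10.0.0.0/8, the interface names and the sample packet log are assumptions.

```python
# Added example (not from the book): source-address sanity checks a perimeter
# router applies per interface.  Trusted prefix and interface names are assumed.
import ipaddress

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
BOGON_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8")]


def filter_packet(interface, src, dst, trusted=TRUSTED_NET):
    """Return (verdict, reason) for one packet seen on the perimeter router.

    interface: "outside" (untrusted/Internet side) or "inside" (trusted side).
    Ingress rule: a packet from outside must not claim an inside source.
    Egress rule:  a packet leaving from inside must carry an inside source.
    dst is unused here but kept so a fuller rule set can be added.
    """
    s = ipaddress.ip_address(src)
    if any(s in b for b in BOGON_NETS):
        return ("drop", "bogon source")
    if interface == "outside" and s in trusted:
        return ("drop", "spoofed internal source on untrusted interface")
    if interface == "inside" and s not in trusted:
        return ("drop", "internal host spoofing an external source")
    return ("permit", "source consistent with interface")


# Constructed sample log: (interface, src, dst)
SAMPLE = [
    ("outside", "203.0.113.7", "10.1.1.5"),       # normal inbound
    ("outside", "10.1.1.9", "10.1.1.5"),          # spoofed internal source
    ("inside", "10.1.1.5", "198.51.100.2"),       # normal outbound
    ("inside", "198.51.100.99", "198.51.100.2"),  # inside host spoofing
    ("outside", "127.0.0.1", "10.1.1.5"),         # loopback from the Internet
]


def audit(log):
    """Count permit/drop verdicts over a packet log."""
    out = {"permit": 0, "drop": 0}
    for iface, src, dst in log:
        out[filter_packet(iface, src, dst)[0]] += 1
    return out


if __name__ == "__main__":
    print(audit(SAMPLE))
```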

Man-in-the-middle attacks Interception! But it’s not a football, it’s a bunch of your network’s packets—your precious data! A common guilty party could be someone working for your very own ISP using a tool known as a sniffer (discussed later) and augmenting it with routing and transport protocols.

Network reconnaissance Before breaking into a network, hackers often gather all the information they can about it, because the more they know about the network, the better they can compromise it. They accomplish their objectives through methods like port scans, DNS queries, and ping sweeps.






Packet sniffers This is the tool I mentioned earlier, but I didn’t tell you what it is, and it may come as a surprise that it’s actually software. Here’s how it works—a network adapter card is set to promiscuous mode so that it will send all packets snagged from the network’s physical layer through to a special application to be viewed and sorted out. A packet sniffer can nick some highly valuable, sensitive data including, but not limited to, passwords and usernames, making them prized among identity thieves.

Password attacks These come in many flavors, and even though they can be achieved via more sophisticated types of attacks like IP spoofing, packet sniffing, and Trojan horses, their sole purpose is to—surprise—discover user passwords so that the thief can pretend to be a valid user and then access that user’s privileges and resources.

Brute force attack Another software-oriented attack that employs a program running on a targeted network that tries to log in to some type of shared network resource like a server. For the hacker, it’s ideal if the accessed accounts have a lot of privileges because then the bad guys can form backdoors to use to gain access later and bypass the need for passwords entirely.

Port redirection attacks This approach requires a host machine that the hacker has broken into and uses to get wonky traffic (that normally wouldn’t be allowed passage) through a firewall.

Trojan horse attacks and viruses These two are actually pretty similar—both Trojan horses and viruses infect user machines with malicious code and mess it up with varying degrees of paralysis, destruction, even death! But they do have their differences—viruses are really just nasty programs attached to command.com, which just happens to be the main interpreter for all Windows systems. Viruses then run amok, deleting files and infecting any flavor of command.com they find on the now-diseased machine. The difference between a virus and a Trojan horse is that Trojans are actually complete applications encased inside code that makes them appear to be completely different entities—say, a simple, innocent game—than the ugly implements of destruction they truly are!

Trust exploitation attacks These happen when someone exploits a trust relationship inside your network. For example, a company’s perimeter network connection usually shelters important things like SMTP, DNS, and HTTP servers, making the servers really vulnerable because they’re all on the same segment.

To be honest, I’m not going to go into detail on how to mitigate each and every one of the security threats I just talked about, not only because that would be outside the scope of this book, but also because the methods I am going to teach you will truly protect you from being attacked in general. You will learn enough tricks to make all but the most determined bad guys give up on you and search for easier prey. So basically, think of this as a chapter on how to practice “safe networking.”



Exam Objectives

Remember the basic strategy for security. In medium-sized to large enterprise networks, the various strategies for security are based on some recipe of internal and perimeter routers plus firewall devices.






Remember the four typical denial of service attacks. There are four typical denial of service attacks used on today’s networks: TCP SYN flood, ping of death, Tribe Flood Network, and Stacheldraht.



6.2 Explain general methods to mitigate common security threats to network devices, hosts, and applications

Cisco has a very cool product called the Adaptive Security Appliance, or ASA. But there’s a catch or two—it’s a pretty pricey little beauty that scales in cost depending on the modules you choose (for example, intrusion prevention). Plus, the ASA is actually above the objectives of this book. I just personally think it’s the best product on the market.

Cisco IOS software runs on upwards of 80 percent of the Internet backbone routers out there; it’s probably the most critical part of network infrastructure. So, let’s just keep it real and use the Cisco IOS’s software-based security, known as the Cisco IOS Firewall feature set, for our end-to-end Internet, intranet, and remote-access network security solutions. Let’s take a look.



Cisco’s IOS Firewall

Here’s where you’re going to find out how to mitigate some of the more common security threats on the list I gave you earlier in this chapter by using these Cisco IOS Firewall features:

Stateful IOS Firewall inspection engine This is your perimeter protection feature because it gives your internal users secure access control on a per-application basis. People often call it Context-based Access Control (CBAC).

Intrusion detection A deep packet inspection tool that lets you monitor, intercept, and respond to abuse in real time by referencing 102 of the most common attack and intrusion detection signatures.

Firewall voice traversal An application-level feature based on the protocol’s understanding of call flow as well as the relevant open channels. It supports both the H.323v2 and Session Initiation Protocol (SIP) voice protocols.

ICMP inspection Basically permits responses to ICMP packets like ping and traceroute that come from inside your firewall while denying other ICMP traffic.

Authentication proxy A feature that makes users authenticate anytime they want to access the network’s resources through HTTP, HTTPS, FTP, and Telnet. It keeps personal network access profiles for users and automatically gets them for you from a RADIUS or TACACS+ server and applies them as well.






Destination URL policy management A buffet of features that’s commonly referred to as URL Filtering.

Per-user firewalls Personalized, user-specific, downloadable firewalls obtained through service providers. You can also get personalized ACLs and other settings via AAA server profile storage.

Cisco IOS router and firewall provisioning Allows for no-touch router provisioning, version updates, and security policies.

Denial of service (DoS) detection and prevention A feature that checks packet headers and drops any packets it finds suspicious.

Dynamic port mapping A sort of adapter that permits applications supported by firewalls on nonstandard ports.

Java applet blocking Protects you from any strange, unrecognized Java applets.
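An added example (not from the book, and not Cisco’s implementation) of the session table behind the stateful inspection engine and ICMP inspection entries above: ICMP coming from the untrusted side is admitted only when it answers an echo request that left the trusted side, and sessions expire. The 10-second timeout, the string message-type names and the addresses are assumptions; real CBAC matches on more header fields than this.

```python
# Added example (not the book's or Cisco's code): a simplified stateful ICMP
# inspection table.  Outbound echo requests open a session; only matching
# replies (or path errors about that probe) are allowed back in.  Assumed: a
# 10-second idle timeout and string type names instead of numeric ICMP types.

class IcmpInspector:
    def __init__(self, timeout=10.0):
        self.timeout = timeout   # assumed idle timeout, seconds
        self.pending = {}        # (inside_host, ident) -> (outside_host, expiry)

    def outbound(self, src, dst, icmp_type, ident, now):
        """Trusted -> untrusted: remember echo requests, permit everything."""
        if icmp_type == "echo-request":
            self.pending[(src, ident)] = (dst, now + self.timeout)
        return "permit"

    def inbound(self, src, dst, icmp_type, ident, now):
        """Untrusted -> trusted: permit only answers to a live outbound probe."""
        entry = self.pending.get((dst, ident))
        if entry is None:
            return "deny"                       # unsolicited ICMP
        outside_host, expiry = entry
        if expiry < now:
            del self.pending[(dst, ident)]
            return "deny"                       # session timed out
        if icmp_type == "echo-reply" and src == outside_host:
            del self.pending[(dst, ident)]      # exchange complete
            return "permit"
        if icmp_type in ("time-exceeded", "unreachable"):
            return "permit"                     # a router on the path reporting on our probe
        return "deny"


def demo():
    """Walk one ping and one timed-out exchange; returns the verdicts in order."""
    insp = IcmpInspector()
    inside, outside, hop = "10.1.1.5", "198.51.100.1", "203.0.113.3"  # constructed
    return [
        insp.inbound(outside, inside, "echo-request", 7, now=0),   # deny: unsolicited
        insp.outbound(inside, outside, "echo-request", 7, now=1),  # permit: opens session
        insp.inbound(hop, inside, "time-exceeded", 7, now=2),      # permit: error about our probe
        insp.inbound(outside, inside, "echo-reply", 7, now=3),     # permit: closes session
        insp.inbound(outside, inside, "echo-reply", 7, now=4),     # deny: session gone
        insp.outbound(inside, outside, "echo-request", 8, now=5),  # permit: opens session
        insp.inbound(outside, inside, "echo-reply", 8, now=30),    # deny: timed out
    ]
```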



Basic and Advanced Traffic Filtering

You can use standard, extended, even dynamic ACLs like Lock-and-Key traffic filtering with Cisco’s IOS Firewall. And you get to apply access controls to any network segment you want. Plus, you can specify the exact kind of traffic you want to allow to pass through any segment.

Policy-based, multi-interface support Allows you to control user access by IP address and interface depending on your security policy.

Network Address Translation (NAT) Conceals the internal network from the outside, increasing security.

Time-based access lists Determine security policies based upon the exact time of day and the particular day of the week.

Peer router authentication Guarantees that routers are getting dependable routing information from actual, trusted sources. (For this to work, you need a routing protocol that supports authentication, like RIPv2, EIGRP, or OSPF.)

Now that you’ve been briefed on security threats, relevant features of the Cisco IOS Firewall, and how to use that software to your advantage, let’s dive deep into the world of access lists and learn how to use ACLs to mitigate security threats. They really are powerful tools, so pay attention!



Exam Objectives

Remember the basic services that the Cisco IOS Firewall provides. The Cisco IOS Firewall provides at a minimum stateful IOS firewall inspection engine, intrusion detection, firewall voice traversal, ICMP inspection and authentication proxy, among many other services.


