CCNA Security Chapter 1 - Modern Security Threats

Three of the better-established network security organizations are:
 - www.sans.org SysAdmin, Audit, Network, Security (SANS) Institute
 - www.cert.org Computer Emergency Response Team (CERT)
 - www.isc2.org International Information Systems Security Certification Consortium
A number of other network security organizations are also important to network security professionals.

The 12 domains of network security provide a convenient separation for the elements of network security. While it is not important to memorize these 12 domains, it is important to be aware of their existence and formal declaration by the ISO. They will serve as a useful reference in your work as a network security professional.
One of the most important domains is security policy: a broad, end-to-end document designed to be clearly applicable to an organization's operations. The policy is used to aid in network design, convey security principles, and facilitate network deployments.
It is a complex document meant to govern items such as data access, web browsing, password usage, encryption, and email attachments.
A network security policy drives all the steps to be taken to secure network resources, not just equipment requirements and procedures.

Modern networks face threats such as blended threats, which combine worm, virus, and Trojan horse characteristics. Such advanced threats can spread throughout regional networks in a matter of minutes. Future threats are anticipated to spread globally within just a few seconds.

1) Malware categories
Malicious software includes computer viruses, worms, Trojan horses, spyware, adware, most rootkits, and others.
[Figure: malware by category, March 16, 2011]
The primary malware threats to end-user computers are the virus, the worm, and the Trojan horse:
 - A virus is malicious software that attaches itself to another program (a legitimate program or executable file) in order to execute a specific unwanted function on a computer.

 - A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts. Worms replicate themselves by independently exploiting vulnerabilities in networks and usually slow networks down.
Whereas a virus requires a host program to run, worms can run by themselves. They do not require user participation and can spread very quickly over the network.
Most worm attacks have three major components:
1) Enabling vulnerability - A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system.
2) Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.
3) Payload - Any malicious code that results in some action. Most often this is used to create a backdoor to the infected host. 

 - A Trojan Horse is malware that carries out malicious operations under the guise of a desired function (it can be carried in a virus or worm). The Trojan Horse concept is flexible. It can cause immediate damage, provide remote access to the system (a back door), or perform actions as instructed remotely, such as "send me the password file once per week."
 - Remote-access Trojan Horse - enables unauthorized remote access
 - Data sending Trojan Horse - provides the attacker with sensitive data such as passwords
 - Destructive Trojan Horse - corrupts or deletes files
 - Proxy Trojan Horse - user's computer functions as a proxy server
 - FTP Trojan Horse - opens port 21
 - Security software disabler Trojan Horse - stops antivirus programs or firewalls from functioning
 - Denial of Service Trojan Horse - slows or halts network activity

Worms and viruses can be described in terms of five basic phases of attack:
1) Probe phase - Vulnerable targets are identified (computers are found with ping (ICMP) scans that map the network, and the OS and vulnerable software are identified). Hackers can obtain passwords using social engineering, dictionary attacks, brute-force attacks, or network sniffing.
2) Penetrate phase - Exploit code is transferred to the vulnerable target (execute the exploit code through an attack vector, such as a buffer overflow, ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an email virus).
3) Persist phase - After the attack is successfully launched in the memory, the code tries to persist on the target system (even if the system reboots, by modifying system files, making registry changes, and installing new code).
4) Propagate phase - The attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines (using file shares or FTP services, active web connections, and file transfers through Internet Relay Chat (IRC)).
5) Paralyze phase - Actual damage is done to the system. Files can be erased, systems can crash, information can be stolen, and distributed DoS (DDoS) attacks can be launched.

2) Mitigate Malware
Viruses, worms, and Trojan Horses can slow or stop networks and corrupt or destroy data. Good security policies and antivirus software options are available for mitigating these types of threats.
a) The primary means of mitigating virus and Trojan Horse attacks is antivirus software.

b) Worms are more network-based than viruses. Worm mitigation requires diligence and coordination on the part of network security professionals. The response to a worm infection can be broken down into four phases:
  1) The containment phase involves limiting the spread of a worm infection to areas of the network that are already affected (segmentation of the network with ACLs on routers and firewalls).
  2) The inoculation phase runs parallel to or subsequent to the containment phase. All uninfected systems are patched with the appropriate vendor patch for the vulnerability.
  3) The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. This isolates these systems appropriately for the treatment phase.
  4) During the treatment phase, actively infected systems are disinfected of the worm. This can involve terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system. Alternatively, in more severe cases, the system may need to be reinstalled to ensure that the worm and its byproducts are removed.

3) Network Attack Categories
There are many different types of network attacks other than viruses, worms, and Trojan Horses.
The method used in this course classifies attacks in three major categories:
1) Reconnaissance Attacks (scanning, probing) - involve the unauthorized discovery and mapping of systems, services, or vulnerabilities, with the intention of gaining unauthorized access to a network or disrupting network functionality. Such activity becomes detectable when certain parameters are exceeded, such as the number of ICMP requests per second.
Reconnaissance attacks often employ the use of packet sniffers and port scanners, which are widely available as free downloads on the Internet. Reconnaissance is analogous to a thief surveying a neighborhood for vulnerable homes to break into, such as an unoccupied residence or a house with an easy-to-open door or window.
Reconnaissance attacks use various tools to gain access to a network:
 - Packet sniffers - use a network adapter card in promiscuous mode to capture all network packets sent across a LAN; they only work in the same collision domain as the network being attacked, unless the attacker has access to the intermediary switches. (Wireshark)
 - Ping sweeps - network scanning technique that determines which range of IP addresses map to live hosts. (IP scanner)
 - Port scans - scan of a range of TCP or UDP port numbers on a host to detect listening services. (Nmap)
 - Internet information queries (http://whois7.ru/)

2) Access Attacks - exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. An access attack can be performed in many different ways. An access attack often employs a dictionary attack to guess system passwords. There are also specialized dictionaries for different languages that can be used.
There are five types of access attacks:
1) Password attack - An attacker attempts to guess system passwords (Brute-force, Trojan Horse, Packet sniffer)
2) Trust exploitation - An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromising the target. (e.g., Active Directory (AD) domains, NIS, NFS)
3) Port redirection - Uses a compromised host to pass traffic through a firewall that would otherwise be dropped.
4) Man-in-the-middle attack - An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties. A popular man-in-the-middle attack involves a laptop acting as a rogue access point to capture and copy all network traffic from a targeted user. Often the user is in a public location on a wireless hotspot.
5) Buffer overflow - A program writes data beyond the allocated buffer memory. Buffer overflows usually arise as a consequence of a bug in a C or C++ program. A result of the overflow is that valid data is overwritten or exploited to enable the execution of malicious code.

3) DoS (Denial of Service) Attacks - attempt to compromise the availability of a network, host, or application. They are considered a major risk because they can easily interrupt a business process and cause significant loss. These attacks are relatively simple to conduct, even by an unskilled attacker.
There are two major reasons a DoS attack occurs:
 - A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.
 - A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.
Examples:
 - Sending extremely large numbers of requests over a network or the Internet. These excessive requests cause the target device to run sub-optimally. Consequently, the attacked device becomes unavailable for legitimate access and use.
 - Sending a poisonous packet. A poisonous packet is an improperly formatted packet designed to cause the receiving device to process the packet in an improper fashion. The poisonous packet causes the receiving device to crash or run very slowly. This attack can cause all communications to and from the device to be disrupted.
A Distributed Denial of Service Attack (DDoS) is similar in intent to a DoS attack, except that a DDoS attack originates from multiple coordinated sources.
Common DoS attacks:
1) Ping of Death - a hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. Sending a ping of this size can crash the target computer. A variant of this attack is to crash a system by sending ICMP fragments, which fill the reassembly buffers of the target.
2) Smurf Attack - a perpetrator sends a large number of ICMP requests to directed broadcast addresses, all with spoofed source addresses on the same network as the respective directed broadcast. If the routing device delivering traffic to those broadcast addresses forwards the directed broadcasts, all hosts on the destination networks send ICMP replies, multiplying the traffic by the number of hosts on the networks. On a multi-access broadcast network, hundreds of machines might reply to each packet.
3) TCP SYN Flood - a flood of TCP SYN packets is sent, often with a forged sender address. Each packet is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP SYN-ACK packet and waiting for a packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.
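The Ping of Death above works because the fragments of one datagram, once reassembled, would exceed the IPv4 limit of 65,535 bytes and overrun the reassembly buffer. The following is an added example, not part of the CCNA material, of the check an IPS or firewall can apply to each fragment before buffering it: track the highest byte offset any fragment of a datagram claims and discard the datagram as soon as that offset passes the limit. The Fragment record, the make_fragments helper and the sample addresses are constructed for this example.

```python
# Added example (not from the CCNA course): a pre-reassembly check for oversized
# fragmented datagrams.  Everything here is constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65535      # maximum IPv4 total length, header included
IPV4_HEADER_LEN = 20           # assumes no IP options (constructed simplification)


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int          # IP identification field shared by all fragments of one datagram
    offset_units: int   # fragment offset field, in units of 8 bytes
    payload_len: int    # bytes of payload carried by this fragment
    more_fragments: bool


def fragment_end(frag: Fragment) -> int:
    """Byte position, inside the reassembled datagram, where this fragment ends."""
    return IPV4_HEADER_LEN + frag.offset_units * 8 + frag.payload_len


def inspect_fragments(frags):
    """Return {(src, dst, ident): "drop" | "ok"} for every datagram seen.

    A datagram is marked "drop" the moment any fragment would place data beyond
    65,535 bytes; its remaining fragments are ignored rather than buffered, so
    the reassembly queue cannot be filled by them.
    """
    verdict = {}
    high_water = defaultdict(int)
    for f in frags:
        key = (f.src, f.dst, f.ident)
        if verdict.get(key) == "drop":
            continue                      # already rejected, do not buffer more
        high_water[key] = max(high_water[key], fragment_end(f))
        if high_water[key] > IPV4_MAX_DATAGRAM:
            verdict[key] = "drop"
        elif not f.more_fragments:
            verdict[key] = "ok"           # last fragment arrived within bounds
    return verdict


def make_fragments(src, dst, ident, payload_len, mtu=1500):
    """Split a payload into fragments the way any sender would (constructed input)."""
    per_frag = mtu - IPV4_HEADER_LEN      # 1480 bytes, a multiple of 8 as required
    frags, offset = [], 0
    while offset < payload_len:
        size = min(per_frag, payload_len - offset)
        more = offset + size < payload_len
        frags.append(Fragment(src, dst, ident, offset // 8, size, more))
        offset += size
    return frags


def demo():
    """A normal 3,000-byte ping passes; a 66,000-byte one is dropped."""
    normal = make_fragments("198.51.100.7", "192.0.2.10", 1, 3000)
    oversized = make_fragments("198.51.100.7", "192.0.2.10", 2, 66000)
    return inspect_fragments(normal + oversized)


if __name__ == "__main__":
    print(demo())
```

The check needs only one integer per in-flight datagram, which is why it can run before any reassembly memory is committed; a production inspector would additionally time out stale entries and reject overlapping fragments.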

4) Network Attacks Mitigation

1) Reconnaissance - A network security professional can detect when a reconnaissance attack is underway by configuring alarms that are triggered when certain parameters are exceeded, such as the number of ICMP requests per second. A variety of technologies and devices can be used to monitor this type of activity and generate an alarm. Cisco's Adaptive Security Appliance (ASA) provides intrusion prevention in a standalone device. Additionally, the Cisco ISR supports network-based intrusion prevention through the Cisco IOS security image.
Reconnaissance attacks can be mitigated in several ways:
 - Implement authentication to ensure proper access.
 - Use encryption to render packet sniffer attacks useless.
 - Use anti-sniffer tools to detect packet sniffer attacks.
 - Implement a switched infrastructure.
 - Use a firewall and IPS (can limit the information that can be discovered with a port scanner).
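The alarm described above (a threshold on ICMP requests per second, and its port-scan counterpart) as an added example, not code from the course or from Cisco. It works from packet summaries of the form (timestamp, source, destination, protocol, destination port); the records and both thresholds are constructed for the example, and real thresholds are tuned to the baseline of the network being monitored.

```python
# Added example (not from the CCNA course): reconnaissance alarms over packet
# summaries.  Thresholds and traffic are constructed for illustration.
from collections import defaultdict

ICMP_PER_SECOND_LIMIT = 20   # echo requests from one source within one second
DISTINCT_PORTS_LIMIT = 15    # distinct ports on one host from one source per second


def detect_recon(packets):
    """Return alerts as (kind, source, second, count) tuples."""
    icmp_counts = defaultdict(int)        # (src, second) -> echo-request count
    ports_seen = defaultdict(set)         # (src, dst, second) -> {dport}
    for ts, src, dst, proto, dport in packets:
        sec = int(ts)
        if proto == "icmp-echo":
            icmp_counts[(src, sec)] += 1            # ping sweep: many echoes per second
        elif proto in ("tcp-syn", "udp"):
            ports_seen[(src, dst, sec)].add(dport)  # port scan: many ports on one host
    alerts = []
    for (src, sec), n in sorted(icmp_counts.items()):
        if n > ICMP_PER_SECOND_LIMIT:
            alerts.append(("ping-sweep", src, sec, n))
    for (src, dst, sec), ports in sorted(ports_seen.items()):
        if len(ports) > DISTINCT_PORTS_LIMIT:
            alerts.append(("port-scan", src, sec, len(ports)))
    return alerts


def sample_traffic():
    """Constructed packet summaries: normal activity plus one scanning host."""
    pkts = []
    # a workstation pinging its gateway once a second and browsing a web server
    for i in range(5):
        pkts.append((10.0 + i, "10.0.0.5", "10.0.0.1", "icmp-echo", None))
        pkts.append((10.3 + i, "10.0.0.5", "10.0.2.80", "tcp-syn", 443))
    # a ping sweep: echo requests to 50 addresses inside a single second
    for i in range(1, 51):
        pkts.append((100.0 + i / 100, "10.0.0.99", f"10.0.1.{i}", "icmp-echo", None))
    # a port scan: SYNs to 40 ports on one host inside a single second
    for port in range(1, 41):
        pkts.append((101.0 + port / 100, "10.0.0.99", "10.0.1.7", "tcp-syn", port))
    return pkts


if __name__ == "__main__":
    for alert in detect_recon(sample_traffic()):
        print(alert)
```

Bucketing by whole second keeps the state small enough to run on flow exports rather than full captures; the cost is that a slow scan spread over minutes stays under the threshold, which is why the same counters are usually also kept over longer windows.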

2) Access attacks in general can be detected by reviewing logs, bandwidth utilization, and process loads. The network security policy should specify that logs are formally maintained for all network devices and servers. By reviewing logs, network security personnel can determine if an unusual number of failed login attempts have occurred.
Techniques are also available for mitigating access attacks:
 - Strong password security
 - Principle of minimum trust
 - Cryptography
 - Applying operating system and application patches
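The log review mentioned above, as an added example that is not part of the course: it parses login messages written in the style of Cisco IOS SEC_LOGIN syslog messages, counts failed logins per source, and flags sources that exceed a threshold, noting separately when such a source then logs in successfully (the pattern a dictionary attack leaves behind). The log lines, the FAILURE_LIMIT threshold and the addresses are constructed for the example.

```python
# Added example (not from the CCNA course): reviewing device logs for repeated
# failed logins.  Log lines are constructed in the style of IOS SEC_LOGIN messages.
import re

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>FAILED|SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
FAILURE_LIMIT = 5   # constructed threshold; set from the site's password policy


def _ios_login_line(result, user, src, clock):
    """Build one constructed log line in the style of Cisco IOS SEC_LOGIN messages."""
    if result == "FAILED":
        body, reason = "4-LOGIN_FAILED: Login failed", " [Reason: Login Authentication Failed]"
    else:
        body, reason = "5-LOGIN_SUCCESS: Login Success", ""
    return (f"*Mar 14 {clock}.000: %SEC_LOGIN-{body} [user: {user}] [Source: {src}] "
            f"[localport: 22]{reason} at {clock} UTC Mon Mar 14 2011")


# constructed sample: one guessing host and one operator who mistyped once
SAMPLE_LOG = [
    _ios_login_line("FAILED", "admin", "203.0.113.9", "10:01:02"),
    _ios_login_line("FAILED", "admin", "203.0.113.9", "10:01:04"),
    _ios_login_line("FAILED", "cisco", "203.0.113.9", "10:01:06"),
    _ios_login_line("FAILED", "netops", "192.0.2.20", "10:01:07"),
    _ios_login_line("SUCCESS", "netops", "192.0.2.20", "10:01:15"),
    _ios_login_line("FAILED", "cisco", "203.0.113.9", "10:01:08"),
    _ios_login_line("FAILED", "root", "203.0.113.9", "10:01:10"),
    _ios_login_line("FAILED", "admin", "203.0.113.9", "10:01:12"),
    _ios_login_line("SUCCESS", "admin", "203.0.113.9", "10:01:40"),
]


def review_logins(lines):
    """Return {source: {"failures", "users", "succeeded_after_failures"}} for
    every source whose failed-login count reached FAILURE_LIMIT."""
    stats = {}
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue                       # not a login message
        s = stats.setdefault(m["src"], {"failures": 0, "users": set(),
                                        "succeeded_after_failures": False})
        if m["result"] == "FAILED":
            s["failures"] += 1
            s["users"].add(m["user"])
        elif s["failures"] >= FAILURE_LIMIT:
            s["succeeded_after_failures"] = True   # likely guessed password
    return {src: {**s, "users": sorted(s["users"])}
            for src, s in stats.items() if s["failures"] >= FAILURE_LIMIT}


if __name__ == "__main__":
    for src, info in review_logins(SAMPLE_LOG).items():
        print(src, info)
```

A success following a run of failures is the finding that matters most in review: the failures alone say a guessing attempt happened, the success afterwards says it may have worked and that the account's password should be changed.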

3) DoS Attacks - It is usually not difficult to determine whether a DoS attack is occurring. The network security policy should also require this monitoring. A network utilization graph showing unusual activity could indicate a DoS attack.
Mitigating DDoS attacks requires careful diagnostics, planning, and cooperation from ISPs.

DoS Attack Mitigation Techniques include:
- IPS and firewalls (Cisco ASAs and ISRs),
- Antispoofing technologies,
- Quality of Service – traffic policing.

5) Best practices

Defending your network against attack requires constant vigilance and education.
There are 10 best practices that represent the best insurance for your network:
1. Keep patches up-to-date by installing them weekly or daily.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs. (http://en.wikipedia.org/wiki/Code_injection)
6. Perform backups and test the backed up files on a regular basis.
7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
8. Encrypt and password protect sensitive data.
9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, antivirus software, and content filtering.
10. Develop a written security policy for the company.

These methods are only a starting point for sound security management. Organizations must remain vigilant at all times to defend against continually evolving threats.

6) Cisco Network Foundation Protection (NFP)
The Cisco Network Foundation Protection (NFP) framework provides comprehensive guidelines for protecting the network infrastructure. These guidelines form the foundation for continuous delivery of service.

NFP logically divides routers and switches into three functional areas:

1) Control Plane - Responsible for routing data correctly. Control plane traffic consists of device-generated packets required for the operation of the network itself such as ARP message exchanges or OSPF routing advertisements.
Secure the Control Plane using:
- AutoSecure - a one-step device lockdown feature to protect the control plane as well as the management and data planes.
- Routing protocol authentication - prevents a router from accepting fraudulent routing updates
- Control Plane Policing (CoPP) - a Cisco IOS feature that allows users to control the flow of traffic handled by the route processor of a network device (a QoS filter that rate-limits traffic and can log the packets that CoPP or CPPr drop or permit).
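Both the Quality of Service traffic policing listed under DoS mitigation and the Control Plane Policing described here rest on the same mechanism: a token bucket that refills at the configured rate, with packets that conform being transmitted and packets that exceed being dropped. The following is an added example, not Cisco's code, that implements that policer and applies it per traffic class to packets punted to the route processor; the class names, rates, addresses and packet records are constructed for the example.

```python
# Added example (not from the CCNA course or Cisco IOS): a token-bucket policer
# applied per class to packets destined to the router itself.  All values are
# constructed for illustration.
class TokenBucketPolicer:
    """Single-rate policer: rate_pps tokens per second into a bucket of size burst."""

    def __init__(self, rate_pps, burst):
        self.rate = rate_pps
        self.burst = burst
        self.tokens = float(burst)
        self.last_ts = 0.0

    def police(self, ts):
        elapsed = max(0.0, ts - self.last_ts)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "transmit"        # conform-action
        return "drop"                # exceed-action


class ControlPlanePolicy:
    """Classify punted packets and hand each class to its own policer."""

    def __init__(self):
        # (class name, match function, policer or None for an unpoliced class)
        self.classes = [
            ("routing", lambda p: p["proto"] == "ospf", TokenBucketPolicer(50, 50)),
            ("icmp", lambda p: p["proto"] == "icmp", TokenBucketPolicer(10, 10)),
            ("default", lambda p: True, None),
        ]
        self.counters = {name: {"transmit": 0, "drop": 0} for name, _, _ in self.classes}

    def classify(self, pkt):
        for name, match, policer in self.classes:
            if match(pkt):
                return name, policer
        raise RuntimeError("default class matches everything")   # unreachable

    def process(self, packets):
        for pkt in sorted(packets, key=lambda p: p["ts"]):
            name, policer = self.classify(pkt)
            action = policer.police(pkt["ts"]) if policer else "transmit"
            self.counters[name][action] += 1
        return self.counters


def sample_punted_traffic():
    """Constructed packets addressed to the router over a ten-second window."""
    pkts = [{"ts": t, "proto": "ospf", "src": "10.0.0.2"} for t in (0.0, 10.0)]      # hellos
    pkts += [{"ts": t * 0.5, "proto": "icmp", "src": "10.0.0.5"} for t in range(20)]  # monitoring
    pkts += [{"ts": 5.0 + i / 1000, "proto": "icmp", "src": "198.51.100.7"}            # 1,000 pps
             for i in range(1000)]                                                   # ICMP flood
    pkts += [{"ts": t, "proto": "ssh", "src": "10.0.0.9"} for t in (1.0, 2.0)]
    return pkts


def run_copp_example():
    return ControlPlanePolicy().process(sample_punted_traffic())


if __name__ == "__main__":
    for name, counts in run_copp_example().items():
        print(f"{name:8s} transmit={counts['transmit']:4d} drop={counts['drop']:4d}")
```

The routing class keeps all of its packets because it is policed separately, which is the point of classifying before policing. Note the caveat the counters make visible: during the flood second the monitoring host's pings share the ICMP bucket with the attacker and are mostly dropped too; policing protects the route processor, not every legitimate packet in the policed class.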

2) Management Plane - Responsible for managing network elements. Management plane traffic is generated either by network devices or network management stations using processes and protocols such as Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP, syslog, TACACS+, RADIUS, and NetFlow.
Secure the Management plane by:
 - Enabling login and password policy
 - Presenting legal notification
 - Ensuring the confidentiality of data using SSH and HTTPS
 - Enabling role-based access control (RBAC) - restricts user access based on the role of the user
 - Authorizing actions
 - Enabling management access reporting

3) Data Plane (Forwarding Plane) - Responsible for forwarding data. Data plane traffic normally consists of user-generated packets being forwarded between endstations. Most traffic travels through the router, or switch, via the data plane. Data plane packets are typically processed in fast-switching cache.
Secure the Data plane using:
 - ACLs - block unwanted traffic or users, reduce the chance of DoS attacks, mitigate spoofing attacks, provide bandwidth control, and classify traffic to protect the Management and Control planes (ACLs can also be applied on the VTY lines)
 - Antispoofing
 - Layer 2 security including port security, DHCP snooping, dynamic ARP inspection (DAI)
The following are Layer 2 security tools integrated into the Cisco Catalyst switches:
- Port security - Prevents MAC address spoofing and MAC address flooding attacks.
- DHCP snooping - Prevents client attacks on the DHCP server and switch.
- Dynamic ARP Inspection (DAI) - Adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
- IP Source Guard - Prevents spoofing of IP addresses by using the DHCP snooping table.
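The four Layer 2 tools above are only protective where they are actually enabled, so a useful habit is to audit switch configurations for them. The following is an added example, not Cisco's code and not part of the course, that parses a running configuration in standard Catalyst syntax and reports every access port or VLAN on which port security, DHCP snooping, Dynamic ARP Inspection or IP Source Guard is missing, plus any trunk left untrusted for DHCP snooping. The sample configuration, interface names and VLAN numbers are constructed for the example.

```python
# Added example (not from the CCNA course or Cisco): audit a Catalyst running
# configuration for the Layer 2 security tools.  The configuration is constructed.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip verify source
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/24
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
"""


def parse_config(text):
    """Split a configuration into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())      # indented: belongs to interface
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22} (the list syntax IOS accepts)."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def vlans_with(global_cmds, prefix):
    vlans = set()
    for cmd in global_cmds:
        if cmd.startswith(prefix + " "):
            vlans |= expand_vlans(cmd[len(prefix) + 1:])
    return vlans


def audit_layer2(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in global_cmds:
        findings.append("global: ip dhcp snooping is not enabled")
    snooped = vlans_with(global_cmds, "ip dhcp snooping vlan")
    inspected = vlans_with(global_cmds, "ip arp inspection vlan")
    for name, cmds in interfaces.items():
        if "switchport mode trunk" in cmds:
            if "ip dhcp snooping trust" not in cmds:
                findings.append(f"{name}: trunk is untrusted for DHCP snooping "
                                "(server replies arriving here would be dropped)")
            continue
        if "switchport mode access" not in cmds:
            continue
        vlan = next((int(c.split()[-1]) for c in cmds
                     if c.startswith("switchport access vlan ")), 1)
        if vlan not in snooped:
            findings.append(f"{name}: VLAN {vlan} has no DHCP snooping")
        if vlan not in inspected:
            findings.append(f"{name}: VLAN {vlan} has no dynamic ARP inspection")
        if "switchport port-security" not in cmds:
            findings.append(f"{name}: port security is not enabled")
        if "ip verify source" not in cmds:
            findings.append(f"{name}: IP Source Guard is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_layer2(SAMPLE_CONFIG):
        print(finding)
```

On the sample configuration the audit reports only GigabitEthernet0/2: its VLAN 20 lacks DAI and the port itself lacks port security and IP Source Guard, while the trunk is correctly trusted. DAI and IP Source Guard both depend on the DHCP snooping binding table, which is why the audit checks snooping per VLAN before the features that consume it.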