Course Booklet


CCNA
Security
Version 1.0




ciscopress.com
ii CCNA Security Course Booklet, Version 1.0


CCNA Security Course Booklet, Version 1.0
Cisco Networking Academy
Copyright © 2010 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
First Printing August 2009
Library of Congress Cataloging-in-Publication Data is available upon request.
ISBN-13: 978-1-58713-248-3
ISBN-10: 1-58713-248-6

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Cisco Representative: Erik Ullanderson
Cisco Press Program Manager: Anand Sundaram
Executive Editor: Mary Beth Ray
Managing Editor: Patrick Kanouse
Editorial Assistant: Vanessa Evans
Designer: Louisa Adair
Composition: Mark Shirar

Warning and Disclaimer
This book is designed to provide information about networking. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.


Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press
or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affect-
ing the validity of any trademark or service mark.


Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.




Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands



Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the
Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step,
Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers,
Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and
the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)


Contents at a Glance
Course Introduction 1

Chapter 1 Modern Network Security Threats 5

Chapter 2 Securing Network Devices 27

Chapter 3 Authentication, Authorization, and Accounting 63

Chapter 4 Implementing Firewall Technologies 87

Chapter 5 Implementing Intrusion Prevention 131

Chapter 6 Securing the Local Area Network 157

Chapter 7 Cryptographic Systems 193

Chapter 8 Implementing Virtual Private Networks 227

Chapter 9 Managing a Secure Network 263

Glossary 297


Contents
Course Introduction 1

Chapter 1 Modern Network Security Threats 5
Chapter Introduction 5
1.1 Fundamental Principles of a Secure Network 5
1.1.1 Evolution of Network Security 5
1.1.2 Drivers for Network Security 8
1.1.3 Network Security Organizations 9
1.1.4 Domains of Network Security 11
1.1.5 Network Security Policies 12
1.2 Viruses, Worms, and Trojan Horses 13
1.2.1 Viruses 13
1.2.2 Worms 13
1.2.3 Trojan Horses 15
1.2.4 Mitigating Viruses, Worms, and Trojan Horses 15
1.3 Attack Methodologies 17
1.3.1 Reconnaissance Attacks 17
1.3.2 Access Attacks 19
1.3.3 Denial of Service Attacks 20
1.3.4 Mitigating Network Attacks 22
Chapter Summary 25

Chapter 2 Securing Network Devices 27
Chapter Introduction 27
2.1 Securing Device Access 28
2.1.1 Securing the Edge Router 28
2.1.2 Configuring Secure Administrative Access 30
2.1.3 Configuring Enhanced Security for Virtual Logins 33
2.1.4 Configure SSH 35
2.2 Assigning Administrative Roles 38
2.2.1 Configuring Privilege Levels 38
2.2.2 Configuring Role-Based CLI Access 41
2.3 Monitoring and Managing Devices 43
2.3.1 Securing the Cisco IOS Image and Configuration Files 43
2.3.2 Secure Management and Reporting 46
2.3.3 Using Syslog for Network Security 48
2.3.4 Using SNMP for Network Security 50
2.3.5 Using NTP 52


2.4 Using Automated Security Features 54
2.4.1 Performing a Security Audit 54
2.4.2 Locking Down a Router Using AutoSecure 56
2.4.3 Locking Down a Router Using SDM 57
Chapter Summary 60

Chapter 3 Authentication, Authorization, and Accounting 63
Chapter Introduction 63
3.1 Purpose of AAA 63
3.1.1 AAA Overview 63
3.1.2 AAA Characteristics 65
3.2 Local AAA Authentication 66
3.2.1 Configuring Local AAA Authentication with CLI 66
3.2.2 Configuring Local AAA Authentication with SDM 68
3.2.3 Troubleshooting Local AAA Authentication 69
3.3 Server-Based AAA 69
3.3.1 Server-Based AAA Characteristics 69
3.3.2 Server-Based AAA Communication Protocols 69
3.3.3 Cisco Secure ACS 71
3.3.4 Configuring Cisco Secure ACS 73
3.3.5 Configuring Cisco Secure ACS Users and Groups 76
3.4 Server-Based AAA Authentication 77
3.4.1 Configuring Server-Based AAA Authentication with CLI 77
3.4.2 Configuring Server-Based AAA Authentication with SDM 78
3.4.3 Troubleshooting Server-Based AAA Authentication 80
3.5 Server-Based AAA Authorization and Accounting 80
3.5.1 Configuring Server-Based AAA Authorization 80
3.5.2 Configuring Server-Based AAA Accounting 82
Chapter Summary 84

Chapter 4 Implementing Firewall Technologies 87
Chapter Introduction 87
4.1 Access Control Lists 88
4.1.1 Configuring Standard and Extended IP ACLs with CLI 88
4.1.2 Using Standard and Extended IP ACLs 91
4.1.3 Topology and Flow for Access Control Lists 92
4.1.4 Configuring Standard and Extended ACLs with SDM 93
4.1.5 Configuring TCP Established and Reflexive ACLs 95
4.1.6 Configuring Dynamic ACLs 98
4.1.7 Configuring Time-Based ACLs 99
4.1.8 Troubleshooting Complex ACL Implementations 101
4.1.9 Mitigating Attacks with ACLs 102


4.2 Firewall Technologies 103
4.2.1 Securing Networks with Firewalls 103
4.2.2 Types of Firewalls 105
4.2.3 Firewalls in Network Design 107
4.3 Context-Based Access Control 108
4.3.1 CBAC Characteristics 108
4.3.2 CBAC Operation 110
4.3.3 Configuring CBAC 112
4.3.4 Troubleshooting CBAC 116
4.4 Zone-Based Policy Firewall 118
4.4.1 Zone-Based Policy Firewall Characteristics 118
4.4.2 Zone-Based Policy Firewall Operation 120
4.4.3 Configuring a Zone-Based Policy Firewall with CLI 121
4.4.4 Configuring Zone-Based Policy Firewall with Manual SDM 123
4.4.5 Configuring Zone-Based Policy Firewall with SDM Wizard 126
4.4.6 Troubleshooting Zone-Based Policy Firewall 127
Chapter Summary 129

Chapter 5 Implementing Intrusion Prevention 131
Chapter Introduction 131
5.1 IPS Technologies 131
5.1.1 IDS and IPS Characteristics 131
5.1.2 Host-Based IPS Implementations 133
5.1.3 Network-Based IPS Implementations 135
5.2 IPS Signatures 137
5.2.1 IPS Signature Characteristics 137
5.2.2 IPS Signature Alarms 139
5.2.3 Tuning IPS Signature Alarms 142
5.2.4 IPS Signature Actions 143
5.2.5 Managing and Monitoring IPS 145
5.3 Implementing IPS 147
5.3.1 Configuring Cisco IOS IPS with CLI 147
5.3.2 Configuring Cisco IOS IPS with SDM 149
5.3.3 Modifying Cisco IOS IPS Signatures 151
5.4 Verify and Monitor IPS 153
5.4.1 Verifying Cisco IOS IPS 153
5.4.2 Monitoring Cisco IOS IPS 153
Chapter Summary 155


Chapter 6 Securing the Local Area Network 157
Chapter Introduction 157
6.1 Endpoint Security 157
6.1.1 Introducing Endpoint Security 157
6.1.2 Endpoint Security with IronPort 160
6.1.3 Endpoint Security with Network Admission Control 161
6.1.4 Endpoint Security with Cisco Security Agent 163
6.2 Layer 2 Security Considerations 165
6.2.1 Introducing Layer 2 Security 165
6.2.2 MAC Address Spoofing Attacks 165
6.2.3 MAC Address Table Overflow Attacks 166
6.2.4 STP Manipulation Attacks 167
6.2.5 LAN Storm Attack 167
6.2.6 VLAN Attacks 168
6.3 Configuring Layer 2 Security 169
6.3.1 Configuring Port Security 169
6.3.2 Verifying Port Security 171
6.3.3 Configuring BPDU Guard and Root Guard 172
6.3.4 Configuring Storm Control 173
6.3.5 Configuring VLAN Trunk Security 174
6.3.6 Configuring Cisco Switched Port Analyzer 175
6.3.7 Configuring Cisco Remote Switched Port Analyzer 176
6.3.8 Recommended Practices for Layer 2 177
6.4 Wireless, VoIP, and SAN Security 177
6.4.1 Enterprise Advanced Technology Security Considerations 177
6.4.2 Wireless Security Considerations 178
6.4.3 Wireless Security Solutions 179
6.4.4 VoIP Security Considerations 180
6.4.5 VoIP Security Solutions 183
6.4.6 SAN Security Considerations 185
6.4.7 SAN Security Solutions 187
Chapter Summary 190

Chapter 7 Cryptographic Systems 193
Chapter Introduction 193
7.1 Cryptographic Services 193
7.1.1 Securing Communications 193
7.1.2 Cryptography 195
7.1.3 Cryptanalysis 198
7.1.4 Cryptology 199


7.2 Basic Integrity and Authenticity 200
7.2.1 Cryptographic Hashes 200
7.2.2 Integrity with MD5 and SHA-1 201
7.2.3 Authenticity with HMAC 202
7.2.4 Key Management 203
7.3 Confidentiality 205
7.3.1 Encryption 205
7.3.2 Data Encryption Standard 208
7.3.3 3DES 209
7.3.4 Advanced Encryption Standard 210
7.3.5 Alternate Encryption Algorithms 211
7.3.6 Diffie-Hellman Key Exchange 211
7.4 Public Key Cryptography 213
7.4.1 Symmetric Versus Asymmetric Encryption 213
7.4.2 Digital Signatures 214
7.4.3 Rivest, Shamir, and Adleman 217
7.4.4 Public Key Infrastructure 217
7.4.5 PKI Standards 219
7.4.6 Certificate Authorities 221
7.4.7 Digital Certificates and CAs 222
Chapter Summary 225

Chapter 8 Implementing Virtual Private Networks 227
Chapter Introduction 227
8.1 VPNs 227
8.1.1 VPN Overview 227
8.1.2 VPN Topologies 229
8.1.3 VPN Solutions 230
8.2 GRE VPNs 233
8.2.1 Configuring a Site-to-Site GRE Tunnel 233
8.3 IPsec VPN Components and Operation 234
8.3.1 Introducing IPsec 234
8.3.2 IPsec Security Protocols 237
8.3.3 Internet Key Exchange 239
8.4 Implementing Site-to-Site IPsec VPNs with CLI 242
8.4.1 Configuring a Site-to-Site IPsec VPN 242
8.4.2 Task 1 - Configure Compatible ACLs 243
8.4.3 Task 2 - Configure IKE 243
8.4.4 Task 3 - Configure the Transform Sets 244
8.4.5 Task 4 - Configure the Crypto ACLs 245
8.4.6 Task 5 - Apply the Crypto Map 246
8.4.7 Verify and Troubleshoot the IPsec Configuration 248


8.5 Implementing Site-to-Site IPsec VPNs with SDM 248
8.5.1 Configuring IPsec Using SDM 248
8.5.2 VPN Wizard - Quick Setup 249
8.5.3 VPN Wizard - Step-by-Step Setup 250
8.5.4 Verifying, Monitoring, and Troubleshooting VPNs 252
8.6 Implementing Remote-Access VPNs 252
8.6.1 The Changing Corporate Landscape 252
8.6.2 Introducing Remote-Access VPNs 253
8.6.3 SSL VPNs 254
8.6.4 Cisco Easy VPN 256
8.6.5 Configure a VPN Server with SDM 257
8.6.6 Connect with a VPN Client 259
Chapter Summary 260

Chapter 9 Managing a Secure Network 263
Chapter Introduction 263
9.1 Principles of Secure Network Design 264
9.1.1 Ensuring a Network is Secure 264
9.1.2 Threat Identification and Risk Analysis 265
9.1.3 Risk Management and Risk Avoidance 269
9.2 Cisco Self-Defending Network 269
9.2.1 Introducing the Cisco Self-Defending Network 269
9.2.2 Solutions for the Cisco SDN 271
9.2.3 Cisco Integrated Security Portfolio 274
9.3 Operations Security 274
9.3.1 Introducing Operations Security 274
9.3.2 Principles of Operations Security 275
9.4 Network Security Testing 277
9.4.1 Introducing Network Security Testing 277
9.4.2 Network Security Testing Tools 278
9.5 Business Continuity Planning and Disaster Recovery 280
9.5.1 Continuity Planning 280
9.5.2 Disruptions and Backups 280
9.6 System Development Life Cycle 281
9.6.1 Introducing the SDLC 281
9.6.2 Phases of the SDLC 282


9.7 Developing a Comprehensive Security Policy 284
9.7.1 Security Policy Overview 284
9.7.2 Structure of a Security Policy 285
9.7.3 Standards, Guidelines, and Procedures 286
9.7.4 Roles and Responsibilities 287
9.7.5 Security Awareness and Training 288
9.7.6 Laws and Ethics 290
9.7.7 Responding to a Security Breach 292
Chapter Summary 294

Glossary 297


Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italic indicates arguments for which you supply actual values.
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square brackets ([ ]) indicate an optional element.
- Braces ({ }) indicate a required choice.
- Braces within brackets ([{ }]) indicate a required choice within an optional element.



About this Course Booklet
Your Cisco Networking Academy Course Booklet is designed as a study resource you can easily read, highlight, and review on the go, wherever the Internet is not available or practical:
- The text is extracted directly, word-for-word, from the online course so you can highlight important points and take notes in the “Your Chapter Notes” section.
- Headings with the exact page correlations provide a quick reference to the online course for your classroom discussions and exam preparation.
- An icon system directs you to the online curriculum to take full advantage of the images embedded within the Networking Academy online course interface and reminds you to perform the labs and Packet Tracer activities for each chapter.

[Icons: Refer to Lab Activity for this chapter; Refer to Packet Tracer Activity for this chapter]

The Course Booklet is a basic, economical paper-based resource to help you succeed with the Cisco Networking Academy online course.
Course Introduction

0.0 Course Introduction

0.0.1.1 Welcome
Welcome to the CCNA Security course. The goal of this course is to develop a detailed understanding of network security principles as well as the tools and configurations available. These online course materials will assist you in developing the skills necessary to design and support network security.


More than Just Information
This computer-based learning environment is an important part of the overall course experience for students and instructors in the Networking Academies. These online course materials are designed to be used along with several other instructional tools and activities. These include:
- Class presentation, discussion and practice with your teacher
- Hands-on labs that use networking equipment within the Networking Academy classroom
- Online scored assessments and grade book
- Packet Tracer simulation tool


A Global Community
When you participate in the Networking Academies, you are joining a global community linked by common goals and technologies. Schools in over 160 countries participate in the program. You can see an interactive network map of the global Cisco Networking Academy community at http://www.academynetspace.com
The material in this course addresses a range of technologies that facilitate how people work, live, play and learn by communicating with voice, video, and other data. We have worked with instructors around the world to create these materials. It is important that you work with your instructor and fellow students to adapt the material in this course to your local situation.

Keep in Touch
These on-line instructional materials, and the rest of the course tools, are part of the larger Cisco Networking Academy. The portal for the program is located at http://www.cisco.com/web/learning/netacad/index.htm. This portal is where you access tools, informational updates and other relevant links, including the assessment server and student grade book.




Mind Wide Open™
An important goal in education is to enrich you, the student, by expanding what you know and can do. It is important to realize, however, that the instructional materials and the instructor can only facilitate the change. You must make the commitment yourself to learn new skills. Below are a few suggestions to help you learn:
1. Take notes. Professionals in the networking field often keep Engineering Journals in which they write down the things they observe and learn. Taking notes is an important way to help your understanding improve over time.
2. Think about it. The course provides information both to change what you know, and what you can do. As you go through the course, ask yourself what makes sense and what doesn't. Stop and ask questions when you are confused. Try to find out more about topics which interest you. If you are not sure why something is being taught, consider asking your instructor or a friend. Think about how the different parts of the course fit together.
3. Practice. Learning new skills requires practice. We believe this is so important to e-learning that we have a special name for it. We call it e-Doing. It is very important that you complete the activities in the online instructional materials and that you complete the hands-on labs and Packet Tracer activities.
4. Practice again. Have you ever thought you knew how to do something and then, when it was time to show it on a test or at work, you discovered you really hadn't mastered it? Just like learning any new skill, such as a sport, game, or language, learning a professional skill requires patience and repeated practice before you can say you have truly learned it. The on-line instructional materials in this course provide repeated practice for many skills. Take full advantage of them. Work with your instructor to create additional practice opportunities using Packet Tracer and other tools.
5. Teach it. Teaching a friend or colleague is often a good way to improve your own learning. To teach well, you need to work through details you may have overlooked on your first reading. Conversations about the course material with fellow students, colleagues, and the instructor can help solidify your understanding of networking concepts.
6. Make changes as you go. The course is designed to provide feedback through interactive activities and quizzes, the online assessment system, and through interactions with your instructor. You can use this feedback to better understand where your strengths and weaknesses are. If there is an area you are having trouble with, focus on studying or practicing more in that area. Seek feedback from your instructor and other students.


Explore the World of Networking
This version of the course includes a special tool called Packet Tracer. Packet Tracer is a networking learning tool that supports a wide range of physical and logical simulations. It also provides visualization tools to help you to understand the internal workings of a network. The Packet Tracer activities included with the course consist of network simulations, games, activities, and challenges that provide a broad range of learning experiences.

Create your own worlds
You can also use Packet Tracer to create your own experiments and networking scenarios. We hope that, over time, you consider using Packet Tracer, not only for experiencing the activities included with the course, but also to become an author, explorer, and experimenter.


0.0.1.2
More and more, we interact and share ideas using a network built on IP services. With more being done in this environment, security is a constantly growing requirement. Behind the scenes, the architects of secure communications are network security specialists.
We expect the network applications and services we use to be available and secure. And, as the underlying networks become more complex with more services offered, securing these networks becomes a top priority. We rely on network security specialists to ensure our networks can meet our expectations. A well secured network protects our investment in networking technology and provides our organizations with a competitive edge. Career opportunities in network security are growing quickly, as organizations large and small understand the importance of maintaining a secure network.


0.0.1.3
Upon successful completion of this course, you will be able to:
- Describe the security threats facing modern network infrastructures.
- Secure Cisco routers.
- Implement AAA on Cisco routers using local router databases and external servers.
- Mitigate threats to Cisco routers and networks using ACLs.
- Implement secure network management and reporting.
- Mitigate common Layer 2 attacks.
- Implement the Cisco IOS firewall feature set.
- Implement the Cisco IOS IPS feature set.
- Implement site-to-site IPsec VPNs.





Chapter Summary
[Icons: Refer to Packet Tracer Activity for this chapter; Refer to Lab Activity for this chapter]

Your Chapter Notes
CHAPTER 1

Modern Network Security Threats




Chapter Introduction
Network security is now an integral part of computer networking. Network security involves protocols, technologies, devices, tools, and techniques to secure data and mitigate threats. Network security solutions emerged in the 1960s but did not mature into a comprehensive set of solutions for modern networks until the 2000s.
Network security is largely driven by the effort to stay one step ahead of ill-intentioned hackers. Just as medical doctors attempt to prevent new illness while treating existing problems, network security professionals attempt to prevent attacks while minimizing the effects of real-time attacks. Business continuity is another major driver of network security.
Network security organizations have been created to establish formal communities of network security professionals. These organizations set standards, encourage collaboration, and provide workforce development opportunities for security professionals. It is important for network security professionals to be aware of the resources provided by these organizations.
The complexity of network security makes it difficult to master all it encompasses. Different organizations have created domains that subdivide the world of network security into more manageable pieces. This division allows professionals to focus on more precise areas of expertise in their training, research, and employment.
Network security policies are created by companies and government organizations to provide a framework for employees to follow during their day-to-day work. Network security professionals at the management level are responsible for creating and maintaining the network security policy. All network security practices relate to and are guided by the network security policy.
Just as network security is composed of domains of network security, network attacks are classified so that it is easier to learn about them and address them appropriately. Viruses, worms, and Trojan Horses are specific types of network attacks. More generally, network attacks are classified as reconnaissance, access, or Denial of Service attacks.
Mitigating network attacks is the job of a network security professional. In this chapter, the learner masters the underlying theory of network security, which is necessary to understand before beginning an in-depth practice of network security. The methods of network attack mitigation are introduced here, and the implementation of these methods comprises the remainder of this course.
A hands-on lab for the chapter, Researching Network Attacks and Security Audit, guides learners through researching network attacks and security audit tools. The lab is found in the lab manual on Academy Connection at cisco.netacad.net.



1.1 Fundamental Principles of a Secure Network
1.1.1 Evolution of Network Security
In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts. The worm not only disrupted access to the infected servers, but also affected the local networks hosting the servers, making them very slow or unusable. The Code Red worm caused a Denial of Service (DoS) to millions of users.
If the network security professionals responsible for these Code Red-infected servers had developed and implemented a security policy, security patches would have been applied in a timely manner. The Code Red worm would have been stopped and would only merit a footnote in network security history.
Network security relates directly to an organization's business continuity. Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people's privacy (with the potential legal consequences), and compromise the integrity of information. These breaches can result in lost revenue for corporations, theft of intellectual property, and lawsuits, and can even threaten public safety.
Maintaining a secure network ensures the safety of network users and protects commercial interests. To keep a network secure requires vigilance on the part of an organization's network security professionals. Security professionals must constantly be aware of new and evolving threats and attacks to networks, and vulnerabilities of devices and applications. This information is used to adapt, develop and implement mitigation techniques. However, security of the network is ultimately the responsibility of everyone that uses it. For this reason, it is the job of the network security professional to ensure that all users receive security awareness training. Maintaining a secure, protected network provides a more stable, functional work environment for everyone.
“Necessity is the mother of invention.” This saying applies perfectly to network security. In the early days of the Internet, commercial interests were negligible. The vast majority of users were research and development experts. Early users rarely engaged in activities that would harm other users. The Internet was not a secure environment because it did not need to be.
Early on, networking involved connecting people and machines through communications media. The job of a networker was to get devices connected to improve people's ability to communicate information and ideas. The early users of the Internet did not spend much time thinking about whether or not their online activities presented a threat to the network or to their own data.
When the first viruses were unleashed and the first DoS attack occurred, the world began to change for networking professionals. To meet the needs of users, network professionals learned techniques to secure networks. The primary focus of many network professionals evolved from designing, building, and growing networks to securing existing networks.
Today, the Internet is a very different network compared to its beginnings in the 1960s. The job of a network professional includes ensuring that appropriate personnel are well versed in network security tools, processes, techniques, protocols, and technologies. It is critical that network security professionals maintain a healthy paranoia to manage the constantly evolving collection of threats to networks.
As network security became an integral part of everyday operations, devices dedicated to particular network security functions emerged.
One of the first network security tools was the intrusion detection system (IDS), first developed by SRI International in 1984. An IDS provides real-time detection of certain types of attacks while they are in progress. This detection allows network professionals to more quickly mitigate the negative impact of these attacks on network devices and users. In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution. IPS devices enable the detection of malicious activity and have the ability to automatically block the attack in real-time.
In addition to IDS and IPS solutions, firewalls were developed to prevent undesirable traffic from entering prescribed areas within a network, thereby providing perimeter security. In 1988, Digital Equipment Corporation (DEC) created the first network firewall in the form of a packet filter. These early firewalls inspected packets to see if they matched sets of predefined rules, with the option of forwarding or dropping the packets accordingly. Packet filtering firewalls inspect each packet in isolation without examining whether a packet is part of an existing connection. In 1989, AT&T Bell Laboratories developed the first stateful firewall. Like packet filtering firewalls, stateful firewalls use predefined rules for permitting or denying traffic. Unlike packet filtering firewalls, stateful firewalls keep track of established connections and determine if a packet belongs to an existing flow of data, providing greater security and more rapid processing.
The original firewalls were software features added to existing networking devices, such as routers. Over time, several companies developed standalone, or dedicated, firewalls that enable routers and switches to offload the memory and processor intensive activity of filtering packets. For organizations that do not require a dedicated firewall, modern routers, like the Cisco Integrated Services Router (ISR), can be used as sophisticated stateful firewalls.
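The contrast drawn above between a packet filter and a stateful firewall, as an added example written for this edit and not taken from the course: a small Python model of both, run over the same constructed three-packet trace. The address plan (10.0.0.0/24 inside, 203.0.113.0/24 outside), the ports, and the rule set are assumptions made for the demonstration.

```python
# Added example (not from the course): a stateless packet filter and a
# stateful firewall judged against the same constructed packet trace.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed address plan for the demo: 10.0.0.0/24 is the protected LAN,
# 203.0.113.0/24 (TEST-NET-3) stands in for "the Internet".
INSIDE_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag set
    ack: bool = False  # TCP ACK flag set


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


Rule = Tuple[str, Callable[[Packet], bool], str]  # (name, match, action)


class PacketFilter:
    """1988-style packet filter: every packet is matched against predefined
    rules on its own header fields, with no memory of earlier packets."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for _name, match, action in self.rules:
            if match(pkt):
                return action
        return "drop"  # implicit deny at the end of the rule list


class StatefulFirewall:
    """Stateful firewall: remembers connections opened from the inside and
    admits an inbound packet only if it is the reply half of such a flow.
    (Teaching model: no timeouts and no full TCP state machine.)"""

    def __init__(self) -> None:
        self.flows: set = set()  # 5-tuples of connections initiated from inside

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            # Outbound: a TCP SYN (or any non-TCP packet) opens a tracked flow.
            opens = pkt.proto != "tcp" or (pkt.syn and not pkt.ack)
            if opens:
                self.flows.add(forward)
            return "permit" if forward in self.flows else "drop"
        # Inbound: permitted only as the reverse direction of a tracked flow.
        return "permit" if reverse in self.flows else "drop"


# Constructed trace: one legitimate web connection plus one unsolicited packet.
TRACE: List[Packet] = [
    # 1. inside client opens a connection to an outside web server
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
    # 2. the server's SYN/ACK reply to that connection
    Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),
    # 3. an inbound packet nobody inside asked for; it merely carries source
    #    port 80 and the ACK flag, and is aimed at a different inside host
    Packet("tcp", "203.0.113.77", 80, "10.0.0.9", 445, ack=True),
]

# Stateless rule set that lets inside hosts browse the web. The reply rule
# has to be this broad: without connection memory the filter cannot tell a
# genuine reply from any other packet that carries the same header fields.
STATELESS_RULES: List[Rule] = [
    ("outbound-web", lambda p: is_inside(p.src) and p.dport == 80, "permit"),
    ("web-replies", lambda p: is_inside(p.dst) and p.sport == 80 and p.ack, "permit"),
]


def run_trace(firewall, packets: List[Packet]) -> List[str]:
    """Return the firewall's verdict for each packet, in order."""
    return [firewall.decide(p) for p in packets]


def compare() -> Dict[str, List[str]]:
    """Verdicts of both firewall models over the same trace."""
    return {
        "stateless": run_trace(PacketFilter(STATELESS_RULES), TRACE),
        "stateful": run_trace(StatefulFirewall(), TRACE),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:9s} {verdicts}")
```

The stateless filter admits packet 3 because its reply rule can only look at header fields, while the stateful firewall drops it because no inside host opened that connection.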
In addition to dealing with threats from outside of the network, network professionals must also be prepared for threats from inside the network. Internal threats, whether intentional or accidental, can cause even greater damage than external threats because of direct access to and knowledge of the corporate network and data. Despite this fact, it has taken more than 20 years after the introduction of tools and techniques for mitigating external threats to develop mitigation tools and techniques for internal threats.
A common scenario for a threat originating from inside the network is a disgruntled employee with some technical skills and a willingness to do harm. Most threats from within the network leverage the protocols and technologies used on the local area network (LAN) or the switched infrastructure. These internal threats basically fall into two categories: spoofing and DoS.
Spoofing attacks are attacks in which one device attempts to pose as another by falsifying data.
For example, MAC address spoofing occurs when one computer accepts data packets based on the
MAC address of another computer. There are other types of spoofing attacks as well.
DoS attacks make computer resources unavailable to intended users. Attackers use various methods to launch DoS attacks.
As a network security professional, it is important to understand the methods designed specifically
for targeting these types of threats and ensuring the security of the LAN.
In addition to preventing and denying malicious traffic, network security also requires that data stay protected. Cryptography, the study and practice of hiding information, is used pervasively in modern network security. Today, each type of network communication has a corresponding protocol or technology designed to hide that communication from anyone other than the intended user. Wireless data can be encrypted (hidden) using various cryptography applications. The conversation between two IP phone users can be encrypted. The files on a computer can also be hidden with encryption. These are just a few examples. Cryptography can be used almost anywhere that there is data communication. In fact, the trend is toward all communication being encrypted.
Cryptography ensures data confidentiality, which is one of the three components of information security: confidentiality, integrity, and availability. Information security deals with protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Encryption provides confidentiality by hiding plaintext data. Data integrity, meaning that the data is preserved unaltered during any operation, is achieved by the use of hashing mechanisms. Availability, which is data accessibility, is guaranteed by network hardening mechanisms and backup systems.

1.1.2 Drivers for Network Security
The word hackers has a variety of meanings. For many, it means Internet programmers who try to
gain unauthorized access to devices on the Internet. It is also used to refer to individuals that run
programs to prevent or slow network access to a large number of users, or corrupt or wipe out data
on servers. But for some, the term hacker has a positive interpretation as a network professional
that uses sophisticated Internet programming skills to ensure that networks are not vulnerable to
attack. Good or bad, hacking is a driving force in network security.
From a business perspective, it is important to minimize the effects of hackers with bad intentions. Businesses lose productivity when the network is slow or unresponsive. Business profits are impacted by data loss and data corruption.
The job of a network security professional is to stay one step ahead of the hackers by attending training and workshops, participating in security organizations, subscribing to real-time feeds regarding threats, and perusing security websites on a daily basis. The network security professional must also have access to state-of-the-art security tools, protocols, techniques, and technologies.
Network security professionals should have many of the same traits as law enforcement professionals. They should always remain aware of malicious activities and have the skills and tools to minimize or eliminate the threats associated with those activities.
Hacking has the unintended effect of putting network security professionals at the top when it comes to employability and compensation. However, relative to other technology professions, network security has the steepest learning curve and the greatest demand for engaging in constant professional development.
Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems. Phreaking began when AT&T introduced automatic switches to their phone systems. The AT&T phone switches used various tones, or tone dialing, to indicate different functions, such as call termination and call dialing. A few AT&T customers realized that by mimicking a tone using a whistle, they could exploit the phone switches to make free long-distance calls.
As communication systems evolved, so did hacking methods. Wardialing became popular in the
1980s with the use of computer modems. Wardialing programs automatically scanned telephone
numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax
machines. When a phone number was found, password-cracking programs were used to gain access.
Wardriving began in the 1990s and is still popular today. With wardriving, users gain unauthorized access to networks via wireless access points. This is accomplished using a vehicle and a wireless-enabled portable computer or PDA. Password-cracking programs are used to authenticate, if necessary, and there is even software to crack the encryption scheme required to associate to the access point.
A number of other threats have evolved since the 1960s, including network scanning tools such as
Nmap and SATAN, as well as remote system administration hacking tools such as Back Orifice.
Network security professionals must be familiar with all of these tools.
Trillions of dollars are transacted over the Internet on a daily basis, and the livelihoods of millions
depend on Internet commerce. For this reason, criminal laws are in place to protect individual and
corporate assets. There are numerous cases of individuals who have had to face the court system
due to these laws.
The first email virus, the Melissa virus, was written by David Smith of Aberdeen, New Jersey. This
virus resulted in memory overflows in Internet mail servers. David Smith was sentenced to 20
months in federal prison and a US$5,000 fine.
Robert Morris created the first Internet worm with 99 lines of code. When the Morris Worm was
released, 10% of Internet systems were brought to a halt. Robert Morris was charged and received
three years probation, 400 hours of community service, and a fine of US$10,000.
One of the most notorious Internet hackers, Kevin Mitnick, was incarcerated for four years for
hacking credit card accounts in the early 1990s.
Whether the attack is via spam, a virus, DoS, or simply breaking into accounts, when the creativity
of hackers is used for malicious purposes, they often end up going to jail, paying large fines, and
losing access to the very environment in which they thrive.
As a result of hacker exploits, the sophistication of hacker tools, and government legislation, network security solutions developed rapidly in the 1990s. By the late 1990s, many sophisticated network security solutions had been developed for organizations to strategically deploy within their networks. With these solutions came new job opportunities and increased compensation in the field of network security.
The annual income for a network security professional is on the high end of the scale for careers in technology because of the depth and breadth of knowledge required. Network security professionals must constantly upgrade their skill set to keep abreast of the latest threats. The challenge of gaining and maintaining the necessary knowledge often translates into a shortage of network security professionals.
Network security professionals are responsible for maintaining data assurance for an organization and ensuring the integrity and confidentiality of information. A network security professional might be responsible for setting up firewalls and intrusion prevention systems as well as ensuring encryption of company data. Implementing enterprise authentication schemes is another important task. The job entails maintaining detailed logs of suspicious activity on the network to use for reprimanding or prosecuting violators. As a network security professional, it is also important to maintain familiarity with network security organizations. These organizations often have the latest information on threats and vulnerabilities.



1.1.3 Network Security Organizations
Network security professionals must collaborate with professional colleagues more frequently than
most other professions. This includes attending workshops and conferences that are often affiliated
with, sponsored or organized by local, national, or international technology organizations.
Three of the more well-established network security organizations are:

- SysAdmin, Audit, Network, Security (SANS) Institute
- Computer Emergency Response Team (CERT)
- International Information Systems Security Certification Consortium (pronounce (ISC)2 as “I-S-C-squared”)

A number of other network security organizations are also important to network security professionals. InfoSysSec is a network security organization that hosts a security news portal, providing the latest breaking news pertaining to alerts, exploits, and vulnerabilities. The Mitre Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations. FIRST is a security organization that brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention and rapid reaction. Finally, the Center for Internet Security (CIS) is a non-profit enterprise that develops security configuration benchmarks through a global consensus to reduce the risk of business and e-commerce disruptions.
SANS was established in 1989 as a cooperative research and education organization. The focus of
SANS is information security training and certification. SANS develops research documents about
various aspects of information security.
A range of individuals, from auditors and network administrators to chief information security officers, share learned lessons and solutions to various challenges. At the heart of SANS are security practitioners in varied global organizations, from corporations to universities, working together to help the entire information security community.
SANS resources are largely free upon request. This includes the popular Internet Storm Center, the Internet's early warning system; NewsBites, the weekly news digest; @RISK, the weekly vulnerability digest; flash security alerts; and more than 1,200 award-winning, original research papers.
SANS develops security courses that can be taken to prepare for Global Information Assurance Certification (GIAC) in auditing, management, operations, legal issues, security administration, and software security. GIAC validates the skills of security professionals, ranging from entry-level information security to advanced subject areas like auditing, intrusion detection, incident handling, firewalls and perimeter protection, data forensics, hacker techniques, Windows and UNIX operating system security, and secure software and application coding.
CERT is part of the U.S. federally funded Software Engineering Institute (SEI) at Carnegie Mellon
University. CERT is chartered to work with the Internet community in detecting and resolving
computer security incidents. The Morris Worm motivated the formation of CERT at the directive
of the Defense Advanced Research Projects Agency (DARPA). The CERT Coordination Center
(CERT/CC) focuses on coordinating communication among experts during security emergencies
to help prevent future incidents.
CERT responds to major security incidents and analyzes product vulnerabilities. CERT works to manage changes relating to progressive intruder techniques and to the difficulty of detecting attacks and catching attackers. CERT develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of services.
CERT focuses on five areas: software assurance, secure systems, organizational security, coordinated response, and education and training.
CERT disseminates information by publishing articles, research and technical reports, and papers on a variety of security topics. CERT works with the news media to raise awareness of the risks on the Internet and the steps that users can take to protect themselves. CERT works with other major technology organizations, such as FIRST and IETF, to increase the commitment to security and survivability. CERT also advises U.S. government organizations, such as the National Threat Assessment Center, the National Security Council, and the Homeland Security Council.
(ISC)2 provides vendor-neutral education products and career services in more than 135 countries.
Its membership includes 60,000 certified industry professionals worldwide.
The mission of (ISC)2 is to make the cyber world a safe place through elevating information security to the public domain and supporting and developing information security professionals around the world.
(ISC)2 develops and maintains the (ISC)2 Common Body of Knowledge (CBK). The CBK defines global industry standards, serving as a common framework of terms and principles that (ISC)2 credentials are based upon. The CBK allows professionals worldwide to discuss, debate, and resolve matters pertaining to the field.
Most notably, (ISC)2 is universally recognized for its four information security certifications, including one of the most popular certifications in the network security profession, the Certified Information Systems Security Professional (CISSP). These credentials help to ensure that employers, with certified employees, maintain the safety of information assets and infrastructures.
(ISC)2 promotes expertise in handling security threats through its education and certification programs. As a member, individuals have access to current industry information and networking opportunities unique to its network of certified information security professionals.
In addition to the websites of the various security organizations, one of the most useful tools for
the network security professional is Really Simple Syndication (RSS) feeds.
RSS is a family of XML-based formats used to publish frequently updated information, such as blog entries, news headlines, audio, and video. RSS uses a standardized format. An RSS feed includes complete or summarized text, plus metadata, such as publishing dates and authorships.
RSS benefits professionals who want to subscribe to timely updates from favored websites or to aggregate feeds from many sites into one place. RSS feeds can be read using a web-based RSS reader, typically built into a web browser. The RSS reader software checks the user's subscribed feeds regularly for new updates and provides an interface to monitor and read the feeds. By using RSS, a network security professional can acquire up-to-date information on a daily basis and aggregate real-time threat information for review at any time.
For example, the US-CERT Current Activity web page is a regularly updated summary of the most
frequent, high-impact types of security incidents being reported to the US-CERT. A text-only RSS
feed is available at http://www.us-cert.gov/current/index.rdf. This feed reports at all hours of the
day and night, with information regarding security advisories, email scams, backup vulnerabilities,
malware spreading via social network sites, and other potential threats.


1.1.4 Domains of Network Security
It is vital for a network security professional to understand the drivers for network security and be familiar with the organizations dedicated to network security. It is also important to have an understanding of the various network security domains. Domains provide an organized framework to facilitate learning about network security.
There are 12 network security domains specified by the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC). Described by ISO/IEC 27002, these 12 domains serve to organize at a high level the vast realm of information under the umbrella of network security. These domains have some significant parallels with domains defined by the CISSP certification.
The 12 domains are intended to serve as a common basis for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.
The 12 domains of network security provide a convenient separation for the elements of network
security. While it is not important to memorize these 12 domains, it is important to be aware of
their existence and formal declaration by the ISO. They serve as a useful reference going forward
in your work as a network security professional.
One of the most important domains is security policy. A security policy is a formal statement of the
rules by which people must abide who are given access to the technology and information assets of
an organization. The concept, development, and application of a security policy play a significant
role in keeping an organization secure. It is the responsibility of a network security professional to
weave the security policy into all aspects of business operations within an organization.

1.1.5 Network Security Policies
The network security policy is a broad, end-to-end document designed to be clearly applicable to an organization's operations. The policy is used to aid in network design, convey security principles, and facilitate network deployments.
The network security policy outlines rules for network access, determines how policies are enforced, and describes the basic architecture of the organization's network security environment. The document is generally several pages. Because of its breadth of coverage and impact, it is usually compiled by a committee. It is a complex document meant to govern items such as data access, web browsing, password usage, encryption, and email attachments.
A security policy should keep ill-intentioned users out and have control over potentially risky
users. When a policy is created, it must be understood first what services are available to which
users. The network security policy establishes a hierarchy of access permissions, giving employees
only the minimal access necessary to perform their work.
The network security policy outlines what assets need to be protected and gives guidance on how they should be protected. This is then used to determine the security devices and mitigation strategies and procedures that should be implemented on the network.
A Cisco Self-Defending Network (SDN) uses the network to identify, prevent, and adapt to threats. Unlike point-solution strategies, where products are purchased individually without consideration for which products work best together, a network-based approach is a strategic approach that meets the current challenges and evolves to address new security needs.
A Cisco SDN begins with a strong, secure, flexible network platform from which a security solution is built. A Cisco SDN topology includes Cisco Security Manager, a Monitoring, Analysis, and Response System (MARS), one or more IPSs, one or more firewalls, several routers, and VPN concentrators. Some of these might appear as blades in a Catalyst 6500 switch or as modules in an Integrated Services Router (ISR), perhaps even as software installed on servers or as standalone devices.
The Cisco Integrated Security Portfolio is designed to meet the requirements and diverse deployment models of any network and any environment. Many products are available to meet these needs.
Most customers do not adopt all the components of the Cisco SDN at one time. For this reason, the
Cisco SDN provides products that can be deployed independently and solutions that can link these
products together as confidence builds in each product and subsystem.
Elements of a Cisco SDN approach can be integrated into a network security policy. Leveraging the Cisco SDN approach when creating and amending the security policy can help give the document a hierarchical structure.
While the security policy should be comprehensive, it should also be succinct enough to be usable
by the technology practitioners in the organization.
One of the most important steps in creating a policy is identifying critical assets. These can include databases, vital applications, customer and employee information, classified commercial information, shared drives, email servers, and web servers.
A security policy is a set of objectives for the company, rules of behavior for users and administrators, and requirements for system and management that collectively ensure the security of network and computer systems in an organization. A security policy is a “living document,” meaning that the document is never finished and is continuously updated as technology, business, and employee requirements change.
For example, an organization's employee laptops will be subject to various types of attacks, such as email viruses. A network security policy explicitly defines how frequently virus software updates and virus definition updates must be installed. Additionally, the network security policy includes guidelines for what users can and cannot do. This is normally stipulated as a formal acceptable use policy (AUP). The AUP must be as explicit as possible to avoid ambiguity or misunderstanding. For example, an AUP might list the Usenet newsgroups that are prohibited.
A network security policy drives all the steps to be taken to secure network resources. As you move through this course, the security policy will be revisited to ensure that you understand its integral nature in a well-run organization.



1.2 Viruses, Worms, and Trojan Horses
1.2.1 Viruses
The primary vulnerabilities for end-user computers are virus, worm, and Trojan Horse attacks:

- A virus is malicious software which attaches to another program to execute a specific unwanted function on a computer.
- A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.
- A Trojan Horse is an application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within.

Traditionally, the term virus refers to an infectious organism that requires a host cell to grow and
replicate. A University of Southern California student named Frederick Cohen suggested the term
“computer virus” in 1983. A computer virus, referred to as a virus in the rest of this course, is a
program that can copy itself and infect a computer without the knowledge of the user.
A virus is malicious code that is attached to legitimate programs or executable files. Most viruses require end-user activation and can lie dormant for an extended period and then activate at a specific time or date. A simple virus may install itself at the first line of code on an executable file. When activated, the virus might check the disk for other executables, so that it can infect all the files it has not yet infected. Viruses can be harmless, such as those that display a picture on the screen, or they can be destructive, such as those that modify or delete files on the hard drive. Viruses can also be programmed to mutate to avoid detection.
In the past, viruses were usually spread via floppy disks and computer modems. Today, most
viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email. Email viruses
are now the most common type of virus.


1.2.2 Worms
Worms are a particularly dangerous type of hostile code. They replicate themselves by independently exploiting vulnerabilities in networks. Worms usually slow down networks.
Whereas a virus requires a host program to run, worms can run by themselves. They do not require
user participation and can spread extremely fast over the network.
Worms are responsible for some of the most devastating attacks on the Internet. For example, the SQL Slammer Worm of January 2003 slowed down global Internet traffic as a result of Denial of Service. Over 250,000 hosts were affected within 30 minutes of its release. The worm exploited a buffer overflow bug in Microsoft's SQL Server. A patch for this vulnerability was released in mid-2002, so the servers that were affected were those that did not have the update patch applied. This is a great example of why it is so important for the security policy of an organization to require timely updates and patches for operating systems and applications.
Despite the mitigation techniques that have emerged over the years, worms have continued to evolve with the Internet and still pose a threat. While worms have become more sophisticated over time, they still tend to be based on exploiting weaknesses in software applications. Most worm attacks have three major components:

- Enabling vulnerability - A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system.
- Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.
- Payload - Any malicious code that results in some action. Most often this is used to create a backdoor to the infected host.

Worms are self-contained programs that attack a system to exploit a known vulnerability. Upon successful exploitation, the worm copies itself from the attacking host to the newly exploited system and the cycle begins again.
When exploring the major worm and virus attacks over the past 20 years, it is noticeable that the
various phases of attack methods employed by hackers are often quite similar. There are five basic
phases of attack, regardless of whether a worm or virus is deployed.

- Probe phase - Vulnerable targets are identified. The goal is to find computers that can be subverted. Internet Control Message Protocol (ICMP) ping scans are used to map networks. Then the application scans and identifies operating systems and vulnerable software. Hackers can obtain passwords using social engineering, dictionary attack, brute-force attack, or network sniffing.
- Penetrate phase - Exploit code is transferred to the vulnerable target. The goal is to get the target to execute the exploit code through an attack vector, such as a buffer overflow, ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an email virus.
- Persist phase - After the attack is successfully launched in the memory, the code tries to persist on the target system. The goal is to ensure that the attacker code is running and available to the attacker even if the system reboots. This is achieved by modifying system files, making registry changes, and installing new code.
- Propagate phase - The attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines. Propagation vectors include emailing copies of the attack to other systems, uploading files to other systems using file shares or FTP services, active web connections, and file transfers through Internet Relay Chat (IRC).
- Paralyze phase - Actual damage is done to the system. Files can be erased, systems can crash, information can be stolen, and distributed DoS (DDoS) attacks can be launched.

The five basic phases of attack allow security experts to conveniently describe worms and viruses
according to their particular implementation mechanism for each phase. This makes it easier to
categorize worms and viruses.
Viruses and worms are two methods of attack. Another method is the Trojan Horse, which leverages viruses or worms with the added element of masquerading as a benign program.
1.2.3 Trojan Horses
The term Trojan Horse originated from Greek mythology. Greek warriors offered the people of
Troy (Trojans) a giant hollow horse as a gift. The Trojans brought the giant horse into their walled
city, unaware that it contained many Greek warriors. At night, after most Trojans were asleep, the
warriors burst out of the horse and overtook the city.
A Trojan Horse in the world of computing is malware that carries out malicious operations under the guise of a desired function. A virus or worm could carry a Trojan Horse. A Trojan Horse contains hidden, malicious code that exploits the privileges of the user that runs it. Games can often have a Trojan Horse attached to them. When running the game, the game works, but in the background, the Trojan Horse has been installed on the user's system and continues running after the game has been closed.
The Trojan Horse concept is flexible. It can cause immediate damage, provide remote access to the
system (a back door), or perform actions as instructed remotely, such as “send me the password
file once per week.”
Custom-written Trojan Horses, such as Trojan Horses with a specific target, are difficult to detect.
Trojan Horses are usually classified according to the damage that they cause or the manner in which they breach a system:

- Remote-access Trojan Horse (enables unauthorized remote access)
- Data sending Trojan Horse (provides the attacker with sensitive data such as passwords)
- Destructive Trojan Horse (corrupts or deletes files)
- Proxy Trojan Horse (user's computer functions as a proxy server)
- FTP Trojan Horse (opens port 21)
- Security software disabler Trojan Horse (stops anti-virus programs or firewalls from functioning)
- Denial of Service Trojan Horse (slows or halts network activity)




1.2.4 Mitigating Viruses, Worms, and Trojan Horses
A majority of the software vulnerabilities that are discovered relate to buffer overflows. A buffer is an allocated area of memory used by processes to store data temporarily. A buffer overflow occurs when a fixed-length buffer reaches its capacity and a process attempts to store data above and beyond that maximum limit. This can result in extra data overwriting adjacent memory locations as well as cause other unexpected behavior. Buffer overflows are usually the primary conduit through which viruses, worms, and Trojan Horses do their damage. In fact, there are reports that suggest that one-third of the software vulnerabilities identified by CERT relate to buffer overflows.
Viruses and Trojan Horses tend to take advantage of local root buffer overflows. A root buffer overflow is a buffer overflow intended to attain root privileges to a system. Local root buffer overflows require the end user or system to take some type of action. A local root buffer overflow is typically initiated by a user opening an email attachment, visiting a website, or exchanging a file via instant messaging.
Worms such as SQL Slammer and Code Red exploit remote root buffer overflows. Remote root buffer overflows are similar to local root buffer overflows, except that local end user or system intervention is not required.
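The fixed-length buffer problem described above, as an added example that is not course code: an unbounded copy into a 16-byte field beside a length-checked version that refuses input the field cannot hold (NAME_LEN, the account record and the helper names are constructed for this illustration).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not course code. NAME_LEN and struct account are
 * constructed: a 16-byte name field, 15 characters plus the terminating NUL. */
#define NAME_LEN 16

/* Vulnerable pattern: strcpy stops only at the source's NUL, so a longer
 * string writes past the end of dst into whatever memory follows it. Kept
 * here only to show the shape of the defect; never use it on untrusted input. */
void store_name_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Length of s, but never scanning more than max bytes, so an unterminated
 * source cannot cause an over-read either. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened version: measure first, then fail closed if the input does not
 * fit. Returns true when the name was stored, false when it was rejected. */
bool store_name_checked(char dst[NAME_LEN], const char *src)
{
    size_t n = bounded_len(src, NAME_LEN);
    if (n == NAME_LEN) {
        dst[0] = '\0';          /* leave a valid empty string, no partial write */
        return false;           /* 16 or more characters: no room for the NUL */
    }
    memcpy(dst, src, n + 1);    /* n + 1 <= NAME_LEN, terminator included */
    return true;
}

/* A record layout that makes the "adjacent memory" point concrete: the
 * privilege flag sits directly after the name field, so an overflow of
 * name[] would land on is_admin. The checked store cannot reach it. */
struct account {
    char name[NAME_LEN];
    int  is_admin;
};

bool account_set_name(struct account *a, const char *src)
{
    return store_name_checked(a->name, src);
}
```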
Viruses, worms, and Trojan horses can cause serious problems on networks and end systems. Network administrators have several means of mitigating these attacks. Note that mitigation techniques are often referred to in the security community as countermeasures.
The primary means of mitigating virus and Trojan horse attacks is anti-virus software. Anti-virus
software helps prevent hosts from getting infected and spreading malicious code. It requires much
more time to clean up infected computers than it does to maintain up-to-date anti-virus software
and anti-virus definitions on the same machines.
Anti-virus software is the most widely deployed security product on the market today. Several
companies that create anti-virus software, such as Symantec, Computer Associates, McAfee, and
Trend Micro, have been in the business of detecting and eliminating viruses for more than a
decade. Many corporations and educational institutions purchase volume licensing for their users.
The users are able to log in to a website with their account and download the anti-virus software
on their desktops, laptops, or servers.
Anti-virus products have update automation options so that new virus definitions and new software updates can be downloaded automatically or on demand. This practice is the most critical requirement for keeping a network free of viruses and should be formalized in a network security policy.
Anti-virus products are host-based. These products are installed on computers and servers to detect and eliminate viruses. However, they do not prevent viruses from entering the network, so a network security professional needs to be aware of the major viruses and keep track of security updates regarding emerging viruses.
Worms are more network-based than viruses. Worm mitigation requires diligence and coordination
on the part of network security professionals. The response to a worm infection can be broken
down into four phases: containment, inoculation, quarantine, and treatment.
The containment phase involves limiting the spread of a worm infection to areas of the network that are already affected. This requires compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems. Containment requires using both outgoing and incoming ACLs on routers and firewalls at control points within the network.
The inoculation phase runs parallel to or subsequent to the containment phase. During the inoculation phase, all uninfected systems are patched with the appropriate vendor patch for the vulnerability. The inoculation process further deprives the worm of any available targets. A network scanner can help identify potentially vulnerable hosts. The mobile environment prevalent on modern networks poses significant challenges. Laptops are routinely taken out of the secure network environment and connected to potentially unsecure environments, such as home networks. Without proper patching of the system, a laptop can be infected with a worm or virus and then bring it back into the secure environment of the organization's network where it can infect other systems.
The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. This isolates these systems appropriately for the treatment phase.
During the treatment phase, actively infected systems are disinfected of the worm. This can involve terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system. In more severe cases, it can require completely reinstalling the system to ensure that the worm and its byproducts are removed.
In the case of the SQL Slammer worm, malicious traffic was detected on UDP port 1434. This port should normally be blocked by a firewall on the perimeter. However, most infections enter by way of back doors and do not pass through the firewall; therefore, to prevent the spreading of this worm it would be necessary to block this port on all devices throughout the internal network.
In some cases, the port on which the worm is spreading might be critical to business operation. For
example, when SQL Slammer was propagating, some organizations could not block UDP port
1434 because it was required to access the SQL Server for legitimate business transactions. In such
a situation, alternatives must be considered.
If the network devices using the service on the affected port are known, permitting selective access is an option. For example, if only a small number of clients are using SQL Server, one option is to open UDP port 1434 to critical devices only. Selective access is not guaranteed to solve the problem, but it certainly lowers the probability of infection.
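The selective-access option just described, together with the ACL-based containment mentioned under the containment phase, as an added example that is not the booklet's own configuration: a small Python model of an ordered, first-match access list that permits UDP 1434 from a few critical clients to the SQL Server, denies that port for everyone else, and leaves all other traffic alone. The addresses and the ACL name are constructed; the rendering uses the standard IOS extended-ACL keywords (host, any, eq) so the same policy can be read as router configuration.

```python
from ipaddress import ip_address, ip_network

SQL_SLAMMER_PORT = 1434   # the UDP port named on the page

# Constructed addresses: the few clients that need SQL Server, and the server itself
CRITICAL_CLIENTS = [ip_network("10.1.10.5/32"), ip_network("10.1.10.6/32")]
SQL_SERVER = ip_network("10.1.20.10/32")

# Rule tuples: (action, protocol, src, dst, dst_port); None means "any".
# Evaluated top-down, first match wins; no match falls through to the implicit deny.
SELECTIVE_ACL = (
    [("permit", "udp", c, SQL_SERVER, SQL_SLAMMER_PORT) for c in CRITICAL_CLIENTS]
    + [("deny", "udp", None, None, SQL_SLAMMER_PORT)]   # the worm's port, everyone else
    + [("permit", "ip", None, None, None)]              # legitimate traffic unaffected
)


def evaluate(acl, proto: str, src: str, dst: str, dst_port=None) -> str:
    """Return 'permit' or 'deny' for one packet, the way a router walks an extended ACL."""
    s, d = ip_address(src), ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto != "ip" and r_proto != proto:
            continue
        if r_src is not None and s not in r_src:
            continue
        if r_dst is not None and d not in r_dst:
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "deny"   # implicit deny at the end of every ACL


def _addr(net) -> str:
    """Render a match the way IOS writes it: 'any', 'host x', or 'network wildcard'."""
    if net is None:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def to_ios(acl, name: str) -> list:
    """Render the model as the lines of an IOS named extended ACL."""
    lines = [f"ip access-list extended {name}"]
    for action, proto, src, dst, port in acl:
        line = f" {action} {proto} {_addr(src)} {_addr(dst)}"
        if port is not None:
            line += f" eq {port}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(to_ios(SELECTIVE_ACL, "SQL-SELECTIVE")))
    print(evaluate(SELECTIVE_ACL, "udp", "10.1.10.77", "10.1.20.10", 1434))   # deny
```

Rule order matters: the per-client permits must precede the blanket deny, and the final "permit ip any any" is what keeps the list from silently dropping everything else under the implicit deny. Applied inbound on the segment that holds the critical clients, and on the other internal control points, this is the containment ACL the worm-response section refers to.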
A comprehensive option for mitigating the effects of viruses, worms, and Trojan Horses is a host-based intrusion prevention system (HIPS).
Cisco Security Agent (CSA) is a host-based intrusion prevention system that can be integrated
with anti-virus software from various vendors. CSA protects the operating system from threats on
the network. CSA provides a more comprehensive and centralized solution that is not dependent
on end users being vigilant about updating anti-virus software and using host-based firewalls.
Another solution for mitigating threats is Cisco Network Admission Control (NAC). The Cisco NAC Appliance is a turnkey solution to control network access. It admits only hosts that are authenticated and have had their security posture examined and approved for the network. This solution is a natural fit for organizations with medium-sized networks that need simplified, integrated tracking of operating systems, anti-virus patches, and vulnerability updates. The Cisco NAC Appliance does not need to be part of a Cisco network to function.
Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring
for network security devices and host applications created by Cisco and other providers. MARS
makes precise recommendations for threat removal, including the ability to visualize the attack path
and identify the source of the threat with detailed topological graphs that simplify security response.
Viruses, worms, and Trojan Horses can slow or stop networks and corrupt or destroy data. Software and hardware options are available for mitigating these threats. Network security professionals must maintain constant vigilance. It is not enough just to react to threats. A good network security professional examines the whole network to find vulnerabilities and fix them before an attack occurs.



1.3 Attack Methodologies
1.3.1 Reconnaissance Attacks
There are many different types of network attacks other than viruses, worms, and Trojan Horses. To mitigate attacks, it is useful to first have the various types of attacks categorized. By categorizing network attacks, it is possible to address types of attacks rather than individual attacks. There is no standardized way of categorizing network attacks. The method used in this course classifies attacks in three major categories.
Reconnaissance Attacks
Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities. Reconnaissance attacks often employ the use of packet sniffers and port scanners, which are widely available as free downloads on the Internet. Reconnaissance is analogous to a thief surveying a neighborhood for vulnerable homes to break into, such as an unoccupied residence or a house with an easy-to-open door or window.
Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. An access attack can be performed in many different ways. An access attack often employs a dictionary attack to guess system passwords. There are also specialized dictionaries for different languages that can be used.
Denial of Service Attacks
Denial of service attacks send extremely large numbers of requests over a network or the Internet.
These excessive requests cause the target device to run suboptimally. Consequently, the attacked
device becomes unavailable for legitimate access and use. By executing exploits or combinations
of exploits, DoS attacks slow or crash applications and processes.
Reconnaissance attacks
Reconnaissance is also known as information gathering and, in most cases, precedes an access or DoS attack. In a reconnaissance attack, the malicious intruder typically begins by conducting a ping sweep of the target network to determine which IP addresses are active. The intruder then determines which services or ports are available on the live IP addresses. Nmap is the most popular application for performing port scans. From the port information obtained, the intruder queries the ports to determine the type and version of the application and operating system that is running on the target host. In many cases, the intruders look for vulnerable services that can be exploited later when there is less likelihood of being caught.
Reconnaissance attacks use various tools to gain access to a network:
- Packet sniffers
- Ping sweeps
- Port scans
- Internet information queries
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to
capture all network packets that are sent across a LAN. Promiscuous mode is a mode in which the
network adapter card sends all packets that are received to an application for processing. Some
network applications distribute network packets in unencrypted plaintext. Because the network
packets are not encrypted, they can be understood by any application that can pick them off the
network and process them.
Packet sniffers can only work in the same collision domain as the network being attacked, unless the attacker has access to the intermediary switches.
Numerous freeware and shareware packet sniffers, such as Wireshark, are available and do not require the user to understand anything about the underlying protocols.
When used as legitimate tools, ping sweep and port scan applications run a series of tests against hosts and devices to identify vulnerable services. The information is gathered by examining IP addressing and port, or banner, data from both TCP and UDP ports. An attacker uses ping sweeps and port scans to acquire information to compromise the system.
A ping sweep is a basic network scanning technique that determines which range of IP addresses map to live hosts. A single ping indicates whether one specified host computer exists on the network. A ping sweep consists of ICMP echo requests sent to multiple hosts. If a given address is live, the address returns an ICMP echo reply. Ping sweeps are among the older and slower methods used to scan a network.
Each service on a host is associated with a well-known port number. Port scanning is a scan of a range of TCP or UDP port numbers on a host to detect listening services. It consists of sending a message to each port on a host. The response that the sender receives indicates whether the port is used.
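A defender's view of the two techniques just described (ping sweeps and port scans), as an added example that is not part of the booklet: detection logic that reads a handful of constructed firewall log lines and flags a source that sends ICMP echo requests to many distinct hosts inside a short window (a ping sweep) or TCP connection attempts to many distinct ports on one host (a port scan). The key=value log format, the addresses, the thresholds and the window are all made up for the example and are not a real vendor's layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed thresholds: distinct targets seen from one source inside WINDOW
SWEEP_HOSTS = 5    # ICMP echo requests to this many different hosts -> ping sweep
SCAN_PORTS = 5     # TCP SYNs to this many different ports on one host -> port scan
WINDOW = timedelta(seconds=60)

# Constructed log lines in a simple key=value format (not a real vendor's syslog layout)
SAMPLE_LOG = [
    "2009-08-01T10:00:01 proto=icmp type=8 src=203.0.113.9 dst=10.1.1.1",
    "2009-08-01T10:00:01 proto=icmp type=8 src=203.0.113.9 dst=10.1.1.2",
    "2009-08-01T10:00:02 proto=icmp type=8 src=203.0.113.9 dst=10.1.1.3",
    "2009-08-01T10:00:02 proto=icmp type=8 src=203.0.113.9 dst=10.1.1.4",
    "2009-08-01T10:00:03 proto=icmp type=8 src=203.0.113.9 dst=10.1.1.5",
    "2009-08-01T10:00:09 proto=tcp flags=S src=203.0.113.9 dst=10.1.1.3 dport=21",
    "2009-08-01T10:00:09 proto=tcp flags=S src=203.0.113.9 dst=10.1.1.3 dport=22",
    "2009-08-01T10:00:10 proto=tcp flags=S src=203.0.113.9 dst=10.1.1.3 dport=23",
    "2009-08-01T10:00:10 proto=tcp flags=S src=203.0.113.9 dst=10.1.1.3 dport=25",
    "2009-08-01T10:00:11 proto=tcp flags=S src=203.0.113.9 dst=10.1.1.3 dport=80",
    # ordinary activity from an internal host: one ping, one web connection
    "2009-08-01T10:00:05 proto=icmp type=8 src=10.1.1.50 dst=10.1.1.1",
    "2009-08-01T10:00:06 proto=tcp flags=S src=10.1.1.50 dst=10.1.1.3 dport=443",
]


def parse(line: str) -> dict:
    """Split one line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def _recent_distinct(history, now, pick):
    """Distinct pick(entry) values among entries no older than WINDOW; prunes the rest."""
    history[:] = [h for h in history if now - h[0] <= WINDOW]
    return {pick(h) for h in history}


def detect(lines) -> set:
    """Return alerts as ('ping_sweep', src) and ('port_scan', src, dst) tuples."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    echo = defaultdict(list)   # src -> [(ts, dst)]
    syn = defaultdict(list)    # (src, dst) -> [(ts, dport)]
    alerts = set()
    for e in events:
        if e["proto"] == "icmp" and e.get("type") == "8":          # echo request
            hist = echo[e["src"]]
            hist.append((e["ts"], e["dst"]))
            if len(_recent_distinct(hist, e["ts"], lambda h: h[1])) >= SWEEP_HOSTS:
                alerts.add(("ping_sweep", e["src"]))
        elif e["proto"] == "tcp" and e.get("flags") == "S":        # connection attempt
            hist = syn[(e["src"], e["dst"])]
            hist.append((e["ts"], e["dport"]))
            if len(_recent_distinct(hist, e["ts"], lambda h: h[1])) >= SCAN_PORTS:
                alerts.add(("port_scan", e["src"], e["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in sorted(detect(SAMPLE_LOG)):
        print(alert)
```

Counting distinct targets per source inside a sliding window, rather than raw packet counts, is what separates a sweep from a chatty but legitimate host; the thresholds above are deliberately low so the sample triggers and would need tuning to a real network's baseline.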
Internet information queries can reveal information such as who owns a particular domain and
what addresses have been assigned to that domain. They can also reveal who owns a particular IP
address and which domain is associated with the address.
Ping sweeps of addresses revealed by Internet information queries can present a picture of the live