ITN Module 16: Network Security Fundamentals


How would one verify which services are currently enabled in the Cisco IOS?

- "show ip ports all" command
- "show control-plane host open-ports" command on older devices

Describe AAA.

- Authentication, authorization, and accounting (AAA or "triple A") techniques to:
  + authenticate those permitted to access a network
  + authorize the actions they perform while accessing the network
  + account for what was done while they are there

On what special network are servers that are accessible to outside users usually located?

- DMZ (demilitarized zone)

What is SSH? What are the 5 steps to enable it?

- Secure Shell
  1) Configure a unique device hostname
  2) Configure the IP domain name, with the "ip domain name xxxxx" command
  3) Generate a key to encrypt SSH traffic, with the "crypto key generate rsa general-keys modulus ___" command
     + ex. use "crypto key generate rsa general-keys modulus 1024" to have a key of 1024 bits
     + 360-2048 bits, min recommended is 1024
     + longer = more secure but longer to encrypt/decrypt
  4) Verify or create a local database entry w/ the "username" global configuration command and "secret" parameter
     + ex. "username Bob secret cisco"
  5) Authenticate against the local database, w/ the "login local" line conf command
  6) Enable vty inbound sessions with the "transport input ssh", "transport input telnet", or "transport input ssh telnet" commands

Describe the 3 types of vulnerabilities for networks and devices.

- Technological
  + TCP/IP weakness
  + OS weakness (documented in CERT archives)
  + network equipment (password weakness, authentication, routing protocols, firewall holes)
- Configuration
  + user account info transmitted insecurely
  + system accounts with weak passwords
  + misconfigured internet services (exploited JavaScript, FTP, web servers, HTTP servers, etc.)
  + unsecure default product settings
  + misconfigured equipment (access lists, routing protocols, or SNMP community strings)
- Policy
  + inconsistently enforced or unwritten policies
  + politics
  + bad authentication or default passwords
  + unmonitored/unaudited activity
  + software/hardware installations or topology changes that violate policies
  + no disaster recovery plan for natural disaster or threat attacks

Describe the security devices and services that are implemented to protect an organization's users and assets against TCP/IP threats.

- VPN
  + routers using secure encrypted tunnels to provide secure VPN services with corporate sites and remote access support for remote users
- ASA Firewall
  + a dedicated device that provides stateful firewall services
  + ensures that internal traffic can go out and come back
  + keeps external traffic from initiating connections to inside hosts
- IPS (intrusion prevention system)
  + monitors incoming and outgoing traffic looking for malware, network attack signatures, etc.
  + can immediately stop threats that it recognizes
- ESA/WSA (email security appliance/web security appliance)
  + ESA filters spam and suspicious emails
  + WSA filters known and suspicious internet malware sites
- AAA Server
  + contains a secure database of who is authorized to access and manage network devices
  + network devices use this database to authenticate administrative users

Describe a DDOS attack.

- a denial of service attack that uses multiple coordinated sources to overload a server with requests
- controls a botnet, a network of interconnected hosts (zombies)

How can one disable Telnet on Cisco routers?

- by specifying only SSH in the line configuration command (would be "transport input ssh")

What are several steps that can be taken to help ensure that passwords remain secret on a Cisco router and switch?

- encrypt all plaintext passwords
- set a minimum acceptable password length, with the "security passwords min-length" command
- deter brute-force password guessing attacks with the "login block-for # attempts # within #" command (ex. the "login block-for 120 attempts 3 within 60" command blocks vty login attempts for 120 seconds if there are three failed login attempts within 60 seconds)
- disable inactive privileged EXEC mode access after a specified amount of time, with the "exec-timeout minutes seconds" line configuration command (for console, vty, and auxiliary lines)

What do access attacks do? Why are they done?

- exploit known vulnerabilities in authentication services, FTP services, and web services
- to gain entry to web accounts, confidential databases, and other sensitive information

Describe the 4 considerations for backups.

- frequency
  + regular basis
  + preferably monthly or weekly (full) and frequent (partial)
  + per security policy
- storage
  + validate integrity of backup data and file restoration procedures
- security
  + transported to approved offsite location regularly, per security policy
- validation
  + password protected, including to restore the data

Describe the 4 classes of physical threats to networks.

- hardware
  + physical damage to components and devices
- environmental
  + extreme temperatures or extreme humidity
- electrical
  + voltage spikes or brownouts, noise, and blackouts
- maintenance
  + poor handling of key electrical components (discharge, lack of spare parts, poor cabling, poor labeling)

What are the 4 types of threats that may arise from threat actors?

- information theft
- data loss and manipulation
- identity theft
- disruption of service

What are the 3 types of reconnaissance attacks?

- internet queries
  + external threat actors use internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity
- ping sweeps
  + threat actor initiates a ping sweep to determine which IP addresses are active (usually automated and systematic, "fping" or "gping")
- port scan
  + threat actor performs a port scan on the discovered active IP addresses

Describe the 4 types of firewalls.

- packet filtering
  + prevents or allows access based on IP or MAC addresses
- application filtering
  + prevents or allows access by specific application types
  + based on port numbers
- URL filtering
  + prevents or allows access to websites based on specific URLs or keywords
- stateful packet inspection (SPI)
  + incoming packets must be legitimate responses to requests from internal hosts
  + unsolicited packets are only accepted if specifically permitted
  + can recognize and filter out specific types of attacks (like DoS)

Describe the 4 types of access attacks.

- password
  + brute-force
  + trojan horse
  + packet sniffers
- trust exploitation
  + threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target
  + targets one system to get to another
- port redirection
  + threat actor uses a compromised system as a base for attacks against other targets that trust the compromised system
  + it uses ports to do this, such as a threat actor using SSH (port 22) to connect to a compromised host that uses Telnet (port 23) to access another system's unencrypted data
- man-in-the-middle
  + threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties

Describe the 3 types of network attacks.

- reconnaissance attacks
  + discovery and mapping of systems access, or user privileges
- access attacks
  + unauthorized manipulation of data, system access, or user privileges
- denial of service (DoS)
  + disabling or corruption of networks, systems, or services

What are the 3 types of malware?

- viruses
- worms
- trojan horses

How can one disable HTTP?

- with the "no ip http server" global configuration command
