Chapter 11


Trojan Horses

(You have got a virus message.) MALWARE. Looks legit, but is not. Users are tricked into loading and executing it on their systems. After it is activated, it can irritate the user (popping up windows or changing desktops) or steal or delete data. Trojan horses are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojan horses do NOT REPRODUCE OR SELF-REPLICATE. Trojan horses must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.

Testing the Loopback

127.0.0.1. Enables a user to test their own host to ensure the IP stack is functioning properly.

Trace Messages

A trace returns a list of HOPS as a packet is routed through a network. (Each time packets are passed to the next network device, a hop occurs.) CAN INDICATE WHERE THERE IS A FAILURE. Command: Windows = tracert, Router CLI = traceroute

Authentication, Authorization, and Accounting

Authentication, authorization, and accounting (AAA) network security services provide the primary framework to set up ACCESS CONTROL on a network device. AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and what actions they perform while accessing the network (accounting). The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it, how much that user can spend, and keeps account of what items the user spent money on, as shown in the figure.

Worms

Computer worms are similar to viruses in that they REPLICATE functional copies of themselves and can cause the same type of damage. Can GROW on their own; they don't require a program or human help. A worm does NOT need to attach to a program to infect a host and enter a computer through a vulnerability in the system. Worms take advantage of system features to travel through the network unaided.

Cisco Security Appliances

DEDICATED firewall devices are specialized computers that do NOT have peripherals or hard drives. Appliance-based firewalls can inspect traffic FASTER and are LESS prone to FAILURE.

Physical security plan

DOORS, MONITOR, CAMERAS. Lock up equipment and prevent unauthorized access from the doors, ceiling, raised floor, windows, ducts, and vents. Monitor and control closet entry with electronic logs. Use security cameras.

Server-based firewall

Firewall applications that generally provide a solution that COMBINES an SPI firewall and ACCESS CONTROL, based on IP address or application. Server-based firewalls can be LESS secure than dedicated, appliance-based firewalls because of the security weaknesses of the general purpose OS.

Physical Security of devices

HARDWARE (damage), ENVIRONMENT (too wet/dry), ELECTRICAL (power), MAINTENANCE (poor cabling). The four classes of physical threats are:
Hardware threats - physical damage to servers, routers, switches, cabling plant, and workstations
Environmental threats - temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
Electrical threats - voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
Maintenance threats - poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling

Types of Malware

MALWARE (designed to steal data). VIRUS, WORMS, TROJAN HORSE.

IOS Ping Indicators

The most common indicators are:
! - RECEIPT of an ICMP echo reply message
. - a time EXPIRED while waiting for an ICMP echo reply message
U - an ICMP UNREACHABLE message was received
The "." (period) may indicate that a connectivity problem occurred somewhere along the path. It may also indicate that a router along the path did not have a route to the destination and did not send an ICMP destination unreachable message. It also may indicate that the ping was blocked by device security. When sending a ping on an Ethernet LAN, it is common for the first echo request to time out if the ARP process is required. The "U" indicates that a router along the path responded with an ICMP unreachable message. Either the router did not have a route to the destination address, or the ping request was blocked.

Ping

USES ICMP. Verifies Layer 3 connectivity. Using the ping command is an effective way to test CONNECTIVITY.

Given a scenario of a small network where a user has a network problem, can you describe the steps you would follow to identify the cause of the problem and work out the most likely cause?

addresses, cables, firewall, settings, ping, show ip interfaces brief

personal firewall

like we do at school. Client-side firewalls that typically filter using SPI (Stateful packet inspection). The user may be prompted to allow certain applications to connect or may define a list of automatic exceptions. Personal firewalls are often used when a host device is connected DIRECTLY to an ISP modem. It may interfere with Internet access if not properly configured. It is not recommended to use more than one personal firewall at a time since they can conflict with one another.

What are the two most common PC command line tools for troubleshooting network connections and what does each one do?

ping (connectivity) and tracert (returns a list of hops)

Extended Traceroute

This command allows the ADMINISTRATOR to ADJUST PARAMETERS related to the command operation. Helpful when TROUBLESHOOTING routing LOOPS and locating the problem, determining the exact next-hop router, or to help determine where packets are getting dropped by a router, or denied by a firewall. traceroute sends IP packets with a TTL value (30 by default). Each hop usually decreases this value by 1. If a router in the middle receives a packet with a TTL=1, it will send an ICMP "time exceeded" message to the source and traceroute command output displays an asterisk (*). The error message indicates that a router in the path has seen and discarded the packet. An ICMP "destination unreachable" error message indicates that a router has received the packet, but discarded it because it could not be delivered. In IOS, the extended traceroute command closes when any of the following occur:
1. The destination responds with an ICMP echo reply
2. The user interrupts the trace with the escape sequence
Note: In IOS, you can invoke this escape sequence by pressing Ctrl+Shift+6. In Windows, the escape sequence is invoked by pressing Ctrl+C.

Extended Ping

Type ping in PRIVILEGED EXEC mode, without a destination IP address. A series of prompts is then presented. Pressing Enter accepts the indicated default values. Used to determine the TYPE of CONNECTIVITY problem. Note: The ping ipv6 command is used for IPv6 extended pings.

Network firewalls

Reside between 2 or more networks, control the TRAFFIC between them, and help prevent unauthorized access.

Viruses

MALWARE. Inserts a copy of itself into AND BECOMES PART OF ANOTHER PROGRAM. It spreads from one computer to another, leaving INFECTIONS as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. MAY BE THERE A LONG TIME, BUT DOES NOT OPEN UNTIL USER OPENS IT. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or OPENS the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses OVERWRITE other programs with copies of themselves, which destroys the host program altogether. Viruses SPREAD when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.

Network Baseline

MONITORING and TROUBLESHOOTING network PERFORMANCE. Creating an effective network performance baseline is accomplished over a period of TIME. Measuring performance at varying times (SUCH AS PING) will assist in creating a better picture of overall network performance. The output derived from network commands contributes data to the network baseline. One method for starting a baseline is to copy and paste the results from an executed ping, trace, or other relevant commands into a text file. These text files can be time stamped with the date and saved into an archive for later retrieval and comparison. Among items to consider are error messages and the response times from host to host. If there is a considerable increase in response times, there may be a latency issue to address. Corporate networks should have extensive baselines. Professional-grade software tools are available for storing and maintaining baseline information.

cisco router

Most home integrated routers have BUILT-IN BASIC FIREWALL capabilities that support packet, application, and web site filtering. Higher-end routers that run special operating systems like Cisco Internetwork Operating System (IOS) also have firewall capabilities that can be configured.

Firewalls

PAUS PROTECTING: PACKET (IP or MAC), APPLICATION (port number), URL, SPI (packets must be legit). One of the most effective security tools available for PROTECTING users from external threats. Firewall products use various techniques for determining what is permitted or denied access to a network:
Packet filtering - Prevents or allows access based on IP or MAC addresses
Application filtering - Prevents or allows access by specific application types based on port numbers
URL filtering - Prevents or allows access to websites based on specific URLs or keywords
Stateful packet inspection (SPI) - Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks, such as denial of service (DoS).

What are the techniques that a firewall uses to block packets and how does each one work?

PAUS: PACKET, APPLICATION, URL, SPI.
Packet filtering - permit or deny based on IP or MAC address
Application filtering - permit or deny based on port number
URL filtering - permit or deny based on URL or keywords
Stateful packet inspection (SPI) - checks incoming packets are legitimate

