Network Security Fundamentals


Steps to enable SSH on router/switch

1. Configure a unique hostname.
2. Configure the domain name of the network.
3. Configure a user account to use AAA or the local database for authentication.
4. Generate RSA keys.
5. Enable VTY SSH sessions.

Types of Firewalls

1. Packet filtering - Prevents or allows access based on IP or MAC addresses.
2. Application filtering - Prevents or allows access by specific application types based on port numbers.
3. URL filtering - Prevents or allows access to websites based on specific URLs or keywords.
4. Stateful packet inspection (SPI) - Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks, such as denial of service (DoS).

Network attack categories

1. Reconnaissance attacks - The discovery and mapping of systems, services, or vulnerabilities.
2. Access attacks - The unauthorized manipulation of data, system access, or user privileges.
3. Denial of service - The disabling or corruption of networks, systems, or services.

Network security devices

1. VPN - A router is used to provide secure VPN services with corporate sites and remote access support for remote users using secure encrypted tunnels.
2. ASA Firewall - This dedicated device provides stateful firewall services. It ensures that internal traffic can go out and come back, but external traffic cannot initiate connections to inside hosts.
3. IPS - An intrusion prevention system (IPS) monitors incoming and outgoing traffic looking for malware, network attack signatures, and more. If it recognizes a threat, it can immediately stop it.
4. ESA/WSA - The email security appliance (ESA) filters spam and suspicious emails. The web security appliance (WSA) filters known and suspicious internet malware sites.
5. AAA Server - This server contains a secure database of who is authorized to access and manage network devices. The network devices authenticate administrative users using this database.

Which backup policy consideration is concerned with using strong passwords to protect the backups and for restoring data?
A: Frequency
B: Storage
C: Security
D: Validation

D: Validation

Types of Threats

Information theft - Breaking into a computer to obtain confidential information. The information can be used or sold for various purposes, such as when someone steals proprietary information of an organization, like research and development data.
Data loss and manipulation - Breaking into a computer to destroy or alter data records. An example of data loss is a threat actor sending a virus that reformats a computer hard drive. An example of data manipulation is breaking into a records system to change information, such as the price of an item.
Identity theft - A form of information theft where personal information is stolen for the purpose of taking over the identity of someone. Using this information, a threat actor can obtain legal documents, apply for credit, and make unauthorized online purchases. Identity theft is a growing problem costing billions of dollars per year.
Disruption of service - Preventing legitimate users from accessing services to which they are entitled. Examples include denial of service (DoS) attacks on servers, network devices, or network communications links.

Policy Vulnerabilities

Lack of written security policy - A security policy cannot be consistently applied or enforced if it is not written down.
Politics - Political battles and turf wars can make it difficult to implement a consistent security policy.
Lack of authentication continuity - Poorly chosen, easily cracked, or default passwords can allow unauthorized access to the network.
Logical access controls not applied - Inadequate monitoring and auditing allow attacks and unauthorized use to continue, wasting company resources. This could result in legal action or termination against IT technicians, IT management, or even company leadership that allows these unsafe conditions to persist.
Software and hardware installation and changes do not follow policy - Unauthorized changes to the network topology or installation of unapproved applications create or enable holes in security.
Disaster recovery plan is nonexistent - The lack of a disaster recovery plan allows chaos, panic, and confusion to occur when a natural disaster occurs or a threat actor attacks the enterprise.

Cisco AutoSecure / General Device Security

Router# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***

Simple steps that should be applied to most operating systems:
1. Default usernames and passwords should be changed immediately.
2. Access to system resources should be restricted to only the individuals that are authorized to use those resources.
3. Any unnecessary services and applications should be turned off and uninstalled when possible.

Enable SSH

Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain name span.com
R1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.span.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#
R1(config)# username Bob secret cisco
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
R1(config)#

Disable Unused Services

Show open ports and connections (similar to netstat):
Command: show ip ports all
OR
Command: show control-plane host open-ports
IOS versions prior to IOS-XE use the show control-plane host open-ports command.

Disabling the HTTP server: no ip http server
Only allowing SSH connections on the VTY lines: transport input ssh

Additional Password Security

Steps to take on a Cisco router for password security:
1. Encrypting all plaintext passwords
2. Setting a minimum acceptable password length
3. Deterring brute-force password guessing attacks
4. Disabling an inactive privileged EXEC mode access after a specified amount of time

Router(config)# service password-encryption
Router(config)# security password min-length 8
Router(config)# login block-for 120 attempts 3 within 60
Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# exec-timeout 5 30
Router(config-line)# transport input ssh
Router(config-line)# end
Router#
Router# show running-config | section line vty
line vty 0 4
 password 7 03095A0F034F
 exec-timeout 5 30
 login
 transport input ssh
Router#

Technological Vulnerabilities

TCP/IP Protocol Weakness
-Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Internet Control Message Protocol (ICMP) are inherently insecure.
-Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) are related to the inherently insecure structure upon which TCP was designed.
Operating System Weakness
-Each operating system has security problems that must be addressed.
-UNIX, Linux, Mac OS, Mac OS X, Windows Server 2012, Windows 7, Windows 8
-They are documented in the Computer Emergency Response Team (CERT) archives at http://www.cert.org
Network Equipment Weakness
-Various types of network equipment, such as routers, firewalls, and switches, have security weaknesses that must be recognized and protected against. Their weaknesses include password protection, lack of authentication, routing protocols, and firewall holes.

Physical Security

The four classes of physical threats are as follows:
1. Hardware threats - This includes physical damage to servers, routers, switches, cabling plant, and workstations.
2. Environmental threats - This includes temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry).
3. Electrical threats - This includes voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss.
4. Maintenance threats - This includes poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling.

Figure:
Step 1. Lock up equipment to prevent unauthorized access from the doors, ceiling, raised floor, windows, ducts, and vents.
Step 2. Monitor and control closet entry with electronic tags.
Step 3. Use security cameras.

Configuration Vulnerabilities

Unsecured user accounts - User account information may be transmitted insecurely across the network, exposing usernames and passwords to threat actors.
System accounts with easily guessed passwords - This common problem is the result of poorly created user passwords.
Misconfigured internet services - Turning on JavaScript in web browsers enables attacks by way of JavaScript controlled by threat actors when accessing untrusted sites. Other potential sources of weaknesses include misconfigured terminal services, FTP, or web servers (e.g., Microsoft Internet Information Services (IIS) and Apache HTTP Server).
Unsecured default settings within products - Many products have default settings that create or enable holes in security.
Misconfigured network equipment - Misconfigurations of the equipment itself can cause significant security problems. For example, misconfigured access lists, routing protocols, or SNMP community strings can create or enable holes in security.

Trojan Horses

-A Trojan horse is another type of malware named after the wooden horse the Greeks used to infiltrate Troy.
-It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems.
-After it is activated, it can achieve any number of attacks on the host, from irritating the user (with excessive pop-up windows or changing the desktop) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses).
-Trojan horses are also known to create back doors to give malicious users access to the system.
-Unlike viruses and worms, Trojan horses do not reproduce by infecting other files.
-They self-replicate.
-Trojan horses must spread through user interaction such as opening an email attachment or downloading and running a file from the internet.

Viruses

-A computer virus is a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program.
-It spreads from one computer to another, leaving infections as it travels.
-Viruses can range in severity from causing mildly annoying effects, to damaging data or software and causing denial of service (DoS) conditions.
-Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well.
-Normally, the host program keeps functioning after the virus infects it. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether.
-Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected email attachments.

Firewalls

-A firewall is one of the most effective security tools available for protecting users from external threats.
-A firewall protects computers and networks by preventing undesirable traffic from entering internal networks.
-Network firewalls reside between two or more networks, control the traffic between them, and help prevent unauthorized access.
-A firewall could allow outside users controlled access to specific services. For example, servers accessible to outside users are usually located on a special network referred to as the demilitarized zone (DMZ).
-The DMZ enables a network administrator to apply specific policies for hosts connected to that network.

Access Attacks

-Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
-An access attack allows individuals to gain unauthorized access to information that they have no right to view.

Access Attack Types:
Password Attacks
-Brute-force attacks
-Trojan horse attacks
-Packet sniffers
Trust Exploitation
-In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target.
-System A trusts System B. System B trusts everyone. The threat actor wants to gain access to System A. Therefore, the threat actor compromises System B first and then can use System B to attack System A.
Port Redirection
-In a port redirection attack, a threat actor uses a compromised system as a base for attacks against other targets.
-The example in the figure shows a threat actor using SSH (port 22) to connect to a compromised host A. Host A is trusted by host B and, therefore, the threat actor can use Telnet (port 23) to access it.
Man-in-the-Middle
-In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties.

Authentication, Authorization, and Accounting

-All network devices should be securely configured to provide only authorized individuals with access.
-Authentication, authorization, and accounting (AAA, or "triple A") network security services provide the primary framework to set up access control on network devices.
-AAA is a way to control who is permitted to access a network (authenticate), what actions they perform while accessing the network (authorize), and making a record of what was done while they are there (accounting).
-The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it, how much that user can spend, and keeps account of what items the user spent money on.

Endpoint Security

-An endpoint, or host, is an individual computer system or device that acts as a network client.
-Common endpoints are laptops, desktops, servers, smartphones, and tablets.
-Securing endpoint devices is one of the most challenging jobs of a network administrator because it involves human nature.
-A company must have well-documented policies in place and employees must be aware of these rules.
-Employees need to be trained on proper use of the network.
-Policies often include the use of antivirus software and host intrusion prevention.
-More comprehensive endpoint security solutions rely on network access control.

Keep Backups

-Backing up device configurations and data is one of the most effective ways of protecting against data loss.
-A data backup stores a copy of the information on a computer to removable backup media that can be kept in a safe place.
-Infrastructure devices should have backups of configuration files and IOS images on an FTP or similar file server.
-If the computer or router hardware fails, the data or configuration can be restored using the backup copy.
-Backups should be performed on a regular basis as identified in the security policy.
-Data backups are usually stored offsite to protect the backup media if anything happens to the main facility.
-Windows hosts have a backup and restore utility.
-It is important for users to back up their data to another drive, or to a cloud-based storage provider.

Backup considerations and descriptions:
Frequency
-Perform backups on a regular basis as identified in the security policy.
-Full backups can be time-consuming, therefore perform monthly or weekly backups with frequent partial backups of changed files.
Storage
-Always validate backups to ensure the integrity of the data and validate the file restoration procedures.
Security
-Backups should be transported to an approved offsite storage location on a daily, weekly, or monthly rotation, as required by the security policy.
Validation
-Backups should be protected using strong passwords. The password is required to restore the data.

Worms

-Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage.
-In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate.
-A worm does not need to attach to a program to infect a host; it enters a computer through a vulnerability in the system. Worms take advantage of system features to travel through the network unaided.

Denial of Service Attacks

-Denial of service (DoS) attacks are the most publicized form of attack and among the most difficult to eliminate.
-DoS attacks take many forms. Ultimately, they prevent authorized people from using a service by consuming system resources.
-To help prevent DoS attacks it is important to stay up to date with the latest security updates for operating systems and applications.

DoS Attack
-DoS attacks are a major risk because they interrupt communication and cause significant loss of time and money.
-These attacks are relatively simple to conduct, even by an unskilled threat actor.
DDoS Attack
-A DDoS is similar to a DoS attack, but it originates from multiple, coordinated sources.
-For example, a threat actor builds a network of infected hosts, known as zombies.
-A network of zombies is called a botnet.
-The threat actor uses a command and control (CnC) program to instruct the botnet of zombies to carry out a DDoS attack.

Reconnaissance Attacks

-For reconnaissance attacks, external threat actors can use internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity.
-After the IP address space is determined, a threat actor can then ping the publicly available IP addresses to identify the addresses that are active.
-To help automate this step, a threat actor may use a ping sweep tool, such as fping or gping. This systematically pings all network addresses in a given range or subnet.
-This is similar to going through a section of a telephone book and calling each number to see who answers.

Reconnaissance attack tools:
1. Internet Queries
-The threat actor is looking for initial information about a target. Various tools can be used, including Google search, the websites of organizations, whois, and more.
2. Ping Sweeps
-The threat actor initiates a ping sweep to determine which IP addresses are active.
3. Port Scans
-The threat actor performs a port scan on the discovered active IP addresses.
-Tools such as Nmap or Zenmap can be used.

Upgrade, Update, and Patch

-Keeping up to date with the latest developments can lead to a more effective defense against network attacks.
-As new malware is released, enterprises need to keep current with the latest versions of antivirus software.
-The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems.
-Administering numerous systems involves the creation of a standard software image (operating system and accredited applications that are authorized for use on client systems) that is deployed on new or upgraded systems.
-However, security requirements change, and already deployed systems may need to have updated security patches installed.
-One solution to the management of critical security patches is to make sure all end systems automatically download updates.
-Security patches are automatically downloaded and installed without user intervention.
TURN ON THE AUTOMATIC UPDATES

The Defense-in-Depth Approach

-To mitigate network attacks, you must first secure devices including routers, switches, servers, and hosts.
-Most organizations employ a defense-in-depth approach (also known as a layered approach) to security. This requires a combination of networking devices and services working in tandem.
Figure: All network devices including the router and switches are also hardened, as indicated by the combination locks on their respective icons. This indicates that they have been secured to prevent threat actors from gaining access and tampering with the devices.
