
1 Modern Network Security Threats

1.0 Chapter Introduction


1.0.1 Chapter introduction
Network security consists of the technologies, tools, and protocols used to mitigate threats and protect data.

1.1 Fundamental Principles of a Secure Network


In July 2001, the Code Red worm attacked web servers around the world, causing a denial of service (DoS) and slowing infected servers to a crawl. Today's threats are more sophisticated, while the technical knowledge an attacker needs keeps decreasing.

Timeline of notable threats:
1978 First spam on ARPANET
1988 The Morris Internet Worm
1999 Melissa email virus
2000 Mafiaboy DoS attack, Love Bug worm, L0phtCrack password cracker released
2001 Code Red DoS attack
2004 Botnet hits U.S. military systems
2007 Storm botnet, TJX credit card data breach
2008 Société Générale stock fraud
2011 Sony PlayStation Network hacked
In 1984 the intrusion detection system (IDS) was introduced. It was later largely replaced by the intrusion prevention system (IPS), which not only detects malicious activity but blocks it automatically in real time. Alongside these, the firewall was developed to keep undesirable traffic out of a network and provide perimeter security. Packet filtering firewalls inspect each packet in isolation, without examining whether it belongs to an existing connection; stateful firewalls keep track of established connections and determine whether a packet belongs to an existing flow, providing greater security and faster processing. As threats became more sophisticated, deeper inspection of network- and application-layer traffic became necessary. Cisco designed Security Intelligence Operations (SIO) for this purpose: SIO is a cloud-based service that feeds global threat information, reputation-based services, and sophisticated analysis to Cisco network security devices to provide stronger protection with faster response times.

In addition to external threats, internal threats can be even more damaging. Two examples are spoofing and DoS. Spoofing is an attack in which one device attempts to pose as another by falsifying data, for example MAC address spoofing, where a host sends frames using another host's MAC address so that the switch delivers traffic intended for the victim to the attacker. DoS attacks make computer resources unavailable to their intended users. In addition to preventing and denying malicious traffic, network security also requires that data stay protected. Cryptography ensures data confidentiality, which is one of the three components of information security: confidentiality, integrity, and availability.

1.1.2 Drivers for Network Security

What is a hacker? The term has three common meanings:
Meaning 1: Internet programmers who illegally access devices on the Internet.
Meaning 2: Individuals who run programs to prevent or slow network access for a large number of users, or to corrupt or wipe out data on servers.
Meaning 3: Network professionals who use sophisticated Internet programming skills to ensure that networks are not vulnerable to attack.

Wardialing became popular in the 1980s with the spread of computer modems. Wardialing programs automatically scanned telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines. When a number answered, password-cracking programs were used to gain access. In wardriving, users gain unauthorized access to networks via wireless access points, using a wireless-enabled portable computer or PDA. Password-cracking programs are used to authenticate if necessary, and there is even software to crack the encryption scheme required to associate with the access point. Hacking tools have continued to evolve since the 1960s; modern examples include network scanning tools such as Nmap and SATAN, as well as remote system administration hacking tools such as Back Orifice.

Network security professionals are responsible for:
1. Maintaining data assurance for an organization
2. Ensuring the integrity and confidentiality of information
3. Setting up firewalls and intrusion prevention systems, and ensuring encryption of company data
4. Implementing enterprise authentication schemes
5. Maintaining familiarity with network security organizations

Examples of network security professional roles are Network Security Engineer, Information Security Analyst, Network Security Specialist, Network Security Administrator, Network Security Architect and System Engineer.

1.1.3 Network Security Organizations

Three of the more well-established network security organizations are:
SysAdmin, Audit, Network, Security (SANS) Institute
Computer Emergency Response Team (CERT)
International Information Systems Security Certification Consortium ((ISC)2, pronounced "I-S-C-squared")

SANS focuses on information security training and certification. It develops research documents about various aspects of information security, and SANS resources are largely free upon request. It also develops security courses that can be taken to prepare for Global Information Assurance Certification (GIAC) in auditing, management, operations, legal issues, security administration, and software security.

CERT is chartered to work with the Internet community in detecting and resolving computer security incidents. It focuses on coordinating communication among experts during security emergencies to help prevent future incidents, and develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of services. CERT focuses on five areas: software assurance, secure systems, organizational security, coordinated response, and education and training. It disseminates information by publishing articles, research and technical reports, and papers on a variety of security topics.

(ISC)2 Provides vendor-neutral education products and career services in more than 135 countries.

The mission of (ISC)2 is to make the cyber world a safer place by elevating information security to the public domain, and supporting and developing network security professionals around the world. (ISC)2 develops and maintains the (ISC)2 Common Body of Knowledge (CBK). The CBK defines global industry standards, serving as a common framework of terms and principles that (ISC)2 credentials are based upon. The CBK allows professionals worldwide to discuss, debate, and resolve matters pertaining to the field. (ISC)2 promotes expertise in handling security threats through its education and certification programs. As members, individuals have access to current industry information and networking opportunities unique to its network of certified information security professionals.

In addition to the websites of the various security organizations, one of the most useful tools for the network security professional is Really Simple Syndication (RSS) feeds. RSS is a family of XML-based formats used to publish frequently updated information, such as blog entries, news headlines, audio, and video, in a standardized format. An RSS feed includes complete or summarized text plus metadata, such as publishing dates and authorship.

1.1.4 Domains of Network Security

The 12 network security domains (those of the ISO/IEC 27002 standard) provide a framework for developing organizational security standards and management practices and for facilitating communication between organizations:
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

One of the most important domains is security policy. A security policy is a formal statement of the rules by which people who are given access to the technology and information assets of an organization must abide.

1.1.5 Network security policies

The network security policy outlines rules for network access, determines how policies are enforced, and describes the basic architecture of the organization's network security environment. It establishes a hierarchy of access permissions, giving employees only the minimal access necessary to perform their work. One possible guideline that administrators can use when developing the security policy and determining mitigation strategies is the Cisco SecureX architecture, which is designed to provide effective security for any user, using any device, from any location, at any time. The architecture includes five major components:
1) Scanning engines: can be a firewall, a proxy, or a fusion of the two. A scanning engine can run multiple layers of anti-malware signatures, behavioral analysis and content inspection engines.
2) Delivery mechanisms: the means by which scanning elements are introduced into the network. This includes the traditional network appliance, a module in a switch or router, or an image in a Cisco security cloud.
3) Security Intelligence Operations (SIO): encompasses multi-terabyte traffic monitoring databases, servers in multiple data centers, and engineers with a single purpose: identifying and stopping malicious traffic.
4) Policy management consoles: separate from the scanners that enforce security, so that a single point of policy definition can span multiple enforcement points such as email, instant messaging, and the web.
5) Next-generation endpoint: the critical piece that ties everything together. It can be any of a multitude of devices; regardless of the endpoint type, all connections to or from it must be routed by the device through one of the network-based scanning elements described above.

There are five Cisco SecureX product categories:

Secure Edge and Branch
Cisco ASA Series Adaptive Security Appliance
Cisco Intrusion Prevention System (IPS)
Integrated Security on the ISR G2

Secure Email and Web
Cisco IronPort Web Security Appliance
Cisco IronPort Email Security Appliance
Cisco ScanSafe Cloud Web Security

Secure Access
Cisco Identity Services Engine
Network Admission Control Appliance
Cisco Secure Access Control System

Secure Mobility
VPN Services for Cisco ASA Series
Cisco Adaptive Wireless IPS Software
Cisco AnyConnect Secure Mobility Solutions

Secure Data Center
Cisco ASA 5585-X Adaptive Security Appliance
Cisco Catalyst 6500 ASA Services Module
Cisco Virtual Security Gateway

The security policy should protect the assets of the organization by answering several security questions:
1. What do you have that others want?
2. What processes, data, or information systems are critical to you, your company, or your organization?
3. What would stop your company or organization from doing business or carrying out its mission?

1.2 Viruses, Worms and Trojan horse


1.2.1 Virus
The primary vulnerabilities for end-user computers are virus, worm, and Trojan horse attacks. A virus is malicious software that attaches to a program or executable file to execute unwanted functions on a computer. A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts. A Trojan horse is an application written to look like something else; when a Trojan horse is downloaded and opened, it attacks the end-user computer from within.

Differences between viruses and worms:
A virus needs a host program to run; a worm is self-contained and runs on its own.
A worm propagates without user participation; a virus requires a user to run the infected program.
Worms usually slow down networks as they replicate; viruses generally do not.

1.2.2 Worms
Most worm attacks have three major components:
Enabling vulnerability - the worm installs itself using an exploit mechanism (email attachment, executable file, Trojan horse) on a vulnerable system.
Propagation mechanism - after gaining access to a device, the worm replicates itself and locates new targets.
Payload - any malicious code that results in some action. Most often this is used to create a backdoor on the infected host.

The anatomy of a worm attack is usually described in five phases:
Probe phase - vulnerable targets are identified. The goal is to find computers that can be subverted.
Penetrate phase - exploit code is transferred to the vulnerable target. The goal is to get the target to execute the exploit code through an attack vector, such as a buffer overflow, ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an email virus.
Persist phase - after the attack has been successfully launched in memory, the code tries to persist on the target system. The goal is to ensure that the attacker code is running and available to the attacker even if the system reboots.
Propagate phase - the attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines.
Paralyze phase - actual damage is done to the system. Files can be erased, systems can crash, information can be stolen, and distributed DoS (DDoS) attacks can be launched.

1.2.3 Trojan Horse


Trojan horses are usually classified according to the damage that they cause or the manner in which they breach a system:
Remote-access Trojan horse - enables unauthorized remote access
Data-sending Trojan horse - provides the attacker with sensitive data such as passwords
Destructive Trojan horse - corrupts or deletes files
Proxy Trojan horse - the user's computer functions as a proxy server
FTP Trojan horse - opens port 21
Security software disabler Trojan horse - stops antivirus programs or firewalls from functioning
Denial of service Trojan horse - slows or halts network activity

1.2.4 Mitigating Viruses, worms, and Trojan Horse


A majority of the software vulnerabilities that are discovered relate to buffer overflows. A buffer is an allocated area of memory used by a process to store data temporarily. A buffer overflow occurs when a fixed-length buffer reaches its capacity and the process attempts to store data beyond that maximum limit. The extra data overwrites adjacent memory locations, which can crash the process or, if the overwritten memory holds return addresses or function pointers, let an attacker redirect execution.

Viruses and Trojan horses tend to take advantage of local root buffer overflows. A root buffer overflow is a buffer overflow intended to attain root privileges on a system. Local root buffer overflows require the end user or system to take some action; they are typically triggered by a user opening an email attachment, visiting a website, or exchanging a file via instant messaging. Worms such as SQL Slammer and Code Red exploit remote root buffer overflows. These are similar to local root buffer overflows, except that no local end-user or system intervention is required. The primary means of mitigating virus and Trojan horse attacks is antivirus software kept up to date; because worms need no user action, they are mitigated mainly by patching the exploited vulnerability, which is the first of the best practices listed below.

1.3.1 Reconnaissance Attack


A reconnaissance attack typically proceeds in three steps:
1. A ping sweep is conducted against the target network to determine which IP addresses are active.
2. The intruder then determines which services or ports are open on the live IP addresses.
3. From the port information obtained, the intruder queries the ports to determine the type and version of the application and operating system running on the target host. Nmap is the most popular application for performing port scans.
Reconnaissance attacks use various tools to gather information about a network:
Packet sniffers
Ping sweeps
Port scans
Internet information queries

A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets sent across a LAN. In promiscuous mode the network adapter passes every frame it receives up to the application for processing, not only the frames addressed to its own MAC address. A ping sweep is a basic network scanning technique that determines which addresses in a range of IP addresses map to live hosts. It consists of ICMP echo requests sent to multiple hosts; if a given address is live, it returns an ICMP echo reply. Ping sweeps are among the older and slower methods used to scan a network. Each service on a host is associated with a well-known port number. Port scanning is a scan of a range of TCP or UDP port numbers on a host to detect listening services. It consists of sending a message to each port on a host; the response that the sender receives indicates whether the port is open.
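The ping-sweep and port-scan behaviour described above can be recognised from flow records by the kind of threshold alarm the notes mention later (for example, ICMP requests per second from one source). The following detector is an added example written for these notes, not code from the Cisco curriculum: the flow records, the thresholds and the five-second window are constructed assumptions chosen for illustration, and a real deployment would tune them to its own baseline.

```python
"""Threshold-based reconnaissance detector over flow records (added example).

Records are (time_seconds, src_ip, dst_ip, proto, dst_port); ICMP echo
requests carry dst_port 0. The sample data is constructed for this example,
not taken from any real capture.
"""
from collections import defaultdict, deque

WINDOW = 5.0          # seconds of history kept per source
ICMP_PER_SECOND = 10  # alarm when one source exceeds this echo-request rate
SWEEP_HOSTS = 16      # distinct hosts pinged inside WINDOW => ping sweep
SCAN_PORTS = 10       # distinct ports probed on one host inside WINDOW => port scan


def build_sample_flows():
    """Constructed sample: one ping sweep, one port scan, some benign traffic."""
    flows = []
    for i in range(1, 41):                     # 40 hosts pinged within 2 seconds
        flows.append((100.0 + i * 0.05, "203.0.113.5", f"10.0.0.{i}", "icmp", 0))
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                  443, 445, 993, 995, 1433, 3306, 3389, 5900, 8080, 8443]
    for n, port in enumerate(scan_ports):      # 20 ports probed on one host
        flows.append((105.0 + n * 0.1, "203.0.113.9", "10.0.0.7", "tcp", port))
    flows += [                                 # benign traffic
        (100.2, "192.168.1.10", "10.0.0.7", "tcp", 443),
        (100.9, "192.168.1.10", "10.0.0.7", "tcp", 443),
        (103.0, "192.168.1.11", "10.0.0.8", "icmp", 0),
    ]
    return flows


def detect_recon(flows, window=WINDOW):
    """Return a list of (kind, src, detail) alerts, each fired once per source."""
    history = defaultdict(deque)   # src -> deque of (time, dst, proto, dport)
    fired = set()
    alerts = []

    def fire(kind, src, detail, key=None):
        key = key or (kind, src)
        if key not in fired:
            fired.add(key)
            alerts.append((kind, src, detail))

    for t, src, dst, proto, dport in sorted(flows):
        q = history[src]
        q.append((t, dst, proto, dport))
        while q and t - q[0][0] > window:      # expire records outside the window
            q.popleft()
        icmp = [r for r in q if r[2] == "icmp"]
        # 1. raw rate alarm: echo requests from this source in the last second
        rate = sum(1 for r in icmp if t - r[0] <= 1.0)
        if rate > ICMP_PER_SECOND:
            fire("icmp-rate", src, rate)
        # 2. ping sweep: one source touching many distinct hosts with ICMP
        hosts = {r[1] for r in icmp}
        if len(hosts) >= SWEEP_HOSTS:
            fire("ping-sweep", src, len(hosts))
        # 3. port scan: many distinct TCP/UDP ports on a single destination
        ports = defaultdict(set)
        for _, d, p, port in q:
            if p in ("tcp", "udp"):
                ports[d].add(port)
        for d, ps in ports.items():
            if len(ps) >= SCAN_PORTS:
                fire("port-scan", src, d, key=("port-scan", src, d))
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(build_sample_flows()):
        print(alert)
```

Run against the constructed sample, the detector raises three alerts: an ICMP rate alarm and a ping-sweep alarm for 203.0.113.5, and a port-scan alarm for 203.0.113.9 against 10.0.0.7; the two benign sources stay silent. The rate alarm fires first because it only needs one second of data, which is why rate thresholds are a cheap early signal even before the sweep pattern is complete.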

Ping sweeps of addresses revealed by Internet information queries can present a picture of the live hosts in a particular environment. After such a list is generated, port scanning tools can cycle through all well-known ports to provide a complete list of the services running on the hosts that the ping sweep discovered. Hackers can then examine the characteristics of the active applications, which can lead to specific information useful to an attacker whose intent is to compromise that service. A network security professional can detect when a reconnaissance attack is underway by configuring alarms that are triggered when certain parameters are exceeded, such as the number of ICMP requests per second.

1.3.2 Access Attacks

Hackers use access attacks on networks or systems for three reasons: to retrieve data, to gain access, and to escalate access privileges. There are five types of access attacks:
Password attack - an attacker attempts to guess system passwords. A common example is a dictionary attack.
Trust exploitation - an attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromise of the target.
Port redirection - a compromised system is used as a jump-off point for attacks against other targets. An intrusion tool is installed on the compromised system for session redirection.
Man-in-the-middle attack - an attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between them. A popular man-in-the-middle attack involves a laptop acting as a rogue access point to capture and copy all network traffic from a targeted user, often at a public wireless hotspot.
Buffer overflow - a program writes data beyond the allocated buffer memory. Buffer overflows usually arise as a consequence of a bug in a C or C++ program. As a result of the overflow, valid data is overwritten, or the overflow is exploited to enable the execution of malicious code.
Access attacks in general can be detected by reviewing logs, bandwidth utilization, and process loads.

1.3.3 Denial of Service Attacks

There are two major reasons a DoS attack occurs:
A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.
A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.

One example of a DoS attack is sending a poisonous packet: an improperly formatted packet designed to cause the receiving device to process it in an improper fashion, so that the device crashes or runs very slowly and all communication to and from it is disrupted. A DDoS attack could proceed as follows:
1. A hacker scans for systems that are accessible.
2. After the hacker accesses several "handler" systems, the hacker installs zombie software on them.
3. The zombies then scan and infect agent systems.
4. When the hacker accesses the agent systems, the hacker loads remote-control attack software to carry out the DDoS attack.

It is useful to detail three common DoS attacks to get a better understanding of how DoS attacks work.

Ping of death - a hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. Because no single packet can exceed that size, the attack is delivered as fragments whose offsets place data beyond the 65,535-byte limit; reassembling them can crash the target computer. A variant is to crash a system by sending ICMP fragments that fill the reassembly buffers of the target.
Smurf attack - a perpetrator sends a large number of ICMP echo requests to directed broadcast addresses, all with a spoofed source address belonging to the intended victim. If the routing device delivering traffic to those broadcast addresses forwards the directed broadcasts, all hosts on the destination networks send ICMP replies to the victim, multiplying the traffic by the number of hosts on the networks. On a multi-access broadcast network, hundreds of machines might reply to each packet.
TCP SYN flood - a flood of TCP SYN packets is sent, often with a forged sender address. Each packet is handled like a connection request, causing the server to open a half-open connection by sending back a TCP SYN-ACK and waiting for the final ACK from the sender address. Because the sender address is forged, that response never comes. The half-open connections saturate the number of connections the server is able to hold, keeping it from responding to legitimate requests until the entries time out or the attack ends.

The TCP SYN flood, ping of death, and smurf attacks demonstrate how devastating a DoS attack can be. There are five basic ways that DoS attacks can do harm:
Consumption of resources, such as bandwidth, disk space, or processor time
Disruption of configuration information, such as routing information
Disruption of state information, such as unsolicited resetting of TCP sessions
Disruption of physical network components
Obstruction of communication between the victim and others

1.3.4 Mitigating Network Attacks

Reconnaissance attack mitigation techniques include:
Implement authentication to ensure proper access.
Use encryption to render packet sniffer attacks useless.
Use anti-sniffer tools to detect packet sniffer attacks.
Implement a switched infrastructure.
Use a firewall and IPS.

Access attack mitigation techniques include:
Strong password security
Principle of minimum trust
Cryptography
Applying operating system and application patches

DoS attack mitigation techniques include:
IPS and firewalls (Cisco ASAs and ISRs)
Antispoofing technologies
Quality of Service traffic policing

There are 10 best practices that represent the best insurance for your network:
1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs. Some websites allow users to enter usernames and passwords. A hacker can enter more than just a username: for example, if the username is passed to a shell, entering "jdoe; rm -rf /" might allow an attacker to delete the entire file system of a UNIX server. Programmers should limit input characters and not accept invalid characters such as | ; < > as input.
6. Perform backups and test the backed-up files on a regular basis.
7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, antivirus software, and content filtering.
10. Develop a written security policy for the company.
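The "jdoe; rm -rf /" case in best practice 5 is shell command injection. The following is an added example written for these notes, not code from the Cisco curriculum: it shows the vulnerable pattern (user input concatenated into a command line handed to a shell), the same call without a shell, and the allowlist validation the practice recommends. The echo command and the "INJECTED" payload are constructed stand-ins so the example is harmless to run; a real attacker would supply rm -rf / exactly as the notes describe.

```python
"""Shell command injection through a web form field, and the fix (added example)."""
import re
import subprocess

# Allowlist: a lowercase POSIX-style login name. Anything else is rejected
# outright, which is simpler and safer than trying to strip | ; < > and friends.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def vulnerable_lookup(username):
    """Concatenates user input into a command line handed to /bin/sh.
    With input 'jdoe; rm -rf /' the shell would run rm; the demonstration
    payload used below says 'echo INJECTED' instead so running this is harmless."""
    cmd = "echo user=" + username
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_without_shell(username):
    """Same command, but passed as an argv list: no shell parses the input,
    so ';' is just a character inside one argument."""
    out = subprocess.run(["echo", "user=" + username], capture_output=True, text=True)
    return out.stdout


def validate_username(username):
    """Reject anything outside the allowlist before it reaches any command."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected username: %r" % username)
    return username


def safe_lookup(username):
    """Allowlist validation plus argv execution: both layers together."""
    return lookup_without_shell(validate_username(username))


if __name__ == "__main__":
    payload = "jdoe; echo INJECTED"            # constructed attacker input
    print(vulnerable_lookup(payload), end="")     # two commands ran
    print(lookup_without_shell(payload), end="")  # one literal argument
    try:
        safe_lookup(payload)
    except ValueError as e:
        print(e)                                  # never reaches a command
```

The vulnerable function prints two lines because the shell split the input at ';'. Passing an argv list removes the shell from the path entirely, so the payload is echoed back as a single harmless string; the allowlist then stops the bad value earlier still, which also covers injection into anything downstream of this lookup (log lines, SQL, LDAP) that the argv fix alone would not.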

The Cisco Network Foundation Protection (NFP) framework provides comprehensive guidelines for protecting the network infrastructure. These guidelines form the foundation for continuous delivery of service.

1.4.1 NFP

NFP logically divides routers and switches into three functional areas:
Control plane - responsible for routing data correctly. Control plane traffic consists of device-generated packets required for the operation of the network itself, such as ARP message exchanges or OSPF routing advertisements.
Management plane - responsible for managing network elements. Management plane traffic is generated either by network devices or by network management stations using processes and protocols such as Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP, syslog, TACACS+, RADIUS, and NetFlow.
Data plane (forwarding plane) - responsible for forwarding data. Data plane traffic normally consists of user-generated packets being forwarded between end stations. Most traffic travels through the router or switch via the data plane, and data plane packets are typically processed in the fast-switching cache.

Control plane traffic consists of device-generated packets required for the operation of the network itself. Control plane security can be implemented using the following features:
Cisco AutoSecure - provides a one-step device lockdown feature to protect the control plane as well as the management and data planes. It is a script initiated from the CLI that configures the security posture of a router: it first makes recommendations to address security vulnerabilities, then modifies the router configuration, disabling nonessential system processes and services.
Routing protocol authentication - also called neighbor authentication, prevents a router from accepting fraudulent routing updates. Most routing protocols support neighbor authentication.
Control Plane Policing (CoPP) - a Cisco IOS feature that lets users control the flow of traffic handled by the route processor of a network device, so that unnecessary traffic cannot overwhelm it. CoPP treats the control plane as a separate entity with its own ingress (input) and egress (output) ports; a set of rules can be established and associated with those ports. CoPP consists of the following features:
Control Plane Policing (CoPP) lets users configure a QoS filter that manages the traffic flow of control plane packets. This protects the control plane against reconnaissance and DoS attacks.
Control Plane Protection (CPPr) is an extension of CoPP that allows finer policing granularity. For example, CPPr can filter and rate-limit the packets that are going to the control plane of the router and discard malicious and error packets (or both).
Control Plane Logging enables logging of the packets that CoPP or CPPr drop or permit. It provides the logging mechanism needed to deploy, monitor, and troubleshoot CoPP features efficiently.
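What CoPP actually does is classify packets punted to the route processor and feed each class through a rate limiter, the same token-bucket policer that QoS traffic policing uses. The model below is an added example written for these notes, not Cisco code and not a device configuration: the class names, the neighbor and management-network checks, the rates and burst sizes, and the sample traffic are all assumptions made for illustration.

```python
"""Control-plane policing modeled as class maps feeding token-bucket policers
(added example). Class names, rates, burst sizes and the sample packets are
assumptions made for illustration, not Cisco defaults."""
from collections import defaultdict


class TokenBucket:
    """Single-rate policer: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), None

    def conform(self, now):
        """Refill for elapsed time, then spend one token if available."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


OSPF_NEIGHBORS = {"10.0.0.2", "10.0.0.3"}   # assumed configured neighbors
MGMT_NET_PREFIX = "10.255.0."               # assumed management network


def classify(pkt):
    """First matching class wins, like the class-map order in a policy-map."""
    proto, src = pkt["proto"], pkt["src"]
    if proto in ("ospf", "bgp"):
        return "routing" if src in OSPF_NEIGHBORS else "undesirable"
    if proto in ("ssh", "snmp", "ntp") and src.startswith(MGMT_NET_PREFIX):
        return "management"
    if proto == "icmp":
        return "icmp"
    return "default"


def make_policers():
    return {
        "routing": TokenBucket(rate=500, burst=100),
        "management": TokenBucket(rate=100, burst=50),
        "icmp": TokenBucket(rate=10, burst=10),      # pings aimed at the router itself
        "default": TokenBucket(rate=20, burst=20),
        "undesirable": None,                        # dropped unconditionally
    }


def police(packets):
    """Return per-class permitted/dropped counts for packets punted to the RP."""
    policers = make_policers()
    stats = defaultdict(lambda: {"permitted": 0, "dropped": 0})
    for pkt in sorted(packets, key=lambda p: p["t"]):
        cls = classify(pkt)
        bucket = policers[cls]
        ok = bucket is not None and bucket.conform(pkt["t"])
        stats[cls]["permitted" if ok else "dropped"] += 1
    return dict(stats)


def build_sample_packets():
    """Constructed traffic: OSPF hellos, management sessions, one rogue OSPF
    packet from the Internet, and a 1000-packet ICMP flood inside one second."""
    pkts = [{"t": 10.0 * i, "src": "10.0.0.2", "proto": "ospf"} for i in range(5)]
    pkts += [{"t": 1.0 + i, "src": "10.255.0.5", "proto": "ssh"} for i in range(3)]
    pkts += [{"t": 1.5 + i, "src": "203.0.113.8", "proto": "ssh"} for i in range(2)]
    pkts.append({"t": 7.0, "src": "203.0.113.7", "proto": "ospf"})
    pkts += [{"t": 5.0 + i * 0.001, "src": "203.0.113.9", "proto": "icmp"} for i in range(1000)]
    return pkts


if __name__ == "__main__":
    for cls, counts in police(build_sample_packets()).items():
        print(cls, counts)
```

With the sample traffic, all five OSPF hellos and all three management sessions pass, the rogue OSPF packet from a non-neighbor is dropped outright, and only about twenty of the thousand ICMP packets reach the route processor (the ten-token burst plus ten per second of refill); the rest are discarded before they can consume CPU. Separate buckets per class are what keep the ICMP flood from starving the routing adjacency.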

Management plane traffic is generated either by network devices or by network management stations using processes and protocols such as Telnet, SSH, TFTP, FTP, etc. Note that Telnet, TFTP and FTP carry credentials and configurations in cleartext; SSH (with SCP or SFTP for file transfer) should be preferred wherever the device supports it. The management plane is a very attractive target to hackers, so the management module was built with several technologies designed to mitigate such risks. The information flow between management hosts and the managed devices can be out-of-band (OOB), where information flows within a network on which no production traffic resides, or in-band, where information flows across the enterprise production network, the Internet, or both. Management plane security can be implemented using the following features:
Login and password policy - restricts device accessibility. Limits the accessible ports and restricts the "who" and "how" methods of access.
Present legal notification - displays legal notices. These are often developed by the legal counsel of a corporation.
Ensure the confidentiality of data - protects locally stored sensitive data from being viewed or copied. Uses management protocols with strong authentication to mitigate confidentiality attacks aimed at exposing passwords and device configurations.
Role-based access control (RBAC) - ensures access is only granted to authenticated users, groups, and services. RBAC and authentication, authorization, and accounting (AAA) services provide mechanisms to effectively manage access control.
Authorize actions - restricts the actions and views that are permitted to any particular user, group, or service.
Enable management access reporting - logs and accounts for all access. Records who accessed the device, what occurred, and when it occurred.

RBAC restricts user access based on the role of the user. Roles are created according to job or task functions and assigned access permissions to specific assets. Users are then assigned to roles and granted the permissions defined for that role. In Cisco IOS, the role-based CLI access feature implements RBAC for router management access: it creates different "views" that define which commands are accepted and what configuration information is visible. For scalability, users, permissions, and roles are usually created and maintained in a central repository server, which makes the access control policy available to multiple devices. The central repository server can be a AAA server, such as the Cisco Secure Access Control System (ACS), which provides AAA services to a network for management purposes.

Data plane traffic consists mostly of user-generated packets being forwarded through the router via the data plane. Data plane security can be implemented using ACLs, antispoofing mechanisms, and Layer 2 security features. ACLs perform packet filtering to control which packets move through the network and where those packets are allowed to go. ACLs are used to secure the data plane in a variety of ways, including:
Blocking unwanted traffic or users - ACLs can filter incoming or outgoing packets on an interface. They can be used to control access based on source addresses, destination addresses, or user authentication.
Reducing the chance of DoS attacks - ACLs can be used to specify whether traffic from hosts, networks, or users may access the network. The TCP intercept feature can also be configured to prevent servers from being flooded with connection requests.
Mitigating spoofing attacks - ACLs allow security practitioners to implement recommended practices to mitigate spoofing attacks.
Providing bandwidth control - ACLs on a slow link can prevent excess traffic.
Classifying traffic to protect the management and control planes - ACLs can be applied on the VTY lines.

ACLs can also be used as an antispoofing mechanism by discarding traffic that has an invalid source address. This forces attacks to be initiated from valid, reachable IP addresses, allowing the packets to be traced to the originator of an attack. Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy. Cisco Catalyst switches can use integrated features to help secure the Layer 2 infrastructure. The following Layer 2 security tools are integrated into Cisco Catalyst switches:
Port security - prevents MAC address spoofing and MAC address flooding attacks.
DHCP snooping - prevents client attacks on the DHCP server and switch.
Dynamic ARP Inspection (DAI) - adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
IP Source Guard - prevents spoofing of IP addresses by using the DHCP snooping table.
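The antispoofing ACL and uRPF described above are two different checks, and the example below shows why the notes call them complementary. It is an added example written for these notes, not Cisco code and not a router configuration: the forwarding table, interface names, addresses, the ACL entries and the "drop-urpf" label are constructed for illustration. Strict uRPF accepts a packet only if it arrived on the interface the router would use to reach the packet's source; the ACL then applies the explicit deny entries for internal and private source ranges plus the service permits, with the implicit deny at the end.

```python
"""Ingress ACL with anti-spoofing entries plus strict uRPF on a router
(added example). The FIB, interface names, addresses and ACL entries are
constructed for illustration; nothing here is a Cisco configuration."""
import ipaddress
from collections import namedtuple

net = ipaddress.ip_network
ANY = net("0.0.0.0/0")

# Forwarding table: (prefix, egress interface). Longest prefix wins.
FIB = [
    (net("10.0.0.0/8"), "inside"),
    (net("198.51.100.0/24"), "dmz"),
    (net("0.0.0.0/0"), "outside"),
]


def fib_lookup(addr):
    addr = ipaddress.ip_address(addr)
    matches = [(p.prefixlen, iface) for p, iface in FIB if addr in p]
    return max(matches)[1]


def urpf_strict_ok(pkt):
    """Strict uRPF: the packet must arrive on the interface the router would
    itself use to reach the packet's source address."""
    return fib_lookup(pkt["src"]) == pkt["iface"]


ACE = namedtuple("ACE", "action proto src dst dport")

# Inbound on the Internet-facing interface. The deny entries are the
# anti-spoofing filter: nothing from the Internet may claim an internal or
# private source. Every ACL ends with an implicit deny.
OUTSIDE_IN = [
    ACE("deny", "any", net("10.0.0.0/8"), ANY, None),
    ACE("deny", "any", net("172.16.0.0/12"), ANY, None),
    ACE("deny", "any", net("192.168.0.0/16"), ANY, None),
    ACE("deny", "any", net("127.0.0.0/8"), ANY, None),
    ACE("permit", "tcp", ANY, net("198.51.100.10/32"), 443),
    ACE("permit", "tcp", ANY, net("198.51.100.10/32"), 80),
]
# Inbound from the LAN: only our own address space may leave.
INSIDE_IN = [ACE("permit", "any", net("10.0.0.0/8"), ANY, None)]
ACLS = {"outside": OUTSIDE_IN, "inside": INSIDE_IN, "dmz": []}


def acl_decision(acl, pkt):
    """First matching entry wins; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for ace in acl:
        if ace.proto != "any" and ace.proto != pkt["proto"]:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        return ace.action
    return "deny"


def filter_packet(pkt):
    """uRPF runs first, then the inbound ACL of the arrival interface."""
    if not urpf_strict_ok(pkt):
        return "drop-urpf"
    return acl_decision(ACLS[pkt["iface"]], pkt)


if __name__ == "__main__":
    samples = [  # constructed packets: (interface, src, dst, proto, dport)
        ("outside", "203.0.113.7", "198.51.100.10", "tcp", 443),
        ("outside", "10.0.0.5", "198.51.100.10", "tcp", 443),     # spoofed, caught by uRPF
        ("outside", "192.168.1.1", "198.51.100.10", "tcp", 443),  # spoofed, caught by ACL
        ("outside", "203.0.113.7", "10.0.0.9", "tcp", 22),        # implicit deny
        ("inside", "10.0.0.5", "203.0.113.7", "tcp", 80),
        ("inside", "172.16.0.1", "203.0.113.7", "tcp", 80),       # spoofed, caught by uRPF
    ]
    for iface, src, dst, proto, dport in samples:
        pkt = {"iface": iface, "src": src, "dst": dst, "proto": proto, "dport": dport}
        print(iface, src, "->", dst, proto, dport, ":", filter_packet(pkt))
```

The 192.168.1.1 packet is the instructive one: the router has no specific route for it, so the default route points back out the interface it arrived on and strict uRPF passes it; only the explicit ACL entry stops it. Conversely uRPF catches the spoofed 10.0.0.5 packet before any ACL is consulted, and on the inside interface it stops a host that sends from an address the router does not route there. Either mechanism alone leaves a gap.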
