
CCNA Security Chapter 1

Modern Network Security Threats

1.0.1  What does network security involve?
Network security involves protocols, technologies, devices, tools, and techniques to secure data and mitigate threats.

What do network security organizations do?
They set standards, encourage collaboration, and provide workforce development opportunities for security professionals.

What are some types of network attacks?
Viruses, worms, and Trojan horses are specific types of network attacks. More generally, network attacks are classified as reconnaissance, access, or denial of service (DoS) attacks.

1.1.1  Why is network security important to organizations and businesses?
Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people's privacy (with potential legal consequences), and compromise the integrity of information. These breaches can result in lost revenue for corporations, theft of intellectual property, and lawsuits, and can even threaten public safety.

What is the difference between an intrusion detection system (IDS) and an intrusion prevention system (IPS)?
An IDS provides real-time detection of certain types of attacks while they are in progress; it typically works on a copy of the traffic and can only alert. An IPS sits inline in the traffic path, detects the same malicious activity, and can automatically block the attack in real time. The trade-off is that an IPS false positive drops legitimate traffic, whereas an IDS false positive only produces a spurious alert.

Explain the difference between packet-filtering firewalls and stateful firewalls.
Packet-filtering firewalls inspect each packet in isolation, without examining whether it is part of an existing connection. Each packet is compared against a set of predefined rules (typically source and destination address, protocol, and port) and is forwarded or dropped accordingly.
Stateful firewalls also use predefined rules for permitting or denying traffic. Unlike packet-filtering firewalls, however, they keep track of established connections and determine whether a packet belongs to an existing flow of data. Return traffic is admitted only when it matches a flow that an inside host initiated, so no standing "permit inbound" rule is needed for replies; this provides greater security and more rapid processing of packets that belong to known flows.
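The difference above is easiest to see on the wire. The following is an added example, not part of the CCNA curriculum: a toy stateless filter and a toy stateful filter are run over the same constructed packet sequence. The protected network (10.0.0.0/8), the rule set (inside hosts may reach outside web servers on TCP/80) and the five packets are assumptions made for the demo.

```python
"""Stateless vs stateful packet filtering, as an added example (not part of
the CCNA curriculum).  Both filters protect an inside network and must let
inside hosts reach outside web servers on TCP/80.  Addresses, the rule set
and the traffic below are constructed for this demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # assumed protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" data


def _inside(addr: str) -> bool:
    return ip_address(addr) in INSIDE


def stateless_filter(packets):
    """Packet filter: every packet is judged on its own header fields.
    To let web replies back in, the rule set must permit *any* packet from
    source port 80 to an inside host - which also admits unsolicited traffic
    from an attacker who simply sets his source port to 80."""
    verdicts = []
    for p in packets:
        outbound_web = _inside(p.src) and not _inside(p.dst) and p.dport == 80
        inbound_reply = not _inside(p.src) and _inside(p.dst) and p.sport == 80
        verdicts.append("permit" if (outbound_web or inbound_reply) else "deny")
    return verdicts


def stateful_filter(packets):
    """Stateful firewall: an outbound SYN to port 80 creates a flow entry;
    an inbound packet is permitted only if it is the reverse of a flow that
    an inside host opened.  No standing inbound rule is needed."""
    flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)
    verdicts = []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if _inside(p.src) and not _inside(p.dst) and p.dport == 80:
            if p.flags == "S":
                flows.add(fwd)  # connection setup: remember the flow
            verdicts.append("permit" if fwd in flows else "deny")
        elif not _inside(p.src) and _inside(p.dst):
            verdicts.append("permit" if rev in flows else "deny")
        else:
            verdicts.append("deny")
    return verdicts


# Constructed traffic: a legitimate web session followed by two attacker
# packets that masquerade as replies by using source port 80.
TRAFFIC = [
    Packet("10.1.1.5", 40000, "203.0.113.10", 80, "S"),   # inside opens a web session
    Packet("203.0.113.10", 80, "10.1.1.5", 40000, "SA"),  # genuine reply
    Packet("10.1.1.5", 40000, "203.0.113.10", 80, "A"),   # handshake completes
    Packet("198.51.100.7", 80, "10.1.1.5", 3389, "S"),    # attacker -> RDP, sport 80, no flow
    Packet("198.51.100.7", 80, "10.1.1.9", 40000, "PA"),  # forged reply to a host that never asked
]


def compare(packets=TRAFFIC):
    """Return the two verdict lists side by side."""
    return {"stateless": stateless_filter(packets), "stateful": stateful_filter(packets)}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The stateless filter permits all five packets, because packets 4 and 5 satisfy its "source port 80 to an inside host" reply rule. The stateful filter permits only the three packets of the real session and denies the two forgeries, since neither matches the reverse of a flow it recorded.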

What are the two main types of internal threats to the network?
Spoofing attacks, in which one device attempts to pose as another by falsifying data (for example, a forged source address).
DoS attacks, which make computer resources unavailable to their intended users.

What is cryptography?
The study and practice of hiding information.

Describe the three components of information security.
Confidentiality, integrity, and availability (CIA).
Confidentiality means that data is readable only by authorized parties; the plaintext is hidden from everyone else.
Integrity means that the data is preserved unaltered during any operation.
Availability means that data is accessible whenever it is needed.

1.1.2  What is a hacker? Bad or good?
Bad hackers work to gain unauthorized access to devices on the Internet, run programs that prevent or slow network access for a large number of users, or corrupt or wipe out data on servers.
Good hackers work to ensure that networks are not vulnerable to attack.

Describe Nmap.
Nmap ("Network Mapper") is a free and open source utility for network exploration and security auditing. It uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, what operating systems and what type of packet filters/firewalls are in use, and dozens of other characteristics.

Describe SATAN.
The Security Administrator Tool for Analyzing Networks (SATAN) is a testing and reporting toolbox that collects a variety of information about networked hosts.

Describe Back Orifice 2000.
BO2K describes itself as "the most powerful network administration tool available for the Microsoft environment", one that "puts network administrators solidly back in control of the system, network, registry, passwords, file system, and processes". That is the tool's own marketing text; in practice BO2K is a remote-access backdoor, and anti-virus products classify it as a Trojan horse.

What is the main need for laws safeguarding network security?
Trillions of dollars are transacted over the Internet on a daily basis, and the livelihoods of millions depend on Internet commerce.

1.1.3  What are some of the network security organizations?
SysAdmin, Audit, Network, Security (SANS) Institute
Computer Emergency Response Team (CERT)
International Information Systems Security Certification Consortium ((ISC)²)
MITRE Corporation
Forum of Incident Response and Security Teams (FIRST)
Center for Internet Security (CIS)


1.1.4  What are the 12 network security domains specified by ISO/IEC (ISO/IEC 27002)?
* risk assessment;
* security policy;
* organization of information security;
* asset management;
* human resources security;
* physical and environmental security;
* communications and operations management;
* access control;
* information systems acquisition, development and maintenance;
* information security incident management;
* business continuity management;
* compliance.

1.1.5  What is a security policy?
A security policy is a formal statement of the rules by which people who are given access to the technology and information assets of an organization must abide. The policy is used to aid in network design, convey security principles, and facilitate network deployments. The network security policy outlines what assets need to be protected and gives guidance on how they should be protected. The policy should specify that logs are formally maintained for all network devices and servers.

Describe the Cisco Self-Defending Network.
A Cisco Self-Defending Network (SDN) uses the network to identify, prevent, and adapt to threats. A Cisco SDN begins with a strong, secure, flexible network platform on which a security solution is built.

1.2.1  Describe the three primary vulnerabilities for end-user workstations.
A virus is malicious software that attaches to another program to execute a specific unwanted function on a computer; it needs a host program, and usually a user action, to run and spread.
A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, from which it infects other hosts over the network without any user action.
A Trojan horse is an application written to look like something else. When a Trojan horse is downloaded and opened, it attacks the end-user computer from within.

1.2.2  Describe the three major components of most worm attacks.
Enabling vulnerability - A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan horse) on a vulnerable system.
Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.
Payload - Any malicious code that results in some action. Most often this is used to create a backdoor to the infected host.

Describe the five basic phases of a worm or virus attack.
Probe phase (identify vulnerable targets)
Penetrate phase (transfer the exploit code to the target)
Persist phase (ensure the code survives a reboot)
Propagate phase (extend the attack to neighboring targets)
Paralyze phase (do the actual damage)

1.2.3  Describe the types of Trojan horse attacks.
Remote-access Trojan horse (enables unauthorized remote access)
Data-sending Trojan horse (provides the attacker with sensitive data such as passwords)
Destructive Trojan horse (corrupts or deletes files)
Proxy Trojan horse (the user's computer functions as a proxy server)
FTP Trojan horse (opens port 21)
Security software disabler Trojan horse (stops anti-virus programs or firewalls from functioning)
Denial of service Trojan horse (slows or halts network activity)

1.2.4  Describe the four phases of worm mitigation.
The response to a worm infection can be broken down into containment (limit the spread, for example with ACLs), inoculation (patch systems that are not yet infected), quarantine (identify and isolate infected machines), and treatment (clean and patch the infected systems) phases.

Describe Cisco Security Agent.
A host-based intrusion prevention system that can be integrated with anti-virus software from various vendors.

Describe Cisco Network Admission Control (NAC).
A turnkey solution to control network access. It admits only hosts that are authenticated and have had their security posture examined and approved for the network.

Describe Cisco MARS.
Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring for network security devices and host applications made by Cisco and other providers. MARS makes precise recommendations for threat removal, including the ability to visualize the attack path and identify the source of the threat with detailed topological graphs that simplify security response.

1.3.1  Describe the three major categories of network attacks.
Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities. Methods may include packet sniffers, ping sweeps, port scans, or Internet information queries (such as whois and DNS lookups).
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry. They are used to retrieve data, gain access, and escalate access privileges. They may include password attacks, trust exploitation, port redirection, man-in-the-middle attacks, or buffer overflows.
Denial of service (DoS) attacks send extremely large numbers of requests over a network or the Internet so that the target device runs suboptimally or becomes unavailable for legitimate access and use. When the requests come from many compromised hosts at once, the attack is a distributed denial of service (DDoS) attack.
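Ping sweeps and port scans leave a recognizable pattern in firewall logs, which is what an IDS or IPS keys on. The following is an added example, not curriculum code: a small detector run over constructed, syslog-like firewall lines. A port scan is flagged when one source touches many distinct ports on one host inside a sliding window, and a ping sweep when one source sends ICMP echo requests to many hosts. The log format, the two thresholds, and the sample lines are assumptions made for this demo.

```python
"""Reconnaissance detection over constructed firewall log lines, added here as
an example (not curriculum code).  A port scan shows up as one source touching
many distinct ports on one host within a short window; a ping sweep as one
source sending ICMP echo requests to many hosts.  The log format, thresholds
and sample lines are assumptions made for this demo."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<iso-timestamp> <action> <proto> <src>[:<sport>] -> <dst>[:<dport>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

WINDOW_S = 60               # sliding window in seconds
PORT_SCAN_THRESHOLD = 10    # distinct ports on one host from one source
PING_SWEEP_THRESHOLD = 8    # distinct hosts probed with ICMP from one source


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dport"] = int(e["dport"]) if e["dport"] else None
    return e


def detect_recon(lines):
    """Return one alert per (type, offender), raised the first time a threshold is crossed."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    seen = defaultdict(list)  # (kind, key) -> [(ts, value)] still inside the window
    flagged = set()
    alerts = []
    for e in events:
        if e["proto"] == "icmp":
            kind, key, value, threshold = "ping_sweep", e["src"], e["dst"], PING_SWEEP_THRESHOLD
        elif e["proto"] in ("tcp", "udp"):
            kind, key, value, threshold = "port_scan", (e["src"], e["dst"]), e["dport"], PORT_SCAN_THRESHOLD
        else:
            continue
        recent = [(t, v) for t, v in seen[(kind, key)] if (e["ts"] - t).total_seconds() <= WINDOW_S]
        recent.append((e["ts"], value))
        seen[(kind, key)] = recent
        distinct = len({v for _, v in recent})
        if distinct >= threshold and (kind, key) not in flagged:
            flagged.add((kind, key))
            src = key if kind == "ping_sweep" else key[0]
            alerts.append({"type": kind, "src": src, "count": distinct, "at": e["ts"].isoformat()})
    return alerts


# Constructed sample log.  Whether the firewall permitted or denied a probe does
# not matter for detection: a scanner hitting open ports is logged as 'permit'
# and still counts toward the threshold.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} deny tcp 198.51.100.7:{51000 + i} -> 10.1.1.5:{p}"
     for i, p in enumerate(SCANNED_PORTS)]                        # port scan of one host
    + [f"2024-05-01T10:00:{20 + i:02d} permit icmp 203.0.113.9 -> 10.1.1.{i + 1}"
       for i in range(12)]                                        # ping sweep of 10.1.1.0/24
    + [
        "2024-05-01T10:00:05 permit tcp 10.1.1.20:44000 -> 10.1.1.5:443",  # ordinary client
        "2024-05-01T10:00:06 permit tcp 10.1.1.20:44001 -> 10.1.1.5:443",
        "2024-05-01T10:00:25 permit icmp 10.1.1.20 -> 10.1.1.1",           # a single ping
        "garbage line that does not parse",
    ]
)
NORMAL_TRAFFIC = SAMPLE_LOG[-4:]


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG):
        print(alert)
```

Run over the sample, the detector raises exactly two alerts: a port scan from 198.51.100.7 at the tenth distinct port (10:00:09) and a ping sweep from 203.0.113.9 at the eighth distinct host (10:00:27); the ordinary client and the single ping stay below threshold. In production the thresholds and window need tuning per environment, since a monitoring host or a vulnerability scanner you run yourself will trip the same logic.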

1.3.3  Describe the five basic ways that DoS attacks can do harm.
Consumption of computational resources, such as bandwidth, disk space, or processor time
Disruption of configuration information, such as routing information
Disruption of state information, such as unsolicited resetting of TCP sessions
Disruption of physical network components
Obstruction of communication between the victim and others

1.3.4  How can reconnaissance attacks be mitigated?
Use strong authentication
Encrypt network traffic
Use anti-sniffer software
Implement a switched infrastructure
Use a firewall and IPS

How can access attacks be mitigated?
Strong password security
Principle of minimum trust
Cryptography
Applying operating system and application patches

How can DoS or DDoS attacks be mitigated?
IPS and firewalls (Cisco ASAs and ISRs)
Anti-spoofing technologies (drop packets whose source address cannot legitimately arrive on that interface)
Quality of Service (traffic policing, which caps the rate any one source may send)
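Two of the DoS mitigations just listed can be modelled in a few dozen lines. The following is an added example, not curriculum or Cisco code: an ingress anti-spoofing check (a packet is dropped unless its source address belongs on the interface it arrived on, the idea behind BCP 38 and unicast RPF) followed by a token-bucket policer that limits the packet rate per source. The interface-to-prefix table, the 10 packets/s rate with a burst of 5, and the traffic are assumptions made for the demo.

```python
"""Two DoS mitigations modelled in code as an added example (not curriculum
code): ingress anti-spoofing, where a packet is dropped unless its source
address belongs on the interface it arrived on (the idea behind BCP 38 and
unicast RPF), and a token-bucket traffic policer that caps the packet rate any
one source may send.  The interface/prefix table, the rates and the traffic
are assumptions made for this demo."""
from ipaddress import ip_address, ip_network

# Assumed topology: which source prefixes legitimately arrive on which interface.
INGRESS_PREFIXES = {
    "inside": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("192.0.2.0/24")],
}
INTERNAL = [p for prefixes in INGRESS_PREFIXES.values() for p in prefixes]


def anti_spoof(interface: str, src: str) -> bool:
    """True if the packet may pass.  'outside' accepts any source that is NOT
    one of our own prefixes; every other interface accepts only its own."""
    addr = ip_address(src)
    if interface == "outside":
        return not any(addr in p for p in INTERNAL)
    return any(addr in p for p in INGRESS_PREFIXES.get(interface, []))


class TokenBucket:
    """Single-rate policer.  Tokens are kept in thousandths and time in integer
    milliseconds so the arithmetic is exact: rate_pps tokens per second is the
    same as rate_pps milli-tokens per millisecond."""

    def __init__(self, rate_pps: int, burst: int):
        self.rate = rate_pps
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def conform(self, now_ms: int) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False  # out of profile: drop (real gear may re-mark instead)


def police(packets, rate_pps: int = 10, burst: int = 5):
    """packets: (time_ms, ingress_interface, src_ip).  Anti-spoofing runs first,
    then a per-source policer.  Returns a count per verdict."""
    buckets = {}
    counts = {"forward": 0, "spoofed": 0, "policed": 0}
    for t, iface, src in sorted(packets):
        if not anti_spoof(iface, src):
            counts["spoofed"] += 1
            continue
        bucket = buckets.setdefault(src, TokenBucket(rate_pps, burst))
        counts["forward" if bucket.conform(t) else "policed"] += 1
    return counts


# Constructed traffic: a normal client, a 100 pps flood from one outside host,
# an outside host forging an internal source, and an inside host forging a
# public source.
SAMPLE_TRAFFIC = (
    [(t, "inside", "10.1.1.5") for t in (0, 500, 1000)]
    + [(t * 10, "outside", "198.51.100.7") for t in range(20)]
    + [(t * 10, "outside", "10.2.2.2") for t in range(5)]
    + [(0, "inside", "203.0.113.5")]
)

if __name__ == "__main__":
    print(police(SAMPLE_TRAFFIC))  # {'forward': 9, 'spoofed': 6, 'policed': 14}
```

The flood source gets its 5-packet burst plus one more token every 100 ms, so 6 of its 20 packets are forwarded and 14 are policed; the 6 packets with impossible source addresses never reach the policer at all. Note that a policer only protects the link behind it: a volumetric DDoS that saturates the upstream circuit has to be rate-limited further upstream, at the provider.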

Describe the 10 best practices to secure your network.
1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs, and validate the ones you keep. Some websites allow users to enter usernames and passwords, and a hacker can enter more than just a username. For example, if the username is pasted into a shell command, entering "jdoe; rm -rf /" might allow an attacker to remove the root file system from a UNIX server. Programmers should restrict input to an allow-list of permitted characters rather than merely rejecting known-bad characters such as | ; < >, and should never hand user input to a shell in the first place.
6. Perform backups and test the backed-up files on a regular basis.
7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.
10. Develop a written security policy for the company.
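Best practice 5 is the one item on the list that is really a coding issue, so here is the "jdoe; rm -rf /" case worked through. This is an added example, not curriculum code: the vulnerable pattern (user input pasted into a command string that a shell parses) next to the two defences that stop it, allow-list validation and running the command without a shell. "echo" stands in for the real lookup command (the page's example implies something like finger) so the demo is safe to run, and the allow-list regex is an assumption.

```python
"""Best practice 5 above shows "jdoe; rm -rf /" smuggled through a username
field.  This added example (not curriculum code) puts the vulnerable pattern
next to two layers of defence.  'echo' stands in for the real lookup command
(the page's example implies something like 'finger') so the demo is safe to
run; the allow-list regex is an assumption."""
import re
import subprocess

# Allow-list for a POSIX-style login name.  Anything else is rejected outright
# instead of trying to strip a block-list of metacharacters such as | ; < >.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

LOOKUP_CMD = ["echo", "lookup:"]  # stand-in for e.g. ["finger"]


def lookup_vulnerable(username: str) -> str:
    """VULNERABLE: the username is pasted into one string that /bin/sh parses,
    so 'jdoe; rm -rf /' becomes two commands.  Never do this."""
    cmd = " ".join(LOOKUP_CMD) + " " + username
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_no_shell(username: str) -> str:
    """Defence layer 1: pass the value as its own argv element and involve no
    shell.  Metacharacters are never interpreted, even with no validation."""
    return subprocess.run(LOOKUP_CMD + [username], capture_output=True, text=True).stdout


def validate_username(username: str) -> bool:
    """Defence layer 2: allow-list validation at the input boundary."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(username: str) -> str:
    """Both layers: reject anything outside the allow-list, then run without a
    shell so a future validation bug still cannot become code execution."""
    if not validate_username(username):
        raise ValueError(f"invalid username: {username!r}")
    return lookup_no_shell(username)


if __name__ == "__main__":
    payload = "jdoe; echo INJECTED"  # harmless stand-in for "jdoe; rm -rf /"
    print("vulnerable :", lookup_vulnerable(payload).splitlines())
    print("no shell   :", lookup_no_shell(payload).splitlines())
    try:
        lookup_hardened(payload)
    except ValueError as err:
        print("hardened   :", err)
```

With the harmless payload, the vulnerable version prints two lines because the shell ran two commands; the no-shell version prints the whole string as a single literal argument; the hardened version refuses the input before anything runs. The argv form is the defence that matters most: validation can regress, but a command that never passes through a shell has no metacharacters to interpret.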
