Internetwork Expert's CCNA Security Bootcamp: Common Security Threats


Today's Network Security Challenge
- The goal of the network is to provide high availability and easy access to data to meet business requirements
- The goal of security is to protect and restrict access to this data
- Today's challenge is to find an acceptable balance between the two
  - No security means easy access, but is too risky
  - Too much security impedes access even when the risks do not outweigh the business goals

Copyright 2010 Internetwork Expert

Goals of Network Security
- Network security's goals are to protect data's:
  - Confidentiality: only authorized users should have access to it
  - Integrity: the data should not have been tampered with
  - Availability: data should be accessible whenever needed

Understanding Threats to Security
- "If you know both yourself and your enemy, you can win a hundred battles without a single loss." (Sun Tzu)
- The first step in preventing a security breach is to understand what types of threats exist

External Security Threats
- Users without physical access to, or prior knowledge of, the internal network
  - E.g. an attack coming from the Internet
- Generally more technical in nature
  - Attacker runs blind ping sweeps and port scans to find vulnerabilities
- Easier to prevent with technical tools
  - Firewall filtering on the network edge, IPS, etc.
- Our main focus for this class

Internal Security Threats
- Users that already have access to and knowledge of the internal network
  - E.g. a disgruntled employee
- Generally less technical in nature
  - User physically steals data
- Harder to prevent with technical tools
  - A firewall can't prevent physical theft
- Requires additional administrative or physical controls to prevent
  - Physical locks, surveillance cameras, ID challenge policy, etc.

Responding to Security Threats
- Attack mitigation is the process of preventing or responding to a breach in network security
- Attack mitigation can be:
  - Proactive: prevent attacks before they occur
    - E.g. a firewall blocking a port
  - Reactive: respond to an attack once it has occurred
    - E.g. an IPS shunning an attacker running a port scan

Implementing Attack Mitigation
- The first step of mitigation is to understand possible vulnerabilities and attacks
- Different tools are available for mitigation depending on whether confidentiality, integrity, or availability is being attacked

IP Spoofing Attacks
- Spoofing means that the attacker uses either a fake source or destination address
- The IPv4 protocol stack has no built-in provisions to ensure that the sender's or receiver's address is legitimate
- Spoofing has many possible goals, such as:
  - DoS attack (e.g. smurf or fraggle)
  - Control plane attack (e.g. route insertion/deletion or TCP RST)
  - Man-in-the-Middle (MiM) attack (e.g. ARP poisoning, source routing)

TCP Spoofing
- TCP sequence numbers add a layer of complexity when spoofing IP packets
  - The destination only accepts packets from a source with the correct sequence number or sequence number range
- IP spoofing against TCP sessions is categorized in two ways:
  - Non-blind spoofing: the attacker is on the same subnet or in the transit path of the victim, allowing TCP sequence numbers to be seen
  - Blind spoofing: the attacker is not on the same subnet or in the transit path, requiring sequence numbers to be guessed
- A successful attack can result in packet injection (e.g. session hijacking) or session termination (reset attack)

IP Spoofing Mitigation
- Since there are many ways to implement spoofing for different purposes, there are different ways to mitigate it:
  - Access Control Lists (ACLs)
    - RFC 2827, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"
  - Unicast Reverse Path Forwarding (URPF)
  - ARP Inspection
  - DHCP Snooping
  - IP Source Guard
  - Routing Protocol Authentication
  - BGP TTL Security
  - IP Options checking (source routing)
  - IPsec VPNs

Reconnaissance Attacks
- Used to map the network and discover resources
  - What are the routers, links, routing tables, hosts, etc.?
- Common methods:
  - Packet capture (sniffers)
  - Ping sweeps
  - Port scans
  - DNS queries

Reconnaissance Mitigation
- How are they mapping the network in the first place?
  - ICMP: Echo-reply, Unreachable, Mask reply, Redirect
  - Proxy ARP
  - CDP
- How to mitigate?
  - Disable unneeded services
  - IPS

Control Plane Attacks
- Availability attack to disrupt the routing and management protocols of the network
- Common methods:
  - Prefix injection/withdrawal
  - BGP reset
  - Telnet passwords
  - SNMP community strings
  - NTP spoofing

Control Plane Attack Mitigation
- Why is the control plane vulnerable?
  - No routing authentication
  - Promiscuous routing neighbors
  - Clear-text telnet and SNMP passwords
  - No NTP authentication
- How to mitigate?
  - Routing authentication
  - Unicast updates
  - SSH
  - SNMPv3
  - NTP authentication

DoS/DDoS Attacks
- Availability attack used to overwhelm links and servers to the point that they are unusable
- Common methods:
  - IP spoofing
  - Smurf
  - Fraggle
  - TCP SYN flooding

DoS/DDoS Attack Mitigation
- Why are we vulnerable?
  - TCP stack connection limits
  - Flood attack amplification
  - Input packets not RPF checked
- How to mitigate?
  - Half-open session monitoring
  - Disable directed broadcasts
  - RFC 2827 / BOGON filtering / URPF

Access Attacks
- Used to gain unauthorized access to resources
- Common methods:
  - Brute force password attacks
  - Keyloggers
  - Packet sniffers
  - Redirection
    - Layer 3 Man-in-the-Middle (MiM)
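The edge-filtering items listed under IP Spoofing Mitigation and DoS/DDoS Attack Mitigation (RFC 2827 ingress/egress ACLs, URPF, directed broadcasts, half-open session monitoring), as one added Cisco IOS configuration example that is not part of the original slides. The interface names, the 192.0.2.0/24 inside prefix and the 198.51.100.0/30 Internet link are assumed placeholders.

```cisco
! Added example, not from the original slides. Assumed topology (placeholders):
! GigabitEthernet0/0 faces the Internet on 198.51.100.0/30, GigabitEthernet0/1
! faces the internal network 192.0.2.0/24.
ip cef
!
! RFC 2827 ingress filter on the Internet side: drop packets that claim an
! internal or bogon source, then permit the rest for the stateful devices behind.
ip access-list extended INGRESS-ANTISPOOF
 remark Our own prefix must never arrive from the Internet
 deny   ip 192.0.2.0 0.0.0.255 any
 remark RFC 1918, loopback and "this network" sources are bogons
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 permit ip any any
!
! Egress filter on the inside: only our own prefix may leave, so an internal
! host cannot source a spoofed flood (smurf/fraggle/SYN) at someone else.
ip access-list extended EGRESS-ANTISPOOF
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! Half-open session monitoring: TCP Intercept in watch mode resets
! connections to the server subnet that stay half-open longer than 20 s.
ip access-list extended TCP-INTERCEPT-SERVERS
 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list TCP-INTERCEPT-SERVERS
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
interface GigabitEthernet0/0
 description Internet
 ip address 198.51.100.2 255.255.255.252
 ip access-group INGRESS-ANTISPOOF in
 no ip directed-broadcast
 ! URPF is not used here: with only a default route, loose mode would need
 ! allow-default and then accept any source, so the ACL does the filtering.
!
interface GigabitEthernet0/1
 description Inside
 ip address 192.0.2.1 255.255.255.0
 ip access-group EGRESS-ANTISPOOF in
 ! Strict URPF: the source must be reachable back out this same interface,
 ! which holds for a directly connected, symmetric inside network.
 ip verify unicast source reachable-via rx
 no ip directed-broadcast
```

Verify the filters with `show ip access-lists` (hit counters on the deny entries) and `show ip interface GigabitEthernet0/1` (URPF drop counter) after applying them.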

Access Attack Mitigation
- Why is access vulnerable?
  - Lenient password retry policy
  - Clear-text strings in protocol payloads
  - Hosts vulnerable to redirection
- How to mitigate?
  - AAA and lockouts
  - SSL/IPsec
  - HIPS

Application Attacks
- Targeted at software vulnerabilities
- Common methods:
  - Buffer overflows
  - Worms
  - Viruses
  - Trojans
  - etc.
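The router-side mitigations from the Reconnaissance Mitigation, Control Plane Attack Mitigation and Access Attack Mitigation slides above (disabling mapping services, routing and NTP authentication, SSH and SNMPv3 instead of clear-text protocols, login lockouts), as one added Cisco IOS hardening example that is not part of the original slides. Interface names, AS numbers, the BGP neighbor and NTP server addresses, and every value ending in CHANGE are assumed placeholders.

```cisco
! Added example, not from the original slides. Assumed (placeholders): OSPF
! area 0 on GigabitEthernet0/1, one directly connected eBGP neighbor at
! 198.51.100.1, NTP server 203.0.113.10; replace every *-CHANGE value.
!
! Reconnaissance: stop the router from answering the queries used to map it
no cdp run
no ip source-route
no ip http server
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ip proxy-arp
!
! Routing authentication; non-routing interfaces are passive so no
! unknown neighbor can form an adjacency there
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 OSPFKEY-CHANGE
router ospf 1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/1
router bgp 64496
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 password BGPKEY-CHANGE
 neighbor 198.51.100.1 ttl-security hops 1
!
! Management: SSH only, local login with lockout after 3 failures in 60 s
username admin privilege 15 secret ADMINSECRET-CHANGE
login block-for 120 attempts 3 within 60
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
!
! SNMPv3 with authentication and privacy instead of community strings
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AUTHPASS-CHANGE priv aes 128 PRIVPASS-CHANGE
!
! NTP authentication so the time source cannot be spoofed
ntp authenticate
ntp authentication-key 1 md5 NTPKEY-CHANGE
ntp trusted-key 1
ntp server 203.0.113.10 key 1
```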

Application Attack Mitigation
- Why are we vulnerable?
  - Patch application not enforced
  - Virus scan updates not enforced
- How to mitigate?
  - NAC
  - HIPS

Cisco's Self-Defending Network
- Network-based approach to protect network devices, endpoints, and the information traveling across the network
- Opposite of a "point solution", in which security devices are standalone
- Three main points are that the SDN is:
  - Integrated: every device in the network is a point of defense
  - Adaptive: behavioral methods recognize and adapt to new threats as they arise
  - Collaborative: network components work together to provide protection
- More info at http://www.cisco.com/go/sdn

Common Security Threats: Q&A