Internetwork Expert's CCNA Security Bootcamp
Common Security Threats

Today's Network Security Challenge
- The goal of the network is to provide high availability and easy access to data to meet business requirements
- The goal of security is to protect and restrict access to this data
- Today's challenge is to find an acceptable balance between the two
  - No security means easy access, but is too risky
  - Too much security impedes access, while the risks it avoids do not outweigh the business goals
Copyright 2010 Internetwork Expert
Goals of Network Security
- Network security's goals are to protect data's
  - Confidentiality: only authorized users should have access to it
  - Integrity: the data should not have been tampered with
  - Availability: data should be accessible whenever needed

Understanding Threats to Security
- "If you know both yourself and your enemy, you can win a hundred battles without a single loss." (Sun Tzu)
- The first step in preventing a security breach is to understand what types of threats exist
External Security Threats
- Users without physical access to or prior knowledge of the internal network
  - E.g. an attack coming from the Internet
- Generally more technical in nature
  - Attacker runs blind ping sweeps and port scans to find vulnerabilities
- Easier to prevent with technical tools
  - Firewall filtering on the network edge, IPS, etc.
- Our main focus for this class

Internal Security Threats
- Users that already have access to and knowledge of the internal network
  - E.g. a disgruntled employee
- Generally less technical in nature
  - User physically steals data
- Harder to prevent with technical tools
  - A firewall can't prevent physical theft
- Requires additional administrative or physical controls to prevent
  - Physical locks, surveillance cameras, ID challenge policy, etc.
Responding to Security Threats
- Attack mitigation is the process of preventing or responding to a breach in network security
- Attack mitigation can be
  - Proactive: prevent attacks before they occur
    - E.g. a firewall blocking a port
  - Reactive: respond to an attack once it has occurred
    - E.g. an IPS shunning an attacker running a port scan

Implementing Attack Mitigation
- The first step of mitigation is to understand possible vulnerabilities and attacks
- Different tools are available for mitigation depending on whether confidentiality, integrity, or availability is being attacked
IP Spoofing Attacks
- Spoofing means that the attacker uses either a fake source or destination address
- The IPv4 protocol stack has no built-in provisions to ensure that the sender's or receiver's address is legitimate
- Spoofing has many possible goals, such as
  - DoS attack (e.g. smurf or fraggle)
  - Control plane attack (e.g. route insertion/deletion or TCP RST)
  - Man-in-the-Middle (MiM) attack (e.g. ARP poisoning, source routing)

TCP Spoofing
- TCP sequence numbers add a layer of complexity when spoofing IP packets
  - The destination only accepts packets from a source with the correct sequence number or within the expected sequence number range
- IP spoofing against TCP sessions is categorized in two ways
  - Non-blind spoofing: the attacker is on the same subnet or in the transit path of the victim, allowing TCP sequence numbers to be seen
  - Blind spoofing: the attacker is not on the same subnet or in the transit path, requiring sequence numbers to be guessed
- A successful attack can result in packet injection (e.g. session hijacking) or session termination (reset attack)
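An added example (not from the INE deck) of the receiver-side sequence check just described: a segment is accepted only when its sequence number falls inside the current receive window, computed modulo 2**32 so wraparound is handled. The window state and segments are constructed.

```python
# Added example (not from the INE slides): the receiver-side sequence
# check that makes blind TCP spoofing hard. A segment is accepted only if
# its sequence number lies inside [rcv_nxt, rcv_nxt + rcv_wnd), computed
# modulo 2**32 so the check stays correct when sequence numbers wrap.
SEQ_MOD = 1 << 32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies within the receive window (simplified RFC 793 test)."""
    if rcv_wnd == 0:
        return seq == rcv_nxt  # zero window: only the exact next byte is acceptable
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def filter_segments(rcv_nxt: int, rcv_wnd: int, segments):
    """Split (label, seq) pairs into accepted and dropped labels."""
    accepted, dropped = [], []
    for label, seq in segments:
        (accepted if seq_in_window(seq, rcv_nxt, rcv_wnd) else dropped).append(label)
    return accepted, dropped


# Constructed state: the in-path peer knows rcv_nxt; an off-path (blind)
# attacker does not and has to guess. Labels are for readability only.
RCV_NXT, RCV_WND = 0xFFFFFF00, 65535
SEGMENTS = [
    ("in-path peer, correct seq", RCV_NXT),
    ("in-path peer, after wrap", (RCV_NXT + 0x200) % SEQ_MOD),  # past 2**32
    ("blind guess, far off", 0x12345678),
    ("blind guess, just below window", (RCV_NXT - 1) % SEQ_MOD),
]

if __name__ == "__main__":
    accepted, dropped = filter_segments(RCV_NXT, RCV_WND, SEGMENTS)
    print("accepted:", accepted)
    print("dropped:", dropped)
```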
IP Spoofing Mitigation
- Since there are many ways to implement spoofing for different purposes, there are different ways to mitigate it
  - Access Control Lists (ACLs)
    - RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
  - Unicast Reverse Path Forwarding (URPF)
  - ARP Inspection
  - DHCP Snooping
  - IP Source Guard
  - Routing Protocol Authentication
  - BGP TTL Security
  - IP Options checking (source routing)
  - IPsec VPNs

Reconnaissance Attacks
- Used to map the network and discover resources
  - What are the routers, links, routing tables, hosts, etc.?
- Common methods
  - Packet capture (sniffers)
  - Ping sweeps
  - Port scans
  - DNS queries
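An added example (not the deck's or Cisco's code) modelling two of the spoofing mitigations listed above, strict Unicast RPF and RFC 2827 ingress-filtering ACLs, on a constructed routing table with constructed interface names and packets; the allow_default parameter mirrors the allow-default keyword of the IOS uRPF command.

```python
# Added example (not from the INE slides): a model of two listed spoofing
# mitigations, strict Unicast RPF and RFC 2827 ingress filtering, applied to
# constructed packets arriving on a constructed router.
import ipaddress

# Constructed routing table: (prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "Gi0/0"),       # default route toward the Internet
    ("10.1.0.0/16", "Gi0/1"),     # internal LAN
    ("192.168.5.0/24", "Gi0/2"),  # DMZ
]
EDGE_IFACE = "Gi0/0"

def best_route(addr: str, allow_default: bool = False):
    """Longest-prefix match; egress interface or None. The default route only
    counts when allow_default is set (like IOS 'reachable-via rx allow-default')."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def urpf_strict_ok(src: str, ingress: str, allow_default: bool = False) -> bool:
    """Strict uRPF: the best route back to src must exit via the ingress interface."""
    return best_route(src, allow_default) == ingress

def rfc2827_ok(src: str, ingress: str) -> bool:
    """RFC 2827 style ACLs: internal prefixes may not arrive from the edge, and an
    internal interface may only source packets from the prefix routed to it."""
    ip = ipaddress.ip_address(src)
    internal = [(ipaddress.ip_network(p), i) for p, i in ROUTES if i != EDGE_IFACE]
    if ingress == EDGE_IFACE:
        return not any(ip in net for net, _ in internal)
    return any(ip in net and iface == ingress for net, iface in internal)

def verdict(src: str, ingress: str, allow_default: bool = False) -> str:
    """'permit' if both checks pass, otherwise 'drop:' plus the failing checks."""
    checks = [("rfc2827-acl", rfc2827_ok(src, ingress)),
              ("urpf-strict", urpf_strict_ok(src, ingress, allow_default))]
    failed = [name for name, ok in checks if not ok]
    return "permit" if not failed else "drop:" + ",".join(failed)

if __name__ == "__main__":
    for src, iface in [("10.1.2.3", "Gi0/1"), ("10.1.2.3", "Gi0/0"), ("203.0.113.7", "Gi0/1")]:
        print(src, "on", iface, "->", verdict(src, iface))
```

Without allow_default, a legitimate Internet source arriving on the edge interface fails strict uRPF because only the default route covers it; enabling allow_default (or using loose mode) is the usual fix on an edge with a default route.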
Reconnaissance Mitigation
- How are they mapping the network in the first place?
  - ICMP
    - Echo-reply
    - Unreachable
    - Mask reply
    - Redirect
  - Proxy ARP
  - CDP
- How to mitigate?
  - Disable unneeded services
  - IPS

Control Plane Attacks
- Availability attack to disrupt the routing and management protocols of the network
- Common methods
  - Prefix injection/withdrawal
  - BGP reset
  - Telnet passwords
  - SNMP community strings
  - NTP spoofing
Control Plane Attack Mitigation
- Why is the control plane vulnerable?
  - No routing authentication
  - Promiscuous routing neighbors
  - Clear text telnet and SNMP passwords
  - No NTP authentication
- How to mitigate
  - Routing authentication
  - Unicast updates
  - SSH
  - SNMPv3
  - NTP authentication

DoS/DDoS Attacks
- Availability attack used to overwhelm links and servers to the point that they are unusable
- Common methods
  - IP spoofing
  - Smurf
  - Fraggle
  - TCP SYN flooding
DoS/DDoS Attack Mitigation
- Why are we vulnerable?
  - TCP stack connection limits
  - Flood attack amplification
  - Input packets not RPF checked
- How to mitigate
  - Half-open session monitoring
  - Disable directed broadcasts
  - RFC 2827 / BOGON filtering / URPF

Access Attacks
- Used to gain unauthorized access to resources
- Common methods
  - Brute force password attacks
  - Keyloggers
  - Packet sniffers
  - Redirection
    - Layer 3 Man-in-the-Middle (MiM)
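An added example (not from the INE deck) of the half-open session monitoring listed above, run over a constructed snapshot of a server's connection table; the line format, the addresses and the threshold are assumptions, not output of any real tool.

```python
# Added example (not from the INE slides): half-open (embryonic) session
# monitoring over a constructed snapshot of a server's TCP connection table.
# A listening socket whose SYN_RECV count reaches the threshold is reported
# with the number of distinct sources, since many half-open sessions from
# many different addresses is the usual shape of a spoofed SYN flood.
import re
from collections import defaultdict

# Constructed snapshot: "<state> <src ip>:<port> -> <dst ip>:<port>"
SNAPSHOT = """\
SYN_RECV 203.0.113.5:44123 -> 10.1.0.10:80
SYN_RECV 198.51.100.9:51200 -> 10.1.0.10:80
SYN_RECV 203.0.113.17:40001 -> 10.1.0.10:80
SYN_RECV 198.51.100.44:60210 -> 10.1.0.10:80
SYN_RECV 192.0.2.77:39911 -> 10.1.0.10:80
SYN_RECV 203.0.113.5:44124 -> 10.1.0.10:80
SYN_RECV 192.0.2.8:50310 -> 10.1.0.20:443
SYN_RECV 192.0.2.9:50311 -> 10.1.0.20:443
ESTABLISHED 10.1.2.3:50000 -> 10.1.0.10:80
not a connection line
"""
LINE_RE = re.compile(r"^(?P<state>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def parse_line(line: str):
    """Return (state, src, dst) or None if the line is not a connection entry."""
    m = LINE_RE.match(line.strip())
    return (m.group("state"), m.group("src"), m.group("dst")) if m else None

def half_open_report(snapshot: str, threshold: int) -> dict:
    """Map each server socket with >= threshold half-open sessions to
    (half_open_count, distinct_source_addresses)."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in snapshot.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] != "SYN_RECV":
            continue
        _, src, dst = parsed
        counts[dst] += 1
        sources[dst].add(src.rsplit(":", 1)[0])  # source address without port
    return {dst: (n, len(sources[dst])) for dst, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for sock, (n, distinct) in half_open_report(SNAPSHOT, 5).items():
        print(f"{sock}: {n} half-open sessions from {distinct} distinct sources")
```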
Access Attack Mitigation
- Why is access vulnerable?
  - Lenient password retry policy
  - Clear text strings in protocol payloads
  - Hosts vulnerable to redirection
- How to mitigate?
  - AAA and lockouts
  - SSL/IPsec
  - HIPS

Application Attacks
- Targeted at software vulnerabilities
- Common methods
  - Buffer overflows
  - Worms
  - Viruses
  - Trojans
  - etc.
Application Attacks
- Why are we vulnerable?
  - Patch application not enforced
  - Virus scan updates not enforced
- How to mitigate?
  - NAC
  - HIPS

Cisco's Self-Defending Network
- Network-based approach to protect network devices, endpoints, and the information traveling across the network
- Opposite of a "point solution" in which security devices are standalone
- Three main points are that SDN is
  - Integrated: every device in the network is a point of defense
  - Adaptive: behavioral methods recognize and adapt to new threats as they arise
  - Collaborative: network components work together to provide protection
- More info at http://www.cisco.com/go/sdn
Common Security Threats
Q&A