Introduction to Network — #16 Network Security

Cisco Networking Academy, Hands-on Course!

Ghifari Nur
netSHOOT

--

16.0 — Introduction

16.0.1 — Why should I take this module?

You may have already set up a network, or you may be getting ready to do just that. Here is something to think about. Setting up a network without securing it is like opening all the doors and windows to your home and then going on vacation. Anyone could come by, gain entry, steal or break items, or just make a mess. As you have seen on the news, it is possible to break into any network!

As a network administrator, it is part of your job to make it difficult for threat actors to gain access to your network. This module gives you an overview of types of network attacks and what you can do to reduce a threat actor’s chances of succeeding. It also has Packet Tracer activities to let you practice some basic techniques for network security.

16.0.2 — What will I learn to do in this module?

Module Title: Network Security Fundamentals

Module Objective: Configure switches and routers with device hardening features to enhance security.

16.1 — Security Threats and Vulnerabilities

16.1.1 — Types of Threats

Attacks on a network can be devastating and can result in a loss of time and money due to damage, or theft of important information or assets.

Intruders can gain access to a network through software vulnerabilities, hardware attacks, or through guessing someone’s username and password. Intruders who gain access by modifying software or exploiting software vulnerabilities are called threat actors.

After the threat actor gains access to the network, four types of threats may arise.

Information Theft

Information theft is breaking into a computer to obtain confidential information. The information can then be used or sold for various purposes, such as when someone steals the proprietary information of an organization, like research and development data.

Data Loss and Manipulation

Data loss and manipulation is breaking into a computer to destroy or alter data records. An example of data loss is a threat actor sending a virus that reformats a computer hard drive. An example of data manipulation is breaking into a records system to change information, such as the price of an item.

Identity Theft

Identity theft is a form of information theft where personal information is stolen for the purpose of taking over someone's identity. Using this information, a threat actor can obtain legal documents, apply for credit, and make unauthorized online purchases. Identity theft is a growing problem costing billions of dollars per year.

Disruption of service

Disruption of service is preventing legitimate users from accessing services to which they are entitled. Examples include denial of service (DoS) attacks on servers, network devices, or network communications links.

16.1.2 — Types of Vulnerabilities

Vulnerability is the degree of weakness in a network or a device. Some degree of vulnerability is inherent in routers, switches, desktops, servers, and even security devices. Typically, the network devices under attack are the endpoints, such as servers and desktop computers.

The three primary categories of vulnerability are as follows:

  • Technological vulnerabilities
  • Configuration vulnerabilities
  • Policy vulnerabilities

16.1.3 — Physical Security

An equally important vulnerable area of the network to consider is the physical security of devices. If network resources can be physically compromised, a threat actor can deny the use of network resources.

The four classes of physical threats are as follows:

  • Hardware threats — This includes physical damage to servers, routers, switches, cabling plant, and workstations.
  • Environmental threats — This includes temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry).
  • Electrical threats — This includes voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss.
  • Maintenance threats — This includes poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling.

Plan Physical Security to Limit Damage to Equipment

16.2 — Network Attacks

16.2.1 — Types of Malware

Viruses

A computer virus is a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program. It spreads from one computer to another, leaving infections as it travels.

Viruses can range in severity from causing mildly annoying effects, to damaging data or software and causing denial of service (DoS) conditions.

Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected email attachments.

Worms

Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage.

Trojan Horses

A Trojan horse is another type of malware named after the wooden horse the Greeks used to infiltrate Troy.

Trojan horses are also known to create back doors to give malicious users access to the system.

Trojan horses do not reproduce by infecting other files. They self-replicate. Trojan horses must spread through user interaction such as opening an email attachment or downloading and running a file from the internet.

16.2.2 — Reconnaissance Attacks

Network attacks can be classified into three major categories:

  • Reconnaissance attacks — The discovery and mapping of systems, services, or vulnerabilities.
  • Access attacks — The unauthorized manipulation of data, system access, or user privileges.
  • Denial of service — The disabling or corruption of networks, systems, or services.

For reconnaissance attacks, external threat actors can use internet tools, such as the nslookup and whois utilities.

To help automate the ping sweep step that follows, a threat actor may use a ping sweep tool, such as fping or gping.

Internet Queries

The threat actor is looking for initial information about a target. Various tools can be used, including Google search, the websites of organizations, whois, and more.

Ping Sweeps

The threat actor initiates a ping sweep to determine which IP addresses are active.

Port Scans

The threat actor performs a port scan on the discovered active IP addresses.

16.2.3 — Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

Access attacks can be classified into four types: password attacks, trust exploitation, port redirection, and man-in-the-middle.

Password Attacks

Threat actors can implement password attacks using several different methods:

  • Brute-force attacks
  • Trojan horse attacks
  • Packet sniffers

Trust Exploitation

In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target.

Port Redirection

In a port redirection attack, a threat actor uses a compromised system as a base for attacks against other targets. The example in the figure shows a threat actor using SSH (port 22) to connect to a compromised host A. Host A is trusted by host B and, therefore, the threat actor can use Telnet (port 23) to access it.

Man-in-the-Middle

In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties. The figure displays an example of a man-in-the-middle attack.

16.2.4 — Denial of Service Attacks

Denial of service (DoS) attacks are the most publicized form of attack and among the most difficult to eliminate. However, because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators.

DoS Attack

DoS attacks are a major risk because they interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled threat actor.

DDoS Attack

A DDoS is similar to a DoS attack, but it originates from multiple, coordinated sources. For example, a threat actor builds a network of infected hosts, known as zombies. A network of zombies is called a botnet. The threat actor uses a command and control (CnC) program to instruct the botnet of zombies to carry out a DDoS attack.

16.3 — Network Attacks Mitigations

16.3.1 — The Defense in Depth Approach

To mitigate network attacks, you must first secure devices including routers, switches, servers, and hosts. Most organizations employ a defense-in-depth approach (also known as a layered approach) to security.

In the figure, all network devices, including the router and switches, are also hardened, as indicated by the combination locks on their respective icons. This means they have been secured to prevent threat actors from gaining access to and tampering with the devices.

16.3.2 — Keep Backups

Backing up device configurations and data is one of the most effective ways of protecting against data loss. A data backup stores a copy of the information on a computer to removable backup media that can be kept in a safe place.

Backups should be performed on a regular basis as identified in the security policy. Data backups are usually stored offsite to protect the backup media if anything happens to the main facility. Windows hosts have a backup and restore utility. It is important for users to back up their data to another drive, or to a cloud-based storage provider.

16.3.3 — Upgrade, Update, and Patch

Keeping up to date with the latest developments can lead to a more effective defense against network attacks. As new malware is released, enterprises need to keep current with the latest versions of antivirus software.

One solution to the management of critical security patches is to make sure all end systems automatically download updates, as shown for Windows 10 in the figure. Security patches are automatically downloaded and installed without user intervention.

16.3.4 — Authentication, Authorization, and Accounting

All network devices should be securely configured to provide only authorized individuals with access. Authentication, authorization, and accounting (AAA, or “triple A”) network security services provide the primary framework to set up access control on network devices.

AAA is a way to control who is permitted to access a network (authentication), what actions they may perform while accessing the network (authorization), and to keep a record of what was done while they were there (accounting).

16.3.5 — Firewalls

A firewall is one of the most effective security tools available for protecting users from external threats. A firewall protects computers and networks by preventing undesirable traffic from entering internal networks.

Firewall Operation

Firewall Topology with DMZ

A firewall could allow outside users controlled access to specific services. For example, servers accessible to outside users are usually located on a special network referred to as the demilitarized zone (DMZ), as shown in the figure. The DMZ enables a network administrator to apply specific policies for hosts connected to that network.

16.3.6 — Types of Firewalls

Firewall products come packaged in various forms. These products use different techniques for determining what will be permitted or denied access to a network. They include the following:

  • Packet filtering — Prevents or allows access based on IP or MAC addresses
  • Application filtering — Prevents or allows access by specific application types based on port numbers
  • URL filtering — Prevents or allows access to websites based on specific URLs or keywords
  • Stateful packet inspection (SPI) — Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless specifically permitted. SPI can also include the capability to recognize and filter out specific types of attacks, such as denial of service (DoS)

16.3.7 — Endpoint Security

An endpoint, or host, is an individual computer system or device that acts as a network client. Common endpoints are laptops, desktops, servers, smartphones, and tablets. Securing endpoint devices is one of the most challenging jobs of a network administrator because it involves human nature. A company must have well-documented policies in place and employees must be aware of these rules. Employees need to be trained on proper use of the network. Policies often include the use of antivirus software and host intrusion prevention. More comprehensive endpoint security solutions rely on network access control.

16.4 — Device Security

16.4.1 — Cisco AutoSecure

The security settings are set to the default values when a new operating system is installed on a device. In most cases, this level of security is inadequate. For Cisco routers, the Cisco AutoSecure feature can be used to assist in securing the system, as shown in the example.

In addition, there are some simple steps that should be taken that apply to most operating systems:

  • Default usernames and passwords should be changed immediately.
  • Access to system resources should be restricted to only the individuals that are authorized to use those resources.
  • Any unnecessary services and applications should be turned off and uninstalled when possible.

16.4.2 — Passwords

To protect network devices, it is important to use strong passwords. Here are standard guidelines to follow:

  • Use a password length of at least eight characters, preferably 10 or more characters. A longer password is a more secure password.
  • Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
  • Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
  • Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
  • Change passwords often. If a password is unknowingly compromised, the window of opportunity for the threat actor to use the password is limited.
  • Do not write passwords down and leave them in obvious places such as on the desk or monitor.

Weak Password

Strong Password

16.4.3 — Additional Password Security

Strong passwords are only useful if they are secret. Several steps can be taken to help ensure that passwords remain secret on Cisco routers and switches, including these:

  • Encrypting all plaintext passwords
  • Setting a minimum acceptable password length
  • Deterring brute-force password guessing attacks
  • Disabling inactive privileged EXEC mode access after a specified amount of time

The service password-encryption global configuration command prevents unauthorized individuals from viewing plaintext passwords in the configuration file.

To set a minimum acceptable password length, use the security passwords min-length length command in global configuration mode.

Use the login block-for # attempts # within # global configuration command to deter brute-force password guessing. In the figure, for example, the login block-for 120 attempts 3 within 60 command will block vty login attempts for 120 seconds if there are three failed login attempts within 60 seconds.

By default, a Cisco IOS device logs out an inactive EXEC session after 10 minutes. You can reduce this setting using the exec-timeout minutes seconds line configuration command.
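As an added illustration (not part of the course material or Cisco's code), the following Python model replays failed-login timestamps against the login block-for 120 attempts 3 within 60 setting described above, so you can see when the vty lines enter quiet mode; the sliding-window treatment of "within" is an assumption of this simplified model.

```python
from dataclasses import dataclass, field

@dataclass
class LoginBlockFor:
    """Simplified model of 'login block-for <secs> attempts <n> within <window>':
    once n failed logins land inside the window, vty logins are refused (quiet
    mode) for block_secs. Written for this page as an illustration; it is not
    Cisco's implementation, which also honours a quiet-mode access list."""
    block_secs: int
    attempts: int
    within: int
    failures: list = field(default_factory=list)  # timestamps of recent failures
    quiet_until: int = -1                          # end of the current quiet period

    def is_blocked(self, t: int) -> bool:
        """True while the device refuses vty logins at time t (seconds)."""
        return t < self.quiet_until

    def record_failure(self, t: int) -> bool:
        """Register a failed login at time t; return whether logins are now blocked."""
        if self.is_blocked(t):
            return True                   # still in quiet mode, attempt is dropped
        # keep only failures that fall inside the (assumed sliding) 'within' window
        self.failures = [f for f in self.failures if t - f < self.within]
        self.failures.append(t)
        if len(self.failures) >= self.attempts:
            self.quiet_until = t + self.block_secs
            self.failures.clear()
            return True
        return False

def simulate(model: LoginBlockFor, failure_times: list) -> list:
    """Replay a constructed sequence of failed-login timestamps and return
    (time, blocked) pairs, e.g. to check what a device log should have shown."""
    return [(t, model.record_failure(t)) for t in failure_times]
```

LoginBlockFor(120, 3, 60) corresponds to the command in the text: failures at 0, 30 and 55 seconds trigger a 120-second quiet period on the third one, whereas failures at 0, 30 and 61 seconds do not, because the first has already aged out of the 60-second window.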

16.4.4 — Enable SSH

Telnet is convenient for remote access, but everything it sends, including usernames and passwords, crosses the network in plaintext. For this reason, it is highly recommended to enable Secure Shell (SSH) on devices for secure remote access.

It is possible to configure a Cisco device to support SSH using the following six steps:

Step 1. Configure a unique device hostname. A device must have a unique hostname other than the default.

Step 2. Configure the IP domain name. Configure the IP domain name of the network by using the global configuration mode command ip domain name name.

Step 3. Generate a key to encrypt SSH traffic. SSH encrypts traffic between source and destination. However, to do so, a unique authentication key must be generated by using the global configuration command crypto key generate rsa general-keys modulus bits. The modulus value determines the size of the key and can be configured from 360 bits to 2048 bits. The larger the bit value, the more secure the key. However, larger bit values also take longer to encrypt and decrypt information. The minimum recommended modulus length is 1024 bits.

Step 4. Verify or create a local database entry. Create a local database username entry using the username global configuration command. In the example, the parameter secret is used so that the password will be encrypted using MD5.

Step 5. Authenticate against the local database. Use the login local line configuration command to authenticate the vty line against the local database.

Step 6. Enable vty inbound SSH sessions. By default, no input session is allowed on vty lines. You can specify multiple input protocols including Telnet and SSH using the transport input {ssh | telnet} command.

16.4.5 — Disable Unused Services

Cisco routers and switches start with a list of active services that may or may not be required in your network.

For example, IOS-XE typically will have only HTTPS and DHCP ports open. You can verify this with the show ip ports all command, as shown in the example.

IOS versions prior to IOS-XE use the show control-plane host open-ports command.

Both the HTTP and Telnet services should be disabled. As shown in the example, disable HTTP with the no ip http server global configuration command. Disable Telnet by specifying only SSH in the line configuration command, transport input ssh.
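The following Python script is an added example, not part of the course or of Cisco's tooling: it audits a constructed IOS running-config (the SAMPLE_CONFIG string, assumed for illustration) for the hardening items covered in 16.4.3 to 16.4.5, so a defender can spot a vty line that still accepts Telnet, an exec-timeout that has been switched off, or an HTTP server left enabled.

```python
import re

# Constructed sample running-config (not taken from any real device) that
# applies the hardening covered in 16.4.3 to 16.4.5; the secret is a placeholder.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 10
login block-for 120 attempts 3 within 60
ip domain name example.com
username admin secret 5 PLACEHOLDER_HASH
no ip http server
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
"""

# Global-mode checks: (what is missing, regex that one config line must match).
REQUIRED = [
    ("unique hostname",                      r"^hostname (?!Router$|Switch$)\S+$"),
    ("service password-encryption",          r"^service password-encryption$"),
    ("security passwords min-length",        r"^security passwords min-length \d+$"),
    ("login block-for",                      r"^login block-for \d+ attempts \d+ within \d+$"),
    ("ip domain name (needed for SSH keys)", r"^ip domain name \S+$"),
    ("local username with secret",           r"^username \S+ secret "),
    ("no ip http server",                    r"^no ip http server$"),
]
# Checks for the 'line vty' block. 'exec-timeout 0 0' disables the timeout
# altogether, so it is deliberately rejected rather than counted as present.
VTY_REQUIRED = [
    ("login local",           r"^login local$"),
    ("transport input ssh",   r"^transport input ssh$"),   # 'telnet ssh' fails
    ("non-zero exec-timeout", r"^exec-timeout (?!0 0$)\d+ \d+$"),
]

def audit(config: str) -> list:
    """Return findings for missing hardening; an empty list means all pass."""
    global_lines, vty_lines, in_vty = [], [], False
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            in_vty = True                 # indented lines that follow are vty config
        elif raw.startswith(" ") and in_vty:
            vty_lines.append(raw.strip())  # all vty ranges are pooled together
        else:
            in_vty = False                # any other top-level line ends the block
            global_lines.append(raw.strip())
    findings = [f"MISSING: {what}" for what, pat in REQUIRED
                if not any(re.match(pat, line) for line in global_lines)]
    findings += [f"MISSING (line vty): {what}" for what, pat in VTY_REQUIRED
                 if not any(re.match(pat, line) for line in vty_lines)]
    return findings
```

Paste the output of show running-config in place of SAMPLE_CONFIG to audit a real device; because the vty ranges are pooled, a second range such as line vty 5 15 that differs from the first will not be reported separately.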

--