An Introduction to Network Security

The rapid emergence of the Internet, as well as integrated network infrastructure, has resulted in complex, mission-critical networks that introduce a plethora of security concerns. The IINS exam objectives covered in this chapter are as follows:

• Describe and list mitigation methods for common network attacks
• Describe and list mitigation methods for worm, virus, and Trojan horse attacks
• Describe the Cisco Self-Defending Network architecture

Back to book index.

Network Security Threats

IP networks are susceptible to security breaches by intruders using a number of different methods. Through the campus network, by dialup, and, most commonly, through the Internet, attackers can view IP data and attack vulnerable network devices and hosts. The OSI Model enables different Layers to work independently of each other. Each Layer of the OSI Model is responsible for a specific function within the stack, with information flowing upwards or downwards to the next Layer as data is processed.

In terms of network security, this means that if one of the Layers of the OSI Model is compromised, then communications are compromised without the other Layers knowing about it. For example, if the Physical Layer is compromised, then all other Layers could also be compromised in succession. Security should cover all Layers of the OSI Model, because, when it comes to networking, security is only as strong as the weakest link.

Every IP network infrastructure should be based on a sound security policy, which will be described in detail later in this chapter. This security policy should be designed to address all of these potential weaknesses and threats. In addition to this, network vulnerabilities must be constantly monitored, found, and addressed because they define points in the network that are potential security weak points that can be exploited by attackers. These vulnerabilities can be discovered by performing a network evaluation, which can include the following:

1. Scanning a network for active IP addresses and open ports on those IP addresses
2. Scanning identified hosts for known vulnerabilities
3. Using password cracking utilities
4. Reviewing system and security logs
5. Performing virus scans
6. Performing penetration testing to see if specific systems (e.g. servers) can be compromised
7. Scanning for unsecured wireless networks

There are two broad categories of network security threats: internal and external.

Internal Threats

Internal security threats originate within the network. That is, these threats are from authorized users of the network, for example, employees, vendors, and possibly even business partners. According to the Computer Security Institute (CSI), approximately 60 to 80 per cent of network security incidents originate from within the network. The reasons internal threats are so common include the following:

• Internal users have knowledge of the network and its resources. For example, users know the IP addresses of servers and network devices (e.g. routers and switches) as well as the location of documentation (e.g. network shares). Armed with this knowledge, users can attempt to connect to these resources and gain unauthorized access.

• Internal users typically have some level of access granted to them because of their position requirements. For example, network and security administrators have access to network devices and servers because of their requirements. However, these users can also use this access for malicious purposes, such as to cover up audit trails of their activities by deleting logs of their activities from certain systems, etc.

• Traditional network security mechanisms are typically deployed on external-facing networks (e.g. the Internet) to prevent external users from unauthorized access. However, this means that they offer no protection from internal users on the trusted network.

External Threats

External threats are those that originate from external attackers who do not yet have intimate knowledge of the network. The majority of these attackers are not very skilled; however, there are some that do possess considerable skill. Some common types of attackers are listed and described in the following table:

Table 1.1. Common Attacker Types

Attacker Type	Description
White Hat Hacker	While White Hat Hackers possess the skill and knowledge to break into computer systems and do damage, they use their skills to help protect organizations from other malicious attackers.
Black Hat Hacker	Black Hat Hackers are also referred to as Crackers, and they use their skill and knowledge for unethical reasons, such as stealing classified information, etc.
Gray Hat Hacker	Gray Hat Hackers are somewhere in-between White Hat Hackers and Black Hat Hackers. These hackers may work for a legitimate organization, as is the case with White Hat Hackers, but may stray and use their skills for unethical reasons, as is the case with Black Hat Hackers.
Phreaker	Phreakers are simply telecommunications hackers who use their skills to hack into telecommunications networks for their own personal gain, e.g. free long distance service.
Script Kiddy	Script Kiddies are users that do not have the skill to write their own hacking programs and therefore use materials and programs downloaded from the Internet to launch attacks.
Hacktivist	Hacktivists are hackers with political motivations. For example, a Hacktivist may deface the website of the rival of their political candidate during a campaign.
Computer Security Hacker	Computer Security Hackers are people who have significant knowledge on computer and network security systems, and they leverage that knowledge to break firewalls, intrusion prevention systems, etc.
Academic Hacker	Academic Hackers are typically students at higher learning institutions who use the institutions computing programs to write their own hacking programs.
Hobby Hacker	Hobby Hackers focus on personal computing, e.g. unlocking iPhones so they can be used on any carrier network instead of just AT&T.

The CIA Triad

One of the most widely accepted security models is the Confidentiality, Integrity, and Availability (CIA) triad. The CIA triad is generally accepted as defining the primary goals of network security, and these three principles should guide all secure systems. Additionally, the CIA triad provides a measurement tool for security implementations.

The CIA principles are applicable across the entire spectrum of security analysis and should be correlated with an implemented security model. A security model is the symbolic portrayal of the security policy, which will be described in detail later in this chapter. Security models integrate the security policies that should be enforced in the system by mapping the security policy requirements into a set of rules and regulations that should be followed by a computer or network system. The simplest way to remember the difference between security models and security policies is that security policies are a set of conceptual goals and high-level requirements, while the security model is the actual dos and don’ts that make this happen. The following diagram illustrates the CIA triad and its correlation security models:

Figure 1.1. The CIA Triad

Confidentiality

Confidentiality prevents the unauthorized disclosure of sensitive information. While encryption and other cryptography methods can be used to safeguard confidential information, it is also important that people understand their roles when it comes to the protection of sensitive data. Networks that ensure confidentiality typically implement the following policies:

• They employ network security mechanisms, such as firewalls, to prevent unauthorized network resource access;
• They require the use of proper credentials to access specific network resources, such as email, servers, and file shares; and
• They encrypt data so that unauthorized users are unable to view the contents contained therein, even if they were to capture the data packets using a network sniffer.

In order to ensure some level of confidentiality, documents are typically classified and document owners are the people that initially determine the level of classification. There are different levels and types of classification used by the civilian world (the majority of us) and by the military that determine who or what groups have access to what data. The data classification levels used in the military are illustrated in the following table:

Table 1.2. Military Data Classifications

Document Category	Description
Confidential	Data that has a reasonable probability of causing damage if disclosed to an unauthorized party.
Secret	Data that has a reasonable probability of causing serious damage if disclosed to an unauthorized party.
Top-Secret	Data that has a reasonable probability of causing exceptionally grave damage if disclosed to an unauthorized party.

The data classification levels used by organizations are illustrated in the following table:

Table 1.3. Organizationial Data Classifications

Document Category	Description
Sensitive	Data that may be embarrassing, if revealed, but will not cause a security threat.
Private	Information that should be kept secret, and whose accuracy should be maintained.
Confidential	Sensitive information, such as customer network designs, that should be protected with great care.

Once the data has been classified by the owners, custodians, who are given the responsibility of protecting the data by the document owners, verify the integrity of the data and keep up-to-date backup copies of the same. The data is then provided to users, who are expected to access and use the data in accordance with an established security policy. Users should also take measures to ensure the data they are using is in safe hands because confidentiality is susceptible to attacks, such as packet captures and dumpster diving.

Integrity

Integrity prevents the unauthorized modification of data, systems, and information. In addition to this, integrity ensures that information is not altered, intentionally or accidentally, without authorization or while en route to the authorized receiver.

There are numerous integrity attacks. The most common of these are salami attacks, which are a series of minor attacks that together result in a larger attack; data diddling, which entails modifying data before it is stored; trust relationship exploitation, which exploits the trust relationship between devices within an organization; and password attacks, botnets, and session hijacking – all of which will be described in detail later in this chapter.

To ensure data integrity, checksum or hash values from protocols such as Message Digest 5 (MD5) and Secure Hash Algorithm (SHA), which will be described in detail later in this guide, can be used to validate the integrity of received information.

Availability

Availability is the prevention of loss of access to resources and information to ensure that information is available for use when it is needed. This can be performed using numerous methods, such as design redundancy, firewall failover, data backups, spare parts, uninterruptible power supplies (UPS), and security architectures. The most common availability attacks are DoS and DDoS attacks, such as TCP SYN flooding and smurf attacks, which are used to prevent access to legitimate resources and information. These attacks will be described in detail later in this chapter.

Vulnerabilities, Exploits, and Risks

It is important that as a network security administrator you understand the differences between vulnerabilities, exploits, and risks.

Vulnerabilities

Vulnerabilities are weaknesses in computing systems, such as routers, switches, and workstations, that attackers use to gain unauthorized access to the system or the data contained within the system. There are numerous types of vulnerabilities that network security administrators should take into consideration. These vulnerabilities include:

• Physical vulnerabilities – These include earthquakes and other natural disasters, as well as physical security, and all should be taken into consideration. To avoid a possible security breach, network devices should be stored in physically safe locations, such as locked cabinets with restricted access control. Without such security, networks may be vulnerable to attacks; for example, an attacker may gain access to the Console port of the device and perform a password recovery procedure. From there, the attacker can breach other devices in the network.

• Operating System vulnerabilities – These vulnerabilities are based on a system’s design. For example, a recently discovered issue in Windows-based Operating Systems is the Windows Registry Editor Utility String concealment weakness, which makes it possible for malware (which will be described later in this guide) to hide strings in the registry.

• Protocol vulnerabilities – These vulnerabilities are based on the protocols used by a system. For example, the EIGRP implementation in all versions of IOS is vulnerable to a denial-of-service (DoS) attack if it receives a flood of neighbor announcements.

• System code vulnerabilities – These vulnerabilities are based on the code that is executed by a system. For example, programming languages commonly associated with buffer overflows (which will be described in detail in this chapter) include C and C++, which provide no built-in protection against accessing or overwriting data in any part of the memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array.

• Poor system configuration vulnerabilities – These vulnerabilities are based on poor system configuration. For example, the password hashed on Cisco IOS routers using the enable password command can easily be decrypted using tools that are easily and readily available online; therefore the enable secret command, which uses Message Digest 5 (MD5) encryption (which will be described in detail later in this guide) is recommended instead.

• Malicious software vulnerabilities – These vulnerabilities are originated by malicious code that includes viruses and Trojan horses, both of which are explained in detail later in this chapter. For example, Back Orifice is a common Trojan horse that provides the attacker a backdoor in which to bypass normal authentication, secure remote access to a computer, obtain access to plaintext, and so on while attempting to remain undetected.

• Human vulnerabilities – These vulnerabilities may or may not be intentional; however, they are vulnerabilities all the same. For example, human trust is a vulnerability from a network security point-of-view. By using social engineering, which is nothing more than creative lying, would-be attackers can gain the trust of employees and use that to obtain valuable information from those employees. This information can then be used to attack and breach the network.

Exploits

Once an attacker has indentified vulnerability, he or she will typically write or use programs designed to take advantage of that vulnerability. These malicious programs are referred to as exploits. Some of the most common exploits take advantage of the following:

• Default passwords – For example, on newer Cisco IOS routers, when the router is first shipped the default username and password pair to log in is cisco/cisco. This default username and password pair could be exploited by attackers and should be removed.

• IP spoofing – In IP spoofing, the attacker fakes the source IP addresses of packets to gain access to a network and access resources in the same manner as legitimate network hosts. Spoofing is easy to accomplish because there are no real checks in TCP/IP to validate that a packet is really coming from the IP address indicated in the IP header.

• Application weaknesses – These exploits occur when attackers find faults in desktop and workstation applications, such as email clients, and execute arbitrary code, implant Trojan horses for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network.

• Protocol weaknesses – These exploits work mostly with plain text transmission protocols such as Telnet, FTP, and HTTP transfers. For example, using a simple network sniffer, attackers can acquire username and password information from Telnet because the protocol sends this information across the network in clear text.

Risks

Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. A risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. This information should be used to develop strategies to mitigate those risks. The risk analysis can be performed using either quantitative or qualitative analysis.

A quantitative analysis uses a mathematical formula to model the probability and severity of risk. This method is used to calculate the Annualized Loss Expectancy (ALE), which produces a monetary value that can be used to help justify the expense of security solutions.

A qualitative analysis, on the other hand, uses a scenario model in which scenarios of risk occurrence are identified. This can then be used to help justify the expense of security solutions. Qualitative analysis is more commonly used than quantitative analysis. Most qualitative risk analysis methodologies make use of a number of interrelated elements, including:

• Threats – things that can go wrong or that can attack the system. Examples might include fire or fraud. Threats are ever-present for every system.
• Vulnerabilities – makes a system more prone to attack by a threat or make an attack more likely to have some success or impact. Examples could include system code weaknesses or protocol weaknesses.
• Controls – the countermeasures for vulnerabilities. There are four types:

1. Deterrent controls reduce the likelihood of a deliberate attack.
2. Preventative controls protect vulnerabilities and make an attack unsuccessful.
3. Corrective controls reduce the effect of an attack.
4. Detective controls discover attacks and trigger preventative or corrective controls.

The correlation of these elements is illustrated in the following diagram:

Figure 1.2. Risk Analysis Model

Denial of Service Attacks

A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is used to restrict or outright deny service from a legitimate network resource or service, such as a public web server, for example. These attacks reduce the ability to service legitimate clients by overloading the intended target or sending traffic that causes these targets to behave unpredictably, which typically results in the targets locking up or crashing completely.

DoS attacks typically do not pose a significant threat to confidential or sensitive data, but they do deny service from legitimate hosts and are difficult to detect and repel. Furthermore, these attacks may also be used to mask other malicious intrusive activities happening elsewhere in the network. For example, a perpetrator could use a DoS or DDoS attack as a diversion to capture the attention of administrators and officials and then proceed to breach or break into other parts of the network while the administrators are reacting to and trying to repel the attacks.

Although these attacks typically occur from a remote location, which makes them more difficult to isolate and identify, they can also be initiated from within an organization, i.e. within the internal network. However, local DoS attacks are typically much easier to identify and isolate and are much less common than remote DoS attacks. The five basic goals of DoS attacks are:

1. The consumption of computational resources, such as bandwidth, disk space, or CPU time;
2. The disruption of configuration information, such as routing information;
3. The disruption of state information, such as unsolicited resetting of TCP sessions;
4. The disruption of physical network components; and
5. The obstruction of communication media between the intended users and the victim.

There have been numerous DoS attacks that have caused massive damage. For example, Morris Worm, written by Robert Morris, a Cornell University CS graduate student, and launched on 2 November 1988, was the first DoS attack of significance. It was said that this worm caused some 5000 machines to be taken out of commission for several hours.

Another classic case occurred in 2000, when CNN, Yahoo, E-Bay, and Datek were taken down for several hours due to traffic flooding from a Stacheldraht-distributed DoS attack.  And, finally, in 2002, a Ping Flood DDoS attack briefly interrupted web traffic on nine of the 13 DNS ‘root’ servers that control the Internet.

While there are numerous types of DoS attacks, the following section describes the most common types, and it is expected that you are familiar with each as part of the IINS requirements. These attacks are as follows:

• Smurf Attacks
• ARP Poison Attacks
• Teardrop Attacks
• Permanent Denial-of-Service Attacks
• UDP Storm Attacks
• Mail Bomb Attacks
• SSH Process Table Attacks
• SYN Attacks

Smurf Attacks

Smurf attacks are also commonly referred to as a ping flood or ICMP flood attacks. These attacks send large amounts of ICMP packets to a machine in order to attempt to crash the TCP/IP stack on the machine and cause it to stop responding to TCP/IP requests. In smurf attacks, the victim is flooded with ICMP echo-reply packets via a reflector or an amplifier.

The attacker sends numerous ICMP echo-request packets to the broadcast address of the reflector subnet. These packets contain the victim’s address as the source IP address. Every targeted machine that belongs to any of these subnets responds by sending ICMP ‘echo-reply’ packets to the victim, as illustrated in the following diagram:

Figure 1.3. Smurf Attacks

To mitigate this problem, Cisco recommends using Committed Access Rate (CAR) to limit the throughput of ICMP echo-request and echo-reply packets. In addition to this, ICMP packets can also be rate limited using the Modular QoS Command Line (MQC) in later Cisco IOS software versions.

To prevent Cisco routers from being used as reflectors in smurf attacks, the routers should be configured not to forward packets directed to broadcast addresses by using the no ip directed-broadcast interface configuration command. At Layer 2, IP Source Guard, used in conjunction with DHCP Snooping, can also be used to prevent such attacks. These two techniques will be described in detail later in this guide.

ARP Poison Attacks

An Address Resolution Protocol (ARP) Poison attack requires the attacker to have access to the victim’s LAN. The attacker deludes the hosts of a specific LAN by providing them with wrong MAC addresses for hosts with already-known IP addresses, as illustrated below:

Figure 1.4. ARP Poison Attacks

In the diagram illustrated above, Host 1 and Host 2 reside on the same LAN. In addition to this, an attacker has also managed to infiltrate the same LAN as these two hosts. In order for Host 1 to send frames to Host 2, it must first send out an ARP broadcast asking for who is the MAC address of 10.1.1.2, as illustrated in step 1. The attacker sees this broadcast and before Host 2 can respond, the attacker replies to Host 1 providing it with his machine’s MAC address, as illustrated in step 2.  In step 3, Host 1 receives this information and begins forwarding data to the attacker’s machine, assuming it to be Host 2.

To protect against such attacks, Cisco recommends the use of Dynamic ARP Inspection (DAI) in conjunction with DHCP snooping. These concepts will be described in detail later in this guide.

Teardrop Attacks

A teardrop attack involves sending malformed IP fragments with overlapping, over-sized, payloads to the target machine, i.e. a stream of IP fragments with their offset field overloaded. The Internet Protocol allows IP fragmentation so that datagrams can be broken up into pieces small enough to pass over a link with a smaller MTU than the original datagram size; however, these fragments should not be malformed and should never be the initial packets in a data stream. The destination host that tries to reassemble these malformed fragments eventually crashes or reboots. Cisco recommends the use of IP Access Control Lists that allow only non-initial fragments to protect against such attacks.

Permanent Denial-of-Service Attacks

A permanent denial-of-service (PDoS), or phlashing, attack is one that damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the DDoS attack (which will be described later in this section), a PDoS attack exploits security flaws in the remote management interfaces of the victim’s hardware, be it routers, printers, or other devices.

These flaws leave the door open for an attacker to ‘update’ remotely the device firmware to a modified, corrupt, or defective firmware image, therefore ‘bricking’ the device and making it permanently unusable for its original purpose. The PDoS is a pure hardware-targeted attack. While there is no single solution to prevent against PDoS attacks, it is important to keep current with updates on security vulnerabilities posted on vendor websites.

UDP Storm Attacks

In a User Datagram Protocol (UDP) connection, a character generation (commonly referred to as chargen) service generates a series of characters each time it receives a UDP packet, while an echo service echoes any character it receives. Exploiting these two services, the attacker sends a packet with the source spoofed to be that of the victim to another machine.

Next, the echo service of the former machine echoes the data of that packet back to the victim’s machine and the victim’s machine, in turn, responds in the same way. Hence, a constant stream of useless load is created that burdens the network. Such attacks can be mitigated by disabling these and other unnecessary services, such as TCP and UDP small servers, in Cisco IOS.

Mail Bomb Attacks

In a mail bomb attack, the victim’s mail queue is flooded by an abundance of messages, causing system failure. There are two methods of perpetrating a mail bomb attack. These methods are mass mailing and list linking. Mass mailing consists of sending numerous duplicate mails to the same email address. While these types of mail bombs are simple to design and are very common, they can also be easily detected by spam filters, which reduce their overall threat.

In addition to this, there is also a variant of mail bomb attacks referred to as Zip bombing. After most commercial mail servers began checking mail with anti-virus software and filtering certain malicious file types, attackers tried to send Trojan horse viruses compressed into archives, such as ZIP, RAR, or 7-Zip. While these attacks affected legacy mail servers, modern mail servers usually have sufficient intelligence to recognize such attacks, as well as sufficient processing power and memory to process malicious attachments without interruption of service, though some are still susceptible if the ZIP bomb is mass-mailed.

SSH Process Table Attacks

This attack makes hundreds of connections to the intended target device(s) with the Secure Shell (SSH) Protocol without completing the login process. In this way, the SSH daemon on the victim’s system is obliged to start so many SSH processes that it is eventually exhausted and legitimate users are unable to access the service, or device. In Cisco IOS software, such attacks can be mitigated by using restrictive ACLs that permit only legitimate users and subnets SSH to devices. In addition to this, features such as TCP Intercept can also be used.

SYN Attacks

SYN attacks are a type of DoS attack and are also referred to as SYN flood attacks. These attacks occur during the three-way handshake that is used to establish a TCP connection. This handshake is illustrated in the following diagram:

Figure 1.5. SYN Attacks

In the three-way handshake, a client requests a new connection by sending a TCP SYN packet to a server. The server sends a TCP SYN/ACK packet back to the client and places the connection request in a queue. Finally, the client acknowledges the TCP SYN/ACK packet received from the server with a TCP ACK packet.

During a TCP SYN flood, the attacker sends an abundance of TCP SYN packets to the victim, obliging it both to open a lot of TCP connections and to respond to them; however, the attacker does not execute the third step of the three-way handshake that follows, rendering the victim unable to accept any new incoming connections because its queue is full of half-open TCP connections, as illustrated in the following diagram:

Figure 1.6. SYN Flood Disabled Victim

TCP SYN floods are relatively easy to mitigate and to protect against. In addition to using ACLs to rate limit TCP SYN packets, Cisco also recommends the use of the TCP Intercept feature to protect against TCP-based DoS attacks. TCP Intercept will be described in detail later in this guide.

In addition to the DoS attacks described in this section, there are other DoS attacks pertaining exclusively to operating systems (OS) that you should be aware of. A particularly dangerous OS DoS attack is the Land, or Land.C, attack.  In this attack, the perpetrator sends the victim a TCP SYN packet that contains the same IP address as the source and destination addresses. The reason a Land attack works is because it causes the machine to reply to itself continuously, which eventually completely locks the system. This attack can be used against the majority of operating systems used in today’s networks.

A banana attack is another particular type of DoS. This attack involves redirecting outgoing messages from the client back onto the client, thereby preventing outside access as well as flooding the client with the sent packets, which will eventually lock up the target system.

Additionally, an attacker with access to a victim’s computer may slow it until it is unusable or crash it by using a fork bomb. A fork bomb works by creating a large number of processes very quickly in order to saturate the available space in the list of processes kept by the computer’s OS. If the process table becomes saturated, no new programs can start until another process terminates. Even if that happens, it is not likely that a useful program will be started since the instances of the bomb program will each attempt to take any newly available slot themselves.

Distributed Denial of Service Attacks

As bad as DoS attacks may be, DDoS attacks do even more damage. These attacks are generally executed in two phases. In the first phase, the perpetrator compromises computers scattered on the Internet and installs specialized software on these hosts to assist in the attack. In the second phase, the compromised hosts – commonly referred to as zombies – are then instructed (through masters) to begin the attack.

Using control software, each of these zombies can then be used to mount its own DoS attack on the intended target(s). The cumulative effect is to overwhelm the target, or simply exhaust resources, preventing legitimate users from being serviced by the DDoS target(s). The following DDoS attacks are described in this section:

1. Peer-to-Peer Attacks
2. Reflected Attacks
3. Distributed Attacks

Peer-to-Peer Attacks

Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. Unlike regular botnet (which is a collection of software robots, or bots, that run autonomously and automatically) attacks, with peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a ‘puppet master,’ instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim’s website instead. The targeted web server will be plugged up by the incoming connections.

While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked means that this type of attack can overwhelm mitigation defenses. Once the connection is opened to the server, the identifying signature can be sent and detected, and the connection subsequently torn down, which takes server resources and can harm the server. This method of attack can be prevented by specifying, in the peer-to-peer protocol, which ports are and are not allowed. If port 80 is not allowed, then the possibilities for attacks on websites can be very limited. In most cases, it is recommended that peer-to-peer protocols are filtered and blocked entirely.

Reflected Attacks

A distributed reflected denial-of-service (DRDoS) attack involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet protocol spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target.

Smurf attacks can be considered a form of reflected attack, as the flooding host sends echo- request packets to the broadcast address of a network or networks, thereby enticing many hosts to send echo-reply packets to the victim. Many services can be exploited to act as reflectors, with some harder to block than others.

Distributed Attacks

A distributed denial-of-service (DDoS) attack occurs when multiple systems are used to flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems may be compromised by attackers using a variety of methods. Malware can carry DDoS attack mechanisms, as was the case with MyDoom. This attack mechanism was triggered on a specific date and time and involved hard-coding the target IP address prior to release of the malware.

A system may also be compromised with a Trojan – which is a term used to describe malware that appears, to the user, to perform a desirable function but, in fact, facilitates unauthorized access to the user’s computer system – allowing the attacker to download a zombie agent. Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts.

Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack.

Agents are compromised by the attacker via the handlers, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents. These collections of systems compromisers are known as botnets. This concept is illustrated in the following diagram:

Figure 1.7. DDoS Attack

DDoS tools such as Stacheldraht still use classic DoS attack methods centered on IP spoofing and amplification, such as smurf attacks and fraggle attacks. A fraggle attack occurs when the perpetrator sends a large amount of UDP echo traffic to IP broadcast addresses, all of it having a fake source address. This attack is simply a rewrite of the smurf attack code, which uses UDP echo packets instead of ICMP.

It is important to note the difference between a DDoS and DoS attack. If an attacker mounts a smurf attack from a single host, this would be classified as a DoS attack; in fact, any attack against availability would be classed as a DoS attack. On the other hand, if an attacker uses a thousand zombie systems to simultaneously launch smurf attacks against a remote host, this would be classified as a DDoS attack.

To an attacker, the major advantages of using a DDoS attack are that multiple machines can generate more attack traffic than one machine; multiple attack machines are harder to turn off than a single attack machine; and the behaviour of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages can cause challenges for some defense mechanisms.

Malicious Code Attacks

Malicious code attacks use programs that are written by attackers and are designed to do damage. Trojan horses, viruses, and malicious software (malware) are all examples of malicious code attacks. These programs typically do not require that the attacker be present for them to do damage, and they are among the most dangerous types of attacks. The following are the six types of malicious code attacks:

1. Malware
2. Viruses
3. Trojan Horses
4. Logic Bombs
5. Worms
6. Backdoor

Malware

Two types of malware are viruses and Trojan horses. Viruses are programs that self-replicate, i.e. reproduce themselves without user intervention. In addition to this, some viruses can actually modify themselves to prevent detection, making such attacks very difficult to repel.

A Trojan horse (sometimes referred to simply as a Trojan) is a program that masquerades as one thing but actually does something else instead of, or even in addition to, its intended use. These programs are typically packaged as attractive programs that offer potential victims great benefits, such as a faster computer or spyware removal, for example.

Infamous examples of data-stealing malware include: Bancos, an information stealer that waits for the user to access banking websites then spoofs pages of the bank website to steal sensitive information; Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for analysis, and then serves targeted pop-up ads; LegMir, spyware that steals personal information such as account names and passwords related to online games; and Qhost, a Trojan that modifies the Hosts file to point to a different DNS server when banking sites are accessed and then opens a spoofed login page to steal login credentials for those financial institutions.

Viruses

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner. The word virus is also often, but erroneously, used to refer to other types of malware, adware, and spyware, which cannot self-reproduce.

Adware is software that automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used, while spyware is a type of malware that is installed secretly on computers to collect information about users, their computers, or their browsing habits without their informed consent. There are several examples of infamous viruses.

The Melissa virus, for example, attacked computers in March 1999, infecting machines when users opened a Word document attachment. Though the effect the virus had on individuals’ computers was minimal, users of Outlook Express unintentionally sent the virus on to the first 50 people in their Global Address Book. For companies, however, the virus had a larger impact. More than a million users were affected, and the virus caused $80 million in damage. This was also the first virus to travel through email.

Another classic example is that of the 911 virus. In April 2000, the National Infrastructure Protection Center (NIPC) released an alert about the 911 virus, which erased hard drives and programmed computers to dial 911. In spite of efforts to protect against it, a version of the attack resurfaced in July 2002 with a more alarming result. In that case, the virus targeted WebTV user-group boards; reports say that once the infected attachment was opened, the WebTV device shut down, rebooted, and dialed 911.

Like any other computer program, viruses must be executed in order to function and then the computer must follow the viruses’ instructions, which are referred to as virus payloads. This is not to say that a virus will not run if the user does not explicitly execute it. In most cases, a virus typically has some written code that will trick the computer’s OS into running it, most likely without the user being aware of this.

Once executed, the virus payload can then disrupt or change data files, display erroneous messages, or cause the OS to malfunction. Viruses spread when the payload is transferred from one computer to another, via infected files, for example.

Trojan Horses

While Trojan horses somewhat resemble viruses, they are actually in a category of their own. These programs are often disguised as something else, such as a program designed to make your computer run faster, for example. However, they contain a malicious program and when the program the user installed is called to perform its function, the malicious program can cause all sorts of problems, such as ruining a hard disk.

The most famous Trojan horse to date is probably Back Orifice, which was developed by the hacker group known as Cult of the Dead Cow. Once installed, this program gives the attacker access and control over any computer running a Windows 95/98 or later operating system.

Logic Bombs

Logic bombs are a type of malware that are designed to do damage after a certain condition is met, such as the passing of a certain date, for example. In addition to this, logic bombs may also be left behind after an attack, so that the attacker can destroy any evidence of the attack that the system administrators may find.

One of the most well-known logic bombs was the Chernobyl virus, which spread via infected floppy disks or through infected files and replicated itself by writing to an area of the boot sector of a disk. This virus was set to activate on a certain date and, on that date, it caused severe issues for infected users as it attempted to rewrite the BIOS (Basic Input/Output System) and erase the hard drives of the victims’ computers. The damage was so severe that those who were affected required new BIOS chips from manufactures to repair the damage caused by the virus.

Worms

Worms are self-replicating programs that do not alter files but reside in the active memory on the infected devices and duplicate themselves via the network. Worms use the automated functionality found in operating systems and are invisible to the user. In addition to this, some worms also contain a malicious payload and are noticed only after the network resources are completely consumed or the victim’s computer has been degraded to unusable levels. There have been numerous cases of worms causing severe amounts of damage; however, perhaps the most infamous two worms ever are Code Red and the Love Bug.

The Code Red worm operated in three stages – scanning, flooding, and sleeping. During the scanning phase, the worm searched for vulnerable computers and ran damaging computer code on them. Next, in the flooding phase, the worm sent bogus data packets to the White House website. At its peak, the worm infected 2,000 machines every minute, infecting 359,000 machines in total, and cost $1.2 billion worth of damage. The worm could have affected more computers, but because of a Code Red warning, many people were able to protect their machines. Originally, 35 per cent of the 3.5 million sites that used Microsoft IIS software were vulnerable, but that number dropped to 15 per cent following the warning.

The Love Bug worm flooded the Internet with emails in May 2000 with the subject ILOVEYOU. The body of the deceptive email read, “Kindly check the attached love letter coming from me.” When opened, the email wreaked havoc on computers, replicating it automatically, sending copies to everyone in the user’s address book, and damaging computer files, such as MP3s. Although it was first detected in Asia, this worm spread across the world, infecting US government computers at Congress, the White House, and the Pentagon. Officials estimated that the worm affected 80 per cent of businesses in Australia and a similar percentage in the US.

As we have learned, worms can cause massive amounts of damage and pose one of the most significant threats to networks in general. Because of the potential damage that worms can cause, there is a specific model that is recommended for worm attack mitigation. Worm attacks can be prevented via containment, planning, tools, and techniques.

The first stage of the reaction process is to contain the spread of the worm inside the network. Compartmentalization, which is a core principle of the SAFE Blueprint (which will be described later in this chapter), allows isolation of parts of the network that are not yet infected. Containment may be performed using one of two actions, as illustrated in the following diagram:

Figure 1.8. Containment in Action

The inoculation phase involves patching all systems. If the appropriate signature files or plug-ins are available for tools, it is worthwhile to start scanning the network for vulnerable systems. This activity might allow operations staff to find vulnerable systems before they become infected. It is important to remember that during a worm crisis, there are three types of systems in your network: patched systems, unpatched systems, and infected systems.

The quarantine phase involves finding each infected machine and disconnecting, removing, or blocking them from the network to prevent them from infecting other unpatched machines on the network. To achieve this goal, the infected systems need to be isolated and quarantined. The treatment phase involves the cleaning and the patching of each infected system. Some worm attacks might require complete reinstallations of the core system to ensure that the machine is clean.

The second phase is planning. When these events occur, reaction time is critical, and these processes need to be in place. It is strongly recommended that every organization plan the reaction methodology ahead of the next crisis. This may include contacts, escalation procedures, conference calls, etc. and it should be clearly understood by everyone.

Finally, tools and techniques should be used in the third phase of worm prevention. Because of their nature, it is important to know and understand that there is currently no single guaranteed solution for dealing with worm attacks; however, some of the tools that can be used to defend against worm attacks are as follows:

1. Access Control Lists (ACLs)
2. Unicast Reverse Path Forwarding (uRPF)
3. NetFlow and NetFlow export
4. Routing protocols such as remote-triggered black hole filtering (RTBH)

Access Control Lists (ACLs) serve a dual purpose as security tools. They provide a mechanism to permit or deny traffic as well as a mechanism to detect certain traffic types. The use of ACLs to permit or deny traffic is a well-understood and well-documented security feature. For worm mitigation, it is important to know that ACLs can play a key role in preventing the spread of a worm by blocking its attack vector, which is usually a TCP or UDP port.

The Unicast RPF (uRPF) feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. For Internet Service Providers (ISPs) that provide public access, uRPF deflects such attacks by forwarding only packets that have source addresses that are valid and consistent with the IP routing table. This action protects the network of the ISP, its customers, and the rest of the Internet.

NetFlow is used as the foundational technology for obtaining traffic flow information across a network. A flow is defined by seven unique keys: source IP address, destination IP address, source port, destination port, Layer 3 protocol type, Type of Service (ToS) byte, and input logical interface. By observing traffic flows across the network, it is possible to see events that might be malicious. Some events might cause high traffic volumes, such as a DoS attack; others might be more subtle. In any case, observing the flow of information can detect these events.

While going into the details of RTBH is beyond the scope of this course, you should have a basic understanding of how it works. In essence, a sinkhole is a multifaceted security tool and a portion of the network that is designed to accept and analyze attack traffic. Sinkholes were originally used by ISPs to engulf attack traffic, in many cases drawing attacks away from a customer or other target. In more recent times, sinkholes have been used in enterprise environments to monitor attacks, detect scanning activity from infected machines, and generally monitor for other malicious activity. You are not required to go into specifics on sinkholes and/or their configuration for the IINS course requirements.

In addition to internal preparation and groups, it is also important to realize and understand the importance of external support groups.  Entities that are helpful are the Computer Emergency Response Team Coordination Center (CERT/CC), the Cisco Product Security Incident Response Team (PSIRT), and the various newsgroups that enable administrators to share valuable security information.

The CERT/CC is a US federally funded research and development center that works with the Internet community to facilitate responses to incidents involving the Internet and the hosts that are attacked. CERT/CC is also designed to take proactive steps to ensure that future vulnerabilities and attacks are communicated to the entire Internet community. In addition to this, CERT/CC also conducts research aimed at improving the security of existing systems.

For Cisco customers, the Cisco Product Security Incident Response Team (PSIRT) is available for customers to report any security concerns regarding flaws in Cisco IOS products. The Cisco PSIRT investigates all reports regardless of the Cisco software code version or product lifecycle status. Issues will be prioritized on the potential severity of the vulnerability and other environmental factors. The ultimate resolution of the reported incident may require upgrades to products that are under active support from Cisco.

For vulnerabilities reported to Cisco that may impact multiple vendors (i.e. a generic protocol issue), the PSIRT works with third-party coordination centers, such as CERT/CC, to manage a coordinated industry disclosure. In those situations, the PSIRT will either assist the vulnerability reporter in contacting the coordination center, or may do so on their behalf. For vulnerabilities reported to PSIRT involving another vendor’s product(s), the PSIRT will notify the vendor directly, coordinate with the reporter, or engage a third-party coordination center.

Newsgroups are mailing list type forums that can be used to share ideas and past incidents to keep current with the latest security concerns and protection policies.  While there are numerous newsgroups on the Internet, the CERT/CC recommends (along with several others) the alt.security newsgroup, which lists computer and other security issues; the comp.virus newsgroup, which lists computer viruses and related topics; and comp.security.announce, which provides computer security announcements, including new CERT/CC advisories, summaries, and vendor-initiated bulletins.

Backdoor

There are several types of back doors, or backdoors, which are simply programs or deliberate configurations that allow for unauthenticated access to systems, a notorious example being Back Orifice. Legitimate programs such as Virtual Network Computing (VNC) and PC Anywhere, as well as malicious programs, can all provide backdoor access to systems.

In addition, attackers can also use a rootkit, which is a collection of programs that attackers can use to mask their presence, instead of using backdoors. Rootkits are much more difficult to detect than the average backdoor.

For the most part, a good majority of malicious code attacks can be detected by using up-to-date anti-virus software to secure network hosts. In addition to this, Intrusion Prevent Systems, such as the Cisco IPS Sensor, can also be used to detect viruses and other anomalies based on signatures, thus providing an additional layer of network security.

Password Attacks

Password attacks are fairly common and are easy to perform, and often result in successful intrusion. Because of this, it is recommended that a strict password policy be enforced. There are two types of password attacks that can be performed. The first method is brute force password attacks and the second is dictionary-based attacks.

Brute Force Attacks

A brute force attack is the simple act of guessing keys and passwords until the correct one is found. These attacks are typically successful because key lengths used to secure passwords are always finite. For example, 56-bit Data Encryption Standard (DES), which will be described in detail later in this guide, is relatively easy to crack by trying every key combination from 56 zeros to 56 ones. While this may seem daunting for a novice, a skilled attacker can perform this in a matter of minutes. Increasing the key lengths, for example, using 3DES (Triple DES) instead, will significantly reduce the probability that a brute force attack will be successful.

Brute force attacks typically attempt to discover passwords by stealing a copy of the username and hashed (encrypted) password and then methodically encrypting different possible passwords using the same hashing function until a match is found. If a match is found, the password is considered cracked.

Simple hashing functions can be cracked in very little time and offer no real security. The most effective method to secure passwords is to use advanced hashing functions, such as RSA and other public key encryption techniques, all of which will be described in detail later in this guide.

Dictionary-based Attacks

In this type of attack, long lists of words of a particular language, called dictionary files, are searched to find a match to the encrypted password. These attacks are fairly successful on passwords that contain common letters; however, more complex passwords that incorporate letters, numbers, and symbols (such as the password c(n@s3cur!ty, for example) require a different brute force technique and generally take much longer to run and crack.

Other Common Attacks

In addition to the attacks already explained, there are several other common attacks that you are expected to be familiar with. This section describes the following attacks:

1. Spoofing Attacks
2. Man-in-the-Middle Attacks
3. Replay Attacks
4. TCP/IP Hijacking Attacks
5. War Dialing Attacks
6. Vulnerability Scanning
7. Sniffing
8. Privilege Escalation
9. Footprint Analysis
10. Buffer Overflows

Spoofing Attacks

Spoofing attacks involve providing false information about your identity, i.e. pretending to be someone that you are not, in order to gain unauthorized access to systems. The most common type of spoofing is IP spoofing, where the attacker fakes the source IP address of packets to gain access to a network and access resources in the same manner as legitimate network hosts. There are two types of spoofing attacks: blind spoofing attacks, where the attacker can only send and has to make assumptions about replies; and informed (non-blind) spoofing attacks, where the attacker can actually monitor, and therefore participate in, bi-directional communications.

Spoofing is easy to perform because there are no real checks in TCP/IP to validate that a packet is really coming from the IP address indicated in the IP header. Although spoofing is very common, it can be mitigated fairly easily. In Cisco IOS software, for example, Unicast Reverse Path Forwarding (uRPF), which will be described later in this guide, and Access Control Lists (ACLs) can be used to prevent IP spoofing.

In addition to this, firewalls (e.g. the Cisco Adaptive Security Appliance (ASA)), other techniques (e.g. disabling and preventing features such as source routing, which allow users to control the path a packet takes), and using cryptographic algorithms (which will be described in detail later in this guide) can also be used to prevent spoofing attacks.

Man-in-the-Middle Attacks

Man-in-the-middle (MIM or MITM) attacks, also known as bucket-brigade or Janus attacks, are a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones.

The following diagram illustrates the establishment of a simple Telnet session from the client computer to the network router:

Figure 1.9. Telnet Session

Because Telnet is TCP-based, the three-way handshake is used to establish the connection between the client and the router (which is acting as the TCP server in this case). In MITM attacks, the attacker monitors the packets moving between the client and the router and analyzes them in order to manipulate the data. This is possible by using tools to predict the correct sequence number in the packet exchanges between the client and the router.

Figure 1.10. MITM Attack

As illustrated in the diagram above, once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert, and modify the data in the intercepted communication. MITM attacks are very difficult to prevent. This is because of the fact that there are plenty of tools that can be used to predict TCP sequence numbers available to attackers.

As a safeguard, however, it is recommended that secure TCP-based services such as HTTPS and SSH be used in place of clear text services such as HTTP and Telnet. While these may not completely deter MITM attacks, the added security employed by HTTPS and SSH ensures that the data is not easily viewable as would be if clear text methods were used.

Replay Attacks

Replay attacks are performed by capturing sensitive data and then replaying it back to the host in order to replicate the transaction. Replay attacks can be used to gain unauthorized access to systems by attackers. For example, legitimate users use their credentials to log in to a server housing sensitive information. However, an attacker captures the session information and when the legitimate user logs off, the attacker logs on using the captured session information. The attacker then accesses the file server masquerading as the authorized user and gains access to sensitive files and other information.

These attacks can be reduced by using session tokens and timestamps. A session token is a unique identifier (usually in the form of a hash generated by a hash function) that is generated and sent from a server to a client to identify the current interaction session, while a timestamp is a sequence of characters, denoting the date and time at which a certain event occurred.

TCP/IP Hijacking

TCP/IP hijacking is also referred to as session hijacking. In order to hijack a TCP/IP session, attackers must first intercept a legitimate user’s data and then insert themselves into the session. This is not the same as MITM attacks where the attacker simply changes the packets between the client and the server, because the actual session is hijacked by the attacker in this attack, as illustrated in the following diagram:

Figure 1.11. TCP/IP Hijack

Based on the diagram above, in step 1, the client sends the server data (A) with a TCP sequence number of X + 1. The server acknowledges this data, in step 2, with an ACK number X + 2. The attacker, who has been watching the TCP session between the client and the server, then quickly sends the server a data packet (B) with a TCP sequence number of X + 2, as illustrated in step 3. The server responds to the client with an ACK number X + 2, as illustrated in step 4.

Meanwhile, the attacker injects information into the session, as illustrated in step 5. The server acknowledges the data being sent by the attacker by sending ACK packets to the client, as illustrated in step 6. The client receives these ACK packets for data that he or she has not sent and then becomes confused. The client then attempts to send the last ACK sent back to the server to try to resync the session, as shown in step 7. This continues as the attacker continues to send data to the server, and eventually the client terminates the session and the attacker continues to inject information as desired.

Online tools are readily available and can be used to monitor and hijack basic Telnet and File Transfer Protocol (FTP) sessions quite easily. In addition to this, attackers can also hijack session cookies, which are normally used to store login credentials and other sensitive information, and then use those cookies to access the user’s session. The legitimate user, in this case, receives a ‘session expired’ or ‘login failed’ message and is most likely unaware that anything suspicious even occurred.

Attackers can also hijack sessions during periods of inactivity and before the server terminates the connection based on pre-configured inactivity timeouts. For example, a user logs in to his or her bank account and then locks the computer and walks away to take a break. During this period of inactivity, the server begins to count down to the termination of the session because there is no activity from the user. However, depending on how long the session expiration timer is, it is possible for an attacker to hijack the session before it expires. Again, the user is most likely unaware of this event.

These attacks can be prevented by using encryption (which will be described in detail later in this guide). In addition to this, web servers should also be configured to use unique and pseudo-random session IDs and cookies, along with Secure Sockets Layer (SSL) encryption.

War Dialing Attacks

War dialing entails dialing large blocks of telephone numbers, via modem, with the objective being to locate a computer to which to connect. Because of advances such as Caller ID and Call tracing, war dialing is now a relatively risky method of attack because the attacker can be located fairly quickly.

However, war dialing can also be used as a means of validating security within a company. For example, a company can use war dialing to dial all known company numbers to check for modems that may be connected without their knowledge. These systems may then be secured, or removed if they are not supposed to be there, as they may present an attacker with a back door into the network, which is referred to as Out-of-Band access, or OOB access.

Vulnerability Scanning

Vulnerability scanning refers to the act of probing a host in order to find an exploitable service or process. This is one of the most common attacks because there are a plethora of tools available on the Internet that can be used to perform these attacks.

Using the information gained from vulnerability scanning, attackers can then have a better idea of what type of attack they can launch against that particular host. To prevent against such attacks, security personnel should also perform their own vulnerability scanning and ensure that discovered vulnerable services or ports that should not be open are secured or disabled.

It is also important to keep in mind that while vulnerability scanning tools, such as Network Mapper (Nmap), may be used by attackers, they can also be used by security administrators to ensure that all ports or services that are not being used and could be potential security threats are identified and closed. In fact, Nmap is a great tool for security administrators. Make sure that you familiarize yourself with this tool because unlike most tools Nmap is a free and open source (license) utility for network exploration or security auditing. The following diagram illustrates a typical vulnerability scan using Nmap on a web server:

Figure 1.12. Nmap Vulnerability

Sniffing

Sniffing is eavesdropping on a network. Sniffers, which are tools that enable machines to see all of the packets that are traversing the wire, can be used by attackers to eavesdrop on networks and gain valuable information, such as usernames and passwords, if unsecure services such as Telnet are being used, for example.

Common tools that may be used by network administrators, such as TCPDUMP (Unix) and Snoop (Solaris), and more popular tools such as Wireshark and Ethereal, are also used by attackers to view packets on the wire and acquire valuable information, which the attacker can then use to reassemble viewed web pages, downloaded files, or even emails sent.

While sniffing network traffic typically requires some form of manual configuration – for example, Switched Port Analyzer (SPAN) in Cisco Catalyst switches, which allows administrators to monitor traffic on a port other their own – it is also good security practice to utilize encryption and secure services (e.g. SSH instead of Telnet) where possible to ensure that data being transferred across the wire is safe and secure.

Privilege Escalation

Privilege escalation is the act of exploiting a design flaw in a software application to gain access to resources that normally would have been protected from an application or user. The result is that the application performs actions with more privileges than intended by the application developer or system administrator.

Privilege escalation occurs when an application with elevated privileges has a flaw that allows security to be bypassed or, alternatively, flawed assumptions about how it will be used. Privilege escalation occurs in two forms:

• Vertical privilege escalation, also known as privilege elevation, occurs when a lower privilege user accesses functions or content reserved for higher privilege users. An example of vertical privilege escalation would be a user getting administrator rights to a server that he or she is authorized to use.
• Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users. A typical example of horizontal privilege escalation would be a user being able to access the email account of another user.

Footprint Analysis

A footprint analysis is used by an attacker to gather as much information as possible about the intended target through publicly available sources such as the local library or the Internet. This analysis is used by the attacker to provide information on how large the targets may be, the number of potential entry points, and what security mechanisms, if any, are employed to prevent attacks.

When performing a footprint analysis, attackers may use port scanners to determine which hosts are alive on the Internet, which TCP and UDP ports are open on each system, and which operating system is installed on each host. Additionally, attackers may perform a Traceroute to identify the relationship of each host to every other host and network device, as well as to identify potential security mechanisms between the attacker and the target, such as firewalls and any other security devices.

After the port scanning and Traceroute is finished, attackers create a network map that represents their understanding of the target’s Internet footprint. It is important to understand that a footprint analysis is not an actual attack in itself; instead, it is part of a larger process used by attackers to gain unauthorized access to systems.

While going into detail on all the steps in this process is beyond the requirements of the IINS course, the footprint analysis is the first step in a systematic method used by advanced attackers. This systematic method generally covers these seven steps:

1. Perform a footprint analysis
2. Enumerate information
3. Obtain access through user manipulation
4. Escalate privileges
5. Gather additional passwords and secrets
6. Install backdoors
7. Leverage the compromised system

Although some of the steps have been included in earlier sections, you are not required to demonstrate any advanced knowledge of these steps.

Buffer Overflows

Buffers are simply areas of memory that are used to store data or instructions. Buffer overflow attacks involve writing too much data to that particular area of memory, overwriting its contents. This new information may be meaningless and may simply be used to cause an interruption with the server or it could be malicious and contain new instructions that the victim’s computer runs. These instructions can contain information that installs software on the target computer, which allows the intruder unauthorized access to the computer.

Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of the memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. However, other programs, such as Visual Basic and Java, use bounds checking to prevent against such attacks. Bounds checking is any method of detecting whether a variable is within some bounds before its use. A failed bounds check usually results in the generation of some sort of exception signal.

Attack Categories

The ever-changing nature of attacks is a major challenge facing network administrators. The attackers of today are typically well organized, extremely knowledgeable, and well trained. In addition to this, the size of the Internet provides very easy targets and provides lower risk to attackers, who can use this to launch any number of threats. These threats fall into one of the following categories:

1. Active Attacks
2. Passive Attacks
3. Malicious Code Attacks
4. Password Attacks
5. Insider Attacks
6. Close-in Attacks
7. Distribution Attacks

Active Attacks

Active attacks can be described as attacks where the perpetrator is actively attempting to cause harm to a network or system. In other words, the perpetrator is actively attempting to breach or shut down a particular service, or services. Because the damage from these attacks is very noticeable, these attacks are typically highly visible. Examples of active attacks include DoS and DDoS attacks.

Passive Attacks

During passive attacks, the attacker is not directly affecting the victim’s network. In other words, these attacks are the exact opposite of active attacks. Passive attacks are analogous to eavesdropping on a conversation or using a telescope to spy on someone. Some examples of passive attacks include sniffing and vulnerability scanning.

Malicious Code Attacks

Malicious code attacks are programs that are written by attackers and are designed to do damage. Trojan horses and viruses are examples of malicious code attacks. These attacks typically do not require that the attacker be present for them to do damage, and they are one of the most dangerous types of attacks.

Password Attacks

Password attacks are fairly common, are easy to perform, and often result in successful intrusion. Because of this, it is recommended that a strict password policy be enforced. There are two types of password attacks: brute force and dictionary-based.

Insider Attacks

Insider attacks, as the name implies, are performed by insiders (e.g. employees) who use their legitimate credentials for illegitimate access to network resources. These are the most common types of attacks in present-day networks.

Close-in Attacks

Close-in attacks occur when the attacker is in close proximity to the intended target system. For example, an attacker can initiate an attack if he or she gains physical access to a network device, such as a router, switch, or firewall, for example.

Distribution Attacks

Distribution attacks intentionally introduce backdoors, which will be described in detail later in this chapter, to hardware or software systems during the manufacturing process. Once the flawed systems are distributed to customers, the attacker can use their knowledge of the implanted backdoor to gain unauthorized access to these systems.

Responding to Security Threats

An organization’s internal operational processes are a critical aspect of dealing with any kind of security incident. Although sophisticated software can isolate possible security incidents, there is still a significant degree of human intervention required, making the establishment of reliable incident response procedures vital. The overall framework and process to respond to network threats and breaches is depicted in the following diagram:

Figure 1.13. Responding to Network Threats

The following section describes the steps and procedures that are recommended during each phase of the general incident response model.

Triage

The first phase of incident response is to verify that the event is an actual security incident, such as an attack or worm event. In some cases, an incident could be the result of scheduled maintenance; therefore, it is important that this be validated to prevent raising a false alarm.

After the event is confirmed, take quick action to limit the damage. Doing so might entail steps such as turning off a device or removing a device from the network. However, any actions taken need to be in line with maintaining business continuity. For example, if a web-based company notes an attack on their server, simply removing those servers or turning them off in the event of a possible security incident might actually cost the company more money and have long-lasting ramifications. For this reason, it is important to communicate with other relevant parties within the organization.

Analysis

The second phase is the analysis phase. A key part of this process is incident classification, which involves understanding the type of attack and the damage it is causing. It is important to perform the analysis with as little impact as possible on business functions.

Next, determine the scope of the incident, i.e. the number of devices, data, and other resources affected. It is important to look beyond the initially identified target because the event might be more widespread than initially thought.

In some cases, it might be necessary to perform an IP traceback to the origin of the attack; this activity might involve working through the ISP. In other cases, restoration of business operations might require priority over any IP traceback activities. IP traceback is a name given to any method that can reliably determine the origin of a packet on the Internet.

Measure the impact and ask what the resulting effects of the incident on the organization are. Did it cause a minor problem, or was the impact on the business greater? The results of this analysis will help determine the most appropriate reaction techniques for the incident.

Reaction

The reaction phase involves some action to counter the attack. Each situation will dictate the action to be taken, such as widely deploying ACLs in a worm event; restoring a device to normal operation by reloading the OS from the original media and restoring data from backups in a server compromise; or changing any static passwords because they might have been compromised. In addition to this, it is important to understand that in some situations an entirely reasonable response might be to do nothing at all.

Generally speaking, the highest priority is to regain full business operations. In many cases, it is often less important to spend time finding the perpetrator of the attack.

Restore

This phase entails restoring systems and operations back to pre-attack levels. This may entail rebooting devices, restarting applications, or other similar activities.

Post-Mortem

A post-mortem involves a full, in-depth analysis of the event and the response to the event. The goal is to determine what can be done to build resistance and prevent this type of attack from happening again. Essentially, it is learning from the experience. As a simple example, if a network penetration occurred, it would be prudent to identify what vulnerability was used to obtain access, and then fix all occurrences of that vulnerability. Additionally, it should be determined whether the incident was detected in an acceptable amount of time; if not, measures should be deployed to speed detection in the event of further incidents. The post-mortem is a step that is often ignored. It is critical that it is not forgotten.

The Cisco SAFE Blueprint

Before delving into the specifics of the Cisco SAFE Blueprint, we are going to learn about one of its core elements, which is defense in depth. Defense in depth is simply a security philosophy that uses a layered security approach to eliminate a single point of failure and provide overlapping protection.

In a defense in depth deployment, each layer of security should have some kind of redundancy, and all layers should provide a variety of defense strategies for protecting multiple areas of the network. The defense in depth includes the following recommendations:

• Defend multiple attack targets in the network by protecting the network infrastructure, as well as critical host machines, such as corporate email and web servers, via a Host-based Intrusion Prevention System (HIPS). HIPS will be described in detail later in this guide.

• Create overlapping defenses, such as using both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Cisco IDS and IPS systems will be described in detail later in this guide.

• Allow the value of the protected device to mandate the level of security implemented. For example, a server, such as an email server or Active Directory server, or a core network router or switch should be afforded more security than an end-user workstation.

• Use strong encryption mechanisms to ensure data confidentiality. While there are numerous encryption mechanisms available, it is important to keep in mind that some are significantly stronger than others, as will be described in detail later in this guide.

The following diagram illustrates the defense in depth philosophy, which illustrates the implementation of a firewall, two Intrusion Prevention System (IPS) devices, and an Intrusion Detection System (IDS) device:

Figure 1.14. Defense in Depth Philosophy

Cisco SAFE delivers defense in depth by strategically positioning Cisco products and capabilities throughout the network and by using the collaborative capabilities between the platforms. A wide range of security technologies are deployed in multiple layers, under a common strategy and administration. Cisco SAFE is delivered in two forms:

• Design blueprints
• Security solutions

Cisco SAFE design blueprints are simply Cisco Validated Designs (CVDs) and security best practice guides. CVDs provide prescriptive design guidance, which cover the various places in the network (PINs) present in an enterprise network, such as campus, WAN edge, branches, and data center. Design guidance is also provided for technologies such as Unified Communications, network virtualization, and network foundation protection, which are present in multiple places in the network. The selection of platforms and capabilities within those designs is driven by the application of the Cisco Security Control Framework (SCF).

The Cisco SCF is a security framework aimed at ensuring network and service availability, as well as business continuity. The SCF is designed to address current key threats, as well as track new and evolving threats, through the use of best common practices and comprehensive solutions. Cisco SAFE uses SCF to create network designs that ensure network and service availability and business continuity. Cisco SCF drives the selection of the security products and capabilities, and guides their deployment throughout the network where they best enhance visibility and control.

The SCF assumes the existence of security policies developed as a result of threat and risk assessments, and in alignment with business goals and objectives. The security policies and guidelines are expected to define the acceptable and secure use of each service, device, and system in the environment. The security policies should also determine the processes and procedures needed to achieve the business goals and objectives. The collection of processes and procedures defines security operations. It is crucial to business success that security policies, guidelines, and operations do not prevent but rather empower the organization to achieve its goals and objectives.

The success of the security policies ultimately depends on the degree they enhance visibility and control. Simply put, security can be defined as a function of visibility and control. Without any visibility, there is no control; and without any control, there is no security. Therefore, the SCF’s main focus is enhancing visibility and control. In the context of SAFE, SCF drives the selection and deployment of platforms and capabilities to achieve a desirable degree of visibility and control.

SCF defines six security actions that help enforce the security policies and improve visibility and control. Visibility is enhanced through the actions of identify, monitor, and correlate. Control is improved through the actions of harden, isolate, and enforce. These six security actions are illustrated in the following diagram:

Figure 1.15. Cisco Security Control Framework Model

Cisco SAFE uses various forms of network telemetry present on most networking equipment, security appliances, and endpoints to achieve consistent and accurate visibility into network activity. Logging and event information generated by routers, switches, firewalls, intrusion prevention systems, and endpoint protection software are collected, trended, and correlated. By delivering infrastructure-wide security intelligence and collaboration, the architecture can:

• Identify threats by collecting, trending, and correlating logging, flow, and event information, and help identify the presence of security threats, compromises, and data leaks;

• Confirm compromises by tracking an attack as it transits the network, and by having visibility out to the endpoints, allowing the architecture to confirm whether or not the attack was successful;

• Reduce false positives (which will be described in detail later in this guide) and use endpoint and system visibility to help identify whether a target is vulnerable to a given attack;

• Reduce volume of event information via event correlation, which dramatically reduces the number of events, saving security operators precious time to allow them to focus on what is important; and

• Dynamically adjust the severity level of an incident via enhanced visibility.

Cisco SAFE uses the infrastructure-wide intelligence and collaboration capabilities provided by Cisco products to control and mitigate well-known and day-zero attacks. Intrusion protection systems, firewalls, network admission control, endpoint protection software, and monitoring and analysis systems work together to identify and dynamically respond to attacks.

The architecture has the ability to identify the source of the threat, visualize the attack path, and to suggest, and even dynamically enforce, response actions. Possible response actions include the isolation of compromised systems, rate limiting, connection resets, packet filtering, source filtering, and more. The ultimate objectives of threat control and containment are as follows:

• Complete visibility, where infrastructure-wide intelligence provides an accurate view of network topologies, attack paths, and extent of the damage.

• Adaptive response to real-time threats, such that source threats are dynamically identified and blocked in real-time.

• Consistent policy enforcement coverage, meaning that mitigation and containment actions may be enforced at different places in the network for defense in depth.

• Minimizing effects of attacks by immediately triggering response actions as soon as an attack is detected, thereby minimizing damage.

• A common policy and security management platform that simplifies control and administration, and reduces operational expense.

Cisco SAFE Security Solutions

The SCF and the design blueprints provide the foundation for industry security solutions that address the requirements of specific industries, such as retail, financial, healthcare, and manufacturing. Best practices and design recommendations are provided for the following:

1. Infrastructure Device Access
2. Device Resiliency and Survivability
3. Routing Infrastructure
4. Switching Infrastructure
5. Network Policy Enforcement
6. Network Telemetry

Infrastructure Device Access

Key steps to securing both interactive and management access to an infrastructure device are as follows:

• Restrict device accessibility by limiting the accessible ports and restricting the permitted communicators and the permitted methods of access.

• Present legal notification by displaying a legal notice developed in conjunction with company legal counsel for interactive sessions. For example, use an MOTD banner.

• Authenticate access and ensure access is granted only to authenticated users, groups, and services. For example, RADIUS can be used for user, group, and service authentication.

• Authorize actions and restrict the actions and views permitted by any particular user, group, or service. This can be performed after security protocols such as TACACS+. Both RADIUS and TACACS+ security protocols will be described in detail later in this guide.

• Ensure the confidentiality of data and protect locally stored sensitive data from viewing and copying. Evaluate the vulnerability of data in transit over a communication channel to sniffing, session hijacking, and MITM or MIM attacks.

• Log and account for all access, and record who accessed the device, what occurred, and when for auditing purposes.

Device Resiliency and Survivability

The architecture designs use the following best practices to ensure resiliency and survivability of routers and switches:

• Disable unnecessary services by disabling default-enabled services that are not required.

• Restrict access to the infrastructure address space and deploy ACLs at the network edges to shield the infrastructure from unauthorized access, DoS, and other network attacks.

• Protect the control plane and filter, and rate limit traffic destined to the control plane of routers and switches. The control plane manages control traffic such as routing protocols.

• Control switch Content Addressable Memory (CAM) usage and restrict the MAC addresses that are allowed to send traffic on a particular port.

• Implement redundancy and eliminate single points of failure using redundant interfaces, standby devices, and topological redundancy.

Routing Infrastructure

The architecture designs make use of the following measures to secure the routing plane:

• Restrict routing protocol membership and limit routing sessions to trusted peers, and validate origin and integrity of routing updates.

• Control route propagation and enforce route filters to ensure only valid routing information is propagated. Control routing information exchange between routing peers and between redistributing processes.

• Log status changes and the status changes of adjacency or neighbor sessions.

Switching Infrastructure

Baseline switching security is concerned with ensuring the availability of the Layer 2 switching network. To that end, the architecture designs implement the following:

• Design the Layer-2 infrastructure, limiting the size of the broadcast domains.

• Use existing features to secure Spanning Tree Protocol (STP).

• Implement VLAN best common practices, for example, restricting VLANs on Trunk links.

Network Policy Enforcement

The architecture designs implement the following measures:

• Control traffic destined to the infrastructure space by using ACLs.
• Implement ACLs and other mechanisms to block packets with spoofed IP addresses.

Network Telemetry

This section highlights the baseline forms of telemetry recommended for network devices as follows:

• Implement Network Time Protocol (NTP) to ensure that the dates and times in logs and alarms are synchronized.

• Maintain local device traffic statistics by using device global and interface traffic statistics.

• Maintain system status information by using memory, CPU, and process status information.

• Log and collect system status, traffic statistics, and device access information.

• Log and account for all access, and record who accessed the device, what occurred, and when for auditing purposes.

• Establish the mechanisms to allow the capture of packets in transit for analysis and correlation purposes, SPAN, for example.

The Cisco PPDIOO Model

Cisco also offers an integrated security solution, which goes above and beyond the ‘one size fits all’ model. In addition to this, Cisco products are designed to deliver value throughout the entire network lifecycle, which includes the stages of Prepare, Plan, Design, Implement, Operate, and Optimize, commonly referred to as PPDIOO.

The Cisco PPDIOO model encompasses all steps from network vision to optimization, which enables Cisco to provide a broader portfolio of support and end-to-end solutions to its customers. The PPDIOO model is illustrated in the following diagram:

Figure 1.16. Cisco PPDIOO Model

In conjunction with the PPDIOO model, Cisco also offers the Cisco Lifecycle Security Services, which has five distinct services. These services include the following:

1. Strategy and Assessment Services
2. Deployment and Migration Services
3. Remote Management Services
4. Security Intelligence Services
5. Security Optimization Services

Strategy and Assessments Services

Strategy and assessments are part of the Prepare and Plan phases of the PPDIOO model. Cisco offers a comprehensive set of assessment services based on a structured IT governance, risk management, and compliance approach to information security.

These services help the customer to understand the needs and gaps, and recommend remediation based on industry and international best practices, as well as help the customer strategically to plan the evolution of an information security program, including updates to security policy, processes, and technology.

Deployment and Migration Services

These services are part of the Design and Implement phases of the PPDIOO model. Cisco offers deployment services to support the customer in planning, designing, and implementing Cisco security products and solutions. In addition, Cisco has services to support the customer in evolving its security policy and process-based controls to make people and the security architecture more effective.

Remote Management Services

These services are part of the Operate phase of the PPDIOO model. Cisco Remote Management Services engineers become an extension of the customer’s IT staff, proactively monitoring the security technology infrastructure and providing incident, problem, change, configuration, and release management, as well as management reporting 24 hours a day, 365 days a year.

Security Intelligence Services

These services are also a part of the Operate phase of the PPDIOO model. The Cisco Security Intelligence Services provide early warning intelligence, analysis, and proven mitigation techniques to help security professionals respond to the latest threats. The customer’s IT staff can use the latest threat alerts, vulnerability analysis, and applied mitigation techniques developed by Cisco experts, who use in-depth knowledge and sophisticated tools to verify anomalies and develop techniques that help ensure timely, accurate, and quick resolution to potential vulnerabilities and attacks.

Security Optimization Services

These services are part of the Optimize phase of the PPDIOO model. Cisco Security Optimization Services is an integrated service offering designed to assess, develop, and optimize the customer’s security infrastructure on an ongoing basis. Through quarterly site visits and continual analysis and tuning, the Cisco security team becomes an extension of the customer’s security staff, supporting them in long-term business security and risk management, as well as near-term tactical solutions to evolving security threats.

The Cisco Self-Defending Network

The Cisco Self-Defending Network integrates a collection of security solutions to identify, prevent and adapt to threats. The ultimate goal of the Cisco Self-Defending Network is that the network has the ability and the intelligence to protect itself from threats. However, this can only happen if the components of the network are working together to ensure this level of security, intelligence, and adaptability.

In addition to this, it is also important to understand that because network devices must work together and be integrated in order for the Cisco Self-Defending Network to do its job, it is very probable that there will be no third-party network components on the organization’s network participating in the Cisco Self-Defending Network.

While it is important to know that the Cisco Self-Defending Network is a large, complex roadmap made up of many Cisco components, it is also important to understand that an organization is not required to have all the components. However, you should be familiar with the suite of security products and components that make up the Cisco Self-Defending Network. The following section provides a list of some of the most common components that can be found within the Cisco Self-Defending Network:

Anomaly Detection and Mitigation

• The Cisco Traffic Anomaly Detector XT 5600 delivers multi-Gigabit performance to protect the largest enterprise environments by rapidly detecting and alerting users to potential distributed denial-of-service (DDoS), worms, and other attacks. Detection is based on sophisticated anomaly detection capabilities that compare current activity to profiles of known ‘normal’ behaviour, enabling the Traffic Anomaly Detector XT to identify even day-zero attacks that have never been seen before.

• The Cisco Guard XT 5650 delivers multi-Gigabit performance to protect the largest enterprises from DDoS attacks by performing per-flow-level attack analysis, identification, and mitigation to block specific attack traffic.

Email Security

• Cisco IronPort Email Security Appliances are easy-to-deploy solutions that defend email systems against spam, viruses, phishing, and a wide variety of other threats.

• The Cisco Spam and Virus Blocker is a dedicated anti-spam, anti-virus, and anti-phishing security appliance, designed specifically for small businesses, that virtually eliminates email threats right out of the box. It blocks spam, requires minimal administration, and connects to one of the largest databases of email security threats to bolster its accuracy.

Endpoint Security

• Cisco NAC Appliance (formerly Cisco Clean Access) is an easily deployed Network Admission Control (NAC) product that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. With NAC Appliance, network administrators can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. It identifies whether networked devices such as laptops, IP phones, or game consoles are compliant with the network’s security policies and repairs any vulnerability before permitting the device access to the network.

• Cisco Security Agent is the first endpoint security solution that combines zero-update attack protection, data loss prevention, and signature-based antivirus in a single agent. This unique blend of capabilities defends servers and desktops against sophisticated day-zero attacks and enforces acceptable-use and compliance policies within a simple management infrastructure.

• Cisco Trust Agent is a core component of the NAC solution. This client software must be installed on hosts whose host policy state is to be validated before permitting network access. Cisco Trust Agent allows NAC to determine if the Cisco Security Agent or antivirus software is installed and current, and can determine current operating systems and patch levels.

Firewall

• The Cisco ASA 5500 provides advanced application-aware firewall services with identity-based access control, DoS attack protection, and much more.

• Cisco Firewall Services Module (FWSM) – a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers – provides the fastest firewall data rates in the industry: 5-Gbps throughput, 100,000 CPS, and 1M concurrent connections.

• Cisco IOS Firewall helps ensure the network’s availability and the security of company resources by protecting the network infrastructure against network- and application-layer attacks, viruses, and worms. It protects unified communications by guarding Session Initiation Protocol (SIP) endpoints and call-control resources. Cisco IOS Firewall is a stateful firewall solution, certified by Common Criteria (EAL4).

Identity Management

• Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring for network devices and host applications supporting both Cisco and other vendors. Security monitoring with MARS greatly reduces false positives by providing an end-to-end topological view of the network, which helps improve threat identification, mitigation responses, and compliance.

• Cisco Secure Access Control Server (ACS) is an access policy control platform that helps organizations to comply with growing regulatory and corporate requirements. By integrating with other access control systems, it helps improve productivity and contain costs. It supports multiple scenarios simultaneously, including device administration (i.e. it authenticates administrators, authorizes commands, and provides an audit trail); remote access (i.e. it works with VPN and other remote network access devices to enforce access policies); wireless (i.e. it authenticates and authorizes wireless users and hosts and enforces wireless-specific policies); and Network Admission Control, by communicating with posture and audit servers to enforce admission control policies

Intrusion Prevention System

• Cisco IPS 4200 Series Sensors detect threats to intellectual property and customer data, with modular inspection throughout the network stack; stop sophisticated attackers by detecting behavioural anomalies, evasion, and attacks against vulnerabilities; prevent threats with confidence using the industry’s most comprehensive set of threat prevention actions; focus response with dynamic threat ratings and detailed logging; and provide protection from the latest threats and vulnerabilities.

• The second-generation Cisco IDSM-2 protects switched environments by integrating full-featured IPS functions directly into the network infrastructure through the widely deployed Cisco Catalyst chassis. This integration allows the user to monitor traffic directly off the switch backplane – a logical platform for additional services such as firewall, VPN, and IPS. The Cisco IDSM-2 with Cisco IPS Sensor Software v6.0 helps users stop more threats with greater confidence through multi-vector threat identification and accurate prevention.

Security Management

• Cisco Adaptive Security Device Manager (ASDM) is a powerful yet easy-to-use application that delivers integrated security management. It accelerates security policy creation while reducing management overhead and human error with wizards, debugging tools, and monitoring services. Its secure design enables anytime, anywhere management access to Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX security appliances, and Cisco Catalyst 6500 Series Firewall Services Module (FWSM).

• Cisco Router and Security Device Manager (SDM) is a web-based device-management tool for Cisco routers that can improve the productivity of network managers, simplify router deployments, and help troubleshoot complex network and VPN connectivity issues. Network and security administrators and channel partners can use Cisco SDM for faster and easier deployment of Cisco routers for integrated services such as dynamic routing, WAN access, WLAN, firewall, VPN, SSL VPN, IPS, and QoS.

• Cisco IronPort M-Series security management appliances offer complete security control and flexible management at the network gateway. By delivering top performance for all application security gateways, these appliances provide a single location for organizations to manage, store, and monitor all corporate policy settings and audit information.

Virtual Private Networks (VPN)

• The Cisco Easy VPN solution helps integrate VPN remote devices within a single deployment and with a consistent policy and key management method, which simplifies remote site administration. Cisco Easy VPN consists of two components: the Easy VPN Remote feature and the Easy VPN Server feature.

• Simple to deploy and operate, the Cisco VPN Client allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers. This thin design, IP security (IPSec) implementation is compatible with all Cisco virtual private network (VPN) products.

Web Security

• The Cisco-IronPort S-Series web security appliance is the industry’s first and only secure web gateway to combine traditional URL filtering, reputation filtering, malware filtering, and data security on a single platform to address these risks. By combining innovative technologies, the Cisco IronPort S-Series helps organizations address the growing challenges of both securing and controlling web traffic.

It is important to remember that the products listed above are not the entire suite of products available. However, these are common products that you should be familiar with. The three core characteristics of the Cisco Self-Defending Network are that it is integrated, collaborative, and adaptive. These characteristics are defined in the following section:

Integrated Security

This is the first phase of the Self-Defending Network. Security is built into the existing network, as opposed to being added to an existing network. In other words, security is incorporated into network devices, such as routers and switches, thus providing for an integrated security infrastructure within the components, rather than as an add-on. This allows all components in the network to act as a point of defense.

Collaborative Security Systems

This is the second phase of the Self-Defending Network. IT personnel focusing on security collaborate with IT personnel focusing on network operations. This phase allows for a security system that collaborates amongst all network and security components. In addition to this, the system also has the capability to collaborate with policy-enforcement endpoints.

Adaptive Threat Defense

This is the third and final phase of the Self-Defending Network. In the Cisco Self-Defending Network, security solutions have the flexibility to adapt to threats. This phase provides the capability for networks to evolve dynamically and intelligently to adapt and respond proactively to emerging threats at multiple layers of the network based on a new set of Anti-x (i.e. Anti-Virus, Anti-Spyware, etc.) technologies. The Cisco Threat Defense System offers security solutions and intelligent networking technologies to identify and prevent both known and unknown threats from internal and external network environments.

To begin creating the Cisco Self-Defending Network, the network platforms used must have integrated security features. Then, additional security features – depending on business objectives – are integrated and layered on top of the secure foundation. These features are divided into three categories: Threat Containment, Protected Communications, and Management, which are illustrated in the following diagram:

Figure 1.17. Adaptive Threat Defense

Threat containment

Threat containment includes strategies to contain and control threats. These strategies include, but are not limited to, the following:

1. Endpoint threat control, which is used to defend endpoints against threats such as viruses, spyware, adware, and other malicious attacks.

2. Infrastructure threat control, which is used to protect servers and shared applications from both internal and external threats.

3. Email threat control, which is used to protect against threats from emails; for example, malicious attachments or links received via email.

Protected Communications

Protected communications includes methodologies and technologies used to provide confidential and authenticated communications channels. The Cisco Secure Communications offers a set of products that can be categorized into one of two broad categories:

• Remote access communications security secures data transmission from remote users accessing the corporate network and resources via secure tunnels.

• Site-to-site communications security secures data transmission between different sites within an organization.

Management

Management includes products that allow for a system-wide control of policies and configuration. These solutions facilitate the following:

• Efficiency in rolling out new policies to multiple devices, while maintaining configuration consistency amongst these devices

• A comprehensive view of the Cisco Self-Defending Networks end-to-end security status

• The ability to respond quickly and efficiently to attacks

• Synchronization with an organizational security policy

Network Admission Control (NAC)

A network admission control (NAC) solution is required to ensure that endpoints are complying with predetermined security policies. These policies, which may include the latest anti-virus and operating system patches, are used to prevent vulnerable and noncompliant hosts from obtaining network access.

NAC uses the Network Access Devices (NADs) to protect the infrastructure from any endpoint seeking network access. Only trusted endpoints that are in compliance with security policy are granted access to the network. Noncompliant devices, on the other hand, are denied access and are quarantined for remediation. This policy compliance limits the potential damage from known and unknown threats alike.

It is important to remember that NAC is a part of the Cisco Self-Defending Network that enables the network to automatically identify, detect, and prevent emerging security threats. NAC is focused on proactive, not reactive, security solutions and is offered in two forms:

1. Cisco NAC Appliance
2. Cisco NAC Framework

Cisco NAC Appliance

Cisco NAC Appliance, formerly known as Cisco Clean Access, is the most widely used NAC solution from Cisco. This solution is based on the dedicated NAC Appliance and does not rely on partners and vendors because it offers self-containment endpoint assessment, policy management, and remediation services. The NAC Appliance solution accommodates LAN, WAN, Wireless, and Remote Access scenarios, amongst others. The Cisco NAC Appliance solution consists of the following three options:

1. Clean Access Server
2. Clean Access Agent
3. Clean Access Manager

The Clean Access Server is a network device that triggers assessment when users attempt network access, and it can enforce network access privileges based on endpoint compliance. The Clean Access Server is primarily used as an enforcement device that can block users at the port level, effectively restricting access to the trusted network until they pass the inspection. The Clean Access Server can be implemented either in-band or out-of-band in Layer 2 or Layer 3 mode, and as a virtual or real IP gateway for endpoints.

The Clean Access Manager is a web-based GUI application that is used to create security policies, establish roles, perform compliance checks, manage users, and define remediation rules. The Clean Access Manager communicates with the Clean Access Server, which is the primary component used for enforcement in the NAC Appliance architecture.

The Clean Access Agent (CAA) is an optional component (i.e. read-only agent software) that runs on a client’s endpoint to provide posture information and streamline remediation functions. CAA can also inspect the local host and provide information by analyzing the registry, services, and other files. In addition to this, CAA can determine whether or not the endpoint has the required patches, anti-virus, and other security software, such as Cisco Security Agent (CSA). Unlike the Clean Access Manager and Server, which users must purchase, CAA is distributed freely by Cisco.

The following diagram illustrates Cisco NAC Appliance in-band deployment:

Figure 1.18. Cisco NAC Framework

Cisco NAC Framework

The Cisco NAC Framework solution uses the existing network infrastructure and third-party vendor solutions to enforce security policy compliance on all endpoints. This solution is designed for highly specialized network environments. The NAC framework can be implemented on NAC-enabled Network Access Devices (NADs), such as Cisco routers, switches, Wireless Access Points, and firewalls, to grant access to compliant endpoints that are attempting to access the network, while placing noncompliant endpoints into quarantine.

It is import to remember that the NAC Framework solution does not require investment in new devices because it utilizes existing NADs. Therefore, an overlay system is not required to perform admission control. The four primary components of the NAC framework solution include the following:

1. Endpoint Software
2. Network Access Devices (NADs)
3. Access Control and Policy Server
4. Management System

• Endpoint security software includes products such as anti-virus software, Cisco Security Agent, Cisco Trust Agent, and other personal firewalls, such as the Windows Firewall. Policy enforcement and admission control decisions are made on the basis of application and OS status. Cisco and NAC program partners integrate CTA with their security software clients.

• NADs are Layer 2 or Layer 3 Cisco devices (e.g. routers and switches) that are used for policy enforcement and admission control based on endpoint compliance. NADs are primarily used as enforcement devices and can block users at Layer 2 or Layer 3, allowing access only to trusted endpoints and restricting or quarantining noncompliant endpoints. NADs relay credential information to the access control and policy server(s), where the admission decisions are made. Based on the various policies defined, the NAD will enforce the appropriate posture states: permit, deny, quarantine, or restrict.

• Access control and policy servers, such as the Cisco Secure Access Control System (ACS), as well as third-party vendor servers, are responsible for evaluating the endpoint security information that is relayed from the NAD and determining the proper access to be applied. Typically, Cisco Secure ACS is used as the AAA (Authentication, Authorization, and Accounting) server, in conjunction with the RADIUS protocol. Both AAA and RADIUS will be described in greater detail later in this guide.

• Cisco security management systems provide monitoring and reporting tools for the NAC Framework solution. These tools include CiscoWorks VPN and Security Management Solution (CiscoWorks VMS), CiscoWorks Security Information Manager Solution (CiscoWorks SIMS), and, most commonly, the Cisco Security Manager, which you are expected to be familiar with.

The Cisco Security Manager (CSM) is a tool that is used to centrally provision all aspects of device configuration and policies for Cisco Firewalls (e.g. ASA and Firewall Switch Module), Virtual Private Networks (VPNs), and Intrusion Prevention System (IPS) services. CSM can be used to provision networks with less than 10 devices or scale to configure networks with 1000 devices or more. CSM provides a powerful and user-friendly, easy-to-use interface, by incorporating three simple-use views into the management system for users to manage devices and policies, which are the device-centric, policy-centric, and topology-centric views.

The device-centric view (DCV) enables users to view the properties of devices being managed, add/delete devices from the CSM inventory, and centrally manage all device policies, properties, interfaces, and other related device parameters.

The policy-centric view (PCV) enables users to create and manage shared, reusable policies at the system level that can be shared amongst multiple devices. With PCV, users can also view all shared policies that are defined for a particular type, as well as create, view, and edit policies, and modify their device assignments.

Finally, the topology-centric view (TCV), also referred to as the Map view, enables users to create customized topology-based visual maps of the network, allowing users to manage policies directly from the topology view. TCV also allows users to view network connections between devices, link topologies, and configure VPN and other access control settings directly from the view maps.

While going into further detail on the NAC Framework is beyond the scope of the IINS course requirements, the following table shows the differences between the Cisco NAC Appliance and the Cisco NAC Framework:

Table 1.4. Cisco NAC Appliance and Framework

Cisco NAC Appliance	Cisco NAC Framework
Based on dedicated appliance-leveraging CCA products. NAC Appliance is self-sufficient.	An embedded approach implemented in NAC-enabled NADs.
Can identify, authentication, scan, and remediate endpoints without requiring other products.	Can identify, authenticate, and scan endpoints via Cisco-enabled NADs, while remediation is performed by Cisco ACS server or other third-party partner products, such as Trend Micro, for example.
Includes preconfigured checks for Microsoft from Windows Update, and most major anti-virus software packages are sent regularly to the Clean Access Server.	Vendors in the NAC Framework solution are required to implement an Application Programming Interface (API) to perform these functions.
Uses a Simple Network Management Protocol (SNMP) trap to pre-assign incoming users to a quarantined authentication VLAN. SNMP will be described in detail later in this guide.	Uses 802.1x and Extensible Authentication Protocol (EAP) to perform verification prior to VLAN assignment. These technologies will be described in detail later in this guide.
Forwards authentication requests to a back-end server, such as a RADUIS or Active Directory server.	Requires the use of Cisco Secure ACS as the AAA authentication server.
CCA is used to provide posture information, whereas CSA provides protection.	Third-party plug-ins provide posture information to the CTA, and CSA provides protection.

 

Operations Security

Operations security is used to secure hardware, software, and various media while investigating anomalies in the network. Recommendations for operations security are divided into four broad categories:

1. Separation of Duties
2. Rotation of Duties
3. Trusted Recovery
4. Configuration and Change Control

Separation of Duties

This recommendation proposes that information systems personnel (e.g. network security administrators, etc.) be assigned responsibilities in such a way that no one single employee can compromise a system’s security. The separation of duties can be accomplished by using a dual-operator system in which specific tasks require two people, a good example being opening the safe in a bank. Additionally, organizations can employ a two-person control system in which two employees have to approve one another’s work.

Rotation of Duties

The rotation of duties recommendation proposes that multiple employees periodically rotate duties, with the basis that the potential of a single employee to cause an ongoing security breach is lessened if duties are rotated between employees. Whilst this is not feasible in most corporations (e.g. banks, or service providers) it may work very well for companies that offer security guard or armored truck services, for example.

Trusted Recovery

This recommendation is centered on ensuring that recovery procedures are in place and that sensitive and critical data can be restored in the event of a system failure. It is imperative that the data that is recovered is restored to its original form. This includes privileges, restrictions, and any other related attributes.

Configuration and Change Control

Change control is one of the most widely adopted recommendations. Most organizations have some form of change control process, be it automated or manual, where proposed changes to systems, network devices, or polices are reviewed by other personnel before being approved. The primary goals of change control are to minimize system or network disruptions, back out of changes quickly and in a structured manner, and use resources more efficiently and effectively.

Security Documentation

This section provides details on the necessary documentation that you should be familiar with regarding security, which includes security policies, standards, procedures, baselines, and guidelines. All of these documents work together to provide a security system that complies with industry best practices and regulations. Security policies are used to describe the ‘whats’ of information security, while standards, procedures, baselines, and guidelines describe the ‘hows’ for the implementation of the security policy.

Security Policies

Security policies are a set of rules, practices, and procedures that dictate how sensitive information is managed, protected, and distributed. In addition to this, security policies state exactly what the security level should be by setting the goals of what the security mechanisms are going to, or supposed to, accomplish.

Security policies are typically written by higher management and describe information security. The main reason for security policies is to ensure that everyone complies with the same set of rules. A security policy should state the level of control users must observe and balance that with productivity goals. In other words, security policies should not be so restrictive that they impede the productivity and operation of users. However, a security policy should also not be so loose that no one has any accountability. There are three broad categories of security policies. These are regulatory policies, advisory policies, and informative policies.

1. Regulatory policies are mandatory enforcements of compliance with industry regulations and legislations (laws). These policies ensure that the organization is following the industry standards as regulated by the law.

2. Advisory policies drive confidentiality and the integrity of information systems. These policies are also used to outline the ramifications of noncompliance.

3. Finally, informative policies are non-enforceable policies that provide generic guidelines for best practices and acceptable behaviour. Within these categories, several different types of security policies can be created.

Some common examples of security policies are:

• Acceptable Use Policies
• Ethics Policies
• Information Sensitivity Policies
• Email Policies
• Password Policies
• Risk Assessment Policies

Acceptable use policies outline the acceptable use of computer equipment, such as PCs, laptops, and other electronic devices. The rules in this policy are intended to protect both the employer and the employee. Inappropriate use may expose the company to risks, such as viruses, the compromising of network systems and services, and even legal issues.

Ethics policies emphasize the employee and consumer’s expectations to be subject to fair business practices, thus establishing a culture of trust, openness, and integrity. Such policies typically guide business behaviour to ensure ethical conduct.

Information sensitivity policies are used to assist employees in understanding what information can be disclosed to nonemployees, partners, customers, or other parties, such as news agencies. In addition to this, these policies typically provide information on who is authorized to provide such information, which may include electronic information and information on paper.

Email policies cover the use of any email sent from an organization’s email address and apply to all employees, vendors, and agents that are acting on behalf of that organization. Such policies may also include acceptable email address use and disclosure. For example, the policy may prevent employees, vendors, and agents from using their company email address to register on social networking sites such as Facebook and MySpace.

Password policies are used to establish a standard for the creation of string passwords, the protection of those passwords, and the frequency of change for the passwords. For example, a company password policy may state that passwords should be at least eight characters in length and must contain letters (both uppercase and lowercase), numbers, and special characters.

Risk assessment policies are used to empower the information security group(s) to perform information security risk analysis periodically, in order to determine the areas of vulnerability and to initiate the proper remediation.

Standards

Standards are industry-recognized best practices, frameworks, agreed principles, concepts, and designs, which are designed to implement, achieve, and maintain the required levels of processes and procedures. These documents define systems’ parameters and processes and typically vary by industry. However, it is important to know that in the context of security information management and regulatory compliance, there are two notable standards: the ISO 17799/20002 and COBIT.

The International Organization for Standardization 17799/20002 is an internationally recognized and accepted standard for implementing IT security and best practices for information security management.  This standard focuses on the security of information systems and addresses related control objectives.

The Control Objectives for Information and related Technology (COBIT) is a recognized set of best practices framework and an open standard for IT controls and security developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT is used mainly by the IT audit community to demonstrate risk mitigation and avoidance mechanisms. In addition to this, COBIT focuses on information system processes and addresses information security management process requirements.

Procedures

Procedures are low-level documents that provide instructions on how the security policy and standards will be implemented. These documents are very detailed in order to provide users with all necessary information required to implement and enforce the security policy, as well as apply the standards and guidelines of the security program as a whole.

Baselines

Baselines are the minimal level of security required in a system; for example, ensuring that all routers in a network are running a specific version of Cisco IOS software, or that all computers are running a specific service pack for their operating system. The baseline document would also provide instructions on where to download this software and how it should be installed.

The Security Wheel

The security wheel is used to show the process of striving towards achieving a secured network infrastructure. This model contains five steps:

1. Developing a Security Policy
2. Securing the Network
3. Monitoring and Responding
4. Testing
5. Managing and Improving

Developing a Security Policy

It is important to have a security policy. Such a policy should be well defined, implemented, and documented, but at the same time it should be simple and straightforward enough so that employees, etc. can still conduct business within the defined parameters.

Securing the Network

Security solutions should be implemented to secure the network. Such solutions include, but are not limited to, authentication, encryption, firewalls, and intrusion prevention. These solutions should prevent unauthorized access and protect information and information systems.

Monitoring and Responding

Monitoring and responding involves system auditing and real-time intrusion detection and prevention systems. Monitoring is used to detect violations of the security policy, and responding is used to take action against these violations.

Testing

Testing is used to validate the effectiveness of the security policy through practices such as system auditing and vulnerability scanning using products such as Nmap, for example. Nmap is a security scanner used to discover computers and services on a computer network in order to create a map of the network.

In addition to this, Nmap can also perform host discovery (i.e. identifying computers on a network), port scanning (i.e. listing the open ports on one or more target computers), version detection (i.e. determining the application name and version number on remote devices), and operating system detection (i.e. determining the operating system and some hardware characteristics of network devices).

Managing and Improving

Using information from the monitoring and testing phases, improvements can, and may need to, be made to the current security implementation. In such cases, the security policy should be modified when new vulnerabilities and risks are identified.

The different phases of the security wheel are illustrated in the following diagram:

Figure 1.19. The Security Wheel

Guidelines and Best Practices

The final section of this chapter will address general security guidelines and will conclude with Cisco-recommended best practices.

Guidelines

Guidelines are recommended actions and operational guides for users. Unlike standards, which are mandatory, guidelines are simply used as reference material. When addressing security policies, standards, procedures, baselines, and guidelines, it is important to know that security policies are strategic in nature, while standards, procedures, baselines, and guidelines are all tactical documents. These documents are all intertwined and work together, as illustrated in the following diagram:

Figure 1.20. Cisco Security Guidelines

Best Practices

When dealing with network security, Cisco recommends the following best practices to guide you in your role as a network security administrator:

1. Routinely apply patches to operating systems and applications. Keep in mind that this does not have to be a manual process. For example, Windows-based machines have the capability to automatically download patches and updates. Ensure that such features are enabled and that users are aware of how to use them.

2. Disable unneeded services and ports on hosts. Unneeded services can be potential security holes. For example, on Cisco IOS routers, unnecessary services that should be disabled include TCP and UDP small servers, as well as the finger service – which is used to provide information about a device.

3. Require strong passwords and enable password expiration. In other words, ensure passwords are not indefinite and have some kind of expiration so that users change them periodically. Also, specify a minimum length for passwords and enforce a policy where passwords must contain numbers, letters, and special characters.

4. Protect physical access to computing and networking equipment. Lock or restrict access to cabinets or rooms that contain network devices, such as routers, switches, and firewalls.

5. Enforce secure programming practices, such as limiting valid characters that can be entered into an applications dialog box. For example, users should not be able to type in and execute .exe commands or files on a production server.

6. Train users on good security practices and educate them about social engineering tactics. Keep in mind that most people are very trusting. Attackers often take advantage of this; therefore, ensure that users are aware of what information they can and cannot give out.

7. Use strong encryption for sensitive data. Some encryption algorithms are stronger than others. Ensure that the most suitable (i.e. in line with business objectives) methods are used.

8. Defend against technical attacks by deploying both hardware and software-based security solutions, for example, firewalls (hardware) and anti-virus (software) solutions.

9. Create a documented security policy for company-wide use. It is important that this document is easily understood by everyone but, at the same time, it is not too vague.

Chapter Summary

The following section is a summary of the major points you should be aware of in this chapter:

Network Security Threats

• Every IP network infrastructure should be based on a sound security policy
• Network vulnerabilities must be constantly monitored, found, and addressed
• These vulnerabilities via a network evaluation, which includes:

1. Scanning a network for active IP addresses and open ports on those IP addresses
2. Scanning identified hosts for known vulnerabilities
3. Using password cracking utilities
4. Reviewing system and security logs
5. Performing virus scans
6. Performing penetration testing to see if specific systems (e.g. servers) can be compromised
7. Scanning for unsecured wireless networks

• There are two broad categories of network security threats: internal and external threats
• Internal security threats originate within the network
• External threats are those that originate from external attackers

The CIA Triad

• The CIA triad is generally accepted as defining the primary goals of network security
• Confidentiality prevents the unauthorized disclosure of sensitive information
• Integrity prevents the unauthorized modification of data, systems and information
• Availability is the prevention of loss of access to resources and information

Vulnerabilities, Exploits and Risks

• Vulnerabilities are weaknesses in computing systems
• Examples of vulnerabilities include:

1. Physical vulnerabilities
2. Operating System vulnerabilities
3. Protocol vulnerabilities
4. System code vulnerabilities
5. Poor system configuration vulnerabilities
6. Malicious software vulnerabilities
7. Human vulnerabilities

• Exploits are malicious programs that take advantage of vulnerabilities
• Common exploits take advantage of the following:

1. Default Passwords
2. IP Spoofing
3. Application weaknesses
4. Protocol weaknesses

• Information security risk assessment is the process used to identify and understand risks
• Risk analysis can be performed using either quantitative or qualitative analysis
• A quantitative analysis uses a mathematical formula
• A qualitative analysis, on the other hand, uses a scenario model

Denial of Service Attacks

• A DoS or DDoS attack is used to deny service from a legitimate resource or service
• DoS attacks typically do not pose a significant threat to sensitive data
• The five basic goals of DoS attacks are:

1. The consumption of computational resources, such as bandwidth, disk space, or CPU time
2. The disruption of configuration information, such as routing information
3. The disruption of state information, such as unsolicited resetting of TCP sessions
4. The disruption of physical network components
5. The obstruction of communication media between the intended users and the victim

• Common examples of Denial of Service attacks are:

1. Smurf Attacks
2. ARP Poison Attacks
3. Teardrop Attacks
4. Permanent Denial of Service Attacks
5. UDP Storm Attacks
6. Mailbomb Attacks
7. SSH Process Table Attacks
8. SYN Attacks

Distributed Denial of Service Attacks

• Distributed Denial of Service attacks are generally executed in two phases
• In the first phase, the perpetrator compromises computers
• In the second phase, the compromised hosts begin the attack
• Common examples of DDoS attacks are:

1. Peer-to-peer attacks
2. Reflected attacks
3. Distributed attacks

Malicious Code Attacks

• Malicious code attacks use programs that are written by attackers to do damage
• Most programs do not require that the attacker be present for them to do damage
• There are six types of malicious code attacks, and these are:

1. Malware
2. Viruses
3. Trojan Horses
4. Logic Bombs
5. Worms
6. Backdoor

• Worm attacks can be prevented by via containment, planning, tools and techniques
• Some of the tools that can be used to defend against worm attacks are:

1. Access Control Lists (ACLs)
2. Unicast Reverse Path Forwarding (uRPF)
3. NetFlow and NetFlow export
4. Routing protocols such as remote-triggered black hole filtering (RTBH)

Password Attacks

• Password attacks are fairly common and are easy to perform and often result in success
• There two types of password attacks are brute force dictionary-based attacks
• A brute force attack is the simple act of guessing keys and passwords
• Dictionary-based attacks search dictionary files to find a match to the encrypted password

Other Common Attacks

• Other common network security attacks include:

1. Spoofing Attacks
2. Man-in-the-Middle Attacks
3. Replay Attacks
4. TCP/IP Hijacking Attacks
5. WarDialing Attacks
6. Vulnerability Scanning
7. Sniffing
8. Privilege Escalation
9. Footprint Analysis
10. Buffer Overflows

Attack Categories

Network security threats fall into one of the following categories:

1. Active Attacks
2. Passive Attacks
3. Malicious Code Attacks
4. Password Attacks
5. Insider Attacks
6. Close-in Attacks
7. Distribution Attacks

Responding to Security Threats

• The overall framework and process to respond to threats includes the following steps:

1. Triage
2. Analysis
3. Reaction
4. Restore
5. Post-Mortem

The Cisco SAFE Blueprint

• Defense in depth is a security philosophy that that uses a layered security approach
• In a defense in depth deployment, each layer of security should have redundancy
• The defense in depth includes the following recommendations:

1. Defend multiple attack targets in the network
2. Create overlapping defenses
3. Allow the value of the protected device to mandate the level of security implemented.
4. Use strong encryption mechanisms to ensure data confidentiality

• Cisco SAFE delivers defense in depth by strategically via Cisco products and capabilities
• Cisco SAFE is delivered in two forms:

1. Design blueprints
2. Security solutions

• Cisco SAFE design blueprints are simply CVDs and security best practice guides
• The selection of platforms and capabilities in CVDs is driven by the SCF
• The SCF is aimed at ensuring network and service availability and business continuity

Cisco SAFE Security Solutions

• Best practices and design recommendations are provided for the following:

1. Infrastructure device access
2. Device resiliency and survivability
3. Routing infrastructure
4. Switching infrastructure
5. Network policy enforcement
6. Network telemetry

The Cisco PPDIOO Model

• The Cisco PPDIOO model encompasses all steps from network vision to optimization
• PPDIOO stands for prepare, plan, design, implement, operate, and optimize
• The Cisco Lifecycle Security Services, which has five distinct services, which are:

1. Strategy and Assessments Services
2. Deployment and Migration Services
3. Remote Management Services
4. Security Intelligence Services
5. Security Optimization Services

The Cisco Self Defending Network

• SDN integrates a collection of security solutions to identify, prevent and adapt to threats
• The three core characteristics of the Cisco Self Defending Network are:

1. Integrated Security
2. Collaborative Security Systems
3. Adaptive Threat Defense

• To begin creating the SDN, the platforms used must have integrated security features
• These features are divided into three categories:

1. Threat Containment
2. Protected Communications
3. Management

Network Admission Control (NAC)

• NAC uses NADs to protect the infrastructure from any endpoint seeking network access
• NAC is a part of the Cisco Self Defending Network
• NAC is focused on proactive security solutions and is offered in two forms:

1. Cisco NAC Appliance
2. Cisco NAC Framework

• The Cisco NAC appliance solution consists of the following three options:

1. Clean Access Server
2. Clean Access Agent
3. Clean Access Manager

• The four primary components of the NAC framework solution are:

1. Endpoint software
2. Network Access Devices (NADs)
3. Access Control and Policy Server
4. Management System

Operations Security

• Operations security is used to secure hardware, software and various media
• Recommendations for operations security are divided into four categories:

1. Separation of Duties
2. Rotation of Duties
3. Trusted Recovery
4. Configuration and Change Control

Security Documentation

• Security policies are used to describe the ‘whats’ of information security
• Standards, procedures, baselines and guidelines describe the ‘hows’ of the security policy
• Security policies are a set of rules, practices, and procedures
• Security policies are typically written by higher manageme
• Some common examples of security policies are:

1. Acceptable Use Policies
2. Ethics Policies
3. Information Sensitivity Policies
4. Email Policies
5. Password Policies
6. Risk Assessment Policies

• Standards are industry-recognized best practices, frameworks, and agreed principles
• Standard define systems parameters and processes and typically vary by industry
• Procedures are low-level documents
• Procedures provide instructions on security policy and standard implementation
• Baselines are the minimal level of security required in a system

The Security Wheel

• The security wheel shows the process of striving towards achieving a secured network
• The security wheel contains five steps, which are:

1. Developing a security policy
2. Securing the network
3. Monitoring and Responding
4. Testing
5. Managing and Improving

Guidelines and Best Practices

• Guidelines are recommended actions and operational guides for users
• Guidelines are simply used as reference material
• Cisco recommends the following best:

1. Routinely apply patches to operating systems and applications.
2. Disable unneeded services and ports on hosts.
3. Require strong passwords and enable password expiration.
4. Protect physical access to computing and networking equipment.
5. Enforce secure programming practices
6. Train users on good security practices and educate them about social engineering tactics
7. Use strong encryption for sensitive data
8. Defend against attacks by deploying both hardware and software-based security solutions
9. Create a documented security policy for company-wide use.