IPS-1.ppt


Transcript of IPS-1.ppt

  • 8/10/2019 IPS-1.ppt

    1/31

    2005 Cisco Systems, Inc. All rights reserved. IPS v5.01-1

    Defining Security Fundamentals


    Need for Network Security


    Threat Capabilities: More Dangerous and Easier to Use

    [Chart: a timeline from 1980 through 1990 to 2000. The sophistication of hacker tools rises from low to high while the technical knowledge required falls from high to low. Milestones shown: Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sniffers, Scanners, Stealth Diagnostics, Packet Forging and Spoofing.]


    Network Security Is a Continuous Process

    Network security is a continuous process built around a security policy.

    Step 1: Secure

    Step 2: Monitor

    Step 3: Test

    Step 4: Improve

    [Diagram: a cycle of Secure, Monitor and Respond, Test, and Manage and Improve, centered on the Corporate Security Policy.]


    Network Security Policy


    What Is a Security Policy?

    A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.

    RFC 2196, Site Security Handbook


    Primary Network Threats and Attacks


    Variety of Attacks

    Network attacks can be as varied as the systems that they attempt to penetrate.

    [Diagram: attack sources shown include the Internet, Internal Exploitation, Dial-In Exploitation, and a Compromised Host.]


    Network Security Threats

    There are four general categories of security threats to the network.

    Unstructured threats

    Structured threats

    External threats

    Internal threats


    The Four Primary Attack Categories

    All of the following can be used to compromise your system.

    Reconnaissance attacks

    Access attacks

    Denial of service attacks

    Worms, viruses, and Trojan horses


    Reconnaissance Attacks and Mitigation


    Reconnaissance Attacks

    Reconnaissance refers to the overall act of learning about a target network by using readily available information and applications.


    Packet Sniffers

    A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. These are the features of packet sniffers:

    Packet sniffers exploit information passed in clear text. Protocols that pass information in clear text include the following:

    Telnet

    HTTP

    [Diagram: Host A and Host B communicating through Router A and Router B.]


    Packet Sniffer Attack Mitigation

    Here are techniques and tools that can be used to mitigate sniffer attacks:

    Authentication: A first option for defense against packet sniffers is to use strong authentication, such as one-time passwords.

    Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.

    Antisniffer tools: These tools consist of software and hardware designed to detect sniffers on a network.

    Cryptography: The most effective method for countering packet sniffers does not prevent or detect them but rather renders them irrelevant.

    [Diagram: Host A and Host B communicating through Router A and Router B.]


    Port Scans and Ping Sweeps

    What these attacks attempt to do:

    Identify all services on the network

    Identify all hosts and devices on the network

    Identify the operating systems on the network

    Identify vulnerabilities on the network


    Port Scan and Ping Sweep Attack Mitigation

    Port scans and ping sweeps cannot be prevented entirely.

    IDSs at the network and host levels can usually notify an administrator when a reconnaissance attack such as a port scan or a ping sweep is underway.
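    The kind of notification the slide describes, as an added example that is not part of the Cisco course material: a minimal IDS-style detector that raises an alert when one source probes many ports on a host (port scan) or pings many hosts (ping sweep) inside a sliding window. The log format, thresholds and sample records are constructed for illustration.

```python
# Added example (not part of the Cisco course): a minimal network-IDS style
# detector that flags port scans and ping sweeps in firewall log lines.
# The log format and thresholds are constructed for illustration:
#   "<epoch> <src_ip> <dst_ip> <proto> <dst_port>"  (dst_port is "-" for ICMP)
from collections import defaultdict

PORT_SCAN_THRESHOLD = 10   # distinct ports on one host from one source
PING_SWEEP_THRESHOLD = 5   # distinct hosts pinged from one source
WINDOW_SECONDS = 60        # sliding window for both counters

def parse_line(line):
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto, dport

def detect(lines):
    """Return sorted (alert_type, source_ip) pairs for sources that look like scanners."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    tcp_hits = defaultdict(list)    # src -> [(ts, (dst, dport)), ...]
    icmp_hits = defaultdict(list)   # src -> [(ts, dst), ...]
    alerts = set()
    for ts, src, dst, proto, dport in events:
        bucket = icmp_hits[src] if proto == "icmp" else tcp_hits[src]
        bucket.append((ts, dst if proto == "icmp" else (dst, dport)))
        while bucket and ts - bucket[0][0] > WINDOW_SECONDS:   # expire old entries
            bucket.pop(0)
        if proto == "icmp":
            if len({d for _, d in bucket}) >= PING_SWEEP_THRESHOLD:
                alerts.add(("ping_sweep", src))
        else:
            ports_per_host = defaultdict(set)
            for _, (d, p) in bucket:
                ports_per_host[d].add(p)
            if any(len(p) >= PORT_SCAN_THRESHOLD for p in ports_per_host.values()):
                alerts.add(("port_scan", src))
    return sorted(alerts)

# Constructed sample: 10.0.0.5 walks 12 ports on one host, 10.0.0.9 pings six
# hosts, and 10.0.0.7 is ordinary traffic that must not trigger an alert.
SAMPLE_LOG = (
    [f"{1000 + i} 10.0.0.5 192.168.1.10 tcp {20 + i}" for i in range(12)]
    + [f"{1000 + i} 10.0.0.9 192.168.1.{i} icmp -" for i in range(1, 7)]
    + ["1005 10.0.0.7 192.168.1.10 tcp 443", "1030 10.0.0.7 192.168.1.10 tcp 80"]
)

if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG):
        print(f"ALERT {kind} from {src}")
```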


    Access Attacks and Mitigation


    Password Attacks

    Hackers can implement password attacks by using several methods:

    Brute-force attacks

    Trojan horse programs

    IP spoofing

    Packet sniffers


    Password Attack Mitigation

    Password attack mitigation techniques:

    Do not allow users to have the same password on multiple systems.

    Disable accounts after a certain number of unsuccessful login attempts.

    Do not use plain text passwords. A cryptographic password is recommended.

    Use strong passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters.

    Force periodic password changes.
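    Two of these controls expressed as code, as an added example that is not from the Cisco course: the strong-password rule exactly as the slide states it (at least eight characters with uppercase, lowercase, digits and special characters) and account lockout after a set number of failed logins. The lockout threshold of five and the in-memory account store are assumptions; the slide gives no specific number.

```python
# Added example (not Cisco code): the slide's password-strength rule and an
# account-lockout counter. MAX_FAILURES is an assumption; the slide only says
# "a certain number" of unsuccessful attempts.
import string
from dataclasses import dataclass

MIN_LENGTH = 8
MAX_FAILURES = 5   # assumed threshold

def password_problems(pw):
    """Return the policy violations found; an empty list means the password is strong."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems

@dataclass
class Account:
    failures: int = 0
    disabled: bool = False

class LoginGuard:
    """Count failed attempts per account and disable the account at the limit."""
    def __init__(self):
        self.accounts = {}   # constructed in-memory store keyed by username

    def record_attempt(self, user, success):
        """Return 'ok', 'failed' or 'disabled' for this attempt."""
        acct = self.accounts.setdefault(user, Account())
        if acct.disabled:          # a disabled account stays locked even on a correct password
            return "disabled"
        if success:
            acct.failures = 0      # a successful login resets the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.disabled = True
            return "disabled"
        return "failed"
```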


    Denial of Service Attacks and Mitigation


    Denial of Service Attacks

    Denial of service attacks occur when an intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, systems, or services.


    IP Spoofing

    IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.

    Two general techniques are used during IP spoofing:

    A hacker uses an IP address that is within the range of trusted IP addresses.

    A hacker uses an authorized external IP address that is trusted.

    Here are uses for IP spoofing:

    IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.

    If a hacker changes the routing tables to point to the spoofed IP address, then the hacker can receive all the network packets that are addressed to the spoofed address and reply, just as any trusted user can.


    IP Spoofing Attack Mitigation

    The threat of IP spoofing can be reduced, but not eliminated, through these measures:

    Access control: The most common method for preventing IP spoofing is to properly configure access control.

    RFC 2827 filtering: Prevent any outbound traffic on your network that does not have a source address in your organization's own IP range.

    Require additional authentication that does not use IP-based authentication. Examples of this technique include the following:

    Cryptography (recommended)

    Strong, two-factor, one-time passwords


    DoS and DDoS Attacks

    DoS attacks focus on making a service unavailable for normal use. They have the following characteristics:

    Differ from most other attacks because they are generally not targeted at gaining access to your network or the information on your network

    Require very little effort to execute

    Are among the most difficult to completely eliminate


    DoS and DDoS Attack Mitigation

    The threat of DoS attacks can be reduced by three methods:

    Antispoof features: Proper configuration of antispoof features on routers and firewalls

    Anti-DoS features: Proper configuration of anti-DoS features on routers, firewalls, and intrusion detection systems

    Traffic rate limiting: Implementation of traffic rate limiting with the ISP of the network


    Management Protocols and Functions


    Configuration Management

    Configuration management protocols include SSH, SSL, and Telnet.

    Telnet issues include the following:

    The data within a Telnet session is sent as clear text and may be intercepted by anyone with a packet sniffer located along the data path between the device and the management server.

    The data may include sensitive information, such as the configuration of the device itself, passwords, and so on.


    Configuration Management Recommendations

    When possible, the following practices are advised:

    Use IPSec, SSH, SSL, or any other encrypted and authenticated transport.

    ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged.

    Use RFC 2827 filtering at the perimeter router to mitigate the chance of an outside attacker spoofing the addresses of the management hosts.
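    The address-based filters recommended here and on the IP spoofing mitigation slide, modelled as an added example that is not Cisco configuration: RFC 2827 filtering in both directions at the perimeter (drop outbound packets whose source is not in the organization's own range, and inbound packets that claim one of the organization's own addresses) and a management-plane ACL that admits only the management servers on encrypted protocols and logs every other attempt. The prefix 203.0.113.0/24, the management hosts and the sample packets are constructed.

```python
# Added example (not Cisco configuration): a model of the two address-based
# filters the slides recommend, RFC 2827 filtering at the perimeter and a
# management-plane ACL that admits only the management servers and logs
# every other attempt. Prefixes, hosts and sample packets are constructed.
import ipaddress

ORG_PREFIX = ipaddress.ip_network("203.0.113.0/24")          # our own address range
MGMT_HOSTS = {ipaddress.ip_address("203.0.113.10"),
              ipaddress.ip_address("203.0.113.11")}          # management servers
MGMT_PORTS = {22, 443}   # SSH and HTTPS; Telnet (23) is deliberately absent

def rfc2827_egress(src):
    """Outbound packets must carry a source address from our own range."""
    return ipaddress.ip_address(src) in ORG_PREFIX

def rfc2827_ingress(src):
    """Inbound packets claiming one of our own addresses are spoofed; drop them."""
    return ipaddress.ip_address(src) not in ORG_PREFIX

def management_acl(src, dport):
    """Only the management servers, over encrypted protocols, may reach the device."""
    return ipaddress.ip_address(src) in MGMT_HOSTS and dport in MGMT_PORTS

CHECKS = {"egress": lambda s, p: rfc2827_egress(s),
          "ingress": lambda s, p: rfc2827_ingress(s),
          "mgmt": management_acl}

def filter_packets(packets):
    """Apply the matching check to each (kind, src, dport); return decisions and a deny log."""
    decisions, log = [], []
    for kind, src, dport in packets:
        permitted = CHECKS[kind](src, dport)
        if not permitted:
            log.append(f"deny {kind} src={src} dport={dport}")   # denied attempts are logged
        decisions.append("permit" if permitted else "deny")
    return decisions, log

# Constructed sample traffic covering each filter's permit and deny case.
SAMPLE_PACKETS = [
    ("egress", "203.0.113.25", 80),    # legitimate outbound request
    ("egress", "192.0.2.99", 80),      # source not ours: spoofed, dropped
    ("ingress", "198.51.100.7", 443),  # ordinary inbound traffic
    ("ingress", "203.0.113.10", 22),   # outsider spoofing a management host
    ("mgmt", "203.0.113.10", 22),      # management server over SSH
    ("mgmt", "203.0.113.50", 22),      # any other host: denied and logged
    ("mgmt", "203.0.113.10", 23),      # management server but Telnet: denied
]
```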


    Management Protocols

    The following management protocols can be compromised:

    SNMP: The community string information for simple authentication is sent in clear text.

    Syslog: Data is sent as clear text between the managed device and the management host.

    TFTP: Data is sent as clear text between the requesting host and the TFTP server.

    NTP: Many NTP servers on the Internet do not require any authentication of peers.


    Management Protocol Recommendations

    SNMP recommendations:

    Configure SNMP only with read-only community strings.

    Set up access control on the device you wish to manage.

    Use SNMP version 3 or above.

    Logging recommendations:

    Encrypt syslog traffic within an IPSec tunnel.

    Implement RFC 2827 filtering.

    Set up access control on the firewall.

    TFTP recommendations:

    Encrypt TFTP traffic within an IPSec tunnel.

    NTP recommendations:

    Implement your own master clock.

    Set up access control that specifies which network devices are allowed to synchronize with other network devices.
