8/10/2019 IPS-1.ppt
1/31
2005 Cisco Systems, Inc. All rights reserved. IPS v5.01-1
Defining Security Fundamentals
Need for Network Security
Threat Capabilities: More Dangerous and Easier to Use
[Chart: from 1980 through 1990 to 2000, the sophistication of hacker tools rises while the technical knowledge required falls from high to low. Techniques plotted along the timeline include password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, scanners, packet forging and spoofing, and stealth diagnostics.]
Network Security Is a Continuous Process
Network security is a continuous process built around a security policy.
Step 1: Secure
Step 2: Monitor
Step 3: Test
Step 4: Improve
[Diagram: a cycle of Secure, Monitor and Respond, Test, and Manage and Improve, arranged around the Corporate Security Policy.]
Network Security Policy
What Is a Security Policy?
A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
RFC 2196, Site Security Handbook
Primary Network Threats and Attacks
Variety of Attacks
Network attacks can be as varied as the systems that they attempt to penetrate.
[Diagram: attack sources into a network, labelled Internet, Internal Exploitation, Dial-In Exploitation, and Compromised Host.]
Network Security Threats
There are four general categories of security threats to the network.
Unstructured threats
Structured threats
External threats
Internal threats
The Four Primary Attack Categories
All of the following can be used to compromise your system.
Reconnaissance attacks
Access attacks
Denial of service attacks
Worms, viruses, and Trojan horses
Reconnaissance Attacks and Mitigation
Reconnaissance Attacks
Reconnaissance refers to the overall act of learning about a target network by using readily available information and applications.
Packet Sniffers
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. Packet sniffers have the following features:
Packet sniffers exploit information passed in clear text. Protocols that pass information in clear text include the following:
Telnet
HTTP
[Diagram: Host A and Host B communicating across Router A and Router B.]
Packet Sniffer Attack Mitigation
Here are techniques and tools that can be used to mitigate sniffer attacks:
Authentication: A first option for defense against packet sniffers is to use strong authentication, such as one-time passwords.
Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
Antisniffer tools: These tools consist of software and hardware designed to detect sniffers on a network.
Cryptography: The most effective method for countering packet sniffers does not prevent or detect them but rather renders them irrelevant.
[Diagram: Host A and Host B communicating across Router A and Router B.]
Port Scans and Ping Sweeps
What these attacks attempt to do:
Identify all services on the network
Identify all hosts and devices on the network
Identify the operating systems on the network
Identify vulnerabilities on the network
Port Scan and Ping Sweep Attack Mitigation
Port scans and ping sweeps cannot be prevented entirely.
IDSs at the network and host levels can usually notify an administrator when a reconnaissance attack such as a port scan or a ping sweep is underway.
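Detection logic of the kind the slide describes, as an added example that is not part of the Cisco course: a sliding window per source that raises a port-scan alert when one source touches many distinct ports on a single host, and a ping-sweep alert when it sends ICMP echo to many distinct hosts. The log format, thresholds and addresses are constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window per source (assumed value)
PORT_THRESHOLD = 10      # distinct ports on one host within the window -> port scan
HOST_THRESHOLD = 10      # distinct hosts probed with ICMP echo within the window -> ping sweep

# Constructed sample connection log (not captured traffic). One record per line:
# "<seconds> <proto> <src> -> <dst>[:<dport>]"; ICMP echo records carry no port.
SAMPLE_LOG = "\n".join(
    [f"{i} tcp 198.51.100.7 -> 192.0.2.10:{20 + i}" for i in range(12)]  # 12 ports on one host
    + [f"{i} icmp 203.0.113.9 -> 192.0.2.{i}" for i in range(1, 12)]     # echo to 11 hosts
    + ["5 tcp 192.0.2.50 -> 192.0.2.10:22", "7 tcp 192.0.2.50 -> 192.0.2.10:443"]  # benign
)


def parse(line):
    """Split one record into (timestamp, proto, src, dst_host, dst_port); port is '' for ICMP."""
    ts, proto, src, _, dst = line.split()
    host, _, port = dst.partition(":")
    return int(ts), proto, src, host, port


def detect(log_text, window=WINDOW_SECONDS):
    """Return one alert per (kind, source) as (kind, src, distinct_count) when a threshold is hit."""
    port_events = defaultdict(deque)   # (src, dst_host) -> deque of (ts, dst_port)
    ping_events = defaultdict(deque)   # src -> deque of (ts, dst_host)
    alerts, alerted = [], set()
    records = sorted(log_text.splitlines(), key=lambda rec: int(rec.split()[0]))
    for line in records:
        ts, proto, src, host, port = parse(line)
        if proto == "icmp":
            queue, item, kind, limit = ping_events[src], host, "ping sweep", HOST_THRESHOLD
        else:
            queue, item, kind, limit = port_events[(src, host)], port, "port scan", PORT_THRESHOLD
        queue.append((ts, item))
        while queue and ts - queue[0][0] > window:   # drop events that fell out of the window
            queue.popleft()
        distinct = {i for _, i in queue}
        if len(distinct) >= limit and (kind, src) not in alerted:
            alerted.add((kind, src))
            alerts.append((kind, src, len(distinct)))
    return alerts


if __name__ == "__main__":
    for kind, src, count in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {src} touched {count} distinct targets within {WINDOW_SECONDS}s")
```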
Access Attacks and Mitigation
Password Attacks
Hackers can implement password attacks by using several methods:
Brute-force attacks
Trojan horse programs
IP spoofing
Packet sniffers
Password Attack Mitigation
Password attack mitigation techniques:
Do not allow users to have the same password on multiple systems.
Disable accounts after a certain number of unsuccessful login attempts.
Do not use plain text passwords. A cryptographic password is recommended.
Use strong passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters.
Force periodic password changes.
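Three of the slide's mitigations (lockout after repeated failures, no plain-text password storage, the eight-character four-class strength rule) as working code. This is an added example, not part of the Cisco course; the lockout threshold of 5, PBKDF2-HMAC-SHA256 with 100000 iterations as the stored form, and the account names are assumptions.

```python
import hashlib
import hmac
import os
import string

MAX_FAILED_ATTEMPTS = 5       # assumed threshold: disable the account after this many failures
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the stored password digest


def is_strong(password):
    """Slide policy: at least eight characters with upper, lower, digit and special characters."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    return len(password) >= 8 and all(any(c in cls for c in password) for cls in classes)


def hash_password(password, salt=None):
    """Return (salt, digest). Only these are stored; the plain-text password never is."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Account:
    def __init__(self, username, password):
        if not is_strong(password):
            raise ValueError("password does not meet the strength policy")
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed_attempts = 0
        self.disabled = False

    def login(self, attempt):
        """True on a correct password; a disabled account rejects even the correct one."""
        if self.disabled:
            return False
        _, candidate = hash_password(attempt, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.failed_attempts = 0          # a success clears the failure counter
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.disabled = True              # lockout stops further brute-force guessing
        return False
```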
Denial of Service Attacks and Mitigation
Denial of Service Attacks
Denial of service attacks occur when an intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, systems, or services.
IP Spoofing
IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
Two general techniques are used during IP spoofing:
A hacker uses an IP address that is within the range of trusted IP addresses.
A hacker uses an authorized external IP address that is trusted.
Here are uses for IP spoofing:
IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.
If a hacker changes the routing tables to point to the spoofed IP address, then the hacker can receive all the network packets that are addressed to the spoofed address and reply, just as any trusted user can.
IP Spoofing Attack Mitigation
The threat of IP spoofing can be reduced, but not eliminated, through these measures:
Access control: The most common method for preventing IP spoofing is to properly configure access control.
RFC 2827 filtering: Prevent any outbound traffic on your network that does not have a source address in your organization's own IP range.
Require additional authentication that does not use IP-based authentication. Examples of this technique include the following:
Cryptography (recommended)
Strong, two-factor, one-time passwords
DoS and DDoS Attacks
DoS attacks focus on making a service unavailable for normal use. They have the following characteristics:
Differ from most other attacks because they are generally not targeted at gaining access to your network or the information on your network
Require very little effort to execute
Are among the most difficult to completely eliminate
DoS and DDoS Attack Mitigation
The threat of DoS attacks can be reduced by three methods.
Antispoof features: Proper configuration of antispoof features on routers and firewalls
Anti-DoS features: Proper configuration of anti-DoS features on routers, firewalls, and intrusion detection systems
Traffic rate limiting: Implementation of traffic rate limiting with the ISP of the network
Management Protocols and Functions
Configuration Management
Configuration management protocols include SSH, SSL, and Telnet.
Telnet issues include the following:
The data within a Telnet session is sent as clear text and may be intercepted by anyone with a packet sniffer located along the data path between the device and the management server.
The data may include sensitive information, such as the configuration of the device itself, passwords, and so on.
Configuration Management Recommendations
When possible, the following practices are advised:
Use IPSec, SSH, SSL, or any other encrypted and authenticated transport.
ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged.
Use RFC 2827 filtering at the perimeter router to mitigate the chance of an outside attacker spoofing the addresses of the management hosts.
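The RFC 2827 filtering from the IP spoofing mitigation slide and the management ACL from this slide, as an added example written in Python rather than router configuration (it is not from the Cisco course). The 192.0.2.0/24 organization range, the two management hosts, and the SSH/SSL port set are constructed assumptions.

```python
import ipaddress

# Constructed addressing (documentation prefixes, not a real network).
ORG_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]  # the organization's own IP range
MANAGEMENT_HOSTS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}
MANAGEMENT_PORTS = {22, 443}  # SSH and SSL only; Telnet (23) is not a permitted transport


def is_internal(addr):
    return any(addr in net for net in ORG_PREFIXES)


def rfc2827_verdict(direction, src):
    """Perimeter anti-spoofing. 'out': deny traffic whose source is not ours, so our network
    cannot be the launch point for spoofed packets. 'in': deny traffic from outside that
    claims one of our own addresses (for example, a management host's)."""
    src = ipaddress.ip_address(src)
    if direction == "out" and not is_internal(src):
        return "deny"
    if direction == "in" and is_internal(src):
        return "deny"
    return "permit"


def management_acl(src, dport, deny_log):
    """Device ACL: permit only management servers on management ports; deny and log the rest."""
    if dport in MANAGEMENT_PORTS and ipaddress.ip_address(src) in MANAGEMENT_HOSTS:
        return "permit"
    deny_log.append(f"denied connection from {src} to port {dport}")
    return "deny"


def evaluate(perimeter_packets, device_connections):
    """Perimeter filter over (direction, src) pairs; device ACL over (src, dport) pairs."""
    deny_log = []
    perimeter = [rfc2827_verdict(d, s) for d, s in perimeter_packets]
    device = [management_acl(s, p, deny_log) for s, p in device_connections]
    return perimeter, device, deny_log


# Constructed sample traffic.
PERIMETER_SAMPLE = [("in", "203.0.113.5"),     # ordinary outside host: permit
                    ("in", "192.0.2.10"),      # outsider claiming a management address: deny
                    ("out", "192.0.2.77"),     # our host with our own address: permit
                    ("out", "198.51.100.1")]   # our host spoofing a foreign source: deny
DEVICE_SAMPLE = [("192.0.2.10", 22),   # management server over SSH: permit
                 ("192.0.2.77", 22),   # non-management host: deny and log
                 ("192.0.2.10", 23)]   # management server over Telnet: deny and log
```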
Management Protocols
The following management protocols can be compromised:
SNMP: The community string information for simple authentication is sent in clear text.
Syslog: Data is sent as clear text between the managed device and the management host.
TFTP: Data is sent as clear text between the requesting host and the TFTP server.
NTP: Many NTP servers on the Internet do not require any authentication of peers.
Management Protocol Recommendations
SNMP recommendations:
Configure SNMP only with read-only community strings.
Set up access control on the device you wish to manage.
Use SNMP version 3 or above.
Logging recommendations:
Encrypt syslog traffic within an IPSec tunnel.
Implement RFC 2827 filtering.
Set up access control on the firewall.
TFTP recommendations:
Encrypt TFTP traffic within an IPSec tunnel.
NTP recommendations:
Implement your own master clock.
Set up access control that specifies which network devices are allowed to synchronize with other network devices.