Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
You see this a lot—typically, in medium-sized to large enterprise networks, the various strategies for security are based on some recipe of internal and perimeter routers plus firewall devices. Internal routers provide additional security to the network by screening traffic to various parts of the protected corporate network, and they do this by using access lists. You can see where each of these types of devices is found in Figure 6.1.

I’ll use the terms trusted network and untrusted network throughout this chapter, so it’s important that you can see where they are found in a typical secured network. The demilitarized zone (DMZ) can be global (real) Internet addresses or private addresses, depending on how you configure your firewall, but this is typically where you’ll find the HTTP, DNS, email, and other Internet-type corporate servers.
FIGURE 6.1 A typical secured network
Instead of having routers, we can (as you already know) use virtual local area networks (VLANs) with switches on the inside trusted network. Multilayer switches containing their own security features can sometimes replace internal (LAN) routers to provide higher performance in VLAN architectures.

Let’s discuss the security threats a typical secured internetwork faces; then I’ll provide some ways of protecting the internetwork using the Cisco IOS Firewall feature set and access lists.
Recognizing Security Threats
Yes, it’s true: Security attacks vary considerably in their complexity and threat level, and some even happen because of WUI, or witless user ignorance. (This term isn’t an exam objective, but it does occur more than you’d think!)

You see, it all comes down to planning, or rather, lack thereof. Basically, the vital tool that the Internet has become today was absolutely unforeseen by those who brought it into being. This is a big reason why security is now such an issue—most IP implementations are innately insecure. No worries though, because Cisco has a few tricks up its sleeve to help us with this. But first, let’s examine some common attack profiles:
Application layer attacks
These attacks commonly zero in on well-known holes in the software that’s typically found running on servers. Favorite targets include FTP, sendmail, and HTTP. Because the permissions level granted to these accounts is most often “privileged,” bad guys simply access and exploit the machine that’s running one of the applications I just mentioned.
[Figure 6.1 labels: Internet (untrusted network); perimeter (premises) router; firewall; DMZ with mail server and web server; internal (local network) router; corporate (trusted) network]
Autorooters
You can think of these as a kind of hacker automaton. Bad guys use something called a rootkit to probe, scan, and then capture data on a strategically positioned computer that’s poised to give them “eyes” into entire systems—automatically!
Backdoors
These are simply paths leading into a computer or network. Through simple invasions, or via more elaborate “Trojan horse” code, bad guys can use their implanted inroads into a specific host or even a network whenever they want to—until you detect and stop them, that is!
Denial of service (DoS) and distributed denial of service (DDoS) attacks
Basically, a service is made unavailable by overwhelming the system that normally provides it. A denial of service attack is characterized by a flood of packets that are requesting a TCP connection to a server, and there are several different flavors:
TCP SYN flood
Begins when a client initiates a seemingly run-of-the-mill TCP connection and sends a SYN message to a server. The server predictably responds by sending a SYN-ACK message back to the client machine, which then establishes the connection by returning an ACK message. Sounds fine, but it’s actually during this process—when the connection is only halfway open—that the victim machine is literally flooded with a deluge of half-open connections and pretty much becomes paralyzed.
“Ping of death” attacks
You probably know that TCP/IP’s maximum packet size is 65,536 octets. It’s okay if you didn’t know that—just understand that this attack is executed by simply pinging with oversized packets, causing a device to keep rebooting incessantly, freeze up, or just totally crash.
Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K)
These nasty little numbers are more complex in that they initiate synchronized DoS attacks from multiple sources and can target multiple devices. This is achieved, in part, by something known as “IP spoofing,” which I’ll be describing soon.
Stacheldraht
This attack is actually a mélange of methods, and it translates from the German term for barbed wire. It basically incorporates TFN and adds a dash of encryption. It all begins with a huge invasion at the root level, followed up with a DoS attack finale.
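The half-open state described under TCP SYN flood is visible on the victim as a pile of SYN_RECV sockets. The following added example (not code from the book) reads a constructed netstat-style socket table and reports how many connections are stuck half-open, which remote sources hold the most, and whether the total crosses a threshold; the threshold values are assumptions, since a real flood normally spoofs random sources, so the total matters more than any single address.

```python
"""Flag a TCP SYN flood from a socket-state table.  Added example, not from the
page; the netstat-style rows are constructed and the limits are assumptions."""
from collections import Counter

HALF_OPEN = "SYN_RECV"  # server has sent SYN-ACK and is still waiting for the ACK


def parse_states(table: str):
    """Yield (remote_ip, state) from 'proto recvq sendq local remote state' rows."""
    for line in table.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "tcp":
            continue  # skip the header row and anything that is not TCP
        remote_ip = tok[4].rsplit(":", 1)[0]  # drop the ephemeral port
        yield remote_ip, tok[5]


def half_open_report(table: str, per_source_limit: int = 3):
    """Return (half_open_total, established_total, sources over the limit)."""
    half_open, established = Counter(), 0
    for ip, state in parse_states(table):
        if state == HALF_OPEN:
            half_open[ip] += 1
        elif state == "ESTABLISHED":
            established += 1
    suspects = sorted(ip for ip, n in half_open.items() if n >= per_source_limit)
    return sum(half_open.values()), established, suspects


def is_syn_flood(table: str, half_open_limit: int = 4) -> bool:
    """Flooders usually spoof random sources, so judge by the total half-open
    count rather than by any single address (limit is an assumed tuning value)."""
    total, _, _ = half_open_report(table)
    return total >= half_open_limit


# Constructed 'netstat -tn'-style snapshot of the web server sitting in the DMZ.
SAMPLE = """
Proto Recv-Q Send-Q Local Address      Foreign Address       State
tcp        0      0 192.0.2.10:80      203.0.113.5:40001     SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.5:40002     SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.5:40003     SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.5:40004     SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.9:51000    ESTABLISHED
tcp        0      0 192.0.2.10:80      198.51.100.20:51001   SYN_RECV
"""
```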
IP spoofing
This is pretty much what it sounds like it is—a bad guy from within or outside of your network masquerades as a trusted host machine by doing one of two things: presenting with an IP address that’s inside your network’s scope of trusted addresses or using an approved, trusted external IP address. Because the hacker’s true identity is veiled behind the spoofed address, this is often just the beginning of your problems.
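The access lists on the perimeter router are the standard answer to the first kind of spoofing above: a packet arriving from the untrusted side with a source address inside the trusted range is simply dropped. The added example below (not from the book) is a toy evaluator for IOS-style extended access lists that applies such an ingress filter; the address ranges, the ACL name ANTISPOOF-IN, and the rule set are constructed, and the evaluator only handles `ip` entries with `any`, `host` and network/wildcard address forms.

```python
"""Toy evaluator for Cisco IOS-style extended access lists, used here to show how
an inbound ACL on the perimeter router drops spoofed packets (added example)."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def _take_addr(tok, i):
    """Consume 'any', 'host A' or 'NET WILDCARD' at tok[i]; return (net, wc, next)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(text: str):
    """Return [(action, src, src_wc, dst, dst_wc)] for each 'permit|deny ip ...'."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skips the 'ip access-list extended NAME' header line
        src, swc, i = _take_addr(tok, 2)
        dst, dwc, _ = _take_addr(tok, i)
        aces.append((tok[0], src, swc, dst, dwc))
    return aces


def evaluate(aces, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for action, s, swc, d, dwc in aces:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


# Constructed ingress filter for the untrusted (Internet-facing) interface:
# packets claiming a source inside the trusted LAN (10/8), the DMZ (192.0.2/24)
# or loopback cannot legitimately arrive from outside, so they are dropped.
ANTISPOOF_IN = """
ip access-list extended ANTISPOOF-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
"""
ACES = parse_acl(ANTISPOOF_IN)
```

On a real router the list is bound with `ip access-group ANTISPOOF-IN in` on the outside interface; `evaluate(ACES, "10.1.2.3", "192.0.2.10")` returns "deny" while a genuine Internet source such as 203.0.113.7 is permitted.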
Man-in-the-middle attacks
Interception! But it’s not a football, it’s a bunch of your network’s packets—your precious data! A common guilty party could be someone working for your very own ISP using a tool known as a sniffer (discussed later) and augmenting it with routing and transport protocols.
Network reconnaissance
Before breaking into a network, hackers often gather all the information they can about it, because the more they know about the network, the better they can compromise it. They accomplish their objectives through methods like port scans, DNS queries, and ping sweeps.
Packet sniffers
This is the tool I mentioned earlier, but I didn’t tell you what it is, and it may come as a surprise that it’s actually software. Here’s how it works—a network adapter card is set to promiscuous mode so that it will send all packets snagged from the network’s physical layer through to a special application to be viewed and sorted out. A packet sniffer can nick some highly valuable, sensitive data including, but not limited to, passwords and usernames, making them prized among identity thieves.
Password attacks
These come in many flavors, and even though they can be achieved via more sophisticated types of attacks like IP spoofing, packet sniffing, and Trojan horses, their sole purpose is to—surprise—discover user passwords so that the thief can pretend to be a valid user and then access that user’s privileges and resources.
Brute force attack
Another software-oriented attack that employs a program running on a targeted network that tries to log in to some type of shared network resource like a server. For the hacker, it’s ideal if the accessed accounts have a lot of privileges because then the bad guys can form backdoors to use to gain access later and bypass the need for passwords entirely.
Port redirection attacks
This approach requires a host machine that the hacker has broken into and uses to get wonky traffic (that normally wouldn’t be allowed passage) through a firewall.
Trojan horse attacks and viruses
These two are actually pretty similar—both Trojan horses and viruses infect user machines with malicious code and mess it up with varying degrees of paralysis, destruction, even death! But they do have their differences—viruses are really just nasty programs attached to command.com, which just happens to be the main interpreter for all Windows systems. Viruses then run amok, deleting files and infecting any flavor of command.com they find on the now-diseased machine. The difference between a virus and a Trojan horse is that Trojans are actually complete applications encased inside code that makes them appear to be completely different entities—say, a simple, innocent game—than the ugly implements of destruction they truly are!
Trust exploitation attacks
These happen when someone exploits a trust relationship inside your network. For example, a company’s perimeter network connection usually shelters important things like SMTP, DNS, and HTTP servers, making the servers really vulnerable because they’re all on the same segment.
To be honest, I’m not going to go into detail on how to mitigate each and every one of the security threats I just talked about, not only because that would be outside the scope of this book, but also because the methods I am going to teach you will truly protect you from being attacked in general. You will learn enough tricks to make all but the most determined bad guys give up on you and search for easier prey. So basically, think of this as a chapter on how to practice “safe networking.”
Exam Objectives
Remember the basic strategy for security.
In medium-sized to large enterprise networks, the various strategies for security are based on some recipe of internal and perimeter routers plus firewall devices.
Identify security threats to a network and describe general methods
Remember the four typical denial of service attacks.
There are four typical denial of service attacks used on today’s networks: TCP SYN flood, ping of death, Tribe Flood Network and Stacheldraht.