CCNA Exp4 - Chapter04 - Network Security

Chapter 4 Network Security
CCNA Exploration 4.0
Please purchase a personal license.
Introduction
H c vi n m ng Bach Khoa - Website: www.bkacad.com
Why is Network Security Important?
Why is Network Security Important?
Computer networks have grown in both size and importance in a very

short time. If the security of the network is compromised, there could be serious consequences, such as loss of privacy, theft of information, and even legal liability.
The Increasing Threat to Security

Animation 4.1.1.2
As shown in the figure, in 1985 an attacker had to have sophisticated computer, programming, and networking knowledge to make use of rudimentary tools and basic attacks. As time went on, and attackers' methods and tools improved, attackers no longer required the same level of sophisticated knowledge. This has effectively lowered the entry-level requirements for attackers. People who previously would not have participated in computer crime are now able to do so.
Some of the Security Terms

White hat -An individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed. Hacker -A general term that has historically been used to describe a computer programming expert. More recently, this term is often used in a negative way to describe an individual that attempts to gain unauthorized access to network resources with malicious intent. Black hat -Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat. Cracker -A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent. Phreaker -An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long distance calls. Spammer -An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages. Phisher -Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.
Think Like a Attacker

Step 1 Perform footprint analysis (reconnaissance). Scan information and build a picture of the security profile or "footprint" of the company. Step 2 Enumerate information. An attacker can expand on the footprint by monitoring network traffic with a packet sniffer such as Wireshark, finding information such as version numbers of FTP servers and mail servers. Step 3 Manipulate users to gain access. Step 4 Escalate privileges. After attackers gain basic access, they use their skills to increase their network privileges. Step 5 Gather additional passwords and secrets. With improved access privileges, attackers use their talents to gain access to well-guarded, sensitive information. Step 6 Install backdoors. Backdoors provide the attacker with a way to enter the system without being detected. The most common backdoor is an open listening TCP or UDP port. Step 7 Leverage the compromised system. After a system is compromised, an attacker uses it to stage attacks on other hosts in the network.
Types of Computer Crime

Insider abuse of network access Virus Mobile device theft Phishing where an organization is fraudulently represented as the sender Instant messaging misuse Denial of service Unauthorized access to information Bots within the organization Theft of customer or employee data Abuse of wireless network System penetration Financial fraud Password sniffing Key logging Website defacement Misuse of a public web application Theft of proprietary information Exploiting the DNS server of an organization Telecom fraud Sabotage
Open versus Closed Networks
The overall security challenge facing network administrators is
balancing two important needs: keeping networks open to support evolving business requirements and protecting private, personal, and strategic business information.
Open Access : An open security model is the easiest to implement . Simple passwords and server security become the foundation of this model. If encryption is used, it is implemented by individual users or on servers. LANs, which are not connected to the Internet or public WANs, are more likely to implement this type of model.
Restrictive Access:
A restrictive security model is more difficult to implement . Firewalls and identity servers become the foundation of this model. LANs, which are connected to the Internet or public WANs, are more likely to implement this type of model.
Closed Access: A closed security model is most difficult to implement. All available security measures are implemented in this design. This model assumes that the protected assets are premium, all users are not trustworthy, and that threats are frequent. Network security departments must clarify that they only implement the policy, which is designed, written, and approved by the corporation.
Developing a Security Policy
A security policy meets these goals:

1. Informs users, staff, and managers of their obligatory requirements for protecting technology and information assets 2. Specifies the mechanisms through which these requirements can be met 3. Provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy
Developing a Security Policy
ISO/IEC 27002 is intended to be a common basis and practical guideline for developing organizational security standards and effective security management practices. The document consists of 12 sections: 1. Risk assessment 2. Security policy 3. Organization of information security 4. Asset management 5. Human resources security 6. Physical and environmental security 7. Communications and operations management 8. Access control 9. Information systems acquisition, development, and maintenance 10. Information security incident management 11. Business continuity management 12. Compliance
Common Security Threats
Vulnerabilities
Vulnerability is the degree of weakness which is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices. There are three primary vulnerabilities or weaknesses: 1. Technological weaknesses 2. Configuration weaknesses 3. Security policy weaknesses
Vulnerabilities
Threats to Physical Infrastructure
The four classes of physical threats are: 1. Hardware threats -Physical damage to servers, routers, switches, cabling plant, and workstations 2. Environmental threats -Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry) 3. Electrical threats -Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss 4. Maintenance threats -Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling Here are some ways to mitigate physical threats: 1. Hardware threat mitigation 2. Environmental threat mitigation 3. Electrical threat mitigation
Physical Threat Mitigation
Hardware
Environmental
Physical Threat Mitigation
Electrical
Maintenance
Threats to Networks
There are four primary classes of threats to network security: 1. Unstructured Threats 2. Structured Threats 3. External Threats 4. Internal Threats
Unstructured threats
Unstructured threats consist of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers.
Structured threats
Structured threats come from hackers that are more highly motivated and technically competent. These people know system vulnerabilities, and can understand and develop exploit-code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses.
External threats
External threats can arise from individuals or organizations working outside of a company. They do not have authorized access to the computer systems or network.
Internal threats
Internal threats occur when someone has authorized access to the network with either an account on a server or physical access to the network.
Social Engineering
The easiest hack involves no computer skill at all. If an intruder can trick
a member of an organization into giving over valuable information, such as the location of files or passwords, the process of hacking is made much easier. This type of attack is called social engineering, and it preys on personal vulnerabilities that can be discovered by talented attackers.
Social Engineering
Phishing is a type of social engineering attack that involves using e-mail or other types of messages in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords. The phisher masquerades as a trusted party that has a seemingly legitimate need for the sensitive information. Phishing attacks can be prevented by educating users and implementing reporting guidelines when they receive suspicious e-mail. Administrators can also block access to certain web sites and configure filters that block suspicious e-mail.
Types of Network Attacks
Types of Network Attacks
Animation 4.1.3.1
1- Reconaissance Attacks
Reconaissance Attacks
Animation 4.1.3.2 Reconnaissance is the unauthorized discovery and mapping of systems,

services, or vulnerabilities. It is also known as information gathering and, in most cases, it precedes another type of attack.
Reconaissance Attacks
Network snooping and packet sniffing are common terms for eavesdropping. Eavesdropping is listening in to a conversation, spying, prying, or snooping. Types of Eavesdropping A common method for eavesdropping on communications is to capture TCP/IP or other protocol packets and decode the contents using a protocol analyzer or similar utility 2 common uses of eavesdropping are as follows: 1. Information gathering 2. Information theft Tools Used to Perform Eavesdropping Network or protocol analyzers Packet capturing utilities on networked computers Methods to Counteract Attacks Implementing and enforcing a policy directive that forbids the use of protocols with known susceptibilities to eavesdropping Using encryption that meets the data security needs of the organization without imposing an excessive burden on the system resources or the users Using switched networks
2- Access Attacks
Access attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. Access attacks can consist of the following: Password Attacks Trust Exploitation Port Redirection Man-in-the-middle Attack Social Engineering Phishing
Password Attacks
Password attacks can be implemented using a packet sniffer to yield user accounts and passwords that are transmitted as clear text. Password attacks usually refer to repeated attempts to log in to a shared resource, such as a server or router, to identify a user account, password, or both. These repeated attempts are called dictionary attacks or brute-force attacks. Password attacks can be mitigated by educating users to use long, complex passwords.
Password Attacks
Dictionary Attacks
A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function.
To conduct a dictionary attack, attackers can use tools such as

L0phtCrack or Cain. These programs repeatedly attempt to log in as a user using words derived from a dictionary. Another password attack method uses rainbow tables. A rainbow table is precomputed series of passwords which is constructed by building chains of possible plaintext passwords. Each chain is developed by starting with a randomly selected "guess" of the plaintext password and then successively applying variations on it.
Password Attacks
Brute-force Attacks
A brute-force attack tool is more sophisticated because it searches exhaustively using combinations of character sets to compute every possible password made up of those characters. The downside is that more time is required for completion of this type of attack. Bruteforce attack tools have been known to solve simple passwords in less than a minute. Longer, more complex passwords may take days or weeks to resolve. Note: Instead of attempting a brute force attack directly on system, crackers attempt to first exploit some wekness in the OS and obtain the encrypted password database, sush as shadow password file on UNIX or the SAM database on Windows.
Trust Exploitation
The goal of a trust exploitation attack is to compromise a trusted host, using it to stage attacks on other hosts in a network. If a host in a network of a company is protected by a firewall (inside host), but is accessible to a trusted host outside the firewall (outside host), the inside host can be attacked through the trusted outside host. Trust exploitation-based attacks can be mitigated through tight constraints on trust levels within a network, for example, private VLANs can be deployed in public-service segments where multiple public servers are available. Systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall. Such trust should be limited to specific protocols and should be authenticated by something other than an IP address, where possible.
Port Redirection
A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be blocked. The utility that can provide this type of access is netcat. When a system is under attack, a host-based intrusion detection system (IDS) can help detect an attacker and prevent installation of such utilities on a host.
Man-in-the-Middle Attack
A man-in-the-middle (MITM) attack is carried out by attackers that manage to position themselves between two legitimate hosts. The attacker may allow the normal transactions between hosts to occur, and only periodically manipulate the conversation between the two. LAN MITM attacks use such tools as Ettercap and ARP poisoning. Most LAN MITM attack mitigation can usually be mitigated by configuring port security on LAN switches. WAN MITM attack mitigation is achieved by using VPN tunnels, which allow the attacker to see only the encrypted, undecipherable text.
3- Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
DoS Attacks
DoS attacks are the most publicized form of attack and also among the most difficult to eliminate. But because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators. DoS and DDoS attacks can be mitigated by implementing special anti-spoof and anti-DoS access control lists. ISPs can also implement traffic rate, limiting the amount of nonessential traffic that crosses network segments. A common example is to limit the amount of ICMP traffic that is allowed into a network, because this traffic is used only for diagnostic purposes.
DoS Attacks
Ping of Death Attack
A ping of death attack gained popularity back in the late 1990s. It took advantage of vulnerabilities in older operating systems. This attack modified the IP portion of a ping packet header to indicate that there is more data in the packet than there actually was. A ping is normally 64 to 84 bytes, while a ping of death could be up to 65,535 bytes. Sending a ping of this size may crash an older target computer. Most networks are no longer susceptible to this type of attack.
DoS Attacks
SYN Flood Attack
A SYN flood attack exploits the TCP three-way handshake. It involves sending multiple SYN requests (1,000+) to a targeted server. The server replies with the usual SYN-ACK response, but the malicious host never responds with the final ACK to complete the handshake. This ties up the server until it eventually runs out of resources and cannot respond to a valid host request. Other types of DoS attacks include: E-mail bombs - Programs send bulk e-mails to individuals, lists, or domains, monopolizing e-mail services. Malicious applets - These attacks are Java, JavaScript, or ActiveX programs that cause destruction or tie up computer resources.
DDos Attacks
Distributed DoS (DDoS) attacks are designed to saturate network links with illegitimate data. This data can overwhelm an Internet link, causing legitimate traffic to be dropped. DDoS uses attack methods similar to standard DoS attacks, but operates on a much larger scale. Typically, hundreds or thousands of attack points attempt to overwhelm a target. Examples of DDoS attacks include the following: SMURF attack Tribe flood network (TFN) Stacheldraht MyDoom
DDos Attacks
Smurf Attack
The Smurf attack uses spoofed broadcast ping messages to flood a
target system. It starts with an attacker sending a large number of ICMP echo requests to the network broadcast address from valid spoofed source IP addresses. Turning off directed broadcast capability in the network infrastructure prevents the network from being used as a bounce site. Directed broadcast capability is now turned off by default in Cisco IOS software since version 12.0.
4- Malicious Code Attacks
Malicious Code Attacks
The primary vulnerabilities for end-user workstations are worm, virus, and Trojan horse attacks. A worm executes code and installs copies of itself in the memory of the infected computer, which can, in turn, infect other hosts. A virus is malicious software that is attached to another program for the purpose of executing a particular unwanted function on a workstation. A Trojan horse is different from a worm or virus only in that the entire application was written to look like something else, when in fact it is an attack tool.

Worms Attack
The anatomy of a worm attack is as follows: The enabling vulnerability -A worm installs itself by exploiting known vulnerabilities in systems, such as naive end users who open unverified executable attachments in e-mails. Propagation mechanism -After gaining access to a host, a worm copies itself to that host and then selects new targets. Payload -Once a host is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator.

Worms Attack
The following are the recommended steps for worm attack mitigation: Containment -Contain the spread of the worm in and within the network. Compartmentalize uninfected parts of the network. Inoculation -Start patching all systems and, if possible, scanning for vulnerable systems. Quarantine -Track down each infected machine inside the network. Disconnect, remove, or block infected machines from the network. Treatment -Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Viruses and Trojan Horses
A virus is malicious software that is attached to another program to

execute a particular unwanted function on a workstation. A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool.
General Mitigation Techniques
Device Hardening
When a new operating system is installed on a computer, the security settings are set to the default values. In most cases, this level of security is inadequate. There are some simple steps that should be taken that apply to most operating systems: Default usernames and passwords should be changed immediately. Access to system resources should be restricted to only the individuals that are authorized to use those resources. Any unnecessary services and applications should be turned off and uninstalled, when possible.
Antivirus Software
Install host antivirus software to protect against known viruses. Antivirus software can detect most viruses and many Trojan horse applications, and prevent them from spreading in the network. Antivirus software does this in two ways: It scans files, comparing their contents to known viruses in a virus dictionary. Matches are flagged in a manner defined by the end user. It monitors suspicious processes running on a host that might indicate infection. This monitoring may include data captures, port monitoring, and other methods.
Personal Firewall
Personal computers connected to the Internet through a dialup connection, DSL, or cable modems are as vulnerable as corporate networks. Personal firewalls reside on the PC of the user and attempt to prevent attacks. Personal firewalls are not designed for LAN implementations, such as appliance-based or server-based firewalls, and they may prevent network access if installed with other networking clients, services, protocols, or adapters.
Operating System Patches
The most effective way to mitigate a worm and its variants is to download security updates from the operating system vendor and patch all vulnerable systems. This is difficult with uncontrolled user systems in the local network, and even more troublesome if these systems are remotely connected to the network via a virtual private network (VPN) or remote access server (RAS).
Intrusion Detection and Prevention
Intrusion detection systems (IDS) detect attacks against a network and send logs to a management console. Intrusion prevention systems (IPS) prevent attacks against the network and should provide the following active defense mechanisms in addition to detection: Prevention -Stops the detected attack from executing. Reaction -Immunizes the system from future attacks from a malicious source. Either technology can be implemented at a network level or host level, or both for maximum protection.
Host-based Intrusion Detection Systems
Host-based intrusion is typically implemented as inline or passive technology, depending on the vendor. 1. Passive technology, which was the first generation technology, is called a hostbased intrusion detection system (HIDS). HIDS sends logs to a management console after the attack has occurred and the damage is done. 2. Inline technology, called a host-based intrusion prevention system (HIPS), actually stops the attack, prevents damage, and blocks the propagation of worms and viruses. Cisco provides HIPS using the Cisco Security Agent software. HIPS software must be installed on each host, either the server or desktop, to monitor activity performed on and against the host.
Common Security Appliances and Applications
Security is a top consideration whenever planning a network. In the past, the one device that would come to mind for network security was the firewall. A firewall by itself is no longer adequate for securing a network. An integrated approach involving firewall, intrusion prevention, and VPN is necessary. An integrated approach to security, and the necessary devices to make it happen, follows these building blocks: Threat control Secure communications Network admission control (NAC) Cisco ASA 5500 Series Adaptive Security Appliance Cisco IPS 4200 Series Sensors Cisco NAC Appliance Cisco Security Agent (CSA)
The Network Security Wheel

To begin the Security Wheel process,
first develop a security policy that enables the application of security measures. A security policy includes the following: Identifies the security objectives of the organization. Documents the resources to be protected. Identifies the network infrastructure with current maps and inventories. Identifies the critical resources that need to be protected, such as research and development, finance, and human resources. This is called a risk analysis.
The Enterprise Security Policy
What is a Security Policy?
A security policy benefits an organization in the following ways: Provides a means to audit existing network security and compare the requirements to what is in place. Plan security improvements, including equipment, software, and procedures. Defines the roles and responsibilities of the company executives, administrators, and users. Defines which behavior is and is not allowed. Defines a process for handling network security incidents. Enables global security implementation and enforcement by acting as a standard between sites. Creates a basis for legal action if necessary.
Functions of a Security Policy
The security policy is for everyone, including employees, contractors,

suppliers, and customers who have access to the network. However, the security policy should treat each of these groups differently. Each group should only be shown the portion of the policy appropriate to their work and level of access to the network.
Components of a Security Policy
The SANS Institute (http://www.sans.org) provides guidelines

developed in cooperation with a number of industry leaders, including Cisco, for developing comprehensive security policies for organizations large and small. Not all organizations need all of these policies.
Securing Cisco Routers
The Role of Routers in Network Security
Router security is a critical element in any security deployment. Routers are definite targets for network attackers. If an attacker can compromise and access a router, it can be a potential aid to them. Knowing the roles that routers fulfill in the network helps you understand their vulnerabilities. Routers fulfill the following roles: Advertise networks and filter who can use them. Provide access to network segments and subnetworks.
Routers are Targets
Because routers provide gateways to other networks, they are obvious targets, and are subject to a variety of attacks. Here are some examples of various security problems: Compromising the access control can expose network configuration details, thereby facilitating attacks against other network components. Compromising the route tables can reduce performance, deny network communication services, and expose sensitive data. Misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection.
Routers are Targets
Attackers can compromise routers in different ways, so there is no single approach that network administrators can use to combat them. The ways that routers are compromised are similar to the types of attacks you learned about earlier in this chapter, including trust exploitation attacks, IP spoofing, session hijacking, and MITM attacks.
Securing Your Network
Securing routers at the network perimeter is an important first step in securing the network. Think about router security in terms in these categories: Physical security Update the router IOS whenever advisable Backup the router configuration and IOS Harden the router to eliminate the potential abuse of unused ports and services
Applying Cisco IOS Security Features to Routers
Before you configure security features on a router, you need a plan for all the Cisco IOS security configuration steps.
Manager Router Security
Basic router security consists of configuring passwords. A strong password is the most fundamental element in controlling secure access to a router. For this reason, strong passwords should always be configured. A recommended method for creating strong complex passwords is to use passphrases. A passphrase is basically a sentence or phrase that serves as a more secure password. Make sure that the phrase is long enough to be hard to guess but easy to remember and type accurately. Note: Password-leading spaces are ignored, but all spaces after the first character are not ignored.
Configuring Router Passwords

By default, Cisco IOS software leaves passwords in plain text when
they are entered on a router. This is not secure since anyone walking behind you when you are looking at a router configuration could snoop over your shoulder and see the password. For example: R1(config)# username Student password cisco123 R1(config)# do show run | include username username Student password 0 cisco123 R1(config)# The 0 displayed in the running configuration, indicates that password is not hidden. Cisco IOS provides 2 password protection schemes: 1. Simple encryption called a type 7 scheme. It uses the Ciscodefined encryption algorithm and will hide the password using a simple encryption algorithm. 2. Complex encryption called a type 5 scheme. It uses a more secure MD5 hash.
The type 7 encryption can be used by the enable password, username, and line password commands including vty, line console, and aux port. It does not offer very much protection as it only hides the password using a simple encryption algorithm. Although not as secure as the type 5 encryption, it is still better than no encryption. To encrypt passwords using type 7 encryption, use the service passwordencryption global configuration command as displayed in the figure.
R1(config)# username Student secret cisco R1(config)# do show run | include username username Student secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/ R1(config)#
Cisco recommends that Type 5 encryption be used instead of Type 7 whenever possible. MD5 encryption is a strong encryption method. It should be used whenever possible. It is configured by replacing the keyword password with secret. A router will always use the secret password over the enable password. For this reason, the enable password command should never be configured as it may give away a system password. Note: Some processes may not be able to use type 5 encrypted passwords. For example, PAP and CHAP require clear text passwords and cannot use MD5 encrypted passwords.
Cisco IOS Software Release 12.3(1) and later allow administrators to

set the minimum character length for all router passwords using the security passwords min-length global configuration command, as shown in the figure. This command affects any new user passwords, enable passwords and secrets, and line passwords created after the command was executed. The command does not affect existing router passwords.
Securing Administrative Access to Routers
To secure administrative access to routers and switches, first you will

secure the administrative lines (VTY, AUX), then you will configure the network device to encrypt traffic in an SSH tunnel.
Remote Administrative Access with Telnet and SSH
Remote Administrative Access with Telnet and SSH
Another useful tactic is to configure VTY timeouts using the exec-timeout command. This prevents an idle session from consuming the VTY indefinitely. Although its effectiveness against deliberate attacks is relatively limited, it provides some protection against sessions accidentally left idle. Similarly, enabling TCP keepalives on incoming connections by using the service tcp-keepalives-in command can help guard against both malicious attacks and orphaned sessions caused by remote system crashes.
Implementing SSH to Secure Remote Administrative Access
SSH has replaced Telnet as the best practice for providing remote router administration with connections that support strong privacy and session integrity. SSH uses port TCP 22. Not all Cisco IOS images support SSH. Only cryptographic images can. Typically, these images have image IDs of k8 or k9 in their image names. Cisco routers are capable of acting as the SSH client and server. By default, both of these functions are enabled on the router when SSH is enabled. As a client, a router can SSH to another router. As a server, a router can accept SSH client connections.
Configuring SSH Security
To enable SSH on the router, the following parameters must be configured: Hostname Domain name Asymmetrical keys Local authentication Optional configuration parameters include: Timeouts Retries
Activity 4.2.4.5
Logging Router Activity
R2(config)#service timestamps ? debug Timestamp debug messages log Timestamp log messages <cr> R2(config)#service timestamps
Logs allow you to verify that a router is working properly or to determine whether the router has been compromised. In some cases, a log can show what types of probes or attacks are being attempted against the router or the protected network. A syslog server provides a better solution because all network devices can forward their logs to one central station where an administrator can review them. An example of a syslog server application is Kiwi Syslog Daemon. Accurate time stamps are important to logging. Time stamps allow you to trace network attacks more credibly. A Network Time Protocol (NTP) server may have to be configured to provide a synchronized time source for all devices
Secure Router Network Services
Vulnerable Router Services and Interfaces
SNMP, NTP, and DNS Vulnerabilities
Versions of SNMP prior to version 3 shuttle information in clear text. Normally, SNMP version 3 should be used. Disabling NTP on an interface does not prevent NTP messages from traversing the router. To reject all NTP messages at a particular interface, use an access list. Turn off DNS name resolution with the command no ip domain-lookup. It is also a good idea to give the router a name, using the command hostname.
Routing Protocol Authentication Overview
In general, routing systems can be attacked in two ways: 1. Disruption of peers 2. Falsification of routing information A straightforward way to attack the routing system is to attack the routers running the routing protocols, gain access to the routers and inject false information. Be aware that anyone "listening" can capture routing updates.
Routing Protocol Authentication Overview
The figure shows how each router in the update chain creates a signature. The three components of such a system include: 1. Encryption algorithm, which is generally public knowledge 2. Key used in the encryption algorithm, which is a secret shared by the routers authenticating their packets 3. Contents of the packet itself
Configuring RIPv2 with Routing Protocol Authentication
Overview of Routing Protocol Authentication for EIGRP and OSPF
Locking Down Your Router with Cisco Auto Secure
Cisco AutoSecure uses a single command to disable non-essential system processes and services, eliminating potential security threats. You can configure AutoSecure in privileged EXEC mode using the auto secure command in one of these two modes: 1. Interactive mode - This mode prompts you with options to enable and disable services and other security features. This is the default mode. 2. Non-interactive mode - This mode automatically executes the auto secure command with the recommended Cisco default settings. This mode is enabled with the no-interact command option.
Using Cisco SDM
What is Cisco SDM?

The Cisco Router and
Security Device Manager (SDM) is an easy-to-use, web-based devicemanagement tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers. The SDM files can be installed on the router, a PC, or on both. An advantage of installing SDM on the PC is that it saves router memory, and allows you to use SDM to manage other routers on the network.
Cisco SDM Features
Cisco SDM smart wizards can intelligently detect incorrect
configurations and propose fixes, such as allowing DHCP traffic through a firewall if the WAN interface is DHCP-addressed. Online help embedded within Cisco SDM contains appropriate background information, in addition to step-by-step procedures to help users enter correct data in Cisco SDM.
Configuring Your Router to Support Cisco SDM
Starting Cisco SDM
Cisco SDM Home Page Overview
About Your Router Area
Configuration Overview Area

Interfaces and Connections
Firewall Policies VPN
View Running Config
Routing
Intrusion Prevention
Cisco SDM Wizards
Check http://www.cisco.com/go/sdm for the latest information about the Cisco SDM wizards and the interfaces they support.
http://www.cisco.com/cdc_content_elements/flash/sdm/demo.htm?NO_NAV
Locking Down a Router with Cisco SDM
AutoSecure features that are implemented differently in Cisco SDM include the following: 1. Disables SNMP, and does not configure SNMP version 3. 2. Enables and configures SSH on crypto Cisco IOS images 3. Does not enable Service Control Point or disable other access and file transfer services, such as FTP.
Locking Down a Router with Cisco SDM

Refer to 4.4.6
Secure Router Management
Maintaining Cisco IOS Software Image
An update replaces one release with another without upgrading the feature set. The software might be updated to fix a bug or to replace a release that is no longer supported. Updates are free. An upgrade replaces a release with one that has an upgraded feature set. The software might be upgraded to add new features or technologies, or replace a release that is no longer supported. Upgrades are not free.
Cisco recommends following a four-phase migration process to simplify network operations and management. When you follow a repeatable process, you can also benefit from reduced costs in operations, management, and training. The four phases are: 1. Plan -Set goals, identify resources, profile network hardware and software, and create a preliminary schedule for migrating to new releases. 2. Design -Choose new Cisco IOS releases and create a strategy for migrating to the releases. 3. Implement -Schedule and execute the migration. 4. Operate -Monitor the migration progress and make backup copies of images that are running on your network.
There are a number of tools available on Cisco.com to aid in migrating Cisco IOS software. You can use the tools to get information about releases, feature sets, platforms, and images. The following tools do not require a Cisco.com login: 1. Cisco IOS Reference Guide -Covers the basics of the Cisco IOS software family 2. Cisco IOS software technical documents -Documentation for each release of Cisco IOS software 3. Software Center -Cisco IOS software downloads 4. Cisco IOS Software Selector -Finds required features for a given technology
The following tools require valid Cisco.com login accounts: 1. Bug Toolkit -Searches for known software fixes based on software version, feature set, and keywords 2. Cisco Feature Navigator -Finds releases that support a set of software features and hardware, and compares releases 3. Software Advisor -Compares releases, matches Cisco IOS software and Cisco Catalyst OS features to releases, and finds out which software release supports a given hardware device 4. Cisco IOS Upgrade Planner -Finds releases by hardware, release, and feature set, and downloads images of Cisco IOS software
Cisco IOS File Systems and Devices
The pound symbol (#)indicates that this is a bootable disk. An asterisks (*) indicates that this is the current default file system.
Cisco IOS devices provide a feature called the Cisco IOS Integrated
File System (IFS). This system allows you to create, navigate, and manipulate directories on a Cisco device. The directories available depend on the platform. Although there are several file systems listed, of interest to us will be the tftp, flash and nvram file systems. Network file systems include using FTP, trivial FTP (TFTP), or Remote Copy Protocol (RCP).
To view the contents of NVRAM, you must change the current default
file system using the cd change directory command. The pwd present working directory command verifies that we are located in the NVRAM directory. Finally, the dir command lists the contents of NVRAM.
URL Prefixes for Cisco Devices
Commands for Managing Configuration Files
R2# copy running-config startup-config

R2# copy system:running-config nvram:startup-config R2# copy running-config tftp: R2# copy system:running-config tftp: R2# copy tftp: running-config R2# copy tftp: system:running-config R2# copy tftp: startup-config R2# copy tftp: nvram:startup-config
Cisco IOS File Naming Conventions
Other feature set possibilities include: i - Designates the IP feature set j - Designates the enterprise feature set (all protocols)s - Designates a PLUS feature set (extra queuing, manipulation, or translations) 56i - Designates 56-bit IPsec DES encryption 3 - Designates the firewall/IDS k2 - Designates the 3DES IPsec encryption (168 bit)
Using TFTP Servers to Manage IOS Images
Before changing a Cisco IOS image on the router, you need to complete these tasks: Determine the memory required for the update and, if necessary, install additional memory. Set up and test the file transfer capability between the administrator host and the router. Schedule the required downtime, normally outside of business hours, for the router to perform the update.
When you are ready to do the update, carry out these steps: Shut down all interfaces on the router not needed to perform the update. Back up the current operating system and the current configuration file to a TFTP server. Load the update for either the operating system or the configuration file. Test to confirm that the update works properly. If the tests are successful, you can then re-enable the interfaces you disabled. If the tests are not successful, back out the update, determine what went wrong, and start again.
Backing Up IOS Software Image
Upgrading IOS Software Images
Note: Make sure that the Cisco IOS image loaded is appropriate for
the router platform. If the wrong Cisco IOS image is loaded, the router could be made unbootable, requiring ROM monitor (ROMmon) intervention.
Recovering Software Images
Restoring IOS Software Images
Using xmodem to Restore an IOS Image
Troubleshooting Cisco IOS Configurations
Cisco IOS Troubleshooting Commands
The debug command allows you to trace the execution of a process. Use the show command to verify configurations.
Using the show Command
The show command displays static information. Use show commands when gathering facts for isolating problems in an
internetwork, including problems with interfaces, nodes, media, servers, clients, or applications. The Cisco IOS command guide lists 1,463 show commands.
Using the debug Command
By default, the network server sends the output from debug

commands and system error messages to the console. Remember that you can redirect debug output to a syslog server. Note: Debugging output is assigned high priority in the CPU process queue and can therefore interfere with normal production processes on a network. For this reason, use debug commands during quiet hours and only to troubleshoot specific problems.
Considerations when using the debug Command
With proper, selective, and temporary use of debug commands, you can obtain potentially useful information without needing a protocol analyzer or other third-party tool.
Commands Related to the debug Command
Recovering a Lost Router Password
About Password Recovery
Have you ever forgotten the password to a router? Maybe not, but sometime in your career, you can expect someone to forget, and you will need to recover it. In a router, a configuration register, represented by a single hexadecimal value, tells the router what specific steps to take when powered on. Configuration registers have many uses, and password recovery is probably the most used.
Router Password Recovery Procedure

Step 1. Connect to the console port. Step 2. If you have lost the enable password, you would still have
access to user EXEC mode. Type show version at the prompt, and record the configuration register setting. Step 3. Use the power switch to turn off the router, and then turn the router back on. Step 4. Press Break on the terminal keyboard within 60 seconds of power up to put the router into ROMmon. Step 5. Type confreg 0x2142 at the rommon 1> prompt. This causes the router to bypass the startup configuration where the forgotten enable password is stored. Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration. Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure. Step 8. Type enable at the Router> prompt. This puts you into enable mode, and you should be able to see the Router# prompt.

Step 9. Type copy startup-config running-config to copy the
NVRAM into memory. Be careful! Do not type copy running-config startup-config or you will erase your startup configuration. Step 10. Type show running-config. Step 11. Type configure terminal. The hostname(config)# prompt appears. Step 12. Type enable secret password to change the enable secret password. For example: R1(config)# enable secret cisco Step 13. Issue the no shutdown command on every interface that you want to use. Step 14. Type config-register configuration_register_setting. The configuration_register_setting is either the value you recorded in Step 2 or 0x2102 . For example: R1(config)#config-register 0x2102 Step 15. Press Ctrl-Z or type end to leave configuration mode. The hostname# prompt appears. Step 16. Type copy running-config startup-config to commit the changes.
Labs
Summary

CCNA Exp4 - Chapter04 - Network Security

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

CCNA Exp4 - Chapter04 - Network Security

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCNA Exp4 - Chapter04 - Network Security

Uploaded by

Copyright:

Available Formats

Chapter 4 Network Security

CCNA Exploration 4.0

Please purchase a personal license.

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Why is Network Security Important?

Why is Network Security Important?

Computer networks have grown in both size and importance in a very

The Increasing Threat to Security

Some of the Security Terms

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Think Like a Attacker

Types of Computer Crime

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Open versus Closed Networks

The overall security challenge facing network administrators is

Open versus Closed Networks

Open versus Closed Networks

Open versus Closed Networks

Developing a Security Policy

A security policy meets these goals:

Developing a Security Policy

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Common Security Threats

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Threats to Physical Infrastructure

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Physical Threat Mitigation

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Physical Threat Mitigation

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Types of Network Attacks

Types of Network Attacks

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Animation 4.1.3.2 Reconnaissance is the unauthorized discovery and mapping of systems,

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

To conduct a dictionary attack, attackers can use tools such as

3- Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks

H c vi n m ng Bach Khoa - Website: www.bkacad.com

The Smurf attack uses spoofed broadcast ping messages to flood a

4- Malicious Code Attacks

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Malicious Code Attacks

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Malicious Code Attacks

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Malicious Code Attacks

Malicious Code Attacks

A virus is malicious software that is attached to another program to

General Mitigation Techniques

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Operating System Patches

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Intrusion Detection and Prevention