CCNPv5 Module 5 Lesson 3


Implementing Secure Converged Wide Area Networks (ISCW)
ISCW-Mod5_L3
© 2007 Cisco Systems, Inc. All rights reserved.
1
Network Attack Using Intelligence
Lesson 3 – Module 5 – ‘Cisco Device Hardening’
Module Introduction
• The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.
• Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
• Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
Objectives
• At the completion of this third lesson, you will be able to:
- Describe the difference between virus, trojan and worm threats
- Show how these threats are propagated
- Explain techniques for dealing with these threats
- Describe system software that can aid in defending and mitigating against host machine attacks
End Station (Host) Vulnerabilities
• Host machines are particularly vulnerable to attack if not adequately protected. The main threats are:
- Viruses
- Trojan horse attacks
- Worms
Viruses
• A computer virus is a malicious computer program (executable file) that can copy itself and infect a computer without the permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus.
• A virus can only spread from one computer to another when its host is taken to an uninfected computer, for instance by a user sending it over a network as a file or as an email payload, or carrying it on a removable medium such as a ‘floppy’ disk, USB disk (‘memory stick’), or CD / DVD.
• Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages.
Source: Wikipedia – Computer virus
Trojan Horse
• A Trojan horse is a program that – unlike a virus – contains or installs a malicious program: the payload or ‘trojan’.
• Trojan horses may appear to be useful or interesting programs, or at the very least harmless to an unsuspecting user, but are actually harmful when executed.
• There are two common types of Trojan horses:
- One is otherwise useful software that has been corrupted by a hacker inserting malicious code that executes while the program is used.
- The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.
Worms
• A computer worm is a self-replicating executable computer program. It uses a network to send copies of itself to other hosts (‘end-user’ machines on the network) and it may do so without any user intervention.
• Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.
Malicious software containment
• Viruses and Trojan horses can be contained by:
- Effective use of antivirus software
- Keeping up to date with the latest developments in these methods of attack
- Keeping up to date with the latest antivirus software and application versions
- Implementing host-based intrusion prevention systems (for example, Cisco Security Agent)
Worm Attack, Mitigation and Response
• The anatomy of a worm attack has three parts:
- The enabling vulnerability: A worm installs itself on a vulnerable system.
- Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets.
- Payload: Once the worm infects the device, the attacker has access to the host – often as a privileged user. Attackers use a local exploit to escalate their privilege level to administrator.
Worm attack mitigation
• Worm attack mitigation requires diligence on the part of system and network administration staff.
• Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident.
• Recommended steps for worm attack mitigation:
- Containment: Contain the spread of the worm into your network and within your network. Compartmentalise uninfected parts of your network.
- Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.
- Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.
- Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.
Worm attack response
• Six typical incident response methodologies to worms are as follows:
1. Preparation: Acquire the resources to respond
2. Identification: Identify the worm
3. Classification: Classify the type of worm
4. Traceback: Trace the worm back to the attack’s origin
5. Reaction: Isolate and repair the affected systems
6. Post mortem: Document and analyse the process that you used, for future use
Application Layer Attacks and Mitigation
• Application layer attacks have the following characteristics:
- They exploit well-known weaknesses, such as those in protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP)
- They often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall)
- They can never be completely eliminated because new vulnerabilities are always being discovered
Netcat
• Netcat is a tool that reads or writes data on any TCP/UDP connections, relays TCP connections, and can act as a TCP/UDP server.
#nc -h
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -i secs         delay interval for lines sent, ports scanned
        -l              listen mode, for inbound connects
        -n              numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r              randomize local and remote ports
        -s addr         local source address
        -u              UDP mode
        -v              verbose [use twice to be more verbose]
port numbers can be individual or ranges: lo-hi [inclusive]
Netcat Example
Mitigation of Application Layer Attacks
• Measures you can take to reduce risks include:
- Read operating system and network log files, or have the files analysed by log analysis applications
- Subscribe to mailing lists that publicise vulnerabilities
- Keep all operating systems and applications current with the latest patches
- Use IDS/IPS that can scan for known attacks, monitor and log attacks, and, in some cases, prevent attacks
Configuration Management protocols
• Configuration management protocols include SSH, SSL and the more insecure Telnet.
• Whichever is chosen for remote access to the managed device, ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged.
• Ideally, use secure management protocols when configuring all network devices. Protocols that are not secure in themselves, such as Telnet and SNMPv2, must be made secure by protecting their data with IPsec.
• The access lists should permit management access, such as SSH or HTTPS, only from the legitimate management hosts.
- Also implement RFC 3704 filtering at the ingress router to reduce the chance of an attacker from outside the network spoofing the addresses of the management hosts.
Management Protocols
• These management protocols can be compromised:
- SNMP: The community string information for simple authentication is sent in plaintext.
- syslog: Data is sent as plaintext between the managed device and the management host.
- TFTP: Data is sent as plaintext between the requesting host and the TFTP server.
- NTP: Many NTP servers on the Internet do not require any authentication of peers.
Management Protocol Best Practices
• The following two slides summarise the best practices to be followed when implementing a secure management solution.
• Recommendations for the correct use of SNMP tools include:
- Configure SNMP with only read-only community strings
- Set up access control on the device you want to manage via SNMP to allow access by only the appropriate management hosts
- Use SNMP version 3. This version provides secure access to devices through a combination of authenticating and encrypting management packets over the network
Management Protocol Best Practices
• Syslog: Encrypt syslog traffic within an IPsec tunnel.
• Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices outside a firewall.
• Implement ACLs on the firewall to allow syslog data from only the managed devices themselves to reach the management hosts.
• TFTP: When possible, encrypt TFTP traffic within an IPsec tunnel in order to reduce the chance of interception.
• NTP: Implement your own master clock for private network synchronisation.
• Use NTP version 3 or above because these versions support a cryptographic authentication mechanism between peers. NTP v3 is currently supported by most vendors, including Cisco Systems. The latest version 4 is not defined by any RFC and therefore not widely supported.
• Use ACLs that specify which network devices are allowed to synchronise with other network devices.
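The recommendations on the configuration-management and management-protocol slides above (management access restricted by ACL to the legitimate management hosts, SSH rather than Telnet, read-only SNMP bound to an ACL or preferably SNMPv3 with authentication and encryption, NTP v3 peer authentication with an ACL controlling who may synchronise, and RFC 3704 ingress filtering) can all be expressed in a single Cisco IOS configuration. The configuration below is an added example written for this lesson, not taken from the course material or from Cisco documentation. The management subnet 10.1.100.0/24, the NTP server and syslog collector addresses, the interface name, the ACL, group and user names, and the angle-bracket secrets are all constructed placeholders for illustration.

```cisco
! Added example (not from the course): management-plane hardening on a Cisco IOS router.
! Addresses, names and <PLACEHOLDER> secrets are constructed for illustration only.
!
! 1. Only the management hosts may reach the device; every other source is denied and logged.
ip access-list standard MGMT-HOSTS
 permit 10.1.100.0 0.0.0.255
 deny   any log
!
! 2. Remote CLI access: SSH only (no Telnet), bound to the management ACL.
ip ssh version 2
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 5 0
!
! 3. SNMP: prefer SNMPv3 with authentication and privacy, restricted to the same ACL.
snmp-server group MGMT-GROUP v3 priv access MGMT-HOSTS
snmp-server user nms-poller MGMT-GROUP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
!    If a legacy poller still needs SNMPv1/v2c, allow only a read-only community bound to the ACL.
snmp-server community <RO-COMMUNITY> RO MGMT-HOSTS
!
! 4. syslog: send only to the management collector. The IPsec tunnel that protects the
!    syslog traffic in transit is a separate configuration and is not shown here.
logging host 10.1.100.20
logging trap informational
!
! 5. NTP version 3 with cryptographic peer authentication; the access group decides who may sync.
ntp authenticate
ntp authentication-key 1 md5 <NTP-KEY>
ntp trusted-key 1
ntp server 10.1.100.10 key 1 version 3
ip access-list standard NTP-SERVERS
 permit host 10.1.100.10
ntp access-group peer NTP-SERVERS
!
! 6. RFC 3704 ingress filtering (strict unicast RPF, which requires CEF) on the outside-facing
!    interface, so packets spoofing a management-host source address are dropped on arrival.
ip cef
interface GigabitEthernet0/0
 description Ingress from the outside
 ip verify unicast source reachable-via rx
```

Two points worth checking after applying a configuration like this: the `deny any log` entry on the vty ACL is what produces the log record the slide asks for when an unauthorised address tries to connect, so confirm those messages actually reach the syslog collector; and once any `ntp access-group` is configured, NTP requests that match none of the access groups are refused, so every legitimate time source must appear in the `NTP-SERVERS` list.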
Determining Vulnerabilities and Threats
• There are several tools and techniques that can be used to find vulnerabilities in your network.
• Once any vulnerabilities have been identified, mitigation steps can be considered and utilised as appropriate.
• Some common tools include:
- Blue’s PortScanner
- Wireshark (formerly Ethereal)
- Microsoft Baseline Security Analyzer
- Nmap
Blue’s Port Scanner
• Blue’s Port Scanner is a fast network scanner that can scan over 300 ports per second on an NT or Windows 2000 machine. It comes with a Windows XP style interface, and offers TCP and UDP scanning as well as an Anti-Flood function.
http://www.securityconfig.com/software/specializedscanners/blues_port_scanner.html
Wireshark (Ethereal)
• Wireshark is the world's foremost network protocol analyser, and is the standard in many industries. It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.
http://www.wireshark.org/about.html
Microsoft Baseline Security Analyzer
Nmap
• Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing.
• It is designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
• Nmap runs on most types of computers and both console and graphical versions are available.
• Nmap is free and open source.