Additional Cisco Catalyst Switch Security Features

No single network device secures an entire network from all potential attacks. Rather, multiple hardware and/or software solutions work in tandem to help secure the overall network. For example, virtual private networks (VPN) and firewalls can help protect sensitive traffic from eavesdroppers and prevent unwanted traffic from entering a network. As described earlier in this chapter, a Layer 2 Cisco Catalyst switch can also aid in network security. The additional Cisco Catalyst switch security...

Additional Forms of Attack

Buffer overflows are not the only concern. The larger issue is that a buffer overflow may be used to initiate malicious code such as viruses, worms, and Trojan horses so that they may gain access to your system and begin to do their damage. Two of the most destructive worms that have been unleashed on the Internet are SQL Slammer and Code Red. The destruction these worms caused was made possible by remote root buffer overflows. In contrast to worms, viruses are more likely to take advantage of...

Anatomy of a Hash Function

A variety of hash functions exist, but they all share the common characteristic that they are built for speed and are designed to yield very few hash collisions in their expected input domains. A hash collision (sometimes called a hash clash) happens when two distinct inputs entered into a hash function produce identical outputs. Each hash function has the potential for collisions, but if you are working with a well-designed hash function, collisions should occur less frequently. In terms of...

Application Guidelines

When it comes to application design, security should not be an afterthought. It is best to approach application design with a focus on two key ideas. First, be sure to apply the least-privilege principle, limiting access where possible. Second, applications should employ modularization and multiple tiers of application functionality, spread over multiple servers. By following these two steps in your design, you can create a much more secure application. Even the best single security mechanism...

Application of Cryptographic Hashes

Let's examine a cryptographic hash to better understand how it works. Suppose Anthony presents Tom with a rather difficult math problem that he claims to have solved. Tom wants to try to solve the problem himself, but he also wants to be sure that Anthony is telling the truth about having solved it. Anthony writes down his solution and then appends a random nonce, computes its hash, and tells Tom this hash value. The nonce that Anthony uses in this case is a random or pseudorandom number...

Application of Hash Functions

Hash functions may be used for a variety of applications; therefore, they are often tailored to a given need. Cryptographic hash functions begin with the assumption that an adversary can deliberately try to find inputs with the same hash value. The creation of a well-designed cryptographic hash involves a one-way operation in which no practical way exists to calculate a particular data input that will result in a desired hash value. This one-way nature makes the hash very difficult to forge....

Authentication and Integrity

One of the more practical uses of a digital signature in today's networks is for authentication and integrity checking. An example of this is the verification of authenticity in a message sent across a network. Many times messages sent across the network include information about the entity sending the message. However, the authenticity of that information might be called into question. Digital signatures give us a mechanism to authenticate the source of such messages. With digital signatures,...

Best Practices for Securing Endpoints

As mentioned earlier, trusted operating systems exist, but they are expensive and can be cumbersome to support. For the most part these are used for military or government purposes, acting as critical servers or workstations. For most modern operating systems, regardless of vendor, the default configuration is still quite untrustworthy. Significant improvements have occurred in the last ten years, but the sophistication of attacks has also greatly improved. As an administrator, you should...

Book Features

To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time. Do I Know This Already? quiz: Each chapter begins with a quiz that helps you determine how much time you need to spend studying that chapter. Foundation Topics: These are the core sections of each chapter. They explain the protocols, concepts, and configuration for the topics in that chapter. Exam Preparation Tasks: At the end of the Foundation Topics section...

Cisco Security Device Manager Overview

Cisco IOS routers support many features (including security features) that require complex configurations. To aid in a number of these configuration tasks, Cisco introduced the Cisco Security Device Manager (SDM) interface. This section introduces SDM, discusses how to configure and launch SDM, and how to navigate the SDM wizards. Cisco SDM provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router, as shown in Figure 3-3. Not only does SDM offer...

Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. To see how well you have memorized the commands as a side effect of your other studies, cover the left side of the table with a piece of paper, read the descriptions on the right side, and see whether you remember the commands. Table 3-13 Chapter 3 Configuration Command Reference: A global configuration mode command that configures a router's...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Bold indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), bold indicates commands that the user enters (such as a show command). Italic indicates arguments for which you supply actual values. Vertical bars (|) separate...

Components of a PKI

Creating a large PKI involves more than simply the CA and users who obtain certificates. It also involves substantial organizational and legal work. When we consider this in its entirety, we see that five main areas constitute the PKI: CAs to provide management of keys; PKI users (people, devices, servers); supporting organizational framework (practices) and user authentication through Local Registration Authorities (LRA). A number of vendors provide effective CA servers. These act as a managed...

Configuring AAA Using the Local User Database

Unauthorized access to a network creates the potential for network intruders to gain access to sensitive network equipment and services. The Cisco AAA architecture provides a means to address this threat through systematic, scalable access security. Of course, network users and would-be intruders are not the only ones to try to access the network. Network administrators also need access to network equipment, and AAA offers a secure means to provide this. Authentication, Authorization, and...

Contents

Chapter 1, Understanding Network Security Principles: Do I Know This Already? Quiz; Why Network Security Is a Necessity; Types of Threats; Scope of the Challenge; Nonsecured Custom Applications; The Three Primary Goals of Network Security (Confidentiality, Integrity, Availability); Categorizing Data (Classification Models, Classification Roles); Controls in a Security Solution; Responding to a Security Incident; Legal and Ethical Ramifications (Legal Issues to Consider...

Creating a Cisco Self Defending Network

Many modern security threats rapidly propagate across the Internet and internal networks. As a result, security components need to be able to respond rapidly to emerging threats. To combat these threats, Cisco offers the Cisco Self-Defending Network, which is its vision for using the network to recognize threats and then prevent and adapt to them. This section describes the implementation of the Cisco Self-Defending Network approach, which leverages Cisco products and solutions. As computing...

Cryptographic Hash Functions

Put simply, a cryptographic hash function takes an input and returns a fixed-length string, which is called the hash value or hash sum. These hash functions, as mentioned in the preceding section, may be used for a variety of purposes, including cryptography. A hash value, as complex as it may become, is, on the surface, simply a concise representation of a longer message or document from which it was derived. The output of the hash function, often called the message digest, is a sort of...

Cryptographic Solution

The mention of cryptography may conjure up images of intrigue and cloak-and-dagger spy movies, but in the real world, cryptography is at the heart of many security implementations. Cryptographic solutions provide confidentiality and integrity of data in circumstances where data might be exposed to threats from untrusted individuals. To create a successful security policy, you must understand the basic functionality of cryptography and how you can use encryption and hashing to provide...

Data Classification Characteristics

Table 1-4 offers a few characteristics by which data can be classified. Table 1-4 Data Classification Characteristics: how valuable the data is to the organization; how long the data will be considered relevant. When determining a classification approach, define how many classification levels you need. Having too many classification levels can prove difficult to administer, whereas having too few classification levels lacks the granularity needed to...

Defense in Depth

Because a security solution is only as strong as its weakest link, network administrators are challenged to implement a security solution that protects a complex network. As a result, rather than deploying a single security solution, Cisco recommends multiple, overlapping solutions. These overlapping solutions target different aspects of security, such as securing against insider attacks and securing against technical attacks. These solutions should also be subjected to routine testing and...

Defining Endpoint Security

Before you can take steps to defend your endpoints, you must better understand what endpoint security is and what it consists of. We will begin by exploring the fundamental principles involved in host security, as well as discuss the need to defend endpoints from viruses, worms, Trojan horses, and other security threats. Cisco bases its strategy for securing hosts, as well as the more overarching network and enterprise security needs, on three broad elements (see Table 7-2). The Cisco Security...

Defining Voice Fundamentals

This section begins by defining voice over IP and considering why it is needed in today's corporate environment. Because voice packets are flowing across a data infrastructure, various protocols are required to set up, maintain, and tear down a call. This section defines several popular voice protocols, in addition to hardware components that make up a voice over IP network. VoIP sends packetized voice over an IP network. Typically, the IP network serves as a data network as well, resulting in...

Definition of Key Terms

Define the following key terms from this chapter, and check your answers in the glossary: confidentiality, integrity, availability, preventive control, deterrent control, detective control, vulnerability, exploit, phreaker, Defense in Depth, IP spoofing, data diddling, salami attack, denial of service (DoS). This chapter covers the following topics: Increasing operations security: This section explains the day-to-day procedures for deploying, maintaining, and retiring information security...

Developing a Secure Network

Day-to-day network operations include adding new components to the network, monitoring and maintaining existing components, and retiring other components. While you perform these operations, security should be a consideration, so this chapter discusses how security practices can be integrated into such day-to-day operations. Also, network security practices and procedures should be governed by a documented security policy, so this chapter discusses the elements and use of an effective security...

Digital Signature Scheme

Three algorithms generally make up a digital signature scheme: the key generation algorithm, which is used to randomly produce the key pair (public/private keys) used by the signer; the signing algorithm, which, upon input of a message and a signing key, produces a signature; and the signature verifying algorithm, which, upon input of a message, a verifying key, and a signature, is used to either accept or reject the signature.

Do I Know This Already Quiz

The Do I Know This Already? quiz helps you determine your level of knowledge of this chapter's topics before you begin. Table 11-1 details the major topics discussed in this chapter and their corresponding quiz questions. Table 11-1 Do I Know This Already? Section-to-Question Mapping (sections include Using SDM to Configure Cisco IOS IPS). 1. Which two statements are true about the differences between IDS and IPS? (Choose two.) a. IPS operates in...

Double Tagging

On an IEEE 802.1Q trunk, one VLAN is designated as the native VLAN. The native VLAN does not add any tagging to frames traveling from one switch to another switch. If an attacker's PC belonged to the native VLAN, the attacker could leverage this native VLAN characteristic to send traffic that has two 802.1Q tags. Specifically, the traffic's outer tag is for the native VLAN, and the traffic's inner tag (which is not examined by the switch's ingress port) is for the target VLAN to which the...

EAP-MD5

EAP-MD5 is a standards-based EAP type. This EAP type uses an MD5-Challenge message. This is much like the challenge message used in PPP CHAP (Point-to-Point Protocol Challenge Handshake Authentication Protocol), which uses MD5 (Message Digest 5) as its hashing algorithm. Figure 6-16 shows the messages exchanged in an EAP-MD5 authentication. Notice that the authentication begins when the PC (the supplicant) sends an EAP over LAN (EAPOL) message (specifically, an EAPOL-start message) to the...

Exam Engine and Questions on the CD

The CD in the back of the book includes exam engine software that displays and grades a set of exam-realistic questions. The question database includes exam-realistic questions, including drag-and-drop and many scenario-based questions that require the same level of analysis as the questions on the IINS exam. Using the exam engine, you can either study by practicing using the questions in Study Mode or take a simulated (timed) IINS exam. The installation process requires two major steps. The CD...

Examining Application Vulnerabilities

It is important to take the proper steps to address the vulnerabilities faced by your operating system, such as applying service packs and hot fixes and tuning it for secure operation. However, the majority of attacks target applications or, perhaps more specifically, the data they are protecting (or both). These attacks against applications can be categorized as either direct or indirect. Direct: An attacker tricks the application into performing a task using the application's privileges....

Examining Authentication Using Certificates

After the parties involved have installed certificates signed by the same CA, they may authenticate each other, as shown in Figure 14-11. This is done when the two parties exchange certificates. The CA's part in this process is finished, so it is not involved in this exchange. Figure 14-10 Certificate Enrollment Process (Out-of-Band Authentication of User Public Key). Figure 14-11 Authentication Using...

Examining Endpoint Security

To devise a successful strategy to defend your endpoints, you must begin with knowledge of the defenses that are available. This section describes the current endpoint protection methods, such as Host-based Intrusion Prevention System (HIPS), integrity checkers, operating system protection, and the Cisco NAC Appliance. As part of our discussion, we will cover endpoint security and explore the fundamental principles involved in host security. We will also examine specific threats to endpoints,...

Examining Features of Digital Certificates and CAs

A number of authentication mechanisms are available to organizations. The following characteristics are unique to the use of a PKI: Authentication of each party involved begins with the parties each obtaining the CA's certificate and their own certificate. To be secure, this process involves out-of-band verification. When it is complete, the presence of the CA is no longer required until the expiration of one of the certificates that is involved. PKI systems use asymmetric keys. One key is...

Examining Identity Management

CA-based solutions give an organization a means of identity management. This is accomplished in two primary ways: through the CA's acting as the trusted third party in PKI implementations, and through the use of the X.509 standard, which describes the identity and how to store an authentication key. Information about the format of the X.509 certificate and the syntax of the fields in the certificate is described in Abstract Syntax Notation 1 (ASN.1). The concept of a trusted third party embodied in...

Examining the Cisco NAC Appliance

Several technologies can defend endpoints from the common threats they face. The Cisco NAC Appliance is one device that can be used to enhance and complement other endpoint security measures. Effectively, the Cisco NAC comes in two flavors. The first is the Cisco NAC framework, which is a software module embedded within NAC-enabled devices. In this framework a number of both Cisco and other NAC-aware vendor products may be used to provide security. The second flavor is the Cisco NAC Appliance....

Examining the Features of the Diffie Hellman Key Exchange Algorithm

The Diffie-Hellman (DH) Key Exchange Algorithm was invented by Whitfield Diffie and Martin Hellman in 1976. The Diffie-Hellman algorithm derives its strength from the difficulty of calculating the discrete logarithms of very large numbers. The functional usage of this algorithm is to provide secure key exchange over insecure channels such as the Internet. DH is also often used to provide keying material for other symmetric algorithms, such as DES, 3DES, or AES. The DH algorithm serves as the...

Examining the PKI Topology of Cross Certified CAs

Cross-certifying represents another form of hierarchical PKI topology. This structure has a number of flat, single-root CAs. Each of these CAs establishes a trust relationship horizontally by cross-certifying its own CA certificates, as shown in Figure 14-7 (Mutual Cross-Signing of CA Certificates).

Examining the PKI Topology of Hierarchical CAs

For organizations that want to avoid the pitfalls of the single-root CA, more complex CA structures can be devised and implemented. This section examines the hierarchical CA structure and its application, as shown in Figure 14-6. The hierarchical CA structure is a more robust and complicated implementation of the PKI. In this topology, CAs may issue certificates to both end users and subordinate CAs. These subordinate CAs then may issue their certificates to end users, other CAs, or both. This...

Exploring Asymmetric Encryption Algorithms

Asymmetric algorithms employ a two-key technology: a public key and a private key. Often this is simply called public-key encryption. In this key pair, the public key may be distributed freely, whereas the private key must be closely guarded. If it is compromised, the system as a whole fails. In fact, calling this just public-key encryption oversimplifies this process, because both keys are required, with the complementary key being used to provide decryption. Figure 14-1 shows the use of...

Exploring Firewall Technology

Securing all aspects of your network can be a daunting task. For an organization with e-commerce, intranet, and extranet sites, as well as e-mail, this only adds to the complexity of the task. Of course, there are costs to providing a high level of security, in terms of both staff and equipment needed to implement a network security policy. These costs must be weighed against the possibility of network security breaches. For many organizations, the Cisco IOS Firewall meets their need to provide...

Exploring Hash Algorithms and HMACs

Figure 13-1 is an example of how a simple sentence can be transformed using a hash function to yield a cryptographic result. You can see that changing a single word alters the hash output. Figure 13-1 Changing a single word in the text alters the output of the hash function. Although you might not need to hash a simple sentence like this, many other applications exist in terms of network security. Hashes can be employed to help...

Exploring PKI and Asymmetric Encryption

Asymmetric encryption algorithms accomplish two primary objectives: confidentiality and authentication. Asymmetric algorithms are slower than symmetric algorithms because they are more complex mathematically. Because asymmetric algorithms are slower, they are usually used as key exchange protocols. This chapter discusses the principles behind asymmetric encryption and provides examples of major asymmetric encryption algorithms, including Rivest, Shamir, and Adleman (RSA), Diffie-Hellman (DH), and...

Exploring Security Fundamentals

As new vulnerabilities and new methods of attack are discovered, a relatively unsophisticated user can potentially launch a devastating attack against an unprotected network. This section begins by describing the challenges posed by the current security landscape. You will learn about the three primary goals of security: confidentiality, integrity, and availability. This section also explains traffic classification and security controls. You will learn how to...

Exploring the History of RSA

The algorithm that would become RSA was first described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman of MIT. A quick look at the first letters of their surnames tells you where the term RSA came from. Today RSA encryption is widely known and widely used for a variety of security needs. Interestingly, a British mathematician named Clifford Cocks, who worked for the UK intelligence agency GCHQ, described an equivalent system in a top-secret internal document in 1973. However, because of...

Exploring the Role of Certificate Authorities and Registration Authorities in a PKI

One central tenet behind the use of a PKI and trusted third-party protocols is that all participating parties agree to accept the word of a neutral third party. Should two parties need to validate each other, they turn to this trusted third party, which in turn provides in-depth authentication of the parties involved. This is done rather than having each party perform its own authentication. These entities rely on the third party (the CA) to conduct an in-depth investigation of each entity...

Government and Military Classification Model

Table 1-2 provides an example of a data classification model, which is used by multiple governments and militaries. Table 1-2 Government and Military Data Classification Example: data that has few or no privacy requirements; data that could cause embarrassment but not constitute a security threat if revealed; data that has a reasonable probability of causing damage if disclosed to an unauthorized party; data that has a reasonable probability of causing serious damage if disclosed to an...

HMAC Explained

Keyed Hash-based Message Authentication Code (HMAC) in cryptographic terms is a type of message authentication code (MAC) calculated by using a cryptographic hash function along with a secret key. It may be used to simultaneously verify the data's integrity and the message's authenticity. An iterative cryptographic hash function such as MD5 or SHA-1 may be used to calculate the HMAC. When these are used, the resulting MAC algorithm is called HMAC-MD5 or HMAC-SHA-1, for instance. The...

How This Book Is Organized

This book contains 15 core chapters, Chapters 1 through 15. Chapter 16 includes some preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the IINS exam. The core chapters are organized into parts. They cover the following topics: Part I, Network Security Concepts. Chapter 1, Understanding Network Security Principles: This chapter explains the need for network security and discusses the elements of a secure network. Additionally, legal and...

How to Use This Book to Prepare for the IINS Exam

Using this book to prepare for the IINS exam is pretty straightforward: read each chapter in succession, and follow the study suggestions in Chapter 16, Final Preparation. For the core chapters of this book (Chapters 1 through 15), you do have some choices about how much of the chapter you read. In some cases, you may already know most or all of the information covered in a given chapter. To help you decide how much time to spend on each chapter, the chapters begin with a Do I Know This Already?...

Identifying Common Voice Vulnerabilities

Because IP phones are readily accessible and plentiful in many corporate environments, they become attractive targets for attackers. Also, VoIP administrators should be on guard against VoIP variations of spam and phishing (both common in e-mail environments), as well as toll fraud (common in PBX environments). This section details these common attack targets for a VoIP network. Table 9-4 describes a few common VoIP attacks targeting endpoints. Table 9-4 Common VoIP Attack Targets: Accessing VoIP...

IINS Course Outlines

Another way to get some direction about the topics on the exams is to look at the course outlines for the related courses. Cisco offers one authorized CCNA Security-related course: Implementing Cisco IOS Network Security (IINSv1.0). Cisco authorizes Certified Learning Solutions Providers (CLSP) and Certified Learning Partners (CLP) to deliver these classes. These authorized companies can also create unique custom course books using this material, in some cases to teach classes geared toward...

IINS Exam Topics

Table I-1 lists the exam topics for the 640-553 IINS exam. Although the posted exam topics are not numbered at Cisco.com, Cisco Press does number the exam topics for easier reference. Notice that the topics are divided among nine major topic areas. The table also notes the part of this book in which each exam topic is covered. Because it is possible that the exam topics may change over time, it may be worthwhile to double-check the exam topics as listed on Cisco.com. If Cisco later adds exam...

Example 10-7 Using an ACL to Provide RIPv2 Route Filtering

R1(config)# access-list 12 deny 12.2.2.0 0.0.0.255
R1(config)# access-list 12 permit any
R1(config)# router rip
R1(config-router)# distribute-list 12 out
R1(config-router)# version 2
R1(config-router)# no auto-summary
R1(config-router)# network 12.0.0.0
R1(config-router)# end

Here a standard IP ACL is applied to RIP. Access list 12 is used to prevent R1 from advertising any routes of the 12.2.2.0 DMZ network out of interface e0/0. To this point...

Implementing Digital Signatures

As you examine the security at play in your network and seek to increase your defenses, it is important to have a general understanding of cryptography and digital signatures. In cryptography, a cryptographic hash function is a transformation that takes an input and returns a string, which is called the hash value. Digital signatures are rather like written signatures in that they are used to provide authentication of the associated input, typically called a message. These messages can be...

Implementing Endpoint Security

In the network world, the term endpoint can mean a myriad of devices: everything from workstations to PDAs, laptops to smart phones. This chapter uses endpoint to mean an individual computer or device that acts as a network client. In addition to common endpoints such as laptops, desktop systems, and PDAs, servers may also be considered endpoints in a networked environment. This chapter looks at the variety of threats faced by endpoint devices. It also discusses specific Cisco technologies that...

Increasing Operations Security

After a network is installed, network operations personnel monitor and maintain it. From a security perspective, operations security attempts to secure hardware, software, and various media while investigating anomalous network behavior. A computer network is a dynamic entity, continuously changing to meet the needs of its users. New network components are added and eventually retired. The life of these components can be defined by the System Development Life Cycle (SDLC), which consists of...

Cisco Security Agent with Internal or External Database

Table 7-8 explores the underlying architectural model for the Cisco Security Agent and the two components that make it up. Table 7-8 Architectural Components of the Cisco Security Agent: Management Center for Cisco Security Agents: Using the Management Center for Cisco Security Agent, you can divide network hosts into groups based on function and security requirements. You may...

International Jurisdiction Issues

A unique legal challenge for prosecuting information security offenses deals with jurisdictional issues. For example, an attacker in one country could launch an attack from a computer in another country that targets a computer in yet another country. The international boundaries that were virtually crossed could pose significant challenges to litigators. Fortunately, governments are beginning to collaborate on such investigations and prosecutions. For example, organizations that share law...

Introduction to Cisco IBNS

Cisco IBNS can be deployed on an end-to-end Cisco network, which includes components such as Cisco Catalyst switches, wireless LAN (WLAN) devices (such as wireless access points and controllers), and a RADIUS server (such as a Cisco Secure Access Control Server [ACS]). However, for a client to directly benefit from IBNS, the client operating system needs to support IEEE 802.1x. Fortunately, many modern operating systems (such as Microsoft Windows Vista) support 802.1x. For greater scalability,...

Isolating Traffic Within a VLAN Using Private VLANs

Another way for a Cisco Catalyst switch to provide security is through the use of private VLANs (PVLAN). These PVLANs can provide privacy between groups of Layer 2 ports on a Cisco Catalyst switch. A PVLAN domain has a single primary VLAN. Additionally, the PVLAN domain contains secondary VLANs that provide isolation between ports in a PVLAN domain. Cisco Catalyst switches support two categories of secondary VLANs. Isolated VLANs: Ports belonging to an isolated VLAN lack Layer 2 connectivity...

Legal Issues to Consider

As a provider of network connectivity to customers, a service provider needs to be aware of potential liability issues. For example, if an e-commerce company lost a certain amount of business because of a service provider outage, the service provider might be found liable and have to pay damages. Also, some countries are passing laws dictating how companies handle privacy issues. For example, the Notification of Risk to Personal Data Act in the U.S. requires companies and government agencies...

MD5 Features and Functionality

Defined in RFC 1321, MD5 (Message Digest algorithm 5), with its 128-bit hash value, has been employed in a wide variety of security applications. It is also commonly used to check the integrity of files. An MD5 hash typically is expressed as a 32-character hexadecimal number. Figure 13-3 shows a single MD5 operation. In practice, MD5 consists of 64 of these operations. These are grouped in four rounds of 16 operations. In this figure, F is a nonlinear function; one function is used in each...

Mitigating CAM Table Overflow Attacks

A Cisco Catalyst switch uses a Content Addressable Memory (CAM) table to store the information used by the switch to make forwarding decisions. Specifically, the CAM table contains a listing of MAC addresses that have been learned from each switch port. Then, when a frame enters the switch, the switch interrogates the frame's destination MAC address. If the destination MAC address is known to exist off one of the switch ports, the frame is forwarded out only that port. For example, consider...

Nonsecured Custom Applications

The vast majority (approximately 75 percent) of network attacks target specific applications, as opposed to lower-layer attacks. One reason attacks have become more targeted is the trend of attackers to be more motivated by profit, rather than by the fame or notoriety generated by creating a virus, for example. Unfortunately, because many organizations use custom applications (often not written with security in mind), these applications can be prime attack targets. Attacks on custom...

Notifying Network Managers of CAM Table Updates

Cisco Catalyst switches can proactively notify network administrators when CAM table updates occur. For example, if a switch learns a new MAC address and adds it to the CAM table, the Cisco Catalyst switch could send a Simple Network Management Protocol (SNMP) trap (that is, a notification) to a network management station (NMS). Similarly, a trap could be sent when a MAC address is deleted from the CAM table. The mac address-table notification command is used to enable this notification...

Objectives and Methods

The most important and somewhat obvious objective of this book is to help you pass the 640-553 IINS exam. In fact, if the primary objective of this book were different, the book's title would be misleading. However, the methods used in this book to help you pass the exams are also designed to make you much more knowledgeable about how to do your job. This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and...

Organizational Classification Model

Table 1-3 provides an example of an organizational data classification model.
Table 1-3 Organizational Data Classification Example
Information made available to the public (for example, through marketing materials)
Data that could cause embarrassment but not constitute a security threat if revealed
Organizational information that should be kept secret and whose accuracy should be maintained
Sensitive organizational information (for example,...

Origins of MD5

Ronald Rivest of MIT created Message Digest as a series of message digest algorithms. MD5 was designed to be a secure replacement for its predecessor, MD4, when work demonstrated that MD4 was likely insecure. Security of the MD5 algorithm was initially brought into question in 1993 when researchers found a pseudo-collision of the MD5 compression function. In other words, two different initialization vectors produced an identical digest. In 1996, a true collision of the MD5 compression function...

Overview of IEEE 802.1x

IEEE 802.1x (commonly just called 802.1x) is a standards-based approach for providing port-based network access. Specifically, 802.1x is a Layer 2 protocol that defines how Extensible Authentication Protocol (EAP) frames are encapsulated, typically between a user's network device (such as a PC) and a switch or wireless access point. The 802.1x standard also defines hardware components, as shown in Figure 6-15 and defined in Table 6-4.
Figure 6-15 IEEE 802.1x Hardware Components...

Overview of SHA-1

The SHA-1 hash produces a message digest that is 160 bits long, as opposed to 128 bits for MD5. A number of widely used security applications and protocols employ SHA-1, including TLS, SSL, PGP, SSH, S/MIME, and IPsec. SHA-1 has been positioned as the successor to MD5, which was one of the most widely used hash functions until SHA-1 was introduced. Like its predecessor, MD5, researchers have attempted to validate the security of SHA-1. Although it has been somewhat compromised, no attacks have...

Network Security Concepts

Chapter 1 Understanding Network Security Principles
Chapter 2 Developing a Secure Network
Chapter 3 Defending the Perimeter
This chapter covers the following topics:
Exploring security fundamentals: This section explains the need for network security and discusses the elements of a secure network. Additionally, legal and ethical considerations are discussed.
Understanding the methods of network attacks: This section makes you aware of various threats targeting the security of your network and...

Constructing a Secure Infrastructure

Chapter 7 Implementing Endpoint Security
Chapter 9 Exploring Secure Voice Solutions
Chapter 10 Using Cisco IOS Firewalls to Defend the Network
Chapter 11 Using Cisco IOS IPS to Secure the Network
This chapter covers the following topics:
Defending against Layer 2 attacks: This section explains how Cisco Catalyst switches can be configured to mitigate several common Layer 2 attacks.
Cisco Identity-Based Networking Services: This section examines how Cisco Identity-Based Networking Services (IBNS)...

Extending Security and Availability with Cryptography and VPNs

Chapter 12 Designing a Cryptographic Solution
Chapter 13 Implementing Digital Signatures
Chapter 14 Exploring PKI and Asymmetric Encryption
Chapter 15 Building a Site-to-Site IPsec VPN Solution
This chapter covers the following topics:
Cryptographic services can be divided into two halves: the construction of codes and the breaking of codes. This section explores the interworking of cryptographic services and examines symmetric and asymmetric algorithms. It also discusses the use of block and...

Potential Attackers

Another element of defending your data is identifying potential attackers who might want to steal or manipulate that data. For example, a company might need to protect its data from corporate competitors, terrorists, employees, and hackers, to name just a few. The term hacker is often used very generically to describe attackers. However, not all hackers have malicious intent. Table 1-5 lists various types of hackers. A white hat hacker has the skills to break into computer systems and do...

Retrieving the CA Certificate

Figure 14-9 shows the process that occurs when the CA certificate is retrieved, as described in the following steps:
1. Abby and Matt request the CA certificate that contains the CA public key.
2. After the CA certificate is received, Abby and Matt's systems verify the validity of the certificate. This is done using public-key cryptography.
3. Abby and Matt go beyond the technical verification done by their systems by telephoning the CA administrator to verify the public key and the serial number of the certificate....

Review All the Key Topics

Review the most important topics from this chapter, denoted with the Key Topic icon. Table 1-9 lists these key topics and the page where each is found.
Reasons for the severity of internal threats
The three primary goals of network security
Government and military data classification example
Legal elements needed to make a case
Defending against different classes of attacks

Ri

The proxy server requests connections between a client on the inside of the firewall and the Internet. Client requests are filtered on the basis of Layer 5 and Layer 7 information. By standing in the gap between the internal and external networks, application proxies separate the trusted and untrusted networks...

Scope of the Challenge

The 2007 CSI FBI Computer Crime and Security Survey is a fascinating document that provides insight into trends in network attacks from 2004 to 2007. A copy of this document can be downloaded from As an example of the information contained in this document, Figure 1-1 shows the average number of security incidents reported by 208 respondents for the years 2004 to 2007. Notice that the percentage of respondents reporting more than 10 incidents in a year dramatically increased in 2007. Figure 1-1...

Signing Messages with RSA

In addition to encrypting and decrypting messages, RSA can be used to sign messages. To continue our example of two individuals exchanging a message, let's suppose that one of the individuals uses the other's public key to encrypt and send a message. Although the message is encrypted, the sender may not be who we think she is. In other words, because the public key has been widely distributed, you have no way of verifying that the message is in fact from the individual who claims to have sent...

Steps of the Diffie Hellman Key Exchange Algorithm

Let's take a closer look at the steps involved in the DH key exchange:
Step 1 Matthew and Abby agree on generator g and modulus p.
Step 2 Matthew selects a random large integer X_A and sends Abby its public value, Y_A, where Y_A = g^(X_A) mod p.
Step 3 Abby selects a random large integer X_B and sends Matthew her public value, Y_B, where Y_B = g^(X_B) mod p.
Step 4 Matthew computes k = Y_B^(X_A) mod p.
Step 6 Both k and k' are equal to g^(X_A * X_B) mod p.
Now that Matthew and Abby have gone through this process, they have a...

Study Plan

This section suggests a particular study plan, with a sequence of tasks that may work better than just using the tools randomly. However, feel free to use the tools in any way and at any time that helps you get fully prepared for the exam. The suggested study plan separates the tasks into two categories:
Recall the facts: Activities that help you remember all the details from the first 15 chapters of the book.
Use the exam engine to practice realistic questions: You can use the exam engine on the...

The Mindset of a Hacker

Hackers can use a variety of tools and techniques to hack into a system (that is, gain unauthorized access to a system). Although these methods vary, the following steps illustrate one example of a hacker's methodical process for hacking into a system:
Step 1 Learn more about the system by performing reconnaissance. In this step, also known as footprinting, the hacker learns all he can about the system. For example, he might learn the target company's domain names and the range of IP addresses...

The Three Primary Goals of Network Security

For most of today's corporate networks, the demands of e-commerce and customer contact require connectivity between internal corporate networks and the outside world. From a security standpoint, two basic assumptions about modern corporate networks are as follows:
Today's corporate networks are large, interconnect with other networks, and run both standards-based and proprietary protocols.
The devices and applications connecting to and using corporate networks are continually increasing in...

Understanding Cisco Security Agent Interceptors

To help you understand how Cisco Security Agent interceptors work, we must first explore how applications access system resources. Each time an application needs access to system resources, it has to make an operating system call to the kernel. When this occurs, the Cisco Security Agent intercepts these operating system calls and compares them to the cached security policy. Figure 7-5 shows this process. As long as the request does not violate the policy, it is passed to the kernel for...

Understanding Digital Signatures

To understand digital signatures, we need to begin by examining digital signature schemes and their commonalities. All digital signature schemes have a number of prior requirements. Figure 13-7 shows a digital signature.
Figure 13-7 Digital Signature (labels: Signed Fingerprint, Public Key Certificate, Digitally Signed Document, Embedded Inside the Document, Certificate, Public Key, Digital Signature)
The first requirement is quality algorithms. As we have discussed,...

Understanding How Certificates Are Employed

Certificates first found their use in providing strong authentication for applications. When employed in this manner, each application may have a different implementation of the actual authentication process. They all use a similar type of certificate in the X.509 format. Secure Socket Layer (SSL) is one of the most widely used and most well known means of certificate-based authentication. With the emergence of e-commerce, SSL's ability to negotiate keys that are used to encrypt the SSL session...

Understanding IP Spoofing

Attackers can launch a variety of attacks by initiating an IP spoofing attack. An IP spoofing attack causes an attacker's IP address to appear to be a trusted IP address. For example, if an attacker convinces a host that he is a trusted client, he might gain privileged access to a host. The attacker could also capture traffic, which might include credentials such as usernames and passwords. As another example, you might be familiar with denial-of-service (DoS) and distributed denial-of-service...

Understanding IronPort

IronPort is designed to protect an enterprise from various Internet threats that target e-mail and web security. IronPort's e-mail security capabilities are readily used by 20 percent of the largest enterprise organizations in the world. IronPort has a strong history of providing security and reliability. This same code base that protects eight of the ten largest ISPs is built into all of IronPort's e-mail security appliances for enterprises of any size. In addition to enterprise-level e-mail...

Understanding Network Security Principles

As networks grow and interconnect with other networks, including the Internet, those networks are exposed to a greater number of security risks. Not only does the number of potential attackers grow along with the size of the network, but the tools available to those potential attackers are always increasing in terms of sophistication. This chapter begins by broadly describing the necessity of network security and what should be in place in a secure network. Legal ramifications are addressed....

Understanding PKI Standards

As discussed in an earlier section, the market has a number of PKI vendors, making standardization and interoperability an issue when interconnecting PKIs. Some progress has been made in this area by the X.509 standards and the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (PKIX) workgroup. Together they have worked toward publishing a common set of standards to be used for PKI protocols and data formats. In addition to striving toward these standards, it is important...

Understanding PKI Terminology

The following are two very important PKI terms:
Certificate authority (CA): A trusted third party responsible for signing the public keys of entities in a PKI-based system.
Certificate: A document issued and signed by the CA that binds the name of the entity and its public key.
In a PKI, the certificate issued to a user is always signed by a CA. Each CA also has a certificate of its own. This certificate, called a CA certificate or a root certificate, contains its public key and is signed...

Understanding Public Key Cryptography Standards (PKCS)

Public Key Cryptography Standards (PKCS) is used to provide basic interoperability for applications that employ public-key cryptography. Taken together, PKCS defines a set of low-level standardized formats for the secure exchange of arbitrary data. For instance, PKCS defines a standard format for an encrypted piece of data, a signed piece of data, and so on. Table 14-3 outlines a number of PKCS standards.
Password-Based Cryptography Standard
Extended-Certificate Syntax Standard
Cryptographic...

Understanding Security Algorithms

It is almost hard to imagine modern computing and networking without also thinking about the mechanisms that provide for the underlying security of the data that resides on these systems or travels across the wire. Security algorithms are central to securing the data created within an organization, as well as securing it in transit. This section examines the characteristics of the encryption process and what makes for a strong, trustworthy encryption algorithm. This section also explores the...

Understanding Simple Certificate Enrollment Protocol (SCEP)

As we have discussed, public-key technology is widely used today and is incorporated in various standards-based security protocols. This increasing emphasis on public-key technology makes it all the more important that there be a certificate management protocol that PKI clients and CA servers can rely on to support all certificate life-cycle operations. Simple Certificate Enrollment Protocol (SCEP), illustrated in Figure 14-8, addresses the need for a certificate management protocol to handle...

Understanding the Certificate Enrollment Process

After the users have retrieved the CA certificate, they need to submit certificate requests to the CA. This process is shown in Figure 14-10 and described in the following steps:
4. Abby and Matt's systems forward a certificate request that includes their public key along with some identifying information. All of this information is encrypted using the CA's public key.
5. After the certificate request is received, the CA administrator telephones Abby and Matt to confirm that they submitted the...

Understanding the Features of the RSA Algorithm

RSA, invented by Ron Rivest, Adi Shamir, and Len Adleman in 1977, is one of the most common asymmetric algorithms in use today. This public-key algorithm was patented until September 2000, when the patent expired, making the algorithm part of the public domain. RSA has been widely embraced over the years, in part because of its ease of implementation and flexibility. This flexibility is because of RSA's use of a variable key length. This allows implementers to trade speed for the security of...

Understanding the Types of Buffer Overflows

Most buffer overflow attacks are used to either root a system or cause a DoS attack. We will look at each of these types of attacks. The phrase rooting a system comes from the UNIX world. It means that a system has been hacked so that the attacker has root, or superuser, privileges. Rooting a system is most easily accomplished with either remote root or local root buffer overflows. Of these two, remote root buffer overflows are the more dangerous. This is because an attacker can own your system...

Usage of SHA-1

SHA-1 and other SHA hash algorithms (SHA-224, SHA-256, SHA-384, and SHA-512) are secure hash algorithms required by law for use in certain U.S. government applications. This includes the use of SHA-1 within other cryptographic algorithms and protocols to protect sensitive yet unclassified information. Adoption and usage of SHA-1 by private and commercial organizations has been encouraged by FIPS PUB 180-1. Central to the publication of SHA was the Digital Signature Standard, in which it is...

Using Cisco IOS Firewalls to Defend the Network

Because of the prevalence of Internet usage in business today, it has become increasingly important for growing businesses to look more closely at the security of their networks. As more and more business functions move to the public network, organizations need to take steps to ensure that their data and private information is not compromised or that this information does not end up in front of the wrong individuals. If a network were to experience unauthorized network access on the part of an...

Using Digital Signatures

Much like written signatures, digital signatures may be used to authenticate an associated input. In the written sense, we might find a signature providing authentication on anything from a letter to a legal contract. In the digital sense, a digital signature's input is called a message. These messages may be anything. They might be an e-mail or a legal contract, or even a message sent in a more complicated cryptographic protocol. These digital signatures are used to create public...