
Role-based management with centralized authentication, authorization, and logging. Centralized authentication of devices connected to the network. Traffic isolation and access controls. Encryption of all data leaving the storage network for business continuance, remote vaulting, and backup. The Cisco MDS 9000 family of products is designed to allow storage professionals to achieve optimal security for their SANs. The security features of this product line make it well suited for...

About the CCNA Security Official Exam Certification Guide

As mentioned earlier, Cisco has outlined the topics tested on the 640-553 IINS exam. This book maps to these topic areas and provides some background material to give context and to help you understand these topics. This section lists the features of this book. A number of basic features included in this book are common to all Cisco Press Official Exam Certification Guides. These features are designed to help you prepare to pass the official certification exam, as well as help you learn...

Acknowledgments

I want to thank the team at Cisco Press for their direction and support throughout the writing process. For their support and encouragement throughout this process, I wish to thank and acknowledge Tom Warrick and the instructor team at SkillSoft. I also wish to thank Kevin Wallace, who brought his talent and experience to this project and was an enormous help each step of the way. Finally, I want to thank my family for their continued support through this project, especially my children,...

Additional Cisco Catalyst Switch Security Features

No single network device secures an entire network from all potential attacks. Rather, multiple hardware and/or software solutions work in tandem to help secure the overall network. For example, virtual private networks (VPN) and firewalls can help protect sensitive traffic from eavesdroppers and prevent unwanted traffic from entering a network. As described earlier in this chapter, a Layer 2 Cisco Catalyst switch can also aid in network security. The additional Cisco Catalyst switch security...

Additional Forms of Attack

Buffer overflows are not the only concern. The larger issue is that a buffer overflow may be used to initiate malicious code such as viruses, worms, and Trojan horses so that they may gain access to your system and begin to do their damage. Two of the most destructive worms that have been unleashed on the Internet are SQL Slammer and Code Red. The destruction these worms caused was made possible by remote root buffer overflows. In contrast to worms, viruses are more likely to take advantage of...

Application Guidelines

When it comes to application design, security should not be an afterthought. It is best to approach application design with a focus on two key ideas. First, be sure to apply the least-privilege principle, limiting access where possible. Second, applications should employ modularization and multiple tiers of application functionality, spread over multiple servers. By following these two steps in your design, you can create a much more secure application. Even the best single security mechanism...

Apply Application Protection Methods

To conclude our discussion of best practices, it is important that we review four key application protection methods that can help make your environment more secure. Using application access controls to enforce least privilege and using secure programming practices are the most significant steps you can take toward application security. The creation of safer, high-level languages, along with the growing awareness of the need for application security among developers, has led to increased...

Availability

The availability of data is a measure of the data's accessibility. For example, if a server were down only five minutes per year, it would have an availability of 99.999 percent (that is, five nines of availability). Here are a couple of examples of how an attacker could attempt to compromise the availability of a network. He could send improperly formatted data to a networked device, resulting in an unhandled exception error. He could flood a network system with an excessive amount of traffic...

Confidentiality

Data confidentiality implies keeping data private. This privacy could entail physically or logically restricting access to sensitive data or encrypting traffic traversing a network. A network that provides confidentiality would do the following, as a few examples: Use network security mechanisms (for example, firewalls and access control lists (ACL)) to prevent unauthorized access to network resources. Require appropriate credentials (for example, usernames and passwords) to access specific...

Best Practices for Securing Endpoints

As mentioned earlier, trusted operating systems exist, but they are expensive and can be cumbersome to support. For the most part these are used for military or government purposes, acting as critical servers or workstations. For most modern operating systems, regardless of vendor, the default configuration is still quite untrustworthy. Significant improvements have occurred in the last ten years, but the sophistication of attacks has also greatly improved. As an administrator, you should...

Book Features

To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time. Do I Know This Already quiz: Each chapter begins with a quiz that helps you determine how much time you need to spend studying that chapter. Foundation Topics: These are the core sections of each chapter. They explain the protocols, concepts, and configuration for the topics in that chapter. Exam Preparation Tasks: At the end of the Foundation Topics section...

Buffer Overflow Defined

With a buffer overflow, a program writes data beyond the allocated end of a buffer in memory. Often buffer overflows arise from a bug in the application or from improper use of languages such as C or C++ that are not memory-safe. When these overflows occur, valid data may be overwritten as well, making these threats particularly dangerous. Buffer overflows are one of the most commonly exploited computer security risks because of the structure of how computers handle data. Program control data...

Combining IEEE 8021x with Port Security Features

Earlier in this chapter you read about port security features supported on Cisco Catalyst switches. Interestingly, these port security features can be used in conjunction with 802.1x authentication to provide enhanced port security. For example, suppose a client authenticates via 802.1x, and the switch's port security table is not full (or the client's MAC address has been statically configured in the CAM table). The client is permitted to transmit data to the network. However, suppose the...

Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. To see how well you have memorized the commands as a side effect of your other studies, cover the left side of the table with a piece of paper, read the descriptions on the right side, and see whether you remember the commands. Table 3-13 Chapter 3 Configuration Command Reference: A global configuration mode command that configures a router's...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Bold indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), bold indicates commands that the user enters (such as a show command). Italic indicates arguments for which you supply actual values. Vertical bars (|) separate...

Configuration Recommendations

Based on the Layer 2 attack mitigation strategies discussed earlier, the following list summarizes the recommended Cisco procedures for securing Layer 2 networks: Limit management access for a Layer 2 switch to trusted administrators. If management protocols are used on a switch, use secure management protocols (such as SNMPv3) as opposed to management protocols that transmit information in plain text (such as SNMPv1 and SNMPv2c). Disable any services running on the switch that are not...

Configuring AAA

As a network administrator, you must provide network access, as well as guard your network against improper access. The authentication, authorization, and accounting (AAA) model helps you securely manage who and what accesses the network, as well as provides a means of determining when, where, and how this network access can occur. AAA is made up of a series of network security services that together provide a framework for setting up Network Access Control (NAC). This chapter examines the...

Controls in a Security Solution

As just mentioned, the work of actually securing data is the responsibility of the custodian. However, if security is applied only through technical means, the results will not be highly effective. Specifically, because most attacks originating inside a network are not technical attacks, nontechnical mitigation strategies are required to thwart them. Cisco defines three security controls contained in a more all-encompassing security solution: Administrative controls are primarily policy-centric....

Data Classification Characteristics

Table 1-4 offers a few characteristics by which data can be classified. Table 1-4 Data Classification Characteristics: How valuable the data is to the organization. How long the data will be considered relevant. When determining a classification approach, define how many classification levels you need. Having too many classification levels can prove difficult to administer, whereas having too few classification levels lacks the granularity needed to classify a wide spectrum of data. As part of...

Defending the Perimeter

In addition to Cisco firewall, virtual private network (VPN), and intrusion prevention system (IPS) appliances that can sit at the perimeter of a network, Cisco IOS routers offer perimeter-based security. For example, the Cisco Integrated Services Routers (ISR) can be equipped to provide high-performance security features, including firewall, VPN termination, and IPS features, in addition to other services such as voice and quality-of-service (QoS) services. This chapter introduces various ISR...

Defining Endpoint Security

Before you can take steps to defend your endpoints, you must better understand what endpoint security is and what it consists of. We will begin by exploring the fundamental principles involved in host security, as well as discuss the need to defend endpoints from viruses, worms, Trojan horses, and other security threats. Cisco bases its strategy for securing hosts, as well as the more overarching network and enterprise security needs, on three broad elements (see Table 7-2). The Cisco Security...

Definition of Key Terms

Define the following key terms from this chapter, and check your answers in the glossary: confidentiality, integrity, availability, preventive control, deterrent control, detective control, vulnerability, exploit, phreaker, Defense in Depth, IP spoofing, data diddling, salami attack, denial of service (DoS). This chapter covers the following topics: Increasing operations security. This section explains the day-to-day procedures for deploying, maintaining, and retiring information security...

Developing a Secure Network

Day-to-day network operations include adding new components to the network, monitoring and maintaining existing components, and retiring other components. While you perform these operations, security should be a consideration, so this chapter discusses how security practices can be integrated into such day-to-day operations. Also, network security practices and procedures should be governed by a documented security policy, so this chapter discusses the elements and use of an effective security...

Do I Know This Already Quiz

The Do I Know This Already quiz helps you determine your level of knowledge of this chapter's topics before you begin. Table 3-1 details the major topics discussed in this chapter and their corresponding quiz questions. Table 3-1 Do I Know This Already Section-to-Question Mapping: ISR Overview and Providing Secure Administrative Access; Cisco Security Device Manager Overview. 1. Which of the following are considered IOS security features...

EAP-FAST

Extensible Authentication Protocol Flexible Authentication via Secure Tunneling (EAP-FAST) was developed by Cisco. Similar to PEAP with MS-CHAPv2, EAP-FAST protects authentication messages within a secure TLS tunnel. However, EAP-FAST uses shared secret keys. These keys, which are unique to each user, are called protected access credentials (PAC). PACs, which can be automatically or manually distributed to the supplicants, cause authentication to happen much faster than using digital...

EAP-MD5

EAP-MD5 is a standards-based EAP type. This EAP type uses an MD5-Challenge message. This is much like the challenge message used in PPP CHAP (Point-to-Point Protocol Challenge Handshake Authentication Protocol), which uses MD5 (Message Digest 5) as its hashing algorithm. Figure 6-16 shows the messages exchanged in an EAP-MD5 authentication. Notice that the authentication begins when the PC (the supplicant) sends an EAP over LAN (EAPOL) message (specifically, an EAPOL-start message) to the...

EAP-TLS

Microsoft developed EAP-TLS (Extensible Authentication Protocol Transport Layer Security). EAP-TLS was designed to address weaknesses found in other EAP types (such as the one-way authentication used by EAP-MD5). However, the trade-off for addressing these weaknesses is increased complexity in the deployment of EAP-TLS. Specifically, EAP-TLS uses certificate-based (that is, X.509 certificate-based) authentication. Therefore, to perform mutual authentication between the supplicant and the...

Examining Application Vulnerabilities

It is important to take the proper steps to address the vulnerabilities faced by your operating system, such as applying service packs and hot fixes and tuning it for secure operation. However, the majority of attacks target applications or, perhaps more specifically, the data they are protecting (or both). These attacks against applications can be categorized as either direct or indirect. Direct: An attacker tricks the application into performing a task using the application's privileges....

Examining Attack Response with the Cisco Security Agent

It seems that each year a number of new software programs and technologies are released. Coming quickly on their heels are malicious attacks that attempt to discover and exploit their vulnerabilities. Although literally thousands of varieties of attacks exist, with new ones constantly being devised, in general almost all of them have the same ultimate goal. With each, the goal is to gain control of the core mechanisms of the system being targeted. However, significant differences exist between...

Examining Endpoint Security

To devise a successful strategy to defend your endpoints, you must begin with knowledge of the defenses that are available. This section describes the current endpoint protection methods, such as Host-based Intrusion Prevention System (HIPS), integrity checkers, operating system protection, and the Cisco NAC Appliance. As part of our discussion, we will cover endpoint security and explore the fundamental principles involved in host security. We will also examine specific threats to endpoints,...

Examining Operating System Vulnerabilities

The various endpoints that we support on our networks each run some form of operating system, whether it is a desktop operating system (OS) or Network Operating System (NOS). These operating systems provide a set of basic security services to all applications that run on them. Table 7-3 lists the basic security services. Table 7-3 Basic Security Services Provided to Applications by Operating Systems: This is the...

Exploring Secure Voice Solutions

In the past, large companies used privately owned telephone systems (such as private branch exchanges (PBX)) to provide voice services to their employees. As data networks began to emerge, most companies maintained separate voice and data networks, and perhaps even a separate video network. However, with the performance and reliability offered by modern data networks, many network administrators began to see the wisdom of consolidating voice, data, and video traffic on the same network. This...

Exploring Security Fundamentals

As new vulnerabilities and new methods of attack are discovered, a relatively unsophisticated user can potentially launch a devastating attack against an unprotected network. This section begins by describing the challenges posed by the current security landscape. You will learn about the three primary goals of security: confidentiality, integrity, and availability. This section also explains traffic classification and security controls. You will learn how to...

External Threats

Because external attackers probably do not have intimate knowledge of a network, and because they do not already possess access credentials, their attacks tend to be more technical in nature. For example, an attacker could perform a ping sweep on a network to identify IP addresses that respond to the series of pings. Then, those IP addresses could be subjected to a port scan, in which open services on those hosts are discovered. The attacker could then try to exploit a known vulnerability to...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community. Reader feedback is a natural continuation of this process. If you have any comments about how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feed-back...

Format of the IINS Exam

The 640-553 IINS exam follows the same general format of other Cisco exams. When you get to the testing center and check in, the proctor gives you some general instructions and then takes you into a quiet room with a PC. When you're at the PC, you have a few things to do before the timer starts on your exam. For instance, you can take a sample quiz, just to get accustomed to the PC and the testing engine. If you have user-level PC skills, you should have no problems with the testing...

Government and Military Classification Model

Table 1-2 provides an example of a data classification model, which is used by multiple governments and militaries. Table 1-2 Government and Military Data Classification Example: Data that has few or no privacy requirements. Data that could cause embarrassment but not constitute a security threat if revealed. Data that has a reasonable probability of causing damage if disclosed to an unauthorized party. Data that has a...

How to Use This Book to Prepare for the IINS Exam

Using this book to prepare for the IINS exam is pretty straightforward: read each chapter in succession, and follow the study suggestions in Chapter 16, Final Preparation. For the core chapters of this book (Chapters 1 through 15), you do have some choices about how much of the chapter you read. In some cases, you may already know most or all of the information covered in a given chapter. To help you decide how much time to spend on each chapter, the chapters begin with a Do I Know This Already...

IINS Exam Topics

Table I-1 lists the exam topics for the 640-553 IINS exam. Although the posted exam topics are not numbered at Cisco.com, Cisco Press does number the exam topics for easier reference. Notice that the topics are divided among nine major topic areas. The table also notes the part of this book in which each exam topic is covered. Because it is possible that the exam topics may change over time, it may be worthwhile to double-check the exam topics as listed on Cisco.com. If Cisco later adds exam...

Implementing Endpoint Security

In the network world, the term endpoint can mean a myriad of devices everything from workstations to PDAs, laptops to smart phones. This chapter uses endpoint to mean an individual computer or device that acts as a network client. In addition to common endpoints such as laptops, desktop systems, and PDAs, servers may also be considered endpoints in a networked environment. This chapter looks at the variety of threats faced by endpoint devices. It also discusses specific Cisco technologies that...

Internal Threats

Network security threats originating inside a network tend to be more serious than external threats. Here are some reasons for the severity of internal threats: Inside users already have knowledge of the network and its available resources. Inside users typically have some level of access granted to them because of the nature of their job. Traditional network security mechanisms such as Intrusion Prevention Systems (IPS) and firewalls are ineffective against much of the network misuse...

International Jurisdiction Issues

A unique legal challenge for prosecuting information security offenses deals with jurisdictional issues. For example, an attacker in one country could launch an attack from a computer in another country that targets a computer in yet another country. The international boundaries that were virtually crossed could pose significant challenges to litigators. Fortunately, governments are beginning to collaborate on such investigations and prosecutions. For example, organizations that share law...

Introduction

Congratulations on your decision to pursue a Cisco Certification. If you're reading far enough to look at the introduction to this book, you likely already have a sense of what you ultimately would like to achieve: the Cisco CCNA Security certification. Achieving Cisco CCNA Security certification requires that you pass the Cisco IINS (640-553) exam. Cisco certifications are recognized throughout the networking industry as a rigorous test of a candidate's knowledge of and ability to work with...

Introduction to Cisco IBNS

Cisco IBNS can be deployed on an end-to-end Cisco network, which includes components such as Cisco Catalyst switches, wireless LAN (WLAN) devices (such as wireless access points and controllers), and a RADIUS server (such as a Cisco Secure Access Control Server ACS ). However, for a client to directly benefit from IBNS, the client operating system needs to support IEEE 802.1x. Fortunately, many modern operating systems (such as Microsoft Windows Vista) support 802.1x. For greater scalability,...

Launching a Local IP Spoofing Attack Using a Man-in-the-Middle Attack

If an attacker is on the same subnet as the target system, he might launch a man-in-the-middle attack. In one variant of a man-in-the-middle attack, the attacker convinces systems to send frames via the attacker's PC. For example, the attacker could send a series of gratuitous ARP (GARP) frames to systems. These GARP frames might claim that the next-hop router's IP address maps to the attacker's Layer 2 MAC address, so that victims update their ARP caches and address frames destined for the router to the attacker instead. The attacker could then capture traffic and forward it to the legitimate...
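The GARP poisoning described above is visible on the wire: a reply arrives whose sender IP is the router's but whose sender MAC is not the one already known for that IP. The following C program, an added example that is not part of the original book, implements that check: a small IP-to-MAC binding table is pinned with the known gateway binding, each ARP packet (the 28-byte payload after the Ethernet header) is parsed, and a sender that claims a pinned IP with a different MAC is reported as a conflict. The gateway and attacker addresses and the two packets are constructed for the demonstration; the binding table, `arp_monitor_inspect`, and the verdict names are this example's own, not a Cisco feature.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BINDINGS 16

struct binding { uint8_t ip[4]; uint8_t mac[6]; int used; };
struct arp_monitor { struct binding table[MAX_BINDINGS]; };

enum arp_verdict {
    ARP_IGNORED = 0,    /* not an Ethernet/IPv4 ARP request or reply, or too short */
    ARP_LEARNED = 1,    /* sender IP not seen before; binding recorded            */
    ARP_CONSISTENT = 2, /* sender MAC matches the binding we hold for that IP     */
    ARP_CONFLICT = 3    /* sender claims a pinned/learned IP with a different MAC */
};

static struct binding *find_binding(struct arp_monitor *m, const uint8_t ip[4]) {
    for (int i = 0; i < MAX_BINDINGS; i++)
        if (m->table[i].used && memcmp(m->table[i].ip, ip, 4) == 0) return &m->table[i];
    return NULL;
}

/* Pin a trusted binding (e.g. the default gateway). Returns 0, or -1 if the table is full. */
int arp_monitor_pin(struct arp_monitor *m, const uint8_t ip[4], const uint8_t mac[6]) {
    struct binding *b = find_binding(m, ip);
    if (!b) {
        for (int i = 0; i < MAX_BINDINGS && !b; i++) if (!m->table[i].used) b = &m->table[i];
        if (!b) return -1;
    }
    memcpy(b->ip, ip, 4); memcpy(b->mac, mac, 6); b->used = 1;
    return 0;
}

/* Inspect one ARP packet (payload after the 14-byte Ethernet header).
 * *gratuitous is set to 1 when sender and target IP are equal (a GARP). */
enum arp_verdict arp_monitor_inspect(struct arp_monitor *m, const uint8_t *pkt, size_t len, int *gratuitous) {
    if (len < 28) return ARP_IGNORED;
    if (pkt[0] != 0x00 || pkt[1] != 0x01) return ARP_IGNORED;  /* HTYPE: Ethernet */
    if (pkt[2] != 0x08 || pkt[3] != 0x00) return ARP_IGNORED;  /* PTYPE: IPv4     */
    if (pkt[4] != 6 || pkt[5] != 4) return ARP_IGNORED;        /* HLEN 6, PLEN 4  */
    unsigned oper = ((unsigned)pkt[6] << 8) | pkt[7];
    if (oper != 1 && oper != 2) return ARP_IGNORED;            /* request/reply   */
    const uint8_t *sha = pkt + 8, *spa = pkt + 14, *tpa = pkt + 24;
    if (gratuitous) *gratuitous = (memcmp(spa, tpa, 4) == 0);
    struct binding *b = find_binding(m, spa);
    if (!b) return arp_monitor_pin(m, spa, sha) == 0 ? ARP_LEARNED : ARP_IGNORED;
    /* A pinned binding is never overwritten by traffic; a mismatch is the poisoning signal. */
    return memcmp(b->mac, sha, 6) == 0 ? ARP_CONSISTENT : ARP_CONFLICT;
}

/* Build a 28-byte Ethernet/IPv4 ARP packet (constructed test input). */
void build_arp(uint8_t out[28], unsigned oper, const uint8_t sha[6], const uint8_t spa[4],
               const uint8_t tha[6], const uint8_t tpa[4]) {
    const uint8_t hdr[8] = {0x00, 0x01, 0x08, 0x00, 6, 4, (uint8_t)(oper >> 8), (uint8_t)oper};
    memcpy(out, hdr, 8); memcpy(out + 8, sha, 6); memcpy(out + 14, spa, 4);
    memcpy(out + 18, tha, 6); memcpy(out + 24, tpa, 4);
}

/* Constructed addresses: gateway 192.168.1.1 and a hypothetical attacker host. */
static const uint8_t GW_IP[4]   = {192, 168, 1, 1};
static const uint8_t GW_MAC[6]  = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
static const uint8_t ATK_MAC[6] = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01};
static const uint8_t BCAST[6]   = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

/* Runs a legitimate gateway reply and then the attacker's GARP through the monitor.
 * Returns 1 when the legitimate reply is accepted and the GARP is flagged as a conflict. */
int demo(void) {
    struct arp_monitor m; memset(&m, 0, sizeof m);
    uint8_t legit[28], poison[28]; int g1 = 0, g2 = 0;
    arp_monitor_pin(&m, GW_IP, GW_MAC);
    build_arp(legit, 2, GW_MAC, GW_IP, BCAST, GW_IP);      /* gateway's own GARP */
    build_arp(poison, 2, ATK_MAC, GW_IP, BCAST, GW_IP);    /* attacker claims gateway IP */
    enum arp_verdict v1 = arp_monitor_inspect(&m, legit, 28, &g1);
    enum arp_verdict v2 = arp_monitor_inspect(&m, poison, 28, &g2);
    return v1 == ARP_CONSISTENT && g1 == 1 && v2 == ARP_CONFLICT && g2 == 1;
}

int main(void) {
    printf("GARP poisoning of the gateway binding detected: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

A monitor like this only helps if the gateway binding is pinned before the attacker speaks; an unpinned first-seen binding is simply learned, which is why the example treats pinned entries as authoritative rather than letting later ARP traffic overwrite them.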

Launching a Remote IP Spoofing Attack with IP Source Routing

If an attacker uses a feature known as IP source routing, he can specify a complete routing path to be taken between two endpoints. Consider Figure 1-5. The attacker is on a different subnet than the destination host. However, the attacker sends an IP packet with a source route specified in the IP header, which causes the destination host to send traffic back to the spoofed IP address via the route specified. This approach can overcome the previously described challenge that an attacker might have...
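The source route travels in the IPv4 options field as a Loose Source and Record Route (type 131) or Strict Source and Record Route (type 137) option, so a router or host can refuse the attack simply by walking the options and dropping anything that carries one. The C program below is an added example, not code from the book: it parses the IPv4 header's options, reports which source-route option (if any) is present along with the hop list the attacker supplied, and makes a forward/drop decision. The two packets are constructed for the demonstration; `ipv4_source_route` and `forward_packet` are this example's own names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum src_route { SR_MALFORMED = -1, SR_NONE = 0, SR_LOOSE = 1, SR_STRICT = 2 };

#define IPOPT_EOL  0
#define IPOPT_NOP  1
#define IPOPT_LSRR 131
#define IPOPT_SSRR 137

/* Walk the IPv4 options. Returns SR_LOOSE/SR_STRICT if a source-route option is
 * present (copying up to max_hops of its addresses into hops and setting *nhops),
 * SR_NONE if not, SR_MALFORMED if the header or an option length is inconsistent. */
int ipv4_source_route(const uint8_t *pkt, size_t len, uint8_t hops[][4], int max_hops, int *nhops) {
    if (nhops) *nhops = 0;
    if (len < 20 || (pkt[0] >> 4) != 4) return SR_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;           /* header length in bytes */
    if (ihl < 20 || ihl > len) return SR_MALFORMED;
    int found = SR_NONE;
    size_t i = 20;
    while (i < ihl) {
        uint8_t type = pkt[i];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= ihl) return SR_MALFORMED;           /* length byte missing */
        uint8_t olen = pkt[i + 1];
        if (olen < 2 || i + olen > ihl) return SR_MALFORMED;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (olen < 3 || (olen - 3) % 4 != 0) return SR_MALFORMED;
            found = (type == IPOPT_LSRR) ? SR_LOOSE : SR_STRICT;
            int n = (olen - 3) / 4;                      /* addresses after type,len,pointer */
            for (int k = 0; k < n && k < max_hops; k++) {
                memcpy(hops[k], pkt + i + 3 + 4 * k, 4);
                if (nhops) *nhops = k + 1;
            }
        }
        i += olen;
    }
    return found;
}

/* Filter policy: forward only well-formed packets with no source route (1 = forward, 0 = drop). */
int forward_packet(const uint8_t *pkt, size_t len) {
    return ipv4_source_route(pkt, len, NULL, 0, NULL) == SR_NONE;
}

/* Constructed packet 1: plain 20-byte header, no options. */
static const uint8_t plain_pkt[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,   10, 0, 0, 2
};

/* Constructed packet 2: IHL=8 (32 bytes), spoofed source 192.168.1.100, with an LSRR
 * option (type 131, length 11, pointer 4) naming two hops, then an EOL pad byte.
 * The hop list is the return path the attacker wants replies to follow. */
static const uint8_t lsrr_pkt[32] = {
    0x48, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 168, 1, 100,   10, 0, 0, 2,
    IPOPT_LSRR, 11, 4,  10, 0, 0, 1,  203, 0, 113, 7,  IPOPT_EOL
};

/* Constructed packet 3: same layout, a NOP followed by an SSRR option with one hop. */
static const uint8_t ssrr_pkt[32] = {
    0x48, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 168, 1, 100,   10, 0, 0, 2,
    IPOPT_NOP, IPOPT_SSRR, 7, 4,  203, 0, 113, 7,  IPOPT_EOL, IPOPT_EOL, IPOPT_EOL, IPOPT_EOL
};

int main(void) {
    uint8_t hops[4][4]; int n = 0;
    int kind = ipv4_source_route(lsrr_pkt, sizeof lsrr_pkt, hops, 4, &n);
    printf("lsrr_pkt: source route type %d with %d hop(s); forward=%d\n",
           kind, n, forward_packet(lsrr_pkt, sizeof lsrr_pkt));
    printf("plain_pkt: forward=%d\n", forward_packet(plain_pkt, sizeof plain_pkt));
    return 0;
}
```

Dropping malformed option fields as well as source-routed ones matters: an option whose length byte runs past the header is the kind of input that a less careful parser reads out of bounds, and a filter should treat it as hostile rather than guess.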

Legal and Ethical Ramifications

Some businesses must abide by strict government regulations for security procedures. Therefore, information security professionals should be familiar with a few fundamental legal concepts. For example, most countries classify laws into one of the following three types: Criminal law applies to crimes that have been committed and that might result in fines and/or imprisonment for someone found guilty. Civil law addresses wrongs that have been committed. However, those wrongs are not considered...

Legal Issues to Consider

As a provider of network connectivity to customers, a service provider needs to be aware of potential liability issues. For example, if an e-commerce company lost a certain amount of business because of a service provider outage, the service provider might be found liable and have to pay damages. Also, some countries are passing laws dictating how companies handle privacy issues. For example, the Notification of Risk to Personal Data Act in the U.S. requires companies and government agencies...

Nonsecured Custom Applications

The vast majority (approximately 75 percent) of network attacks target specific applications, as opposed to lower-layer attacks. One reason attacks have become more targeted is the trend of attackers to be more motivated by profit, rather than by the fame or notoriety generated by creating a virus, for example. Unfortunately, because many organizations use custom applications (often not written with security in mind), these applications can be prime attack targets. Attacks on custom...

Notifying Network Managers of CAM Table Updates

Cisco Catalyst switches can proactively notify network administrators when CAM table updates occur. For example, if a switch learns a new MAC address and adds it to the CAM table, the Cisco Catalyst switch could send a Simple Network Management Protocol (SNMP) trap (that is, a notification) to a network management station (NMS). Similarly, a trap could be sent when a MAC address is deleted from the CAM table. The mac address-table notification command is used to enable this notification...

Objectives and Methods

The most important and somewhat obvious objective of this book is to help you pass the 640-553 IINS exam. In fact, if the primary objective of this book were different, the book's title would be misleading. However, the methods used in this book to help you pass the exams are also designed to make you much more knowledgeable about how to do your job. This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and...

Organizational Classification Model

Table 1-3 provides an example of an organizational data classification model. Table 1-3 Organizational Data Classification Example: Information made available to the public (for example, through marketing materials). Data that could cause embarrassment but not constitute a security threat if revealed. Organizational information that should be kept secret and whose accuracy should be maintained. Sensitive organizational information (for example,...

Overview of SAN Operations

Organizations are producing ever-increasing amounts of data. A storage-area network (SAN) is an effective means to allow them to store and access this data in a secure fashion. This section examines the fundamentals of SAN operation and describes the technology behind these focused networks. It also examines attacks focused on SANs and discusses their defense. With ever-increasing storage needs, many organizations are moving away from traditional file servers to more sophisticated SAN solutions...

Network Security Concepts

Chapter 1 Understanding Network Security Principles
Chapter 2 Developing a Secure Network
Chapter 3 Defending the Perimeter

This chapter covers the following topics: Exploring security fundamentals. This section explains the need for network security and discusses the elements of a secure network. Additionally, legal and ethical considerations are discussed. Understanding the methods of network attacks. This section makes you aware of various threats targeting the security of your network and...

Constructing a Secure Infrastructure

Chapter 7 Implementing Endpoint Security
Chapter 9 Exploring Secure Voice Solutions
Chapter 10 Using Cisco IOS Firewalls to Defend the Network
Chapter 11 Using Cisco IOS IPS to Secure the Network

This chapter covers the following topics: Defending against Layer 2 attacks. This section explains how Cisco Catalyst switches can be configured to mitigate several common Layer 2 attacks. Cisco Identity-Based Networking Services. This section examines how Cisco Identity-Based Networking Services (IBNS)...

PEAP with MS-CHAPv2

Protected Extensible Authentication Protocol (PEAP) comes in a couple of variations. PEAP version 0 uses MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2). PEAP version 1 uses GTC (generic token card). However, PEAP using MS-CHAPv2 is far more widely deployed than PEAP using a generic token card. Cisco Systems, Microsoft, and RSA Security collaborated on the development of PEAP with MS-CHAPv2. PEAP increases protection of authentication messages by creating a protected...

Potential Attackers

Another element of defending your data is identifying potential attackers who might want to steal or manipulate that data. For example, a company might need to protect its data from corporate competitors, terrorists, employees, and hackers, to name just a few. The term hacker is often used very generically to describe attackers. However, not all hackers have malicious intent. Table 1-5 lists various types of hackers. Table 1-5 Types of Hackers: A white hat hacker has the skills to break...

Providing SAN Security

It seems that every year organizations create more and more critical data data that needs to be stored securely for future reference. Storage-area networks (SAN) offer these organizations a targeted solution to meet this need in a cost-effective manner. With so much crucial data now residing on a SAN, securing this data effectively is a prime concern for these businesses. This chapter explores the fundamentals of SAN operations as well as the steps to take to effectively implement SAN security.

Responding to a Security Incident

Many deterrent controls might display warnings such as "Violators will be prosecuted to the fullest extent of the law." However, to successfully prosecute an attacker, litigators typically require the following elements to present an effective argument. Motive: A motive describes why the attacker committed the act. For example, was he a disgruntled employee? Also, potential motives can be valuable to define during an investigation. Specifically, an investigation might begin with those who had a...

Review All the Key Topics

Review the most important topics from this chapter, denoted with the Key Topic icon. Table 1-9 lists these key topics and the page where each is found:
Reasons for the severity of internal threats
The three primary goals of network security
Government and military data classification example
Legal elements needed to make a case
Defending against different classes of attacks

Scope of the Challenge

The 2007 CSI FBI Computer Crime and Security Survey is a fascinating document that provides insight into trends in network attacks from 2004 to 2007. A copy of this document can be downloaded from As an example of the information contained in this document, Figure 1-1 shows the average number of security incidents reported by 208 respondents for the years 2004 to 2007. Notice that the percentage of respondents reporting more than 10 incidents in a year dramatically increased in 2007. Figure 1-1...

Securing Layer 2 Devices

The characteristics of Layer 2 LAN devices frequently make these devices attractive targets for attackers. If an attacker can compromise Layer 2, he has access to the upper layers. This chapter explores these Layer 2 vulnerabilities and describes methods of mitigating such weaknesses using features available on Cisco Catalyst switches. Cisco Catalyst switches also play an integral role in the Cisco Identity-Based Networking Services (IBNS) technology. IBNS offers per-user access control to...

Securing the Router

Newly installed Cisco IOS routers might have multiple services and interfaces enabled that do not need to be enabled. Therefore, they present potential security vulnerabilities. The process of turning off unnecessary services is called hardening a router, and this chapter discusses Cisco best-practice recommendations for router hardening. Cisco SDM's One-Step Lockdown feature is explored, in addition to the auto secure command. Besides disabling unneeded services and interfaces, unsecured...

Simlet

The first three types of questions are relatively common in many testing environments. The multiple-choice format simply requires that you point and click a circle beside the correct answer(s). Cisco traditionally tells you how many answers you need to choose, and the testing software prevents you from choosing too many answers. Testlets are questions with one general scenario, with multiple MC questions about the overall scenario. Drag-and-drop questions require you to click and hold, move a...

The Anatomy of a Buffer Overflow Exploit

Because buffer overflows are one of the most common methods of application subversion in use today on the Internet, it is important that you understand these attacks and how to stop them. Let's take a look at the anatomy of a buffer overflow attack in detail. In most buffer overflow attacks, the attacker tries to subvert a program function that reads input and calls a subroutine (see Figure 7-1). What makes this possible is that the exploitable program function does not perform input length...

The Architecture Behind IronPort

SenderBase represents the first and largest e-mail traffic monitoring service, collecting data from more than 100,000 ISPs, universities, and corporations around the world. More than 120 parameters can be measured and scrutinized with SenderBase. The massive SenderBase database handles more than five billion queries per day. Real-time data is provided from every continent, from both small and large network providers. With this massive amount of data, SenderBase can develop the most accurate...

The Mindset of a Hacker

Hackers can use a variety of tools and techniques to hack into a system (that is, gain unauthorized access to a system). Although these methods vary, the following steps illustrate one example of a hacker's methodical process for hacking into a system: Step 1: Learn more about the system by performing reconnaissance. In this step, also known as footprinting, the hacker learns all he can about the system. For example, he might learn the target company's domain names and the range of IP addresses...

The Three Primary Goals of Network Security

For most of today's corporate networks, the demands of e-commerce and customer contact require connectivity between internal corporate networks and the outside world. From a security standpoint, two basic assumptions about modern corporate networks are as follows: Today's corporate networks are large, interconnect with other networks, and run both standards-based and proprietary protocols. The devices and applications connecting to and using corporate networks are continually increasing in...

Traffic Policing

To prevent an attacker from flooding a network with traffic in a DoS attack, Cisco Catalyst switches can rate-limit traffic using a traffic policing mechanism. Specifically, a traffic policing configuration allows an administrator to configure a committed information rate (CIR), which can be thought of as a speed limit on specific traffic. If traffic conforms to the speed limit, typically it is transmitted. However, traffic policing can alternatively transmit the conforming traffic and set a...

Types of Threats

Connecting a network to an outside network (for example, the Internet) introduces the possibility that outside attackers will exploit the network, perhaps by stealing network data or by impacting the network's performance (for example, by introducing viruses). However, even if a network were disconnected from any external network, security threats (in fact, most of the probable security threats) would still exist. Specifically, according to the Computer Security Institute (CSI) in San...

Understanding IronPort

IronPort is designed to protect an enterprise from various Internet threats that target e-mail and web security. IronPort's e-mail security capabilities are readily used by 20 percent of the largest enterprise organizations in the world. IronPort has a strong history of providing security and reliability. This same code base that protects eight of the ten largest ISPs is built into all of IronPort's e-mail security appliances for enterprises of any size. In addition to enterprise-level e-mail...

Understanding Network Security Principles

As networks grow and interconnect with other networks, including the Internet, those networks are exposed to a greater number of security risks. Not only does the number of potential attackers grow along with the size of the network, but the tools available to those potential attackers are always increasing in terms of sophistication. This chapter begins by broadly describing the necessity of network security and what should be in place in a secure network. Legal ramifications are addressed....

Understanding the Methods of Network Attacks

You might have noticed that this book has thus far referred to computer criminals as attackers rather than hackers. This wording is intentional, because not all hackers have malicious intent, even though the term hacker often has a negative connotation. In this section, you will gain additional insight into the mind-set and characteristics of various hackers. Additionally, you will be introduced to a variety of methods that attackers can use to infiltrate a computing system. To help mitigate...

Understanding the Threat of Buffer Overflows

To understand the threat that buffer overflows present when defending endpoints, you must first understand what a buffer overflow actually is and how applications operate. When a user or other source interacts with an application, it has to carefully verify all input, because the input might contain improperly formatted data, control sequences, or simply too much data for the application to work with. When these things occur, a buffer overflow condition can arise. Attackers realize this and try...

Understanding the Types of Buffer Overflows

Most buffer overflow attacks are used to either root a system or cause a DoS attack. We will look at each of these types of attacks. The phrase rooting a system comes from the UNIX world. It means that a system has been hacked so that the attacker has root, or superuser, privileges. Rooting a system is most easily accomplished with either remote root or local root buffer overflows. Of these two, remote root buffer overflows are the more dangerous. This is because an attacker can own your system...

US Laws and Regulations

With increased levels of terrorist activity on the Internet and an ever-increasing percentage of Internet connectivity for the world's citizens, governments are forced to develop regulations and legislation covering information security. As a few examples, the U.S. government created the following regulations, which pertain to information security: Gramm-Leach-Bliley Act (GLBA) of 1999: Did away with antitrust laws that disallowed banks, insurance companies, and securities firms from combining...

Using Cisco IOS Firewalls to Defend the Network

Because of the prevalence of Internet usage in business today, it has become increasingly important for growing businesses to look more closely at the security of their networks. As more and more business functions move to the public network, organizations need to take steps to ensure that their data and private information is not compromised or that this information does not end up in front of the wrong individuals. If a network were to experience unauthorized network access on the part of an...

Using the SPAN Feature with IDS

Chapter 11, "Using Cisco IOS IPS to Secure the Network," discusses the Cisco Intrusion Detection System (IDS) technology. With IDS, a sensor receives a copy of traffic for analysis. If the sensor recognizes the traffic as being malicious or suspicious, the IDS sensor can take a preconfigured action, such as generating an alarm or dynamically configuring a firewall to block the sender. One way to cause an IDS sensor to receive a copy of network traffic is to configure a port on a Cisco Catalyst...

Vulnerabilities

A vulnerability in an information system is a weakness that an attacker might leverage to gain unauthorized access to the system or its data. In some cases, after a vulnerability is discovered, attackers write a program intended to take advantage of the vulnerability. This type of malicious program is called an exploit. However, even if a system has a vulnerability, the likelihood that someone will use that vulnerability to cause damage varies. This likelihood is called risk. For example, a...

Warning and Disclaimer

This book is designed to provide the information necessary to be successful on the Cisco IINS (640-553) exam. Every effort has been made to make this book as complete and accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from...

What's on the IINS Exam

Cisco wants the public to know both the variety of topics and the kinds of knowledge and skills that are required for each topic, for every Cisco certification exam. To that end, Cisco publishes a set of exam topics for each exam. The topics list the specific subjects, such as ACLs, PKI, and AAA, that you will see on the exam. The wording of the topics also implies the kinds of skills required for that topic. For example, one topic might start with "Describe," and another might begin with...

Working with the Cisco Security Agent

In today's computing environment, endpoint protection must encompass more than simple desktop systems. The Cisco Security Agent software provides full-featured endpoint protection with threat protection capabilities for server, desktop, and point-of-service (POS) computing systems. This highly scalable solution can support as many as 100,000 agents from a single management console. Figure 7-4 shows the architecture of the Cisco Security Agent, which can grow with an organization's changing...

Cisco Security Device Manager Overview

Cisco IOS routers support many features (including security features) that require complex configurations. To aid in a number of these configuration tasks, Cisco introduced the Cisco Security Device Manager (SDM) interface. This section introduces SDM, discusses how to configure and launch SDM, and how to navigate the SDM wizards. Cisco SDM provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router, as shown in Figure 3-3. Not only does SDM offer...

Port Security Configuration

Earlier in this chapter you saw that Cisco Catalyst port security features can be used to combat CAM table overflow attacks and MAC address spoofing attacks. Cisco recommends that port security be configured on a switch before a switch is deployed in the network, to be proactive instead of reactive. When a switch port security violation occurs, you can configure the switch port to respond in one of three ways: Protect: When configured for protect, a switch port drops frames with an unknown...

Using IEEE 802.1x for VLAN Assignment

The authentication server component of an 802.1x topology can also help restrict user access to network resources, specifically VLANs. In addition to configuration on the RADIUS server (that is, the authentication server), the Cisco Catalyst switch is configured with appropriate AAA commands. After a client (that is, a supplicant) successfully authenticates by providing a username and password, the RADIUS server, which maintains the username-to-VLAN mappings, sends the client's VLAN information...

Enforcing Security Policies with VACLs

Routers can use IP access control lists (ACL) to permit or deny specific traffic from entering or exiting a network interface. Therefore, ACLs are used as traffic travels between network address spaces. However, a Cisco Catalyst switch can have an ACL applied within a VLAN. This intra-VLAN ACL is called a VLAN access control list (VACL). Example 6-7 shows the configuration of a VACL that permits Telnet traffic to be sent to a host at IP address 10.1.1.2 while denying all other traffic. Notice...

Combating DHCP Server Spoofing

On today's networks, most clients obtain their IP address information dynamically, using Dynamic Host Configuration Protocol (DHCP), rather than having their IP address information statically configured. To dynamically obtain IP address information, a client (for example, a PC) sends out a DHCP request. A DHCP server sees the request, and a DHCP response (including such information as an IP address, subnet mask, and default gateway) is sent to the requesting client. However, if an attacker...

Understanding Cisco Security Agent Interceptors

To help you understand how Cisco Security Agent interceptors work, we must first explore how applications access system resources. Each time an application needs access to system resources, it has to make an operating system call to the kernel. When this occurs, the Cisco Security Agent intercepts these operating system calls and compares them to the cached security policy. Figure 7-5 shows this process. Figure 7-5 Cisco Security Agent Interceptors: As long as the request does not violate...

Using Dynamic ARP Inspection

The DHCP snooping feature dynamically builds a DHCP binding table, which contains the MAC addresses associated with specific IP addresses. Additionally, this feature supports static MAC address to IP address mappings, which might be appropriate for network devices, such as routers. This DHCP binding table can be used by the Dynamic ARP Inspection (DAI) feature to help prevent Address Resolution Protocol (ARP) spoofing attacks. Recall the purpose of ARP requests. When a network device needs to...

How This Book Is Organized

This book contains 15 core chapters, Chapters 1 through 15. Chapter 16 includes some preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the IINS exam. The core chapters are organized into parts. They cover the following topics: Part I, Network Security Concepts: Chapter 1, "Understanding Network Security Principles": This chapter explains the need for network security and discusses the elements of a secure network. Additionally, legal and...

Overview of IEEE 802.1x

IEEE 802.1x (commonly just called 802.1x) is a standards-based approach for providing port-based network access. Specifically, 802.1x is a Layer 2 protocol that defines how Extensible Authentication Protocol (EAP) frames are encapsulated, typically between a user's network device (such as a PC) and a switch or wireless access point. The 802.1x standard also defines hardware components, as shown in Figure 6-15 and defined in Table 6-4. Figure 6-15 IEEE 802.1x Hardware Components...

Creating a Cisco Self Defending Network

Many modern security threats rapidly propagate across the Internet and internal networks. As a result, security components need to be able to respond rapidly to emerging threats. To combat these threats, Cisco offers the Cisco Self-Defending Network, which is its vision for using the network to recognize threats and then prevent and adapt to them. This section describes the implementation of the Cisco Self-Defending Network approach, which leverages Cisco products and solutions. As computing...

Securing a VoIP Network

Now that you have a foundational understanding of the myriad attacks that can target a VoIP network, this section addresses specific VoIP attack mitigations. Specifically, it covers separating voice traffic from data traffic using voice VLANs, using firewalls and VPNs to protect voice traffic, and approaches to harden the security of voice endpoints and servers.

Protecting a VoIP Network with Auxiliary VLANs

A fundamental approach to protecting voice traffic from attackers is to place it in a...

Understanding IP Spoofing

Attackers can launch a variety of attacks by initiating an IP spoofing attack. An IP spoofing attack causes an attacker's IP address to appear to be a trusted IP address. For example, if an attacker convinces a host that he is a trusted client, he might gain privileged access to a host. The attacker could also capture traffic, which might include credentials such as usernames and passwords. As another example, you might be familiar with denial-of-service (DoS) and distributed denial-of-service...

Identifying Common Voice Vulnerabilities

Because IP phones are readily accessible and plentiful in many corporate environments, they become attractive targets for attackers. Also, VoIP administrators should be on guard against VoIP variations of spam and phishing (both common in e-mail environments), as well as toll fraud (common in PBX environments). This section details these common attack targets for a VoIP network. Table 9-4 describes a few common VoIP attacks targeting endpoints. Table 9-4 Common VoIP Attack Targets...

Contents

Chapter 1 Understanding Network Security Principles
Do I Know This Already? Quiz
Why Network Security Is a Necessity
Types of Threats
Scope of the Challenge
Nonsecured Custom Applications
The Three Primary Goals of Network Security
Confidentiality
Integrity
Availability
Categorizing Data
Classification Models
Classification Roles
Controls in a Security Solution
Responding to a Security Incident
Legal and Ethical Ramifications
Legal Issues to Consider...

Mitigating CAM Table Overflow Attacks

A Cisco Catalyst switch uses a Content Addressable Memory (CAM) table to store the information used by the switch to make forwarding decisions. Specifically, the CAM table contains a listing of MAC addresses that have been learned from each switch port. Then, when a frame enters the switch, the switch interrogates the frame's destination MAC address. If the destination MAC address is known to exist off one of the switch ports, the frame is forwarded out only that port. For example, consider...

Defending Against Layer 2 Attacks

This section begins by exploring the nature of Layer 2 switch operation and why it is such an attractive target for attackers. Then, approaches for mitigating a variety of Layer 2 attacks are addressed. These strategies include best practices for securing a Layer 2 network, protecting against VLAN hopping attacks, preventing an attacker from manipulating Spanning Tree Protocol (STP) settings, stopping DHCP server and ARP spoofing, preventing Content Addressable Memory (CAM) table overflow...

Defense in Depth

Because a security solution is only as strong as its weakest link, network administrators are challenged to implement a security solution that protects a complex network. As a result, rather than deploying a single security solution, Cisco recommends multiple, overlapping solutions. These overlapping solutions target different aspects of security, such as securing against insider attacks and securing against technical attacks. These solutions should also be subjected to routine testing and...

Protecting Against an IP Spoofing Attack

The following approaches can be used to mitigate IP spoofing attacks: Use access control lists (ACL) on router interfaces. As traffic comes into a router from an outside network, an ACL could be used to deny any outside traffic claiming to be addressed with IP addressing used internally on the local network. Conversely, ACLs should be used to prevent traffic leaving the local network from participating in a DDoS attack. Therefore, an ACL could deny any traffic leaving the local network that...