Table 2-3 TCP Flags

The attacker's ultimate goal is to write special programs or pieces of code that construct these illegal flag combinations, resulting in an efficient DoS attack. The TCP/IP protocol suite relies on multiple timers during the lifetime of a session, including the Connection Establishment timer, the FIN_WAIT timer, and the KEEP_ALIVE timer. The following list elaborates on the three-way handshake mechanism presented in Figure 2-7:

Connection Establishment timer: Starts...

Figure 4-2 3DES

When a message is to be encrypted with 3DES, a method called EDE (encrypt-decrypt-encrypt) is used. The EDE method is described in the following list:

Step 1. The message is encrypted with the first 56-bit key, K1.
Step 2. The data is decrypted with a second 56-bit key, K2.
Step 3. The data is again encrypted with the third 56-bit key, K3.

The EDE procedure provides encryption with an effective key length of 168 bits. If keys K1 and K3 are equal (as in some implementations), a less secure...

IP Session Logging

After a sensor detects an attack, it generates an alarm and sends it to the management station. The information is saved in a memory-mapped file, in binary format, on both the sensor and the management platform. As discussed in the next section, the sensor uses RDEP to communicate with the outside world, and so does the IP logging feature. It is a two-way, client-server HTTP communication, whereby the client (sensor) sends an RDEP request,...

Router IDS Features and Network Modules

The router IDS feature is built-in functionality in Cisco IOS, enabling the router to be configured as a network intrusion detection sensor. These sensors support only a limited number of signatures. Because Cisco Secure Integrated Software is an in-line device, it inspects packets as they traverse the router's interfaces, which impacts network performance to a certain extent. When a packet, or a number of packets in a session, matches a signature, the router configured as a network IDS can perform...

Social Constraints

Manpower, or labor in general, is a clear concern in any network design. The more often a task must be executed (for instance, the amount of effort and skill required to connect a new user to the network or to expand the capacity of the network infrastructure), the more the design should focus on making that particular task simple and efficient to manage. Including network-management services in the design can mitigate some of the labor concerns through the automation of monitoring and...

Figure 15-3 Syslog Server Informational

[Figure 15-3 shows the syslog server display with three messages from 150.100.1.15: %SYS-5-CONFIG_I, %LINEPROTO-5-UPDOWN (line protocol on interface Ethernet0/1 changed state to up), and %LINK-3-UPDOWN (interface Ethernet0/1 changed state to up).]

As you can see in Figure 15-3, there is now more information (two additional messages) sent to the SYSLOG server than when only the warning level was activated.

Trusted Third Party

The PKI relies on the concept of a trusted third party. This trusted third party and the associated enrollment protocol combine to form a method that enables scalability. PKI provides scalability to cryptographic applications such as VPNs. The use of a trusted third-party protocol with public key cryptography is also based on the digital signing of public keys. In this case, however, one central authority signs all the public keys, and everybody trusts that central authority. The authority's...

NetScreen Firewall

The NetScreen firewalls are deep inspection firewalls providing application-layer protection, whereas the PIX can be configured as stateful or stateless firewalls providing network- and transport-layer protection. Both NetScreen and PIX Firewalls are certified by the ICSA labs and have Common Criteria EAL 4 ratings. NetScreen was founded on the vision of providing integrated security technologies that offer wire speed performance and are easy to deploy throughout an enterprise network. Juniper...

Case Study: Creating Your Own CA

This case study shows you how to install your own CA. For this case study, use the Windows 2000 server that comes with Microsoft CA software called Certificate Services. Other vendors, such as Netscape, also have certificate servers. All these servers can issue certificates, which can be used on any brand of web server and are accepted by any modern web browser. To install Microsoft's Certificate Services, follow these steps:

Step 1. Launch the Control Panel and click Add/Remove Programs, as...

Conclusion

When designing a secure network, some goals need to be taken into consideration. The goal of network security is to protect networks against attacks, with the intent of ensuring data and system availability, confidentiality, and integrity. A good network design meets all these requirements. This chapter covered the basics of network design, network design principles, network design methodology, PDIOO, and physical security issues.

Introduction to the SAFE Blueprint

The SAFE blueprint is a flexible, dynamic blueprint for the security of standard networks and virtual private networks (VPNs), enabling organizations to successfully compete in the Internet economy. The SAFE architecture is based on Cisco and its partner products and uses a defense-in-depth approach and modular design for security. This appendix focuses solely on large enterprise environments. Modifications to the SAFE blueprint for smaller or more specialized environments exist because the...


IP Address Spoofing

In this type of attack, the attacker replaces the IP address of the sender, or in some rare cases the destination, with a different address. IP spoofing is normally used to exploit a target host. In other cases, it is used to start a denial-of-service (DoS) attack. As shown in Figure 2-5, in a DoS attack, an attacker modifies the IP packet to mislead the target host into accepting the original packet as a packet sourced at a trusted host. The attacker must know the IP address of the trusted...

Weaknesses and Vulnerabilities

External and internal weaknesses and vulnerabilities must be considered. External weaknesses include malware, spyware, hackers, crackers, and script kiddies. Malware is a group of destructive programs such as viruses or worms. The following list defines some types of malware:

Virus: A virus is a piece of code that is capable of attaching to programs, disks, or computer memory to propagate itself. Viruses also carry a payload with an action they must carry out. The action can be anything from...

Figure 10-24 Event Record Details

Based on these events, some reporting and administration mechanisms can be triggered. Launching a notification, triggering a script, or even sending an e-mail are some of the possibilities.

Figure 10-11 Network-Based IDS Sensor Placement

Sensor 1, connected on the inside network, sees only traffic that is permitted by the firewall or internal traffic that does not traverse the firewall. All intrusions reported by Sensor 1 require immediate attention and response from the network administrator. Protecting all internal connections on the firewall with a network sensor is the best practice. Sensor 2, connected on the outside network, sees all traffic targeted for the organization, including the traffic that is blocked by the...

Figure 10-7 Architecture of the Host Sensor Agent

The Host Sensor Agent is installed next to the operating system. The host sensor software has to run adjacent to the operating system to guarantee protection of the operating system itself. The agent protects the host against attacks launched via the network and also protects against attacks or malicious activity by a user who is logged in to the protected host. The rules engine consists of console, agent, general, operating system, web, and FTP rules. The database contains the security policy...

Communication Syntax: RDEP

The data format used on the communication channel, which is set up between the network IDS sensor and the management station (often called the IDS director), is defined by the RDEP protocol. As of version 4.x of IDS sensor software, RDEP is used instead of PostOffice Protocol, which was used by earlier versions. The RDEP communication channel is critical to the success of an IDS and therefore must comply with some minimum requirements. Figure 10-15 shows this communication channel, which is...

War Driving and War Chalking

War-driving can be best described as a new form of hacking into the network. Crackers are equipped with an antenna either inside their cars or on the roof of their cars. The antenna is connected to a laptop in the car. Once installed in the car, the crackers start driving (or sometimes just park in garages) and log data as they go. Special software logs the latitude and longitude of the car's position as well as the signal strength and network name. It is important to be aware that companies...

Countermeasures to WEP Protocol Vulnerabilities

Now that it is clear that many 802.11 networks employ the standard WEP protocol, which is known to have major faults, some 802.11 vendors have come up with proprietary solutions. Before the official IEEE 802.11i was released, Cisco created proprietary solutions to address WEP protocol vulnerabilities. The WEP protocol contains three components:

Data privacy or encryption algorithm: The Cisco Wireless Security Suite contains an enhancement that exceeds the WEP functionality for each of the...

Example 8-10 Example of an Inspection for an Application Layer Protocol

Tokyo(config)# ip inspect name users http
Tokyo(config)# interface Ethernet1/1
Tokyo(config-if)# ip access-group 100 in
Tokyo(config)# interface Ethernet1/0
Tokyo(config-if)# ip inspect users in

access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any...

Q&A

1 Standards for digital IDs and certificates are defined in which of the following documents?
2 List four parameters of a digital ID.
3 A host IDS can be embedded in a networking device, a standalone appliance, or a module monitoring the network traffic. True or False?
4 Hardware keys are examples of which of the following?
5 What processes are covered in physical security policies?
6 List two protocols that can be used for encrypted logins.
7 Which three functional areas can be connected to a...

TCP

The TCP or transport layer of the TCP/IP stack corresponds to the OSI transport layer. TCP is a connection-oriented protocol that delivers segments reliably. Some TCP characteristics are highlighted in the next section because they might be used to exploit vulnerabilities in the TCP/IP protocol suite. The TCP segment is a number of bytes (the TCP header) prefixed to the data received from the upper layers. Figure 2-4 shows the complete TCP header format,...

Buffer Overflows

A buffer is a temporary data storage area used to hold program code and data. When a program or process tries to store more data in a buffer than it was originally allocated to hold, a buffer overflow occurs. What is really happening during a buffer overflow? Buffers are temporary storage locations in memory (memory or buffer sizes are often measured in bytes) that can hold a fixed number of bytes. When more data is written than the buffer location can store, the...

Different Types of Firewalls

Companies such as Cisco and other major vendors have introduced a multitude of firewall products that are capable of monitoring traffic using different techniques. Some of today's firewalls can inspect data packets up to Layer 4 (TCP layer). Others can inspect all layers (including the higher layers) and are referred to as deep packet firewalls. This section defines and explains these firewalls. The three types of inspection methodologies are as follows:

Packet filtering and stateless filtering...

Figure 11-3 ACS Setup for TACACS+ Authentication

TACACS+ accounting provides an audit record of what commands were completed. When the NAS sends a record of commands, the TACACS+ server sends a response acknowledging the accounting record. RADIUS is a client-server based system that secures a network. RADIUS is a protocol implemented in all Cisco devices that send authentication requests to a RADIUS server. RADIUS is defined in RFC 2138 and RFC 2139. A RADIUS server is a device that has the RADIUS daemon or application installed. RADIUS must be...

Characteristics of Digital Certificates

PKI provides a hierarchical framework for managing the digital security attributes. Each PKI participant holds a digital certificate that has been issued by a CA. The certificate contains a number of attributes that are used when parties negotiate a secure connection. These attributes must include the certificate validity period, end-host identity information, encryption keys that will be used for secure communications, and the signature of the issuing CA. Optional attributes may be included,...

IP Security

You cannot talk about VPNs without saying something about IP Security (IPSec). IPSec is a framework of open standards. It is not bound to any specific encryption or authentication algorithm or keying technology. IPSec acts on the network layer, where it protects and authenticates IP packets between participating peers such as firewalls, routers, or concentrators. IPSec provides four major functions:

Confidentiality: The sender can encrypt the packets before transmitting them across the...

Enhanced Access Lists

Several types of enhanced access lists can be configured on a router. So far, only standard and extended access lists have been discussed in this chapter. Enhanced access lists were designed to secure routers and their networks better. Each has special features, and the selection depends on your particular security needs. The following types of access lists are available:

Notification Alarms

The overall purpose of IDSs is to trigger alarms when a given packet or sequence of packets seems to represent suspicious activity that violates the defined network security policy. Although alarms are essential, it is critical for network security personnel to configure the IDS to minimize the occurrence of false negative and false positive alarms. Let's start with a definition of these terms. A false positive is a condition in which valid traffic or a benign action causes the signature to...

Appendix D: Answers to Chapter Q&A

Chapter 1 Q&A, Chapter 2 Q&A, Chapter 3 Q&A, Chapter 4 Q&A, Chapter 5 Q&A, Chapter 6 Q&A, Chapter 7 Q&A, Chapter 8 Q&A, Chapter 9 Q&A, Chapter 10 Q&A, Chapter 11 Q&A, Chapter 12 Q&A, Chapter 13 Q&A, Chapter 14 Q&A, Chapter 15 Q&A

1 Which resources in a network are considered the most trusted?
A1 Answer: The resources in a network that are considered the most trusted include internal servers, domain controllers, and network-attached devices.
A2 Answer: ...

Example 8-4 Configuration File for the Brussels Router

Brussels# show running-config
Building configuration...
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
 ip address 10.10.10.2 255.255.255.0
 half-duplex
interface Serial0/0
 no ip address
 shutdown
interface TokenRing0/0
 no ip address
 shutdown
interface Serial0/1
 no ip address
 shutdown
line con 0
 exec-timeout 0 0
 password c0npa55
 login
line aux 0
 exec-timeout 3 30
 password au6pa55
 login
line vty 0 4
 exec-timeout 5 0
 password vt1pa55
 login

The console port...

Figure 8-2 Dynamic Access List

To be able to connect to the device, the user needs a dynamic access list on Router A and a username for local authentication. Configure a username so that the user can access the device by using the following command:

Tokyo(config)# username user password te5t

Because you should not count on the user to issue the access-enable command correctly, you need the line that follows under vty 0 4. The access-enable command creates a temporary access list entry in a dynamic access list....

Covert Channels

A covert or clandestine channel can be best described as a pipe or communication channel between two entities that can be exploited by a process or application to transfer information in a manner that violates the system's security specifications. More specifically for TCP/IP, in some instances covert channels are established and data can be secretly passed between two end systems. Let's take Internet Control Message Protocol (ICMP) as an example. In the following types of circumstances,...

Firewall Basics

A firewall is defined as a gateway or access server (hardware- or software-based) or several gateways or access servers that are designated as buffers between any connected public network and a private network. A firewall is a device that separates a trusted network from an untrusted network. It may be a router, a PC running specialized software, or a combination of devices. A Cisco firewall router primarily uses access lists to ensure the security of the private network. Figure 9-1 displays a...

Figure 10-3 A Smurf Attack Signature Name, Signature ID, and Description

Table 8-1 Banner Command

Command            Description
banner exec        Specifies a message to be displayed when an EXEC process is created (a line is activated or an incoming ...).
banner incoming    Specifies a message used when you have an incoming connection to a line from a host on the network.
banner login       Specifies a message to be displayed before the username and password login prompts.
banner motd        Specifies and enables a message-of-the-day (MOTD) banner.
banner slip-ppp    Specifies and enables a banner to be displayed when a Serial Line Interface...

Example 8-12 Example of Access List Permission

access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 packet-too-big
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 traceroute
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 unreachable
access-list 101 permit tcp any host 192.168.1.20 eq smtp
access-list 101 permit tcp...

TCP Flags

As discussed previously, data exchange using TCP does not happen until a three-way handshake has been successfully completed. This handshake uses different flags to influence the way TCP segments are processed. Six bits in the TCP header are often called flags. In Figure 2-4, six different flags are part of the TCP header: Urgent pointer field (URG), Acknowledgment field (ACK), Push function (PSH), Reset the connection (RST), Synchronize sequence numbers (SYN), and sender is...

Appendix C: NSA Guidelines

Much of the material in this appendix is quoted directly from the relevant websites that are listed at the end of the appendix. According to its website, the National Security Agency (NSA) is the cryptologic organization in the U.S. It coordinates, directs, and performs highly specialized activities to protect American information systems and produce foreign intelligence information. NSA is a high technology organization, and as such it is on the frontier of communications and data processing....

Example 11-4 show aaa user all Command Output

Accounting log: 0x18001
Events recorded: CALL START INTERIM START INTERIM STOP
update method(s): NONE
update interval: 0
Outstanding Stop Records: 0
Dynamic attribute list:
  63517944 0 00000001 connect-progress(30) 4 0
  63517958 0 00000001 pre-session-time(237) 4 21(15)
  6351796C 0 00000001 elapsed_time(294) 4 0(0)
  63517980 0 00000001 pre-bytes-in(233) 4 0(0)
  63517994 0 00000001 pre-bytes-out(234) 4 0(0)
  635179A8 0 00000001 pre-paks-in(235) 4 0(0)
  635179BC 0...

PKI Topology

PKIs can form different topologies of trust. In one model, a single or root CA issues all the certificates to the end users, as shown in Figure 13-4. The advantage of this setup is its simplicity, but there are some pitfalls. The setup has a single point of failure, and it is not suitable for large-scale deployments. Because of its simplicity, this topology is often used in VPNs managed by a single organization. A more complex topology involves multiple CAs within the same organization. This is...

IDS Management Communications: Monitoring the Network

Network device management requires a communications channel to be available to the network devices. Devices may support out-of-band management, in-band management, or both. In-band management consumes bandwidth that could otherwise be used by network traffic. Out-of-band management increases bandwidth available for network traffic and typically improves the privacy and security of network management communications. The benefits are achieved in the reduced cost of designing, provisioning, and...

Hardware Firewalls: PIX and NetScreen

This section covers two of the most common hardware-based firewalls in the marketplace today, namely the CiscoSecure Private Internet Exchange (PIX) Firewall and the NetScreen firewall. For more details on specific product lines, please visit www.cisco.com/security and http www.juniper.net netscreen com.html. The PIX is a dedicated hardware-based networking device that is designed to ensure that only traffic matching a set of criteria is permitted to access resources from networks defined...

Case Study: Deployment of IDS Sensors in the Organization and Their Typical Placement

The IDS case study covers the placement of the IDS equipment in an actual situation. The case study includes the setup and configuration of IDSs in a customer's environment with a few screenshots of the customer's network under attack. This practical example shows how organizations can inspect and monitor overall network activity using IDSs to protect their assets. Figure 10-19 and Figure 10-20 illustrate the Company XYZ network diagram for this scenario. An Internet user (cracker) is connected...

About the Technical Reviewers

Stephen Kalman is a data security trainer. He is the author or technical editor of more than 20 books, courses, and CBT titles. His most recent book is Web Security Field Guide, published by Cisco Press. In addition to those responsibilities, he runs a consulting company, Esquire Micro Consultants, that specializes in network security. Stephen holds CISSP, CEH, CCNA, CCDA, A+, Network+, and Security+ certifications and is a member of the New York State Bar. Danny Rodriguez is currently a member...

Network Design Principles

The fundamental principles of network design call for dividing the network into manageable blocks. This division ensures that the network can function within the specifications, performance, and scale limits of the required applications, protocols, and network services. The network infrastructure itself is an important component in the design process because it transports the application and network-management traffic. The designed network infrastructure must meet at least three high-level...


Is It a Policy, a Standard, or a Guideline?

What's in a name? People frequently use the names policy, standard, and guideline to refer to documents that fall within the policy infrastructure. Although they all have different definitions, most people use these names synonymously, which is why the sections that follow define each term separately. A policy is typically a document that outlines specific requirements or rules that must be met. In the information and network security realm, policies are usually point-specific, covering a single...

Example 9-4 PIX Full Working Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
logging timestamp
no logging standby
logging console debugging
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip...