- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database Population
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary
8 Chapter 1 Introduction to Network Security
just to keep up. Improper and/or incomplete change control on the network can expose some really ugly policy weaknesses.
If your technical support staff is continually changing, be sure to understand that this can create a security weakness in your policies.
Lax Security Administration
Creating a fabulous corporate security policy, including monitoring and auditing your network’s security, is hard work. It can be upsetting when no one cares about it. “Why implement this? They’ll just tell me to change it next week!” That’s probably true, but somehow you need to try to provide a solid, well-defined security policy that is also well monitored.
Think of this as a policy within the policy, because if no one is monitoring or auditing company resources, those resources can and will certainly be wasted. This has potentially catastrophic implications because that type of lax security administration could easily end up exposing the corporation to legal action!
Installation and Changes That Do Not Follow the Stated Policy
Making sure that all software and hardware installations follow the stated installation policy is part of monitoring that policy. And monitoring these installations is integral to the policy’s integrity. I know this is difficult and tedious, and it seems as if I’m telling you that you don’t get to have a life, but it’s very important—really. If you have no installation or configuration policy to adhere to, then unauthorized changes to the network’s topology or some unapproved application installation can quickly create holes in your network’s security.
No Disaster Recovery Plan
Disasters? Those only happen somewhere else, right? But they might happen, and they can even happen to you. So for your network’s sake, earthquakes, fires, vandalism, hardware failure, vicious cord-eating rats, and even—God forbid—Internet access failure should all be things that you have a strategy for dealing with in your disaster recovery plan. Your gleaming, brilliant disaster recovery plan will describe your every answer to each and every one of these woes. If you don’t do this in times of tranquil peace before you experience a meltdown, you’ll experience sheer chaos, panic, and total confusion when something really does go down. And certain types of people tend to take advantage of situations like that, don’t they? ’Nuf said.
Types of Network Attacks
Okay, you know your enemy and your weaknesses. But what exactly is that enemy up to, and what are they going to do to take advantage of your vulnerabilities? This is extremely important for you to understand so you can be prepared for what an attacker may throw at you. Most network attacks fall into these three categories:
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
Reconnaissance attacks
Reconnaissance attacks are unauthorized familiarization sessions that a hacker might use to find out what can be attacked on your network. An attacker on reconnaissance is out for discovery—mapping the network and its resources, systems, and vulnerabilities. This is often just a preliminary task. The information gathered will frequently be used to attack the network later.
Access attacks
Access attacks are waged against networks or systems to retrieve data, gain access, or escalate their access privilege. This can be as easy as finding network shares with no passwords. It’s not always serious—many access attacks are performed out of curiosity or for the intellectual challenge, but beware. Some access attacks are really done to nick stuff, while other hackers perform access attacks because they want to play with your toys or use you to camouflage their identity in order to make their dirty work look as though it came from your network!
Denial-of-service (DoS) attacks
Denial-of-service (DoS) attacks are always nasty. Their sole purpose is to disable or corrupt network services. A DoS attack will usually either crash a system or slow it down to the point where it’s rendered useless. DoS attacks are usually aimed at web servers and are surprisingly easy to perform. (The next section discusses DoS attacks in more detail.)
But there are many ways—most of them fairly common—to gather information about a network and to compromise corporate information, even to cause the destruction of a corporate web server and services. The three categories just discussed are the ones that cause the most trouble on your network.
TCP/IP teams up with your operating system to provide many weak, exploitable spots (if not outright invitations) into a corporation’s network. TCP/IP and operating system weaknesses are probably the two greatest technology-oriented weaknesses facing corporations today.
Here is a list of the most common attacks on your network:
- Eavesdropping
- Denial-of-service attacks
- Unauthorized access
- WareZ
- Masquerade attack (IP spoofing)
- Session replaying or hijacking
- Rerouting
- Repudiation
- Smurfing
- Password attacks
- Man-in-the-middle attacks
- Application-layer attacks
- HTML attacks
When protecting your information from these attacks, it’s your job to prevent the theft, destruction, corruption, and introduction of information that can cause irreparable damage to sensitive and confidential data on your network.
Eavesdropping
Eavesdropping, also known in the industry as network snooping and packet sniffing, is the act of a hacker “listening in” to your system. You wouldn’t believe it, but there’s a really cool product called (surprise!) a packet sniffer that enables its user to read packets of information sent across a network. Because a network’s packets are not encrypted by default, they can be processed and understood by the sniffer. You can just imagine how wonderfully helpful this capability is to the network administrator trying to optimize or troubleshoot a network! But it’s not exactly a stretch to visualize an evil hacker—packet sniffer in hand—using it to break into a network to gather sensitive corporate info, now is it?
And gather they can! Did you know that some applications send all information across the network in cleartext? This is especially convenient for the hacker who’s striving to snag some usernames and passwords and use them to gain access to corporate resources. Yes, my friend, all bad guys need to do is jack the right account information, and they’ve got the run of your network. Worse, if a hacker manages to gain admin or root access, they can even create a new user ID to use at any time as a back door into your network and its resources. Then your network belongs to the hacker—kiss it goodbye!
Simple Eavesdropping
Here is an example of simple eavesdropping that I encountered when I was checking my e-mail. This shows how easy it can be to find usernames and passwords!
Notice in this example that the EtherPeek network analyzer I’m using shows that the first packet has the username in cleartext:
```text
TCP - Transport Control Protocol
  Source Port:        3207
  Destination Port:   110 pop3
  Sequence Number:    1904801173
  Ack Number:         1883396251
  Offset:             5 (20 bytes)
  Reserved:           %000000
  Flags:              %011000
                      0. .... (No Urgent pointer)
                      .1 .... Ack
                      .. 1... Push
                      .. .0.. (No Reset)
                      .. ..0. (No SYN)
                      .. ...0 (No FIN)
  Window:             64166
  Checksum:           0x078F
  Urgent Pointer:     0
  No TCP Options
POP - Post Office Protocol
  Line 1:             USER tlammle1<CR><LF>
FCS - Frame Check Sequence
  FCS (Calculated):   0x0CFCA80E
```
This next packet has the password. Everything seen in this packet (an e-mail address and a username/password) can be used to break into the system:
```text
TCP - Transport Control Protocol
  Source Port:        3207
  Destination Port:   110 pop3
  Sequence Number:    1904801188
  Ack Number:         1883396256
  Offset:             5 (20 bytes)
  Reserved:           %000000
  Flags:              %011000
                      0. .... (No Urgent pointer)
                      .1 .... Ack
                      .. 1... Push
                      .. .0.. (No Reset)
                      .. ..0. (No SYN)
                      .. ...0 (No FIN)
  Window:             64161
  Checksum:           0x078F
  Urgent Pointer:     0
  No TCP Options
POP - Post Office Protocol
  Line 1:             PASS secretpass<CR><LF>
```
The username is tlammle1 and the password is secretpass—all nice and clear for everyone’s viewing pleasure.
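As an added example (not code from the book), the Python below decodes a raw TCP segment into the same fields the analyzer printed above and then flags cleartext POP3 USER and PASS commands, the kind of check a sniffer-based IDS or a log pipeline would run to alert on unencrypted mail logins while masking the password it saw. The two sample segments are constructed here from the field values printed in the decode (ports 3207 and 110, the sequence and acknowledgment numbers, flags %011000, the window sizes, and the two POP commands); the names `parse_tcp`, `build_tcp`, `find_pop3_credentials` and `audit` are this example's own.

```python
"""Decode TCP segments and flag cleartext POP3 credentials.

Added example, not from the book. The sample segments are constructed
from the field values shown in the EtherPeek decode of the POP3 login.
"""
import struct
from dataclasses import dataclass

POP3_PORT = 110
# Names of the six low flag bits, most significant first (matches %UAPRSF order).
TCP_FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int
    flags: int
    window: int
    checksum: int
    urgent: int
    payload: bytes

    def flag_bits(self) -> str:
        """Render the flag bits the way the analyzer does, e.g. '%011000'."""
        return "%" + format(self.flags & 0x3F, "06b")

    def flag_names(self) -> list:
        """Names of the flags that are set, e.g. ['ACK', 'PSH']."""
        return [n for i, n in enumerate(TCP_FLAG_NAMES) if self.flags & (1 << (5 - i))]


def parse_tcp(segment: bytes) -> TcpSegment:
    """Parse a TCP header (RFC 793 layout, network byte order) plus its payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4  # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return TcpSegment(src, dst, seq, ack, header_len, flags, win, csum, urg, segment[header_len:])


def build_tcp(src, dst, seq, ack, flags, window, checksum, urgent, payload: bytes) -> bytes:
    """Assemble a 20-byte option-less TCP header in front of payload (used for the constructed samples)."""
    return struct.pack("!HHIIBBHHH", src, dst, seq, ack, 5 << 4, flags, window, checksum, urgent) + payload


def find_pop3_credentials(seg: TcpSegment) -> list:
    """Return one finding per cleartext POP3 USER/PASS command sent to port 110; passwords are masked."""
    findings = []
    if seg.dst_port != POP3_PORT:
        return findings
    for line in seg.payload.split(b"\r\n"):
        parts = line.split(b" ", 1)
        if len(parts) != 2:
            continue
        cmd, arg = parts[0].upper(), parts[1].decode("ascii", "replace")
        if cmd == b"USER":
            findings.append({"command": "USER", "value": arg})
        elif cmd == b"PASS":
            findings.append({"command": "PASS", "value": "*" * len(arg)})  # never log the secret itself
    return findings


# Constructed samples: the two client->server segments from the decode above (flags 0x18 = ACK+PSH = %011000).
SAMPLE_USER_SEGMENT = build_tcp(3207, 110, 1904801173, 1883396251, 0x18, 64166, 0x078F, 0, b"USER tlammle1\r\n")
SAMPLE_PASS_SEGMENT = build_tcp(3207, 110, 1904801188, 1883396256, 0x18, 64161, 0x078F, 0, b"PASS secretpass\r\n")


def audit(segments) -> list:
    """Run the credential check over raw segments; each finding carries port/seq/flags for correlation."""
    out = []
    for raw in segments:
        seg = parse_tcp(raw)
        for f in find_pop3_credentials(seg):
            out.append({**f, "src_port": seg.src_port, "seq": seg.seq, "flags": seg.flag_bits()})
    return out


if __name__ == "__main__":
    for finding in audit([SAMPLE_USER_SEGMENT, SAMPLE_PASS_SEGMENT]):
        print(finding)
```

Two things the decode makes visible once it is parsed: the second segment's sequence number (1904801188) is exactly the first one (1904801173) plus the 15 bytes of `USER tlammle1<CR><LF>`, which is how a detector knows the USER and PASS lines belong to the same session without any state beyond the sequence numbers; and the only real fix is to stop sending the login in cleartext at all (POP3 over TLS or STARTTLS), at which point the same check on the same port sees nothing to parse.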