2. Yes, it’s true: Security attacks vary considerably in their complexity and
threat level, and some even happen because of WUI, or witless user ignorance.
(This term isn’t an exam objective, but it does occur more than you’d think!)
You see, it all comes down to planning, or rather, lack thereof. Basically,
the vital tool that the Internet has become today was absolutely unforeseen by
those who brought it into being. This is a big reason why security is now such an
issue—most IP implementations are innately insecure. No worries though, because
Cisco has a few tricks up its sleeve to help us with this. But first, let’s examine
some common attack profiles:
Application-layer attacks
These attacks commonly zero in on well-known holes in the software that’s
typically found running on servers. Favorite targets include FTP, sendmail, and
HTTP. Because the permissions level granted to these accounts is most often
“privileged,” bad guys simply access and exploit the machine that’s running one
of the applications I just mentioned.
Autorooters
You can think of these as a kind of hacker automaton. Bad guys use something
called a rootkit to probe, scan, and then capture data on a strategically positioned
computer that’s poised to give them “eyes” into entire systems—automatically!
Backdoors
These are simply paths leading into a computer or network. Through simple
invasions, or via more elaborate “Trojan horse” code, bad guys can use their
implanted inroads into a specific host or even a network whenever they want to—
until you detect and stop them, that is!
Denial of service (DoS) and distributed denial of service (DDoS)
attacks
These are bad—pretty tough to get rid of too! But even hackers don’t respect
other hackers that execute them because, though nasty, they’re really easy to
accomplish. (This means that some 10-year-old could actually bring you to your
knees, and that is just wrong!) Basically, a service is made unavailable by
overwhelming the system that normally provides it. And there are several
different flavors:
TCP SYN flood
Begins when a client initiates a seemingly run-of-the-mill TCP connection
and sends a SYN message to a server. The server predictably responds by
sending a SYN-ACK message back to the client machine, which then
establishes the connection by returning an ACK message. Sounds fine, but
it’s actually during this process—when the connection is only halfway
open—that the victim machine is literally flooded with a deluge of half-
open connections and pretty much becomes paralyzed.
3. “Ping of death” attacks
You probably know that TCP/IP’s maximum packet size is 65,536 octets.
It’s okay if you didn’t know that—just understand that this attack is
executed by simply pinging with oversized packets, causing a device to
keep rebooting incessantly, freeze up, or just totally crash.
Tribe Flood Network (TFN) and Tribe Flood Network 2000
(TFN2K)
These nasty little numbers are more complex in that they initiate
synchronized DoS attacks from multiple sources and can target multiple
devices. This is achieved, in part, by something known as “IP spoofing,”
which I’ll be describing soon.
Stacheldraht
This attack is actually a mélange of methods, and it translates from the
German term for barbed wire. It basically incorporates TFN and adds a
dash of encryption. It all begins with a huge invasion at the root level,
followed up with a DoS attack finale.
IP spoofing
This is pretty much what it sounds like it is—a bad guy from within or outside of
your network masquerades as a trusted host machine by doing one of two things:
presenting with an IP address that’s inside your network’s scope of trusted
addresses or using an approved, trusted external IP address. Because the hacker’s
true identity is veiled behind the spoofed address, this is often just the beginning
of your problems.
Man-in-the-middle attacks
Interception! But it’s not a football, it’s a bunch of your network’s packets—your
precious data! A common guilty party could be someone working for your very
own ISP using a tool known as a sniffer (discussed later) and augmenting it with
routing and transport protocols.
Network reconnaissance
Before breaking into a network, hackers often gather all the information they can
about it, because the more they know about the network, the better they can
compromise it. They accomplish their objectives through methods like port scans,
DNS queries, and ping sweeps.
Packet sniffers
This is the tool I mentioned earlier, but I didn’t tell you what it is, and it may
come as a surprise that it’s actually software. Here’s how it works—a network
adapter card is set to promiscuous mode so it will send all packets snagged from
the network’s physical layer through to a special application to be viewed and
sorted out. A packet sniffer can nick some highly valuable, sensitive data
including, but not limited to, passwords and usernames, making them prized
among identity thieves.
4. Password attacks
These come in many flavors, and even though they can be achieved via more
sophisticated types of attacks like IP spoofing, packet sniffing, and Trojan horses,
their sole purpose is to—surprise—discover user passwords so the thief can
pretend they’re a valid user and then access that user’s privileges and resources.
Brute force attack
Another software-oriented attack that employs a program running on a targeted
network that tries to log in to some type of shared network resource like a server.
For the hacker, it’s ideal if the accessed accounts have a lot of privileges because
then the bad guys can form back doors to use for gaining access later and bypass
the need for passwords entirely.
Port redirection attacks
This approach requires a host machine the hacker has broken into and uses to get
wonky traffic (that normally wouldn’t be allowed passage) through a firewall.
Trojan horse attacks and viruses
These two are actually pretty similar—both Trojan horses and viruses infect user
machines with malicious code and mess it up with varying degrees of paralysis,
destruction, even death! But they do have their differences—viruses are really just
nasty programs attached to command.com, which just happens to be the main
interpreter for all Windows systems. Viruses then run amok, deleting files and
infecting any flavor of command.com it finds on the now diseased machine. The
difference between a virus and a Trojan horse is that Trojans are actually
complete applications encased inside code that makes them appear to be a
completely different entity—say, a simple, innocent game—than the ugly
implements of destruction they truly are!
Trust exploitation attacks
These happen when someone exploits a trust relationship inside your network. For
example, a company’s perimeter network connection usually shelters important
things like SMTP, DNS, and HTTP servers, making the servers really vulnerable
because they’re all on the same segment.
To be honest, I’m not going to go into detail on how to mitigate each and
every one of the security threats I just talked about, not only because that would be
outside the scope of this book, but also because the methods I am going to teach
you will truly protect you from being attacked in general. You will learn enough
tricks to make all but the most determined bad guys give up on you and search for
easier prey. So basically, think of this as a chapter on how to practice “safe
networking.”
5. Mitigating Security Threats
Hmm…what solution should we use to mitigate security threats?
Something from Juniper, McAfee, or some other firewall product? Nah—we
probably should use something from Cisco. Cisco has a very cool product called
the Adaptive Security Appliance, or ASA. But there’s a catch or two—it’s a pretty
pricey little beauty that scales in cost depending on the modules you choose (for
example, intrusion prevention). Plus, the ASA is actually above the objectives of
this book. I just personally think is the best product on the market—it truly rocks!
Cisco IOS software runs on upwards of 80 percent of the Internet backbone
routers out there; it’s probably the most critical part of network infrastructure. So
let’s just keep it real and use the Cisco IOS’s software-based security, known as
the Cisco IOS Firewall feature set, for our end-to-end Internet, intranet, and
remote-access network security solutions. It’s a good idea to go with this because
Cisco ACLs really are quite efficient tools for mitigating many of the most
common threats around—and if you just happen to be studying for your CCNA
exam, you need to solidly understand how ACLs work more than anything else in
this chapter!
Cisco’s IOS Firewall
Here’s where we’re going to find out how to mitigate some of the more
common security threats on the list I gave you earlier by using these Cisco IOS
Firewall features:
Stateful IOS Firewall inspection engine
This is your perimeter protection feature because it gives your internal users
secure access control on a per-application basis. People often call it Context-
Based Access Control (CBAC).
Intrusion detection
A deep packet inspection tool that lets you monitor, intercept, and respond to
abuse in real time by referencing 102 of the most common attack and intrusion
detection signatures.
Firewall voice traversal
An application-level feature based on the protocol’s understanding of call flow as
well as the relevant open channels. It supports both the H.323v2 and Session
Initiation Protocol (SIP) voice protocols.
ICMP inspection
Basically permits responses to ICMP packets like ping and traceroute that come
6. from inside your firewall while denying other ICMP traffic.
Authentication proxy
A feature that makes users authenticate any time they want to access the
network’s resources through HTTP, HTTPS, FTP, and Telnet. It keeps personal
network access profiles for users and automatically gets them for you from a
RADIUS or TACACS+ server and applies them as well.
Destination URL policy management
A buffet of features that’s commonly referred to as URL Filtering.
Per-user firewalls
These are basically personalized, user-specific, downloadable firewalls obtained
through service providers. You can also get personalized ACLs and other settings
via AAA server profile storage.
Cisco IOS router and firewall provisioning
Allows for no-touch router provisioning, version updates, and security policies.
Denial of service (DoS) detection and prevention
A feature that checks packet headers and drops any packets it finds suspicious.
Dynamic port mapping
A sort of adapter that permits applications supported by firewalls on nonstandard
ports.
Java applet blocking
Protects you from any strange, unrecognized Java applets.
Basic and Advanced Traffic Filtering
You can use standard, extended, even dynamic ACLs like Lock-and-Key
traffic filtering with Cisco’s IOS Firewall. And you get to apply access controls to
any network segment you want. Plus, you can specify the exact kind of traffic you
want to allow to pass through any segment.
Policy-based, multi-interface support
Allows you to control user access by IP address and interface depending on your
security policy.
Network Address Translation (NAT)
Conceals the internal network from the outside, increasing security. (I’ll talk a lot
about NAT in Chapter 13.)
Time-based access lists
Determine security policies based upon the exact time of day and the particular
7. day of the week.
Peer router authentication
Guarantees that routers are getting dependable routing information from actual,
trusted sources. (For this to work, you need a routing protocol that supports
authentication, like RIPv2, EIGRP, or OSPF.)