This chapter covers the following topics:
Exploring security fundamentals:
This section explains the need for network security and discusses the elements of a secure network. Additionally, legal and ethical considerations are discussed.
Understanding the methods of network attacks:
This section makes you aware of various threats targeting the security of your network and describes specific attacks that could be launched against a network.
As networks grow and interconnect with other networks, including the Internet, those networks are exposed to a greater number of security risks. Not only does the number of potential attackers grow along with the size of the network, but the tools available to those potential attackers are always increasing in terms of sophistication.
Understanding Network Security Principles
This chapter begins by broadly describing the necessity of network security and what should be in place in a secure network. Legal ramifications are addressed. Also, this chapter walks you through several specific types of attacks that could threaten your network. Finally, you are provided with a list of best-practice recommendations for mitigating such attacks.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you determine your level of knowledge of this chapter’s topics before you begin. Table 1-1 details the major topics discussed in this chapter and their corresponding quiz questions.
Table 1-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section | Questions
Exploring Security Fundamentals | 1 to 6
Understanding the Methods of Network Attacks | 7 to 15
Where do most attacks on an organization’s computer resources originate?
From the Internet
From the inside network
From intruders who gain physical access to the computer resources
What are the three primary goals of network security? (Choose three.)
The U.S. government places classified data into which classes? (Choose three.)
Cisco defines three categories of security controls: administrative, physical, and technical. Individual controls within these categories can be further classified as what three specific types of controls? (Choose three.)
Litigators typically require which three of the following elements to present an effective argument when prosecuting information security violations? (Choose three.)
Which type of law typically involves the enforcement of regulations by government agencies?
Which of the following is a weakness in an information system that an attacker might leverage to gain unauthorized access to the system or data on the system?
What type of hacker attempts to hack telephony systems?
White hat hacker
Which of the following is a method of gaining access to a system that bypasses normal security measures?
Creating a back door
Launching a DoS attack
Starting a Smurf attack
Conducting social engineering
What security design philosophy uses a layered approach to eliminate single points of failure and provide overlapping protection?
Defense in Depth
What are two types of IP spoofing attacks? (Choose two.)
What term refers to the electromagnetic interference (EMI) that can radiate from network cables?
What kind of integrity attack is a collection of small attacks that result in a larger attack when combined?
Hijacking a session
Which of the following best describes a Smurf attack?
It sends ping requests to a subnet, requesting that devices on that subnet send ping replies to a target system.
It sends ping requests in segments of an invalid size.
It intercepts the third step in a TCP three-way handshake to hijack a session.
It uses Trojan horse applications to create a distributed collection of “zombie” computers, which can be used to launch a coordinated DDoS attack.
Which of the following are Cisco best-practice recommendations for securing a network? (Choose three.)
Deploy HIPS software on all end-user workstations.
Routinely apply patches to operating systems and applications.
Disable unneeded services and ports on hosts.
Require strong passwords, and enable password expiration.
Foundation Topics: Exploring Security Fundamentals
A “secure network” is a moving target. As new vulnerabilities and new methods of attack are discovered, a relatively unsophisticated user can potentially launch a devastating attack against an unprotected network. This section begins by describing the challenges posed by the current security landscape. You will learn about the three primary goals of security: confidentiality, integrity, and availability.
This section also explains traffic classification and security controls. You will learn how to respond to a security violation and consider the legal and ethical ramifications of network security.
Why Network Security Is a Necessity
Network attacks are evolving in their sophistication and in their ability to evade detection. Also, attacks are becoming more targeted and have greater financial consequences for their victims.
Types of Threats
Connecting a network to an outside network (for example, the Internet) introduces the possibility that outside attackers will exploit the network, perhaps by stealing network data or by impacting the network’s performance (for example, by introducing viruses). However, even if a network were disconnected from any external network, security threats (in fact, most of the probable security threats) would still exist.
Specifically, according to the Computer Security Institute (CSI) in San Francisco, California, approximately 60 to 80 percent of network misuse incidents originate from the inside network. Therefore, although network isolation is rarely feasible in today’s e-business environment, even physical isolation from other networks does not ensure network security.
Based on these factors, network administrators must consider both internal and external threats.
Network security threats originating inside a network tend to be more serious than external threats. Here are some reasons for the severity of internal threats:
Inside users already have knowledge of the network and its available resources.
Inside users typically have some level of access granted to them because of the nature of their job.
Traditional network security mechanisms such as Intrusion Prevention Systems (IPS) and firewalls are ineffective against much of the network misuse originating internally.
Because external attackers probably do not have intimate knowledge of a network, and because they do not already possess access credentials, their attacks tend to be more technical in nature. For example, an attacker could perform a ping sweep on a network to identify IP addresses that respond to the series of pings. Then, those IP addresses could be subjected to a port scan, in which open services on those hosts are discovered. The attacker could then try to exploit a known vulnerability to compromise one of the discovered services on a host. If the attacker gains control of the host, he could use that as a jumping-off point to attack other systems in the network.
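As an added example (not from the chapter), the following Python shows the defender's side of the reconnaissance sequence just described: it reads constructed firewall-style log lines and flags a source that pings many distinct hosts (ping sweep) or probes many distinct ports on one host (port scan). The log format, the documentation-range addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed firewall log lines: time src dst proto dport (not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:01 198.51.100.7 10.0.0.1 icmp -
2024-01-01T10:00:01 198.51.100.7 10.0.0.2 icmp -
2024-01-01T10:00:01 198.51.100.7 10.0.0.3 icmp -
2024-01-01T10:00:02 198.51.100.7 10.0.0.4 icmp -
2024-01-01T10:00:02 198.51.100.7 10.0.0.5 icmp -
2024-01-01T10:00:09 198.51.100.7 10.0.0.3 tcp 22
2024-01-01T10:00:09 198.51.100.7 10.0.0.3 tcp 25
2024-01-01T10:00:09 198.51.100.7 10.0.0.3 tcp 80
2024-01-01T10:00:09 198.51.100.7 10.0.0.3 tcp 443
2024-01-01T10:00:10 198.51.100.7 10.0.0.3 tcp 3389
2024-01-01T10:00:10 198.51.100.7 10.0.0.3 tcp 8080
2024-01-01T10:00:30 10.0.0.50 10.0.0.3 tcp 443
2024-01-01T10:00:31 10.0.0.50 10.0.0.3 tcp 443
"""

SWEEP_HOSTS = 5   # assumed threshold: distinct hosts pinged by one source
SCAN_PORTS = 6    # assumed threshold: distinct ports probed on one host

def parse(log: str):
    """Yield (src, dst, proto, dport) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, proto, dport = parts
        yield src, dst, proto, dport

def detect(log: str, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return alerts: ('ping_sweep', src, hosts) or ('port_scan', src, dst, ports)."""
    pinged = defaultdict(set)   # src -> set of hosts it sent ICMP to
    probed = defaultdict(set)   # (src, dst) -> set of ports tried
    for src, dst, proto, dport in parse(log):
        if proto == "icmp":
            pinged[src].add(dst)
        elif proto in ("tcp", "udp"):
            probed[(src, dst)].add(dport)
    alerts = []
    for src, hosts in pinged.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, len(hosts)))
    for (src, dst), ports in probed.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, dst, len(ports)))
    return alerts
```

The legitimate host 10.0.0.50, which repeatedly contacts a single port, produces no alert.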
Fortunately, network administrators can mitigate many of the threats posed by external attackers. In fact, the majority of this book is dedicated to explaining security mechanisms that can defeat most external threats.
Scope of the Challenge
The “2007 CSI/FBI Computer Crime and Security Survey” is a fascinating document that provides insight into trends in network attacks from 2004 to 2007. A copy of this document can be downloaded from http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf.
As an example of the information contained in this document, Figure 1-1 shows the average number of security incidents reported by 208 respondents for the years 2004 to 2007. Notice that the percentage of respondents reporting more than 10 incidents in a year dramatically increased in 2007.
Figure 1-1 Incidents in the Past 12 Months (Source: “2007 CSI/FBI Computer Crime and Security Survey”)
The following is a further sampling of information contained in the survey:
The average financial loss from computer crime/security incidents increased from $168,000 in 2006 to $350,424 in 2007.
Of the survey respondents who reported one or more attacks, 18 percent of those attacks were “targeted” attacks (that is, an attack not targeting the general population).
Before the 2007 report, viruses were the leading contributor to financial losses for seven years in a row. However, in the 2007 report, viruses fell to the second leading cause of financial losses, with financial fraud rising to the number one factor.
Nonsecured Custom Applications
The vast majority (approximately 75 percent) of network attacks target specific applications, as opposed to lower-layer attacks. One reason attacks have become more targeted is the trend of attackers to be more motivated by profit, rather than by the fame or notoriety generated by creating a virus, for example. Unfortunately, because many organizations use custom applications (often not written with security in mind), these applications can be prime attack targets.
Attacks on custom applications are not as preventable as attacks on “well-known” applications, which periodically release security patches and updates. Another concern for some organizations is complying with regulatory mandates about protecting company data (for example, customer credit card information).
The Three Primary Goals of Network Security
For most of today’s corporate networks, the demands of e-commerce and customer contact require connectivity between internal corporate networks and the outside world. From a security standpoint, two basic assumptions about modern corporate networks are as follows:
Today’s corporate networks are large, interconnect with other networks, and run both standards-based and proprietary protocols.
The devices and applications connecting to and using corporate networks are continually increasing in complexity.
Because almost all (if not all) corporate networks require network security, consider the three primary goals of network security:
Data confidentiality implies keeping data private. This privacy could entail physically or logically restricting access to sensitive data or encrypting traffic traversing a network. A network that provides confidentiality would do the following, as a few examples:
Use network security mechanisms (for example, firewalls and access control lists [ACL]) to prevent unauthorized access to network resources.
Require appropriate credentials (for example, usernames and passwords) to access specific network resources.
Encrypt traffic such that an attacker could not decipher any traffic he captured from the network.
Data integrity ensures that data has not been modified in transit. Also, a data integrity solution might perform origin authentication to verify that traffic is originating from the source that should be sending it.
Examples of integrity violations include
Modifying the appearance of a corporate website
Intercepting and altering an e-commerce transaction
Modifying financial records that are stored electronically
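As an added example (not part of the chapter), the following Python shows how a keyed hash (HMAC-SHA256) gives both properties described above: the receiver detects data modified in transit, and it rejects data that was not produced by the holder of the shared key, which is the origin authentication step. The shared key and the sample transaction are constructed.

```python
import hashlib
import hmac

# Constructed shared key for the demo; real keys are provisioned out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # SHA-256 digest length in bytes

def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append an HMAC-SHA256 tag so the receiver can check integrity and origin."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag

def verify(frame: bytes, key: bytes = SHARED_KEY):
    """Return (ok, message); ok is False if the frame was altered or keyed differently."""
    if len(frame) < TAG_LEN:
        return False, b""
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # constant-time comparison avoids leaking how many tag bytes matched
    return hmac.compare_digest(tag, expected), message

def demo():
    """Exercise the three cases: genuine, altered in transit, forged without the key."""
    order = b"transfer 100.00 to account 12345"
    frame = protect(order)
    ok_genuine, _ = verify(frame)
    # Altering the amount in transit keeps the length but breaks the tag.
    ok_tampered, _ = verify(frame.replace(b"100.00", b"900.00"))
    # A sender without SHARED_KEY cannot produce a tag the receiver accepts.
    ok_forged, _ = verify(protect(order, key=b"attacker-guess"))
    return ok_genuine, ok_tampered, ok_forged
```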
The availability of data is a measure of the data’s accessibility. For example, if a server were down only five minutes per year, it would have an availability of 99.999 percent (that is, “five nines” of availability).
Here are a couple of examples of how an attacker could attempt to compromise the availability of a network:
He could send improperly formatted data to a networked device, resulting in an unhandled exception error.
He could flood a network system with an excessive amount of traffic or requests. This would consume the system’s processing resources and prevent the system from responding to many legitimate requests. This type of attack is called a denial-of-service (DoS) attack.
Different data requires varying levels of security (for example, based on the data’s sensitivity). Therefore, organizations often adopt a data classification system to categorize data. Each category can then be treated with a specific level of security. However, sometimes this data classification is not just a convenience. Sometimes organizations are legally required to protect certain classifications of data.
Although no single standard exists for data classification, organizations often benefit from examining classification models commonly used by government and many businesses.
Government and Military Classification Model
Table 1-2 provides an example of a data classification model, which is used by multiple governments and militaries.