Chapter 1: Understanding Network Security Principles

Cisco Press

  • Physical vulnerabilities, such as fire, earthquake, or tornado

  • Weaknesses in a system’s design

  • Weaknesses in the protocol(s) used by a system

  • Weaknesses in the code executed by a system

  • Suboptimal configuration of system parameters

  • Malicious software (for example, a virus)

  • Human vulnerabilities (whether intentional or unintentional)

For example, consider human vulnerabilities. Because most attacks against information systems are launched by people on the “inside,” controls should be set up to prevent the intentional or unintentional misuse of information systems.

Social engineering is an example of unintentional misuse. To illustrate this concept, consider a situation in which an outside attacker calls a receptionist. The attacker pretends to be a member of the company’s IT department, and he convinces the receptionist to tell him her username and password. The attacker then can use those credentials to log into the network.

To prevent a single inside user from accidentally or purposefully launching an attack, some organizations require that two users enter their credentials before a specific act can be carried out, much like two keys being required to launch a missile.

Also, many employees are focused on accomplishing a particular task. If stringent security procedures seem to stand in their way, the employees might circumvent any safeguards to, in their minds, be more productive. Therefore, user education is a critical component of any organizational security policy.

Potential Attackers

Another element of defending your data is identifying potential attackers who might want to steal or manipulate that data. For example, a company might need to protect its data from corporate competitors, terrorists, employees, and hackers, to name just a few.

The term “hacker” is often used very generically to describe attackers. However, not all hackers have malicious intent.

Table 1-5 lists various types of “hackers.”

Table 1-5 Types of Hackers

Type of “Hacker”

Description
White hat hacker

A white hat hacker has the skills to break into computer systems and do damage. However, he uses his skills to help organizations. For example, a white hat hacker might work for a company to test the security of its network.

Black hat hacker

A black hat hacker, also known as a “cracker,” uses his skills for unethical reasons (for example, to steal funds).

Gray hat hacker

A gray hat hacker can be thought of as a white hat hacker who occasionally strays and acts unethically. For example, a gray hat hacker might be employed as a legitimate network security tester. However, in the course of his ethical duties, he finds an opportunity for personal gain and acts unethically to obtain that personal gain.

Phreaker

A phreaker is a hacker of a telecommunications system. For example, a phreaker known as “Captain Crunch” used a toy whistle he found in a box of Captain Crunch cereal (which generated a 2600-Hz tone) to trick phone systems into letting him place free long distance calls. Convincing a telecommunications carrier to permit free long distance calls in this manner is an example of “phreaking.”

Script kiddy

A script kiddy is a user who lacks the skills of a typical hacker. Instead of writing his own programs, he downloads hacking utilities and uses them to launch attacks.

Hacktivist

A hacktivist is a hacker with political motivations, such as someone who defaces the website of a political candidate.

Computer security hacker

A computer security hacker is knowledgeable about the technical aspects of computer and network security systems. For example, this person might attempt to attack a system protected by an IPS by fragmenting malicious traffic in a way that would go undetected by the IPS.

Academic hacker

An academic hacker typically is an employee or student at an institution of higher education. The academic hacker uses the institution’s computing resources to write “clever” programs. Typically, these hackers use their real names (unlike the pseudonyms often used by computer security hackers), and they tend to focus on open-standards-based software and operating systems (for example, Linux).

Hobby hacker

A hobby hacker tends to focus on home computing. He might modify existing hardware or software to, for example, use software without a legitimate license. For example, code that “unlocks” an Apple iPhone might be the work of a hobby hacker.

As shown in Table 1-5, “hackers” come in many flavors, which leads to the question, “What motivates a hacker?” Some hackers might work for governments to try to gather intelligence from other governments. Some attackers seek financial gain through their attacks. Other hackers simply enjoy the challenge of compromising a protected information system.

This book details several specific attacks that an attacker can launch. However, at this point, you should be familiar with five broad categories of attacks:

  • Passive: A passive attack is difficult to detect, because the attacker isn’t actively sending traffic (malicious or otherwise). An example of a passive attack is an attacker capturing packets from the network and attempting to decrypt them (if the traffic was encrypted originally).

  • Active: An active attack is easier to detect, because the attacker is actively sending traffic that can be detected. An attacker might launch an active attack in an attempt to access classified information or to modify data on a system.

  • Close-in: A close-in attack, as the name implies, occurs when the attacker is in close physical proximity with the target system. For example, an attacker can bypass password protection on some routers, switches, and servers if he gains physical access to those devices.

  • Insider: An insider attack occurs when legitimate network users leverage their credentials and knowledge of the network in a malicious fashion.

  • Distribution: Distribution attacks intentionally introduce “back doors” to hardware or software systems at the point of manufacture. After these systems have been distributed to a variety of customers, the attacker can use his knowledge of the implanted back door to, for example, access protected data, manipulate data, or make the target system unusable by legitimate users.

The Mind-set of a Hacker

Hackers can use a variety of tools and techniques to “hack” into a system (that is, gain unauthorized access to a system). Although these methods vary, the following steps illustrate one example of a hacker’s methodical process for hacking into a system:

Step 1

Learn more about the system by performing reconnaissance. In this step, also known as “footprinting,” the hacker learns all he can about the system. For example, he might learn the target company’s domain names and the range of IP addresses it uses. He might perform a port scan to see what ports are open on a target system.

Step 2

Identify applications on the system, as well as the system’s operating system. Hackers can use various tools to attempt to connect to a system, and the prompt they receive (for example, an FTP login prompt or a default web page) could provide insight into the system’s operating system. Also, the previously mentioned port scan can help identify applications running on a system.

Step 3

Gain access to the system. Social engineering is one of the more popular ways to obtain login credentials. For example, public DNS records provide contact information for a company’s domain name. A hacker might be able to use this information to convince the domain administrator to reveal information about the system. For example, the hacker could pretend to be a representative of the service provider or a government agency. This approach is called pretexting.

Step 4

Log in with obtained user credentials, and escalate the hacker’s privileges. For example, a hacker could introduce a Trojan horse (a piece of software that appears to be a legitimate application but that also performs some unseen malicious function) to escalate his privileges.

Step 5

Gather additional usernames and passwords. With appropriate privileges, hackers can run utilities to create reports of usernames and/or passwords.

Step 6

Configure a “back door.” Accessing a system via a regular username/password might not be how a hacker wants to repeatedly gain access to a system. Passwords can expire, and logins can be logged. Therefore, hackers might install a back door, which is a method of gaining access to a system that bypasses normal security measures.

Step 7

Use the system. After a hacker gains control of a system, he might gather protected information from that system. Alternatively, he might manipulate the system’s data or use the system to launch attacks against other systems with which the system might have an established trust relationship.
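Step 1 names the port scan as a reconnaissance technique; the following added example (not from the book) shows the defender's side, a detector that flags a source address touching many distinct ports on one host within a short window, run over constructed firewall log lines in a made-up format.

```python
# Added example (not from the book): flags a source that touches many distinct
# destination ports on one host within a short window, the port scan named in step 1.
# The log line format below is constructed for this example, not a vendor's syntax.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 -> 192.0.2.10:22 DENY
2024-01-10T09:00:01 203.0.113.7 -> 192.0.2.10:23 DENY
2024-01-10T09:00:02 203.0.113.7 -> 192.0.2.10:25 DENY
2024-01-10T09:00:02 203.0.113.7 -> 192.0.2.10:80 ALLOW
2024-01-10T09:00:03 203.0.113.7 -> 192.0.2.10:110 DENY
2024-01-10T09:00:03 203.0.113.7 -> 192.0.2.10:143 DENY
2024-01-10T09:00:04 203.0.113.7 -> 192.0.2.10:443 ALLOW
2024-01-10T09:00:04 203.0.113.7 -> 192.0.2.10:3389 DENY
2024-01-10T09:00:05 203.0.113.7 -> 192.0.2.10:8080 DENY
2024-01-10T09:00:06 203.0.113.7 -> 192.0.2.10:8443 DENY
2024-01-10T09:00:07 198.51.100.4 -> 192.0.2.10:443 ALLOW
2024-01-10T09:05:00 198.51.100.4 -> 192.0.2.10:80 ALLOW
"""

def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) for one constructed log line."""
    ts, src, _arrow, dst, _action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=8):
    """Return {(src, dst): sorted ports} for pairs hitting >= threshold ports within window."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[(src, dst)].append((ts, port))
    alerts = {}
    for pair, attempts in events.items():
        attempts.sort()
        start = 0
        for end, (ts, _port) in enumerate(attempts):
            # Slide the window start forward until it spans at most `window`.
            while ts - attempts[start][0] > window:
                start += 1
            ports = {p for _, p in attempts[start:end + 1]}
            # Keep the widest set of ports seen for a flagged pair.
            if len(ports) >= threshold and len(ports) > len(alerts.get(pair, ())):
                alerts[pair] = sorted(ports)
    return alerts
```

The sliding window keeps a legitimate client that uses a few ports over a long period from being flagged, while a burst of distinct ports from one source stands out.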

Defense in Depth

Because a security solution is only as strong as its weakest link, network administrators are challenged to implement a security solution that protects a complex network. As a result, rather than deploying a single security solution, Cisco recommends multiple, overlapping solutions. These overlapping solutions target different aspects of security, such as securing against insider attacks and securing against technical attacks. These solutions should also be subjected to routine testing and evaluation. Security solutions should also overlap in a way that eliminates any single point of failure.

Defense in Depth is a design philosophy that achieves this layered security approach. The layers of security present in a Defense in Depth deployment should provide redundancy for one another while offering a variety of defense strategies for protecting multiple aspects of a network. Any single points of failure in a security solution should be eliminated, and weak links in the security solution should be strengthened.

The Defense in Depth design philosophy includes recommendations such as the following:

  • Defend multiple attack targets in the network.

    • Protect the network infrastructure.

    • Protect strategic computing resources, such as by deploying a Host-based Intrusion Prevention System (HIPS).

  • Create overlapping defenses. For example, include both Intrusion Detection System (IDS) and IPS protections.

  • Let the value of a protected resource dictate the strength of the security mechanism. For example, deploy more resources to protect a network boundary than to protect an end-user workstation.

  • Use strong encryption technologies, such as AES (as opposed to DES) or Public Key Infrastructure (PKI) solutions.

Consider the sample Defense in Depth topology shown in Figure 1-2. Notice the two e-mail servers—external and internal. The external e-mail server acts as an e-mail relay to the internal e-mail server. Therefore, an attacker attempting to exploit an e-mail vulnerability would have to compromise both e-mail servers to affect the internal corporate e-mail.

Also notice the use of a Network-based Intrusion Detection System (NIDS), a Network Intrusion Prevention System (NIPS), and a Host-based Intrusion Prevention System (HIPS). All three of these mitigation strategies look for malicious traffic and can alert or drop such traffic. However, these strategies are deployed at different locations in the network to protect different areas of the network. This overlapping yet diversified protection is an example of the Defense in Depth design philosophy.

However, if all security solutions in a network were configured and managed by a single management station, that management station could be a single point of failure: an attacker who compromised it could defeat the other security measures.

Figure 1-2 Defense in Depth

In the “Potential Attackers” section you read about five classes of attacks; Table 1-6 provides examples of overlapping defenses for each of these classes.

Table 1-6  Defending Against Different Classes of Attacks

Attack Class | Primary Layer of Defense | Secondary Layer of Defense
[missing] | Applications with integrated security | Firewall at the network edge
[missing] | Protecting against unauthorized physical access | [missing]
[missing] | Protecting against unauthorized physical access | Video monitoring systems
Distribution | Secured software distribution system | Real-time software integrity checking

Understanding IP Spoofing

Attackers can launch a variety of attacks by initiating an IP spoofing attack. An IP spoofing attack causes an attacker’s IP address to appear to be a trusted IP address. For example, if an attacker convinces a host that he is a trusted client, he might gain privileged access to a host. The attacker could also capture traffic, which might include credentials such as usernames and passwords. As another example, you might be familiar with denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. The perpetrators of such attacks might use IP spoofing to help conceal their identities.

To understand how an IP spoofing attack is possible, consider the operation of IP and TCP. At Layer 3, the attacker can easily modify his packets to make the source IP address appear to be a “trusted” IP address. However, TCP, operating at Layer 4, can be more of a challenge.

From your early studies of TCP, you might recall that a TCP session is established using a three-way handshake:

  1. The originator sends a SYN segment to the destination, along with a sequence number.

  2. The destination sends an acknowledgment (an ACK) of the originator’s sequence number along with the destination’s own sequence number (a SYN).

  3. The originator sends an ACK segment to acknowledge the destination’s sequence number, after which the TCP communication channel is open between the originator and destination.

Figure 1-3 illustrates the TCP three-way handshake process.

Figure 1-3 TCP Three-Way Handshake
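The following added example (not from the book) models the three-way handshake above to show why spoofing a source address at Layer 3 is not enough at Layer 4: the SYN-ACK carrying the server's initial sequence number goes to the spoofed address, so step 3 can only be completed by a sender that either really sits at that address or can predict the number. The class and function names are constructed for the example.

```python
# Added example (not from the book): a minimal model of the TCP three-way handshake
# showing why spoofing the source IP at Layer 3 is not enough at Layer 4. The SYN-ACK
# carrying the server's initial sequence number (ISN) is routed to the spoofed address,
# so a sender who is not at that address never learns the value step 3 must acknowledge.
# All class and function names here are constructed for this example.
import secrets

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

class TcpListener:
    """Server side of the handshake; tracks half-open connections by client address."""
    def __init__(self, isn_source=None):
        # An unpredictable ISN is the defence; default to a CSPRNG.
        self._isn_source = isn_source or (lambda: secrets.randbelow(MOD))
        self.half_open = {}       # client addr -> server ISN sent in the SYN-ACK
        self.established = set()

    def on_syn(self, client_addr, client_seq):
        """Step 1 -> step 2: record state and return the SYN-ACK as (ack_num, server_isn)."""
        server_isn = self._isn_source()
        self.half_open[client_addr] = server_isn
        return (client_seq + 1) % MOD, server_isn

    def on_ack(self, client_addr, ack_num):
        """Step 3: accept only if ack_num is server_isn + 1 for this client address."""
        server_isn = self.half_open.get(client_addr)
        if server_isn is None or ack_num != (server_isn + 1) % MOD:
            return False
        del self.half_open[client_addr]
        self.established.add(client_addr)
        return True

def honest_handshake(listener, client_addr, client_isn=1000):
    """A client that really owns client_addr receives the SYN-ACK and can complete step 3."""
    _ack_num, server_isn = listener.on_syn(client_addr, client_isn)
    return listener.on_ack(client_addr, (server_isn + 1) % MOD)

def blind_spoofed_handshake(listener, spoofed_addr, guessed_ack, client_isn=1000):
    """A sender forging spoofed_addr never sees the SYN-ACK and can only guess its ISN."""
    listener.on_syn(spoofed_addr, client_isn)   # reply goes to spoofed_addr, not the sender
    return listener.on_ack(spoofed_addr, guessed_ack)
```

With a random 32-bit ISN a blind guess succeeds with probability about one in four billion; with a fixed or predictable ISN the same guess succeeds every time, which is why modern stacks randomize it.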
