© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod5_L3 1 Implementing Secure Converged Wide Area Networks (ISCW)

Posted on 21-Dec-2015


Page 1:

Implementing Secure Converged Wide Area Networks (ISCW)

Page 2:

Lesson 3 – Module 5 – ‘Cisco Device Hardening’

Network Attack Using Intelligence

Page 3:

Module Introduction

The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data and that the data does not end up being accessed by the wrong people.

Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Page 4:

Objectives

At the completion of this third lesson, you will be able to:

Describe the difference between virus, trojan and worm threats

Show how these threats are propagated

Explain techniques for dealing with these threats

Describe system software that can aid in defending and mitigating against host machine attacks

Page 5:

End Station (Host) Vulnerabilities

Host machines are particularly vulnerable to attack if not adequately protected. The main threats are:

Viruses

Trojan horse attacks

Worms

Page 6:

Viruses

A computer virus is a malicious computer program (executable file) that can copy itself and infect a computer without the permission or knowledge of the user. The original may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus.

A virus can only spread from one computer to another when its host is taken to an uninfected computer, for instance by a user sending it over a network as a file or as an email payload, or carrying it on a removable medium such as a ‘floppy’ disk, USB disk (‘memory stick’), or CD / DVD.

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages.

Source: Wikipedia – Computer virus

Page 7:

Trojan Horse

A Trojan horse is a program that, unlike a virus, contains or installs a malicious program: the payload or ‘trojan’.

Trojan horses may appear to be useful or interesting programs, or at the very least harmless to an unsuspecting user, but are actually harmful when executed.

There are two common types of Trojan horse:

One is otherwise useful software that has been corrupted by a hacker inserting malicious code that executes while the program is used.

The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into the misdirected complicity needed to carry out the program's objectives.

Page 8:

Worms

A computer worm is a self-replicating executable computer program. It uses a network to send copies of itself to other hosts (‘end-user’ machines on the network) and it may do so without any user intervention.

Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.

Page 9:

Malicious software containment

Viruses and Trojan horses can be contained by:

Effective use of antivirus software

Keeping up to date with the latest developments in these methods of attacks

Keeping up to date with the latest antivirus software and application versions

Implementing host-based intrusion prevention systems (for example, Cisco Security Agent)

Page 10:

Worm Attack, Mitigation and Response

The anatomy of a worm attack has three parts:

The enabling vulnerability: A worm installs itself on a vulnerable system

Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets

Payload: Once the worm infects the device, the attacker has access to the host – often as a privileged user. Attackers use a local exploit to escalate their privilege level to administrator.

Page 11:

Worm attack mitigation

Worm attack mitigation requires diligence on the part of system and network administration staff.

Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident.

Recommended steps for worm attack mitigation:

Containment: Contain the spread of the worm into your network and within your network. Compartmentalise uninfected parts of your network.

Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.

Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.

Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Page 12:

Worm attack response

A typical incident response methodology for worms has six steps:

1. Preparation: Acquire the resources to respond

2. Identification: Identify the worm

3. Classification: Classify the type of worm

4. Traceback: Trace the worm back to the attack’s origin

5. Reaction: Isolate and repair the affected systems

6. Post mortem: Document and analyse the process that you used for future use

Page 13:

Application Layer Attacks and Mitigation

Application layer attacks have the following characteristics:

They exploit well-known weaknesses, such as those in protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP)

They often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall)

They can never be completely eliminated because new vulnerabilities are always being discovered

Page 14:

Netcat

Netcat is a tool that reads from or writes to arbitrary TCP/UDP connections, relays TCP connections, and can act as a TCP/UDP server.

    #nc -h
    connect to somewhere:   nc [-options] hostname port[s] [ports] ...
    listen for inbound:     nc -l -p port [-options] [hostname] [port]
    options:
            -g gateway      source-routing hop point[s], up to 8
            -G num          source-routing pointer: 4, 8, 12, ...
            -i secs         delay interval for lines sent, ports scanned
            -l              listen mode, for inbound connects
            -n              numeric-only IP addresses, no DNS
            -o file         hex dump of traffic
            -p port         local port number
            -r              randomize local and remote ports
            -s addr         local source address
            -u              UDP mode
            -v              verbose [use twice to be more verbose]
    port numbers can be individual or ranges: lo-hi [inclusive]

Page 15:

Netcat Example

Page 16:

Mitigation of Application Layer Attacks

Measures you can take to reduce risks include:

Read operating system and network log files or have the files analysed by log analysis applications

Subscribe to mailing lists that publicise vulnerabilities

Keep all operating systems and applications current with the latest patches

Use IDS/IPS that can scan for known attacks, monitor and log attacks, and, in some cases, prevent attacks

Page 17:

Configuration Management protocols

Configuration management protocols include SSH, SSL and Telnet, the last of which is insecure

Whichever is chosen for remote access to the managed device, ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged

Ideally use secure management protocols when configuring all network devices. Protocols, such as Telnet and SNMPv2, must be made secure by protecting the data with IPsec

The access lists should permit management access, such as SSH or HTTPS, only from the legitimate management hosts

Also implement RFC 3704 filtering at the ingress router to reduce the chance of an attacker from outside the network spoofing the addresses of the management hosts
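One way to act on the "deny and log" requirement above, and on the log-file analysis recommended earlier for application layer attacks, is to parse the ACL log messages a Cisco IOS router emits for entries configured with log-input. The Python below is an added example, not part of the Cisco course material; the log lines, the management host list, the internal prefix, the outside interface name and the ACL name MGMT-IN are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Cisco IOS ACL log messages (log-input form); not from the course.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 203.0.113.9(40211) (Serial0/0 0011.2233.4455) -> 10.0.0.1(22), 1 packet
%SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 10.0.0.50(51002) (Serial0/0 0011.2233.4455) -> 10.0.0.1(22), 3 packets
%SEC-6-IPACCESSLOGP: list MGMT-IN permitted tcp 10.0.0.10(50120) (FastEthernet0/1 00aa.bbcc.ddee) -> 10.0.0.1(22), 1 packet
%SEC-6-IPACCESSLOGP: list MGMT-IN permitted tcp 10.0.0.77(50333) (FastEthernet0/1 00aa.bbcc.ddee) -> 10.0.0.1(443), 2 packets
%SEC-6-IPACCESSLOGP: list MGMT-IN denied udp 198.51.100.7(1025) (Serial0/0 0011.2233.4455) -> 10.0.0.1(161), 12 packets
"""

MGMT_HOSTS = {ipaddress.ip_address("10.0.0.10")}      # assumed legitimate management stations
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space
OUTSIDE_IFACES = {"Serial0/0"}                        # assumed Internet-facing interface
MGMT_PORTS = {22: "SSH", 23: "Telnet", 161: "SNMP", 443: "HTTPS"}

LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) \((?P<iface>\S+) [0-9a-f.]+\) "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

def analyse(log_text):
    """Return (findings, packets_per_source) for traffic aimed at management ports.
    Finding kinds: DENIED_MGMT_ATTEMPT (the ACL worked; alert on volume),
    SPOOFED_INTERNAL_SRC (internal source seen on the outside interface, the RFC 3704 case),
    ACL_GAP (a non-management host got through; the ACL needs fixing)."""
    findings = []
    per_source = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dport = int(m["dport"])
        if dport not in MGMT_PORTS:
            continue
        service = MGMT_PORTS[dport]
        per_source[str(src)] += int(m["count"])
        spoofed = m["iface"] in OUTSIDE_IFACES and any(src in net for net in INTERNAL_NETS)
        if spoofed:
            findings.append(("SPOOFED_INTERNAL_SRC", str(src), service))
        elif m["action"] == "denied":
            findings.append(("DENIED_MGMT_ATTEMPT", str(src), service))
        elif src not in MGMT_HOSTS:
            findings.append(("ACL_GAP", str(src), service))
    return findings, per_source
```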

Page 18:

Management Protocols

These management protocols can be compromised:

SNMP: The community string information for simple authentication is sent in plaintext.

syslog: Data is sent as plaintext between the managed device and the management host.

TFTP: Data is sent as plaintext between the requesting host and the TFTP server.

NTP: Many NTP servers on the Internet do not require any authentication of peers.

Page 19:

Management Protocol Best Practices

The following two slides summarise the best practices to be followed when implementing a secure management solution

Recommendations for the correct use of SNMP tools include:

Configure SNMP with only read-only community strings

Set up access control on the device you want to manage via SNMP to allow access by only the appropriate management hosts

Use SNMP version 3. This version provides secure access to devices through a combination of authenticating and encrypting management packets over the network

Page 20:

Management Protocol Best Practices

Syslog: Encrypt syslog traffic within an IPsec tunnel. Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices outside a firewall. Implement ACLs on the firewall to allow syslog data from only the managed devices themselves to reach the management hosts.

TFTP: When possible, encrypt TFTP traffic within an IPsec tunnel in order to reduce the chance of interception.

NTP: Implement your own master clock for private network synchronisation. Use NTP version 3 or above because these versions support a cryptographic authentication mechanism between peers. NTP v3 is currently supported by most vendors, including Cisco Systems. The latest version 4 is not defined by any RFC and therefore not widely supported.

Use ACLs that specify which network devices are allowed to synchronise with other network devices.
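To show what the cryptographic authentication mechanism between NTP v3 peers consists of, here is an added Python example (not Cisco course material and not a complete NTP implementation). It builds a 48-byte NTPv3 client header, appends the key ID plus MD5(key || header) authenticator that NTP symmetric-key authentication uses, and verifies received packets against an assumed key table, refusing unauthenticated, unknown-key, tampered and pre-v3 packets.

```python
import hashlib
import hmac
import struct

# Assumed key table shared between the peers (key ID -> secret); constructed for this example.
TRUSTED_KEYS = {42: b"example-shared-secret"}

NTP_EPOCH_OFFSET = 2208988800      # seconds between 1900-01-01 and the Unix epoch
HEADER_LEN, AUTH_LEN = 48, 4 + 16  # fixed header; key ID (4 bytes) + MD5 digest (16 bytes)


def build_header(transmit_secs, version=3, stratum=2, poll=6, precision=-20):
    """Build a minimal NTP header in client mode; only the transmit timestamp is filled in."""
    li_vn_mode = (0 << 6) | (version << 3) | 3              # leap=0, version, mode=3 (client)
    return (struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
            + bytes(12)                                     # root delay, root dispersion, ref ID
            + bytes(24)                                     # reference, origin, receive timestamps
            + struct.pack("!II", transmit_secs + NTP_EPOCH_OFFSET, 0))


def sign(header, key_id, key):
    """Append the symmetric-key authenticator: key ID followed by MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet, keys=TRUSTED_KEYS):
    """Return (accepted, reason). Anything without a valid authenticator is refused."""
    if len(packet) < HEADER_LEN + AUTH_LEN:
        return False, "no authenticator"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:HEADER_LEN + AUTH_LEN]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, digest):           # constant-time comparison
        return False, "bad digest"
    if ((header[0] >> 3) & 0x7) < 3:                        # the slides require v3 or above
        return False, "NTP version below 3"
    return True, "ok"
```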

Page 21:

Determining Vulnerabilities and Threats

There are several tools and techniques that can be used to find vulnerabilities in your network

Once any vulnerabilities have been identified, mitigation steps can be considered and utilised as appropriate

Some common tools include:

Blue’s PortScanner

Wireshark (formerly Ethereal)

Microsoft Baseline Security Analyzer

Nmap

Page 22:

Blue’s Port Scanner

Blue’s Port Scanner is a fast network scanner that can scan over 300 ports per second on an NT or Windows 2000 machine. It comes with a Windows XP-style interface, and offers TCP and UDP scanning as well as an Anti-Flood function.

http://www.securityconfig.com/software/specializedscanners/blues_port_scanner.html

Page 23:

Wireshark (Ethereal)

Wireshark is the world's foremost network protocol analyser, and is the standard in many industries. It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.


http://www.wireshark.org/about.html

Page 24:

Microsoft Baseline Security Analyzer

Page 25:

Nmap

Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing.

It is designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Nmap runs on most types of computers and both console and graphical versions are available.

Nmap is free and open source
