CCNA Security Chapter 1
Viruses, Worms, and Trojan Horse
The primary vulnerabilities for end-user computers are virus, worm, and Trojan Horse attacks:
- Viruses = Malicious software which attaches to another program to execute a specific unwanted function on a computer.
- Worm = Executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.
- Trojan Horse = An application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end user computer from within.
Viruses
Malicious code that is attached to legitimate programs or executable files:
- Most viruses require end-user activation and can lie dormant for an extended period, then activate at a specific time or date.
- A simple virus may install itself at the first line of code in an executable file.
- Viruses can be harmless, such as those that display a picture on the screen, or destructive, such as those that delete files on the hard drive.
Worms
A particularly dangerous type of hostile code. Worms replicate themselves by independently exploiting vulnerabilities in the network.
- A virus requires a host program to run; worms can run by themselves.
- Worms do not require user participation and can spread very quickly over the network.
Worm attacks: three major components
- Enabling vulnerability = A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan) on a vulnerable system.
- Propagation mechanism = After gaining access to a device, the worm replicates itself and locates new targets.
- Payload = Any malicious code that results in some action. Most often this is used to create a backdoor on the infected host.
Five phases of attack
- Probe phase = Vulnerable targets are identified. The goal is to find computers that can be subverted.
- Penetrate phase = Exploit code is transferred to the vulnerable target. The goal is to get the target to execute the exploit code through an attack vector.
- Persist phase = After the attack is successfully launched in the memory, the code tries to persist on the target system. The goal is to ensure that the attacker code is running and available to the attacker even if the system reboots.
- Propagate phase = The attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines.
- Paralyze phase = Actual damage is done to the system. Files can be erased, systems can crash, information can be stolen.
Trojan Horse
A Trojan Horse is malware that carries out malicious operations under the guise of a desired function. It contains hidden, malicious code that exploits the privileges of the user that runs it.
Trojan Horses are classified according to the damage they cause to the system:
- Remote-access Trojan Horse - Enables unauthorized remote access
- Data sending Trojan Horse - Provides the attacker with sensitive data such as passwords
- Destructive Trojan Horse - Corrupts or deletes files
- Proxy Trojan Horse - User's computer functions as a proxy server
- FTP Trojan Horse - Opens port 21
- Security software disabler Trojan Horse - Stops antivirus programs or firewalls from functioning
- Denial of Service Trojan Horse - Slows or halts network activity
Mitigating Viruses, Worms, and Trojan Horses
A mitigation technique is referred to in the security community as a "countermeasure".
The primary means of mitigating virus and Trojan Horse attacks is antivirus software.
Worm mitigation requires diligence and coordination on the part of network security professionals. The response to a worm infection can be broken down into four phases:
- Containment = Compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems.
- Inoculation = Runs parallel to or subsequent to the containment phase. During the inoculation phase, all uninfected systems are patched with the appropriate vendor patch for the vulnerability.
- Quarantine = Tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. Isolates these systems appropriately for the treatment phase.
- Treatment = Actively infected systems are disinfected of the worm. This can involve terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system.
Attack Methodologies
CCNA Security classifies attacks in three major categories:
- Reconnaissance Attacks = Involve the unauthorized discovery and mapping of systems, services, or vulnerabilities. Reconnaissance attacks often employ the use of packet sniffers and port scanners.
- Access Attacks = Exploit known vulnerabilities in authentication services, FTP services, confidential databases, etc. Access attacks often employ dictionary attacks.
- Denial of Service Attacks = Send extremely large numbers of requests over a network or the Internet. These excessive requests cause the target device to become unavailable for legitimate access and use.
Reconnaissance Attacks
Reconnaissance is also known as information gathering. The attacks use various tools to gain access to a network:
- Packet sniffer
- Ping sweeps
- Port scans
- Internet information queries
Packet Sniffer
A software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
Promiscuous mode causes the network controller to pass all traffic it receives to the CPU rather than only the frames the controller is intended to receive.
A packet sniffer can only work within the same collision domain.
Tools : Wireshark
Ping Sweep
A basic network scanning technique that determines which range of IP addresses map to live hosts.
Tools : nmap
Port Scan
Scans a range of TCP and UDP port numbers on a host to detect listening services.
Tools : nmap
Internet information queries
Reveal information such as who owns a particular domain and what addresses have been assigned to that domain. They can also reveal who owns a particular IP address and which domain is associated with the address.
Tools : http://whois.net/
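The ping sweeps and port scans described above leave a recognisable trace in firewall or flow logs: one source touching many hosts with ICMP, or many ports on one host. The detector below is an added example, not course material or any Cisco product's logic; the log line format, the thresholds, and the addresses (192.0.2.77 as the scanner, 10.1.1.0/24 as the protected LAN) are assumptions made for this example.

```python
"""Detect ping sweeps and port scans in firewall log lines.

Added example, not from the CCNA Security course. Log format, thresholds
and addresses are assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample log: "<time> <proto> <src> -> <dst>:<dport>" (ICMP echo
# requests carry dport 0). Not captured traffic; 192.0.2.77 plays the scanner.
def build_sample_log():
    lines = []
    # Ping sweep: one source probes 12 consecutive addresses
    for i in range(1, 13):
        lines.append(f"10:00:0{min(i, 9)} ICMP 192.0.2.77 -> 10.1.1.{i}:0")
    # Port scan: the same source then probes 15 well-known ports on one host
    for port in (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389):
        lines.append(f"10:00:15 TCP 192.0.2.77 -> 10.1.1.5:{port}")
    # Benign traffic: one ping and a few HTTPS connections from inside hosts
    lines.append("10:00:20 ICMP 10.1.1.21 -> 10.1.1.1:0")
    for _ in range(4):
        lines.append("10:00:21 TCP 10.1.1.20 -> 10.1.1.5:443")
    return "\n".join(lines)

PING_SWEEP_HOSTS = 8    # distinct hosts pinged by one source before alerting
PORT_SCAN_PORTS = 10    # distinct ports probed on one host by one source before alerting

def parse_line(line):
    """Split one log line into its fields; raises ValueError on a malformed line."""
    time, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    host, port = dst.rsplit(":", 1)
    return {"time": time, "proto": proto, "src": src, "dst": host, "dport": int(port)}

def detect_recon(log_text, sweep_threshold=PING_SWEEP_HOSTS, scan_threshold=PORT_SCAN_PORTS):
    icmp_targets = defaultdict(set)    # src -> hosts it sent echo requests to
    ports_probed = defaultdict(set)    # (src, dst) -> destination ports touched
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] == "ICMP":
            icmp_targets[rec["src"]].add(rec["dst"])
        else:
            ports_probed[(rec["src"], rec["dst"])].add(rec["dport"])
    findings = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_threshold:
            findings.append({"type": "ping_sweep", "src": src, "count": len(hosts)})
    for (src, dst), ports in ports_probed.items():
        if len(ports) >= scan_threshold:
            findings.append({"type": "port_scan", "src": src, "dst": dst, "count": len(ports)})
    return findings

if __name__ == "__main__":
    for finding in detect_recon(build_sample_log()):
        print(finding)
```

The thresholds are deliberately per-source and per-(source, host) so that a busy but legitimate client talking to one service on one port never trips either rule; in production the same counters would be kept over a sliding time window rather than the whole log.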
Access Attacks
Hackers use access attacks on networks or systems for three reasons: retrieve data, gain access, and escalate access privileges.
There are five types of access attacks:
- Password attacks = An attacker attempts to guess system passwords, using methods such as:
  - Brute-force
  - Trojan Horse
  - Packet sniffer
- Trust exploitation = An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromising the target.
- Port redirection = A compromised system is used as a jump-off point for attacks against other targets. An intrusion tool is installed on the compromised system for session redirection.
- Man-in-the-middle attack = An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties.
- Buffer overflow = A program writes data beyond the allocated buffer memory. Buffer overflows usually arise as a consequence of a bug in a C or C++ program. A result of the overflow is that valid data is overwritten or exploited to enable the execution of malicious code.
Denial of Service Attack
A DoS attack is a network attack that results in some sort of interruption of service to users, devices, or applications.
DoS attacks occur for two major reasons:
- A host or application fails to handle an unexpected condition.
- A network, host, or application is unable to handle an enormous quantity of data.
Three common DoS attacks:
- Ping of Death = A hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. Sending a ping of this size can crash the target computer.
- Smurf Attack = A perpetrator sends a large number of ICMP requests to directed broadcast addresses, all with spoofed source addresses on the same network as the respective directed broadcast.
- TCP SYN Flood = A flood of TCP SYN packets is sent, often with a forged sender address. Each packet is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP SYN-ACK and waiting for a response from the sender address.
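Each of the three attacks above has a concrete signature a defender can check for: a fragment whose offset plus length would reassemble past 65,535 bytes, echo requests aimed at a subnet's directed broadcast address, and a listener accumulating SYNs that are never followed by the third handshake packet. The detector below is an added example rather than course material or any IPS product's logic; the packet record layout, the protected subnet 10.1.1.0/24, the 20-byte header assumption, and the SYN threshold are assumptions made for this example, and the packet records are constructed, not captured.

```python
"""Flag Ping of Death, Smurf and TCP SYN flood patterns in packet records.

Added example, not from the CCNA Security course. The record layout, the
protected subnet and the thresholds are assumptions made for this example.
"""
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network("10.1.1.0/24")]  # assumed protected subnet
MAX_IP_DATAGRAM = 65535      # largest IP datagram the 16-bit total-length field allows
IP_HEADER_LEN = 20           # header size assumed (no IP options)
SYN_FLOOD_THRESHOLD = 20     # unanswered SYNs on one listener before alerting

def pkt(proto, src, dst, **fields):
    rec = {"proto": proto, "src": src, "dst": dst}
    rec.update(fields)
    return rec

def build_sample_packets():
    """Constructed records, not captured traffic."""
    packets = []
    # Ping of Death: final fragment placed so that 8190*8 + 1480 + 20 = 67020 bytes > 65535
    packets.append(pkt("ICMP", "198.51.100.9", "10.1.1.10", icmp_type=8, frag_offset=8190, payload_len=1480))
    # Smurf: echo requests to the directed broadcast 10.1.1.255, source spoofed as the victim 10.1.1.10
    for _ in range(5):
        packets.append(pkt("ICMP", "10.1.1.10", "10.1.1.255", icmp_type=8, frag_offset=0, payload_len=56))
    # SYN flood: 30 SYNs to 10.1.1.20:80 from forged sources that never complete the handshake
    for i in range(1, 31):
        packets.append(pkt("TCP", f"203.0.113.{i}", "10.1.1.20", dport=80, flags="S"))
    # Benign: one handshake that completes, and one ordinary ping
    packets.append(pkt("TCP", "10.1.1.30", "10.1.1.20", dport=80, flags="S"))
    packets.append(pkt("TCP", "10.1.1.30", "10.1.1.20", dport=80, flags="A"))
    packets.append(pkt("ICMP", "10.1.1.30", "10.1.1.1", icmp_type=8, frag_offset=0, payload_len=56))
    return packets

def is_directed_broadcast(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in LOCAL_NETS)

def detect_dos(packets, syn_threshold=SYN_FLOOD_THRESHOLD):
    findings = []
    smurf_hits = defaultdict(int)   # (src, dst) -> echo requests aimed at a broadcast
    half_open = defaultdict(set)    # (dst, dport) -> sources with an unanswered SYN
    for p in packets:
        if p["proto"] == "ICMP":
            # Reassembled size = fragment offset (8-byte units) + this fragment's payload + header
            if p["frag_offset"] * 8 + p["payload_len"] + IP_HEADER_LEN > MAX_IP_DATAGRAM:
                findings.append({"type": "ping_of_death", "src": p["src"], "dst": p["dst"]})
            if p["icmp_type"] == 8 and is_directed_broadcast(p["dst"]):
                smurf_hits[(p["src"], p["dst"])] += 1
        elif p["proto"] == "TCP":
            key = (p["dst"], p["dport"])
            if p["flags"] == "S":
                half_open[key].add(p["src"])
            elif "A" in p["flags"]:
                half_open[key].discard(p["src"])   # third handshake step seen
    for (src, dst), n in smurf_hits.items():
        findings.append({"type": "smurf", "src": src, "dst": dst, "count": n})
    for (dst, dport), sources in half_open.items():
        if len(sources) >= syn_threshold:
            findings.append({"type": "syn_flood", "dst": dst, "dport": dport, "half_open": len(sources)})
    return findings

if __name__ == "__main__":
    for finding in detect_dos(build_sample_packets()):
        print(finding)
```

The Smurf check only fires for echo requests to a broadcast address of a subnet the detector knows about, which is why the local prefixes are configured rather than guessed; on a Cisco router the corresponding preventive control is disabling directed broadcasts on the interface.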
Mitigating Network Attacks
Reconnaissance attacks can be mitigated in several ways:
- Implement authentication to ensure proper access.
- Use encryption to render packet sniffer attacks useless.
- Use anti-sniffer tools to detect packet sniffer attacks.
- Implement a switched infrastructure.
- Use a firewall and IPS.
Mitigate access attacks in several ways:
- Strong password security
- Principle of minimum trust
- Cryptography
- Applying operating system and application patches
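"Strong password security" against the password-guessing attacks listed earlier means more than a long password: credentials should be stored as salted, slow hashes, and repeated failures should trigger a quiet period during which logins are refused. The class below is an added example, not course material or IOS code; its lockout semantics are an assumption modelled loosely on the IOS `login block-for <seconds> attempts <n> within <seconds>` behaviour, and the account, password and timestamps are constructed.

```python
"""Lock out logins after repeated failures, in the spirit of IOS 'login block-for'.

Added example, not from the CCNA Security course. The lockout semantics are
an assumption modelled loosely on 'login block-for <secs> attempts <n> within
<secs>'; the account and timings are constructed.
"""
import hashlib
import hmac
import os
from collections import deque

def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-SHA256; store this, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class LoginGuard:
    def __init__(self, credentials, block_for=120, attempts=3, within=60):
        self.credentials = credentials     # user -> (salt, pbkdf2 hash)
        self.block_for = block_for         # seconds of quiet period after too many failures
        self.attempts = attempts           # failures that trigger the quiet period
        self.within = within               # window (seconds) in which failures are counted
        self.failures = deque()            # timestamps of recent failures, all sources together
        self.blocked_until = -1

    def attempt(self, now, user, password):
        if now < self.blocked_until:
            return "blocked"               # quiet period: every login is refused
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()        # forget failures outside the window
        entry = self.credentials.get(user)
        if entry is not None:
            salt, stored = entry
            if hmac.compare_digest(hash_password(password, salt), stored):
                return "success"
        # Unknown user and wrong password are treated alike, so usernames cannot be enumerated
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.blocked_until = now + self.block_for
            self.failures.clear()
            return "blocked"
        return "failed"

def make_credentials():
    """Constructed demo account with a random per-user salt."""
    salt = os.urandom(16)
    return {"admin": (salt, hash_password("correct horse battery staple", salt))}

def run_demo():
    guard = LoginGuard(make_credentials())
    return [
        guard.attempt(0, "admin", "password"),                          # failed
        guard.attempt(1, "admin", "admin"),                             # failed
        guard.attempt(2, "admin", "cisco"),                             # blocked: 3rd failure within 60 s
        guard.attempt(10, "admin", "correct horse battery staple"),     # blocked: still in quiet period
        guard.attempt(130, "admin", "correct horse battery staple"),    # success: quiet period over
    ]
```

Note that the quiet period refuses even a correct password, which is the intended trade-off: a guessing attack is throttled to a handful of attempts per window, at the cost of a short delay for a legitimate operator.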
Mitigate DoS Attack:
- IPS and firewalls
- Antispoofing technologies
- Quality of Service – traffic policing
Cisco Network Foundation Protection (NFP) framework
NFP logically divides routers and switches into three functional areas:
- Control Plane = Responsible for routing data correctly. Control plane traffic consists of device-generated packets required for the operation of the network itself such as ARP message exchanges or OSPF routing advertisements.
- Management Plane = Responsible for managing network elements. It is generated either by network devices or network management stations using processes and protocols.
- Data Plane = Responsible for forwarding data.
Control plane
Control plane security can be implemented using the following features:
- Cisco AutoSecure - Provides a one-step device lockdown feature to protect the control plane as well as the management and data planes. It is a script that is initiated from the CLI to configure the security posture of routers. The script disables nonessential system processes and services. It first makes recommendations to address security vulnerabilities and then modifies the router configuration.
- Routing protocol authentication - Routing protocol authentication prevents a router from accepting fraudulent routing updates.
- Control Plane Policing (CoPP) - CoPP is a Cisco IOS feature designed to allow users to control the flow of traffic that is handled by the route processor of a network device.
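Routing protocol authentication works by having neighbours share a key and attach a keyed digest to every update, together with a sequence number so that a captured update cannot simply be played back later. The simulation below is an added example, not course material and not any routing protocol's real wire format; HMAC-SHA-256 over a JSON body, the key, the neighbour name and the prefixes are all assumptions chosen to show the idea.

```python
"""Keyed-digest authentication of routing updates with a sequence number.

Added example, not from the CCNA Security course and not any routing
protocol's real wire format. HMAC-SHA-256 over a JSON body with a
cryptographic sequence number is an assumption chosen to show the idea.
"""
import hashlib
import hmac
import json

def _body(seq, update):
    """Canonical bytes covered by the digest: sequence number plus the update."""
    return json.dumps({"seq": seq, "update": update}, sort_keys=True).encode()

def sign_update(key, seq, update):
    """Sender side: attach a keyed digest covering the sequence number and the update."""
    mac = hmac.new(key, _body(seq, update), hashlib.sha256).hexdigest()
    return {"seq": seq, "update": update, "mac": mac}

class Router:
    def __init__(self, key):
        self.key = key
        self.last_seq = {}   # neighbor -> highest sequence number accepted
        self.routes = {}     # prefix -> next hop

    def receive(self, neighbor, msg):
        expected = hmac.new(self.key, _body(msg["seq"], msg["update"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad digest"       # forged or tampered update
        if msg["seq"] <= self.last_seq.get(neighbor, -1):
            return "rejected: replayed"         # validly signed, but not newer than the last one
        self.last_seq[neighbor] = msg["seq"]
        self.routes[msg["update"]["prefix"]] = msg["update"]["next_hop"]
        return "accepted"

def run_demo():
    shared_key = b"constructed-demo-key"       # constructed; real keys come from key chains
    r2 = Router(shared_key)
    legit = sign_update(shared_key, 1, {"prefix": "10.2.0.0/16", "next_hop": "10.0.0.1", "metric": 10})
    results = [r2.receive("R1", legit)]
    # An update signed with the wrong key: the digest does not verify
    forged = sign_update(b"guess", 2, {"prefix": "10.2.0.0/16", "next_hop": "10.0.0.66", "metric": 1})
    results.append(r2.receive("R1", forged))
    # A captured legitimate update with its next hop altered: the digest no longer matches
    tampered = dict(legit, update=dict(legit["update"], next_hop="10.0.0.66"))
    results.append(r2.receive("R1", tampered))
    # The captured legitimate update delivered again unchanged: sequence number is not newer
    results.append(r2.receive("R1", legit))
    return results, dict(r2.routes)
```

The routing table ends up holding only the genuine next hop, which is the whole point of the feature: without the digest a router would accept any update that arrives on the right interface.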
Management plane
Management plane security can be implemented using the following features:
- Login and password policy - Restricts device accessibility. Limits the accessible ports and restricts the "who" and "how" methods of access.
- Present legal notification - Displays legal notices. These are often developed by legal counsel of a corporation.
- Ensure the confidentiality of data - Protects locally stored sensitive data from being viewed or copied. Uses management protocols with strong authentication to mitigate confidentiality attacks aimed at exposing passwords and device configurations.
- Role-based access control (RBAC) - Ensures access is only granted to authenticated users, groups, and services. RBAC and authentication, authorization, and accounting (AAA) services provide mechanisms to effectively manage access control.
- Authorize actions - Restricts the actions and views that are permitted by any particular user, group, or service.
- Enable management access reporting - Logs and accounts for all access. Records who accessed the device, what occurred, and when it occurred.
Data plane
Data plane security can be implemented using the following features:
- ACLs
- Antispoofing
- Layer 2 security including port security, DHCP snooping, dynamic ARP inspection (DAI)
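ACLs and antispoofing on the data plane come down to first-match rule lists applied per interface: traffic entering from the Internet must not claim an internal or reserved source address, and traffic leaving the LAN must carry a source from the LAN's own prefix. The filter below is an added example, not course material and not IOS ACL syntax; the internal prefix 10.1.1.0/24, the interface names and the bogon list are assumptions made for this example.

```python
"""Ingress/egress antispoofing filter with ACL-style first-match semantics.

Added example, not from the CCNA Security course and not IOS ACL syntax.
The inside prefix, the interface names and the bogon list are assumptions.
"""
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")      # assumed internal prefix
# Source prefixes that should never arrive from the Internet (private, loopback, link-local, multicast)
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_acls(inside_net=INSIDE_NET):
    """Ordered (action, prefix) rules per interface; unmatched packets hit the implicit deny."""
    return {
        # Inbound on the outside interface: drop packets claiming an internal or bogon source
        "outside": [("deny", inside_net)] + [("deny", b) for b in BOGONS] + [("permit", ANY)],
        # Inbound on the inside interface: only our own prefix may leave (egress filtering)
        "inside": [("permit", inside_net)],
    }

def filter_packet(acls, interface, src):
    ip = ipaddress.ip_address(src)
    for action, net in acls[interface]:
        if ip in net:
            return action          # first match wins, as in an IOS ACL
    return "deny"                  # implicit deny at the end of every ACL

def run_demo():
    """Constructed test packets, keyed by (ingress interface, source address)."""
    acls = build_acls()
    cases = [
        ("outside", "10.1.1.5"),       # Internet packet spoofing an inside address
        ("outside", "192.168.1.1"),    # Internet packet with a private (bogon) source
        ("outside", "198.51.100.7"),   # ordinary Internet source
        ("inside", "10.1.1.5"),        # LAN host with its own address
        ("inside", "203.0.113.4"),     # LAN host spoofing an outside address
    ]
    return {case: filter_packet(acls, *case) for case in cases}

if __name__ == "__main__":
    for (iface, src), verdict in run_demo().items():
        print(f"{iface:8} {src:15} -> {verdict}")
```

Rule order matters in the same way it does on a router: the inside-prefix deny sits before the catch-all permit, and the inside interface relies on the implicit deny rather than an explicit deny-any entry.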
Reference:
1) CCNA Security, Cisco Networking Academy