The Internet and Its Uses

Accessing the WAN – Chapter 4
Red Book – Chapter 4
Sandra Coleman, CCNA, CCAI
Identify security threats to enterprise
Describe methods to mitigate security
threats to enterprise networks
Configure basic router security
Disable unused router services and
Use the Cisco SDM one-step lockdown
Manage files and software images with the
Cisco IOS Integrated File System (IFS)
If the network’s security is compromised, serious consequences could occur,
such as loss of privacy, theft of information, and even legal liability. Types of threats
to networks are always evolving. Attackers can launch attacks from various
Increasing use of wireless and mobile computing demands that security
solutions become seamlessly integrated, more transparent, and more flexible.
Go to section
Check out the graphic here… WOW…
Does this surprise you?
Most commonly reported acts of computer crimes:
*Insider abuse of network access
Mobile device theft
IM misuse
*Denial of Service
*Password sniffing
*System penetration
Unauthorized access to information….the list goes on… (pg. 193-194)
*can be alleviated by effective network management!
Over time, attackers’ methods and
tools have improved, and attackers are no longer
required to have an intimate knowledge of
People who would not previously have
participated in computer crime now can.
•A closed network
provides connectivity only
to known, trusted parties,
and sites.
•No connectivity to public
•Still has internal threats.
•Most expensive to
• Any service is permitted
•Easy to configure and
•Easy for end users to
access network
•Less expensive to
•Vulnerabilities – degree of weakness of
networking devices (routers, switches, etc.)
Can include employees who are subject to
social-engineering attacks.
•Technological weaknesses (pg. 200)
•Configuration Weaknesses (pg 201)
•Security Policy weaknesses (pg 201-2)
•Physical Infrastructure
• Hardware threats – theft or vandalism
•Environmental threats – temp. & Humidity
•Electrical threats –Brown-outs, Spikes, etc
•Maintenance threats – ESD, lack of spare
parts, poor cabling, poor labeling
To solve some of these problems, limit physical access to servers,
equipment. Use security cameras to monitor them. Monitor
temperature and humidity. UPS use can help with electrical threats.
Label cable runs, use properly installed cable. Controlling access to
console ports is also important.
Unstructured – inexperienced individuals using hacking tools.
Hacking a website…etc.
Structured – Technically competent people who are highly
motivated. They know the vulnerabilities and how to exploit
them. They commit fraud, alter records, and create havoc.
External – OUTSIDE of the company. DO NOT have
authorized access to equipment.
Internal – WITHIN the company. A disgruntled employee or
one with a criminal intent on destruction.
Social Engineering – easiest attack. Trick someone into giving
out valuable information. Preys on personal vulnerabilities.
May include fake documents.
• Phishing – using e-mail to trick you into providing sensitive info. The
phisher appears to be a trusted party and seeks access to credit card
info, passwords, etc. See pg. 205. Training users is the best defense.
Reconnaissance – unauthorized
discovery and mapping of systems,
services, or vulnerabilities. Like a thief
casing a neighborhood to see which
house is the most approachable.
e.g. internet information queries, ping
sweeps, port scans, packet sniffers.
Access – someone gains access to a
device for which he has no username or
password, e.g. password attacks, rainbow
tables, brute force.
Denial of Service – networks are
disabled or corrupted with the intent to
deny services to intended users. MOST
Malicious Code Attacks – worm – infects
memory of a PC and replicates; virus –
software that performs an unwanted
function; Trojan horse – disguised
Examples include – nslookup, whois utilities.
These are designed to gain a public IP
address for a corp., and then a ping sweep
tool is used to see which IPs are vulnerable.
Fping or gping – pings all IP addresses in a
given range.
Once IP addresses are discovered, a port
scanner can be used to discern which network
ports can be exploited. Nmap, Superscan.
Eavesdropping – accumulate as much info as
possible for information or for theft purposes
(credit card #’s)
Password attacks – packet sniffers can capture passwords
sent in clear text. A brute-force attack searches for a
password using a combination of characters to compute
every possible password.
• Trust exploitation – compromise a trusted host and
use it to stage attacks on other hosts. (pg. 210)
• Port Redirection – use a compromised host to pass
traffic through a firewall that would otherwise be
blocked. (pg. 211) Devices in the DMZ should NOT be
fully trusted by internal devices and their access
should be authenticated!
• Man-in-the-middle – intruders position themselves
between 2 legitimate hosts and periodically manipulate
traffic. Can occur in the WAN using VPNs.
DoS – rendering a system unavailable by corrupting the
services with intent to deny trusted users access. Can be
physically disconnecting, crashing the system, or slowing
it down so much that it is unusable. Most feared attack!
• Ping of Death – modifying size of ping packet from 64 to
65,535 bytes. Can bring legacy systems DOWN.
• SYN flood attacks – exploit the TCP 3-way handshake. Sending
lots of SYN requests (1000’s) and never responding with an
ACK until the target eventually runs out of resources.
• E-mail bombs – sending bulk emails which monopolizes email
• Malicious applets – Java, JavaScript, ActiveX programs that tie
up computer resources.
Smurf attack
Tribe Flood Network (TFN)
How to stop DoS/DDoS attacks?
• Implement antispoof and anti-DoS ACLs. ISPs
can implement traffic rate policies.
A worm executes code and installs
copies of itself in the memory of the
infected computer, which can, in
turn, infect other hosts.
A virus is malicious software that is
attached to another program for the
purpose of executing a particular
unwanted function on a
Host- and Server-based Security – Device Hardening – involves changing
default settings on the OS. The default level of security is inadequate. Here are
some of the things to do:
Change default usernames/passwords IMMEDIATELY
Restrict access to system resources to authorized personnel only
Turn off or uninstall unnecessary services and applications
Configure system logging and tracking
Antivirus Software
Personal firewalls
OS Patches – download frequently
Intrusion Detection Systems (IDS) – detects
attacks and logs them to a management console.
Adaptive Security
1st – develop a security policy that
enables appropriate security
- Identify the organization’s
security objectives
- Document resources to be
- Identify network
infrastructure with maps/inventories
- Identify critical resources
that need to be protected (R & D,
financial, etc.)
1) SECURE – Device-hardening,
antivirus, IPS, OS patches, traffic
filtering, disabling unnecessary
Active – audit host-level log
files, CHECK these files
Passive – IDS devices to
detect intrusion. Detects them in
real-time and
respond before any damage is done!
Verify that SECURE
measures are implemented from
step 1
3) Test –
Security measures are
proactively tested. Step 1 & 2 are
verified. Vulnerability tools such as
SATAN, Nessus, and Nmap are useful
Adjust IDS to strategically
implement any changes that were
detected in
steps 1 & 2. Adjust the security
policy as necessary when risks are
This cycle must be continuously
repeated, because new risks and
vulnerabilities emerge every day!
What is a security policy?
Formal statement of the rules by which people who
are given access to an organization’s technology and
information assets must abide.
Characteristics of a security Policy
- Defines acceptable and unacceptable use of resources
- Communicates consensus and defines roles
- Defines how to handle security incidents
Secure passwords by encrypting
them. This command encrypts ALL
Passwords: DO NOT write down passwords! Avoid dictionary words, names,
phone #’s, and dates. Deliberately misspell a word. Use lengthy passwords
(min of 8 chars). Change passwords often. Use passphrases – see below
Simple encryption – type 7 – uses a simple
encryption algorithm
• Can be used on enable, user, and line passwords. Not
as secure as type 5, but better than nothing.
Complex encryption – type 5 – uses MD5 hash
• Used when using the secret command for passwords.
• e.g. enable secret class – when displayed using show
run shows up as encrypted.
Min password length – security passwords min-length command
Some routing protocols use passwords – i.e.
ip ospf message-digest-key 1 md5 cisco – sets a key that is used to authenticate routing
Commands - (pg. 253)
1) no service tcp-small-servers – disables echo, discard,
and chargen services
2) no service udp-small-servers - ditto from above
3) no ip http server - disables use of HTTP
4) no cdp run – disables use of CDP
By default, all queries are broadcast (
No authentication or integrity assurance is provided
For routers
Turn off DNS lookup – no ip domain-lookup
Give routers a name – hostname name
Use ip name-server command to set an explicit name to ip address
Benefits of this:
1) Ability to instantly disable nonessential system processes and
2) Allows the admin to configure
security policies w/out having to
understand all of the IOS software
Web-based device-management
tool designed for configuring LAN,
WAN, and security features on
Cisco IOS software based routers.
Can be installed on PC or router,
but better on PC because it saves
router memory and allows you to
manage ALL routers on the
1. Get to router’s CLI
2. Enable HTTP and HTTPS on
3. Create a user acct defined with
privilege level of 15 (enable
4. Configure SSH and Telnet for
local login and privilege level 15
See the top of pg. 267 in book for a
list of the commands to do this.
To start SDM, use the HTTPS protocol and enter the
router’s IP address into the browser window. This will launch the initial web
page for SDM.
A dialog box that requests a username and
password will then prompt you. Enter the user that we
talked about in the previous step with privilege 15.
1. Use the Security Audit Wizard to find and fix configuration changes that
may leave your network vulnerable.
Periodically, the router requires updates to be loaded to
either the operating system or the configuration file.
• These updates are necessary to fix known security
vulnerabilities, support new features that allow more
advanced security policies, or improve performance
• Naming convention for IOS – (pg. 282)
• C1841-ipbase-mz.123-14.t7.bin
• C1841 – platform (cisco 1841 router)
• ipbase – feature set (basic IP networking image…there are
• mz – where the image runs and if it is compressed. (RAM,
• 123-14.T7 – version #
• bin – file extension (binary executable)
Router#copy tftp flash:
Address or name of remote host []?
Make sure you can ping the TFTP server from the router…there has to be
Make sure you have enough flash memory for the new image…
Router#show flash (will show you memory for flash)
If you try to load or restore an image using TFTP and you get %Error opening tftp,
the router is unable to connect to the TFTP server. Make sure the TFTP server
software has been started!
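Before running copy tftp flash:, the filename can be checked against the naming convention above and the image size against free flash. This is an added example, not from the original slides; the reading of 123-14.T7 as 12.3(14)T7 and of the format letters (m = runs from RAM, z = zip compressed) follows the usual IOS convention, and the sizes and the second platform name are constructed values.

```python
import re

# platform-featureset-format.version.bin, as laid out in the notes above
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9_]+)-(?P<fmt>[a-z]+)"
    r"\.(?P<ver>\d{3})-(?P<maint>\d+)(?:\.(?P<train>[a-z]+)(?P<rebuild>\d*))?\.bin$",
    re.IGNORECASE,
)
RUNS_FROM = {"m": "RAM", "f": "flash", "r": "ROM", "l": "relocatable"}

def parse_image_name(name):
    """Split an IOS image filename into the fields of the naming convention."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError("not in platform-featureset-format.version.bin form")
    ver = m["ver"]  # assumption: "123" means major 12, minor 3
    version = f"{ver[:2]}.{ver[2]}({m['maint']})"
    if m["train"]:
        version += m["train"].upper() + m["rebuild"]
    fmt = m["fmt"].lower()
    return {
        "platform": m["platform"].lower(),
        "feature_set": m["features"].lower(),
        "runs_from": RUNS_FROM.get(fmt[0], "unknown"),
        "zip_compressed": "z" in fmt[1:],  # other compression letters are not decoded
        "version": version,
    }

def precheck(name, router_platform, image_bytes, flash_free_bytes):
    """Return reasons not to start the copy; an empty list means go ahead."""
    try:
        info = parse_image_name(name)
    except ValueError as err:
        return [str(err)]
    problems = []
    if info["platform"] != router_platform.lower():
        problems.append(f"image is for {info['platform']}, router is {router_platform}")
    if image_bytes > flash_free_bytes:
        problems.append("not enough free flash for this image")
    return problems

if __name__ == "__main__":
    print(parse_image_name("C1841-ipbase-mz.123-14.t7.bin"))
    # Sizes below are constructed values, not taken from a real device.
    print(precheck("C1841-ipbase-mz.123-14.t7.bin", "c2811", 14_000_000, 8_000_000))
```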
We have used various show and debug commands during
these last 3 or 4 semesters… Here are a few pointers
1) Debug – use it carefully…it gets CPU priority. With debug,
it is helpful to know what you are looking for before you
2) Show – displays static information. Used to confirm
configuration changes.
Know this!
Connect via the console port
Show version – show current config register
Turn off router – turn router back on and press Break on the keyboard
within 60 seconds.
You will be at rommon> prompt
Change the config register to 0x2142 which will bypass NVRAM when
you re-boot.
Type reset at the prompt
Get into privilege mode
Config t – get into global config mode
Change password – enable secret password
Enter config-register 0x2102 to reset the config register
Copy run start – your password and config register are reset!
Study guide
• Pg. 126 – Matching
• Pg. 128-129 – Configuring Router Passwords
• Pg. 131 – Preparing a router for SDM
• 4-1, pg. 135
Online Test – On until Wed, Feb. 27, midnight!
Test – You will be asked to write a 1-2 page article on
a topic dealing with network security. I will check
for grammar, spelling, and content. This will be
done in class at the next class meeting.