Exploring Network Security Basics and the Need for Network Security

In this section, we examine some of the key principles involved in creating a secure network. We establish building blocks that will be used in formulating an effective security policy. The principles are as follows:

- Open networks and knowledgeable attackers with sophisticated attack methods create the requirement for flexible, dynamic network security policies.

- Examine the CIA triad: confidentiality, integrity, and availability.

- Define data classification categories in the public and private sectors.

- Examine the three top-level types of security controls: administrative, technical, and physical.

- Explore some of the incident response methods when a security breach has occurred.

- List key laws and ethical codes by which INFOSEC professionals are bound.

The following section illustrates how the advent of sophisticated attack methods combined with open networks has resulted in a growing need for network security and flexible security policies, which can be dynamically adjusted to meet this threat.

The Threats

According to Cisco, there are two major categories of threats to network security:

- Internal threats. Examples are network misuse and unauthorized access.

- External threats. Examples are viruses and social engineering.

The most foolproof way of protecting a network against external threats would be to sever its connections to public networks completely. In theory this works; in practice it is not viable, because most businesses require connectivity to public networks such as the Internet in order to conduct e-commerce in today’s connected world. The challenge, therefore, is to strike a balance between three often-competing needs:

- Evolving business requirements

- Freedom of information initiatives

- Protection of data: private, personal, and intellectual property

It is axiomatic in the field of network security that the tradeoff is largely between the first two items, which are necessary for a business or government organization to reach the public, and the last item. Essentially, the battle is fought between these opposing camps—openness vs. security. Often, more security means less openness, and vice versa.

Internal Threats

According to Cisco, internal threats are the most serious, because insiders often have the most intimate knowledge of the network. They leverage that knowledge to achieve security breaches, and they often don’t need to crack passwords because they already have sufficient access.

Insider attacks often render perimeter-focused technical controls ineffective. The problem is exacerbated because human nature dictates that the last place we look for a security breach is within the fortification! We are so busy watching for the enemy climbing the outside walls that we don’t look behind us.

One best practice for hardening systems against internal (as well as external) threats is to follow the system vendor’s hardening recommendations, so that an insider cannot simply rely on default accounts, default settings, or unpatched services to extend the access they already have.

External Threats

External attackers lack the insider’s knowledge and often rely on technical tools to breach your network’s security. Technical tools such as Intrusion Prevention Systems (IPSs), firewalls, and routers with access control lists (ACLs) are usually effective in mitigating an organization’s vulnerability to this type of attack.

Note

Firewalls and ACLs are discussed in Chapter 5, “Using Cisco IOS Firewalls to Implement a Network Security Policy.”

IPSs are discussed in Chapter 8, “Network Security Using Cisco IOS IPS.”

Exam Alert

Know the difference between internal and external threats and how they may be mitigated.

Other Reasons for Network Insecurity

An alarming trend is that as the sophistication of hacker tools has increased, the technical knowledge required to use them has decreased.

According to the 2007 CSI/FBI Computer Crime and Security Survey, organizations reported roughly a two-fold increase in average financial losses while the number of reported attacks fell slightly over the report’s four-year comparison period. Financial fraud has overtaken viruses as the greatest single cause of loss.

Note

The 2007 CSI/FBI Computer Crime and Security Survey can be downloaded from this site, http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf.

In the past, hackers have been motivated as much by notoriety and intellectual challenge as by profit. A disturbing recent trend has been what Cisco calls “custom” threats, which focus on the application layer of the OSI model. These attacks are written to exploit a vulnerability in an organization’s own customized application. Traditional signature-based intrusion detection systems (IDSs) and IPS products will not detect this type of attack, because their signatures describe known, published attacks against widely deployed products; an attack against an in-house application matches no published signature. Even following best practices in testing and regularly applying vendor patches to application servers may prove ineffective, because there is no vendor issuing patches for the in-house code. Compounding the issue is that the applications themselves may have been written by programmers who have little or no formal training in security, let alone an appreciation for the subject. According to Theresa Lanowitz of Gartner Inc., 75 percent of all attacks today are application layer attacks, with three out of four businesses being vulnerable to this type of attack.

Note

You can read more about the emergence of custom threats and their ability to go undetected by traditional signature-based intrusion detection systems (IDSs) and IPS products at this site: http://www.eweek.com/c/a/Security/App-Developers-Need-to-Redouble-Security-Efforts/.
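As an added example (not from the original text or from Cisco’s course material), here is the kind of application-layer flaw the paragraph above describes, written in Python against an in-memory SQLite database. The login routine, the table, and the user row are constructed for illustration, and the password is stored in plaintext purely to keep the example short. The vulnerable version splices user input into the SQL string; the hardened version passes the same input as bound parameters. A network IPS sees only an HTTPS form post in either case, so detection has to come from the code itself or from application-aware controls.

```python
"""Added example: an application-layer flaw in a custom app that no
signature-based IDS/IPS would know about.

The login lookup below is the kind of code the chapter warns about:
written in-house, never seen by a signature vendor. The vulnerable
version builds SQL by string concatenation; the hardened version uses a
parameterized query. The in-memory SQLite database and the user row are
constructed for the example and are not from the original text.
"""
import sqlite3

# Constructed sample data: one ordinary user. Plaintext password storage
# is itself a weakness; it is used here only to keep the example short.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'alice', 'correct horse battery staple');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately flawed: user input is spliced into the SQL text, so a
    quote character in the input changes the structure of the query."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized: the driver sends the values separately from the SQL,
    so the input is always treated as data, never as query syntax."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# The payload looks like ordinary form data to a network sensor; there is
# nothing for a signature written against a known product to match.
INJECTION = "' OR '1'='1"


def compare() -> dict:
    """Run the same inputs through both versions and return the outcomes."""
    conn = make_db()
    return {
        "vuln_good_creds":     login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vuln_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected":       login_vulnerable(conn, "alice", INJECTION),
        "hard_good_creds":     login_hardened(conn, "alice", "correct horse battery staple"),
        "hard_injected":       login_hardened(conn, "alice", INJECTION),
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:20s} {outcome}")
```

Run the file to print the five outcomes. `login_vulnerable` accepts the injected password without ever seeing a correct credential, because the resulting SQL reads `... AND password = '' OR '1'='1'`, while `login_hardened` treats the identical string as a literal (wrong) password.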

The CIA Triad

This section describes the three primary purposes of network security, which are to secure an organization’s data confidentiality, integrity, and availability—the C-I-A triad. Here are some basic definitions:

- Confidentiality. Ensuring that only authorized users have access to sensitive data.

- Integrity. Ensuring that only authorized entities can change sensitive data. May also guarantee origin authentication (see the following note), meaning an assurance that the data originated from an authorized entity (like an individual).

- Availability. Ensuring that systems and the data that they provide access to remain available for authorized users.

Note

Origin authentication is often overlooked in designing a network security architecture. Some texts list authentication, rather than availability, as the “A” in CIA.

A security professional must constantly weigh threats and their likelihood against the cost of the countermeasures that would address them, and that cost against the benefit the countermeasures bring. In the end, someone has to pay for security (more on this later in the chapter), and there must be a solid business case and return on investment (ROI) for the measures implemented.

Let’s look at confidentiality, integrity, and availability separately.

Confidentiality

Confidentiality is often discussed in the context of hiding an organization’s data with encryption technologies—using a Virtual Private Network (VPN), for example. In a broader context, assuring confidentiality involves any method of separating an organization’s data from its adversaries. Here are some other thoughts about confidentiality:

- Confidentiality means that only authorized users can read sensitive data.

- Confidentiality countermeasures provide separation of data from users through the use of:

    - Physical separation

    - Logical separation

Thus, the risk of confidentiality breaches can be minimized by effective enforcement of access control, thereby limiting access to the following:

- Network resources, through the use of VLANs, firewall policies, and physical network separation.

- Files and objects, through the use of operating system-based controls such as Microsoft Active Directory and domain controls, and Unix host security.

- Data, through the use of authentication, authorization, and accounting (AAA) at the application level.

When attackers successfully read sensitive data that they are not authorized to view, a breach has occurred. Such a breach can be very difficult to detect after the fact, because the attacker may have copied the data off the network and worked on it offline with their own tools, leaving little or no trace. This is why much of the focus of network security, in the context of confidentiality, is on preventing the breach in the first place. Virtual Private Networks (VPNs), which encrypt data in transit so that a copy captured from the wire is useless to the attacker, are an example. They are discussed in Chapter 7, “Virtual Private Networks with IPsec.”
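The following is an added example, not code from the original text or from Cisco, of the access-control enforcement just described: a simplified evaluator for Cisco IOS-style extended ACLs, written in Python. It implements the three semantics a practitioner relies on when using router ACLs as a confidentiality control: entries are evaluated top-down, the first match decides, and any packet that matches nothing is dropped by the implicit deny at the end of the list. Wildcard masks follow the IOS convention (a 0 bit must match, a 1 bit is ignored). The policy (`PAYROLL_ACL`), the addresses, and the packets are constructed for illustration.

```python
"""Added example: a simplified Cisco IOS-style extended ACL evaluator.

Rules are evaluated in order, the first match wins, and an unmatched
packet hits the implicit deny at the end of every list. Wildcard masks
follow IOS convention (0 bit = must match, 1 bit = don't care). The ACL
and packets below are constructed for illustration; they are not from
the original text.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Ace:
    """One access control entry: permit|deny proto src wild dst wild [eq port]."""
    action: str
    proto: str                    # "ip" matches any protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: address bits where the mask has a 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; implicit deny if nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"   # the implicit 'deny ip any any' at the end of every IOS ACL


# Constructed policy: the finance VLAN 10.1.20.0/24 may reach the payroll
# server 10.1.100.5 over HTTPS and ping it; one finance host, 10.1.20.99,
# is blocked by an entry that must come FIRST; everyone else is denied
# implicitly.
PAYROLL_ACL: List[Ace] = [
    Ace("deny",   "ip",   "10.1.20.99", "0.0.0.0",   "0.0.0.0",    "255.255.255.255"),
    Ace("permit", "tcp",  "10.1.20.0",  "0.0.0.255", "10.1.100.5", "0.0.0.0", 443),
    Ace("permit", "icmp", "10.1.20.0",  "0.0.0.255", "10.1.100.5", "0.0.0.0"),
]


def decisions() -> Dict[str, str]:
    """Evaluate a handful of constructed packets against PAYROLL_ACL."""
    pkts = {
        "finance_https": Packet("tcp",  "10.1.20.7",  "10.1.100.5", 443),
        "finance_ssh":   Packet("tcp",  "10.1.20.7",  "10.1.100.5", 22),
        "blocked_host":  Packet("tcp",  "10.1.20.99", "10.1.100.5", 443),
        "guest_vlan":    Packet("tcp",  "10.1.30.7",  "10.1.100.5", 443),
        "finance_ping":  Packet("icmp", "10.1.20.7",  "10.1.100.5"),
    }
    return {name: evaluate(PAYROLL_ACL, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:15s} -> {verdict}")
```

Ordering is the classic mistake: if the `permit tcp 10.1.20.0 0.0.0.255 ...` entry were placed above the host-specific deny, 10.1.20.99 would be permitted, because the first match wins and the deny would never be reached. The same principle applies to firewall rule bases and host-based packet filters.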

Integrity

Data integrity guarantees that only authorized entities can change sensitive data. It can also provide for optional authentication in proving that only authorized entities created the sensitive data. This provides for data authenticity. There are a number of methods to ensure data integrity and authenticity including the use of hashing functions and digital signatures. Some of these methods are described in Chapter 6, “Introducing Cryptographic Services,” and will not be discussed here.

Integrity services provide for some guarantee that:

- Data cannot be changed except by authorized users.

- Changes made by unauthorized users can be detected.

Availability

Availability refers to the safeguards that provide for uninterrupted access to data and other computing resources on a network during either accidental or deliberate network or computer disruptions.

Given the complexity of systems and the variety of current attack methods, this is one of the most difficult security services to guarantee. Attacks that prevent legitimate users from accessing system or network resources are called Denial of Service (DoS) attacks.

DoS attacks are usually caused by one of two things:

- A device or an application becomes unresponsive because it is unable to handle an unexpected condition.

- An attack (remember, this can be accidental!) generates a volume of traffic or data that causes a device or application to fail.

DoS attacks are relatively easy to launch, often with freely downloadable tools such as vulnerability assessment tools. There is a fine line between a network probe designed to determine a network’s resilience against various types of attack and an actual DoS attack. Some vulnerability assessment tools even let the user choose whether to enable probes that are known to be dangerous when run against vulnerable networks.

Exam Alert

Know the difference between (C)onfidentiality, (I)ntegrity, and (A)vailability. Understand that confidentiality is protection against unauthorized reading of data. Understand that integrity is protection against unauthorized changes to data, as well as providing for data authenticity. Understand that availability countermeasures provide for uninterrupted access to data.

Data Classification

Proper data classification will indicate what level of confidentiality, integrity, and availability services will be required to safeguard the organization’s data. It recognizes that not all data has the same inherent value, but that the divulgence of some data may even cause embarrassment to an organization. It also helps focus the development of the security policy so that more attention can be given to data that needs the most protection. As well, some laws require that information be classified for an organization to be compliant.

Classification Levels

Classification levels are typically different for private (non-government) and public (government) sectors.

The following are the levels of classification for data in the public sector:

- Unclassified. Data with minimal confidentiality, integrity, or availability requirements; thus, little effort is made to secure it.

- Sensitive but Unclassified (SBU). Data that would cause some embarrassment if revealed, but whose disclosure would not damage national security.

- Confidential. The first level of classified data. This data must comply with confidentiality requirements.

- Secret. Data that requires concerted effort to keep secure. Typically, only a limited number of people are authorized to access this data, certainly fewer than are authorized to access confidential data.

- Top Secret. The greatest effort is used to secure this data and to ensure its secrecy. Only those people with a “need to know” typically have access to data classified at this level.

There are no specific industry standards or definitions for data classification in the private sector. Standards, where they exist, will vary from country to country. That aside, Cisco makes these specific recommendations for data classification in the private sector:

- Public. Data that is often displayed for public consumption, such as that found on public websites and in marketing literature.

- Sensitive. Similar to SBU data in the public-sector model.

- Private. Data that is important to the organization and whose safeguarding is required for legal compliance. Some effort is exerted to maintain both the secrecy (confidentiality) and accuracy (integrity) of the data.

- Confidential. The greatest effort is taken to safeguard this data. Trade secrets, intellectual property, and personnel files are examples of data commonly classified as confidential.

Classification Criteria

There are four basic metrics that determine at what level data should be classified and consequently what level of protection is required to safeguard that data:

- Value. The most important criterion, and perhaps the most obvious.

- Age. Data’s sensitivity typically decreases over time.

- Useful Life. Data can be made obsolete by newer information or inventions.

- Personal Association. Some data is particularly sensitive because of its association with an individual; compromising it can harm that individual directly and expose the organization to privacy liability.

Information Classification Roles

Another advantage of properly classifying data is that it helps define the roles of the personnel that will be working with and safeguarding the data:

- Owner. Has ultimate responsibility for the data. Usually management, and distinct from the custodian.

- Custodian. Responsible for the routine safeguarding of classified data. Usually an IT resource.

- User. Uses the data according to the organization’s established operational procedures.

Security Controls

Now that the information classification roles have been established, the types of security controls over an organization’s data can be defined. Controls are the engine of a security policy. They define the levels of passive and active tools necessary for a custodian to enact a security policy and to meet the three objectives (remember those?!) of confidentiality, integrity, and availability. This is essential in order to provide defense in depth. Subcategories or “types” of controls are investigated a little later on in this section.

Controls can be divided into three broad categories, as follows:

- Administrative. Mostly policies and procedures.

- Technical. Involving network elements, hardware, software, other electronic devices, and so on.

- Physical. Mostly mechanical.

Exam Alert

Here’s a useful way to remember these categories of controls. If they are in place, you can “stand pat.” PAT = Physical, Administrative, Technical.

Here are some of the attributes of administrative, technical, and physical controls.

Administrative Controls

The following are attributes of administrative controls:

- Security awareness training

- Security policies and standards

- Security audits and tests

- Good hiring practices

- Background checks of employees and contractors

Technical Controls

IT staffs usually think of network security as a technical solution because it is in their nature. That said, implementation of devices and systems in this category, while important, should not be the sole part of an effective Information Security (INFOSEC) program. Here is a list of some common technologies and examples of those technologies that fit in the category of technical controls.

- Network devices. Firewalls, IPSs, VPNs, routers with ACLs.

- Authentication systems. TACACS+, RADIUS, OTP.

- Security devices. Smart cards, biometrics, NAC systems.

- Logical access control mechanisms. Virtual LANs (VLANs), Virtual Storage Area Networks (VSANs).

Note

The focus of this Exam Cram is largely a technical one because this is the primary focus of the Cisco course material and therefore also the exam. It is important, however, to note that technical controls should only be implemented as part of a broader security policy.

Physical Controls

If the purpose of your security policy is to build a castle around your data with technical controls and manage it with administrative controls, how effective do you think it will be if you leave the drawbridge down or forget to lock or at least post sentinels at the front gate? This is where physical controls come in. Physical controls consist of the following:

- Monitoring Equipment. Intruder detection systems.

- Physical Security Devices. Locks, safes, equipment racks.

- Environmental Controls. Uninterruptible Power Supplies (UPSs), fire suppression systems, positive air flow systems.

- Security Guards. Human, canine.

Types of Controls

A control “type” is a further subdivision of a control “category” (refer to the next Exam Alert):

- Preventative. Controls that prevent access.

- Deterrent. Controls that deter access.

- Detective. Controls that detect access.

Exam Alert

It is important to note that although the three broadest categories are administrative, technical, and physical, these can be further subdivided by type. The hierarchy is Category of Control -> Type of Control. For example, an IPS would be an example of a Technical -> Preventative system, whereas an IDS would be an example of a Technical -> Detective system.

Remember this definition: A security control is any mechanism that you put in place to reduce the risk of compromise of any of the three objectives: confidentiality, integrity, and availability.

Some controls fall into more than one type. For example, a security camera in the lobby of a high-security government office building is both a deterrent and a detective control.

Now that you have built comprehensive security controls into your network design, what do you do when a security breach occurs? What internal procedures do you follow? Whom do you notify? How do you contain the damage? What steps do you take to document the breach? How do you recover compromised data? So many questions! Adding to this complexity is the whole quagmire of the law, law enforcement agencies, and the question of legal and ethical responsibilities, both in reporting a breach and in whether we may be somehow responsible for the breach because of bad network design and a lack of due diligence. Let’s look at answering these questions in two different contexts:

- Incident response

- Laws and ethics

Incident Response

So it’s happened. Someone has hacked into your network and either accessed your confidential data or denied access to your network by authorized users. Assuming that you have implemented Technical -> Detective controls, and you have evidence that a breach has, in fact, occurred, you must decide how to move forward and use the evidence gathered to improve your existing network and/or prosecute the hacker. Let’s look at some of the complex issues involved in prosecuting computer crimes.

Note

You shouldn’t decide what response you will take at the moment that the breach has been detected. You should plan an incident response as part of a comprehensive Network Security Policy. This is discussed a little later in this chapter.

Computer Crime Investigations

For successful prosecution of computer crimes, law enforcement investigators must prove three things: motive, opportunity, and means (MOM). Anyone who enjoys watching crime shows on television will recognize these:

- Motive. Did the individuals have something to gain from committing the crime?

- Opportunity. Were the individuals in a position to commit the crime?

- Means. Did the individuals have the ability to commit the crime?

Computer Crime Complications

Then there is the complication of both gathering evidence and maintaining its integrity. This is not an easy chore, particularly with computers, and it leads to certain complications:

- A virtual world. The virtual nature of computers means evidence is not physical; it cannot be held and touched.

- Data integrity. Evidence can easily be tainted if not handled properly. A single changed bit alters the cryptographic hash that proves a copy matches the original, and may be enough to make the evidence inadmissible.

- Chain of custody. The chain of custody of data that is used as part of a forensic case is crucial and not easy to prove or to maintain.

Note

You will often see the term “chain of custody” in discussions about incident response. Chain of custody means that you can prove that from the time that the incident occurred, the copies you made of your system (see below) never left your control and were never changed while under your control and before they were presented as evidence to the investigating agency. Lawyers might question the completeness of this definition, but it is sufficient for this discussion.

Although it is advisable to immediately quarantine a breached system from the network, basic rules must be followed in order to collect evidence and to preserve its integrity:

- Make a copy of the system. A complete copy of the system, both persistent and non-persistent storage, should be made. This means that the contents of RAM should be dumped to a file and multiple images should be made of the hard drive(s), flash drive(s), and so on. Record a cryptographic hash of each image at the time it is taken, and perform analysis on the copies, never on the original media.

- Photograph the system. Photograph the system before it is moved or disconnected.

- Handle evidence carefully. The chain of custody must be preserved.
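As an added example (not from the original text), the following Python script shows the evidence-handling practice described above, and also illustrates the integrity point made earlier in the chapter: hash each acquired image at acquisition time, record the digests in a manifest kept with the evidence log, and re-verify before analysis or hand-over, so that any alteration, even a single bit, is detectable. The “images” are small constructed byte strings written to a temporary directory; a real RAM dump or disk image would be hashed in the same chunked fashion. The examiner name and file names are placeholders.

```python
"""Added example: an evidence manifest for forensic images.

Hash each acquired image at acquisition time, record the digests in a
manifest, and re-verify before analysis or handover. A single flipped
bit in an image changes its digest and fails verification. The "images"
here are small constructed byte strings written to a temporary directory;
a real image would be a full disk or memory dump, hashed in chunks the
same way. Not code from the original text.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict

CHUNK = 1024 * 1024   # hash a megabyte at a time; real images do not fit in RAM


def sha256_file(path: str) -> str:
    """Streaming SHA-256 of a file of any size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir: str, examiner: str) -> Dict[str, object]:
    """Record who acquired the evidence and the digest of every image file."""
    digests = {name: sha256_file(os.path.join(evidence_dir, name))
               for name in sorted(os.listdir(evidence_dir))}
    return {"acquired_by": examiner, "sha256": digests}


def verify_manifest(evidence_dir: str, manifest: Dict[str, object]) -> Dict[str, bool]:
    """True for each image whose current digest still matches the manifest."""
    return {name: sha256_file(os.path.join(evidence_dir, name)) == digest
            for name, digest in manifest["sha256"].items()}


def flip_one_bit(path: str, offset: int) -> None:
    """Simulate accidental tampering: invert the low bit of one byte."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0x01]))


def demo() -> Dict[str, Dict[str, bool]]:
    """Acquire two constructed images, build the manifest, tamper with one,
    and return the verification results before and after."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed stand-ins for a RAM dump and a disk image.
        with open(os.path.join(evidence_dir, "ram.dump"), "wb") as f:
            f.write(b"\x00" * 4096 + b"password=hunter2" + b"\x00" * 4096)
        with open(os.path.join(evidence_dir, "disk0.img"), "wb") as f:
            f.write(bytes(range(256)) * 64)

        manifest = build_manifest(evidence_dir, examiner="J. Doe")   # placeholder name
        manifest_json = json.dumps(manifest, indent=2)   # stored with the evidence log

        before = verify_manifest(evidence_dir, manifest)
        flip_one_bit(os.path.join(evidence_dir, "disk0.img"), offset=777)
        after = verify_manifest(evidence_dir, json.loads(manifest_json))
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is printed, signed, and dated at acquisition and travels with the media; whoever receives the evidence recomputes the digests before doing anything else, and each hand-over is logged. That record is what lets you prove, later, that the copies were never altered while in your control.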

Laws and Ethics

As if computer crime isn’t complicated enough, a security expert also needs to deal with the jurisdictional, procedural, and legal issues within the framework of the law of the land.

Types of Laws

There are three types of law found in most countries:

- Criminal. Concerned with crimes against society. Penalties usually involve fines (paid to the court) and/or imprisonment of the offender.

- Civil (including tort law). Concerned with righting wrongs between private parties that do not involve crimes or criminal intent. Penalties are typically monetary and paid to the party who wins the lawsuit.

- Administrative. Regulations enforced by government agencies in the course of their duties. Monetary penalties are typically divided between the government agency and the victim (if any) of the contravened regulation.

Although these categories are common for most countries, some governments do not follow or even recognize them. Further complicating this is that computer crimes often cross international boundaries, meaning that jurisdiction must be established before the crime can be prosecuted.

Ethics

Sometimes we are motivated to do something not because we will be punished if we don’t, but because we know it is the right thing to do. This is why ethics are considered a higher standard than the law. Codes of ethics are:

- Moral principles that constitute a higher standard (or “code”) than the law.

- Guides for the conduct of individuals or groups.

- Supported by a number of organizations in the INFOSEC field:

    - (ISC)² (International Information Systems Security Certification Consortium, Inc.) Code of Ethics

    - Computer Ethics Institute

    - IAB (Internet Activities Board, now the Internet Architecture Board; see RFC 1087, “Ethics and the Internet”)

    - GASSP (Generally Accepted System Security Principles)

A good example of why codes of ethics are an important INFOSEC principle is the subject of entrapment. Entrapment is the process of luring someone into committing an illegal act that they might not otherwise commit were the opportunity not there. They might have motive. They might have means. You have provided the opportunity. An example of this might be a honeypot: a deliberately easy-to-compromise system. You may have deployed this system to see what bees are interested in your honey and as an early warning system for penetration of your network. Private use of the data so collected may be legitimate from a security control (Technical -> Detective) perspective, but it may contravene legal, regulatory, and ethical standards if it is used for prosecution. Seek legal and ethical advice before deploying such a system as part of your network security architecture.

Liability

Organizations are responsible for the proper protection of their systems against compromise. If a loss of service occurs due to a security breach, and if it is discovered that the organization did not have adequate security controls in place, that organization might be held liable for damages. Organizations are required to practice the following:

- Due Diligence. Concerns itself with the implementation of adequate security controls (administrative, technical, and physical) and establishing best practices for ongoing risk assessment and vulnerability testing.

- Due Care. Operating and maintaining the security controls that have been implemented through due diligence.

Exam Alert

Security practitioners are very fond of using the terms “due care” and “due diligence” when describing exposure to liability. Cisco’s definitions are listed previously, and you need to know them for the exam, but they still look very similar, don’t they? Think of due diligence as being exercised in the planning and overall design of a network security architecture. This includes all the security controls (discussed in a previous section) put in place to meet expected threats. It is relatively static. Due care, on the other hand, is more dynamic and involves the day-to-day operating, maintaining, and tweaking of the security architecture. Remember the old axiom, “Security is a process, not a product.” Due care is that process.

Legal and Government Policy Issues

Here are some examples of U.S. government regulations that have been introduced to enforce network and system security and to raise awareness of privacy and (more recently) INFOSEC issues:

- Gramm-Leach-Bliley Act (GLBA) of 1999. Enacted to allow banks, securities firms, and insurance companies to merge and share information with one another; its privacy and safeguards rules require those institutions to protect customers’ nonpublic financial information.

- Health Insurance Portability and Accountability Act (HIPAA) of 1996. Requires national standards for the confidentiality of electronic patient records; the Privacy Rule implementing them was issued in 2000.

- Sarbanes-Oxley (SOX) Act of 2002. Law to ensure transparency of corporations’ accounting and reporting practices.

- Security and Freedom Through Encryption Act (SAFE) of 1997. Proposed legislation, introduced in 1997 but never enacted, that would have affirmed the right of U.S. citizens to use any kind of encryption without a key escrow requirement.

- Computer Fraud and Abuse Act (CFAA) of 1986. Amended several times, notably in 2001 by the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism). The intention of this act is to reduce hacking by defining specific penalties when damage results from a compromised system.

- Privacy Act of 1974. Governs federal agencies’ records on individuals; such records may not be disclosed without the individual’s written consent, subject to a list of statutory exceptions.

- Federal Information Security Management Act (FISMA) of 2002. Intended to strengthen IT security in the U.S. federal government by requiring yearly reviews and reporting.

- Economic Espionage Act of 1996. Enacted to criminalize the theft and misuse of trade secrets.

Exam Alert

Be able to recognize these pieces of legislation on the exam.

Exploring the Taxonomy of Network Attacks

In this section, we conduct a quick survey of the methodologies of attacks against our network infrastructure and the resulting threats against confidentiality, integrity, and availability. It won’t be all bad news, however, because we’ll summarize some of the best practices used to mitigate the effect of these attacks. We will:

- Define adversaries, their motives, and types of attacks.

- Summarize the concept of defense in depth.

- Examine the threat of IP spoofing.

- List and briefly summarize attack methods used to compromise confidentiality, integrity, and availability.

- Summarize some best practices for defense.

According to Cisco:

- A vulnerability is a weakness that can be exploited by an attacker.

- Risk is the likelihood that a vulnerability might be exploited by a specific attack.

- An exploit is an attack that takes advantage of a vulnerability.

Exam Alert

Know the difference between vulnerability, risk, and exploit.

Categories of vulnerabilities are as follows:

- Poor design

- Weaknesses in protocols

- Software

- Misconfiguration

- Hostile code

- Human factor

Adversaries

So, who wants our stuff, or wants to make our stuff unusable by us? It sounds simplistic, but answering this question, and thus knowing your enemy and their motivations, will go a long way toward acquiring the right mindset for designing network security controls. Remember, not every organization is at risk from all of these adversaries, so focus on those for which there is a realistic likelihood that they may exploit your vulnerabilities. Some examples are as follows:

- Nations or states

- Government agencies

- Hackers (we’ll examine these further)

- Terrorists

- Competitors

- Disgruntled employees

- Organized crime

Hackers

Hackers are the most obvious external threat to network security. There are several different species of hackers according to Cisco:

- Hacker. A computer enthusiast. They can also be grouped by their motivations:

    - White hat. Ethical hacker.

    - Black hat. Unethical hacker.

    - Gray hat. We’re not sure! (This is a hacker who has a real job and sometimes plays both sides of the law, often motivated by intellectual challenge and notoriety but usually not monetary gain.)

    - Blue Hat. Bug testers (from “blue collar”).

- Cracker. Hacker with criminal intent, motivated by economic gain.

- Phreakers (or Phone Phreaks). Hackers of telephone systems.

- Script Kiddies. Wannabe hackers with little or no skill.

- Hacktivist. Hacker with a political agenda.

Hacker Specializations

Whether a hacker wears a white, black, gray, or blue hat, they can be further defined by the type of hacking they perform:

- Computer Security Hackers. Usually secretive and specialize in computers and computer networks.

- Academic Hackers. Not usually secretive. Specialize in designing elegant software and gravitate toward Unix and the open source movement.

- Hobby Hackers. Usually hack code related to video games and gaming hardware and other home computing.

Motivations

As we’ve seen, in a broad sense, hackers can be categorized by their motivations but so too can the other adversaries. What makes them do it? Here are some motivations:

- Intelligence gathering

- Theft of intellectual property

- DoS

- Embarrassment of the target

- Intellectual challenge

Note

From this point forward, the term “hacker” will be used as a general term for any of the adversaries previously listed and who attacks an organization’s network and other systems.

How Do Hackers Think?

Hackers are said to think “outside the box.” Imagine that the hacker is a very clever lab animal that, when presented with a maze to run through as part of an experiment, chooses to run outside the maze to the prize. In so doing, the animal bypasses all the clever little turns in the maze that are supposed to make it difficult to get to the other side. The inference is clear. If our network is a maze, and the hacker is that clever animal, we will be in big trouble if we don’t start to think like him! This is not to say that all hackers take shortcuts, either. Nor do all hackers use the same methods, but here is an example of a typical structured attack.

Seven Steps for Compromising Targets and Applications

According to Cisco, the seven steps for compromising targets and applications are as follows:

  1. Perform footprint analysis (reconnaissance).

  2. Enumerate applications and operating systems.

  3. Manipulate users to gain access.

  4. Escalate privileges.

  5. Gather additional passwords and secrets.

  6. Install back doors.

  7. Leverage the compromised system.

Exam Alert

Memorize these steps. They are sure to be on the exam. To make it easier to remember, note that, generally, network attacks follow two broad steps: Explore, then exploit!

Concepts of Defense in Depth

Security is only as strong as its weakest link. Although this is a commonly held belief, it is not as commonly followed in practice. Defending a network with only one type of security control (administrative, technical, or physical) is bad enough, but many networks are protected by only a single control. For example, protecting a home broadband connection with a single technical control such as an integrated firewall/router/wireless access point may be sufficient. It would certainly not be sufficient for a large e-commerce site that sells books online and keeps credit card information and other personal information about its customers. Clearly, the solution needs to be scaled to the need, and single points of failure should be avoided wherever possible.

To summarize, the Defense in Depth philosophy entails the following:

Image    Diversity and Redundancy. Use multiple security mechanisms to back up each other.

Image    Independence. Security mechanisms are self-sufficient and do not rely on one another.

Image    Augment Weakest Links. Single points of failure can be avoided.

Defense in Depth recommendations are as follows:

Image    Build a multi-layered defense.

Image    Place controls in multiple places.

Image    Use hardened, quality components.

Image    Use IDS or IPS (consider also Host IPS (HIPS)).

Image    Employ effective credential and key management.

Figure 1.1 shows an example with no depth of defense. A single Cisco IOS firewall establishes a perimeter between an outside, hostile network and an e-commerce site’s inside network, where the employees’ computers and the book-selling server all reside. The firewall is configured to open up access from the outside to allow Internet users to connect to the server. This is an example of a single technical security control. The single technical control might be sufficient for a home network, but note that the file server coexists on the inside network with the employees’ computers. If hackers compromised the server, they could leverage the compromised server to attack other inside hosts, including the switch, PC, and laptop. Without the use of an IDS or IPS, we might not even know that the attack had taken place. If this were a company’s e-commerce site, it wouldn’t make sense to deploy a server in the same part of the network as knowledge workers’ computers. This is clearly a security incident waiting for a place to happen.

FIGURE 1.1 Single IOS firewall and no defense in depth.


Some simple modifications to the security architecture illustrate the principle of depth of defense, as illustrated in Figure 1.2. The IOS router is configured as an IPS (see Chapter 8, “Network Security Using Cisco IOS IPS”) and can now detect and prevent intrusion attempts into and out of the inside network. The e-commerce server is deployed into a separate demilitarized zone (DMZ). Access Control Lists (ACLs) are configured on the IOS router to ensure that the e-commerce server cannot initiate a connection to an inside host, neutralizing the threat of its compromise leading to a compromise of our inside network. ACLs are covered in Chapter 5, “Using Cisco IOS Firewalls to Implement a Network Security Policy.” The IOS router is hardened against attack using principles discussed in Chapter 3, “Security at the Network Perimeter.” This also separates data planes, making it harder for an attacker to gain access to an inside host.

FIGURE 1.2 Single IOS firewall with defense in depth.


IP Spoofing Attacks

IP spoofing is the networking equivalent of identity theft. If you fake some other device’s IP address, you can pretend to be that other device in order to:

Image    Gain root access.

Image    Inject erroneous data into an existing conversation.

Image    Fool other devices in order to divert packets to the hacker.

Image    Overload resources on servers (DoS).

Image    Accomplish a task as part of a larger attack.

One of the things that makes IP spoofing so effective is that the process of routing is destination based, meaning that routers make their best path determination based on the destination IP address in an IP packet, often ignoring the source address completely. For example, if an attacker on the outside correctly guesses the source addresses of devices internal to your network, they can inject packets into your network that appear to be coming from trusted hosts on the inside.
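As an added example (not from the book), the following Cisco IOS ingress anti-spoofing ACL shows the defender’s counterpart to the injection just described: a packet arriving from the Internet can never legitimately carry one of our own inside addresses as its source, so it is dropped and logged. The addresses and interface name are constructed for illustration.

```cisco
! Added example, not from the book. Constructed addressing: inside LAN
! 192.168.10.0/24, DMZ 192.168.20.0/24, outside interface FastEthernet0/0.
! Applied inbound on the outside interface.
ip access-list extended ANTISPOOF-IN
 remark Packets from the Internet claiming an inside or DMZ source are forged
 deny   ip 192.168.10.0 0.0.0.255 any log
 deny   ip 192.168.20.0 0.0.0.255 any log
 remark Sources that never legitimately arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark Everything else continues to the firewall's normal inspection
 permit ip any any
!
interface FastEthernet0/0
 description Outside (Internet-facing)
 ip access-group ANTISPOOF-IN in
 ! Unicast RPF adds a dynamic check on top of the static ACL: drop a packet
 ! whose source would be routed back out a different interface. allow-default
 ! lets genuine Internet sources, reachable only via the default route, pass.
 ip verify unicast source reachable-via rx allow-default
!
! After deployment, confirm that the deny lines are matching forged packets:
! show access-lists ANTISPOOF-IN
! show ip interface FastEthernet0/0 | include verify
```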

Note

The Open Systems Interconnect (OSI) model defines a packet as a network layer (layer 3) protocol data unit (PDU). An IP datagram is an example of a packet. Try to avoid using the term “packet” for PDUs at other layers of the OSI model. This will become very important in later chapters, where we will discuss TCP segments (layer 4) and Ethernet frames (layer 2) in the context of network security. This is terminology that you will have learned in your CCNA studies. If you don’t know these terms, now is the time to go back over your ICND1 and ICND2 notes to review them.

Recall that logical communication between TCP/IP hosts occurs at the transport layer of the OSI model. This is where dialog occurs between end systems. The Transmission Control Protocol (TCP) keeps track of the sequence number of segments both sent and received. Among other things, this allows an end system to put segments received in the right order, as well as retransmit segments from its transmit queue where the other device indicates that it has not received them.

Types of IP Spoofing

If an attacker were able to actually see these sequence numbers, maybe through the use of a packet capture tool, the IP spoofing attack would be called nonblind spoofing. They would need physical access to your network to accomplish this.

If an attacker were simply guessing at sequence numbers—essentially using tools to calculate them—then the attack would be called blind spoofing. Physical access to your network is not required. Furthermore, with blind spoofing, the guesswork involved means that there is no verification of a successful attack.

Note

Another thing that aids the attacker is that although it is completely up to the end systems what initial sequence numbers they use to build a TCP session, some vendors’ TCP/IP implementations always use the same one. If an attacker were to know what type of system they were dealing with through footprinting (recall “Seven Steps for Compromising Targets and Applications” in a previous section), the guessing would be much easier.

In any case, the information learned through IP spoofing in the course of network reconnaissance may lead to several types of attacks, including:

Image    Man-in-the-middle attacks (MiM). The attacker assumes the identity of a trusted host on the network and steals information. An example of this is session hijacking.

Image    DoS Attacks. The information gained leads to a flooding of resources on a targeted system. An example would be excessive hard drive thrashing on an unpatched web server.

Image    Distributed DoS Attacks (DDoS). The information learned during the reconnaissance leads to a flooding of resources on a targeted system from multiple hosts simultaneously. An example would be an attack on a core network device that consumes all the bandwidth into and out of a network.

Note

MiM attacks attack the network’s confidentiality. They also attack the network’s integrity because invalid data can be replayed into the network by a spoofed system. DoS and DDoS attacks attack the network’s availability.

Attacks Against Confidentiality

If effective administrative, technical, and physical security controls are in place, the risk of the following attacks would be minimal.

Exam Alert

According to Cisco, attacks against confidentiality are successful if you have been lax with access control (network, OS, application) or protection of data moving over hostile, untrusted networks.

Examples of attacks that may lead to confidentiality (and other) breaches include the following:

Image    Protocol Analysis (Packet Sniffing). As indicated previously, this is very effective if the attacker has physical access to your network. Packets can be captured and often analyzed offline for cleartext, confidential information.

Image    Port Scanning. This is very common during the reconnaissance phase of an attack, using tools like nmap or Nessus to scan a network to find out what TCP ports are open.

Image    Ping Sweeps. Often used in the initial phases of reconnaissance. First find out what hosts are answering to the ping (ICMP echo packet); then drill down on them with a port scan (see previous).

Image    Dumpster Diving. Organizations often accidentally throw out sensitive information that would be of use to an attacker.

Image    Social Engineering. Using social skills to subvert an individual within a targeted organization into providing information that is either confidential in itself or that can lead to a breach of the network’s security controls.

Image    Overt Channels. Hiding something out in the open sounds like an oxymoron. An attacker can craft an attack that tunnels one protocol inside another protocol. If the security appliance or IDS/IPS is not configured to check protocol compliance at the application layer, the attack will succeed. An example might be a Peer-to-Peer (P2P) file transfer of malicious code using Kazaa inside an HTTP session. Another example might be the process of steganography. This is typically executed by concealing hidden messages in image files, which are themselves embedded in overt objects such as HTML for transport.

Image    Covert Channels. Hiding information (perhaps by encryption) within a network session. An example might be injecting some malicious code within a legitimate client-server session. This is sometimes called a back channel attack.

Image    Emanations Capturing. Capturing electrical and radio frequency emissions (from wireless networking gear, for example) using passive means and decoding their meaning. Can be countered with TEMPEST standard equipment.

Note

TEMPEST is a U.S. government standard. Equipment or rooms that are certified to the TEMPEST standard are leakage-free, but it is an expensive standard. Other nations have similar standards. Interestingly, TEMPEST is actually not an acronym, though many have tried to make it into one. One of the most common examples of this “bacronym” is “Transient Electromagnetic Pulse Emanation Surveillance Technology.” It sounds cool, but it’s incorrect. Why not “Tiny ElectroMagnetic Particles Emitting Secret Things?” TEMPEST is an unclassified U.S. government code word coined by the National Security Agency (NSA) in the late 1960s and early 1970s for an operation concerning compromising emanations. The general term for preventing unwanted electromagnetic emissions is now more properly Emissions Security (EMSEC).

Phishing, Pharming, and Identity Theft

Two very real exploits that are commonly in the news are phishing and pharming. Both of these exploits are threats against a user’s or a site’s identity.

Image    Phishing. This is a social engineering attack. By posing as a legitimate, trusted third party, an attacker attempts to acquire confidential or sensitive information from the victim. The most common vehicles for phishing are email messages that entice victims to visit a legitimate-looking website where their credit card information, PINs, and so on, are stolen.

Image    Pharming. This is the process of farming (get it?) or harvesting traffic from one website by redirecting it to another. A common method is commandeering vulnerable Domain Name System (DNS) servers and altering their records so that users are redirected to a site not operated by the real owner of the domain name.

Antivirus, antispyware, and anti-spam software are somewhat effective against phishing attacks. Nevertheless, this type of technical control is not a replacement for the administrative control of educating users.

There is no specific technical control to thwart pharming, however. The best defense is to make sure that vulnerable servers are properly patched (problematic across the whole Internet!) and to regularly test DNS resolution against root servers in the Internet to ensure that an organization’s fully-qualified domain name (FQDN) resolves properly to the correct IP address.

Attacks Against Integrity

Exam Alert

Like attacks against confidentiality, attacks against integrity are successful if you have been lax with access control (network, OS, application) or protection of data that moves over hostile, untrusted networks.

We’ve done a good job at defining integrity previously, so let’s look at a list of common attacks against a system or a network’s integrity. These attacks might also be used to breach availability and confidentiality:

Image    Salami Attacks. Salami, like sausage, is made up of a variety of ingredients. It’s not a single meat. This is true of a salami attack. It is a larger attack that is composed of a series of smaller attacks. An example would be an attacker launching an attack that makes small compromises of the integrity of several different systems’ databases simultaneously. This type of granular, spread-out attack is difficult to detect.

Image    Data Diddling. Interfering with data before it is stored on a computer, prior to or during data input. This may be the result of a virus or even malicious code designed into the program.

Image    Trust Exploits. An attacker leverages a trust relationship between devices on a network. Port redirection is an example of this type of attack. A walk-through of a port redirection attack is found in Figure 1.3.

FIGURE 1.3 Port redirection attack.


Image    Password Attacks. This is any attack that is geared toward making a system divulge its password database. Viruses, trojans, keyloggers, protocol analyzers (sniffers), and brute force attacks are common vectors. Application protocols such as Telnet and FTP that use cleartext passwords are the most vulnerable to the use of protocol analyzers. Even protocols like NTLM (Windows NT LAN Manager) and Active Directory, which exchange hashes of passwords rather than cleartext passwords, are vulnerable to offline, brute force tools such as John the Ripper.

Note

Hashing is explained in Chapter 6, “Introducing Cryptographic Services.” Although theoretically a hash cannot be cracked, there are cracking programs such as RainbowCrack, which can match a hash against a database of known hashes captured with protocol analyzers.

Image    Session Hijacking. This is the most common Man-in-the-Middle (MiM) attack. It’s not so much an attack in itself, as it is a result of a successful attack.

Exam Alert

Memorize the names and port numbers of several popular protocols that use authentication, as shown in Table 1.1.

TABLE 1.1 Some Applications That Require Authentication


Attack Against Integrity Example: Port Redirection Attack

This example should help bring together some concepts about attacks against integrity. Revisit the simple network from the previous example, now shown in Figure 1.3. Figure 1.3 shows an IOS router with three interfaces: one facing the Internet, another facing the inside, and a third that establishes a DMZ where the e-commerce server is deployed.

Figure 1.3 shows a port redirection attack in which “Z” trusts “Y” and “Y” trusts “X.” The attacker is trying to trick “Z” into trusting “X” too. Arrow “A” illustrates that the router is configured to allow connections from the outside to the web server in the DMZ on TCP port 80 (or else, how could we sell books?).

The router will not allow connections to be initiated from the outside to the inside.

However, the router is configured to allow the DMZ server to initiate connections to the inside (arrow “B”), perhaps to synchronize its clock with a time server or to authenticate users on an AAA server. Here’s how an attack might unfold:

  1. A hacker “X” conducts a port scan of the network and discovers that there is a web server “Y.” The hacker footprints the network using a tool such as nmap and learns that the web server software used may have some vulnerabilities that could be exploited. This piques his interest!

  2. The attacker uses a hacking tool such as netcat to compromise the web server and installs a port forwarding tool, such that when inbound WWW traffic from the attacker’s workstation is sent to the compromised web server, it will redirect it to a different port entirely (TCP port 3389 = Terminal Services, for example).

  3. Now the attacker can essentially tunnel the desired protocol inside HTTP to the DMZ server and then use the DMZ server to attempt to establish a connection to an inside host “Z.”

  4. Because the attacker has control over the DMZ server, he can complete a remote reconnaissance of the internal network from the DMZ server using a ping sweep to find out what IP addresses are active.

  5. The attacker conducts a port sweep to see what services are available on the active IP addresses.

  6. The attacker then attempts to exploit vulnerabilities on inside hosts, perhaps also installing keylogger software, and so on.

The attacker has now successfully leveraged the trust relationships. “Z” trusts “Y.” “Y” trusts “X.” Now “Z” trusts “X,” too. Ouch! This is what makes port redirection an example of a trust exploit.

The risk of this exploit happening can be mitigated by:

Image    Installing a firewall or IPS, which can examine inbound HTTP traffic to ensure that it is protocol compliant, block traffic that isn’t, and also alert a custodian.

Image    Installing Host Intrusion Protection System (HIPS) software on inside hosts.

Image    Using ACLs on the IOS firewall to tighten the rules as to which IP addresses and applications the DMZ server is allowed to initiate connections to on the inside.
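As an added example (not from the book), here is how the third mitigation above, and the ACL described earlier in the Figure 1.2 discussion, might look on the IOS firewall: the DMZ server is permitted to initiate only the NTP and AAA flows it legitimately needs toward the inside, so the TCP 3389 pivot in the walk-through is dropped and logged at the router. Addresses, the interface name, and the choice of RADIUS for AAA are constructed assumptions.

```cisco
! Added example, not from the book. Constructed addressing: DMZ web server
! 192.168.20.10 on FastEthernet0/2, inside LAN 192.168.10.0/24, inside NTP
! server 192.168.10.5, inside AAA (RADIUS, UDP 1812/1813) server 192.168.10.6.
! Applied inbound on the DMZ interface, so it governs every packet the DMZ
! server sends, including what it may initiate toward the inside (arrow "B").
ip access-list extended DMZ-IN
 remark Only the flows the DMZ server legitimately needs toward the inside
 permit udp host 192.168.20.10 host 192.168.10.5 eq ntp
 permit udp host 192.168.20.10 host 192.168.10.6 eq 1812
 permit udp host 192.168.20.10 host 192.168.10.6 eq 1813
 remark Anything else from the DMZ toward the inside (e.g. TCP 3389) is a pivot
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 remark Replies to web connections opened from the Internet (arrow "A")
 permit tcp host 192.168.20.10 eq www any established
 remark A DMZ host originating anything else is suspicious: drop and log it
 deny   ip any any log
!
interface FastEthernet0/2
 description DMZ
 ip access-group DMZ-IN in
!
! A compromised DMZ server now shows up as logged deny hits rather than as a
! foothold on the inside. Check them with:
! show access-lists DMZ-IN
! show logging | include DMZ-IN
```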

Note

ACLs, firewalls, IPS, and HIPS will be discussed in later chapters, although hopefully you are getting a feel for their respective roles in the context of this discussion at this point in the Exam Cram.

Attacks Against Availability

Now we move on to the last letter of our C-I-A triad and more reasons for network insecurity! We look at what constitutes an availability attack and how to mitigate the effects of such attacks.

Exam Alert

Availability attacks are DoS attacks. If these attacks are successful, it is because the system fails to handle either:

Image    Unanticipated, exceptional conditions (such as malicious code, buffer overflows, and so on).

Image    Enormous floods of data, crashing a system or bringing it to a halt, leading to a compromise of availability.

Also know that many availability attacks can be used to attack confidentiality and integrity too.

Note

Heads up! Strictly speaking, any type of attack that seriously impedes the availability of a network or system is a DoS attack. By that definition, availability attacks are DoS attacks. Nevertheless (and confusingly) DoS is often also identified as a category of availability attack, typically a network-borne attack. Don’t be confused by this inconsistency. Just know that the term DoS can be used correctly in those two contexts.

Aiding an attacker is the relative simplicity of the attack methods. Even a script kiddie would have no problem executing some of these attacks.

Some common types of availability attack include the following:

Image    Botnets

Image    ICMP floods

Image    DoS

Image    DDoS

Image    SYN floods

Image    Electrical power

Image    Computer environment

Image    MAC flooding

The following sections go over each type of availability attack in more detail.

Botnets

A botnet is a collection of infected computers or “robots” that can be controlled by crackers. The location of infected computers is shared by circles of crackers who can then seize control of these machines, typically on Internet Relay Chat (IRC), and use them in the commission of larger attacks such as a DDoS. For crackers, locating these computers’ IP addresses can be done fairly easily if the infected machines register their domain names dynamically with a Dynamic DNS provider. Whole communities of infected computers might resolve to the same domain suffix, such as “ivebeenhacked.net.”

ICMP Floods

ICMP floods work like they sound. A constant stream of ICMP messages is sent against a system. No response is necessary; the ICMP message just has to be received by the host being attacked. Conducting a constant ping from one host is unlikely to completely consume bandwidth and/or CPU cycles on an attacked host. However, when used as part of a DDoS attack (maybe combined with spoofed source IP addresses!), it can be quite effective.

DoS

In general terms, DoS attacks occur when an attack against a system slows its response to legitimate requests. The affected server will eventually drop requests from legitimate clients when there are too many unanswered requests for resources in its receive queue.

DDoS

A DDoS attack is a DoS attack from many sources simultaneously, perhaps from hosts enlisted from a botnet. This remains a common attack due to both its efficacy and its relative simplicity to execute.

SYN Floods

This is a type of DoS attack. This attack leverages the requirement within the Transmission Control Protocol (TCP) that a server answer a synchronization attempt from a client (SYN) when a connection is being established to its well-known port number. Think of the SYN, which is carried inside a TCP segment, as pushing a doorbell. A web server has a doorbell with the number “80” on it. The server, if it is polite (or at least protocol compliant!), is required to answer the SYN with a SYN, ACK. Of course, in between the time that the attacker has pressed the server’s doorbell and the time the server has gotten out of his comfortable chair to answer the door, perhaps thousands of other doorbell presses to port 80 have happened ... some of them even from legitimate clients of the server. The attacker won’t even wait around to see if the server has come to the door because, unlike a legitimate client, his goal is not to actually create a connection with the server but to frustrate him. Meanwhile the server has to allocate memory and other resources for each connection attempt. Eventually, the server is going to get so tired of coming to the door only to find that there is no one there that he will no longer answer the door for anybody, attacker and legitimate user alike.
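As an added example (not from the book), the Cisco IOS TCP Intercept feature is one way a perimeter router answers the doorbell on the server’s behalf: the router completes the three-way handshake with the client itself and only opens a connection to the server once the client’s final ACK arrives, so half-open attempts never consume the server’s resources. The server address and thresholds are constructed for illustration.

```cisco
! Added example, not from the book. Constructed addressing: DMZ web server
! 192.168.20.10. The ACL selects which *destination* connections to protect.
access-list 110 permit tcp any host 192.168.20.10 eq www
ip tcp intercept list 110
! intercept mode: the router proxies the SYN/SYN-ACK/ACK exchange.
! watch mode would instead only reset connections that fail to complete
! within the watch-timeout.
ip tcp intercept mode intercept
! Aggressive mode begins when half-open connections exceed the "high" value
! (total, or new ones within the last minute) and ends at the "low" value.
! IOS defaults are 1100/900; these smaller values are constructed for a
! small site and should be tuned from observed normal load.
ip tcp intercept max-incomplete high 600
ip tcp intercept max-incomplete low 400
ip tcp intercept one-minute high 600
ip tcp intercept one-minute low 400
! While aggressive, each new SYN evicts the oldest half-open connection
ip tcp intercept drop-mode oldest
! How long a half-open connection is kept before the router gives up on it
ip tcp intercept watch-timeout 30
!
! Watch the half-open count and aggressive-mode transitions with:
! show tcp intercept statistics
! show tcp intercept connections
```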

Electrical Power

Any attack against an organization’s electrical power is an availability attack. There are three categories, as follows:

Image    Excess power (spikes and surges)

Image    Complete power outage (brief faults and blackouts)

Image    Reduced power levels (sag and brownouts)

Computer Environment

This is one of the most neglected parts of network security. It falls under the broad category of physical controls (remember “PAT”?). Ensure that the physical environment is regulated for the following:

Image    Temperature

Image    Ventilation

Image    Humidity

MAC Flooding

This kind of attack will be examined in more detail in Chapter 10, “Protecting Switch Infrastructure.” This is an OSI layer 2 (data link layer) attack. Essentially, an attacker can use some commonly available tools (such as the macof utility) to inject a switch with vast quantities of Ethernet frames with fictitious source addresses. The normal behavior of the switch is to cache these addresses in its MAC address table. The MAC address table can contain only a finite number of entries. For example, a Cisco Catalyst 2924-XL-EN can contain 4096 entries in its MAC address table. Eventually, the switch will become so full of bogus MAC addresses that when it receives a frame, it will flood it out all its ports, effectively acting like a hub. If an attacker is connected to one of the switch’s ports, they will potentially see all the traffic served by that switch, compromising confidentiality as well as availability.
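As an added example (not from the book), port security on a Catalyst access port caps how many source MAC addresses the switch will learn on that port, so a flood of fictitious addresses can never fill the table; the syntax is the modern Catalyst IOS form (not the 2924-XL’s older commands), and the interface and VLAN numbers are constructed.

```cisco
! Added example, not from the book. Constructed: access port FastEthernet0/5
! in VLAN 10, serving a single user PC (plus room for an IP phone).
interface FastEthernet0/5
 description User access port (constructed example)
 switchport mode access
 switchport access vlan 10
 ! Enable port security and allow at most 2 learned source MACs on this port;
 ! a macof-style flood from this port cannot add a 3rd address to the table.
 switchport port-security
 switchport port-security maximum 2
 ! Learn the legitimate addresses dynamically and keep them in the running
 ! config, so a later, different address is treated as a violation.
 switchport port-security mac-address sticky
 ! restrict: drop frames from unknown sources and raise a violation counter
 ! and SNMP trap, but keep the port up for the legitimate hosts.
 ! (shutdown would err-disable the port instead, turning the flood into a
 ! self-inflicted DoS on that user.)
 switchport port-security violation restrict
 ! Age out idle learned addresses so a replaced PC does not need manual cleanup
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! If violation shutdown is used elsewhere, let err-disabled ports recover
! automatically after 5 minutes instead of requiring a manual bounce.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify learned addresses and violation counts after deployment:
! show port-security interface FastEthernet0/5
! show port-security address
! show mac address-table count
```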

Note

Do you know how on some vacuum cleaners, you can reverse their operation so they will blow air rather than suck particles? Some protocol analyzers can be configured to not only suck traffic off a wire, but to blow engineered traffic back (for example, Ethernet frames) into a network. Instant attack tool!

Best Practices to Thwart Network Attacks

If common sense were so common, we wouldn’t have to call it common. Cisco makes specific recommendations as to some best practices for ensuring that you reduce the risk footprint of your network through three categories of controls: administrative, technical, and physical security controls.

Administrative Controls

Administrative controls include the following:

Image    Written Security Policy. Put your security policy in writing! Make sure all the stakeholders (owners, custodians, and users) understand and respect their responsibilities. (This will be discussed in Chapter 2, “Building a Secure Network Using Security Controls.”)

Image    Education. Ensure all stakeholders are aware of the dangers of social engineering.

Image    Patches. Keep up-to-date with firmware, hardware, and software patches, particularly those that address security vulnerabilities.

Technical Controls

Technical controls include the following:

Image    Unnecessary Services and TCP/UDP Ports. Configure the network such that only necessary services are exposed. Don’t forget to configure servers so they only have the necessary services active.

Image    Encryption. Encrypt all sensitive data, especially if it passes over hostile networks.

Image    Passwords. Rotate passwords often and make them complex (strong).

Image    Hardware and Software. Use hardware and software that can mitigate risk to an appropriate level.

Physical Controls

Physical controls include the following:

Image    Physical Access. Limit physical access to systems to a select few and only those who need it.

Image    Environmental. Equipment should be in a controlled environment with regulated temperature, power, and ventilation.
