Network Security Fundamentals
Upon completion of this chapter, you will be able to answer the following questions:
Why are basic security measures necessary on network devices?
How do you identify security vulnerabilities?
How do you identify general mitigation techniques?
How do you configure network devices with device hardening features to mitigate security threats?
This chapter uses the following key terms. You can find the definitions in the glossary at the end of the book.
reconnaissance attack
denial of service (DoS) attack
AAA (authentication, authorization, and accounting)
You may have already set up a network, or you may be getting ready to do so. Here is something to think about: Setting up a network without securing it is like opening all the doors and windows to your home and then going on vacation. Anyone could come by, gain entry, steal or break items, or just make a mess. As news articles indicate all the time, it is possible to break into any network! As a network administrator, it is part of your job to make it difficult for threat actors to gain access to your network. This chapter provides an overview of the types of network attacks and what you can do to reduce a threat actor’s chances of succeeding. It also has Packet Tracer activities to let you practice some basic techniques for network security. If you have a network, but it is not as secure as possible, you should read this chapter right now!
This section provides an overview of the various types of network security threats and vulnerabilities.
Wired and wireless computer networks are essential to everyday activities. Individuals and organizations depend on their computers and networks. Intrusion by an unauthorized person can result in costly network outages and loss of work. Attacks on a network can be devastating and can result in a loss of time and money due to damage or theft of important information or assets.
Intruders can gain access to a network through software vulnerabilities, through hardware attacks, or by guessing someone’s username and password. Intruders who gain access by modifying software or exploiting software vulnerabilities are called threat actors.
After a threat actor gains access to a network, four types of threats may arise:
Information theft: This type of threat involves breaking into a computer to obtain confidential information. Information can be used or sold for various purposes. An example is stealing an organization’s proprietary information, such as research and development data.
Data loss and manipulation: This type of threat involves breaking into a computer to destroy or alter data records. An example of data loss is a threat actor sending a virus that reformats a computer hard drive. An example of data manipulation is breaking into a records system to change information, such as the price of an item.
Identity theft: This type of threat is a form of information theft in which personal information is stolen for the purpose of taking over someone’s identity. Using this information, a threat actor can obtain legal documents, apply for credit, and make unauthorized online purchases. Identity theft is a growing problem that costs billions of dollars per year.
Disruption of service: This type of threat involves preventing legitimate users from accessing services to which they are entitled. Examples include denial-of-service (DoS) attacks on servers, network devices, or network communications links.
Vulnerability refers to the degree of weakness in a network or device. Some degree of vulnerability is inherent in routers, switches, desktops, servers, and even security devices. Typically, the network devices under attack are the endpoints, such as servers and desktop computers.
There are three primary sources of vulnerabilities or weaknesses: technological, configuration, and security policy. All three of these sources of vulnerabilities can leave a network or device open to various attacks, including malicious code attacks and network attacks. Tables 16-1 through 16-3 describe examples of the vulnerabilities in each category.
Table 16-1 Technological Vulnerabilities
Vulnerability | Description
--- | ---
TCP/IP protocol weakness | Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Internet Control Message Protocol (ICMP) are inherently insecure. Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) are related to the inherently insecure structure on which TCP was designed.
Operating system weakness | Each operating system has security problems that must be addressed. UNIX, Linux, macOS, Mac OS X, Windows Server 2012, Windows 7, and Windows 8 are documented in the Computer Emergency Response Team (CERT) archives at http://www.cert.org.
Network equipment weakness | Various types of network equipment, such as routers, firewalls, and switches, have security weaknesses that must be recognized and protected against. Their weaknesses include password protection, lack of authentication, routing protocols, and firewall holes.
Table 16-2 Configuration Vulnerabilities
Vulnerability | Description
--- | ---
Unsecured user accounts | User account information may be transmitted insecurely across the network, exposing usernames and passwords to threat actors.
System accounts with easily guessed passwords | This common problem is the result of poorly created user passwords.
Misconfigured internet services | When JavaScript is turned on in a web browser, threat actors may be able to access untrusted sites. Other potential sources of weakness include misconfigured terminal services, FTP, or web servers (such as Microsoft Internet Information Services [IIS] and Apache HTTP server).
Unsecured default settings in products | Many products have default settings that create or enable holes in security.
Misconfigured network equipment | Misconfigurations of equipment can cause significant security problems. For example, misconfigured access lists, routing protocols, or SNMP community strings can create or enable holes in security.
Table 16-3 Policy Vulnerabilities
Vulnerability | Description
--- | ---
Lack of written security policy | A security policy cannot be consistently applied or enforced if it is not written down.
Politics | Political battles and turf wars can make it difficult to implement a consistent security policy.
Lack of authentication continuity | Poorly chosen, easily cracked, or default passwords can allow unauthorized access to a network.
Logical access controls not applied | Inadequate monitoring and auditing allow attacks and unauthorized use to continue, wasting company resources. It could result in legal action against or termination of IT technicians, IT management, or even company leaders who allow these unsafe conditions to persist.
Software and hardware installation and changes that do not follow policy | Unauthorized changes to the network topology and installation of unapproved applications create or enable holes in security.
Lack of a disaster recovery plan | Without a disaster recovery plan, chaos, panic, and confusion may occur when a natural disaster occurs or a threat actor attacks the enterprise.
An important vulnerable area of the network to consider is the physical security of devices. If network resources can be physically compromised, a threat actor can deny the use of network resources.
The four classes of physical threats are as follows:
Hardware threats: This includes physical damage to servers, routers, switches, the cabling plant, and workstations.
Environmental threats: This includes temperature extremes (too hot or too cold) or humidity extremes (too damp or too dry).
Electrical threats: This includes voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss.
Maintenance threats: This includes poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling.
An organization needs to create and implement a good plan for physical security to address these issues. Figure 16-1 shows an example of a physical security plan, which includes taking the following actions:
Figure 16-1 Plan Physical Security to Limit Damage to Equipment
Secure the computer room.
Implement physical security to limit damage to equipment.
Lock up equipment and prevent unauthorized access from the doors, ceiling, raised floor, windows, ducts, and vents.
Monitor and control closet entry with electronic logs.
Use security cameras.
Check Your Understanding—Security Threats and Vulnerabilities (16.1.4)
Refer to the online course to complete this activity.
Many different types of network attacks may occur, using a variety of different methods. The previous section explains the types of network threats and the vulnerabilities that make threats possible. This section goes into more detail about how threat actors gain access to a network or restrict authorized users from having access. It discusses different categories of network attacks, such as malware, reconnaissance attacks, access attacks, and denial-of-service attacks, and provides examples of each.
Malware is short for malicious software. It is code or software specifically designed to damage, disrupt, steal, or inflict “bad,” or illegitimate, action on data, hosts, or networks. Viruses, worms, and Trojan horses are types of malware.
A computer virus is a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program. It spreads from one computer to another, leaving infection as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to executable files, which means the virus may exist on a system but be inactive and unable to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after a virus infects it. However, some viruses overwrite other programs with copies of themselves, destroying the host programs altogether. A virus spreads when the software or document it is attached to is transferred from one computer to another using the network, a disk, file sharing, or infected email attachments.
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. A worm does not need to attach to a program to infect a host; it can enter a computer through a vulnerability in the system. Worms take advantage of system features to travel through the network unaided.
A Trojan horse is a type of malware named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing a Trojan on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (by presenting excessive pop-up windows or changing the desktop) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojan horses are also known to create backdoors to give malicious users access to the system.
Unlike viruses and worms, Trojan horses do not reproduce by infecting other files. They do not self-replicate. Trojan horses must spread through user interaction; for example, a user may need to open an email attachment or download and run a file from the internet.
Animated Explanation of the Three Types of Malware
Go to the online course to view an animated explanation of the three types of malware.
In addition to being threatened by malicious code attacks, it is also possible for networks to fall prey to various network attacks. Network attacks can be classified into three major categories:
Reconnaissance attacks: These attacks involve discovery and mapping of systems, services, or vulnerabilities.
Access attacks: These attacks involve unauthorized manipulation of data, system access, or user privileges.
Denial-of-service (DoS) attacks: These attacks involve disabling or corruption of networks, systems, or services.
For reconnaissance attacks, external threat actors can use internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity. After the IP address space is determined, a threat actor can then ping the publicly available IP addresses to identify the addresses that are active. To help automate this step, a threat actor may use a ping sweep tool, such as fping or gping, to systematically ping all network addresses in a given range or subnet. This is similar to going through a section of a telephone book and calling each number to see who answers. A reconnaissance attack typically proceeds in three stages:
Internet queries: The threat actor looks for initial information about a target. Various tools can be used, including Google search, the websites of organizations, whois, and more.
Ping sweeps: The threat actor initiates a ping sweep to determine which IP addresses are active.
Port scans: The threat actor performs a port scan on the discovered active IP addresses.
Animations of Internet Queries, Ping Sweeps, and Port Scans
Go to the online course to view animations of internet queries, ping sweeps, and port scans.
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. An access attack allows individuals to gain unauthorized access to information that they have no right to view. Access attacks can be classified into four types: password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
Threat actors can implement password attacks using several different methods:
Brute-force attacks
Trojan horse attacks
Packet sniffers
In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system and may compromise the target. In Figure 16-2, System A trusts System B. System B trusts everyone. The threat actor wants to gain access to System A. Therefore, the threat actor compromises System B first and then can use System B to attack System A.
Figure 16-2 Example of a Trust Exploitation
In a port redirection attack, a threat actor uses a compromised system as a base for attacks against other targets. The example in Figure 16-3 shows a threat actor using SSH (port 22) to connect to a compromised Host A. Host A is trusted by Host B and, therefore, the threat actor can use Telnet (port 23) to access it.
Figure 16-3 Example of Port Redirection
In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties. Figure 16-4 shows an example of a man-in-the-middle attack where the numbers relate to the following steps:
Step 1. When a victim requests a web page, the request is directed to the threat actor’s computer.
Step 2. The threat actor’s computer receives the request and retrieves the real page from the legitimate website.
Step 3. The threat actor can alter the legitimate web page and make changes to the data.
Step 4. The threat actor forwards the requested page to the victim.
Figure 16-4 Example of a Man-in-the-Middle Attack
Denial-of-service (DoS) attacks are the most publicized form of attack and among the most difficult to eliminate. However, because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators.
DoS attacks take many forms. Ultimately, they prevent authorized people from using a service by consuming system resources. To help prevent DoS attacks, it is important to stay up to date with the latest security updates for operating systems and applications.
DoS attacks are a major risk because they interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled threat actor. Figure 16-5 shows an example of a DoS attack.
Figure 16-5 Example of a DoS Attack
A distributed denial-of-service (DDoS) attack is similar to a DoS attack, but it originates from multiple, coordinated sources. For example, in Figure 16-6, a threat actor builds a network of infected hosts, known as zombies, to form a botnet. The threat actor uses a command-and-control (CnC) program to instruct the botnet of zombies to carry out a DDoS attack.
Figure 16-6 Example of a DDoS Attack
Check Your Understanding—Network Attacks (16.2.5)
Refer to the online course to complete this activity.
Lab—Research Network Security Threats (16.2.6)
In this lab, you will complete the following objectives:
Part 1: Explore the SANS Website
Part 2: Identify Recent Network Security Threats
Part 3: Detail a Specific Network Security Threat
An important aspect of being a network professional is to take the necessary precautions to prevent network attacks before they happen. Now that you know more about how threat actors can break into networks, you need to understand what to do to prevent such unauthorized access. This section details several actions you can take to make a network more secure.
To mitigate network attacks, you must first secure devices, including routers, switches, servers, and hosts. Most organizations use a defense-in-depth approach (also known as a layered approach) to security. This requires a combination of networking devices and services working in tandem.
Consider the network in Figure 16-7. Several security devices and services have been implemented to protect its users and assets against TCP/IP threats.
Figure 16-7 Example of a Defense-in-Depth Topology
All network devices, including the router and switches, are also hardened, as indicated by the padlocks on their respective icons. This indicates that they have been secured to prevent threat actors from gaining access and tampering with the devices.
Backing up device configurations and data is one of the most effective ways of protecting against data loss. A data backup stores a copy of the information on a computer to removable backup media that can be kept in a safe place. Infrastructure devices should have backups of configuration files and IOS images on an FTP or similar file server. If a computer or router fails, the data or configuration can be restored using the backup copy.
Backups should be performed on a regular basis, as identified in the security policy. Data backups are usually stored offsite to protect the backup media in case anything happens to the main facility. Windows hosts have a backup and restore utility. It is important for users to back up their data to another drive or to a cloud-based storage provider.
Table 16-4 describes some important backup considerations.
Table 16-4 Backup Considerations
Consideration | Description
--- | ---
Frequency | Perform backups on a regular basis, as identified in the security policy. Full backups can be time-consuming, so perform monthly or weekly backups with frequent partial backups of changed files.
Storage | Backups should be transported to an approved offsite storage location on a daily, weekly, or monthly rotation, as required by the security policy.
Security | Backups should be protected using strong passwords that are required to restore the data.
Validation | Always validate backups to ensure the integrity of the data and validate the file restoration procedures.
Keeping up to date with the latest developments can lead to more effective defense against network attacks. As new malware is released, enterprises need to keep current with the latest versions of antivirus software.
The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems. Administering numerous systems involves creating a standard software image (of operating system and accredited applications that are authorized for use on client systems) that is deployed on new or upgraded systems. However, security requirements change, and deployed systems may need to have updated security patches installed.
One solution to the management of critical security patches is to make sure all end systems automatically download and install updates without user intervention, as shown for Windows 10 in Figure 16-8.
Figure 16-8 Windows 10 Update
All network devices should be securely configured to provide only authorized individuals with access. Authentication, authorization, and accounting (AAA, or “triple A”) network security services provide the primary framework to set up access control on network devices.
AAA makes it possible to control who is permitted to access a network (authenticate) and what actions they can perform while accessing the network (authorize), as well as to make a record of what was done while they were there (accounting).
The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it and how much that user can spend, and it keeps an account of what items the user spent money on, as shown in Figure 16-9.
Figure 16-9 AAA Credit Card Bill Analogy
A firewall is one of the most effective security tools available for protecting users from external threats. A firewall protects computers and networks by preventing undesirable traffic from entering internal networks.
Network firewalls reside between two or more networks, control the traffic between them, and help prevent unauthorized access. For example, the top topology in Figure 16-10 illustrates how a firewall enables traffic from an internal network host to exit the network and return to the inside network. The bottom topology illustrates how traffic initiated by the outside network (that is, the internet) is denied access to the internal network.
Figure 16-10 Firewall Operation
A firewall may be able to allow outside users controlled access to specific services. For example, servers accessible to outside users are usually located on a special network referred to as the demilitarized zone (DMZ), as shown in Figure 16-11. The DMZ enables a network administrator to apply specific policies for hosts connected to that network.
Figure 16-11 Firewall Topology with DMZ
Firewall products come packaged in various forms. These products use different techniques for determining what will be permitted or denied access to a network. They include the following:
Packet filtering: Prevents or allows access based on IP addresses or MAC addresses.
Application filtering: Prevents or allows access by specific application types based on port numbers.
URL filtering: Prevents or allows access to websites based on specific URLs or keywords.
Stateful packet inspection (SPI): Ensures that incoming packets are legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks, such as denial-of-service (DoS) attacks.
An endpoint, or host, is an individual computer system or device that acts as a network client. Common endpoints are laptops, desktops, servers, smartphones, and tablets. Securing endpoint devices is one of the most challenging jobs of a network administrator because human nature creates complications. A company must have well-documented policies in place, and employees must be trained on the rules and proper use of the network. Policies often include the use of antivirus software and host intrusion prevention. More comprehensive endpoint security solutions rely on network access control.
Check Your Understanding—Network Attack Mitigation (16.3.8)
Refer to the online course to complete this activity.
Devices on a network require special security. You probably already have a password for your computer, smartphone, or tablet. Is it as strong as it could be? Are you using other tools to enhance the security of your devices? This section discusses how to protect network devices, including end devices and intermediary devices, with proper security measures.
When a new operating system is installed on a device, the security settings are set to the default values. In most cases, this level of security is inadequate. The Cisco AutoSecure feature can be used to assist in securing Cisco routers, as shown in Example 16-1.
Example 16-1 Configuring Cisco AutoSecure
Router# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***
In addition, some simple security guidelines apply to most operating systems:
Default usernames and passwords should be changed immediately.
Access to system resources should be restricted to only the individuals who are authorized to use those resources.
Any unnecessary services and applications should be turned off and uninstalled when possible.
Often, devices shipped from the manufacturer have been sitting in a warehouse for a period of time and do not have the most up-to-date patches installed. It is important to update any software and install any security patches prior to implementation.
To protect network devices, it is important to use strong passwords. Here are standard guidelines to follow:
Use a password length of at least 8 characters—and preferably 10 or more characters. A longer password is a more secure password.
Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
Change passwords often. This way, if a password is unknowingly compromised, the window of opportunity for the threat actor to use the password is limited.
Do not write down passwords in obvious places such as on the desk or monitor.
Tables 16-5 and 16-6 show examples of strong and weak passwords.
Table 16-5 Weak Passwords
Weak Password | Why It Is Weak
--- | ---
secret | Simple dictionary password
smith | Maiden name of mother
toyota | Make of a car
bob1967 | Name and birthday of the user
Blueleaf23 | Simple words and numbers
Table 16-6 Strong Passwords
Strong Password | Why It Is Strong
--- | ---
b67n42d39c | Combines alphanumeric characters
12^h u4@1p7 | Combines alphanumeric characters and symbols and includes a space
On Cisco routers, leading spaces are ignored in passwords, but spaces after the first character are not. Therefore, one method to create a strong password is to use spaces in a phrase consisting of many words. This is called a passphrase. A passphrase is often easier to remember than a simple password. It is also longer and harder to guess.
Strong passwords are useful only if they are secret. Several steps can help ensure that passwords remain secret on a Cisco router and switch, including these:
Encrypt all plaintext passwords.
Set a minimum acceptable password length.
Deter brute-force password guessing attacks.
Disable an inactive privileged EXEC mode access after a specified amount of time.
As shown in the sample configuration in Example 16-2, the service password-encryption global configuration command prevents unauthorized individuals from viewing plaintext passwords in the configuration file. This command encrypts all plaintext passwords. Notice in the example that the password cisco has been encrypted as 03095A0F034F. (Keep in mind that cisco would not be a secure password; it is used here for illustration only.)
To ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length length command in global configuration mode. In Example 16-2, any new password configured would need to have a minimum length of eight characters.
Threat actors may use password cracking software to conduct a brute-force attack on a network device. Such an attack repeatedly attempts to guess the valid passwords until one works. Use the login block-for seconds attempts number within seconds global configuration command to deter this type of attack. In Example 16-2, the login block-for 120 attempts 3 within 60 command blocks vty login attempts for 120 seconds if there are three failed login attempts within 60 seconds.
Network administrators might become distracted and accidently leave a privileged EXEC mode session open on a terminal. This could enable an internal threat actor access to change or erase the device configuration.
By default, Cisco routers log out an EXEC session after 10 minutes of inactivity. However, you can reduce this setting by using the exec-timeout minutes seconds line configuration command. This command can be applied on the console, auxiliary, and vty lines. In Example 16-2, exec-timeout 5 30 tells the Cisco device to automatically disconnect an inactive user on a vty line after the user has been idle for 5 minutes and 30 seconds.
Example 16-2 Configuring Additional Password Security on a Cisco Router
Router(config)# service password-encryption
Router(config)# security passwords min-length 8
Router(config)# login block-for 120 attempts 3 within 60
Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# exec-timeout 5 30
Router(config-line)# transport input ssh
Router(config-line)# end
Router#
Router# show running-config | section line vty
line vty 0 4
 password 7 03095A0F034F
 exec-timeout 5 30
 login
 transport input ssh
Router#
Telnet simplifies remote device access, but it is not secure. Data contained in a Telnet packet is transmitted unencrypted. For this reason, it is highly recommended to enable Secure Shell (SSH) on devices for secure remote access.
It is possible to configure a Cisco device to support SSH by using the following six steps:
Step 1. Configure a unique device hostname other than the default.
Step 2. Configure the IP domain name of the network by using the global configuration mode command ip domain name name.
Step 3. Generate a key to encrypt SSH traffic by using the global configuration command crypto key generate rsa general-keys modulus bits. The modulus bits determines the size of the key and can be configured to a value between 360 bits and 2048 bits. The larger the bit value, the more secure the key. However, with larger bit values, it also takes longer to encrypt and decrypt information. The minimum recommended modulus length is 1024 bits.
Step 4. Verify or create a local database entry by using the username global configuration command. In the example, the parameter secret is used so that the password will be encrypted using MD5.
Step 5. Use the login local line configuration command to authenticate the vty line against the local database.
Step 6. Enable vty inbound SSH sessions. By default, no input session is allowed on vty lines. You can specify multiple input protocols including Telnet and SSH by using the transport input {ssh | telnet} command.
In Example 16-3, router R1 is configured in the span.com domain. This information is used along with the bit value specified in the crypto key generate rsa general-keys modulus command to create an encryption key. Next, a local database entry for a user named Bob is created. Finally, the vty lines are configured to authenticate against the local database and to accept only incoming SSH sessions.
Example 16-3 Configuring SSH Access on a Cisco Router
Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain name span.com
R1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.span.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK]
Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#
R1(config)# username Bob secret cisco
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
R1(config)#
Cisco routers and switches start with a list of active services that may or may not be required in the network. It is a best practice to disable any unused services to preserve system resources, such as CPU cycles and RAM, and to prevent threat actors from exploiting these services. The set of services that is on by default varies depending on the IOS version. For example, IOS XE typically has only the HTTPS and DHCP ports open. You can verify this with the show ip ports all command, as shown in Example 16-4.
Example 16-4 Showing Open Ports on IOS XE
Router# show ip ports all
Proto Local Address               Foreign Address             State       PID/Program Name
TCB   Local Address               Foreign Address             (state)
tcp   :::443                      :::*                        LISTEN      309/[IOS]HTTP CORE
tcp   *:443                       *:*                         LISTEN      309/[IOS]HTTP CORE
udp   *:67                        0.0.0.0:                                387/[IOS]DHCPD Receive
Router#
IOS versions prior to IOS XE use the show control-plane host open-ports command. You might see this command on older devices. The output is similar to the output shown in Example 16-4. However, notice that this older router has an insecure HTTP server and Telnet running. Both of these services should be disabled. As shown in Example 16-5, you can disable HTTP with the no ip http server global configuration command. You disable Telnet by specifying only SSH in the line configuration command: transport input ssh.
Example 16-5 Showing Open Ports on IOS Versions Prior to IOS XE
Router# show control-plane host open-ports
Active internet connections (servers and established)
Prot   Local Address      Foreign Address    Service          State
 tcp   *:23               *:0                Telnet           LISTEN
 tcp   *:80               *:0                HTTP CORE        LISTEN
 udp   *:67               *:0                DHCPD Receive    LISTEN
Router# configure terminal
Router(config)# no ip http server
Router(config)# line vty 0 15
Router(config-line)# transport input ssh
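The hardening checklist built up in Examples 16-2 through 16-5 (encrypted line passwords, a minimum password length, login block-for, exec-timeout, username accounts with secret and login local on the vty lines, SSH as the only vty transport, and no plaintext HTTP server) is easy to verify mechanically once the running-config is saved to a file. The following Python script is an added example, not code from the book or from Cisco IOS: it parses the text of show running-config and reports every deviation from that checklist. The two sample configs are constructed for the example, the type 7 string and the hash values in them are illustrative placeholders, and the 8-character minimum and the exec-timeout limit are assumptions of the script, not IOS defaults.

```python
"""Audit the text of 'show running-config' against the chapter's hardening checklist.

Added example, not code from the book or from Cisco IOS. The thresholds
below are this script's assumptions, not IOS defaults.
"""
import re

MIN_PASSWORD_LENGTH = 8        # assumption: the value the chapter configures
MAX_EXEC_TIMEOUT_MINUTES = 10  # assumption: policy limit chosen for this audit


def parse_config(text):
    """Split a running-config into global commands and per-section bodies.

    IOS indents the body of a section (line vty 0 4, interface ...) by one
    space; the next non-indented line ends it. Returns (global_lines, sections),
    where sections maps a header such as 'line vty 0 4' to its body lines.
    """
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(stripped)
        elif stripped.startswith(("line ", "interface ")):
            current = stripped
            sections[current] = []
        else:
            current = None
            global_lines.append(stripped)
    return global_lines, sections


def _first(lines, pattern):
    """Return the first re.match of pattern (anchored at line start), or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m
    return None


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, sections = parse_config(text)
    findings = []

    # Global password hygiene (Example 16-2).
    if "service password-encryption" not in global_lines:
        findings.append("global: service password-encryption missing; line passwords are stored in clear text")
    m = _first(global_lines, r"security passwords min-length (\d+)$")
    if m is None or int(m.group(1)) < MIN_PASSWORD_LENGTH:
        findings.append(f"global: security passwords min-length is not at least {MIN_PASSWORD_LENGTH}")
    if _first(global_lines, r"login block-for \d+ attempts \d+ within \d+$") is None:
        findings.append("global: login block-for missing; nothing slows brute-force guessing")
    if _first(global_lines, r"enable password ") is not None:
        findings.append("global: enable password present; replace it with enable secret")
    for line in global_lines:
        m = re.match(r"username (\S+)(?: privilege \d+)? (password|secret)\b", line)
        if m and m.group(2) == "password":
            findings.append(f"global: username {m.group(1)} uses 'password'; use 'secret' for a one-way hash")

    # Unused services (Example 16-5): plaintext HTTP management.
    if "ip http server" in global_lines:
        findings.append("global: ip http server enabled; disable it with 'no ip http server'")

    # vty lines (Examples 16-2 and 16-3).
    vty_sections = {h: b for h, b in sections.items() if h.startswith("line vty")}
    if not vty_sections:
        findings.append("vty: no 'line vty' section found")
    for header, body in vty_sections.items():
        transport = _first(body, r"transport input (.+)$")
        if transport is None:
            findings.append(f"{header}: transport input not set; the platform default decides what is accepted")
        elif transport.group(1).strip() != "ssh":
            findings.append(f"{header}: transport input {transport.group(1)} admits a protocol other than SSH")
        if _first(body, r"login (local|authentication \S+)$") is None:
            findings.append(f"{header}: no 'login local' (or AAA login list); the line relies on a shared password")
        timeout = _first(body, r"exec-timeout (\d+) (\d+)$")
        if timeout is not None:  # absent means the IOS default of 10 minutes
            minutes, seconds = int(timeout.group(1)), int(timeout.group(2))
            if minutes == 0 and seconds == 0:
                findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
            elif minutes > MAX_EXEC_TIMEOUT_MINUTES:
                findings.append(f"{header}: exec-timeout {minutes} {seconds} exceeds {MAX_EXEC_TIMEOUT_MINUTES} minutes")
    return findings


# Constructed sample configs for this example (not captured from a real device).
WEAK_CONFIG = """\
hostname Router
enable password cisco
username admin password 0 cisco
ip http server
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 exec-timeout 0 0
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
hostname R1
security passwords min-length 8
login block-for 120 attempts 3 within 60
enable secret 5 $1$placeholder$hash
username Bob secret 5 $1$placeholder$hash
ip domain name span.com
no ip http server
!
line con 0
 password 7 0822455D0A16
 exec-timeout 5 30
 login
line vty 0 4
 exec-timeout 5 30
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak sample, the script reports nine findings, one per checklist item the chapter's examples fix; against the hardened sample it reports none. The script checks presence and values only; it does not decode type 7 strings or judge hash strength, so a config can pass the audit and still carry a weak secret.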
Packet Tracer—Configure Secure Passwords and SSH (16.4.6)
The network administrator has asked you to prepare RTA and SW1 for deployment. Before they can be connected to the network, security measures must be enabled.
Lab—Configure Network Devices with SSH (16.4.7)
In this lab, you will complete the following objectives:
Part 1: Configure Basic Device Settings
Part 2: Configure the Router for SSH Access
Part 3: Configure the Switch for SSH Access
Part 4: SSH from the CLI on the Switch
The following is a summary of the topics in the chapter and their corresponding online modules.
Attacks on a network can be devastating and can result in lost time and money due to damage or theft of important information or assets. Intruders who gain access by modifying software or exploiting software vulnerabilities are threat actors. After a threat actor gains access to a network, four types of threats may arise: information theft, data loss and manipulation, identity theft, and disruption of service. There are three primary vulnerabilities or weaknesses: technological, configuration, and security policy. The four classes of physical threats are hardware, environmental, electrical, and maintenance.
Malware, which is short for malicious software, is code or software specifically designed to damage, disrupt, steal, or inflict “bad,” or illegitimate, action on data, hosts, or networks. Viruses, worms, and Trojan horses are types of malware. Network attacks can be classified into three major categories: reconnaissance, access, and denial of service. The three types of reconnaissance attacks are internet queries, ping sweeps, and port scans. The four types of access attacks are password (brute-force, Trojan horse, packet sniffers), trust exploitation, port redirection, and man-in-the-middle attacks. The two types of service disruption attacks are DoS and DDoS.
To mitigate network attacks, you must first secure devices, including routers, switches, servers, and hosts. Most organizations employ a defense-in-depth approach to security. This requires a combination of networking devices and services working together. Several security devices and services are implemented to protect an organization’s users and assets against TCP/IP threats: VPN, ASA firewall, IPS, ESA/WSA, and AAA server. Infrastructure devices should have backups of configuration files and IOS images on an FTP or similar file server. If a computer’s or a router’s hardware fails, the data or configuration can be restored using the backup copy. The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems. To manage critical security patches, make sure all end systems automatically download updates. AAA makes it possible to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and what actions they perform while accessing the network (accounting). Network firewalls reside between two or more networks, control the traffic between them, and help prevent unauthorized access. Servers accessible to outside users are usually located on a special network referred to as the DMZ. Firewalls use various techniques for determining what is permitted or denied access to a network, including packet filtering, application filtering, URL filtering, and SPI. Securing endpoint devices is critical to network security. A company must have well-documented policies in place, which may include the use of antivirus software and host intrusion prevention. More comprehensive endpoint security solutions rely on network access control.
When a new OS is installed on a device, the security settings are set to the default values. This level of security is inadequate. For Cisco routers, the Cisco AutoSecure feature can be used to assist in securing a system. For most OSs, default usernames and passwords should be changed immediately, access to system resources should be restricted to only the individuals authorized to use those resources, and any unnecessary services and applications should be turned off and uninstalled when possible. To protect network devices, it is important to use strong passwords. A passphrase is often easier to remember than a simple password; it is also longer and harder to guess. For routers and switches, encrypt all plaintext passwords, set a minimum acceptable password length, deter brute-force password guessing attacks, and disable inactive privileged EXEC mode access after a specified amount of time. Configure appropriate devices to support SSH and disable unused services.
Packet Tracer—Secure Network Devices (16.5.1)
In this activity, you will configure a router and a switch based on a list of requirements.
Lab—Secure Network Devices (16.5.2)
In this lab, you will complete the following objectives:
Part 1: Configure Basic Device Settings
Part 2: Configure Basic Security Measures on the Router
Part 3: Configure Basic Security Measures on the Switch
The following activities provide practice with the topics introduced in this chapter. The lab is available in the companion Introduction to Networks Labs & Study Guide (CCNAv7) (ISBN 9780136634454). The Packet Tracer activity instructions are also provided in the Labs & Study Guide. The PKA files are available in the online course.
Labs
Lab 16.2.6: Research Network Security Threats
Lab 16.4.7: Configure Network Devices with SSH
Lab 16.5.2: Secure Network Devices
Packet Tracer Activities
Packet Tracer 16.4.6: Configure Secure Passwords and SSH
Packet Tracer 16.5.1: Secure Network Devices
Complete all the review questions listed here to test your understanding of the topics and concepts in this chapter. The appendix “Answers to ‘Check Your Understanding’ Questions” lists the answers.
1. Which component is designed to protect against unauthorized communications to and from a computer?
security center
port scanner
antimalware
antivirus
firewall
2. Which command blocks login attempts on RouterA for a period of 30 seconds if there are 2 failed login attempts within 10 seconds?
RouterA(config)# login block-for 10 attempts 2 within 30
RouterA(config)# login block-for 30 attempts 2 within 10
RouterA(config)# login block-for 2 attempts 30 within 10
RouterA(config)# login block-for 30 attempts 10 within 2
3. What is the purpose of the network security accounting function?
to require users to prove who they are
to determine which resources a user can access
to keep track of the actions of users
to provide challenge-and-response questions
4. What type of attack may involve the use of tools such as nslookup and fping?
access attack
reconnaissance attack
denial-of-service attack
worm attack
5. Which benefit does SSH offer over Telnet for remotely managing a router?
encryption
TCP usage
authorization
connections via multiple vty lines
6. What is one of the most effective security tools available for protecting users from external threats?
firewall
router that runs AAA services
patch server
password encryption
7. Which type of network threat is intended to prevent authorized users from accessing resources?
DoS attack
access attack
reconnaissance attack
trust exploitation
8. Which three services are provided by the AAA framework? (Choose three.)
accounting
automation
authorization
authentication
availability
autoconfiguration
9. Which malicious code attack is self-contained and tries to exploit a specific vulnerability in a system?
virus
worm
Trojan horse
maintenance
10. Some routers and switches in a wiring closet malfunctioned after an air conditioning unit failed. What type of threat does this situation describe?
configuration
environmental
electrical
maintenance
11. What does the term vulnerability mean?
a weakness that makes a target susceptible to an attack
a computer that contains sensitive information
a method of attack to exploit a target
a known target or victim machine
a potential threat a hacker creates
12. What three configuration steps must be performed to implement SSH access to a router? (Choose three.)
a password on the console line
an IP domain name
a user account
an enable mode password
a unique hostname
an encrypted password
13. What is the objective of a network reconnaissance attack?
discover and map systems
manipulate data without authorization to do so
disable network systems or services
deny access to resources by legitimate users
14. For security reasons, a network administrator needs to ensure that local computers cannot ping each other. Which settings can accomplish this task?
smartcard settings
firewall settings
MAC address settings
file system settings
15. A network administrator establishes a connection to a switch through SSH. What characteristic uniquely describes the SSH connection?
out-of-band access to a switch through the use of a virtual terminal with password authentication
remote access to the switch through the use of a telephone dialup connection
on-site access to a switch through the use of a directly connected PC and a console cable
remote access to a switch where data is encrypted during the session
direct access to the switch through the use of a terminal emulation program