As networks grow and technology advances, so does the cyber threats landscape. Every hour a new threat emerges, and cybersecurity companies are battling to mitigate and prevent such malicious attacks from invading our computers and networks. This has been a challenge for all, from the evolution of a simple batch virus script to Advanced Persistent Threats (APTs). Cisco has created a certification that allows you to begin your career in network security, the Cisco Certified Network Associate (CCNA) security designation.
This certification focuses on understanding threats to secure your network using Cisco routers and switches and even configuring and setting up the Cisco Adaptive Security Appliance (ASA). After completion, you'll be able to function as a network security engineer and mitigate and prevent such threats from entering your network. This chapter covers the basic principles of implementing network security in an enterprise network.
Security is very important and if no proper security principles are followed, it will lead to financial risks, legal risks, and negative public relations implications. In some cases, the overall business may be placed at risk due to the noncompliance of security policies. The security of an enterprise network can be viewed from different perspectives. For a management team, the network is a tool that enables the business goals of the company. For end users, a network is just a tool for them to complete their job. Unfortunately, if an end user or a management team is not maintaining their data safely, it may lead to several vulnerabilities and security threats. If the hacker compromises and gains access to the data and applications, the security component of the network fails.
The following topics are the three basic concepts of network security:
- Confidentiality: The privacy of the data in the network. The data on the network should be protected from unauthorized users and they should not access the data by any means. The data can be protected by encrypting it.
- Integrity: The changes made to the data should only be made by the authorized users. If the data in transit is corrupted, it leads to a failure of integrity and a loss of revenue.
- Availability: A network, or data, should be available to its authorized users. The term availability refers to the provision of services that are dependent on networks, systems, and data. Any impact on the availability of the data leads to heavy loss of business and revenue.
The following diagram illustrates the working mechanism of the network security concept better known as the CIA triad:
After completing this chapter, you will:
- Understand the basics of network security
- Understand the different security terminologies
- Understand different types of attack
- Understand the different types of security tools
Network security is a very broad concept; it starts with authenticating users and authorizing resources. It deals with security threats analysis and vulnerability checks.
A threat is the potential for an attacker to take advantage of a vulnerability on a system. An example of a threat can be a disgruntled employee who has been given a warning letter in an organization. This person may want to inflict harm to the company's network and has decided to research exploitation.
Some further examples of threats include malware, Denial of Service (DoS), and phishing.
Let's now discuss risk and countermeasure:
- Risk: A risk is the likelihood of a threat actor taking advantage of a vulnerability that can attack a network system, which leads to damage to the network
- Countermeasure: A countermeasure can be a combination of a process and a device that can act together as a safeguard against potential attacks, thereby reducing security risks
Vulnerability is a weakness of the system, data, or any application, by which unauthorized persons can exploit it. Vulnerability on the network may occur due to various reasons:
- Result of a malicious attack
- Failure of a policy
- Weakness of the system or a policy
- Weakness of a protocol
Vulnerabilities are found in operating systems, routers, switches, firewalls, applications, antivirus software, and so on. An attacker uses these vulnerabilities to create a threat to the network. Generally, vulnerabilities arise due to high complexity or human error while developing an application and designing a network.
Vulnerability analysis is the process of identifying security weaknesses on a computing platform or network. This aids the internal security team (blue team) in remediating any flaws that have been discovered. A security team is also responsible for conducting a vulnerability assessment to evaluate the cybersecurity risk and try to minimize/mitigate it as much as possible. Vulnerability assessments are usually conducted before and after applying any countermeasures within the organization. This helps with the evaluation process to determine whether the attack surfaces are reduced; it also ensures the proper practices are used and applied correctly.
When an administrator dealing with security installs a patch on the endpoint security tool, there are chances of manual errors or misconfigurations in the tool that may open a door for a hacker to attack the node.
Periodic vulnerability testing/analysis is essential in such situations.
Vulnerability assessments have the following advantages:
- Help administrators to keep their data safe from hackers and attackers, which eliminates business risks.
- Vulnerability assessment tools help administrators to check for loopholes in the network architecture. These tools also examine whether there are any possible destructive actions that can cause damage to your application, software, or network.
- Vulnerability assessment tools detect attack pathways that may get missed in manual assessment, which increases the ROI.
Before performing a vulnerability assessment, the administrators should create a test plan, develop a threat model and verify the URLs, and access credentials.
There are two ways of conducting a vulnerability assessment. The first one is the automated dynamic scanning and the other is the manual Vulnerability and Penetration Testing (VAPT).
In the automated method, a tool, such as Burp Suite Pro, IBM Rational AppScan, is used to scan the application and find security flaws. The manual testing is performed in the following steps:
- Check SQL injection, XML injection, and LDAP injection flaws
- Inspect poor authentication methods and cracked login processes
- Inspect cookies and other session details
- Inspect the default settings in the security configurations in the devices
- Inspect broken encryption algorithms and other ciphers to secure the communications
Choose either automatic or manual testing methods to verify the scan results, collect evidence, and complete the reports.
An attack is the process of attempting to steal data, destroy data, gain unauthorized access to a device, or even shut down/disable a system, preventing legitimate users from accessing the resources. An attack can be local, where a malicious user has physical access to the system and either executes a malicious payload or is attempting to gain access into the device. A remote attack requires the malicious user to send a payload over a network connection to the victim device in the hope that the attack would be successful and it would either gain control of the victim device or cause service interruptions (denial of service).
Attacks are mainly distinguished as either:
- Passive attacks
- Active attacks
In a passive attack, the attacker is considered to be in a learning (monitoring) state to understand the details about the potential victim's device, how it performs and operates. This allows the attacker to have a better attack strategy. An example of a passive attack is where an attacker is sniffing the network traffic between a victim machine and its default gateway.
Types of passive attack:
- Sniffing: Capturing packets unknown to users on the network. The goal is to obtain any sensitive information sent across the network.
- Port scanning: Checking for open TCP and UDP ports. This will aid the attacker in determining the services running on the target/victim machine.
In an active attack, the attacker may have already done enough reconnaissance on the target device and is ready to execute its exploit against the victim. Sometimes, the attack can be a direct attack, meaning the exploit is sent from the attacker's machine to the target, or an indirect attack, where the attacker compromises another machine, making it a zombie, and using the zombie to pivot all the attacks through it. Therefore, the zombie would seem to be the attacker machine from the view of the victim.
Examples of active attacks include:
- Denial of Service: This attack focuses on exhausting the resources of a system, therefore legitimate users are not given access to the resource
- Botnet: The attacker sets up a Command and Control (CnC) server to control all its infected machines (zombies) to carry out malicious activities
In a spoofing attack, the attacker uses false information to pretend to be a legitimate or authorized user/machine. When an attacker attempts to exploit a system or deliver a payload, they have to try to trick the user into falling victim to the attack. Sometimes, changing the source IP address and source MAC address of the packets originating from the attacking machine may trick the potential victim into thinking it's from a legitimate user and may disguise the attack's origins.
Internet Protocol (IP) is a connection protocol that exists at the Network layer (layer 3) of the Open Systems Interconnection (OSI) reference model. Internet protocol is used to assist routers or any layer 3 devices to forward packets to their corresponding destinations. One main characteristic of internet protocol is its nature of being a connectionless protocol, which means it provides delivery using best effort and is not guaranteed to be delivered to the recipient. Since IP is said to be connectionless, it depends on the upper layers to assist with the delivery of data. The layer above the Network layer is known as the Transport layer. There are two sub protocols, which are used primarily for delivery; these are known as the User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP). An IP packet contains the following: source and destination IP addresses, version (IPv4 or IPv6), Time to Live (TTL) value, protocol (TCP, UDP, or ICMP), and flags.
It is through the forging of this source address that hackers are able to break into the network and mislead communication between the source and the destination. Almost all networks use routers as intermediate devices for the transmission of data. When the data is sent via routers, they identify the destination IP address from the header of the IP datagram to forward the packets to that destination. The source address is ignored by the routers. The source address is used only by the destination machine when a reply is sent back for the received packets.
In an IP packet/datagram, the header contains the addressing information, such as the sender's source and the destination's IP address. An IP packet is usually unencrypted, therefore if someone is sniffing the traffic between the sender and the receiver, the contents of the packet and its header information are captured. A malicious user or an attacker can modify the IP address on the IP packets originating from the attacker machine, making it seem to originate from somewhere else, which is known as IP spoofing. It tricks a potential victim into believing the IP packet came from a legitimate or trusted source, but is actually from a malicious user. The operating system has no way of determining whether the IP addresses actually belong to the legitimate machine or not. When the internet protocol was built, security was not a concern at the time, hence IP lacks security features.
There are different types of spoofing attacks:
- Address Resolution Protocol spoofing
- DNS spoofing
Using the following scenario, an attacker sends a specially crafted packet to the web server (18.104.22.168). Within the IP header of the specially crafted packet, it has a source IP address of 22.214.171.124, which belongs to the potential victim machine and not the real IP address of the attacker. When the web server receives the packet and has to respond, it sees the sender's IP address is 126.96.36.199 and sends its response to the victim machine instead of the attacker:
Attackers primarily use IP spoofing as a technique to bypass any filters, access lists, or even security appliances that act as countermeasures for spoofing attacks. The goal is to find a way into a network by tricking the system into believing it's a legit packet.
In this method, the attacker creates IP packets with a fake source IP address to hide the identity of the sender. Attackers use IP spoofing to overcome security measures, such as authentication-based IP networks. Attackers use randomly chosen IP address and spoof the original IP address to perform the DoS attack.
When two computers communicate, information about the IP address is placed on the source field of the packet. In an IP spoofing attack, the source IP address in the packet is not the original IP address of the source computer. By modifying the source IP address, the original sender can make the victim machine think the message originated from another source and therefore the sending machine or the attacker will be protected from being tracked.
Various options where IP spoofing can be used:
- Hijacking an online session
Scanning is a process in which a malicious user sends probes to a victim machine to determine TCP/UDP open ports, the type of operating system and version, services running on the victim machine, and vulnerabilities:
During the scanning phase, the attack may notice whether port 80 is open or not on the target device. If port 80 is open, we can determine there is a web server daemon running on the target device. The attacker can then use the Telnet protocol to perform banner-grabbing on the victim using port 80 as the destination port. This will determine the type and version of the web server, whether it's Microsoft IIS, Apache, or even nginx. Knowing this information will aid the attacker in fine-tuning their payload for the target device.
In a session hijacking attack, an attacker can capture the cookie from a user who has logged on to a website and uses data found inside the cookie to also log on to the same website without having to enter a username and password combination. This would allow the attacker to gain access to the user (victim) account details.
In a flooding attack, the attacker sends unsolicited packets to the target continuously until the target is overwhelmed. The target will need to process each packet it receives, but due to the high influx of packets received, the target would eventually be unable to respond to a legitimate request from users or perform any further action.
In an ARP spoofing attack, the attacker tries to map the MAC address with the IP address of a victim. The attacker can then intercept, steal, or delete the data. An ARP spoofing attack targets the nodes, layer 2 switches, and routers by disturbing the ARP caches of the connected systems:
Hosts A, B, and C are connected to the switch. Host A broadcasts a request (ARP) asking for the MAC address of host B, after host A sends data to host B. The switch receives the broadcast and forwards the request, and when host B receives the ARP request, it fills the ARP cache with the ARP entry and the IP address of host A (10.1.1.1 ) and the MAC address of A (aaaa.aaaa.aaaa.aaaa). When host B replies, host A fills their ARP cache with the IP address of host B (10.1.1.2) and the MAC address of B (bbbb.bbbb.bbbb.bbbb). At the same time, host C tries to poison the ARP cache of hosts A and B by sending some fake ARP messages with the IP address of B and the MAC address of host C (cccc.cccc.cccc.cccc).
Now the ARP cache is poisoned and it uses the destination MAC address of host C (cccc.cccc.cccc.cccc) for the traffic intended for host B. The attacker on host C interrupts the traffic flow between host A and host B, as host C knows the MAC addresses of host A and host B.
ARP attacks cannot be mitigated straightforwardly; however, proactive measures can be taken against ARP-cache poisoning on your network.
Statically mapping the MAC addresses to the IP address is one approach against the unsolicited dynamic ARP requests sent by an attacker. You can see the ARP cache of a Windows system by simply opening a Command Prompt and typing the arp -a command, as shown:
In situations where network arrangements do not change often, static ARP entries can still be used. This will guarantee that devices will depend on their local ARP cache, as opposed to depending on ARP requests and responses:
- Monitoring ARP traffic: The other method of protecting against the ARP cache is monitoring the network traffic of hosts. This should be possible with a couple of interruption-based identification frameworks and utilities.
- Dynamic ARP inspection: This is one of the security features that verifies the ARP packet. Dynamic ARP inspection verifies, stores log information, and rejects all the invalid ARP bindings. Dynamic ARP inspection will be explained in more depth in the following chapters.
Whenever a client connects to a network, it automatically searches for a Dynamic Host Configuration Protocol (DHCP) server. A DHCP server is used to primarily distribute an IP address, subnet mask, default gateway, and Domain Name System (DNS) server configurations to clients. When the client connects, it broadcasts a DHCPDISCOVER message with a destination MAC address of FFFF.FFFF.FFFF and a destination port of 67
The following is the DHCP four (4) way handshake:
The DHCP server will respond, send a unicast DHCP Offer message back to the client with potentially usable IP configurations. The client will return a DHCPREQUEST back to the DHCP server, letting the server know it's going to accept the IP configurations from the previous message. They will send a DHCP Acknowledgement message to confirm the IP information the client is going to use for network communication.
DHCP snooping is a feature that exists on a switch. It creates two types of ports: trusted and untrusted. When DHCP snooping is enabled on a switch, all ports are labeled as untrusted, and this prevents any DHCP Offer and DHCP ACK messages from entering the switch. However, the port that is connected to the DHCP server should be configured manually as a trusted port. The trusted port allows the DHCP Offer and DHCP ACK messages to enter the switch.
The DHCP snooping feature is a countermeasure against any rogue DHCP server that may be attached to the network infrastructure.
At times, a malicious user may attempt to install a rogue DHCP server on the network in the hope that potential client devices become victims. We need to remember a few things about the DHCP server: it provides the IP address, subnet mask, default gateway, and DNS server configurations to clients. The default gateway is used to forward traffic destined for a network outside of the LAN, and the DNS server resolves hostnames and IP address. What if the clients are using another default gateway and/or a compromised DNS server with false DNS entries? The following table shows the switches and the classification of ports as trusted/untrusted:
F1/3 of switch
F1/1 of switch
F1/2 of switch
When the DHCP snooping features are configured on a Cisco switch, it immediately converts all ports to become untrusted ports. An untrusted port prevents any DHCP Offer and DHCP ACK messages from entering the switch port. However, the port that the DHCP server is connected to must be manually configured as a trusted port:
The following describes how the DHCP snooping feature actually functions:
- The DHCP snooping is enabled with the switch, the untrusted ports will forward only DHCPDISCOVER and DHCPREQUEST packets to the DHCP Server. The trusted port would only forward DHCP Offer and DHCP Ack packets back to the DHCP client.
- When the attacker sends multiple fake DHCPDISCOVER messages to the server, the CPU utilization of the DHCP server goes up, and at some point the server will be out of IP addresses for that particular network in its pool. To avoid this, the DHCP snooping feature rate limits the DHCP traffic from trusted and untrusted sources so that only one DHCPDISCOVER message can be sent by the client.
- If any untrusted port exceeds the number of DHCPREQUEST messages, the port goes into an err-disabled state.
- When DHCP snooping is enabled and configured, the switch maintains a DHCP snooping database that is used to keep track of untrusted sources, their leased IP address, and all the other TCP/IP settings.
- DHCP snooping can also be enabled for a particular VLAN of the switch interface. By default, it is disabled on all the VLAN interfaces.
A DoS attack is a process by which an attacker tries to create a disturbance in the network by triggering unwanted traffic, and this disables the network. The objective of this attack is to not allow network services to be available to legitimate users.
DoS attacks look legitimate, but the size of the traffic might increase to a level that cannot be managed by the victim, for example:
- Ping of Death (PoD): Sending continuous ICMP messages that cause the victim to crash or be unable to respond to legitimate requests
- TCP SYN flood: Simply creating a half-open TCP session on the victim server, thereby halting the services offered by the victim
The Internet Control Message Protocol (ICMP) can be used to check basic network connectivity between two devices. Attacks can manipulate the size of the ICMP message to be greater than the normal size. A simple utility that uses the ICMP is known as ping.
If an attacker sends a ping of 65,536 bytes or greater to another device on a network, it will cause the recipient machine (victim) to crash. This type of attack is known as Ping of Death.
Let's take a look at the following diagram to better understand what takes place:
In this diagram, the victim that receives the fragmented packets will do the reassembly only to find that the final packet is greater than 65,536 bytes. Not knowing what to do with the packet, the system crashes or malfunctions, resulting in its inability to provide service to the legitimate users.
In most instances, whenever two devices want to communicate, they use the TCP protocol to ensure the message reaches both devices. The first process is known as the TCP three-way handshake. Once the handshake is completed, then data is allowed to flow between both devices. In a TCP SYN flood attack, the attacker sends a constant stream of SYN packets to the victim:
On the victim's end, for every SYN packet received, it must reply with an SYN/ACK packet. The attacker would receive this SYN/ACK packet but would not respond to it, therefore creating a lot of half-open connections on the victim machine. Remember, the attacker is continuously sending TCP SYN packets, which would eventually cause the victim's machine to exhaust its resources and not be able to create any future connections with other devices as long as the attack continues.
In a password attack, the attacker tries to obtain the password of a user account, an encrypted file, or even a network. The purpose can vary based on the attacker's intent. In doing so, there are a variety of different methods for attempting to gain the password of another person:
- Brute force attack: In a brute force attack, every possible combination of characters is attempted against the protected data until the correct combination is found. A brute force attack has the highest possibility of cracking the password; however, the downside is the length of time it may take before the password is found.
- Dictionary attack: This attack uses a password list to reference when attempting to crack the password. This attack may not always be a good choice since the success of the attack is only as good as the words that are in the actual wordlist of the password file.
- Keylogger: A keylogger can be either software- or hardware-based. The primary purpose of a keylogger is to capture keystrokes. This can be useful in capturing an unsuspecting user's password for a secure website, such as their online banking user account information.
- Trojan Horse: A Trojan Horse is a type of malware that disguises itself to look like a trusted program/software to trick its potential victims into installing it. Once installed, the actual malicious payload installs itself in the background and stays hidden from the victim. The payload can also be a software keylogger configured to send logs of data remotely back the attacker.
The main concept behind this attack is the weakness of the human mind in creating a strong password which contains alphanumeric characters, upper and lower cases with number(s) and a special character. This is sometimes an amateur way of obtaining critical information from users, such as bank account details, credit card PIN, or other confidential data. As a prerequisite, the attacker tries to look legitimate and provides information that looks real from a victim's perspective.
Different types of social engineering attacks can be seen:
- Phishing: This attack uses email as the mechanism through which an attacker disguised as a legitimate organization tries to get critical details, such as banking passwords.
- Vishing: This attack uses phones, through which the attacker tries to converse like a person from a legitimate organization and get critical details from the victim.
- Spear phishing: This attack is similar to phishing, but it focuses on a particular target from whom the attacker will steal information. It is important to note that the attacker gathers some information about the particular victim prior to launching this attack so that it looks like a particular email sent to the victim is legitimate, for example, targeting the CEO of an organization.
- Pharming: This is an attack where a rogue DNS server provides the wrong DNS IP for a particular URL, which leads the victim to a malicious site. Also, this can be done by injecting some incorrect DNS mappings into the host file on the Windows machine.
- Smishing: This attack uses SMS instead of email.
In programming, a buffer is an area that is used to store data temporarily during program execution. The size of the buffer is usually fixed. Once the program closes, the contents of the buffer are also cleared. In a buffer overflow attack, the buffer is filled with more data than it can handle, causing the program to behave abnormally. Attackers use this attack to gain reverse shells into a victim machine by injecting shellcode as the payload.
Malware is any malicious software that can cause harm to any computing system or network. A piece of malware may have multiple functions, such as wiping data from a hard drive, capturing screenshots of the victim's monitor, or even creating a backdoor.
Some types of malware include:
- Crypto-malware, ransomware
- Trojan Horse
A tool is only as good as its wielder. There are many network security tool out there; some categories include tools for reconnaissance to help gather information on DNS, email addresses, and SNMP. At our fingertips, there's Nmap (Network Mapper), https://nmap.org, for exploitation development; the famous Metasploit from Rapid 7 (https://www.rapid7.com/products/metasploit/), for sniffing; Wireshark (https://www.wireshark.org/); and most importantly, one of the most advanced penetration platforms, Kali Linux (https://www.kali.org/) from Offensive Security.
We always need to remember hackers, network administrators, and cyber security professionals use network tools for different purposes. A white-hat hacker may use it to find vulnerabilities on a network before the black-hat hacker finds and exploits them. A penetration tester is trying to find and exploit any weakness in a network because it's their job.
Wireshark is referred to as the best protocol analyzer/sniffer. It has the ability to display all the Protocol Data Units (PDUs) for the four layers of the TCP/IP stack. Wireshark is a free tool for both Windows and Linux operating systems. It has the ability to see all the conversations/network traffic passing along a network segment:
To start a capture on Wireshark, simply open it and click on Capture | Options, then select the interface you want to capture traffic on. Now, click on Start.
Metasploit is an exploitation development framework. This is a free tool for students and people who want to learn hacking in an ethical manner. The tool can be used with both Windows and Linux:
This is the Command Prompt from which Metasploit can be used. The console is referred to as msf.
Kali Linux is a penetration testing Linux distribution. It was created by Offensive Security as the successor to the famous BackTrack. Kali Linux is a single operating system with all the possible tools and utilities needed for conducting a penetration test and forensics.
The amazing benefit of this distro is that it can be installed on a virtual machine, on a hard drive, it can be live-booted via USB, and can be installed on mobile devices, such as the Google Nexus, OnePlus smartphones, and the Raspberry Pi computer.
There are many categories of tools, such as information-gathering, scanners, password-cracking, exploitation development, post-exploitation, and forensics. The possibilities with Kali Linux are endless.
In this chapter, we took a look at the CIA triad and its importance, network security terminologies, types of attacks, how IP works and its vulnerabilities to network attack, and some security tools.
In the next chapter, we will look at the uses of different types of firewall and the significance of IPS in network security.