Network Security Guide
Network Security Guide| Todays world is ruled by the internet . Network Security is critical to enable organizations to protect productivity gains and reduce network operating costs. Network security technologies enable new business applications by reducing risk and providing a foundation for expanding business with Intranet, extranet, and electronic commerce applications, as well as helping to protect sensitive data and corporate resources from intrusion.It is very important that we prevent attacks from both within and outside the enterprise network . This site covers the following areas * Latest developments in network security - NAC , IDS , WLAN sec 802.1x * Typical attacks on networks - Snooping, password , worms , Trojan , DOS , Man in middle etc * Basics of network security - AAA , Radius , Tacacs , IKE , IPsec etc , 802.1x * Security products from Cisco * Cisco IOS Security Configuration Guide * Security Advisories/Vulnerabilities | Other sites from the author CCNA preparation Guide Network Devices SAN Guide - Storage |
Latest in Network Security
| Network Admission Control - Building self defending networks Network Admission Control (NAC) is a Cisco Systems sponsored industry initiative that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms. Using NAC, organizations can provide network access to endpoint devices such as PCs, PDAs, and servers that are verified to be fully compliant with established security policy. NAC can also identify noncompliant devices and deny them access, place them in a quarantined area, or give them restricted access to computing resources. NAC is part of the Cisco Self-Defending Network, an initiative to increase network intelligence in order to enable the network to automatically identify, prevent, and adapt to security threats. Check NAC for more details . |
| IDS - Intrusion Detection System - What is ID? ID stands for Intrusion Detection, which is the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems. Sometimes, a distinction is made between misuse and intrusion detection. The term intrusion is used to describe attacks from the outside; whereas, misuse is used to describe an attack that originates from the internal network. However, most people don't draw such distinctions. Common approaches are Host Based Intrusion Detection System - Host-based ID involves loading a piece or pieces of software on the system to be monitored. The loaded software uses log files and/or the system's auditing agents as sources of data. In contrast, a network- based ID system monitors the traffic on its network segment as a data source. Check HIDS for more info Network Based Intrusion Detection System - A network- based ID system monitors the traffic on its network segment as a data source. Check NIDS for more info |
| Wireless Lan Security - With a WLAN, transmitted data is broadcast over the air using radio waves that travel between client devices, or stations, and access points-the WLAN endpoints on the Ethernet network that link stations to the network. This means that any WLAN client device within an access point service area can receive data transmitted to or from the access point. Also the WEP keys used to encrypt and decrypt transmitted data has lot of vulnerabilities . Robust WLAN access control, also called authentication, prevents unauthorized users from communicating through access points. Strong WLAN access control measures help ensure that legitimate client stations associate only with trusted access points rather than rogue or unauthorized access points. Cisco provides wirless security with Controlled access to the WLAN via numerous authentication and encryption policies, including 802.11i, Wi-Fi Protected Access (WPA), WPA2, and mobile VPNs , WLAN Intrusion Protection System (IPS) that detects and mitigates rogue access points, unassociated client devices, and ad-hoc networks, and provides customizable RF attack signatures to protect against common wireless threats and Secure management of infrastructure and RF-layer security boundaries . Check WLAN Security for more details . |
Typical attacks in enterprise switching environment
| Attack with Packet Sniffers - A packet sniffer is a software application that uses a network adapter card in promiscuous mode (a mode in which the network adapter card sends all packets received on the physical network wire to an application for processing) to capture all network packets that are sent across a local-area network. Because several network applications distribute network packets in clear text, a packet sniffer can provide its user with meaningful and often sensitive information, such as user account names and passwords. In addition, many network administrators use packet sniffers to diagnose and fix network-related problems. Because in the course of their usual and necessary duties these network administrators (such as those in the Payroll Department) work during regular employee hours, they can potentially examine sensitive information distributed across the network. So all data that is transmitted has to be encrypted all the time . |
| IP spoofing Attack - An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted computer. This is facilitated either by using an IP address that is within the range of IP addresses for your network, or by using an authorized external IP address that you trust and to which you want to provide access to specified resources on your network. Normally, an IP spoofing attack is limited to the injection of data or commands into an existing stream of data passed between a client and server application or a peer-to-peer network connection. To enable bidirectional communication, the attacker must change all routing tables to point to the spoofed IP address. |
| DOS - Denial of Service Attack - The denial of service occurs because the system receiving the requests becomes busy trying to establish a return communications path with the initiator (which may or may not be using a valid IP address). In more technical terms, the targeted host receives a TCP SYN and returns a SYN-ACK. It then remains in a wait state, anticipating the completion of the TCP handshake that never happens. Each wait state uses system resources until eventually, the host cannot respond to other legitimate requests. |
| Password Attacks - Password attacks can be implemented using several different methods, including brute-force attacks, Trojan horse programs (discussed later in the chapter), IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can yield user accounts and passwords, password attacks usually refer to repeated attempts to identify a user account and/or password; these repeated attempts are called brute-force attacks. |
| MIM - Man in the Middle Attacks - A man-in-the-middle attack requires that the attacker have access to network packets that come across the networks. An example of such a configuration could be someone who is working for your Internet service provider (ISP), who can gain access to all network packets transferred between your network and any other network. Such attacks are often implemented using network packet sniffers and routing and transport protocols. The possible uses of such attacks are theft of information, hijacking of an ongoing session to gain access to your internal network resources, traffic analysis to derive information about your network and its users, denial of service, corruption of transmitted data, and introduction of new information into network sessions. |
| Layer2 MAC Flooding - MAC flooding is the attempt to exploit the fixed hardware limitations of the switch's content addressable memory (CAM) table. The Catalyst switch CAM table stores the source MAC address and the associated port of each device connected to the switch. The CAM table on the Catalyst 6000 can contain 128,000 entries. These 128,000 entries are organized as 8 pages that can store approximately 16,000 entries. A 17 bit hash algorithm is used to place each entry in the CAM table. If the hash results in the same value, each entry is stored on separate pages. Once these eight locations are full, the traffic is flooded out all ports on the same VLAN on which the source traffic is being received. |
| Layer2 ARP Spoofing - Gratuitous ARPs can be used to perform an ARP spoofing attack. Before discussing gratuitous ARP attacks, you must first have a sound understanding of ARP and gratuitous ARP. ARP request messages are placed in a frame broadcast to all devices on a segment. Each device on the segment receives the broadcast message and examines the IP address. Either the host that owns the IP address being requested or a router that knows the location of the that host responds to the request by sending the requester back the target MAC address via unicast.When server A ARPs for its default gateway's (192.168.10.1's) MAC address it places the response in its ARP table. Now, when the attacker sends a gratuitous ARP stating that it is 192.168.10.1, server A updates its ARP table and forwards traffic to the attacker because server A thinks that the attacker's computer is its default gateway.The attacker is simply performing a man in the middle (MIM) attack and may go undetected because all traffic still reaches its destination. |
| DOS attacks from spanning tree vulnerabilities - An rogue switch sending BPDUs can force topology changes in the network which can result as a DOS attack. |
| Solutions for the above attacks - Cisco provides solutions to all the above mentioned issues . Check this link solutions |
Basics of Network Security
