Series Editor
Jean-Charles Pomerol
Computer Network Security
First published 2020 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:
ISTE Ltd
27-37 St George’s Road
London SW19 4EU
UK
www.iste.co.uk
John Wiley & Sons, Inc.
111 River Street
Hoboken, NJ 07030
USA
www.wiley.com
© ISTE Ltd 2020
The rights of Ali Sadiqui to be identified as the author of this work have been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.
Library of Congress Control Number: 2019952965
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library
ISBN 978-1-78630-527-5
This book is meant for students preparing for the CCNA security exam (210-260 IINS), whether they are in professional training centers, technical faculties or in training centers associated with the “Cisco Academy” program. Nevertheless, it may also prove useful to anyone who is interested in information security, whether they work in a professional setting or are simply an IT user.
The book covers all subjects listed in the syllabus for the Cisco exam mentioned above. However, we have also integrated certain practical cases from the real work of networks that we deemed important.
Each chapter begins by presenting a theoretical concept related to a predetermined security objective and then provides the CLI commands and screenshots of the GUI needed to secure the network component. Practical tasks are suggested at the end to help the student apply this configuration and gain mastery over the concept presented.
This book was developed in collaboration with a training and certification team from Cisco in order to ensure that the content was clear and simple. The book aims to present, in a single volume, the state-of-the-art and good practices to put in place a secure information system.
We hope that the book meets the expectations of our students and helps them obtain their certification while also allowing anyone interested in this topic to better understand the different concepts of information security.
Ali SADIQUI
November 2019
Introduction to CCNA Security
The “ CCNA Security ” certificate is a test that validates the knowledge and qualifications required to secure a network made up of Cisco infrastructure.
This allows a network professional to demonstrate the skills required to develop security infrastructure, recognize threats to the network and vulnerabilities in the network, and mitigate these threats in order to maintain integrity, confidentiality and the availability of data and devices.
Prerequisites
- 1) In order to optimize your learning from this book, it is highly recommended that you examine the objectives required for the following certifications:
- – CCENT Cisco;
- – CCNA routing and commutation.
Conventions for command syntax
- 2) The conventions followed in this book to present the syntax for commands are given below:
- – text in bold: indicates the commands or keywords;
- – italics: denote the arguments or user variables;
- – vertical lines (|): indicate alternative and mutually exclusive elements;
- – square brackets ([]): indicate optional elements;
- – curly brackets ({}): indicate a necessary choice;
- – curly brackets within square brackets ([{}]): indicate a necessary choice in an optional element.
1
Fundamentals of Network Security
This chapter studies the following subjects:
- – the chief objectives of securing a network;
- – information security terminology:
- - general terminology,
- - types of hackers,
- - malicious codes;
- – the types of network security:
- - physical security,
- - logical security,
- - administrative security;
- – the chief risks related to the logical security of a network:
- - the different kinds of network attacks,
- - measures for network security,
- - vulnerability audit measures
1.1. Introduction
Network security is the branch of computer science that consists of protecting all components of a computer network in order to prevent unauthorized access, data stealing, misuse of a network connection, modification of data, etc. The aim of network security is to provide proactive defense methods and mechanisms to protect a network against internal and external threats.
1.1.1. The main objectives of securing a network
The three main objectives in securing a network are to ensure:
- – confidentiality: this consists of protecting data stored on or traveling over a computer network from unauthorized persons;
- – integrity: this maintains or ensures the reliability of data. The data received by a recipient must be identical to the data transmitted by the sender;
- – availability: this ensures that network data or services are constantly accessible to users.
1.1.2. Information security terminology
1.1.2.1. General terminology
1.1.2.2. Types of hackers
There are different kinds of hackers in the field of information technology:
- – “hackers”: this group is defined as people who are “network maniacs” and only wish to understand the working of computer systems, while also testing their own knowledge and tools;
- – “white hat hackers”: these are individuals who carry out safety audits in order to test that an organization’s computer networks are well-protected;
- – “black hat hackers”: these are experienced individuals who work towards illegal ends by carrying out data theft, hacking accounts, infiltrating systems etc.;
- – “gray hat hackers”: individuals who are a mix of a “white hat” and “black hat” hackers;
- – “blue hat hackers”: these are individuals who test bugs in order to ensure that applications work smoothly;
- – “script-kiddies”: these are individuals with very basic IT security management skills and who try to infiltrate systems using scripts and programs developed by others;
- – “hacktivists”: these are individuals who are chiefly driven by ideological motives;
- – “phreakers”: these are individuals who are specialized in attacking telephonic systems. In general, they work towards placing free calls;
- – “carders”: these are individuals who specialize in attacking smart card systems.
1.1.2.3. Malicious codes
The most common types of malicious codes or malware that may be used by hackers are:
- – virus: this is a program that attaches itself to a software to carry out a specific, undesirable function on a computer. Most viruses need to be activated by the user. However, they can also be set to “idle mode” for prolonged periods as they can also be programmed to avoid detection;
- – worms: these are independent programs that exploit known vulnerabilities with the aim of slowing down a network. They do not need to be activated by the user, and they can duplicate themselves and attempt to infect other hosts in the network;
- – spyware: these are spy software that are generally used in order to influence the user, to buy certain products or services. Spyware is not usually automatically self-propagating but install themselves without permission. They are programmed to:
- - collect the user’s personal information,
- - track browsing activity on the internet in order to detect the user’s preferences,
- - redirect HTTP requests towards pre-set advertising sites;
- – adware: this refers to any software that displays advertisements without the user’s permission, often in the form of pop-up windows;
- – scaryware: this refers to a category of software that is used to convince users that their system has been infected by viruses and suggests solutions, with the goal being to sell software;
- – Trojan horse: this is a program characterized by two features:
- - behavior that is apparently useful to the user,
- - hidden malicious behavior, which usually leads to access to the machine on which this software is executed;
- – ransomware: ransomware is a program that is designed to block access to a computer system, by encrypting the contents until a certain amount of money is paid in order to restore the system.
1.2. Types of network security
We identify three categories of network security.
1.2.1. Physical security
Physical security involves all aspects of the environment in which the resources are installed. This may include:
- – the physical security of server rooms, network devices etc.;
- – the prevention of accidents and fires;
- – uninterrupted power supply;
- – video surveillance etc.
1.2.2. Logical security
Logical security refers to the implementation of an access control system (using a software) in order to secure resources. This may include:
- – applying a reliable security strategy for passwords;
- – setting up an access model that is based on authentication, authorization and traceability;
- – ensuring the correct configuration of network firewalls;
- – putting in place IPS (intrusion prevention systems);
- – using VPNs (Virtual Private Network) etc.
1.2.3. Administrative security
Administrative security allows the internal monitoring of an organization using a manual of procedures.
This may include:
- – preventing errors and frauds;
- – defining the responsibilities of different actors or operators;
- – protecting the integrity of the company’s property and resources;
- – ensuring that all operations concerning handling of material are recorded;
- – rationally managing the company’s property;
- – ensuring effective and efficient management of activities.
NOTE.– You can now attempt Exercise 1.
1.3. The main risks related to the logical security of the network
1.3.1. Different kinds of network attacks
1.3.1.1. Reconnaissance attacks
The aim of reconnaissance attack or “passive attack” is to collect information on the target network in order to detect all the vulnerabilities. In general, this attack uses the following basic methods:
- – “ping sweep”: the attacker sends ping packets to a range of IP addresses to identify the computers that are part of a network.
- – port scanning: the attacker carries out a port analysis (TCP and UDP) in order to discover what services are being run on a target computer;
- – packet sniffing: “packet sniffing” makes it possible to capture data (generally Ethernet frames) that are traveling over a network, with the aim of identifying MAC addresses, IP addresses or the number of ports used in a target network. This attack can even make it possible to discover user names or passwords. The most commonly used packet capture software is wireshark and tcpdump.
1.3.1.2. Password attacks
The goal of these attacks is to discover usernames and passwords in order to access various resources. There are two commonly used methods in this type of attack:
- – dictionary attack: this method uses a list of words or phrases that are commonly used as passwords;
- – brute force attack: this method tries out all possible combinations of letters, numbers and symbols to detect a user’s password.
1.3.1.3. Access attacks
The aim of these attacks is to try and recover sensitive information about network components. The following methods are commonly used to carry out an access attack:
- – phishing: phishing is an attempt to recover sensitive information (usually financial information such as credit card details, login, password, etc.), by sending unsolicited emails with fake URLs;
- – pharming: this is another network attack that aims to redirect traffic from one website to another website;
- – “Man-in-the-middle” attack: an attacker places themselves between two network components to try and benefit from the data being exchanged. This attack is based, among other things, on:
- - spoofing: this is a practice in which communication is sent from an unknown source disguised as a reliable source for the receiver. This makes it possible to deceive a firewall, a TCP service, an authentication server etc. Spoofing may take place at several levels: MAC address, IP address, TCP/UDP port, a DNS domain name,
- - hijacking: the attacker hijacks a session between a host and server to obtain unauthorized access to this service. This attack relies on spoofing;
- – mixed attacks: Mixed attacks combine the characteristics of viruses, worms, and other software to collect user information.
1.3.1.4. Network attacks against availability
- – DoS or Denial of Service attacks are attacks that render a service unavailable in various ways. These attacks can be divided into two main categories:
- - denial of service by saturation: these attacks consist of flooding a machine with false requests so that it is unable to respond to real requests;
- - denial of service by exploiting vulnerability: these attacks consist of exploiting a weakness in a remote system in order to make it unavailable.
- – DDoS or Distributed Denial of Service attacks are a type of DoS attack originating from many connected computers controlled by hackers who attack from different geographic locations. The principles underlying these attacks are based on the follow methods (among others):
- - SYN flood attacker: an attacker sends several TCP-SYN packets to set up a 'TCP' connection without sending a “SYN-ACK” message;
- - ICMP flood: an attacker sends the target computer multiple fake ICMP packets.
1.3.1.5. Close attacks
A close attack is unusual in that the attacker is physically close to the target system. The attacker takes advantage of the fact that they are close to the target devices to reset a router, for example, or start a server with a CD etc.
1.3.1.6. Attacks on the approval relationships
When taking control of a network machine, the attacker exploits the relationship of approval between this machine and the various peripheral devices on a network in order to gain greater control.
1.3.2. Network security measures
In order to ensure greater security to a network within a company, the following measures are recommended:
- – separation of resources: the network of resources of an organization and various sensitive data must be located in different security zones (for example, creation of a DMZ cone). Access to the network of an organization and to databases must be carried out through highly monitored mechanisms.
- – deep protection: network security devices must be used in different locations of the organization’s network;
- – the “least privilege” rule: each user must be assigned only the minimal level of access required to carry out a given task;
- – adequate protection: protection mechanisms must be installed in a reliable and effective manner at all levels of the network;
- – restricting the consultation of information: only information required for carrying out a specific task must be provided to a given employee.
- – separation of tasks and job rotation: the separation of tasks and job rotation contributes to a better implementation of security policies in organizations and to the reduction of vulnerabilities.
1.3.3. Vulnerability audit measures
A computer network audit must include the following five categories:
- – preventive measures: these include precautions taken to prevent the exploitation of a vulnerability, through the use of a firewall, physical locks and an administrative security strategy;
- – detective measures: these include the retrieval of all information on intrusion into the network or system using system logs, intrusion prevention systems (IPS), anti-spoofing technologies and surveillance cameras;
- – corrective measures: these include determining the cause of a security violation and then mitigating these effects through updating viruses or IPS;
- – recovery measures: these enable system recovery after an incident;
- – deterrence measures: these discourage persons who try to breach network security.