
Thursday, April 2, 2015

CCNA Security: Network Security Concepts



Basic Network Security Objectives


  • Confidentiality
Data at rest should be protected by authentication and access control (and, for sensitive data, encryption) so that only those who are permitted to see it can
Data in motion should be protected by encryption or isolation as it moves through the network

  • Integrity
Data integrity is concerned with making sure that data is not altered, whether in storage or in transit, except by authorized sources, and that any unauthorized change can be detected

  • Availability
For systems and data, availability refers to the ability of authorized users to access them when they need to


 Cost/Benefit Security Analysis

Risk management deals with identifying assets, threats/vulnerabilities and countermeasures that make sense commensurate with the value of the asset

Asset: Anything that has value to an organization such as property or data

Vulnerability: Exploitable weakness in a system or its design

Threat: Potential danger to an asset. If a vulnerability exists but has not yet been exploited, the threat is latent (unrealized); once an attack against the asset succeeds, the threat is realized. The entity that exploits the vulnerability is the threat agent; the path or means it uses is the threat vector.

Risk: The likelihood that a threat exploits a vulnerability, combined with the resulting impact; the potential for unauthorized access to, compromise of, or destruction of an asset

Countermeasure: Safeguard that mitigates risk by eliminating or reducing a vulnerability, or otherwise making the asset less vulnerable.


Thresholds apply to the classification: in general a countermeasure or risk mitigation should not cost more than the value of the asset it protects, except where government or financial regulation, contractual obligation, etc. requires the control regardless of cost


Classifying Assets


Assets can be classified so that policy can define how each class must be handled (who may access it, how it is stored, transmitted and destroyed)

Government Classifications
  • Unclassified
  • Sensitive But Unclassified
  • Confidential
  • Secret
  • Top Secret

Private Sector Classifications
  •  Public 
  • Confidential
  • Sensitive 
  • Private

Classification Criteria
  • Value
  • Replacement Cost
  • Lifetime
  • Age


Classification Roles
  • Owner: Person or group ultimately responsible for the data
  • User: People who access the data and abide by the acceptable use policy
  • Custodian: Group responsible for implementing policy dictated by owner


Classifying Vulnerabilities

 Potential Vulnerabilities

  • Policy Flaw
  • Misconfiguration
  • Protocol Weakness
  • Design Error
  • Software vulnerability
  • Malware
  • Hardware vulnerability
  • Human factor
  • Physical Access to Resources

 Classifying Countermeasures


Control Methods to Implement Countermeasures

  • Administrative: Policy, procedure, change control
  • Physical: Locked doors, access badges, cameras, etc
  • Logical: Passwords, firewalls, VPN, IPS, access lists





Recognizing Current Network Threats

 

Potential Attackers

  • Terrorists
  • Hackers
  • Government Agencies
  • Competitors
  • Criminals
  • Nation-states
  • Disgruntled Employees
  • Anyone who can access a computer


Attack Methods

  • Reconnaissance: Discovery process used to find information about the network. Port scans, IP scans, etc
  • Social Engineering: User compromise, email, misdirection of web pages, phishing, pharming
  • Privilege Escalation: Escalating level of access beyond what is allowed by policy/role
  • Back Door: Application or user access left behind by an attacker to allow future access


Attack Vectors

Attacks can be launched from outside or inside the company, even by authorized users. Identity-based network access control, such as Cisco ISE (Identity Services Engine)/NAC with 802.1X, can help limit what an internal user or device can reach and so mitigate attacks launched from inside

 

 

Man-in-the-Middle Attack


 An attacker places themselves between two communicating devices in order to perform reconnaissance on, or manipulate, the data as it moves between them. The main purpose is eavesdropping, so that the attacker sees all of the traffic.


Layer 2 MITM Attacks
  • ARP Poisoning: The attacker sends forged ARP replies so that clients map the default gateway's IP address to the attacker's MAC address and send their traffic through the attacker. Mitigated with Dynamic ARP Inspection, which validates ARP packets arriving on untrusted ports against the DHCP snooping binding table
  • Root Bridge Attack: The attacker connects a switch that advertises a superior bridge priority with the intent of becoming the spanning-tree root bridge and forcing traffic through that switch. Mitigated by Root Guard (on ports that must never lead toward the root) and BPDU Guard (on host ports, which should never receive BPDUs at all)
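The switch-side configuration for both mitigations, as an added example that is not part of the original notes. It is Cisco IOS access-switch configuration; VLAN 10, the interface names and roles (Gi0/1 uplink, Gi0/2-23 hosts, Gi0/24 a downstream switch) and the ARP rate limits are assumptions for illustration.

```cisco
! Added example (not from the original page): access-switch hardening
! against ARP poisoning and the root bridge attack. VLAN 10 and the
! interface roles below are assumed.
!
! --- ARP poisoning ---
! DHCP snooping builds the IP-to-MAC binding table; Dynamic ARP Inspection
! drops any ARP packet on an untrusted port that does not match a binding.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the distribution layer (and the legitimate root bridge):
! trusted for DHCP and ARP. No Root Guard here, or the real root would be
! blocked.
interface GigabitEthernet0/1
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host access ports: untrusted, ARP rate-limited so a flooding host is
! err-disabled, and BPDU Guard because no host should ever send a BPDU.
interface range GigabitEthernet0/2 - 23
 description Host access port
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Root bridge attack ---
! Port toward a downstream switch that is allowed to participate in STP but
! must never become root: Root Guard puts the port into root-inconsistent
! state if a superior BPDU arrives, instead of accepting the new root.
interface GigabitEthernet0/24
 description Downlink to edge switch
 switchport mode trunk
 ip arp inspection limit rate 100
 spanning-tree guard root
!
! Verification
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection interfaces
! show spanning-tree inconsistentports
! show interfaces status err-disabled
```

DAI only works where the binding table is populated, so hosts with static addresses need `ip source binding` entries or an ARP ACL; otherwise their ARP traffic is dropped. BPDU Guard err-disables the port, so pair it with `errdisable recovery cause bpduguard` if you do not want to clear ports by hand.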


Layer 3 MITM Attacks
  • Rogue Router: A rogue router can form an adjacency and inject routes with a more attractive metric to force traffic through itself. Mitigated by routing-protocol authentication and by making interfaces passive so that the routing protocol only runs on the links where neighbors are expected
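The same two mitigations shown as OSPF configuration on Cisco IOS, added here as an example that is not part of the original notes. The weak and hardened versions are shown side by side; process ID 1, area 0, the 10.0.0.0/8 network statement, the interface roles and the key value are assumptions.

```cisco
! Added example (not from the original page). OSPF process 1, area 0,
! interface roles and the key are assumed.
!
! --- Weak ---
! OSPF sends and accepts hellos on every interface covered by the network
! statement, with no authentication. Any device on the user VLAN can form
! an adjacency and advertise a better-metric route for any prefix.
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
! --- Hardened ---
! 1) Listen only where neighbors are expected: passive-interface default
!    stops hellos everywhere, then only the router-to-router link is
!    re-enabled. Passive interfaces are still advertised, just never
!    neighbors.
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
! 2) Authenticate the link that is still active: a neighbor that does not
!    hold the key cannot form an adjacency, so its routes are never
!    installed.
interface GigabitEthernet0/0
 description Link to core router
 ip ospf message-digest-key 1 md5 ExampleKey123
 ip ospf authentication message-digest
!
! User-facing interface: covered by the network statement, stays passive.
interface GigabitEthernet0/1
 description User VLAN
!
! Verification
! show ip ospf neighbor                  (only the core router should appear)
! show ip ospf interface GigabitEthernet0/0
!   -> "Message digest authentication enabled", "Youngest key id is 1"
! show ip ospf interface GigabitEthernet0/1
!   -> "No Hellos (Passive interface)"
```

The key must match on both ends of the link, and the same pattern applies to EIGRP (key chain plus `ip authentication mode eigrp` and `ip authentication key-chain eigrp` on the interface). MD5 is the classic CCNA answer; newer IOS releases also accept a key chain with HMAC-SHA via `ip ospf authentication key-chain`, which is preferable where available.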


Miscellaneous Attack Vectors

  • Covert Channels: Uses communications in unintended ways such as tunnelling P2P file sharing inside of HTTP traffic, or a backdoor using ICMP to communicate with an attacker 
  • Trust Exploitation:  Attacker leverages implied trust relationship to gain access, such as exploiting a DMZ server that can communicate to the inside to launch attacks internally
  • Password Attack: Brute force attacks to guess passwords, MITM or key logging software
  • BotNet: Infected computers that listen for command/control signals from an attacker utilizing a backdoor channel to communicate
  • DoS and DDoS: Using a botnet to flood a particular system with malicious traffic with the intent of denying legitimate access


Applying Fundamental Security Principles to Network Design

Guidelines

  • Least Privilege: Minimal access to perform the function is assigned and no more
  • Defense in Depth: Security is implemented in multiple places on the network, such as a firewall with an IPS, host-based firewall, etc
  • Separation of Duties: Specific individuals are placed into specific roles so that no one person controls an entire process, providing checks and balances on the implementation of security policy
  • Auditing: Keeping records of what is occurring on the network using AAA accounting and syslog; the logs can be reviewed to check access and events
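One switch configuration that covers two items from these notes, added here as an example that is not part of the original page: 802.1X port authentication, mentioned under Attack Vectors, and auditing with AAA accounting and syslog, from the guideline above. The RADIUS/TACACS+ server address, the syslog collector, the shared secrets, the local fallback account, the interface names and the Loopback0 source are all assumptions; the `radius server` / `tacacs server` forms are the IOS 15.x syntax.

```cisco
! Added example (not from the original page). Server addresses, secrets,
! interface names and Loopback0 are assumed.
!
! --- AAA and servers ---
aaa new-model
radius server AAA-RADIUS
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
tacacs server AAA-TACACS
 address ipv4 10.0.0.10
 key ExampleSharedSecret
!
! --- 802.1X ---
! A host must authenticate to the RADIUS server before the access port
! forwards its traffic, so an unknown device plugged into a wall jack is
! not on the network at all, and an authorized user's access can be
! scoped by the VLAN/ACL the server returns.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
interface range GigabitEthernet0/2 - 23
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! --- Auditing: who logged in, what they ran, what changed ---
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret ExampleLocalPassword
!
! Syslog with usable timestamps, sent off-box so someone who compromises
! the switch cannot quietly erase the record.
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging host 10.0.0.20
logging trap informational
logging source-interface Loopback0
login on-failure log
login on-success log
!
! Log every configuration change to syslog, with passwords masked.
archive
 log config
  logging enable
  notify syslog contentinfo
  hidekeys
!
! Verification
! show dot1x interface GigabitEthernet0/2 details
! show aaa servers
! show logging
! show archive log config all
```

Keep the `local` fallback in the login and exec-authorization method lists, and test a console login before saving, or an unreachable AAA server locks you out of the device. Accounting for privilege-15 commands only records commands at that level; add `aaa accounting commands 1` as well if level-1 activity matters to you.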
