Module 16 - Network Security Fundamentals

Uploaded by

cheskareyes740

Module 16: Network Security Fundamentals

Engr. Jeffrey Cayetano, CCNA, HCAI R&S


16.1 Security Threats and Vulnerabilities

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Security Threats and Vulnerabilities
Types of Threats
Attacks on a network can be devastating and can result in a loss of time and money due
to damage, or theft of important information or assets. Intruders can gain access to a
network through software vulnerabilities, hardware attacks, or through guessing
someone's username and password. Intruders who gain access by modifying software or
exploiting software vulnerabilities are called threat actors.

After the threat actor gains access to the network, four types of threats may arise:
• Information Theft
• Data Loss and manipulation
• Identity Theft
• Disruption of Service

Security Threats and Vulnerabilities
Types of Vulnerabilities
Vulnerability is the degree of weakness in a network or a device. Some degree of
vulnerability is inherent in routers, switches, desktops, servers, and even security devices.
Typically, the network devices under attack are the endpoints, such as servers and desktop
computers.
There are three primary vulnerabilities or weaknesses:
• Technological Vulnerabilities might include TCP/IP Protocol weaknesses, Operating
System Weaknesses, and Network Equipment weaknesses.
• Configuration Vulnerabilities might include unsecured user accounts, system accounts
with easily guessed passwords, misconfigured internet services, unsecure default
settings, and misconfigured network equipment.
• Security Policy Vulnerabilities might include lack of a written security policy, politics, lack
of authentication continuity, logical access controls not applied, software and hardware
installation and changes not following policy, and a nonexistent disaster recovery plan.
All three of these sources of vulnerabilities can leave a network or device open to various
attacks, including malicious code attacks and network attacks.
Security Threats and Vulnerabilities
Physical Security
If network resources can be physically compromised, a threat actor can deny the use of
network resources. The four classes of physical threats are as follows:
• Hardware threats - This includes physical damage to servers, routers, switches,
cabling plant, and workstations.
• Environmental threats - This includes temperature extremes (too hot or too cold) or
humidity extremes (too wet or too dry).
• Electrical threats - This includes voltage spikes, insufficient supply voltage
(brownouts), unconditioned power (noise), and total power loss.
• Maintenance threats - This includes poor handling of key electrical components
(electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling.

A good plan for physical security must be created and implemented to address these
issues.

16.2 Network Attacks

Network Attacks
Types of Malware
Malware is short for malicious software. It is code or software specifically designed to
damage, disrupt, steal, or inflict “bad” or illegitimate action on data, hosts, or networks. The
following are types of malware:
• Viruses - A computer virus is a type of malware that propagates by inserting a copy of
itself into, and becoming part of, another program. It spreads from one computer to
another, leaving infections as it travels.
• Worms - Computer worms are similar to viruses in that they replicate functional copies
of themselves and can cause the same type of damage. In contrast to viruses, which
require the spreading of an infected host file, worms are standalone software and do
not require a host program or human help to propagate.
• Trojan Horses - It is a harmful piece of software that looks legitimate. Unlike viruses
and worms, Trojan horses do not reproduce by infecting other files. They self-replicate.
Trojan horses must spread through user interaction such as opening an email
attachment or downloading and running a file from the internet.

Network Attacks
Reconnaissance Attacks
In addition to malicious code attacks, it is also possible for networks to fall prey to various
network attacks. Network attacks can be classified into three major categories:
• Reconnaissance attacks - The discovery and mapping of systems, services, or vulnerabilities.
• Access attacks - The unauthorized manipulation of data, system access, or user privileges.
• Denial of service - The disabling or corruption of networks, systems, or services.

For reconnaissance attacks, external threat actors can use internet tools, such as
the nslookup and whois utilities, to easily determine the IP address space assigned to a
given corporation or entity. After the IP address space is determined, a threat actor can
then ping the publicly available IP addresses to identify the addresses that are active.

Network Attacks
Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and
web services to gain entry to web accounts, confidential databases, and other sensitive
information.

Access attacks can be classified into four types:


• Password attacks - Implemented using brute force, Trojan horses, and packet sniffers.
• Trust exploitation - A threat actor uses unauthorized privileges to gain access to a
system, possibly compromising the target.
• Port redirection - A threat actor uses a compromised system as a base for attacks
against other targets. For example, a threat actor uses SSH (port 22) to connect to a
compromised host A. Host A is trusted by host B, so the threat actor can then use
Telnet (port 23) from host A to access host B.
• Man-in-the-middle - The threat actor is positioned between two legitimate entities
in order to read or modify the data that passes between the two parties.
Network Attacks
Denial of Service Attacks
Denial of service (DoS) attacks are the most publicized form of attack and among the
most difficult to eliminate. However, because of their ease of implementation and
potentially significant damage, DoS attacks deserve special attention from security
administrators.
• DoS attacks take many forms. Ultimately, they prevent authorized people from using a
service by consuming system resources. To help prevent DoS attacks it is important to
stay up to date with the latest security updates for operating systems and applications.
• DoS attacks are a major risk because they interrupt communication and cause
significant loss of time and money. These attacks are relatively simple to conduct,
even by an unskilled threat actor.
• A DDoS is similar to a DoS attack, but it originates from multiple, coordinated sources.
For example, a threat actor builds a network of infected hosts, known as zombies. A
network of zombies is called a botnet. The threat actor uses a command and control
(CnC) program to instruct the botnet of zombies to carry out a DDoS attack.

16.3 Device Security

Device Security
Cisco AutoSecure
The security settings are set to their default values when a new operating system is
installed on a device. In most cases, this level of security is inadequate. For Cisco routers,
the Cisco AutoSecure feature can be used to assist in securing the system.

In addition, there are some simple steps that should be taken that apply to most operating
systems:
• Default usernames and passwords should be changed immediately.
• Access to system resources should be restricted to only the individuals that are
authorized to use those resources.
• Any unnecessary services and applications should be turned off and uninstalled
when possible.
• Often, devices shipped from the manufacturer have been sitting in a warehouse for a
period of time and do not have the most up-to-date patches installed. It is important
to update any software and install any security patches prior to implementation.
Device Security
Passwords
To protect network devices, it is important to use strong passwords. Here are standard guidelines to
follow:
• Use a password length of at least eight characters, preferably 10 or more characters.
• Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols,
and spaces, if allowed.
• Avoid passwords based on repetition, common dictionary words, letter or number sequences,
usernames, relative or pet names, biographical information, such as birthdates, ID numbers,
ancestor names, or other easily identifiable pieces of information.
• Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
• Change passwords often. If a password is unknowingly compromised, the window of opportunity for
the threat actor to use the password is limited.
• Do not write passwords down and leave them in obvious places such as on the desk or monitor.
On Cisco routers, leading spaces are ignored for passwords, but spaces after the first character are not.
Therefore, one method to create a strong password is to use the space bar and create a phrase made
of many words. This is called a passphrase. A passphrase is often easier to remember than a simple
password. It is also longer and harder to guess.
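As an added example (not part of the module), a Python checker that applies the guidelines above to a candidate password. The word list is a constructed stand-in for a real dictionary, and the passphrase threshold (four or more words, 16 or more characters) is an assumption, since the module gives no number.

```python
import re

# Constructed stand-in for a real wordlist; a production check would load a
# full dictionary plus the user's own names, pet names and birthdates.
COMMON_WORDS = {"password", "security", "smith", "cisco", "admin", "welcome"}

def is_sequence(pw: str) -> bool:
    """True for repetition (aaaaaaaa) or a straight run (abcdefgh, 87654321)."""
    s = pw.lower()
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({0}, {1}, {-1})

def check_password(pw: str, username: str = "") -> list:
    """Return the module guidelines a candidate password violates ([] if none).
    Leading spaces are dropped first because Cisco IOS ignores them; inner
    spaces are kept, which is what makes passphrases work."""
    pw = pw.lstrip(" ")
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 10:
        problems.append("under the preferred 10 characters")
    # Assumption: a 4+ word phrase of 16+ chars counts as a passphrase and is
    # exempt from the character-mix rule (the module gives no numeric cut-off).
    is_passphrase = len(pw.split()) >= 4 and len(pw) >= 16
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]", r" "))
    if classes < 3 and not is_passphrase:
        problems.append("needs a mix of upper, lower, digits, symbols or spaces")
    if is_sequence(pw):
        problems.append("repetition or letter/number sequence")
    # Deliberate misspellings (5ecur1ty) pass; plain dictionary words do not.
    letters_only = re.sub(r"[^a-z]", "", pw.lower())
    if letters_only in COMMON_WORDS:
        problems.append("based on a common dictionary word")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems
```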
Device Security
Additional Password Security
There are several steps that can be taken to help ensure that passwords remain secret on
a Cisco router and switch, including these:
• Encrypt all plaintext passwords with the service password-encryption command.
• Set a minimum acceptable password length with the security passwords min-length
command.
• Deter brute-force password guessing attacks with the login block-for # attempts #
within # command.
• Disable an inactive privileged EXEC mode access after a specified amount of time with
the exec-timeout command.
Device Security
Enable SSH
It is possible to configure a Cisco device to support SSH using the following steps:
1. Configure a unique device hostname. A device must have a unique hostname other than the default.
2. Configure the IP domain name. Configure the IP domain name of the network by using the global
configuration mode command ip domain-name.
3. Generate a key to encrypt SSH traffic. SSH encrypts traffic between source and destination. However, to
do so, a unique authentication key must be generated by using the global configuration command crypto
key generate rsa general-keys modulus bits. The modulus value determines the size of the key and can
be configured from 360 bits to 2048 bits. The larger the bit value, the more secure the key. However, larger
bit values also take longer to encrypt and decrypt information. The minimum recommended modulus length
is 1024 bits.
4. Verify or create a local database entry. Create a local database username entry using
the username global configuration command.
5. Authenticate against the local database. Use the login local line configuration command to
authenticate the vty line against the local database.
6. Enable vty inbound SSH sessions. By default, no input session is allowed on vty lines. You can specify
multiple input protocols including Telnet and SSH using the transport input [ssh | telnet] command.

