© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod5_L3 1 Implementing Secure Converged Wide Area Networks (ISCW)


2 Lesson 3 – Module 5 – ‘Cisco Device Hardening’ Network Attack Using Intelligence

3 Module Introduction
- The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions onto the public network, they need to take precautions so that attackers do not compromise their data and the data does not end up in the wrong hands.
- Unauthorised network access by an outside attacker or a disgruntled employee can wreak havoc with proprietary data, reduce company productivity, and stunt the ability to compete.
- Unauthorised network access can also harm relationships with customers and business partners, who may question the company's ability to protect their confidential information, and can lead to damaging and expensive legal action.

4 Objectives
- At the completion of this third lesson, you will be able to:
  - Describe the difference between virus, trojan and worm threats
  - Show how these threats are propagated
  - Explain techniques for dealing with these threats
  - Describe system software that can aid in defending against and mitigating attacks on host machines

5 End Station (Host) Vulnerabilities
- Host machines are particularly vulnerable to attack if not adequately protected. The main threats are:
  - Viruses
  - Trojan horse attacks
  - Worms

6 Viruses
- A computer virus is a malicious computer program (executable code) that can copy itself and infect a computer without the permission or knowledge of the user. The original may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus.
- A virus can only spread from one computer to another when its host is carried to an uninfected computer, for instance by a user sending it over a network as a file or as an e-mail payload, or carrying it on a removable medium such as a floppy disk, USB stick (‘memory stick’) or CD/DVD.
- Some viruses are programmed to damage the computer by corrupting programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages.
Source: Wikipedia – Computer virus

7 Trojan Horse
- A Trojan horse is a program that, unlike a virus, does not replicate itself; instead it contains or installs a malicious program, the payload or ‘trojan’.
- Trojan horses may appear to be useful or interesting programs, or at the very least harmless to an unsuspecting user, but are actually harmful when executed.
- There are two common types of Trojan horse:
  - Otherwise useful software that has been corrupted by an attacker inserting malicious code that executes while the program is used
  - A standalone program that masquerades as something else, such as a game or an image file, in order to trick the user into the action (opening or running it) that the program needs in order to carry out its objective

8 Worms
- A computer worm is a self-replicating executable program. It uses a network to send copies of itself to other hosts (end-user machines and servers on the network), and it may do so without any user intervention.
- Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth as they spread), whereas viruses act on files on the targeted computer.

9 Malicious software containment
- Viruses and Trojan horses can be contained by:
  - Effective use of antivirus software
  - Keeping up to date with the latest developments in these methods of attack
  - Keeping antivirus software (and its signatures) and applications up to date with the latest versions
  - Implementing host-based intrusion prevention systems (for example, Cisco Security Agent)

10 Worm Attack, Mitigation and Response
- The anatomy of a worm attack has three parts:
  - The enabling vulnerability: the worm exploits a vulnerability to install itself on a vulnerable system
  - Propagation mechanism: after gaining access to a device, the worm replicates and selects new targets
  - Payload: once the worm infects the device, the attacker has access to the host, often as a privileged user. Where the initial foothold is unprivileged, attackers use a local exploit to escalate their privilege level to administrator.

11 Worm attack mitigation
- Worm attack mitigation requires diligence on the part of system and network administration staff.
- Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident.
- Recommended steps for worm attack mitigation:
  - Containment: contain the spread of the worm into your network and within your network. Compartmentalise uninfected parts of your network.
  - Inoculation: start patching all systems and, if possible, scanning for vulnerable systems.
  - Quarantine: track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.
  - Treatment: clean and patch each infected system. Some worms may require a complete reinstallation of the core system before it is clean.

12 Worm attack response
- The six typical phases of an incident response to a worm are as follows:
  1. Preparation: acquire the resources to respond
  2. Identification: identify the worm
  3. Classification: classify the type of worm
  4. Traceback: trace the worm back to the attack’s origin
  5. Reaction: isolate and repair the affected systems
  6. Post mortem: document and analyse the process that you used, for future use

13 Application Layer Attacks and Mitigation
- Application layer attacks have the following characteristics:
  - They exploit well-known weaknesses, such as those in protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP)
  - They often use ports that are allowed through a firewall (for example, TCP port 80 in an attack against a web server behind a firewall; the firewall has to permit that port for the server to be reachable at all)
  - They can never be completely eliminated, because new vulnerabilities are always being discovered

14 Netcat
- Netcat is a tool that reads or writes data on arbitrary TCP/UDP connections, relays TCP connections, and can act as a TCP/UDP server.

# nc -h
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
  -g gateway    source-routing hop point[s], up to 8
  -G num        source-routing pointer: 4, 8, 12, ...
  -i secs       delay interval for lines sent, ports scanned
  -l            listen mode, for inbound connects
  -n            numeric-only IP addresses, no DNS
  -o file       hex dump of traffic
  -p port       local port number
  -r            randomize local and remote ports
  -s addr       local source address
  -u            UDP mode
  -v            verbose [use twice to be more verbose]
port numbers can be individual or ranges: lo-hi [inclusive]

15 Netcat Example
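The example slide above carries no text on this page. The following is an added example written for this edit, not code from the Cisco course or from the netcat project: a few dozen lines of Python that do what the help text on the previous slide describes, namely listen for one inbound connection (`nc -l -p port`), connect to a port and exchange data (`nc host port`), and check a list of ports with a full TCP connect (the `lo-hi` port-range form). Both ends run in one process on 127.0.0.1 so it works offline; the banner and payload are constructed for the demonstration.

```python
import socket
import threading
from typing import Dict, List


class OneShotListener:
    """`nc -l -p PORT` in miniature: bind now, accept one connection later,
    send a banner to the client and keep whatever the client sends back."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"220 constructed-banner\r\n") -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.listen(1)
        self.sock.settimeout(5.0)
        self.port: int = self.sock.getsockname()[1]
        self.banner = banner
        self.received = b""

    def serve_once(self) -> None:
        try:
            conn, _peer = self.sock.accept()
        finally:
            self.sock.close()                 # one connection only, like `nc -l`
        with conn:
            conn.settimeout(5.0)
            try:
                conn.sendall(self.banner)
                self.received = conn.recv(4096)
            except OSError:                   # peer closed early (e.g. a scanner probe)
                pass


def connect_and_exchange(host: str, port: int, payload: bytes,
                         timeout: float = 5.0) -> bytes:
    """`nc HOST PORT` with input on stdin: connect, send the payload, half-close,
    and return everything the server sends until it closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        sock.shutdown(socket.SHUT_WR)
        chunks: List[bytes] = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def connect_scan(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, str]:
    """`nc -v HOST lo-hi` style port check: a full TCP connect to each port.
    No data is sent, so an open port just sees a connection open and close."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
            probe.settimeout(timeout)
            results[port] = "open" if probe.connect_ex((host, port)) == 0 else "closed"
    return results


def demo(payload: bytes = b"HELO attacker.example\r\n") -> dict:
    """Run listener and client in one process so the example is self-contained."""
    # 1. banner grab against a listener we control
    listener = OneShotListener()
    server = threading.Thread(target=listener.serve_once)
    server.start()
    reply = connect_and_exchange("127.0.0.1", listener.port, payload)
    server.join(5.0)

    # 2. port check: one listening port plus one we know is closed
    open_listener = OneShotListener()
    scan_server = threading.Thread(target=open_listener.serve_once)
    scan_server.start()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]   # released on close; nothing listens on it
    scan = connect_scan("127.0.0.1", [open_listener.port, closed_port])
    scan_server.join(5.0)

    return {"reply": reply, "server_saw": listener.received,
            "open_port": open_listener.port, "closed_port": closed_port, "scan": scan}


if __name__ == "__main__":
    print(demo())
```

The banner grab is the part an attacker cares about: a service that announces itself on connect hands over name and version before any authentication, which is exactly the reconnaissance the application-layer attacks on the next slides rely on. The full-connect probe is noisy (it completes the handshake, so the target's logs see it), which is why stealthier scanners use half-open probes instead.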

16 Mitigation of Application Layer Attacks
- Measures you can take to reduce risks include:
  - Read operating system and network log files, or have the files analysed by log analysis applications
  - Subscribe to mailing lists that publicise vulnerabilities
  - Keep all operating systems and applications current with the latest patches
  - Use IDS/IPS that can scan for known attacks, monitor and log attacks and, in some cases, prevent attacks
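Reading log files only helps if something turns the lines into decisions. The following added example (written for this edit, not part of the Cisco course) is the kind of analysis the first bullet asks for, run over constructed OpenSSH/syslog-style lines: it parses each authentication line into fields, raises an alert when one source address accumulates five failures inside a 60-second window, and raises a second alert when a source that has recently failed then succeeds. The host name, addresses and timestamps are invented for the demonstration; the threshold and window are assumptions a practitioner would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed OpenSSH/syslog-style lines for the example; these are not real events.
SAMPLE_LOG = """\
Mar 12 10:15:01 gw-01 sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 10:15:03 gw-01 sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 12 10:15:04 gw-01 sshd[4121]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 12 10:15:06 gw-01 sshd[4122]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 12 10:15:07 gw-01 sshd[4123]: Failed password for oracle from 203.0.113.45 port 51026 ssh2
Mar 12 10:15:09 gw-01 sshd[4124]: Accepted publickey for ops from 192.0.2.10 port 40110 ssh2
Mar 12 10:20:30 gw-01 sshd[4130]: Failed password for ops from 192.0.2.10 port 40111 ssh2
Mar 12 10:40:00 gw-01 sshd[4131]: Failed password for ops from 192.0.2.10 port 40112 ssh2
Mar 12 10:41:00 gw-01 sshd[4132]: Accepted password for ops from 192.0.2.10 port 40113 ssh2
Mar 12 10:41:05 gw-01 cron[4133]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str, year: int = 2024) -> Optional[dict]:
    """Return a structured event for sshd authentication lines, None for anything else.
    Classic syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "src": m["src"], "invalid_user": m["invalid"] is not None}


def _trim(times: List[datetime], now: datetime, window: timedelta) -> None:
    """Drop failures older than the window, keeping the list in event order."""
    while times and now - times[0] > window:
        times.pop(0)


def detect(log_text: str, threshold: int = 5,
           window_seconds: int = 60) -> Tuple[List[dict], List[dict]]:
    """Two detections over the parsed events (assumed to arrive in time order):
    - bruteforce: threshold failures from one source inside the sliding window
    - success-after-failures: an Accepted login from a source with failures still in the window
    Returns (events, alerts)."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[dict] = []
    for e in events:
        src, now = e["src"], e["ts"]
        recent = failures[src]
        _trim(recent, now, window)
        if e["outcome"] == "Failed":
            recent.append(now)
            if len(recent) == threshold:      # fire once, when the threshold is crossed
                alerts.append({"rule": "bruteforce", "src": src, "count": len(recent),
                               "first": recent[0], "last": now})
        elif e["outcome"] == "Accepted" and recent:
            alerts.append({"rule": "success-after-failures", "src": src, "user": e["user"],
                           "prior_failures": len(recent), "at": now})
    return events, alerts


if __name__ == "__main__":
    _, found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
```

The second rule is the one worth keeping: a burst of failures is noise on any Internet-facing host, but a success from the same source shortly afterwards is the signal that the password guessing worked, and is what should page someone.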

17 Configuration Management protocols
- Configuration management protocols include SSH, SSL/TLS (HTTPS) and the insecure Telnet.
- Whichever is chosen for remote access to the managed device, ACLs should be configured to allow only the management servers to connect to the device. All attempts from other IP addresses should be denied and logged.
- Ideally, use secure management protocols when configuring all network devices. Protocols that carry data in the clear, such as Telnet and SNMPv1/v2c, must be made secure by protecting the data with IPsec.
- The access lists should permit management access, such as SSH or HTTPS, only from the legitimate management hosts. Also implement RFC 3704 (ingress) filtering at the ingress router to reduce the chance of an attacker outside the network spoofing the addresses of the management hosts.
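The two controls on this slide only work together: a management ACL that trusts a source address is worthless if an outsider can send packets carrying that address. The following added example (written for this edit; it is not Cisco configuration and not the course's code) models the decision logic of both so they can be read side by side with the log entries they produce. The device address, the management hosts, the inside prefixes and the permitted management protocols are assumptions chosen from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed addressing for the example (documentation ranges, not a real network).
DEVICE_ADDR = ipaddress.ip_address("192.0.2.1")             # the managed router itself
MANAGEMENT_HOSTS = [ipaddress.ip_network("192.0.2.10/32"),
                    ipaddress.ip_network("192.0.2.11/32")]  # the only legitimate managers
INSIDE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("10.0.0.0/8")]      # prefixes that live behind the router
ALLOWED_MGMT = {("tcp", 22): "ssh", ("tcp", 443): "https", ("udp", 161): "snmp"}
# telnet/23, http/80 and anything else addressed to the device itself are denied


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    ingress: str    # interface the packet arrived on: "inside" or "outside"


@dataclass
class DeviceFilter:
    log: List[str] = field(default_factory=list)

    def rfc3704_ok(self, pkt: Packet) -> bool:
        """Ingress filtering (RFC 3704): a packet that arrives on the outside interface
        must not claim an inside source address. Spoofed packets are dropped and logged."""
        src = ipaddress.ip_address(pkt.src)
        if pkt.ingress == "outside" and any(src in net for net in INSIDE_PREFIXES):
            self.log.append(f"DENY spoofed source {pkt.src} arriving on outside interface")
            return False
        return True

    def management_ok(self, pkt: Packet) -> bool:
        """Management ACL: traffic addressed to the device itself is permitted only for
        approved protocols and only from the management hosts; everything else is logged."""
        if ipaddress.ip_address(pkt.dst) != DEVICE_ADDR:
            return True                                   # transit traffic, out of scope here
        src = ipaddress.ip_address(pkt.src)
        from_manager = any(src in net for net in MANAGEMENT_HOSTS)
        if from_manager and (pkt.proto, pkt.dport) in ALLOWED_MGMT:
            return True
        why = "non-management host" if not from_manager else "protocol not permitted"
        self.log.append(f"DENY {pkt.proto}/{pkt.dport} to device from {pkt.src} ({why})")
        return False

    def evaluate(self, pkt: Packet) -> str:
        # spoof check first: a forged "management host" address must never reach the ACL stage
        return "permit" if self.rfc3704_ok(pkt) and self.management_ok(pkt) else "deny"


SAMPLES = [
    Packet("192.0.2.10", "192.0.2.1", "tcp", 22, "inside"),     # SSH from a manager
    Packet("192.0.2.55", "192.0.2.1", "tcp", 22, "inside"),     # SSH from an ordinary host
    Packet("192.0.2.10", "192.0.2.1", "tcp", 23, "inside"),     # telnet from a manager
    Packet("192.0.2.10", "192.0.2.1", "tcp", 22, "outside"),    # manager's address, wrong side
    Packet("198.51.100.7", "10.1.1.20", "tcp", 80, "outside"),  # transit web traffic
]


def run_samples() -> Tuple[List[str], List[str]]:
    """Evaluate the constructed packets; return the verdicts and the deny log."""
    f = DeviceFilter()
    verdicts = [f.evaluate(p) for p in SAMPLES]
    return verdicts, f.log


if __name__ == "__main__":
    results, denied = run_samples()
    for pkt, verdict in zip(SAMPLES, results):
        print(f"{verdict:6} {pkt}")
    print(*denied, sep="\n")
```

On Cisco IOS the first check is what `ip verify unicast source reachable-via rx` (unicast RPF) or an ingress ACL provides, and the second is the `access-class` applied to the vty lines together with the ACL referenced by `snmp-server community ... RO`. The order matters in the same way on the router: anti-spoofing is applied on the interface before any address-based trust is exercised.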

18 Management Protocols
- These management protocols can be compromised:
  - SNMP: the community string used for simple authentication is sent in plaintext (SNMPv1 and SNMPv2c).
  - syslog: data is sent as plaintext between the managed device and the management host.
  - TFTP: data is sent as plaintext between the requesting host and the TFTP server.
  - NTP: many NTP servers on the Internet do not require any authentication of peers.
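To make the SNMP bullet concrete: the community string is the whole of SNMPv1/v2c authentication, and it sits in the clear a few bytes into every datagram. The following added example (written for this edit; not Cisco code and not any SNMP library) builds a constructed SNMPv2c GetRequest with a minimal BER encoder, then parses it the way a passive sniffer on the path would, recovering version, community string and PDU type. The community string, OID and request id are assumed values; a real capture would look the same.

```python
from typing import Tuple

# --- minimal BER encoder, enough to build an SNMPv1/v2c message ---------------

def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    # non-negative only; a leading 0x00 is added when the top bit would read as a sign bit
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(version: int, community: str, oid: str, request_id: int = 42) -> bytes:
    """SNMP GetRequest for one OID. version 0 = SNMPv1, 1 = SNMPv2c."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))                     # OID, NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


# --- what a sniffer on the path can read back out ------------------------------

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "InformRequest"}


def sniff(datagram: bytes) -> dict:
    """Recover version, community string and PDU type from a captured SNMP datagram."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version == 3:                     # SNMPv3: header and USM fields follow, no community
        return {"version": "v3", "community": None, "pdu": None}
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, _, _ = read_tlv(msg, pos)
    return {"version": {0: "v1", 1: "v2c"}.get(version, str(version)),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}


if __name__ == "__main__":
    captured = build_get_request(1, "public", "1.3.6.1.2.1.1.1.0")   # constructed, not a real capture
    print(captured.hex())
    print(sniff(captured))
```

Anyone who sees one datagram has the credential, and if that community string is read-write they can also push configuration with a SetRequest; the read-only-only recommendation on the next slide limits the damage, and SNMPv3 with authentication and privacy removes the plaintext secret altogether.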

19 Management Protocol Best Practices
- The following two slides summarise the best practices to be followed when implementing a secure management solution.
- Recommendations for the correct use of SNMP tools include:
  - Configure SNMP with read-only community strings only; do not enable read-write access
  - Set up access control on the device you want to manage via SNMP to allow access only from the appropriate management hosts
  - Use SNMP version 3. This version provides secure access to devices through a combination of authenticating and encrypting management packets over the network

20 Management Protocol Best Practices
- Syslog: encrypt syslog traffic within an IPsec tunnel.
  - Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices outside a firewall.
  - Implement ACLs on the firewall to allow syslog data from only the managed devices themselves to reach the management hosts.
- TFTP: when possible, encrypt TFTP traffic within an IPsec tunnel in order to reduce the chance of interception.
- NTP: implement your own master clock for private network synchronisation.
  - Use NTP version 3 or above, because these versions support a cryptographic authentication mechanism between peers (a keyed MD5 digest over the packet, identified by a key ID). NTPv3 is supported by most vendors, including Cisco Systems. When this course was written (2007) version 4 was not yet defined by an RFC; it has since been standardised as RFC 5905 (2010).
  - Use ACLs that specify which network devices are allowed to synchronise with other network devices.
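The NTP bullet says "cryptographic authentication mechanism" without showing what it is. The following added example (written for this edit; not Cisco code and not the ntpd reference implementation) computes and verifies the symmetric-key MAC of RFC 1305 and RFC 5905 section 7.3: a 4-byte key identifier plus an MD5 digest over the shared key followed by the 48-byte NTP header, appended to the packet. The key, key ID and timestamp values are assumptions; the constructed header is a plain mode-3 client request.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_HEADER_LEN = 48          # LI/VN/Mode through Transmit Timestamp
MAC_LEN = 4 + 16             # key identifier + MD5 digest (RFC 1305 / RFC 5905 section 7.3)


def build_client_header(version: int = 3) -> bytes:
    """Constructed NTP client packet: LI=0, VN=version, Mode=3 (client). Only the
    transmit timestamp is filled in, with a fixed value so the example is deterministic."""
    hdr = bytearray(NTP_HEADER_LEN)
    hdr[0] = (0 << 6) | (version << 3) | 3
    struct.pack_into("!II", hdr, 40, 0xE5B6A1F0, 0x12345678)   # seconds, fraction (assumed)
    return bytes(hdr)


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """Digest as NTPv3/v4 peers compute it: MD5 over key || header.
    This is a keyed hash, not HMAC; it is what the protocol specifies."""
    return hashlib.md5(key + header).digest()


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: header, then key identifier, then the digest."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def verify(packet: bytes, trusted_keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Receiver side: accept only packets carrying a valid MAC under a trusted key id
    (the IOS `ntp trusted-key` list plays the role of trusted_keys)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet (no MAC)"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected length"
    header, key_id_bytes, digest = packet[:48], packet[48:52], packet[52:]
    key_id = struct.unpack("!I", key_id_bytes)[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key id {key_id} not trusted"
    if not hmac.compare_digest(ntp_mac(key, header), digest):   # constant-time compare
        return False, "MAC mismatch"
    version = (header[0] >> 3) & 0x7
    return True, f"authenticated with key {key_id} (NTPv{version})"


TRUSTED_KEYS: Dict[int, bytes] = {1: b"ntp-shared-secret"}   # assumed key; both peers must hold it


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the receiver against a good packet and the failure cases it must reject."""
    hdr = build_client_header()
    good = append_mac(hdr, 1, TRUSTED_KEYS[1])
    tampered = bytearray(good)
    tampered[40] ^= 0x01                                  # flip one bit of the transmit timestamp
    return {
        "valid": verify(good, TRUSTED_KEYS),
        "no_mac": verify(hdr, TRUSTED_KEYS),
        "tampered": verify(bytes(tampered), TRUSTED_KEYS),
        "wrong_key": verify(append_mac(hdr, 1, b"guess"), TRUSTED_KEYS),
        "untrusted_id": verify(append_mac(hdr, 7, b"other"), TRUSTED_KEYS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13} {result}")
```

Two points follow from the code. The MAC proves the packet came from a holder of the shared key and was not altered in transit, which is what stops an attacker on the path from shifting a device's clock (and with it certificate validity checks and log timestamps); it does not hide anything, since the header is still in the clear. And the "no MAC" case is the important configuration detail: a peer that is merely able to verify MACs but not required to will happily accept unauthenticated packets, so the key must be marked trusted and authentication must be enforced on the association.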

21 Determining Vulnerabilities and Threats
- There are several tools and techniques that can be used to find vulnerabilities in your network.
- Once any vulnerabilities have been identified, mitigation steps can be considered and applied as appropriate.
- Some common tools include:
  - Blue’s PortScanner
  - Wireshark (formerly Ethereal)
  - Microsoft Baseline Security Analyzer
  - Nmap

22 Blue’s Port Scanner
- Blue’s Port Scanner is a fast network scanner that can scan over 300 ports per second on a Windows NT or Windows 2000 machine. It has a Windows XP-style interface and offers TCP and UDP scanning as well as an anti-flood function.

23 Wireshark (Ethereal)
- Wireshark is the world's foremost network protocol analyser, and is the de facto standard in many industries. It is the continuation of the Ethereal project; hundreds of developers around the world have contributed to it, and it is still under active development.

24 Microsoft Baseline Security Analyzer

25 Nmap
- Nmap ("Network Mapper") is a free, open source utility for network exploration and security auditing.
- It is designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
- Nmap runs on most types of computers, and both console and graphical versions are available.
