In this tutorial I will explain some common network security threats with their possible solutions. Knowing these vulnerabilities will help you in planning, building and operating a network successfully. Network administrators spend quality of time with security policies. This tutorial could be your first step toward the challenging world of networking.
A computer network is basically built from two components; hardware and software. Both components have their own vulnerabilities and risks. Hardware threats are easy to detect in comparison with software threats. Hardware threats cause more damage in network than software threats. A software threat can only harm the data while a hardware threat can harm both device and data.
Hardware threats involve four types of threats;
Improper installation, selecting wrong components, incomplete devices, lack of knowledge, unsecure or less secure network components can cause physical threat to the critical network resources. Physical threats are divided in two types; accidentally and intentionally. With proper planning we can minimize accidental damage. For intentional damage we have to increase security measurements.
Following measurement should be taken to deal with physical threat:-
Irregular power supply (such as fluctuations, high voltage, low voltage or surge voltage) can cause serious damage to the network components. Following precautions should be taken to minimize the electrical threats:-
Extreme weather conditions (such as moisture, EMI field, very high or low temperature and humidity) can also damage network devices. To mitigate environmental threat following action should be taken:-
Improper disaster planning triggers the maintenance threats. It includes lack of spare parts, poor cabling, incorrect or no labeling on components. To deal with maintenance threats following guideline should be followed:-
Hardware threats are easy in finding and patching. Hardware threats need physical access which makes it difficult option for crackers. According to a study over the 90% attacks are software based.
Gone are the days when hacking was the task of highly skilled developers. In current time anyone who has a little knowledge of programming can become hacker by downloading tools from Internet. With these complicated tools, hacking is no more a programing game. A person who has an ability to use these tools may bring an unsecure network down.
Beside these tools, another reason for increasing threats is the balancing feature. People want the software which is easy to use and contains many features. A featured rich and easy to use software is also easy to crack. Balancing between features and security is the toughest challenge. Sometime a developer has to compromise with security in order to provide features.
Security threat involves three goals:-
This goal defines how we keep our data private from eavesdropping. Packet capturing and replaying are the example threats for this goal. Data encryption is used to achieve this goal.
This goal defines how we avoid our data from being altered. MiTM (Man in the middle attacks) is the example threat for this goal. Data hashing is used to take the fingerprint of data. Through hashing we can match data from its original source.
This goal defines how we keep available data to our genuine users. DoS (Denial of service attacks) is the example threat for this goal. User rate limit and firewall are used to mitigate the threat for this goal.
An adversary (a person/hacker/cracker who is interested in attacking your network) can use any kind of attack to threat the network infrastructures. A network may face several other attacks from adversary while achieving above goals. In following section, I will include some most common attacks.
In this kind of attack, an adversary collects as much information about your network as he needed for other attacks. This information includes IP address range, server location, running OS, software version, types of devices etc. Packet capturing software, Ping command, traceroot command, whois lookup are some example tools which can be used to collect this information. Adversary will use this information in mapping your infrastructure for next possible attack.
In this attack an adversary deploys a sniffer tool and waits for sensitive information to be captured. This information can be used for other types of attacks. It includes packet sniffer tools, traffic analysis software, filtering clear text passwords from unencrypted traffic and seeking authentication information from unprotected communication. Once an adversary found any sensitive or authentication information, he will use that without the knowledge of the user.
In this attack an adversary does not wait for any sensitive or authentication information. He actively tries to break or bypass the secured systems. It includes viruses, worms, trojan horses, stealing login information, inserting malicious code and penetrating network backbone. Active attacks are the most dangerous in natures. It results in disclosing sensitive information, modification of data or complete data lost.
In this attack an adversary hides malicious code in trusted software. Later this software is distributed to many other users through the internet without their knowledge. Once end user installs infected software, it starts sending sensitive information to the adversary silently. Pirated software is heavily used for this purpose.
According to a survey more than 70% attacks are insider. Insider attacks are divided in two categories; intentionally and accidentally. In intentionally attack, an attacker intentionally damage network infrastructure or data. Usually intentionally attacks are done by disgruntled or frustrated employees for money or revenge. In accidentally attack, damages are done by the carelessness or lack of knowledge.
Phishing attack is gaining popularity from last couple of years. In this attack an adversary creates fake email address or website which looks like a reputed mail address or popular site. Later attacker sends email using their name. These emails contain convincing message, some time with a link that leads to a fake site. This fake site looks exactly same as original site. Without knowing the truth user tries to log on with their account information, hacker records this authentication information and uses it on real site.
This attack usually takes place between running sessions. Hacker joins a running session and silent disconnects other party. Then he starts communicating with active parties by using the identity of disconnected party. Active party thinks that he is talking with original party and may send sensitive information to the adversary.
In this kind of attack an adversary changes the sources address of packet so receiver assumes that packet comes from someone else. This technique is typically used to bypass the firewall rules.
This attack is part of DoS technique. In this attack an adversary sends more data to an application than its buffer size. It results in failure of service. This attack is usually used to halt a service or server.
Exploit attack is used after Reconnaissance attack. Once an attacker learned from reconnaissance attack that which OS or software is running on target system, he starts exploiting vulnerability in that particular software or OS.
In this attack an adversary tries to login with guessed password. Two popular methods for this attack are dictionary attack and brute force attack. In brute force method, an adversary tires with all possible combinations. In dictionary method, an adversary tires with a word list of potential passwords.
This attack is part of passive attack. In this attack an attacker uses a packet capturing software which captures all packets from wire. Later he extracts information from these packets. This information can be used to deploy several kinds of other attacks.
In this attack an attacker pings all possible IP addresses on a subnet to find out which hosts are up. Once he finds an up system, he tries to scan the listening ports. From listing ports he can learn about the type of services running on that system. Once he figures out the services, he can try to exploit the vulnerabilities associated with those services.
DNS queries are used to discover information about public server on the internet. All OS includes the tool for DNS queries such as nslookup in Windows, Dig and Host in Linux. These tools query a DNS server for information about specified domain. DNS server respond with internal information such as Server IP address, Email Server, technical contacts etc. An adversary can use this information in phishing or ping attack.
In this attack an adversary captures data from middle of transmission and changes it, then send it again to the destination. Receiving person thinks that this message came from original source. For example in a share trading company Jack is sending a message to Rick telling him to hold the shares. An adversary intercepts this message in way that it looks like Jack is telling for sell. When Rick receives this message, he will think that Jack is telling for the sell and he will sell the shares. This is known as Man in the middle attack.
DoS attack is a series of attacks. In this attack an adversary tires to misuse the legitimate services. Several networking tools are available for troubleshooting. An attacker uses these tools for evil purpose. For example ping command is used to test the connectivity between two hosts. An adversary can use this command to continuously ping a host with oversized packets. In such a situation target host will be too busy in replying (of ping) that it will not be able run other services.
Mitigating security threats
To protect network from above attacks, administrators use different approaches. No matter what approach you choose, there are some basic rules which you should always follow:-
Beside these essential steps you can also consider a security device or software as per network requirements. There are several thousands of security solutions are available in market to choose from. In this last section I will discuss some Cisco security appliances which may be questioned in the CCNA level exams.
More than 80% of the Internet backbone routers are running Cisco IOS software. Cisco IOS is the most critical part of network infrastructure. Probably it gets the most hacking attacks in the networking world. Cisco provides several security products to secure the Cisco IOS and other critical network infrastructures. Few of them are following:-
This is the coolest product from Cisco. It is the replacement of Cisco PIX firewall. Along with working as firewall, it also supports requirement specific security modules. Based on our need we can purchase specific security module. For example if our network is getting highly intrusion attack, we can purchase and install IPS module.
This module filters all network traffic for possible attack. If an attack signature match, it will automatically change access control lists and will create a rule in firewall to block the attacker. IPS can be integrated in a standalone device or it can be installed as a module in Cisco ASA.
This module filter network traffic in real time for potential DDoS attack and block malicious traffic without affecting genuine traffic.
This module works with DDoS guard to extend its functionality. DDoS Guard can only match known DDoS attacks. It cannot match newly discovered attacks, as it uses signature database to detect the attack. Anomaly Guard helps in dealing with real time attack. It maintains a normal traffic profile by analyzing user behavior. It can detect any deviation from normal traffic profile. If it detects any deviation, it will trigger an alert to administrator or interact with the DDoS guard to mitigate the attack.
This module works like antivirus software. But it has much more features than antivirus software. Its feature includes audit logs, malicious mobile code detection and protection system, OS patch and built in IPS. Along with these features it has real time threat detection technology. This module is installed on desktop clients, server, tablet, mobile and endpoint devices.
Through this module administrator can quarantine and prevent unauthorized access from end users. This module is also known as Cisco Clean Access.
This module is used for monitoring security devices and host applications. With monitoring it also assists with analysis and response of threats on your network.
This is the only tool which you need to study for CCNA level exams. I will discuss this tool in details with examples in next article.