CCNA3 Module 3: Network Security Concepts - Enterprise Networking Security and Automation (ENSA)
Summary
Highlights
This module introduces network security, explaining how vulnerabilities, threats, and exploits can be mitigated. It covers cybersecurity, threat actors, malware, common network attacks, IP and TCP/UDP vulnerabilities, and network security best practices, including cryptography. The importance of ethical hacking and responsible use of tools for educational purposes is emphasized due to potential legal consequences for unauthorized access.
Cyber criminals possess advanced tools to target critical infrastructure. Maintaining a secure network protects users and commercial interests. Key security terms include: 'assets' (anything valuable like people, data, equipment), 'vulnerability' (a system weakness that can be exploited), 'threat' (potential danger to assets), 'exploit' (a mechanism leveraging a vulnerability), 'mitigation' (countermeasures to reduce risk), and 'risk' (likelihood of a threat exploiting a vulnerability). All users should understand these terms.
An attack vector is how a threat actor gains access. These can originate internally or externally, with internal threats often causing more damage due to direct access to infrastructure. Data loss or exfiltration, whether intentional or accidental, can lead to severe consequences like brand damage, financial losses, legal action, and even national security threats. Common data loss vectors include intercepted emails, unencrypted devices, compromised cloud storage, removable media, hard copies left unsecured, and improper access controls with weak passwords.
Threat actors are categorized by their motivations and methods. 'White hat hackers' are ethical hackers working for good, reporting vulnerabilities responsibly. 'Grey hat hackers' commit arguably unethical acts but without personal gain or direct damage, sometimes disclosing vulnerabilities after compromising a network. 'Black hat hackers' are malicious criminals who compromise systems for personal gain or destructive reasons. Other types include 'script kiddies' (inexperienced hackers), 'vulnerability brokers' (who discover and report exploits for rewards), 'hacktivists' (protestors using hacking), 'cybercriminals' (focused on financial theft or data trading), and 'state-sponsored hackers' (governments stealing secrets or sabotaging networks).
Attack tools have become more sophisticated, requiring less technical knowledge to operate. Penetration testing (pen testing) tools are used by both ethical and malicious hackers. Categories include: 'password crackers' (like John the Ripper), 'wireless hacking tools' (like Aircrack-ng), 'network scanning and hacking tools' (like Nmap), 'packet crafting tools' (like hping), 'packet sniffers' (like Wireshark), 'rootkit detectors', 'fuzzers' (to find vulnerabilities), 'forensic tools', 'debuggers', 'hacking operating systems' (like Kali Linux), 'encryption tools' (which can also be misused for ransomware), 'vulnerability exploitation tools', and 'vulnerability scanners'. Users must be aware of their legal responsibilities when using these tools.
Common network attacks include: 'eavesdropping' (capturing network traffic), 'data modification' (altering data in transit), 'IP address spoofing' (falsifying source IP to hide identity or pose as a legitimate user), 'password-based attacks' (gaining access through compromised user accounts), 'Denial of Service (DoS)' (preventing legitimate users from accessing services by overwhelming or crashing systems), 'Man-in-the-Middle (MitM)' (intercepting and controlling communications transparently), 'compromised key' (obtaining secret keys to access secure communication), and 'sniffer attacks' (reading and analyzing unencrypted network packets).
Malware typically targets end-users. 'Viruses' require human action to propagate, attaching to files and executing when opened, leading to data corruption, system issues, or information theft. 'Trojan horses' appear useful but harbor malicious code, often bundled with free software, allowing remote access, data theft (like keyloggers), or system destruction. 'Worms' are self-replicating programs that spread automatically without user interaction by exploiting software vulnerabilities, mainly aiming to disrupt network operations. Various types of viruses (boot sector, firmware, macro, program, script) and trojan horses (remote access, data sending, destructive, proxy, DoS, FTP, security disablers, keyloggers) exist.
Other malware includes 'adware' (displaying unsolicited ads or redirects), 'ransomware' (denying access to files by encryption until a ransom is paid), 'rootkits' (gaining administrative access and hiding presence by altering system functions), and 'spyware' (gathering user information without consent). Network attacks are categorized into 'reconnaissance attacks' (information gathering), 'access attacks' (gaining unauthorized entry or privilege escalation), and 'DoS/DDoS attacks' (denying service to legitimate users). Reconnaissance techniques involve information queries, ping sweeps, port scans, vulnerability scans, and exploitation tools.
Access attacks exploit vulnerabilities in authentication, FTP, and web services to gain entry to accounts or sensitive databases, sometimes escalating privileges. These include 'password attacks' (using cracking tools) and 'spoofing attacks' (falsifying identity like IP or MAC addresses, or DHCP spoofing). 'Social engineering' attacks manipulate individuals to divulge confidential information or perform harmful actions. Techniques include 'pretexting' (pretending to need info), 'phishing' (fraudulent emails), 'spear phishing' (targeted phishing), 'spam' (junk mail), 'something for something' (offering gifts for info), 'baiting' (leaving infected media), 'impersonation' (pretending to be someone else), 'tailgating' (following authorized personnel into secure areas), 'shoulder surfing' (observing sensitive info), and 'dumpster diving' (finding confidential documents in trash). User education and strong policies are essential for defense.
DoS (Denial of Service) attacks interrupt network services, overwhelming targets with traffic or maliciously formatted packets, leading to slow performance or system crashes. These attacks are simple to execute, even for unskilled actors. DDoS (Distributed Denial of Service) attacks are similar but originate from multiple coordinated sources, often compromised 'zombie' computers worldwide, making them harder to trace and mitigate. The impact can be significant, causing substantial loss of time and money, and often requiring system reboots or service restarts.
IP (Internet Protocol) does not validate source addresses, making it susceptible to spoofing. 'ICMP (Internet Control Message Protocol) attacks' use echo packets (pings) for reconnaissance (mapping networks, discovering active hosts, OS fingerprinting, firewall state) and DoS attacks. Ipv4 and Ipv6 are both vulnerable; strict ICMP ACL filtering and security devices (firewalls, IDS) are necessary. Amplification and reflection attacks, such as Smurf attacks, overwhelm targets. Address spoofing can be 'non-blind' (threat actor sees traffic) or 'blind' (used in DoS to prevent service, not steal data). MAC address spoofing occurs when an internal attacker alters a MAC address to match a legitimate one.
TCP (Transmission Control Protocol) provides reliable, connection-oriented communication with flow control and acknowledgments. Its three-way handshake establishes connections. TCP attacks include 'SYN flood attacks,' where an attacker sends many SYN requests but ignores SYN-ACK responses, exhausting server resources and causing a DoS. TCP session termination uses a four-way handshake. A 'TCP reset attack' (RST) can prematurely terminate connections, and 'TCP session hijacking' allows an attacker to take over an authenticated session. UDP (User Datagram Protocol) is connectionless, has lower overhead, and is often used for real-time applications like video streaming and VoIP. It lacks built-in encryption and reliability, making it vulnerable to 'UDP flood attacks' that overwhelm networks by sending spoofed UDP packets, eliciting ICMP unreachable messages and consuming bandwidth, leading to DoS.
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses. A vulnerability lies in 'gratuitous ARP,' where any host can claim ownership of an IP/MAC address. This allows 'ARP cache poisoning,' where a threat actor sends spoofed ARP responses, redirecting traffic to their device and enabling man-in-the-middle attacks, which can be passive (stealing info) or active (modifying data). DNS (Domain Name System) translates human-readable domain names to IP addresses. DNS attacks include 'open resolver attacks' (vulnerable to cache poisoning, amplification/reflection, and resource exhaustion), 'stealth attacks' (fast flux, double IP flux, domain generation algorithms to hide malicious sites), 'domain shadowing attacks' (creating malicious subdomains without the owner's knowledge), and 'tunneling attacks' (embedding non-DNS traffic within DNS queries to bypass security). Next-gen firewalls are crucial for deep packet inspection to mitigate these threats.
DHCP (Dynamic Host Configuration Protocol) dynamically assigns IP configuration to clients via a discover-offer-request-acknowledgment process. A 'DHCP spoofing attack' occurs when a rogue DHCP server provides false IP parameters to legitimate clients. This rogue server can respond faster than the legitimate one, supplying incorrect default gateways (enabling MitM), wrong DNS servers (redirecting to malicious websites), or invalid IP addresses (causing DoS). To prevent this, network administrators must secure switch ports and monitor DHCP traffic for unauthorized servers. The section transitions to 'Network Security Best Practices,' starting with the CIA triad: Confidentiality, Integrity, and Availability.
Network security aims to protect information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The 'CIA triad' is a core principle: 'Confidentiality' (only authorized access to sensitive info, often via encryption), 'Integrity' (protecting data from unauthorized alteration, often via hashing algorithms like SHA), and 'Availability' (uninterrupted access to resources and data, supported by redundancy and DoS prevention). A 'defense-in-depth' approach involves multiple layers of security, like VPNs, firewalls, IPS/IDS, and hardened devices, to secure communication across both public and private networks. Firewalls act as gatekeepers, enforcing access control policies between networks, allowing or denying specific traffic based on ports and protocols.
IPS (Intrusion Prevention Systems) and IDS (Intrusion Detection Systems) are critical for defending against evolving attacks. Both detect patterns in network traffic using signatures (rules to identify malicious activity). IPS deployments can be on routers, dedicated appliances, or integrated within other security devices. They intercept and evaluate traffic against policies, logs messages, and drop malicious packets. Modern IPS solutions rely on frequently updated, cloud-based threat intelligence databases. Content security devices, like the Cisco Email Security Appliance (ESA) and Cisco Web Security Appliance (WSA), provide specialized protection. ESA monitors SMTP for email threats, updated by Cisco Talos. WSA safeguards against web-based threats, offering malware protection, application visibility/control, URL filtering, web application filtering, and encryption/decryption, enabling deep packet inspection to block undesirable application usage like social media.
Cryptography is fundamental for securing data communication, especially external traffic. Four key elements are: 'Data Integrity' (guaranteeing message alteration hasn't occurred, using hash functions like MD5 or SHA to compute fixed-length digests), 'Origin Authentication' (ensuring messages are from legitimate sources, often using HMAC combined with a secret key), 'Data Confidentiality' (ensuring only authorized users can read messages, using symmetric or asymmetric encryption), and 'Data Non-repudiation' (guaranteeing senders cannot deny sending a valid message, relying on unique sender characteristics like digital signatures). Hashing can detect changes but is vulnerable to man-in-the-middle attacks if not combined with other security measures.
Encryption algorithms are categorized into symmetric and asymmetric. 'Symmetric encryption' (e.g., DES, 3DES, AES, SEED, RC) uses the same pre-shared secret key for both encryption and decryption. It's faster and commonly used for bulk data like VPN traffic, with longer keys (minimum 128 bits recommended) offering greater security. 'Asymmetric encryption' (e.g., Diffie-Hellman, DSS, DSA, RSA, El Gamal, ECC) uses different public and private keys for encryption and decryption, respectively. It achieves confidentiality, authentication, and integrity without a shared secret. Asymmetric keys are much longer (512-4096 bits, 1024+ recommended for trustworthiness) and computationally more intensive, making them slower. They are typically used for low-volume cryptographic mechanisms like digital signatures and key exchanges.
The Diffie-Hellman (DH) algorithm is a common asymmetric mathematical algorithm allowing two parties to generate an identical shared secret key over an insecure channel without directly exchanging that key. Its security relies on the difficulty of computing discrete logarithms of extremely large numbers. DH is widely used in IPsec VPNs, SSL/TLS (HTTPS), and SSH for secure key exchange. Due to its computational intensity and resulting slowness, modern practices combine it with symmetric algorithms: DH is used to securely establish the shared symmetric key, and then the symmetric algorithm (like 3DES or AES) encrypts the bulk data traffic. This hybrid approach leverages the best of both encryption types for efficiency and security.