In preparation for your CCNA Security 640-553 exam, we want to make sure we cover topics that you are very likely to encounter on your Cisco CCNA exam. To assist you, below we discuss the security threats facing modern network infrastructures and the mitigation methods Cisco expects you to know.
Describe and list mitigation methods for common network attacks
Network attacks can be as varied as the systems they attempt to penetrate. Without proper protection, any part of any network can be susceptible to attacks or unauthorized activity. Routers, switches, and hosts can all be compromised by professional hackers, company competitors, or even internal employees. Attackers strategically and deliberately choose their targets based on vulnerabilities they have observed; once a vulnerability is discovered, the attacker sets out to take advantage of it. Individuals and organizations often try to shield themselves from one instance or form of an attack, but they must keep in mind that the attacker can easily shift focus to newly exposed vulnerabilities. The enterprise or organization should always be conscious of designing systems and procedures that eliminate vulnerabilities and reduce risks.
As per Cisco, there are two major categories of threats to network security:
Internal threats: These threats typically involve disgruntled former or current employees. Although internal threats may seem more ominous than threats from external sources, security measures are available for reducing vulnerabilities to internal threats and for responding when attacks occur. Examples are network misuse and unauthorized access.
External threats: These threats consist of structured and unstructured threats originating from an external source. They may have malicious and destructive intent, or they may simply be errors that generate a threat. Examples are viruses and social engineering.
Types of network attacks:
Reconnaissance attacks
An intruder attempts to discover and map systems, services, and vulnerabilities. Network reconnaissance is the act of gathering information about a network in preparation for a possible attack. This information can be garnered from a wide variety of sources. The sources of information for a reconnaissance attack include what is called uncontrollable information: information that the network staff cannot control because it is public by design, and which the attacker then uses to aim network sweeps and port scans. Some examples of uncontrollable information are the IP address ranges owned by a company, which an attacker can determine through the ARIN, RIPE, or APNIC databases, and domain name ownership information and DNS server IP addresses, which an attacker can determine by querying the registration (WHOIS) records held by registrars such as Network Solutions or Register.com.
Reconnaissance attacks can consist of the following:
Packet sniffers
Port scans and ping sweeps
Packet sniffer:
A packet sniffer is a software application that uses a network adapter card in promiscuous mode (a mode in which the network adapter card passes every frame received on the physical network wire to an application for processing) to capture all network packets that are sent across a LAN. Several network applications transmit packets in clear text; that is, the information sent across the network is not encrypted. Because the packets are not encrypted, they can be read and understood by any application that can pick them up off the network. Telnet, FTP, and HTTP are common examples: a sniffer on the same segment sees their user names and passwords as they pass.
Packet sniffer attack mitigation:
The following techniques and tools can be used to mitigate sniffer attacks:
Authentication: A first option for defence against packet sniffers is to use strong authentication, such as one-time passwords. A captured one-time password is of no use to the attacker because it is never valid a second time.
Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment. A switch forwards a unicast frame only to the port where it learned the destination MAC address, so a host in promiscuous mode sees only its own traffic, broadcasts, and flooded frames. Treat this as a hurdle rather than a cure, since an attacker on the segment can still attempt to defeat it with MAC flooding or ARP spoofing.
Antisniffer tools: Use software and hardware designed to detect the use of sniffers on a network.
Cryptography: The most effective method for countering packet sniffers does not prevent or detect them but rather renders them irrelevant: an attacker who captures encrypted traffic obtains nothing but ciphertext.
Port scans and ping sweeps: Port scans and ping sweeps are typically applications built to run various tests against a host or device in order to identify vulnerable services. A ping sweep sends ICMP echo requests to a range of addresses to learn which hosts are live; a port scan then probes the TCP and UDP ports of those hosts. The information is gathered by examining IP addressing and port or banner data from both TCP and UDP ports.
Port scan and ping sweep attack mitigation:
If ICMP echo and echo reply are turned off on edge routers, for example, ping sweeps can be stopped, but at the expense of network diagnostic data. However, port scans can easily be run without full ping sweeps; they simply take longer because they need to scan IP addresses that might not be live. IDSs (intrusion detection systems) at the network and host levels can usually notify an administrator when a reconnaissance attack is under way, typically by noticing one source reaching an unusual number of hosts or ports within a short time. This warning allows the administrator to better prepare for the coming attack or to notify the Internet service provider (ISP) that is hosting the system launching the reconnaissance probe.
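The kind of detection the IDS performs in the paragraph above fits in a few dozen lines. The following Python is an added example, not code from this article or from any Cisco product. It assumes a simplified, constructed log format (timestamp, source, destination, protocol, destination port) and constructed traffic, and it flags a source that reaches ten or more distinct hosts with ICMP echo, or ten or more distinct ports on one host, inside a 60-second sliding window; the thresholds and the window are arbitrary choices for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not a real device format):
#   "<ISO-8601 time> <src ip> <dst ip> <icmp|tcp|udp> <dst port or ->"


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on a malformed line."""
    ts, src, dst, proto, dport = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "proto": proto.lower(),
        "dport": None if dport == "-" else int(dport),
    }


def detect_recon(lines, window=timedelta(seconds=60), sweep_hosts=10, scan_ports=10):
    """Return one alert per (type, source).

    ping_sweep: a source sends ICMP to >= sweep_hosts distinct hosts inside `window`.
    port_scan:  a source touches >= scan_ports distinct TCP/UDP ports on one host inside `window`.
    Thresholds and window are arbitrary for this example.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    icmp_hist = defaultdict(deque)   # src -> deque of (ts, dst host)
    port_hist = defaultdict(deque)   # (src, dst) -> deque of (ts, dst port)
    alerts, alerted = [], set()

    def check(kind, src, hist, ts, value, threshold):
        hist.append((ts, value))
        while hist and ts - hist[0][0] > window:   # expire entries that fell out of the window
            hist.popleft()
        distinct = len({v for _, v in hist})
        if distinct >= threshold and (kind, src) not in alerted:
            alerted.add((kind, src))
            alerts.append({"type": kind, "src": src, "count": distinct, "at": ts})

    for ev in events:
        if ev["proto"] == "icmp":
            check("ping_sweep", ev["src"], icmp_hist[ev["src"]], ev["ts"], ev["dst"], sweep_hosts)
        elif ev["proto"] in ("tcp", "udp") and ev["dport"] is not None:
            check("port_scan", ev["src"], port_hist[(ev["src"], ev["dst"])],
                  ev["ts"], ev["dport"], scan_ports)
    return alerts


def constructed_sample():
    """Constructed traffic: a ping sweep, a fast port scan, benign web traffic and a slow scan."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for i in range(1, 13):      # one source pings 12 hosts in 12 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.7 192.0.2.{i} icmp -")
    for p in range(20, 36):     # one source probes 16 ports on one host in 16 seconds
        lines.append(f"{(base + timedelta(minutes=5, seconds=p)).isoformat()} 203.0.113.5 192.0.2.20 tcp {p}")
    for i in range(3):          # a client making a few HTTPS connections
        lines.append(f"{(base + timedelta(minutes=30, seconds=i)).isoformat()} 192.0.2.50 192.0.2.20 tcp 443")
    for i in range(5):          # a slow scan: 5 ports spread over an hour, under the threshold
        lines.append(f"{(base + timedelta(hours=1, minutes=12 * i)).isoformat()} 203.0.113.9 192.0.2.20 tcp {80 + i}")
    return lines


if __name__ == "__main__":
    for alert in detect_recon(constructed_sample()):
        print(alert)
```

The slow scanner in the sample stays under the threshold because its probes never share a window; that is exactly why the text says port scans can be run without sweeps and "simply take longer". Lowering the thresholds or widening the window catches slower scans at the cost of more false positives from ordinary traffic.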
Access attacks: Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
Access attacks can consist of the following:
Password attacks
Trust exploitation
Port redirection
Man-in-the-middle attacks
Password attacks:
Password attacks can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can yield user accounts and passwords, password attacks usually refer to repeated attempts to identify a user account, a password, or both. These repeated attempts are called brute-force attacks (or dictionary attacks when the guesses come from a word list).
Password attack mitigation:
Do not allow users to have the same password on multiple systems: Most users will use the same password for each system they access, and often their personal passwords will be the same as well, so one compromised system exposes all of them.
Disable accounts after a specific number of unsuccessful logins: This practice helps to prevent continuous password attempts. Prefer a timed lockout to a permanent disable, since an attacker who knows the user names can otherwise lock everyone out on purpose.
Do not use plain-text passwords: Use of either an OTP or a password that is never stored or transmitted in the clear is recommended.
Use “strong” passwords: Many systems now provide strong password support and can restrict a user to strong passwords only. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters.
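The lockout, strength-policy and no-plaintext points above, as an added Python example (not code from this article or from any Cisco product). It assumes a threshold of five failures and a 15-minute timed lockout, both arbitrary for the example, stores only a salted PBKDF2 hash of each password, and uses constructed user names, passwords and clock values.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5                   # arbitrary for this example
LOCKOUT = timedelta(minutes=15)    # arbitrary for this example
PBKDF2_ROUNDS = 100_000


def is_strong(password):
    """The article's policy: at least 8 characters with upper, lower, digit and special."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory account store that never keeps a plaintext password."""

    def __init__(self):
        self._accounts = {}

    def add_user(self, username, password):
        if not is_strong(password):
            raise ValueError("password does not meet the strength policy")
        salt = os.urandom(16)
        self._accounts[username] = {"salt": salt, "hash": _hash(password, salt),
                                    "failures": 0, "locked_until": None}

    def login(self, username, password, now=None):
        """Return 'ok', 'fail' or 'locked'. `now` is injectable so the lockout can be tested."""
        now = now or datetime.now(timezone.utc)
        acct = self._accounts.get(username)
        if acct is None:
            return "fail"          # same answer as a wrong password: do not reveal valid names
        if acct["locked_until"] is not None and now < acct["locked_until"]:
            return "locked"
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failures"], acct["locked_until"] = 0, None
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["failures"], acct["locked_until"] = 0, now + LOCKOUT
            return "locked"
        return "fail"


def brute_force(store, username, guesses, now):
    """The attacker's side: try each guess in turn, stop on success or lockout.
    Returns (outcome, attempts made)."""
    attempts = 0
    for guess in guesses:
        attempts += 1
        outcome = store.login(username, guess, now)
        if outcome != "fail":
            return outcome, attempts
    return "fail", attempts


T0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock


def demo():
    """Constructed scenario: the real password is the sixth guess, but the account
    locks after the fifth failure, so the attacker never reaches it."""
    store = AccountStore()
    store.add_user("alice", "Tr0ub4dor&3")               # constructed credentials
    guesses = ["password", "123456", "alice", "letmein", "qwerty", "Tr0ub4dor&3"]
    outcome, tried = brute_force(store, "alice", guesses, T0)
    during = store.login("alice", "Tr0ub4dor&3", T0 + timedelta(minutes=1))   # even the right password
    after = store.login("alice", "Tr0ub4dor&3", T0 + LOCKOUT)                 # lockout has expired
    return outcome, tried, during, after


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest rather than == so that the time taken does not depend on how many leading bytes of the hash match, and an unknown user name gets the same "fail" as a wrong password so the attacker cannot enumerate accounts.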
Trust exploitation:
Trust exploitation refers to an individual taking advantage of a trust relationship within a network. The classic example is a perimeter network connection from a corporation. These network segments often house DNS, Simple Mail Transfer Protocol (SMTP), and HTTP servers. Because they all reside on the same segment, a compromise of one system can lead to the compromise of other systems if those other systems in turn trust systems attached to the same network.
Trust exploitation attack mitigation:
Systems on the outside of a perimeter router or firewall should never be absolutely trusted by systems on the inside of it. Such trust should be limited to specific protocols and should be authenticated by something other than an IP address where possible.
Port redirection:
Port redirection attacks are a type of trust exploitation attack that uses a compromised host to pass traffic through a perimeter router or firewall that would otherwise be dropped. For example, if the firewall allows the Internet to reach a perimeter host and allows that perimeter host to reach an internal host, an attacker who compromises the perimeter host can run a redirector on it that relays a connection from the Internet to the internal host, a path the firewall would never permit directly.
Port redirection mitigation:
Port redirection can be mitigated primarily through the use of proper trust models, which are network specific (as mentioned earlier). Assuming a system is under attack, a host-based IDS (intrusion detection system) can help detect an attacker and prevent installation of such utilities on a host.
Man-in-the-middle attacks:
A man-in-the-middle attack requires that the attacker have access to the network packets that travel between two parties. Such attacks are often implemented using network packet sniffers and routing and transport protocols. The possible uses of such attacks are theft of information, hijacking of an ongoing session to gain access to your internal network resources, traffic analysis to derive information about your network and its users, denial of service, corruption of transmitted data, and introduction of new information into network sessions.
Man-in-the-middle attack mitigation:
Man-in-the-middle attacks can be effectively mitigated only through the use of cryptography (encryption). The encrypted session must also authenticate the peer, for example with certificates or pre-shared keys; otherwise the attacker simply terminates one encrypted session on his own host and opens another to the real destination, and the attack works over the encrypted link just as well.
Denial of service attacks:
DoS attacks are not aimed at gaining access to a network or the information on a network but rather at making a service or a network unavailable to legitimate users. DoS attacks can consist of the following:
IP spoofing
Distributed denial of service (DDoS)
IP spoofing:
An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted computer, either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that you trust and to which you wish to provide access to specified resources on your network.
IP spoofing attack mitigation
The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
• Access control: The most common method for preventing IP spoofing is to properly configure access control. On the Internet-facing interface, deny any inbound packet whose source address belongs to your own internal range or to private (RFC 1918) space, since such a packet cannot legitimately arrive from outside.
• RFC 2827 filtering: Prevent any outbound traffic on your network that does not have a source address in your organization's own IP range. This does not stop others from spoofing you, but it stops your hosts from being used to spoof others.
• Require additional authentication that does not use IP-based authentication. Examples of this technique include the following:
– Cryptographic (recommended)
– Strong, two-factor, one-time passwords
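The access-control and RFC 2827 rules above, as an added example written in Python rather than as router ACLs so it can be run and checked; it is not code from this article or from Cisco. It assumes a constructed organization prefix of 203.0.113.0/24 and a short list of address blocks that should never appear as a source on the Internet-facing interface, and the packets are constructed.

```python
import ipaddress

# Assumed, constructed addressing: the organization's own block (a documentation prefix).
ORG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that can never legitimately arrive on the Internet-facing interface.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8",                                      # loopback
    "0.0.0.0/8",                                        # "this" network
    "224.0.0.0/4",                                      # multicast is never a unicast source
)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def ingress_allowed(src):
    """Inbound access control: a packet from the Internet must not claim one of our
    own addresses (classic spoofing) or an address that is unroutable from outside."""
    addr = ipaddress.ip_address(src)
    return not _in_any(addr, ORG_PREFIXES) and not _in_any(addr, NEVER_FROM_OUTSIDE)


def egress_allowed(src):
    """RFC 2827: only our own address block may leave, so a compromised internal
    host cannot take part in a spoofed-source flood against someone else."""
    return _in_any(ipaddress.ip_address(src), ORG_PREFIXES)


def apply_filter(packets, direction):
    """packets: iterable of (src, dst) address strings; direction is 'in' or 'out'.
    Returns (passed, dropped) lists in arrival order."""
    check = {"in": ingress_allowed, "out": egress_allowed}[direction]
    passed, dropped = [], []
    for pkt in packets:
        (passed if check(pkt[0]) else dropped).append(pkt)
    return passed, dropped


# Constructed packets for the demo (documentation addresses only).
INBOUND = [
    ("198.51.100.4", "203.0.113.10"),   # ordinary Internet client: allowed
    ("203.0.113.9", "203.0.113.10"),    # claims to be one of ours: spoofed, dropped
    ("10.1.1.1", "203.0.113.10"),       # private source arriving from the Internet: dropped
    ("192.0.2.77", "203.0.113.10"),     # some other public address: allowed
]
OUTBOUND = [
    ("203.0.113.10", "198.51.100.4"),   # our host talking out: allowed
    ("192.0.2.77", "198.51.100.4"),     # our compromised host spoofing a third party: dropped
    ("203.0.113.200", "192.0.2.1"),     # allowed
]

if __name__ == "__main__":
    print("inbound:", apply_filter(INBOUND, "in"))
    print("outbound:", apply_filter(OUTBOUND, "out"))
```

The second spoofing case in the text, an attacker forging a trusted external address, passes this filter: 192.0.2.77 arrives inbound whether or not it is genuine. That is why the third measure exists; only authentication that does not rest on the source address closes that gap.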
DoS and DDoS attacks
DoS attacks are different from most other attacks because they are not targeted at gaining access to your network or the information on your network. These attacks focus on making a service unavailable for normal use, which is typically accomplished by exhausting some resource limit on the network or within an operating system or application. These attacks require little effort to execute because they typically take advantage of protocol weaknesses or because they are carried out using traffic that would normally be allowed into a network. DoS attacks are among the most difficult to completely eliminate because of the way they use protocol weaknesses and “native” traffic to attack a network.
DDoS attacks are the “next generation” of DoS attacks on the Internet. This type of attack is not new (UDP and TCP SYN flooding, Internet Control Message Protocol (ICMP) echo request floods, and ICMP directed broadcasts, also known as smurf attacks, are similar), but the scope certainly is new. Victims of DDoS attacks experience packet flooding from many different sources, possibly with spoofed IP source addresses, that brings their network connectivity to a grinding halt. In the past, the typical DoS attack involved a single attacker's attempt to flood a target host with packets. With DDoS tools, an attacker can conduct the same attack using thousands of systems.
DoS and DDoS attack mitigation
The threat of DoS attacks can be reduced through the following three methods:
• Antispoof features: Proper configuration of antispoof features on routers and firewalls, so that a flood cannot hide behind forged source addresses and per-source controls have something real to act on
• Anti-DoS features: Proper configuration of anti-DoS features on routers and firewalls, such as limits on the number of half-open TCP connections a server is allowed to accumulate
• Traffic rate limiting: Implement traffic rate limiting with the network's ISP, because by the time a flood reaches your own edge router it has already filled your upstream link
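Rate limiting against a flood, as an added Python example (not code from this article or from Cisco). It models the token-bucket limiter that routers implement and applies it first per source address and then to the interface as a whole, over constructed traffic: three genuine clients and a 1000-packet SYN flood from random spoofed sources, all within one second. The rates (10 packets/s per source, 100 packets/s aggregate) are arbitrary for the example.

```python
import random


class TokenBucket:
    """Token bucket limiter: `rate` tokens per second refill, at most `burst` stored.
    One packet consumes one token; a packet that finds an empty bucket is dropped."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens = self.burst
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def constructed_syn_stream(seed=7):
    """Constructed traffic, not a capture: three genuine clients sending five SYNs each
    over one second, plus 1000 SYNs from random (spoofed) sources in the same second.
    Each packet is (arrival time in seconds, source address)."""
    rng = random.Random(seed)
    pkts = []
    for c in range(3):
        for k in range(5):
            pkts.append((0.05 + 0.2 * k + 0.001 * c, f"192.0.2.{10 + c}"))
    for i in range(1000):
        src = ".".join(str(rng.randrange(256)) for _ in range(4))
        pkts.append((i / 1000 + 0.0002, src))
    return pkts


def admitted(pkts, per_source_rate=10, per_source_burst=20, aggregate=None):
    """Count packets admitted by a per-source bucket (always applied) and by an
    optional interface-wide bucket shared by all sources."""
    buckets = {}
    count = 0
    for t, src in sorted(pkts):
        bucket = buckets.setdefault(src, TokenBucket(per_source_rate, per_source_burst))
        if not bucket.allow(t):
            continue
        if aggregate is not None and not aggregate.allow(t):
            continue
        count += 1
    return count


def demo():
    """Returns (packets offered, admitted with per-source limit only,
    admitted with per-source plus aggregate limit)."""
    pkts = constructed_syn_stream()
    per_source_only = admitted(pkts)
    with_aggregate = admitted(pkts, aggregate=TokenBucket(rate=100, burst=200))
    return len(pkts), per_source_only, with_aggregate


if __name__ == "__main__":
    print(demo())
```

The per-source limiter admits the entire flood, because every spoofed packet arrives from a "new" source that has a full bucket of its own; that is why the text pairs rate limiting with antispoof features. The aggregate limiter does protect the link (it admits roughly burst plus one second of refill), but it cannot tell the three genuine clients from the flood, which is why the text has the limit applied upstream with the ISP rather than on the victim's own edge router.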
Hopefully you found this Cisco CCNA Security 640-553 article helpful as you progress toward your CCNA certification. You will find that the hands-on experience you gain with our CCNA certification kits is the best way to really solidify the various CCNA concepts in your brain. So please check out our various kits and other free CCNA certification material.