Network Security Today – Executive Summary
Understanding the drivers of network security, key organizations, and the various domains is essential for any network security professional. Domains provide a structured framework to organize and study the broad field of network security.
ISO/IEC 27002 defines 12 network security domains that help establish organizational security standards, manage risks, and build confidence in inter-organizational activities. These domains align closely with those used in CISSP certification and serve as a high-level reference for managing security practices.
While memorizing all 12 domains is not critical, being aware of them is important. They offer a structured approach to learning, implementing, and managing security measures across an organization.
Security Policy is one of the most crucial domains. It represents a formal set of rules governing how people access and use an organization’s technology and information assets. Network security professionals are responsible for integrating security policies into all aspects of business operations to ensure organizational security.
A network security policy is a comprehensive, end-to-end document that guides an organization’s approach to protecting its network and information assets. It defines rules for network access, enforces security principles, and outlines the architecture of the security environment. Typically developed by a committee, it covers areas such as data access, web browsing, password usage, encryption, and email security.
Security policies establish a hierarchy of access, giving users only the minimum permissions needed to perform their tasks. They identify critical assets—like databases, applications, shared drives, email, and web servers—and provide guidance for protecting them. Policies also dictate procedures for mitigation, security device deployment, and acceptable use, often formalized in an Acceptable Use Policy (AUP).
A Cisco Self-Defending Network (SDN) exemplifies a strategic network-based security approach. It integrates elements such as IPS, firewalls, routers, VPN concentrators, and monitoring systems like Cisco Security Manager or MARS. SDN components can be deployed individually or linked together, offering flexibility while supporting the creation of hierarchical, policy-driven security frameworks.
Effective security policies are both comprehensive and usable by technology practitioners. They are “living documents,” continuously updated to reflect evolving technology, business requirements, and emerging threats. Policies drive all security measures, including patch management, virus definition updates, and access controls, ensuring that organizational networks remain protected against both internal and external risks.
End-user computers are primarily vulnerable to viruses, worms, and Trojan Horses:
The term "computer virus" was introduced by Frederick Cohen in 1983. Like a biological virus, a computer virus requires a host program to propagate. It can remain dormant and activate at a specified time, often infecting multiple files on a system. Viruses range from harmless (e.g., displaying images) to destructive (e.g., deleting or modifying files), and some can mutate to evade detection.
Historically, viruses spread via floppy disks and modems. Today, the primary vectors are email, USB drives, CDs/DVDs, and network shares, with email viruses being the most common threat.
Worms are self-replicating malware that independently exploit network vulnerabilities. Unlike viruses, they do not require a host program or user action and can spread rapidly, often slowing down networks.
Some worms have caused massive disruptions. For example, the SQL Slammer Worm of January 2003 infected over 250,000 hosts within 30 minutes, exploiting a buffer overflow in Microsoft SQL Server. Systems without patches were vulnerable, highlighting the importance of timely updates in organizational security policies.
Modern worms continue to evolve, but most attacks share three core components:
Worm attacks generally follow five phases:
These phases provide a framework for understanding and categorizing worms and viruses. Trojan Horses add another layer by disguising malicious code as legitimate programs.
The term “Trojan Horse” comes from Greek mythology, where Greek warriors hid inside a giant wooden horse to infiltrate the city of Troy. In computing, a Trojan Horse is malware that performs malicious actions while appearing as a legitimate program. It can be embedded within games, software, or other desired applications, executing hidden code once run.
Trojan Horses exploit the privileges of the user who executes them and can have diverse effects, such as immediate damage, creating backdoors, or performing scheduled remote actions like sending sensitive files to an attacker. Custom-targeted Trojans are particularly difficult to detect.
Trojan Horses are commonly classified by their behavior or the type of damage they cause:
Many software vulnerabilities stem from buffer overflows. A buffer is an allocated area of memory used to store temporary data. A buffer overflow occurs when a program writes more data than the buffer can hold, potentially overwriting adjacent memory and causing unexpected behavior. Buffer overflows are often the primary vectors for viruses, worms, and Trojan Horses. Reports suggest that about one-third of vulnerabilities identified by CERT are related to buffer overflows.
Viruses and Trojan Horses commonly exploit local root buffer overflows, which require user interaction, such as opening an email attachment, visiting a malicious website, or exchanging files via messaging. Worms, like SQL Slammer and Code Red, exploit remote root buffer overflows, which do not require user intervention.
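The "writes more data than the buffer can hold, potentially overwriting adjacent memory" mechanism described above, shown as an added example that is not from the course text. It uses Python's `ctypes` to lay out a C-style structure (a constructed layout, not taken from any real program) so that an unbounded copy into an 8-byte buffer lands in the `is_admin` field placed right after it, beside the bounded copy that prevents it:

```python
import ctypes

class Record(ctypes.Structure):
    # Constructed layout for the demonstration: an 8-byte buffer followed
    # directly in memory by a 4-byte integer the program treats as a flag.
    _fields_ = [("buf", ctypes.c_char * 8),
                ("is_admin", ctypes.c_int32)]

BUF_OFFSET = Record.buf.offset   # 0
BUF_SIZE = Record.buf.size       # 8

def _raw_copy(rec, data, count):
    # A memcpy-style copy into the buffer's address with whatever count we were given.
    ctypes.memmove(ctypes.addressof(rec) + BUF_OFFSET, data, count)

def _state(rec):
    # Read the buffer bytes straight from memory plus the adjacent flag.
    return ctypes.string_at(ctypes.addressof(rec) + BUF_OFFSET, BUF_SIZE), rec.is_admin

def unchecked_copy(data):
    """The defect: copies len(data) bytes into an 8-byte buffer with no bounds
    check, so bytes 9 and beyond land in is_admin, the field that follows it."""
    rec = Record()
    # Demo-only guard so the overwrite stays inside this object instead of the
    # interpreter's heap; a C program with this bug has no such guard.
    _raw_copy(rec, data, min(len(data), ctypes.sizeof(Record)))
    return _state(rec)

def checked_copy(data):
    """The fix: never copy more than the buffer's declared size."""
    rec = Record()
    _raw_copy(rec, data, min(len(data), BUF_SIZE))
    return _state(rec)

if __name__ == "__main__":
    # Constructed input: 8 bytes fill the buffer, the next 4 spill past its end.
    payload = b"A" * 8 + b"\x01\x01\x01\x01"
    print("unchecked:", unchecked_copy(payload))  # is_admin becomes 0x01010101
    print("checked:  ", checked_copy(payload))    # is_admin stays 0
```

The two functions differ only in the third argument to the copy: the length of the input versus the size of the destination. That single bound is what separates the "unexpected behaviour" the text describes from a safe truncation.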
Network administrators have multiple tools and strategies—collectively called countermeasures—to mitigate malware attacks.
Anti-virus software is the primary defense against viruses and Trojan Horses. It prevents infection, stops the spread of malicious code, and is far easier to maintain than cleaning infected systems. Vendors like Symantec, McAfee, Trend Micro, and Computer Associates provide widely deployed solutions with automated updates for virus definitions. Host-based anti-virus software should be installed on all desktops, laptops, and servers, and its updates must be formalized in the organization’s network security policy.
Because worms are network-based, mitigation requires coordinated action by network security professionals. Responses typically follow four phases:
For example, the SQL Slammer worm exploited UDP port 1434. Ideally, the port should be blocked, but if it is critical for business operations, selective access can be granted to minimize infection risk.
Host-based Intrusion Prevention Systems (HIPS) like Cisco Security Agent (CSA) integrate with anti-virus software to provide centralized protection. CSA defends the operating system from network threats without relying solely on user vigilance.
Cisco Network Admission Control (NAC) ensures that only authenticated hosts with approved security postures can access the network. NAC monitors operating systems, patches, and anti-virus updates, providing simplified, integrated network security management for medium-sized networks.
Cisco Monitoring, Analysis, and Response System (MARS) centralizes security monitoring for network devices and host applications. MARS can visualize attack paths, identify threat sources, and provide actionable recommendations for threat removal.
In summary, viruses, worms, and Trojan Horses can disrupt networks and damage data. Effective mitigation requires a combination of software and hardware solutions, proactive monitoring, and constant vigilance. Network security professionals must anticipate vulnerabilities and remediate them before attacks occur.
There are many types of network attacks beyond viruses, worms, and Trojan Horses. To mitigate attacks effectively, it is useful to categorize them. Categorization allows addressing types of attacks rather than individual attacks. This course classifies attacks into three major categories.
Reconnaissance attacks involve unauthorized discovery and mapping of systems, services, or vulnerabilities. They often use packet sniffers and port scanners, widely available as free downloads. Reconnaissance is analogous to a thief surveying a neighborhood for vulnerable homes, such as unoccupied houses or those with easy-to-open doors or windows.
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to accounts, confidential databases, and other sensitive information. Methods include dictionary attacks to guess system passwords, including specialized dictionaries for different languages.
Denial of service (DoS) attacks send massive numbers of requests over a network or the Internet, causing the target device to become slow or unavailable. By executing exploits or combinations of exploits, DoS attacks can slow or crash applications and processes.
Reconnaissance is also known as information gathering and typically precedes access or DoS attacks. Malicious intruders often begin with a ping sweep of the target network to identify active IP addresses, then determine available services or ports. Nmap is a popular tool for port scanning. From the port information obtained, intruders can identify application types, versions, and operating systems, searching for vulnerable services to exploit later.
Common reconnaissance tools include:
A packet sniffer captures all network packets sent across a LAN using a network adapter in promiscuous mode. Promiscuous mode allows the adapter to forward all received packets to an application for processing. Some packets are unencrypted and can be interpreted by anyone with access. Packet sniffers generally work only within the same collision domain unless the attacker has access to intermediary switches. Freeware and shareware sniffers like Wireshark are widely available and easy to use.
Ping sweeps and port scans, when used maliciously, map live hosts and available services. A ping sweep sends ICMP echo requests to multiple hosts to determine which IPs are active. Port scans probe ranges of TCP or UDP ports to identify listening services. Internet information queries can reveal domain ownership, assigned addresses, and associated domains. Combining these techniques allows attackers to create a detailed map of the network and services.
Reconnaissance attacks are usually the precursor to more serious attacks aiming for unauthorized access or disruption. Detection can be accomplished using alarms triggered when certain thresholds are exceeded, such as ICMP requests per second. Cisco ISRs with IOS security images support network-based intrusion prevention, enabling these alarms. Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also alert security professionals to reconnaissance activity.
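The threshold alarms described above, as an added example that is not from the course or any Cisco product: the ICMP-requests-per-second rule for ping sweeps and a distinct-ports-per-source rule for port scans, run over constructed packet summaries (the addresses, thresholds and record format are all assumptions for the demonstration).

```python
from collections import defaultdict

# Constructed packet summaries for the demonstration:
# (timestamp in seconds, source IP, destination IP, kind, destination port)
# kind is "icmp-echo" for an ICMP echo request or "tcp-syn" for a TCP connection attempt.
SAMPLE_PACKETS = (
    # Scanner: 30 echo requests across a /24 inside one second (a ping sweep) ...
    [(0.01 * i, "203.0.113.7", f"10.0.0.{i}", "icmp-echo", None) for i in range(1, 31)]
    # ... then 26 ports probed on one host it found alive (a port scan).
    + [(1.0 + 0.05 * p, "203.0.113.7", "10.0.0.5", "tcp-syn", p) for p in range(20, 46)]
    # Ordinary host: two pings and two web connections.
    + [(0.3, "198.51.100.2", "10.0.0.1", "icmp-echo", None),
       (2.3, "198.51.100.2", "10.0.0.1", "icmp-echo", None),
       (2.5, "198.51.100.2", "10.0.0.5", "tcp-syn", 443),
       (2.6, "198.51.100.2", "10.0.0.5", "tcp-syn", 80)]
)

def ping_sweep_sources(packets, max_echo_per_second=10):
    """Return {source: peak echo requests in any one-second bucket} for every
    source that exceeds the threshold (the ICMP-requests-per-second alarm)."""
    per_bucket = defaultdict(int)
    for ts, src, _dst, kind, _port in packets:
        if kind == "icmp-echo":
            per_bucket[(src, int(ts))] += 1
    peak = defaultdict(int)
    for (src, _bucket), n in per_bucket.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n > max_echo_per_second}

def port_scan_pairs(packets, max_distinct_ports=15):
    """Return {(source, destination): distinct ports probed} for every pair that
    exceeds the threshold; normal clients touch a handful of ports, scanners many."""
    ports = defaultdict(set)
    for _ts, src, dst, kind, port in packets:
        if kind == "tcp-syn":
            ports[(src, dst)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) > max_distinct_ports}

if __name__ == "__main__":
    print("ping sweep alarms:", ping_sweep_sources(SAMPLE_PACKETS))
    print("port scan alarms: ", port_scan_pairs(SAMPLE_PACKETS))
```

Both rules are deliberately simple thresholds, which is what an IPS signature of this kind amounts to; the tuning question for a real deployment is the threshold, since monitoring tools and load balancers also ping and probe legitimately.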
Hackers use access attacks on networks or systems for three primary reasons: to retrieve data, gain access, and escalate access privileges.
Access attacks often involve password attacks to guess system passwords. Methods include brute-force attacks, Trojan Horse programs, IP spoofing, and packet sniffers. The term password attack usually refers to a brute-force attack, in which repeated login attempts based on a built-in dictionary are used to identify a user account or password.
A brute-force attack is typically performed using a program that runs across the network, attempting to log in to a shared resource, such as a server. Once access is gained, the attacker inherits the privileges of the compromised user account. If this account has elevated privileges, the attacker can create a back door for future access regardless of password changes.
For example, a user can run L0phtCrack (LC5) to perform a brute-force attack to obtain a Windows server password. Once the password is obtained, a keylogger could be installed to send all keystrokes to a specified destination. Alternatively, a Trojan Horse could be installed to capture and forward all packets sent and received by the target system, enabling complete traffic monitoring.
There are five main types of access attacks:
Access attacks can generally be detected by reviewing logs, monitoring bandwidth utilization, and analyzing process loads.
The network security policy should require formal logging for all network devices and servers. By reviewing logs, security personnel can detect unusual numbers of failed login attempts. Tools such as ManageEngine EventLog Analyzer or Cisco Secure Access Control Server (CSACS) can track failed logins. UNIX and Windows servers also maintain logs of failed login attempts. Cisco routers and firewalls can block further login attempts from a source after a specified number of failures within a given timeframe.
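The log review described above, as an added example that is not from the course or from any of the tools it names: it parses constructed server log lines in OpenSSH's syslog format, counts failed logins per source, and applies the same rule a router's login-blocking feature uses (block a source after N failures within a time window). The log lines, addresses, and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in OpenSSH's syslog format, standing in for a server log.
LOG_LINES = """\
Mar 12 10:00:01 srv1 sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
Mar 12 10:00:03 srv1 sshd[2013]: Failed password for root from 203.0.113.9 port 51530 ssh2
Mar 12 10:00:04 srv1 sshd[2015]: Failed password for root from 203.0.113.9 port 51534 ssh2
Mar 12 10:00:06 srv1 sshd[2017]: Accepted password for alice from 198.51.100.4 port 40010 ssh2
Mar 12 10:00:07 srv1 sshd[2019]: Failed password for root from 203.0.113.9 port 51540 ssh2
Mar 12 10:00:09 srv1 sshd[2021]: Failed password for root from 203.0.113.9 port 51544 ssh2
Mar 12 10:00:20 srv1 sshd[2030]: Failed password for bob from 198.51.100.4 port 40020 ssh2
Mar 12 10:05:30 srv1 sshd[2100]: Failed password for bob from 198.51.100.4 port 40031 ssh2
Mar 12 10:05:31 srv1 sshd[2102]: Accepted password for bob from 198.51.100.4 port 40031 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def failed_logins(log_text):
    """Yield (timestamp, user, source) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # Syslog lines carry no year; strptime's default is fine for window arithmetic.
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["src"]

def failures_by_source(log_text):
    """Total failed logins per source address: the first thing to look at in review."""
    counts = defaultdict(int)
    for _ts, _user, src in failed_logins(log_text):
        counts[src] += 1
    return dict(counts)

def sources_to_block(log_text, max_failures=5, window_seconds=60):
    """Sources with max_failures or more failures inside any window_seconds span,
    returned with the time the rule tripped. A sliding window per source is kept
    in a deque so old failures age out instead of accumulating forever."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, _user, src in sorted(failed_logins(log_text)):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures and src not in blocked:
            blocked[src] = ts
    return blocked

if __name__ == "__main__":
    print("failures by source:", failures_by_source(LOG_LINES))
    print("sources to block:  ", sources_to_block(LOG_LINES))
```

The window matters as much as the count: two failures five minutes apart are a user mistyping, five failures in eight seconds from one address are a program.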
Man-in-the-middle attacks often involve unusual network activity or high bandwidth usage, which can be detected with network monitoring software.
Similarly, a compromised system resulting from an access attack may exhibit sluggish performance due to ongoing buffer overflow exploits, as indicated by process loads visible on Windows or UNIX systems.
A DoS attack is a network attack that interrupts service to users, devices, or applications. Several mechanisms can generate a DoS attack. The simplest method is to generate large amounts of seemingly valid network traffic, saturating the network so that legitimate traffic cannot get through.
DoS attacks exploit the fact that target systems, such as servers, must maintain state information. Applications may rely on expected buffer sizes and specific packet content. A DoS attack can exploit this by sending packets with unexpected sizes or data values.
Two major reasons a DoS attack occurs are:
DoS attacks compromise the availability of a network, host, or application. They pose a major risk because they can interrupt business processes and cause significant loss. These attacks are relatively easy to perform, even by unskilled attackers.
One example is sending a poisonous packet, an improperly formatted packet designed to cause the receiving device to crash or slow down. Another example is overwhelming network links with a continuous stream of packets, making it difficult to differentiate between attacker and legitimate traffic.
A Distributed Denial of Service Attack (DDoS) is similar but originates from multiple coordinated sources. This increases network traffic and requires the network defense to identify and stop each distributed attacker.
For example, a DDoS attack may involve a hacker scanning for accessible systems, installing zombie software on "handler" systems, which then infect "agent" systems. The hacker can then load remote-control attack software on the agents to launch the DDoS attack.
Three common DoS attacks include:
The TCP SYN flood, ping of death, and smurf attacks illustrate how devastating DoS attacks can be. DoS attacks harm systems in five basic ways:
Indicators of a DoS attack include a large number of complaints about inaccessible resources. Network utilization software should be running continuously, as required by the security policy, to detect unusual activity that may indicate a DoS attack.
DoS attacks may be part of larger offensives, potentially affecting entire network segments or exceeding router capacity, compromising connectivity on a large scale. Quick mitigation by a network security professional is critical to minimize damage.
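The three attacks the text names, turned into the indicators a monitoring tool would look for, as an added example that is not from the course: half-open TCP connections piling up on one server (SYN flood), an echo request addressed to a broadcast address (smurf), and an ICMP datagram larger than the IP maximum of 65535 bytes (ping of death). The event records, addresses, and thresholds are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed packet events: (source, destination, protocol, info, datagram length)
# TCP events carry their flag string ("S", "SA", "A"); ICMP events carry the type name;
# length is the reassembled IP datagram length in bytes.
EVENTS = (
    # 200 SYNs from different (spoofed) sources to one server, none completing the handshake.
    [("192.0.2.%d" % i, "10.0.0.5", "tcp", "S", 60) for i in range(1, 201)]
    # One legitimate client completing the three-way handshake.
    + [("198.51.100.4", "10.0.0.5", "tcp", "S", 60),
       ("10.0.0.5", "198.51.100.4", "tcp", "SA", 60),
       ("198.51.100.4", "10.0.0.5", "tcp", "A", 52)]
    # Smurf: echo request to the subnet broadcast address with the victim as source.
    + [("10.0.0.5", "10.0.0.255", "icmp", "echo-request", 84)]
    # Ping of death: an echo request whose reassembled size exceeds the IP maximum.
    + [("203.0.113.9", "10.0.0.5", "icmp", "echo-request", 65600)]
)

def dos_indicators(events, broadcast_addrs, max_half_open=100, max_ip_len=65535):
    """Scan events once and return the three indicators keyed by attack type."""
    pending = set()          # (client, server) pairs with a SYN seen but no completing ACK
    smurf, ping_of_death = [], []
    for src, dst, proto, info, length in events:
        if proto == "tcp":
            if info == "S":
                pending.add((src, dst))
            elif info == "A" and (src, dst) in pending:
                pending.discard((src, dst))   # third handshake packet: no longer half-open
        elif proto == "icmp" and info == "echo-request":
            if dst in broadcast_addrs:
                smurf.append((src, dst))
            if length > max_ip_len:
                ping_of_death.append(src)
    half_open = defaultdict(int)
    for _client, server in pending:
        half_open[server] += 1
    return {
        "syn_flood": {s: n for s, n in half_open.items() if n > max_half_open},
        "smurf": smurf,
        "ping_of_death": ping_of_death,
    }

if __name__ == "__main__":
    # The broadcast address set is part of the constructed address plan.
    print(dos_indicators(EVENTS, broadcast_addrs={"10.0.0.255"}))
```

The half-open count is the state the text refers to: each pending entry is memory the server holds for a client that never finishes the handshake, which is why a flood of cheap SYN packets from spoofed sources exhausts it.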
There are a variety of network attacks, network attack methodologies, and categorizations of network attacks. The important question is, 'How do I mitigate these network attacks?'
The type of attack, as specified by the categorization of reconnaissance, access, or DoS attack, determines the means of mitigating a network threat.
Reconnaissance attacks can be mitigated in several ways.
Using strong authentication is a first option for defense against packet sniffers. Strong authentication is a method of authenticating users that cannot easily be circumvented. A One-Time Password (OTP) is a form of strong authentication. OTPs utilize two-factor authentication. Two-factor authentication combines something one has, such as a token card, with something one knows, such as a PIN. Automated teller machines (ATMs) use two-factor authentication.
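The token-plus-PIN scheme described above, as an added example that is not from the course or from any vendor's token: an event-based one-time password (HOTP, RFC 4226, HMAC-SHA1 with dynamic truncation) and a server-side check that requires both factors. The `TokenAccount` class, its look-ahead window, and the PIN handling are assumptions made for the demonstration; the shared secret in the test is the RFC's published test key.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenAccount:
    """Server-side record for one user: the token's shared secret and counter
    plus a PIN hash. Constructed for the example; a real system keeps these in
    a protected store and would use a proper password hash for the PIN."""
    def __init__(self, secret, pin, look_ahead=3):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few token presses the server never saw
        self.pin_hash = hashlib.sha256(pin.encode()).digest()

    def verify(self, pin, code):
        """Both factors must pass: something known (PIN) and something held (the
        token that produced `code`). A matching code advances the counter past
        the value used, so the same code cannot be replayed."""
        pin_ok = hmac.compare_digest(
            self.pin_hash, hashlib.sha256(pin.encode()).digest())
        matched = None
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                matched = c
                break
        if pin_ok and matched is not None:
            self.counter = matched + 1
            return True
        return False

if __name__ == "__main__":
    acct = TokenAccount(b"12345678901234567890", pin="4321")
    print(acct.verify("4321", hotp(b"12345678901234567890", 0)))   # True
    print(acct.verify("4321", hotp(b"12345678901234567890", 0)))   # False: replay
```

Two details carry the security value: comparisons use `hmac.compare_digest` so timing does not leak which factor failed, and the counter only moves forward, which is what makes the password "one-time" against a sniffer that captured it.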
Encryption is also effective for mitigating packet sniffer attacks. If traffic is encrypted, it is practically irrelevant if a packet sniffer is being used because the captured data is not readable.
Antisniffer software and hardware tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate. While this does not completely eliminate the threat, it can reduce the number of instances of the threat.
A switched infrastructure is the norm today, making it difficult to capture any data except that on your immediate collision domain. A switched infrastructure does not eliminate the threat of packet sniffers but greatly reduces their effectiveness.
It is impossible to completely mitigate port scanning, but using an IPS and firewall can limit the information discoverable with a port scanner. Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers, although this disables some diagnostic capabilities. Network-based and host-based IPSs can notify administrators when reconnaissance attacks are underway, allowing proactive measures.
Several techniques are also available for mitigating access attacks.
Many access attacks rely on simple password guessing or brute-force dictionary attacks. Using encrypted or hashed authentication protocols, combined with a strong password policy, greatly reduces the probability of successful access attacks. Specific practices include:
The principle of minimum trust should also be incorporated. Systems should not trust one another unnecessarily. For example, if a server is used by untrusted devices, it should not trust those devices unconditionally.
Cryptography is critical for modern secure networks. Encrypting remote access and routing protocol traffic reduces opportunities for man-in-the-middle attacks.
Companies with a high-profile Internet presence should plan in advance for DoS attacks. Many attacks use spoofed source addresses, which can be mitigated using antispoofing technologies on routers and firewalls. Distributed DoS attacks require coordination and diagnostics with ISPs. Firewalls and IPSs, both host- and network-based, are essential defenses.
Cisco routers and switches support antispoofing technologies such as port security, DHCP snooping, IP Source Guard, Dynamic ARP Inspection, and ACLs. Additionally, Quality of Service (QoS) can be used for traffic policing to limit the impact a single source has on ingress bandwidth.
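The two router-side controls from the last two paragraphs, as an added example that is not from the course or from Cisco IOS: an antispoofing ingress check in the style of an edge ACL (a packet arriving on the outside interface may not claim an internal source, and one leaving from the inside must carry one of our own addresses), followed by a per-source token-bucket policer that caps how much ingress bandwidth any single source can consume. The address plan, interface names, rate, and burst are constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed address plan: these prefixes are ours; anything else is outside.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def passes_antispoofing(iface, src):
    """Ingress/egress source-address filter, the logic an antispoofing ACL encodes."""
    if iface == "outside":
        return not is_internal(src)   # nobody outside may claim to be inside
    return is_internal(src)           # and we never emit traffic claiming foreign sources

class TokenBucket:
    """Single-rate policer: `rate` bytes per millisecond, `burst` bytes of credit."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last_ms = burst, None

    def conforms(self, now_ms, nbytes):
        if self.last_ms is not None:
            self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False                  # out of profile: dropped, no tokens consumed

def ingress_policy(packets, rate=100, burst=10_000):
    """Antispoofing first, then a policer per source for whatever remains.
    Returns {source: {"spoofed": n, "conform": n, "exceed": n}}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: {"spoofed": 0, "conform": 0, "exceed": 0})
    for ts_ms, iface, src, nbytes in packets:
        if not passes_antispoofing(iface, src):
            stats[src]["spoofed"] += 1
        elif buckets[src].conforms(ts_ms, nbytes):
            stats[src]["conform"] += 1
        else:
            stats[src]["exceed"] += 1
    return dict(stats)

# Constructed packets: (timestamp in ms, arriving interface, source, bytes)
SAMPLE_PACKETS = (
    [(0, "outside", "10.0.0.9", 60)] * 5                          # internal source on the outside
    + [(i, "outside", "203.0.113.7", 1000) for i in range(100)]   # 1 MB/s against a 100 KB/s policer
    + [(0, "outside", "198.51.100.4", 500),                        # an ordinary, low-rate client
       (50, "outside", "198.51.100.4", 500),
       (100, "outside", "198.51.100.4", 500)]
)

if __name__ == "__main__":
    for src, s in ingress_policy(SAMPLE_PACKETS).items():
        print(src, s)
```

Integer millisecond timestamps keep the bucket arithmetic exact. The flooding source gets its 10 KB burst and then one packet in ten, while the legitimate client is untouched; that is the "limit the impact a single source has on ingress bandwidth" behaviour, and it works only because the antispoofing check ahead of it stops the source from hiding behind forged addresses.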
Defending your network requires constant vigilance and education. Ten best practices include:
These methods provide a starting point for sound security management. Applying these practices, organizations are better prepared to deploy network security solutions, starting with securing access to network devices.
This chapter covers the major types of network attacks and how to mitigate them.
Viruses: Malicious programs that attach to files and can spread when executed. Can be harmless or destructive and often spread via email or removable media.
Worms: Self-replicating programs that exploit network vulnerabilities, often without user action. Can propagate rapidly and disrupt networks.
Trojan Horses: Malware disguised as legitimate software. Can provide remote access, steal data, or perform destructive actions.
Reconnaissance Attacks: Unauthorized discovery of systems, services, or vulnerabilities using tools like packet sniffers, ping sweeps, and port scans. Often precede access or DoS attacks.
Access Attacks: Exploit authentication or system weaknesses to gain unauthorized access. Includes password attacks, man-in-the-middle attacks, and buffer overflows.
Denial of Service (DoS) Attacks: Overwhelm a network, host, or application to make it unavailable. Distributed DoS (DDoS) attacks originate from multiple sources and are harder to mitigate.
Mitigation Strategies:
Following these strategies helps prevent and reduce the impact of network attacks, keeping systems and data secure.