UNIVERSITY OF SCIENCE

FACULTY OF ELECTRONICS TELECOMMUNICATIONS


DEPARTMENT OF TELECOMMUNICATIONS - NETWORKS

CURRENT STATE OF AFFAIRS


CHAPTER 1

SECURING NETWORKS

NGUYEN MINH TRI

Networking Security
Reference: Cisco Academy, Networking Security v1.0 [Online], available at: [Link]

NETWORKS ARE TARGETS

Networks are routinely under attack. A quick internet search for "network attacks" will return many articles about them. Kaspersky maintains the interactive Cyberthreat Real-Time Map, a display of current network attacks. The attack data is submitted from Kaspersky network security products that are deployed worldwide.

REASONS FOR NETWORK SECURITY

Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people's privacy, and compromise the integrity of information. The Cisco Talos Intelligence Group website provides comprehensive security and threat intelligence.

Nguyen Minh Tri - Department of Telecommunications - Networks
VECTORS OF NETWORK ATTACKS

An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack vectors originate from inside or outside the corporate network. Threat actors may target a network through the internet, for example to disrupt network operations with a denial of service (DoS) attack.

DATA LOSS

Common vectors of data loss:

Email/Social Networking - The most common vector for data loss includes instant messaging software and social media sites. For instance, intercepted email or IMs could be captured and confidential information revealed.
Unencrypted Devices - A stolen corporate laptop typically contains confidential organizational data. If the data is not stored encrypted (full-disk encryption), the thief can retrieve valuable confidential data.
Cloud Storage Devices - Saving data to the cloud has many potential benefits. However, sensitive data can be lost if access to the cloud is compromised due to weak security settings.
Removable Media - One risk is that an employee could perform an unauthorized transfer of data to a USB drive. Another risk is that a USB drive containing valuable corporate data could be lost.
Hard Copy - Sensitive data should be disposed of thoroughly. For example, confidential documents should be shredded when no longer required. Otherwise, a thief could retrieve discarded reports and gain valuable information.
Improper Access Control - Passwords are the first line of defense. Stolen passwords or weak passwords which have been compromised can provide an attacker easy access to data.

NETWORK TOPOLOGY OVERVIEW

SMALL OFFICE AND HOME OFFICE NETWORKS

The figure displays a sample SOHO network secured with a consumer-grade wireless router which provides integrated firewall features and secure wireless connections.

The Layer 2 switch is an access layer switch that is hardened with various security measures. It connects user-facing ports that use port security to the SOHO network. Wireless hosts connect to the wireless network using WPA2 data encryption. Hosts typically have antivirus and antimalware software installed. Combined, these security measures provide comprehensive defense at different layers of the network.
WIDE AREA NETWORKS

Wide Area Networks (WANs) span a wide geographical area, often over the public internet. Organizations must ensure secure transport for data in motion as it travels between sites over the public network. Network security professionals must use secure devices on the edge of the network.

DATA CENTER NETWORKS

Data center networks are typically housed in an off-site facility to store sensitive or proprietary data. These sites are connected to corporate sites using VPN technology with ASA devices and integrated data center switches. Because they store such vast quantities of sensitive, business-critical information, physical security is critical to their operation.

Outside perimeter security - This can include on-premise security officers, fences, gates, continuous video surveillance, and security breach alarms.
Inside perimeter security - This can include continuous video surveillance, electronic motion detectors, security traps, and biometric access and exit sensors.

CLOUD NETWORKS AND VIRTUALIZATION

The terms "cloud computing" and "virtualization" are often used interchangeably; however, they mean different things. Virtualization is the foundation of cloud computing. Without it, cloud computing, as it is most widely implemented, would not be possible. Cloud computing separates the application from the hardware. Virtualization separates the operating system from the hardware.

The cloud network consists of physical and virtual servers usually found in data centers. Data centers are increasingly using virtual machines (VMs) to provide server services to their clients. This allows multiple operating systems to exist on a single hardware platform. VMs are prone to specific targeted attacks:

Hyperjacking - An attacker could hijack a VM hypervisor (the VM controlling software) and then use it as a launch point to attack other devices on the data center network.
Instant On Activation - When a VM that has not been used for a period of time is brought online, it may have outdated security policies that deviate from the baseline security and can introduce security vulnerabilities.
Antivirus Storms - This happens when all VMs attempt to download antivirus data files at the same time.
THE EVOLVING NETWORK BORDER

Smartphones, tablets, etc., are becoming substitutes for the office PC that sits behind a firewall. This trend is known as Bring Your Own Device (BYOD). To accommodate this, Cisco developed the Borderless Network. In a Borderless Network, access to resources can be initiated by users from many locations, on many types of end devices, using various connectivity methods.

Cisco devices support Mobile Device Management (MDM) features:

Data Encryption - MDM features can ensure that only devices that support data encryption and have it enabled can access the network and content.
PIN Enforcement - Enforcing a PIN lock is the first and most effective step in preventing unauthorized access to a device.
Data Wipe - Lost or stolen devices can be remotely fully or partially wiped, either by the user or by an administrator via the MDM.
Data Loss Prevention (DLP) - DLP prevents authorized users from doing careless or malicious things with critical data.
Jailbreak/Root Detection - Jailbreaking (on Apple iOS devices) and rooting (on Android devices) are a means to bypass the management of a device. MDM features can detect such bypasses and immediately restrict a device's access to the network or assets.

WHO IS ATTACKING OUR NETWORK?

THREAT, VULNERABILITY, AND RISK

A threat exploits a vulnerability and can damage or destroy an asset. Vulnerability refers to a weakness in your hardware, software, or procedures (in other words, a way an attacker could find their way into your system). Risk refers to the potential for lost, damaged, or destroyed assets.


RISK MANAGEMENT STRATEGY

Risk acceptance - This is when the cost of risk management options outweighs the cost of the risk itself. The risk is accepted, and no action is taken.
Risk avoidance - This means avoiding any exposure to the risk by eliminating the activity or device that presents the risk. By eliminating an activity to avoid risk, any benefits that are possible from the activity are also lost.
Risk reduction - This reduces exposure to risk or reduces the impact of risk by taking action to decrease the risk. It is the most commonly used risk mitigation strategy. This strategy requires careful evaluation of the costs of loss, the mitigation strategy, and the benefits gained from the operation or activity that is at risk.
Risk transfer - Some (or all) of the risk is transferred to a willing third party such as an insurance company.

HACKER VS. THREAT ACTOR

The term "hacker" has a variety of meanings, as follows:

A clever programmer capable of developing new programs and coding changes to existing programs to make them more efficient.
A network professional that uses sophisticated programming skills to ensure that networks are not vulnerable to attack.
A person who tries to gain unauthorized access to devices on the internet.
An individual who runs programs to prevent or slow network access to many users, or to corrupt or destroy data on servers.

EVOLUTION OF THREAT ACTORS

Since hacking started in the 1960s with phone phreaking, it has evolved to include many types of threat actors.

Script Kiddies - Script kiddies emerged in the 1990s. They are teenagers or inexperienced threat actors running existing scripts, tools, and exploits, to cause harm, but typically not for profit.
Vulnerability Brokers - Vulnerability brokers are grey hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.
Hacktivists - Hacktivists are grey hat hackers who rally and protest against different political and social ideas.
Cybercriminals - Cybercriminal is a term for black hat hackers who are either self-employed or working for large cybercrime organizations.
State-Sponsored - State-sponsored hackers are threat actors who steal government secrets, gather intelligence, and sabotage networks of foreign governments, terrorist groups, and corporations.

CYBERCRIMINALS

Cybercriminals are threat actors who are motivated to make money using any means necessary. While some cybercriminals work independently, they are more often financed and sponsored by criminal organizations. It is estimated that globally, cybercriminals steal billions of dollars from consumers and businesses every year.
CYBERSECURITY TASKS

Organizations must act to protect their assets, users, and customers. They must develop and practice cybersecurity tasks, including the following:

Use a trustworthy IT vendor
Keep security software up to date
Perform regular penetration tests
Back up to cloud and hard disk
Periodically change the Wi-Fi password
Keep the security policy up to date
Enforce use of strong passwords
Use two-factor authentication

THREAT ACTOR TOOLS

INTRODUCTION OF ATTACK TOOLS

To exploit a vulnerability, a threat actor must have a technique or tool. Over the years, attack tools have become more sophisticated and highly automated. These new tools require less technical knowledge to use.

EVOLUTION OF SECURITY TOOLS

Ethical hacking uses many different types of tools to test the network and end devices. To validate the security of a network and its systems, many network penetration testing tools have been developed. However, many of these tools can also be used by threat actors for exploitation.
EVOLUTION OF SECURITY TOOLS

Categories of tools:

password crackers - Passwords remain the weakest point of many systems. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover a password. Password crackers repeatedly make guesses in order to crack the password and access the system. Examples include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
wireless hacking tools - Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
network scanning and hacking tools - Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
packet crafting tools - Packet crafting tools are used to probe and test a firewall's robustness using specially crafted forged packets. Examples include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
packet sniffers - Packet sniffer tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
rootkit detectors - A rootkit detector is a directory and file integrity checker used by white hat hackers to detect installed rootkits. AIDE is an example. (Netfilter and PF, the OpenBSD Packet Filter, are sometimes listed in this category, but they are packet-filtering firewalls, not integrity checkers.)
fuzzers - Fuzzers are tools used to discover a computer's security vulnerabilities by feeding it malformed or unexpected input. Examples include Skipfish, Wapiti, and W3af.
forensic tools - White hat hackers use forensic tools to find any trace of evidence existing in a particular computer system. Examples include Sleuth Kit, Helix, Maltego, and EnCase.
debuggers - Debugger tools are used by black hat hackers to reverse engineer binary files when writing exploits. They are also used by white hat hackers when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
hacking operating systems - Hacking operating systems are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples include Kali Linux, Knoppix, Parrot OS, and BackBox Linux. (SELinux, sometimes listed here, is a mandatory access control extension to the Linux kernel, not a distribution.)
encryption tools - Encryption tools use algorithm schemes to encode data to prevent unauthorized access to the encrypted data. Examples include VeraCrypt, CipherShed, OpenSSH, OpenSSL, OpenVPN, and Stunnel.
vulnerability exploitation tools - These tools identify whether a remote host is vulnerable to a security attack and then exploit the weakness. Examples include Metasploit, Core Impact, Sqlmap, Social-Engineer Toolkit (SET), and Netsparker.
vulnerability scanners - These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and to scan VMs, BYOD devices, and client databases. Examples include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.
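The password cracker row above describes guessing, but not why the storage format decides how cheap guessing is. The following example is added here to show that; it is not code from the page or from any of the tools listed. It runs a constructed six-word dictionary (an assumption standing in for a real wordlist) against the same three accounts stored two ways: fast unsalted SHA-256, where one precomputed table cracks every user, and per-user salted PBKDF2, where every candidate must be re-derived for every user at full cost. The user names, passwords and iteration count are illustrative.

```python
import hashlib
import hmac
import os

# Constructed dictionary standing in for a cracker's wordlist (assumption; real
# lists such as rockyou.txt hold millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "Summer2024!"]


def hash_unsalted(password):
    """Weak storage: one fast, unsalted SHA-256 per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def attack_unsalted(stored, wordlist):
    """Dictionary attack against unsalted hashes. The table is built once and
    reused for every account, so the cost is len(wordlist) hashes no matter
    how many users there are. Returns (recovered_by_user, hash_operations)."""
    table = {hash_unsalted(w): w for w in wordlist}
    recovered = {user: table.get(h) for user, h in stored.items()}
    return recovered, len(wordlist)


def hash_salted(password, salt=None, iterations=50_000):
    """Stronger storage: per-user random salt plus a deliberately slow KDF.
    50k PBKDF2 iterations keeps this demo quick; production counts should be
    much higher, or use Argon2/scrypt/bcrypt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def verify_salted(password, rec):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(dk, rec["dk"])  # constant-time comparison


def attack_salted(stored, wordlist):
    """Same dictionary against salted, slow hashes: no shared table is possible,
    so each candidate is re-derived for each user and every derivation costs
    `iterations` HMAC calls. Returns (recovered_by_user, hmac_operations)."""
    recovered, ops = {}, 0
    for user, rec in stored.items():
        recovered[user] = None
        for w in wordlist:
            ops += rec["iterations"]
            if verify_salted(w, rec):
                recovered[user] = w
                break
    return recovered, ops


def demo():
    """Constructed accounts: two share a weak password, one uses a passphrase
    that is not in the dictionary."""
    passwords = {"alice": "letmein", "bob": "letmein",
                 "carol": "correct horse battery staple"}
    unsalted = {u: hash_unsalted(p) for u, p in passwords.items()}
    salted = {u: hash_salted(p) for u, p in passwords.items()}
    return attack_unsalted(unsalted, WORDLIST), attack_salted(salted, WORDLIST), unsalted, salted


if __name__ == "__main__":
    (rec_u, ops_u), (rec_s, ops_s), unsalted, salted = demo()
    print("unsalted:", rec_u, "hash ops:", ops_u)
    print("salted:  ", rec_s, "HMAC ops:", ops_s)
    print("alice and bob share an unsalted hash:", unsalted["alice"] == unsalted["bob"])
    print("alice and bob share a salted hash:  ", salted["alice"]["dk"] == salted["bob"]["dk"])
```

Two things to notice when running it: the unsalted store leaks that alice and bob reuse the same password before a single guess is made, and the dictionary still wins against both schemes for those two accounts. Salting and a slow KDF raise the attacker's cost per user (here from 6 hashes total to 700,000 HMAC calls), but they do not rescue a password that is in the wordlist; that is why the page's "enforce use of strong passwords" and two-factor authentication sit alongside good hashing.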

CATEGORIES OF ATTACKS

eavesdropping attack - An eavesdropping attack is when a threat actor captures and listens to network traffic. This attack is also referred to as sniffing or snooping.
data modification attack - Data modification attacks occur when a threat actor has captured enterprise traffic and has altered the data in the packets without the knowledge of the sender or receiver.
IP address spoofing attack - An IP address spoofing attack is when a threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
password-based attacks - Password-based attacks occur when a threat actor obtains the credentials for a valid user account. Threat actors then use that account to obtain lists of other users and network information. They could also change server and network configurations, and modify, reroute, or delete data.
denial-of-service (DoS) attack - A DoS attack prevents normal use of a computer or network by valid users. After gaining access to a network, a DoS attack can crash applications or network services. A DoS attack can also flood a computer or the entire network with traffic until a shutdown occurs because of the overload, or block traffic, which results in a loss of access to network resources by authorized users.
man-in-the-middle attack (MiTM) - A MiTM attack occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.
compromised key attack - A compromised key attack occurs when a threat actor obtains a secret key. This is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.
sniffer attack - A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be opened and read unless they are encrypted and the threat actor does not have access to the key.
MALWARE

TYPES OF MALWARE

Malware is short for malicious software or malicious code. It is code or software that is specifically designed to damage, disrupt, steal, or generally inflict some other illegitimate action on data, hosts, or networks. End devices are especially prone to malware attacks. The three most common types of malware are:

virus
worm
Trojan horse

VIRUSES

A virus is a type of malware that spreads by inserting a copy of itself into another program. After the program is run, viruses then spread from one computer to another, infecting the computers. Most viruses require human help to spread. A simple virus may install itself at the first line of code in an executable file. When activated, the virus might check the disk for other executables so that it can infect all the files it has not yet infected. Viruses can also be programmed to mutate to avoid detection. Most viruses are now spread by USB memory drives, CDs, DVDs, network shares, and email.

TROJAN HORSES

Trojan horse malware is software that appears to be legitimate, but it contains malicious code which exploits the privileges of the user who runs it. Often, Trojans are found attached to online games. Users are commonly tricked into loading and executing the Trojan horse on their systems. While playing the game, the user will not notice a problem. In the background, the Trojan horse has been installed on the user's system. The malicious code from the Trojan horse continues operating even after the game has been closed.

The Trojan horse concept is flexible. It can cause immediate damage, provide remote access to the system, or access through a back door. It can also perform actions as instructed remotely, such as "send me the password file once per week."
TROJAN HORSE CLASSIFICATION

Remote-access - Enables unauthorized remote access.
Data-sending - Provides the threat actor with sensitive data, such as passwords.
Destructive - Corrupts or deletes files.
Proxy - Uses the victim's computer as the source device to launch attacks and perform other illegal activities.
FTP - Enables unauthorized file transfer services on end devices.
Security software disabler - Stops antivirus programs or firewalls from functioning.
Denial of Service (DoS) - Slows or halts network activity.
Keylogger - Actively attempts to steal confidential information, such as credit card numbers, by recording keystrokes that have been entered into a web form.

WORMS

Computer worms are like viruses because they replicate and can cause the same type of damage. Specifically, worms replicate themselves by independently exploiting vulnerabilities in networks. Worms can slow down networks as they spread from system to system.

WORM COMPONENTS

Most worm attacks consist of three components:

Enabling vulnerability - A worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system.
Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.
Payload - Any malicious code that results in some action is a payload. Most often this is used to create a backdoor that allows a threat actor access to the infected host or to create a DoS attack.

RANSOMWARE

Currently, the most dominant malware is ransomware. Ransomware is malware that denies access to the infected computer system or its data. The cybercriminals then demand payment to release the computer system. Ransomware has evolved to become the most profitable malware type in history. There are dozens of ransomware variants. Ransomware frequently uses an encryption algorithm to encrypt system files and data. Payment is typically demanded in Bitcoin because bitcoin users can remain pseudonymous (the ledger is public, but wallets are not tied to a real identity). Email and malicious advertising, also known as malvertising, are vectors for ransomware campaigns. Social engineering is also used.
OTHER MALWARE

Spyware - Used to gather information about a user and send the information to another entity without the user's consent. Spyware can include system monitors, tracking cookies, adware, and key loggers.
Adware - Displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited. It can then send pop-up advertising pertinent to those sites.
Scareware - Includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user and attempts to persuade the user to infect a computer by taking action to address the bogus threat.
Phishing - Attempts to convince people to divulge sensitive information. Examples include receiving an email purporting to be from their bank asking users to divulge their account and PIN numbers. (Phishing is a social engineering technique rather than malware in itself, but it is a common malware delivery vector.)
Rootkits - Installed on a compromised system. After it is installed, it continues to hide its intrusion and provide privileged access to the threat actor.

COMMON MALWARE BEHAVIORS

Computers infected with malware often exhibit one or more of the following symptoms:

Appearance of strange files, programs, or desktop icons
Antivirus and firewall programs are turning off or reconfiguring settings
Computer screen is freezing or system is crashing
Emails are spontaneously being sent to your contact list without your knowledge
Files have been modified or deleted
Increased CPU and/or memory usage
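The rootkit detector row in the tool table above calls a detector a "directory and file integrity checker", and the Rootkits entry here says a rootkit hides its intrusion. The example below is added to show the integrity-checking idea in working code; it is not AIDE's code, nor anything from the page. It baselines a constructed temporary tree (an assumption standing in for /bin and /var), simulates a user-land rootkit replacing ls, dropping a hidden loader, adding the setuid bit to ps and deleting a log, and reports what changed. The file names and contents are fabricated for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record digest, permission bits and size for every regular file under
    root (an AIDE-style baseline). Keys are POSIX paths relative to root."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return entries


def compare(baseline, current):
    """Diff two snapshots into sorted lists of added / removed / modified paths.
    A change in any recorded attribute (content, mode, size) counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario in a temporary directory (assumption: POSIX host)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n")
        (root / "var").mkdir()
        (root / "var" / "auth.log").write_text("May  1 10:00:00 host sshd[1]: Accepted\n")
        baseline = snapshot(root)  # taken while the system is known-good

        # Simulated user-land rootkit: trojaned ls that filters its own name,
        # a hidden loader, a setuid bit on ps, and a deleted log.
        (root / "bin" / "ls").write_bytes(
            b"#!/bin/sh\nexec /usr/bin/ls \"$@\" | grep -v rootkit\n")
        (root / "bin" / ".loader").write_bytes(b"\x7fELF")
        os.chmod(root / "bin" / "ps", 0o4755)
        (root / "var" / "auth.log").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check catches a content change, a permissions-only change (the setuid bit on ps, which a size or timestamp check would miss) and an added dotfile. The caveat the page's rootkit description implies: a kernel-level rootkit can feed the checker itself a sanitised directory listing or clean file contents, so the baseline must be stored off the host and the comparison run from trusted media, not from the possibly compromised system.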

COMMON MALWARE BEHAVIORS (continued)

Problems connecting to networks
Slow computer or web browser speeds
Unknown processes or services running
Unknown TCP or UDP ports open
Connections are made to hosts on the internet without user action
Other strange computer behavior

COMMON NETWORK ATTACKS - RECONNAISSANCE, ACCESS, AND SOCIAL ENGINEERING


TYPES OF NETWORK ATTACKS

To mitigate attacks, it is useful to first categorize the various types of attacks. By categorizing network attacks, it is possible to address types of attacks rather than individual attacks. Although there is no standardized way of categorizing network attacks, the method used in this course classifies attacks in three major categories:

Reconnaissance Attacks
Access Attacks
DoS Attacks

RECONNAISSANCE ATTACKS

Reconnaissance is information gathering. Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks.

Perform an information query of a target - The threat actor is looking for initial information about a target. Various tools can be used, including Google search, the organization's website, whois, and more.
Initiate a ping sweep of the target network - The threat actor initiates a ping sweep to determine which IP addresses are active.
Initiate a port scan of active IP addresses - This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Run vulnerability scanners - This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.
Run exploitation tools - The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist, including Metasploit, Core Impact, Sqlmap, Social-Engineer Toolkit, and Netsparker.
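The ping sweep and port scan steps above are what a defender sees first, so the following example, added here and not taken from the page or the Cisco course, shows the detection side: it parses constructed firewall log lines (the line format is an assumption, not any vendor's syntax) and flags a source that hits many distinct ports on one host, or ICMP-probes many hosts, inside a sliding time window. All addresses are from documentation ranges and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's syntax):
#   <ISO-8601 timestamp> <TCP|UDP|ICMP> <src_ip> -> <dst_ip>[:<dst_port>] <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+)(?::(?P<port>\d+))? (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["port"] = int(rec["port"]) if rec["port"] is not None else None
    return rec


def detect_recon(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=8):
    """Return a sorted list of (kind, src, target, count) findings.

    kind is "port_scan" when one source touches >= port_threshold distinct
    TCP/UDP ports on a single host inside `window`, or "ping_sweep" when it
    sends ICMP to >= host_threshold distinct hosts inside `window`.
    """
    events = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    by_src = defaultdict(list)
    for r in events:
        by_src[r["src"]].append(r)

    findings = {}  # (kind, src, target) -> highest count seen in any window
    for src, recs in by_src.items():
        for i, first in enumerate(recs):
            # A window starts at each event from this source and runs forward.
            end = first["ts"] + window
            ports_by_dst = defaultdict(set)
            icmp_hosts = set()
            for r in recs[i:]:
                if r["ts"] > end:
                    break
                if r["proto"] == "ICMP":
                    icmp_hosts.add(r["dst"])
                else:
                    ports_by_dst[r["dst"]].add(r["port"])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold:
                    key = ("port_scan", src, dst)
                    findings[key] = max(findings.get(key, 0), len(ports))
            if len(icmp_hosts) >= host_threshold:
                key = ("ping_sweep", src, "*")
                findings[key] = max(findings.get(key, 0), len(icmp_hosts))
    return sorted(k + (v,) for k, v in findings.items())


def build_sample_log():
    """Constructed, synthetic log lines (not a real capture)."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = []
    # 203.0.113.7 probes 12 common ports on one host within 12 seconds ...
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]):
        lines.append(f"{stamp(i)} TCP 203.0.113.7 -> 192.0.2.10:{port} DROP")
    # ... then pings ten hosts on the subnet.
    for i in range(1, 11):
        lines.append(f"{stamp(20 + i)} ICMP 203.0.113.7 -> 192.0.2.{i} ACCEPT")
    # A normal client touching three ports over three minutes.
    for i, port in enumerate([80, 443, 8080]):
        lines.append(f"{stamp(60 * i)} TCP 198.51.100.4 -> 192.0.2.10:{port} ACCEPT")
    # A slow scanner: one new port every 30 s never reaches the threshold in a 60 s window.
    for i in range(12):
        lines.append(f"{stamp(30 * i)} TCP 198.51.100.9 -> 192.0.2.11:{1000 + i} DROP")
    lines.append("this line is malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for finding in detect_recon(build_sample_log()):
        print(*finding)
```

The slow scanner in the sample data is deliberate: a fixed threshold per window is easy to stay under, which is why real detection combines short windows with a longer-horizon count of distinct ports per source, and why dropped probes (the DROP action) are worth logging at all. Tune the thresholds to the environment; a vulnerability scanner you run yourself will trip this rule too.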

ACCESS ATTACKS

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services. The purpose of this type of attack is to gain entry to web accounts, confidential databases, and other sensitive information.

Password Attacks - In a password attack, the threat actor attempts to discover critical system passwords using various methods.
Spoofing Attacks - In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.
Trust Exploitation - In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target.
Port redirection - In a port redirection attack, a threat actor uses a compromised system as a base for attacks against other targets.
Man-in-the-Middle - In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties.
Buffer Overflow Attack - In a buffer overflow attack, the threat actor writes more data into a fixed-size buffer than it can hold, overwriting adjacent memory with unexpected values. This usually renders the system inoperable, resulting in a DoS attack; a carefully crafted overflow can instead redirect execution to attacker-supplied code.
SOCIAL ENGINEERING ATTACKS

Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information.

Pretexting - A threat actor pretends to need personal or financial data to confirm the identity of the recipient.
Phishing - A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.
Spear phishing - A threat actor creates a targeted phishing attack tailored for a specific individual or organization.
Spam - Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.
Something for Something - This is when a threat actor requests personal information from a party in exchange for something such as a gift.
Baiting - A threat actor leaves a malware-infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.
Impersonation - In this type of attack, a threat actor pretends to be someone else to gain the trust of a victim.
Tailgating - This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.
Shoulder surfing - This is where a threat actor inconspicuously looks over someone's shoulder to steal their passwords or other information.
Dumpster diving - This is where a threat actor rummages through trash bins to discover confidential documents.

STRENGTHENING THE WEAKEST LINK

Cybersecurity is only as strong as its weakest link. Because computers and other internet-connected devices have become an essential part of our lives, they no longer seem new or different. The weakest link in cybersecurity can be the personnel within an organization, and social engineering is a major security threat. Because of this, one of the most effective security measures that an organization can take is to train its personnel.

NETWORK ATTACKS - DENIAL OF SERVICE, BUFFER OVERFLOWS, AND EVASION


DOS AND DDOS ATTACKS

A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications. There are two major types of DoS attacks:

Overwhelming Quantity of Traffic
Maliciously Formatted Packets

A Distributed DoS Attack (DDoS) is like a DoS attack, but it originates from multiple, coordinated sources.

COMPONENTS OF DDOS ATTACKS

If threat actors can compromise many hosts, they can perform a Distributed DoS Attack (DDoS). The following terms are used to describe components of a DDoS attack:

zombies - This refers to a group of compromised hosts (i.e., agents). These hosts run malicious code referred to as robots (i.e., bots). The zombie malware continually attempts to self-propagate like a worm.
bots - Bots are malware that is designed to infect a host and communicate with a handler system. Bots can also log keystrokes, gather passwords, capture and analyze packets, and more.
botnet - This refers to a group of zombies that have been infected using self-propagating malware (i.e., bots) and are controlled by handlers.
handlers - This refers to a master command-and-control (CnC or C2) server controlling groups of zombies. The originator of a botnet can use Internet Relay Chat (IRC) or a web server on the C2 server to remotely control the zombies.
botmaster - This is the threat actor who is in control of the botnet and handlers.

BUFFER OVERFLOW ATTACK

The goal of a threat actor when using a buffer overflow DoS attack is to find a memory-related flaw on a server and exploit it. Writing more data into a fixed-size buffer than it was allocated for overwrites adjacent memory; the usual result is a crash that renders the system inoperable, creating a DoS attack, and a carefully crafted overflow can instead hijack control flow and run attacker-supplied code. It is estimated that one third of malicious attacks are the result of buffer overflows.

EVASION METHODS

Some of the evasion methods used by threat actors include:

Encryption and tunneling - This evasion technique uses tunneling to hide, or encryption to scramble, malware files. This makes it difficult for many security detection techniques to detect and identify the malware. Tunneling can mean hiding stolen data inside of legitimate packets.
Resource exhaustion - This evasion technique makes the target host too busy to properly use security detection techniques.
Traffic fragmentation - This evasion technique splits a malicious payload into smaller packets to bypass network security detection. After the fragmented packets bypass the security detection system, the malware is reassembled and may begin sending sensitive data out of the network.
Protocol-level misinterpretation - This evasion technique occurs when network defenses do not properly handle features of a PDU like a checksum or TTL value. This can trick a firewall into ignoring packets that it should check.
Traffic substitution - In this evasion technique, the threat actor attempts to trick an IPS by obfuscating the data in the payload. This is done by encoding it in a different format. For example, the threat actor could use encoded traffic in Unicode instead of ASCII. The IPS does not recognize the true meaning of the data, but the target end system can read the data.
EVASION METHODS
Traffic insertion - Similar to traffic substitution, but the threat actor inserts extra bytes of data in a sequence of malicious data. The IPS rules miss the malicious data, accepting the full sequence of data.
Pivoting - This technique assumes that the threat actor has compromised an inside host and wants to expand their access further into the compromised network. An example is a threat actor who has gained access to the administrator password on a compromised host and is attempting to log in to another host using the same credentials.
Rootkits - A rootkit is a complex attacker tool used by experienced threat actors. It integrates with the lowest levels of the operating system. When a program attempts to list files, processes, or network connections, the rootkit presents a sanitized version of the output, eliminating any incriminating output. The goal of the rootkit is to completely hide the activities of the attacker on the local system.
Proxies - Network traffic can be redirected through intermediate systems in order to hide the ultimate destination for stolen data. In this way, known command-and-control cannot be blocked by an enterprise because the proxy destination appears benign. Additionally, if data is being stolen, the destination for the stolen data can be distributed among many proxies, thus not drawing attention to the fact that a single unknown destination is serving as the destination for large amounts of network traffic.

MITIGATING THREATS
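The traffic fragmentation and traffic substitution entries above both describe the same sensor weakness: matching each packet as it arrives, on its raw bytes. The following added example (it is not part of the Cisco course) shows a toy IPS matcher first without and then with the reassembly and normalization step a sensor needs. The signature string, the packet record layout and all sample traffic are constructed for the demonstration.

```python
# Added example (not from the Cisco course): a toy IPS matcher, first without and then with the
# reassembly and normalization that the traffic fragmentation and traffic substitution evasion
# methods rely on sensors lacking. The signature string, the packet records and all sample
# traffic below are constructed for this demonstration.
import unicodedata
from urllib.parse import unquote

# Toy signature: a path fragment a web IPS rule might look for. Real rules are far richer.
SIGNATURE = "/etc/passwd"


def naive_match(packets):
    """Weak sensor: inspects each packet on its own, raw bytes only."""
    return any(SIGNATURE in p["payload"] for p in packets)


def reassemble(packets):
    """Rebuild the byte stream from (offset, payload) fragments, whatever order they arrived in.
    Overlapping bytes keep the first-seen value, one of the policies a target host may apply;
    a production sensor has to model the policy of the host it protects."""
    stream = {}
    for p in sorted(packets, key=lambda p: p["offset"]):
        for i, ch in enumerate(p["payload"]):
            stream.setdefault(p["offset"] + i, ch)
    return "".join(stream[k] for k in sorted(stream))


def normalize(text):
    """Undo the substitution tricks the slide names: percent-decode until stable (catches
    double encoding), then fold Unicode look-alikes (e.g. full-width '／') onto ASCII with NFKC."""
    previous = None
    while previous != text:
        previous, text = text, unquote(text)
    return unicodedata.normalize("NFKC", text)


def hardened_match(packets):
    """Sensor that reassembles first, normalizes second, and only then matches."""
    return SIGNATURE in normalize(reassemble(packets))


# Constructed sample traffic. Fragments arrive out of order on purpose.
FRAGMENTED = [
    {"offset": 22, "payload": "swd HTTP/1.0\r\n"},
    {"offset": 0, "payload": "GET /cgi/../../"},
    {"offset": 15, "payload": "etc/pas"},
]
SUBSTITUTED = [{"offset": 0, "payload": "GET /cgi/%2e%2e/%252fetc%2fpasswd HTTP/1.0\r\n"}]
UNICODE = [{"offset": 0, "payload": "GET ／etc／passwd HTTP/1.0\r\n"}]
BENIGN = [{"offset": 0, "payload": "GET /index.html HTTP/1.0\r\n"}]

if __name__ == "__main__":
    for name, pkts in [("fragmented", FRAGMENTED), ("substituted", SUBSTITUTED),
                       ("unicode", UNICODE), ("benign", BENIGN)]:
        print(f"{name:12s} naive={naive_match(pkts)!s:5s} hardened={hardened_match(pkts)}")
```

The three evasive samples are all missed by naive_match and all caught by hardened_match, while the benign request stays clean in both; the design point is that decoding must be repeated until the text stops changing, otherwise a doubly encoded payload slips through after a single pass.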

NETWORK SECURITY PROFESSIONALS
Network security professionals are responsible for maintaining data assurance for an organization and ensuring the integrity and confidentiality of information.
Security specialist job roles within an enterprise include Chief Information Officer (CIO), Chief Information Security Officer (CISO), Security Operations (SecOps) Manager, Chief Security Officer (CSO), Security Manager, and Network Security Engineer.

NETWORK SECURITY PROFESSIONALS
Regardless of job titles, network security professionals must always stay one step ahead of the hackers:
They must constantly upgrade their skill set to keep abreast of the latest threats.
They must attend training and workshops.
They must subscribe to real-time feeds regarding threats.
They must peruse security websites daily.
They must maintain familiarity with network security organizations. These organizations often have the latest information on threats and vulnerabilities.
NETWORK INTELLIGENCE COMMUNITIES
SysAdmin, Audit, Network, Security (SANS) Institute
Mitre Corporation
Forum of Incident Response and Security Teams (FIRST)
SecurityNewsWire
International Information Systems Security Certification Consortium (ISC2)
Center for Internet Security (CIS)

NETWORK SECURITY CERTIFICATIONS
Certifications for network security professionals are offered by the following organizations:
Global Information Assurance Certification (GIAC)
International Information System Security Certification Consortium (ISC)2
Information Systems Audit and Control Association (ISACA)
International Council of E-Commerce Consultants (EC-Council)
Certified Wireless Network Professionals (CWNP)

COMMUNICATIONS SECURITY: CIA
Information security deals with protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The CIA Triad serves as a conceptual foundation for the field.
Confidentiality - Only authorized individuals, entities, or processes can access sensitive information.
Integrity - This refers to the protection of data from unauthorized alteration.
Availability - Authorized users must have uninterrupted access to the network resources and data that they require.

NETWORK SECURITY POLICIES

NETWORK SECURITY DOMAINS
There are 14 network security domains specified by the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC).
Information Security Policies - This annex is designed to ensure that security policies are created, reviewed, and maintained.
Organization of Information Security - This is the governance model set out by an organization for information security. It assigns responsibilities for information security tasks within an organization.
Human Resources Security - This addresses security responsibilities relating to employees joining, moving within, and leaving an organization.
Asset Management - This concerns the way that organizations create an inventory of and classification scheme for information assets.

NETWORK SECURITY DOMAINS
Access Control - This describes the restriction of access rights to networks, systems, applications, functions, and data.
Cryptography - This concerns data encryption and the management of sensitive information to protect confidentiality, integrity, and availability of data.
Physical and Environmental Security - This describes the protection of the physical computer facilities and equipment within an organization.
Operations Security - This describes the management of technical security controls in systems and networks including malware defenses, data backup, logging and monitoring, vulnerability management, and audit considerations. This domain is also concerned with the integrity of software that is used in business operations.
Communications Security - This concerns the security of data as it is communicated on networks, both within an organization and between an organization and third parties such as customers or suppliers.

NETWORK SECURITY DOMAINS
System Acquisition, Development, and Maintenance - This ensures that information security remains a central
lifecycle, in both private and public networks.
Supplier Relationships - This concerns the specification of contractual agreements
assets that are accessible by third parties that provide supplies and services to the organization.
Information Security Incident Management - This describes how to anticipate and respond to information security breaches.
Business Continuity Management - This describes the protection, maintenance, and recovery of business-critical processes and systems.
Compliance - This describes the process of ensuring conformance with information security policies, standards, and regulations.

BUSINESS POLICIES
Business policies are the guidelines that are developed by an organization to govern its actions.
The policies define standards of correct behavior for the business and its employees. In networking, policies define the activities that are allowed on the network. This sets a baseline of acceptable use. If behavior that violates business policy is detected on the network, it is possible that a security breach has occurred.
BUSINESS POLICIES
Company policies - These policies establish the rules of conduct and the responsibilities of both employees and employers. Policies protect the rights of workers as well as the business interests of employers. Depending on the needs of the organization, various policies and procedures establish rules regarding employee conduct, attendance, dress code, privacy and other areas related to the terms and conditions of employment.
Employee policies - These policies are created and maintained by human resources staff to identify employee salary, pay schedule, employee benefits, work schedule, vacations, and more. They are often provided to new employees to review and sign.
Security policies - These policies identify a set of security objectives for a company, define the rules of behavior for users and administrators, and specify system requirements. These objectives, rules, and requirements collectively ensure the security of a network and the computer systems in an organization. Much like a continuity plan, a security policy is a constantly evolving document based on changes in the threat landscape, vulnerabilities, and business and employee requirements.

SECURITY POLICY
Security policies are used to inform users, staff, and managers
requirements for protecting technology and information assets.
A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.

SECURITY POLICY
Policies that may be included in a security policy are:
Identification and authentication policy - Specifies authorized persons that can have access to network resources and identity verification procedures.
Password policies - Ensures passwords meet minimum requirements and are changed regularly.
Acceptable Use Policy (AUP) - Identifies network applications and uses that are acceptable to the organization. It may also identify ramifications if this policy is violated.
Remote access policy - Identifies how remote users can access a network and what is accessible via remote connectivity.
Network maintenance policy - Specifies network device operating systems and end user application update procedures.
Incident handling procedures - Describes how security incidents are handled.

BYOD POLICIES
Many organizations must now also support Bring Your Own Device (BYOD). This enables employees to use their own mobile devices to access company systems, software, networks, or information. This can bring an increased information security risk because BYOD can lead to data breaches and greater liability for the organization.
BYOD security best practices to help mitigate BYOD vulnerabilities are:
BYOD POLICIES
BYOD security best practices to help mitigate BYOD vulnerabilities are:
Password protected access - Use unique passwords for each device and account.
Manually control wireless connectivity - Turn off Wi-Fi and Bluetooth connectivity when not in use. Connect only to trusted networks.
Keep updated - Always keep the device OS and other software updated. Updated software often contains security patches to mitigate against the latest threats or exploits.
Back up data - Enable backup of the device in case it is lost or stolen. Subscribe to a device locator service with remote wipe feature.
Provide antivirus software - Provide antivirus software for approved BYOD devices.
Use Mobile Device Management (MDM) software - MDM software enables IT teams to implement security settings and software configurations on all devices that connect to company networks.

REGULATORY AND STANDARDS COMPLIANCE
There are also external regulations regarding network security. Network security professionals must be familiar with the laws and codes of ethics that are binding on Information Systems Security (INFOSEC) professionals.
Many organizations are mandated to develop and implement security policies. Compliance regulations define what organizations are responsible for providing and the liability if they fail to comply. The compliance regulations that an organization is obligated to follow depend on the type of organization and the data that the organization handles.

THE SECURITY ONION AND THE SECURITY ARTICHOKE
A common analogy used to describe a defense-in-depth
have to peel away at layer by layer in a manner similar to peeling an onion. Only after penetrating each layer would the threat actor reach the target data or system.

SECURITY TOOLS, PLATFORMS, AND SERVICES


THE SECURITY ONION AND THE SECURITY ARTICHOKE
The changing landscape of networking, such as the evolution of borderless networks, has changed this analogy to
threat actors because they no longer have to peel away each layer. They only need to remove certain
security armor along the perimeter to get

SECURITY TESTING TOOLS
Ethical hacking involves using different types of tools to test the network and end devices to validate the security of the network.
Penetration testing uses hacker techniques and tools to evaluate the strength of network security measures.
Cybersecurity personnel must also know how to use these tools when performing network penetration tests.

SECURITY TESTING TOOLS
password crackers - Passwords are the most vulnerable security threat. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover the password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. Password crackers repeatedly make guesses in order to crack the password and access the system. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
wireless hacking tools - Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
network scanning and hacking tools - Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

SECURITY TESTING TOOLS
packet crafting tools -
specially crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
packet sniffers - Packet sniffer tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
rootkit detectors - A rootkit detector is a directory and file integrity checker used by white hats to detect installed rootkits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.
fuzzers to search vulnerabilities - Fuzzers are tools used by threat actors when attempting to discover a computer
W3af.
forensic tools - White hat hackers use forensic tools to sniff out any trace of evidence existing in a particular computer system. Examples of tools include Sleuth Kit, Helix, Maltego, and Encase.
SECURITY TESTING TOOLS
debuggers - Debugger tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
hacking operating systems - Hacking operating systems are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, Parrot OS, and BackBox Linux.
encryption tools -
transmitted. Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, OpenVPN, and Stunnel.
vulnerability exploitation tools - These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social-Engineer Toolkit, and Netsparker.
vulnerability scanners - These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of these tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.

DATA SECURITY PLATFORMS
Data Security Platforms (DSP) are an integrated security solution that combines traditionally independent tools into a suite of tools that are made to work together.
One such DSP is the Helix platform from FireEye. FireEye Helix is a cloud-based security operations platform that enables organizations to integrate many security functionalities into a single platform.
Another integrated DSP is Cisco SecureX. The Cisco Secure portfolio consists of a broad set of technologies that function as a team, providing interoperability with the security infrastructure, including third-party technologies.

SECURITY SERVICES
Threat intelligence and security services allow the exchange of threat information such as vulnerabilities, indicators of compromise (IOC), and mitigation techniques. As threats emerge, threat intelligence services create and distribute firewall rules and IOCs to the devices that have subscribed to the service.
One such service is the Cisco Talos Threat Intelligence Group. Talos is one of the largest commercial threat intelligence teams in the world. Cisco Security products can use Talos threat intelligence in real time to provide fast and effective security solutions.

MITIGATING COMMON NETWORK ATTACKS


DEFENDING THE NETWORK
Constant vigilance and ongoing education are required to defend your network against attack. The following are best practices for securing a network:
Develop a written security policy for the company.
Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
Control physical access to systems.
Use strong passwords and change them often.
Encrypt and password-protect sensitive data.
Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, antivirus software, and content filtering.
Perform backups and test the backed-up files on a regular basis.
Shut down unnecessary services and ports.
Keep patches up-to-date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
Perform security audits to test the network.

MITIGATING MALWARE
Malware, including viruses, worms, and Trojan horses, can cause serious problems on networks and end devices. Network administrators have several means of mitigating these attacks.
Antivirus software helps prevent hosts from getting infected and spreading malicious code. Several companies create antivirus software, such as Symantec, McAfee, and Trend Micro.
Another way to mitigate malware threats is to prevent malware files from entering the network at all. Security devices at the network perimeter can identify known malware files based on their indicators of compromise.

MITIGATING WORMS
Worms are more network-based than viruses. Worm mitigation requires diligence and coordination on the part of network security professionals.
The response to a worm attack can be broken down into four phases: containment, inoculation, quarantine, and treatment.
MITIGATING WORMS
1. Containment - The containment phase involves limiting the spread of a worm infection to areas of the network that are already affected. This requires compartmentalization and segmentation of the network to slow down or stop the worm and to prevent currently infected hosts from targeting and infecting other systems. Containment requires using both outgoing and incoming ACLs on routers and firewalls at control points within the network.
2. Inoculation - The inoculation phase runs parallel to or subsequent to the containment phase. During the inoculation phase, all uninfected systems are patched with the appropriate vendor patch. The inoculation process further deprives the worm of available targets.
3. Quarantine - The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. This isolates these systems appropriately for the treatment phase.
4. Treatment - The treatment phase involves actively disinfecting infected systems. This can involve terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system. Alternatively, in more severe cases, the system may need to be reinstalled to ensure that the worm and its by-products are removed.

MITIGATING RECONNAISSANCE ATTACKS
Reconnaissance attacks are typically the precursor to other attacks that are designed to gain unauthorized access to a network or disrupt network functionality. You can detect when a reconnaissance attack is underway by receiving notifications from preconfigured alarms. These alarms are triggered when certain parameters are exceeded, such as the number of ICMP requests per second.

MITIGATING RECONNAISSANCE ATTACKS
Reconnaissance attacks can be mitigated in several ways, including the following:
Implementing authentication to ensure proper access.
Using encryption to render packet sniffer attacks useless.
Using anti-sniffer tools to detect packet sniffer attacks.
Implementing a switched infrastructure.
Using a firewall and IPS.
It is impossible to mitigate port scanning. Using an IPS and firewall can limit the information that can be discovered with a port scanner.
Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers; however, when these services are turned off, network diagnostic data is lost.

MITIGATING ACCESS ATTACKS
Several techniques are available for mitigating access attacks, including strong password security, principle of minimum trust, cryptography, and applying operating system and application patches.
Use strong passwords - Strong passwords are at least eight characters and contain uppercase letters, lowercase letters, numbers, and special characters.
Disable accounts after a specified number of unsuccessful logins has occurred - This practice helps to prevent continuous password attempts.
Use encryption for remote access to a network and routing protocol traffic to reduce the possibility of man-in-the-middle attacks.
Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
Multifactor authentication (MFA) has become increasingly common.
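The reconnaissance slides describe alarms that fire when a parameter such as ICMP requests per second is exceeded, and name ping sweeps and port scans as the activity to watch for. The added example below (not from the Cisco course) implements that alarm logic as a per-source sliding window over simplified flow records. The record format, thresholds, addresses and log lines are constructed for the demonstration and do not follow any vendor's syslog or NetFlow layout.

```python
# Added example (not from the Cisco course): the "preconfigured alarm" idea from the slides as
# code. It keeps a sliding window per source and raises three of the reconnaissance signals the
# slides name: too many ICMP echo requests, a ping sweep (one source probing many hosts) and a
# port scan (one source probing many ports on one host). The record format, the thresholds
# and every log line below are constructed for this demonstration, not any vendor's format.
import re
from collections import defaultdict, deque

RECORD = re.compile(
    r"t=(?P<t>[\d.]+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)(?: dport=(?P<dport>\d+))?$"
)


def parse(line):
    m = RECORD.match(line)
    if not m:
        raise ValueError(f"unparsable record: {line!r}")
    g = m.groupdict()
    return float(g["t"]), g["proto"], g["src"], g["dst"], int(g["dport"]) if g["dport"] else None


class ReconDetector:
    def __init__(self, window=10.0, icmp_max=20, sweep_hosts=10, scan_ports=15):
        self.window = window            # seconds of history kept per source
        self.icmp_max = icmp_max        # echo requests tolerated per source per window
        self.sweep_hosts = sweep_hosts  # distinct destinations per source per window
        self.scan_ports = scan_ports    # distinct ports per (source, destination) per window
        self.icmp = defaultdict(deque)  # src -> deque of (t, dst)
        self.tcp = defaultdict(deque)   # (src, dst) -> deque of (t, dport)
        self.alerts = []                # each condition is reported once per offender

    def _expire(self, dq, now):
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def _alert(self, *key):
        if key not in self.alerts:
            self.alerts.append(key)

    def observe(self, line):
        t, proto, src, dst, dport = parse(line)
        if proto == "icmp":
            dq = self.icmp[src]
            dq.append((t, dst))
            self._expire(dq, t)
            if len(dq) > self.icmp_max:
                self._alert("icmp-rate", src)
            if len({d for _, d in dq}) >= self.sweep_hosts:
                self._alert("ping-sweep", src)
        elif proto == "tcp" and dport is not None:
            dq = self.tcp[(src, dst)]
            dq.append((t, dport))
            self._expire(dq, t)
            if len({p for _, p in dq}) >= self.scan_ports:
                self._alert("port-scan", src, dst)


def run_detector(lines, **thresholds):
    det = ReconDetector(**thresholds)
    for line in lines:
        det.observe(line)
    return det.alerts


# Constructed sample records: one noisy outside host, one quiet internal monitoring host.
SAMPLE_LOG = (
    [f"t={i * 0.2:.1f} proto=icmp src=198.51.100.9 dst=10.0.0.{i + 1}" for i in range(30)]
    + [f"t={6 + i * 0.1:.1f} proto=tcp src=198.51.100.9 dst=10.0.0.5 dport={20 + i}" for i in range(25)]
    + [f"t={i * 2.0:.1f} proto=icmp src=10.0.0.50 dst=10.0.0.1" for i in range(4)]
)

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_LOG):
        print("ALERT", *alert)
```

With the default thresholds the outside host trips all three alarms and the internal host, which pings one address every two seconds, trips none. Shrinking the window to one second silences every alarm on the same data, which is the tuning trade-off the slides allude to: a short window misses slow scans, a long one risks alarming on legitimate monitoring.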
MITIGATING DOS ATTACKS
One of the first signs of a DoS attack is a large number of user complaints about unavailable resources or unusually slow network performance. A network utilization graph showing unusual activity could indicate a DoS attack. To minimize the number of attacks, a network utilization software package should be running at all times.
Historically, many DoS attacks were sourced from spoofed addresses. Cisco routers and switches support many antispoofing technologies, such as port security, Dynamic Host Configuration Protocol (DHCP) snooping, IP Source Guard, Dynamic Address Resolution Protocol (ARP) Inspection, and access control lists (ACLs).

SECURE THE EDGE ROUTER

SECURE THE NETWORK INFRASTRUCTURE
Securing the network infrastructure is critical to overall network security. The network infrastructure includes routers, switches, servers, endpoints, and other devices.
Routers are a primary target for attacks because these devices direct traffic into, out of, and between networks.

EDGE ROUTER SECURITY APPROACHES
Single Router - A single router connects the protected network, or internal local area network (LAN), to the internet. All security policies are configured on this device.
Defense-in-Depth - This uses multiple layers of security prior to traffic entering the protected LAN. There are three primary layers of defense: the edge router, the firewall, and an internal router that connects to the protected LAN.
DMZ - The DMZ can be used for servers that must be accessible from the internet or another external network. The DMZ can be set up between two routers, with an internal router connecting to the protected network and an external router connecting to the unprotected network.
THREE AREAS OF ROUTER SECURITY
Three areas of router security must be maintained:
Physical - Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel. Install an uninterruptible power supply (UPS) or diesel backup power generator.
Operating System - Configure the router with the maximum amount of memory possible. The availability of memory can help mitigate DoS attacks. Use the latest, stable version of the operating system that meets the feature specifications of the router or network device. Keep a secure copy of router operating system images and router configuration files as backups.
Router Hardening - Ensure that only authorized personnel have access and that their level of access is controlled. Disable unused ports and interfaces. Disable unnecessary services. A router has services that are enabled by default. Some of these services can be used by an attacker to gather information about the router and the network.

SECURE ADMINISTRATIVE ACCESS
Securing administrative access is important. If an unauthorized person gains administrative access to a router, that person could alter routing parameters, disable routing functions, or discover and gain access to other systems within the network.
Several tasks are involved in securing administrative access to an infrastructure device:
Restrict device accessibility
Log and account for all access
Authenticate access
Authorize actions
Present legal notification
Ensure the confidentiality of data

SECURE LOCAL AND REMOTE ACCESS
A router can be accessed for administrative purposes locally or remotely:
Local access - The administrator must have physical access to the router and use a console cable to connect to the console port. Local access is typically used for initial configuration of the device.
Remote access - Although the aux port option is available, the most common remote access method involves allowing Telnet, SSH, HTTP, HTTPS, or SNMP connections to the router from a computer. The computer can be on the local network or a remote network.

CONFIGURE SECURE ADMINISTRATIVE ACCESS


PASSWORDS
Weak Password - Why it is Weak
secret - Simple dictionary password
smith - Maiden name of mother
toyota - Make of a car
bob1967 - Name and birthday of the user
Blueleaf23 - Simple words and numbers
Strong Password - Why it is Strong
b67n42d39c - Combines alphanumeric characters
12^h u4@1p7 - Combines alphanumeric characters, symbols, and includes a space

CONFIGURE PASSWORDS
To secure user EXEC mode access, enter line console configuration mode using the line console 0 global configuration command. Specify the user EXEC mode password using the password password command. Enable user EXEC access using the login command.
To have administrator access to all IOS commands including configuring a device, you must gain privileged EXEC mode access. To secure privileged EXEC access, use the enable secret password global config command.
To secure vty lines, enter line vty mode using the line vty 0 15 global config command. Specify the vty password using the password password command. Enable vty access using the login command.

ENCRYPT PASSWORDS
Strong passwords are only useful if they are secret. There are several steps that can be taken to help ensure that passwords remain secret on a Cisco router and switch including these:
Encrypting all plaintext passwords
Setting a minimum acceptable password length
Deterring brute-force password guessing attacks
Disabling an inactive privileged EXEC mode access after a specified amount of time.

ADDITIONAL PASSWORD SECURITY
To ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length length command in global configuration mode.
Threat actors may use password cracking software to conduct a brute-force attack on a network device. This attack continuously attempts to guess the valid passwords until one works. Use the login block-for seconds attempts number within seconds global configuration command to deter this type of attack.
SECRET PASSWORD ALGORITHMS

MD5 hashes are no longer considered secure because attackers can reconstruct valid certificates. This can allow attackers to spoof any website. The enable secret password uses an MD5 hash by default. It is now recommended that you configure all secret passwords using either type 8 or type 9 passwords. Type 8 and type 9 were introduced in Cisco IOS 15.3(3)M. Type 8 and type 9 use SHA encryption.
To enter an unencrypted password, use the enable algorithm-type command syntax.
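As an added example, not code from the lecture or from Cisco, the following Python builds and verifies type 8 and type 9 secret strings so the difference from a plain MD5 secret is visible. The parameters (PBKDF2-HMAC-SHA-256 with 20000 iterations for type 8, scrypt with N=16384, r=1, p=1 for type 9, a 14-character salt and a custom base64 alphabet) are assumptions taken from public descriptions of the format, the salt and passwords are constructed, and the mapping of type 8 to the sha256 keyword and type 9 to the scrypt keyword of enable algorithm-type is stated from Cisco's documentation rather than from this slide.

```python
import base64
import hashlib
import hmac

# Assumed 64-character alphabet of Cisco type 8/9 strings (from public format descriptions).
CISCO_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_CISCO = str.maketrans(STD_B64, CISCO_B64)

def _encode(raw: bytes) -> str:
    """Standard base64 bit layout, Cisco alphabet, no padding: 32 bytes -> 43 characters."""
    return base64.b64encode(raw).decode().rstrip("=").translate(_TO_CISCO)

def _digest(kind: int, password: str, salt: str) -> bytes:
    pw, s = password.encode(), salt.encode()
    if kind == 8:   # type 8: PBKDF2-HMAC-SHA-256, 20000 iterations (assumed parameters)
        return hashlib.pbkdf2_hmac("sha256", pw, s, 20000, dklen=32)
    if kind == 9:   # type 9: scrypt N=16384, r=1, p=1 (assumed parameters)
        return hashlib.scrypt(pw, salt=s, n=16384, r=1, p=1, dklen=32)
    raise ValueError("only type 8 and type 9 are modelled here")

def make_secret(kind: int, password: str, salt: str) -> str:
    """Build the '$8$salt$hash' or '$9$salt$hash' string that the device would store."""
    if len(salt) != 14 or any(c not in CISCO_B64 for c in salt):
        raise ValueError("salt must be 14 characters from the Cisco alphabet")
    return f"${kind}${salt}${_encode(_digest(kind, password, salt))}"

def check_secret(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a stored type 8/9 secret (constant-time comparison)."""
    _, kind, salt, digest = stored.split("$")
    return hmac.compare_digest(_encode(_digest(int(kind), candidate, salt)), digest)

if __name__ == "__main__":
    salt = "9Q5Kvs4AfPxqYN"           # constructed salt; a device generates its own at random
    for kind in (8, 9):
        secret = make_secret(kind, "Str0ng-P@ss", salt)
        print(secret, check_secret(secret, "Str0ng-P@ss"))
```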

CONFIGURE ENHANCED SECURITY FOR VIRTUAL LOGINS


ENHANCE THE LOGIN PROCESS

Login blocking enables a detection profile that lets you configure a network device to react to repeated failed login attempts by refusing further connection requests.
Access control lists (ACLs) can be used to permit legitimate connections from addresses of known system administrators.
Use the banner global configuration mode command to specify appropriate messages. Banners protect the organization from a legal perspective.

CONFIGURE LOGIN ENHANCEMENT FEATURES

The login block-for command can defend against DoS attacks by disabling logins after a specified number of failed login attempts. The login quiet-mode command maps to an ACL that identifies the permitted hosts. The login delay command specifies the number of seconds the user must wait between unsuccessful login attempts. The login on-success and login on-failure commands log successful and unsuccessful login attempts.
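How login block-for, the quiet-mode ACL and login delay interact, as an added Python model that is not Cisco code: it walks through 'login block-for 120 attempts 3 within 60' with a quiet-mode ACL permitting 10.0.0.0/24. The timeline, addresses and verdict names are constructed for the illustration.

```python
from collections import deque
from ipaddress import ip_address, ip_network

class LoginBlocker:
    """Constructed model of 'login block-for <block> attempts <n> within <window>' together with
    'login quiet-mode access-class' and 'login delay' (illustration only, not Cisco IOS code)."""

    def __init__(self, block_for, attempts, within, delay=1, quiet_acl=()):
        self.block_for, self.attempts, self.within, self.delay = block_for, attempts, within, delay
        self.quiet_acl = [ip_network(n) for n in quiet_acl]  # hosts still admitted in quiet mode
        self.failures = deque()   # timestamps of failed logins inside the watch window
        self.quiet_until = 0.0    # end of the current quiet period, if any
        self.last_attempt = {}    # per-source time of the last attempt (for 'login delay')

    def mode(self, now):
        """'normal' (watch) mode counts failures; 'quiet' mode refuses Telnet/SSH/HTTP logins."""
        return "quiet" if now < self.quiet_until else "normal"

    def attempt(self, now, src, password_ok):
        """Process one login attempt at time `now` and return the verdict the device would give."""
        if self.mode(now) == "quiet" and not any(ip_address(src) in n for n in self.quiet_acl):
            return "denied-quiet-mode"
        if now - self.last_attempt.get(src, float("-inf")) < self.delay:
            return "delayed"      # 'login delay' has not elapsed for this source
        self.last_attempt[src] = now
        if password_ok:
            return "accepted"
        self.failures.append(now)
        while now - self.failures[0] > self.within:   # drop failures outside the watch window
            self.failures.popleft()
        if len(self.failures) >= self.attempts:        # threshold reached: start quiet period
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return "rejected-quiet-mode-on"
        return "rejected"

def demo():
    """Walk through 'login block-for 120 attempts 3 within 60' with a quiet-mode ACL for 10.0.0.0/24."""
    dev = LoginBlocker(block_for=120, attempts=3, within=60, quiet_acl=["10.0.0.0/24"])
    timeline = [(0, "203.0.113.9", False), (2, "203.0.113.9", False), (4, "203.0.113.9", False),
                (5, "203.0.113.9", True), (6, "10.0.0.5", True), (125, "203.0.113.9", True)]
    return [(t, dev.attempt(t, src, ok), dev.mode(t)) for t, src, ok in timeline]

if __name__ == "__main__":
    for step in demo():
        print(step)
```

Note that the attacker's correct password at t=5 is still refused because the device is in quiet mode, while the administrator inside the ACL gets through.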

ENABLE LOGIN ENHANCEMENTS

To help a Cisco IOS device provide DoS detection, use the login block-for command, which must be issued before any other login command. The login block-for command monitors login device activity and operates in two modes:
- Normal mode - Also called watch mode, the router keeps count of the number of failed login attempts within an identified amount of time.
- Quiet mode - Also called the quiet period. If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied for the time specified in the login block-for command.

LOG FAILED ATTEMPTS

There are three commands that can be configured to help an administrator detect a password attack. Each lets a device generate syslog messages for failed or successful login attempts. The first two commands, login on-success log and login on-failure log, generate syslog messages for successful and unsuccessful login attempts. An alternative to the login on-failure log command is the security authentication failure rate command, which can be configured to generate a log message when the login failure rate is exceeded.
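What an administrator can do with those syslog messages once they reach a collector, as an added Python example that is not from the lecture: it parses %SEC_LOGIN lines, summarises failures per source and applies the same failure-rate idea as the security authentication failure rate command. The sample lines are constructed in the shape of the login on-failure log and login on-success log messages, not captured from a real device, and the year is assumed because syslog stamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of %SEC_LOGIN syslog messages (not from a real device).
SAMPLE_LOG = """\
Mar  1 10:00:01 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:05 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:09 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:01:00 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:01:07 R1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] [localport: 22]
Mar  1 10:00:00 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed]
Mar  1 10:30:00 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ %SEC_LOGIN-\d-"
                     r"(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): .*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")

def parse_events(log, year=2024):
    """Yield (timestamp, event, user, source) per %SEC_LOGIN line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{' '.join(m['ts'].split())} {year}", "%b %d %H:%M:%S %Y")
            yield ts, m["event"], m["user"], m["src"]

def failures_by_source(log):
    """Per-source count, usernames tried and last failure time of LOGIN_FAILED events."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "last": None})
    for ts, event, user, src in parse_events(log):
        if event == "LOGIN_FAILED":
            s = summary[src]
            s["count"] += 1
            s["users"].add(user)
            s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(summary)

def attack_sources(log, threshold=3, window=60):
    """Sources reaching `threshold` failures inside any `window` seconds: the failure-rate
    idea behind 'security authentication failure rate', applied to collected logs."""
    stamps = defaultdict(list)
    for ts, event, _, src in parse_events(log):
        if event == "LOGIN_FAILED":
            stamps[src].append(ts)
    flagged = []
    for src, times in stamps.items():
        times.sort()
        lo = 0                                   # sliding window over sorted timestamps
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)
```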


LOG FAILED ATTEMPTS

Use the show login command to verify the login block-for command settings and current mode.
The show login failures command displays additional information regarding the failed attempts, such as the IP address from which the failed login attempts originated.

CONFIGURE SSH



ENABLE SSH

Configure a Cisco device to support SSH using the following six steps:
Step 1. Configure a unique device hostname.
Step 2. Configure the IP domain name.
Step 3. Generate a key to encrypt SSH traffic.
Step 4. Verify or create a local database entry.
Step 5. Authenticate against the local database.
Step 6. Enable vty inbound SSH sessions.

ENHANCE SSH LOGIN SECURITY

Use the ip ssh time-out seconds global configuration mode command to modify the default 120-second timeout interval. This configures the number of seconds that SSH can use to authenticate a user.
By default, a user logging in has three attempts to enter the correct password before being disconnected. To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer global configuration mode command.
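An added Python check, not from the lecture or from Cisco, that audits a running-config excerpt for the six SSH steps and for the ip ssh time-out and ip ssh authentication-retries settings above. The two config excerpts and hostnames are constructed, the secret string is a placeholder, the ip ssh version 2 check is included from Cisco's documentation rather than from this slide, and step 3 (the RSA key) is not checked because the key does not appear in the running-config text.

```python
import re

# Constructed running-config excerpts (not from the lecture): one that follows the six SSH
# steps plus the ip ssh hardening commands, one still relying on Telnet and plaintext passwords.
HARDENED_CFG = """\
hostname R1
ip domain-name example.com
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
username admin secret 9 $9$EXAMPLE-SALT$EXAMPLE-HASH-PLACEHOLDER
line vty 0 15
 login local
 transport input ssh
"""
WEAK_CFG = """\
hostname Router
username admin password cisco123
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

def has(pattern, text):
    return re.search(pattern, text, re.M) is not None   # whole-line match anywhere in text

def vty_block(cfg):
    """Indented body of the 'line vty' section ('' if there is none)."""
    m = re.search(r"^line vty .*\n((?: .*\n?)*)", cfg, re.M)
    return m.group(1) if m else ""

def setting(cfg, cmd):
    """Integer argument of a global 'cmd <n>' line, or None when the default is in force."""
    m = re.search(rf"^{cmd} (\d+)$", cfg, re.M)
    return int(m.group(1)) if m else None

CHECKS = {   # step 3 (the RSA key) is not visible in the running-config text, so it is not checked
    "step1 unique hostname":         lambda c: has(r"^hostname (?!Router$|Switch$)\S+$", c),
    "step2 ip domain name":          lambda c: has(r"^ip domain[- ]name \S+$", c),
    "step4 local user with secret":  lambda c: has(r"^username \S+ secret ", c),
    "step5 vty login local":         lambda c: has(r"^ login local$", vty_block(c)),
    "step6 vty transport input ssh": lambda c: has(r"^ transport input ssh$", vty_block(c)),
    "ip ssh version 2":              lambda c: has(r"^ip ssh version 2$", c),
    "ip ssh time-out below 120 s":   lambda c: (setting(c, "ip ssh time-out") or 120) < 120,
    "ip ssh retries below 3":        lambda c: (setting(c, "ip ssh authentication-retries") or 3) < 3,
}

def audit(cfg):
    """Map each check to True (configured as the slides advise) or False (needs attention)."""
    return {name: check(cfg) for name, check in CHECKS.items()}
```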


CONNECT A ROUTER TO AN SSH-ENABLED ROUTER

To verify the status of the client connections, use the show ssh command. There are two different ways to connect to an SSH-enabled router. By default, when SSH is enabled, a Cisco router can act as an SSH server or SSH client. As a server, a router can accept SSH client connections. As a client, a router can connect via SSH to another SSH-enabled router.

PACKET TRACER - CONFIGURE SECURE PASSWORDS AND SSH

The network administrator has asked you to prepare RTA and SW1 for deployment. Before they can be connected to the network, security measures must be enabled.
4.4.8 Packet Tracer - Configure Secure Passwords and SSH

QUESTIONS & ANSWERS

Nguyen Minh Tri


Email: ngmtri@[Link]
Department of Telecommunications Networks
Faculty of Electronics Telecommunications
University of Science Vietnam National University Ho Chi Minh City
