Mitigating Network Threats
- Explain general methods to mitigate common security threats to network devices, hosts, and applications
- Describe the functions of common security appliances and applications
- Describe security recommended practices including initial steps to secure network devices
By definition, to mitigate is to lessen in force or intensity. Now that you are familiar with the various classes of attack, let’s discuss what actions you can take to lessen the impact of an attack on a network. Keep in mind that we already went over some common mitigation techniques, such as password integrity, password encryption, TCP intercept, and no ip directed-broadcast. We will continue this chapter with a general overview of additional recommended practices and security measures. Our discussion includes the following mitigation techniques:
- Authentication, Authorization, and Accounting (AAA)
- Cisco access control lists (ACLs)
- Cisco Internetwork Operating System (IOS) secure management features
- Encryption protocols
- Security appliances and applications
Commonly called “triple A,” AAA is a group of three services that are used to increase network security:
- Authentication: Identifies a user by login and password.
- Authorization: Determines what a user is allowed to do.
- Accounting: Assembles and sends usage information (such as logging).
AAA works in conjunction with TACACS or RADIUS to provide a secure network connection with a record of user activities.
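As an added example (not from the book), the following Cisco IOS configuration enables all three AAA services against a TACACS+ server, with the local user database as a fallback so the device is still reachable if the server is down. The server address, group name, shared key and local credentials are placeholders.

```cisco
! Added example: AAA (authentication, authorization, accounting) with TACACS+
! Values below are placeholders, not from the book.
! Local fallback account, used only when no TACACS+ server answers
username admin privilege 15 secret ExampleLocalPass1
! Turn on the AAA framework (replaces the old line-based login model)
aaa new-model
! Define the TACACS+ server and the shared key that protects the exchange
tacacs server TAC1
 address ipv4 192.0.2.10
 key ExampleSharedSecret1
aaa group server tacacs+ TAC-GROUP
 server name TAC1
! Authentication: who the user is (server first, local database as fallback)
aaa authentication login default group TAC-GROUP local
! Authorization: what the user may do once logged in
aaa authorization exec default group TAC-GROUP local
! Accounting: record sessions and privileged commands on the server
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
```

The `local` keyword at the end of the authentication and authorization lines is the part worth checking in any deployment: without it, a loss of connectivity to the TACACS+ server locks administrators out of the device. The accounting lines are what produce the "record of user activities" the text refers to.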
An access list is an ordered list of permit and deny statements that can be applied on a Cisco device to effectively determine whether a packet will be permitted or denied access to the network. A properly configured access list can help block most of the attack methods described in this chapter:
- IP spoofing
- TCP SYN attacks
- Smurf attacks
- ICMP and traceroute
Chapter 19, “Using Cisco Access Lists,” provides a detailed explanation of ACLs and their functionality.
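To show how an ordered list of permit and deny statements addresses the attacks listed above, here is an added example (not from the book) of an extended ACL applied inbound on an Internet-facing interface. It assumes a hypothetical internal network of 192.168.1.0/24 behind interface GigabitEthernet0/0; both are placeholders.

```cisco
! Added example: inbound ACL on the outside interface (placeholders throughout)
ip access-list extended OUTSIDE-IN
 remark IP spoofing: packets from the Internet must not claim an internal or reserved source
 deny   ip 192.168.1.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Smurf: drop ICMP echo requests aimed at the internal broadcast address
 deny   icmp any host 192.168.1.255 echo
 remark ICMP and traceroute: allow only the replies troubleshooting needs, block the rest
 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
 permit icmp any 192.168.1.0 0.0.0.255 unreachable
 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
 deny   icmp any any
 remark TCP SYN: only accept TCP segments that belong to sessions started from inside
 permit tcp any 192.168.1.0 0.0.0.255 established
 remark Everything else hits this explicit deny (an implicit deny would drop it silently)
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside (Internet-facing)
 ip access-group OUTSIDE-IN in
```

Because the list is evaluated top to bottom and stops at the first match, the anti-spoofing denies must come before any permit. The `established` keyword matches only segments with the ACK or RST bit set, so unsolicited SYNs from outside never reach internal hosts; the final `deny ip any any log` makes dropped traffic visible in syslog instead of disappearing into the implicit deny.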
Cisco IOS Secure Management Features
I mentioned earlier that it is the responsibility of the network administrator to configure Cisco equipment with a new password before deployment. You can take this a step further by performing some initial steps to secure Cisco equipment within the IOS. Configuring the following features on your Cisco device helps create a secure network environment:
- Secure Shell (SSH)
- Simple Network Management Protocol (SNMP)
- Syslog
- Network Time Protocol (NTP)
SSH is a data transmission protocol that uses strong authentication and an encrypted tunnel to ensure secure communications between an SSH client and the SSH server. SSH uses TCP port number 22 for connectivity.
SNMP is a management protocol used to monitor network devices and manage their configurations; it collects statistics that help analyze network performance and verify network security. It is best to use SNMP version 3, which provides cryptographic authentication and management traffic encryption. SNMP uses UDP port number 161 for connectivity.
With syslog, log messages are collected from the Cisco device and sent to a syslog server to keep a record of network events. For syslog to work properly, NTP must be configured so that every message carries an accurate timestamp. Each logged message has an associated severity level. Syslog uses UDP port number 514 for connectivity. Table 4.3 lists the severity levels in order, with 0 representing the most critical message.
NTP is a protocol that synchronizes clocks on the local network to provide accurate local time on the user system. As with SNMP version 3, NTP version 3 is preferred because of the ability to provide cryptographic authentication and management traffic encryption. NTP uses UDP port number 123 for connectivity.
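The four features above, configured together as an added example (not from the book). Host names, addresses, keys and passwords are placeholders; the management subnet 192.168.1.0/24 and the server addresses are assumed.

```cisco
! Added example: initial steps to secure a Cisco IOS device (placeholders throughout)
hostname R1
ip domain-name example.com
! --- SSH: encrypted management access on TCP 22, Telnet disabled ---
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret ExampleLocalPass1
ip access-list standard MGMT-HOSTS
 permit 192.168.1.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 login local
 access-class MGMT-HOSTS in
 exec-timeout 10 0
! --- SNMPv3: authenticated (SHA) and encrypted (AES-128) polling on UDP 161 ---
snmp-server group MONITOR-V3 v3 priv
snmp-server user nmsuser MONITOR-V3 v3 auth sha ExampleAuthPass1 priv aes 128 ExamplePrivPass1
snmp-server host 192.168.1.50 version 3 priv nmsuser
! --- Syslog: timestamped messages of severity 6 (informational) and above to UDP 514 ---
service timestamps log datetime msec localtime show-timezone
logging host 192.168.1.60
logging trap informational
logging buffered 16384 warnings
! --- NTP: authenticated time source on UDP 123 so log timestamps can be trusted ---
ntp authentication-key 1 md5 ExampleNtpKey1
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.70 key 1
```

Two checks are worth making after applying this: `show ip ssh` should report version 2 with no SSHv1 fallback, and `show ntp status` should show the clock synchronized before you rely on syslog timestamps for incident timelines. The `snmp-server group ... v3 priv` line is what forces encryption; a group created with `noauth` or `auth` would still send management data in the clear.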
Data left in clear-text format can be read easily by internal or external threats to a network. To help prevent an attack, it is important to encrypt or encode data. Here are three key encryption protocols:
- SSH: A data transmission protocol that uses strong authentication and an encrypted tunnel to ensure secure communications between an SSH client and the SSH server.
- Internet Protocol Security (IPsec): Consists of a set of protocols that were developed to secure the transfer of packets above the Network layer (Layer 3) of the OSI model.
- Secure Sockets Layer (SSL): A protocol that provides a secure channel between two devices at the Application layer (Layer 7) of the OSI model. Asymmetric encryption and certificates are used to exchange a session key. Data is encrypted using that key and a block cipher. HTTPS is an example of an SSL secure transaction.
Security Appliances and Applications
The following are security devices used to mitigate security vulnerabilities:
- Firewall: A firewall can be either software or hardware that is installed to separate a trusted network from a less-trusted network, such as the Internet.
- Intrusion Prevention System (IPS): IPS is an active device that is inline with the traffic path on a network. An IPS listens promiscuously to all incoming traffic to identify attacks. It works with the firewall to modify rule templates to block traffic from the attacker address(es) while the attack is still in progress.
- Intrusion Detection System (IDS): IDS is a passive device that may not be inline with the traffic path on a network. An IDS also listens promiscuously to all incoming traffic to record and generate alerts and issue TCP resets if necessary.
Because so many possible mitigation techniques exist, let’s go over them all in a quick review. Table 4.4 lists and describes each method.