CH4 CS Lecture

Download as pptx, pdf, or txt
Download as pptx, pdf, or txt
You are on page 1of 61

Chapter 4:

Network Security

Networking Security
Introduction
Network security is a crucial aspect of information
technology that involves the implementation of
measures to protect data during transmission and
prevent unauthorized access to computer networks.
Here are some fundamental concepts and practices
related to network security:
Cont’d..
1. Firewalls:
• Definition: Firewalls act as a barrier between your secure internal network and
untrusted external networks (like the internet).
• Functionality: Firewalls monitor and control incoming and outgoing network
traffic based on predetermined security rules.
2. Encryption:
• Definition: Encryption is the process of converting data into a code to prevent
unauthorized access.
• Functionality: It ensures that even if unauthorized parties gain access to the data,
they cannot understand it without the correct decryption key.
Cont’d..
3. Virtual Private Network (VPN):
• Definition: A VPN is a secure tunnel between two or more devices
that encrypts the data passing through it.
• Functionality: It provides a secure connection over the internet,
allowing users to access a private network from a remote location.
4. Intrusion Detection and Prevention Systems (IDPS):
• Definition: IDPS tools monitor network and/or system activities
for malicious exploits or security policy violations.
• Functionality: They can alert system administrators or take
preventive actions to stop security incidents.
Cont’d
5. Authentication and Authorization:
• Authentication: Verifying the identity of users, systems, or
applications.
• Authorization: Granting or denying access rights to resources
based on the authenticated user's credentials.
6. Security Patches and Updates:
• Definition: Regularly updating software and systems to fix known
vulnerabilities.
• Functionality: This helps in protecting against exploits that take
advantage of software vulnerabilities.
Cont’d..
7. Security Policies:
• Definition: Clearly defined rules and guidelines for the secure use
of a network and its resources.
• Functionality: Security policies guide the behavior of users and
administrators to ensure the security of the network.
8. Network Segmentation:
• Definition: Dividing a computer network into subnetworks to
improve performance, security, and maintainability.
• Functionality: It limits the scope of potential security breaches and
contains the damage if a breach occurs.
Cont’d..
9. Security Audits and Monitoring:
• Security Audits: Regularly reviewing and assessing the security
measures in place.
• Monitoring: Continuously observing network activities for signs of
potential security threats.
10. Phishing Protection:
• Definition: Phishing involves attempts to trick individuals into
providing sensitive information.
• Functionality: Anti-phishing measures, such as email filtering,
educate users to recognize and avoid phishing attempts.
Cont’d..
11. Antivirus Software:
• Definition: Software designed to detect and remove malicious
software (malware).
• Functionality: Antivirus tools scan files and programs for known
patterns of harmful code.
12. Incident Response Plan:
• Definition: A documented set of procedures to address and manage
security incidents.
• Functionality: It ensures a coordinated and effective response to
security breaches.
Cont’d..
13. User Education and Training:
• Definition: Training users to be security-aware and to follow best practices.
• Functionality: Educated users are less likely to fall victim to social engineering attacks
and are more likely to follow secure practices.
14. Backup and Recovery:
• Definition: Regularly backing up critical data and having a recovery plan in case of data
loss.
• Functionality: It helps mitigate the impact of data breaches or system failures.
 Implementing a comprehensive network security strategy involves a combination of these
measures to create layers of defense, often referred to as defense-in-depth. The goal is to
create a resilient and secure network environment that protects sensitive information and
ensures the integrity and availability of network resources.
Network Threats

Networking Security
Who is Attacking Our Network?
Hacker vs. Threat Actor

As we know, “hacker” is a common term used to describe a threat actor. The term “hacker”
has a variety of meanings, as follows:

• A clever programmer capable of developing new programs and coding changes to existing
programs to make them more efficient.
• A network professional that uses sophisticated programming skills to ensure that networks
are not vulnerable to attack.
• A person who tries to gain unauthorized access to devices on the internet.
• An individual who runs programs to prevent or slow network access to many users, or to
corrupt or destroy data on servers.

You may see references to white hat, gray hat, and black hat hackers.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
Who is Attacking Our Network?
Cybercriminals

Cybercriminals are threat actors


who are motivated to make money
using any means necessary.

• While some cybercriminals


work independently, they are
more often financed and
sponsored by criminal
organizations.
• It is estimated that globally,
cybercriminals steal billions of
dollars from consumers and
businesses every year.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
Who is Attacking Our Network?
Cybersecurity Tasks

Organizations must act to protect their assets, users, and customers. They must
develop and practice cybersecurity tasks, including the following:

• Use a trustworthy IT vendor


• Keep security software up-to-date
• Perform regular penetration tests
• Back up to cloud and hard disk
• Periodically change WIFI password
• Keep security policy up-to-date
• Enforce use of strong passwords
• Use two factor authentication

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
Threat Actor Tools
Introduction of Attack Tools

To exploit a vulnerability, a threat actor must have a technique or tool. Over the years, attack
tools have become more sophisticated, and highly automated. These new tools require less
technical knowledge to implement.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
Threat Actor Tools
Evolution of Security Tools
Ethical hacking uses many different types of tools to test the network and end devices. To validate the security of
a network and its systems, many network penetration testing tools have been developed. However, many of
these tools can also be used by threat actors for exploitation.
Categories of Tools Description
password crackers Passwords are the most vulnerable security threat. Password cracking tools are often referred to as password
recovery tools and can be used to crack or recover the password. Password crackers repeatedly make guesses
in order to crack the password and access the system. Examples of password cracking tools include John the
Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.

wireless hacking tools Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to
intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools
include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
network scanning and hacking Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports.
tools Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
packet crafting tools Packet crafting tools are used to probe and test a firewall’s robustness using specially crafted forged packets.
Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
packet sniffers Packet sniffer tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools
include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
rootkit detectors A rootkit detector is a directory and file integrity checker used by white hat hackers to detect installed root kits.
Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
Threat Actor Tools
Categories of Attacks
Category of Attack Description
eavesdropping attack An eavesdropping attack is when a threat actor captures and listens to network traffic. This attack is also referred
to as sniffing or snooping.
data modification Data modification attacks occur when a threat actor has captured enterprise traffic and has altered the data in the
attack packets without the knowledge of the sender or receiver.
IP address spoofing An IP address spoofing attack is when a threat actor constructs an IP packet that appears to originate from a
attack valid address inside the corporate intranet.

password-based Password-based attacks occur when a threat actor obtains the credentials for a valid user account. Threat actors
attacks then use that account to obtain lists of other users and network information. They could also change server and
network configurations, and modify, reroute, or delete data.
denial-of-service (DoS) A DoS attack prevents normal use of a computer or network by valid users. After gaining access to a network, a
attack DoS attack can crash applications or network services. A DoS attack can also flood a computer or the entire
network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which
results in a loss of access to network resources by authorized users.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
Threat Actor Tools
Categories of Attacks (Cont.)
Category of Description
Attack
man-in-the-middle A MiTM attack occurs when threat actors have positioned themselves between a source and destination. They
attack (MiTM) can now actively monitor, capture, and control the communication transparently.

Compromised key A compromised key attack occurs when a threat actor obtains a secret key. This is referred to as a compromised
attack key. A compromised key can be used to gain access to a secured communication without the sender or receiver
being aware of the attack.
sniffer attack A sniffer is an application or device that can read, monitor, and capture network data exchanges and read
network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet.
Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted, and the threat
actor does not have access to the key.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
Malware
Types of Malware

Malware is short for malicious software or malicious code. It is code or software that is specifically
designed to damage, disrupt, steal, or generally inflict some other “bad” or illegitimate action on
data, hosts, or networks.

End devices are especially prone to malware attacks.

Three most common types of malware are:


• virus
• worm
• Trojan horse

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
Malware
Viruses

A virus is a type of malware that spreads by inserting a copy of itself into another program. After
the program is run, viruses then spread from one computer to another, infecting the computers.
Most viruses require human help to spread.

A simple virus may install itself at the first line of code in an executable file. When activated, the
virus might check the disk for other executables so that it can infect all the files it has not yet
infected.

Viruses can also be programmed to mutate to avoid detection.

Most viruses are now spread by USB memory drives, CDs, DVDs, network shares, and email.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
Malware
Trojan Horses

Trojan horse malware is software that appears to be legitimate, but it contains malicious code
which exploits the privileges of the user who runs it.

Often, Trojans are found attached to online games. Users are commonly tricked into loading and
executing the Trojan horse on their systems. While playing the game, the user will not notice a
problem. In the background, the Trojan horse has been installed on the user’s system. The
malicious code from the Trojan horse continues operating even after the game has been closed.

The Trojan horse concept is flexible. It can cause immediate damage, provide remote access to
the system, or access through a back door. It can also perform actions as instructed remotely,
such as "send me the password file once per week."

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
Malware
Trojan Horse Classification
Trojan horses are usually classified according to the damage that they cause, or the manner in
which they breach a system, as shown in the table.

Type of Trojan Horse Description


Remote-access Enables unauthorized remote access.
Data-sending Provides the threat actor with sensitive data, such as passwords.
Destructive Corrupts or deletes files.
Proxy Uses the victim's computer as the source device to launch attacks and perform
other illegal activities.
FTP Enables unauthorized file transfer services on end devices.
Security software disabler Stops antivirus programs or firewalls from functioning.
Denial of Service (DoS) Slows or halts network activity.
Keylogger Actively attempts to steal confidential information, such as credit card numbers, by
recording keystrokes that have been entered into a web form.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
Malware
Worms
Computer worms are like viruses because they replicate and can cause the same type of damage.
Specifically, worms replicate themselves by independently exploiting vulnerabilities in networks.
Worms can slow down networks as they spread from system to system.

SQL Slammer, known as the worm that ate the internet, was a denial of service (DoS) attack that
exploited a buffer overflow bug in Microsoft’s SQL Server. At its peak, the number of infected
servers doubled in size every 8.5 seconds. It infected 250,000+ hosts within 30 minutes, as shown
in the figure.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
Malware
Worm Components

Most worm attacks consist of three components:

•Enabling vulnerability - A worm installs itself using an exploit mechanism, such as an


email attachment, an executable file, or a Trojan horse, on a vulnerable system.
•Propagation mechanism - After gaining access to a device, the worm replicates itself
and locates new targets.
•Payload - Any malicious code that results in some action is a payload. Most often this is
used to create a backdoor that allows a threat actor access to the infected host or to create
a DoS attack.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
Malware
Worm Components (Cont.)

The propagation technique used by


the Code Red worm is shown in the
figure.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
Malware
Ransomware

Currently, the most dominant malware is ransomware.

• Ransomware is malware that denies access to the infected computer system or its
data. The cybercriminals then demand payment to release the computer system.
• Ransomware has evolved to become the most profitable malware type in history.
• There are dozens of ransomware variants.
• Ransomware frequently uses an encryption algorithm to encrypt system files and data.
• Payments are typically paid in Bitcoin because users of bitcoin can remain
anonymous.
• Email and malicious advertising, also known as malvertising, are vectors for
ransomware campaigns.
• Social engineering is also used.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
Malware
Other Malware
These are some examples of the varieties of modern malware:
Type of Malware Description
Spyware Used to gather information about a user and send the information to another entity without the user’s
consent. Spyware can be a system monitor, Trojan horse, Adware, tracking cookies, and key loggers.
Adware Displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests
by tracking the websites visited. It can then send pop-up advertising pertinent to those sites.
Scareware Includes scam software which uses social engineering to shock or induce anxiety by creating the
perception of a threat. It is generally directed at an unsuspecting user and attempts to persuade the
user to infect a computer by taking action to address the bogus threat.

Phishing Attempts to convince people to divulge sensitive information. Examples include receiving an email from
their bank asking users to divulge their account and PIN numbers.
Rootkits Installed on a compromised system. After it is installed, it continues to hide its intrusion and provide
privileged access to the threat actor.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Malware
Common Malware Behaviors

Computers infected with malware often exhibit one or more of the following symptoms:
• Appearance of strange files, programs, or desktop icons
• Antivirus and firewall programs are turning off or reconfiguring settings
• Computer screen is freezing or system is crashing
• Emails are spontaneously being sent to your contact list without your knowledge
• Files have been modified or deleted
• Increased CPU and/or memory usage
• Problems connecting to networks
• Slow computer or web browser speeds
• Unknown processes or services running
• Unknown TCP or UDP ports open
• Connections are made to hosts on the internet without user action
• Other strange computer behavior

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Types of Network Attacks

To mitigate attacks, it is useful to first categorize the various types of attacks. By


categorizing network attacks, it is possible to address types of attacks rather than
individual attacks.

Although there is no standardized way of categorizing network attacks, the method used
in this course classifies attacks in three major categories.
• Reconnaissance Attacks
• Access Attacks
• DoS Attacks

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Reconnaissance Attacks
Reconnaissance is information gathering. Threat actors use reconnaissance (or recon) attacks to do
unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede
access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct
reconnaissance attacks are described in the table.
Technique Description
Perform an information query of a target The threat actor is looking for initial information about a target. Various tools can be used,
including the Google search, organizations website, whois, and more.
Initiate a ping sweep of the target network The information query usually reveals the target’s network address. The threat actor can now
initiate a ping sweep to determine which IP addresses are active.
Initiate a port scan of active IP addresses This is used to determine which ports or services are available. Examples of port scanners
include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Run vulnerability scanners This is to query the identified ports to determine the type and version of the application and
operating system that is running on the host. Examples of tools include Nipper, Secuna PSI,
Core Impact, Nessus v6, SAINT, and Open VAS.
Run exploitation tools The threat actor now attempts to discover vulnerable services that can be exploited. A variety
of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social
Engineer Toolkit, and Netsparker.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and
web services. The purpose of this type of attack is to gain entry to web accounts,
confidential databases, and other sensitive information.
Technique Description
Password Attacks In a password attack, the threat actor attempts to discover critical system passwords using various
methods.
Spoofing Attacks In spoofing attacks, the threat actor’s device attempts to pose as another device by falsifying data.
Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.
Trust Exploitation In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system,
possibly compromising the target.
Port redirection In a port redirection attack, a threat actor uses a compromised system as a base for attacks against
other targets.

Man-in-the-Middle In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in order to
read or modify the data that passes between the two parties.

Buffer Overflow Attack In a buffer overflow attack, the threat actor exploits the buffer memory and overwhelms it with
unexpected values. This usually renders the system inoperable, resulting in a DoS attack.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Social Engineering Attacks
Social engineering is an access attack that attempts to manipulate individuals into performing actions or
divulging confidential information. Information about social engineering techniques is shown in the table.
Social Engineering Description
Attack
Pretexting A threat actor pretends to need personal or financial data to confirm the identity of the recipient.
Phishing A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the
recipient into installing malware on their device, or to share personal or financial information.
Spear phishing A threat actor creates a targeted phishing attack tailored for a specific individual or organization.
Spam Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive
content.
Something for Sometimes called “Quid pro quo”, this is when a threat actor requests personal information from a party in
Something exchange for something such as a gift.
Baiting A threat actor leaves a malware-infected flash drive in a public location. A victim finds the drive and
unsuspectingly inserts it into their laptop, unintentionally installing malware.
Impersonation In this type of attack, a threat actor pretends to be someone else to gain the trust of a victim.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
DoS and DDoS Attacks

A Denial of Service (DoS) attack creates some sort of interruption of network services
to users, devices, or applications.
A Distributed DoS Attack (DDoS) is like a DoS attack, but it originates from multiple,
coordinated sources.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Buffer Overflow Attack

The goal of a threat actor when using a buffer


overflow DoS attack is to find a system memory-
related flaw on a server and exploit it. Exploiting
the buffer memory by overwhelming it with
unexpected values usually renders the system
inoperable, creating a DoS attack.

It is estimated that one third of malicious attacks


are the result of buffer overflows.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
Integrity and Authenticity
Secure Communications
These are the four elements of secure communications:

• Data Integrity - Guarantees that the message was not altered. Any changes to data in transit will be
detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3).
The MD5 message digest algorithm is still widely in use. However, it is inherently insecure and creates
vulnerabilities in a network. Note that MD5 should be avoided.

• Origin Authentication - Guarantees that the message is not a forgery and does actually come from
whom it states. Many modern networks ensure authentication with algorithms such as hash-based
message authentication code (HMAC).

• Data Confidentiality - Guarantees that only authorized users can read the message. If the message is
intercepted, it cannot be deciphered within a reasonable amount of time. Data confidentiality is
implemented using symmetric and asymmetric encryption algorithms.

• Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a
message sent. Nonrepudiation relies on the fact that only the sender has the unique characteristics or
signature for how that message is treated.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
Integrity and Authenticity
Cryptographic Hash Functions

Hashes are used to verify and ensure data integrity. Hashing is


based on a one-way mathematical function that is relatively
easy to compute, but significantly harder to reverse.

As shown in the figure, a hash function takes a variable block


of binary data, called the message, and produces a fixed-
length, condensed representation, called the hash. The
resulting hash is also sometimes called the message digest,
digest, or digital fingerprint.

With hash functions, it is computationally infeasible for two


different sets of data to come up with the same hash output.
Cryptographic hash values are often called “digital fingerprints”.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
Integrity and Authenticity
Cryptographic Hash Operation

Mathematically, the equation h= H(x) is used to explain how a hash algorithm operates.
As shown in the figure, a hash function H takes an input x and returns a fixed-size string
hash value h.

The example in the figure summarizes the mathematical process. A cryptographic hash
function should have the following properties:
• The input can be any length.
• The output is always a fixed length.
• H(x) is relatively easy to compute for any given
x.
• H(x) is one way and not reversible.
• H(x) is collision free, meaning that two different
input values will result in different hash values.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
Integrity and Authenticity
MD5 and SHA

Hash functions are used to ensure the integrity of a message. They help ensure data has
not accidentally changed and that what was sent is indeed what was received.

There are four well-known hash functions:


• MD5 with 128-bit digest
• SHA-1
• SHA-2
• SHA-3

While hashing can be used to detect accidental changes, it cannot be used to guard against
deliberate changes that are made by a threat actor. Therefore, hashing is vulnerable to man-in-
the-middle attacks and does not provide security to transmitted data. To provide integrity against
man-in-the-middle attacks, origin authentication is also required.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37
Confidentiality
Data Confidentiality
Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced
Encryption Standard (AES) are based on the premise that each communicating party knows the
pre-shared key.

Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir,
and Adleman (RSA) and the public key infrastructure (PKI).

The figure highlights some differences between symmetric and asymmetric encryption

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38
Confidentiality
Symmetric Encryption
Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-shared key, also
called a secret key, is known by the sender and receiver before any encrypted communications can take
place.

In the figure, Alice and Bob have identical keys to a single padlock. These keys were exchanged prior to
sending any secret messages. Alice writes a secret message and puts it in a small box that she locks using
the padlock with her key. She mails the box to Bob. The message is safely locked inside the box as the box
makes its way through the post office system. When Bob receives the box, he uses his key to unlock the
padlock and retrieve the message. Bob can use the same box and padlock to send a secret reply back to
Alice.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39
Confidentiality
Symmetric Encryption (Cont.)
Symmetric encryption algorithms are sometimes classified as either a block cipher or a stream cipher.

Block ciphers transform a fixed-length block of plaintext into a common block of ciphertext of 64 or 128 bits.
Common block ciphers include DES with a 64-bit block size and AES with a 128-bit block size.

Stream ciphers encrypt plaintext one byte or one bit at a time. Stream ciphers are basically a block cipher
with a block size of one byte or bit. Stream ciphers are typically faster than block ciphers because data is
continuously encrypted.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
Confidentiality
Symmetric Encryption (Cont.)
Well-known symmetric encryption algorithms are described in the table.
Symmetric Encryption Algorithms Description
Data Encryption Standard (DES) This is a legacy symmetric encryption algorithm. It uses a short key length that makes it
insecure for most current uses.
3DES (Triple DES) The is the replacement for DES and repeats the DES algorithm process three times. It
should be avoided if possible as it is scheduled to be retired in 2023. If implemented, use
very short key lifetimes.

Advanced Encryption Standard (AES) AES is a popular and recommended symmetric encryption algorithm. It offers
combinations of 128-, 192-, or 256-bit keys to encrypt 128, 192, or 256 bit-long data
blocks.

Software-Optimized Encryption Algorithm (SEAL) SEAL is a faster alternative symmetric encryption algorithm to AES. SEAL is a stream
cypher that uses a 160-bit encryption key and has a lower impact on the CPU compared
to other software-based algorithms.

Rivest ciphers (RC) series algorithms This algorithm was developed by Ron Rivest. Several variations have been developed, but
RC4 was the most prevalent in use. RC4 is a stream cipher that was used to secure web
traffic. It has been found to have multiple vulnerabilities which have made it insecure.
RC4 should not be used.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41
Confidentiality
Asymmetric Encryption
Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for encryption
is different from the key that is used for decryption, as shown in the figure. The decryption key cannot, in any
reasonable amount of time, be calculated from the encryption key and vice versa.

Examples of protocols that use asymmetric key algorithms include:

• Internet Key Exchange (IKE) - This is a fundamental component of IPsec VPNs.


• Secure Socket Layer (SSL) - This is now implemented as IETF standard Transport Layer Security
(TLS).
• Secure Shell (SSH) - This protocol provides a secure remote access connection to network devices.
• Pretty Good Privacy (PGP) - This computer program provides cryptographic privacy and
authentication. It is often used to increase the security of email communications.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42
Confidentiality
Asymmetric Encryption (Cont.)
Asymmetric Encryption Key Length Description
Algorithm
Diffie-Hellman (DH) 512, 1024, The Diffie-Hellman algorithm allows two parties to agree on a key that they can use to encrypt messages
2048, 3072, they want to send to each other. The security of this algorithm depends on the assumption that it is easy
4096 to raise a number to a certain power, but difficult to compute which power was used given the number
and the outcome.
Digital Signature Standard (DSS) 512 - 1024 DSS specifies DSA as the algorithm for digital signatures. DSA is a public key algorithm based on the
and Digital Signature Algorithm ElGamal signature scheme. Signature creation speed is similar to RSA, but is 10 to 40 times slower for
(DSA) verification.
Rivest, Shamir, and Adleman 512 to 2048 RSA is for public-key cryptography that is based on the current difficulty of factoring very large numbers. It
encryption algorithms (RSA) is the first algorithm known to be suitable for signing, as well as encryption. It is widely used in electronic
commerce protocols and is believed to be secure given sufficiently long keys and the use of up-to-date
implementations.
EIGamal 512 - 1024 An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman
key agreement. A disadvantage of the ElGamal system is that the encrypted message becomes very big,
about twice the size of the original message and for this reason it is only used for small messages such as
secret keys.
Elliptic curve techniques 224 or higher Elliptic curve cryptography can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or
ElGamal. The main advantage of elliptic curve cryptography is that the keys can be much smaller.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43
Confidentiality
Asymmetric Encryption - Confidentiality
The process can be summarized using the formula:

Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality

When the public key is used to encrypt the data, the private key must be used to decrypt the data.
Only one host has the private key; therefore, confidentiality is achieved.
Alice requests and obtains Bob’s public key. Alice uses Bob’s public key to encrypt a message Bob then uses his private key to decrypt the
using an agreed-upon algorithm. Alice sends the message. Since Bob is the only one with the
encrypted message to Bob. private key, Alice's message can only be
decrypted by Bob and thus confidentiality is
achieved.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44
Confidentiality
Asymmetric Encryption - Authentication
The authentication objective of asymmetric algorithms is initiated when the encryption process is
started with the private key.

The process can be summarized using the formula:


Private Key (Encrypt) + Public Key (Decrypt) = Authentication

Alice encrypts a message using her private key. Alice sends In order to authenticate the message, Bob uses Alice’s public key to decrypt the message.
the encrypted message to Bob. Bob needs to authenticate Bob requests Alice’s public key.
that the message did indeed come from Alice.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45
Confidentiality
Asymmetric Encryption - Integrity
Combining the two asymmetric encryption processes provides message confidentiality, authentication, and
integrity. The following example will be used to illustrate this process. In this example, a message will be
ciphered using Bob’s public key and a ciphered hash will be encrypted using Alice’s private key to provide
confidentiality, authenticity, and integrity.

Alice wants to send a message to Bob ensuring that only Bob Alice also wants to ensure message authentication and integrity.
can read the document. In other words, Alice wants to ensure Authentication ensures Bob that the document was sent by Alice,
message confidentiality. Alice uses the public key of Bob to and integrity ensures that it was not modified Alice uses her
cipher the message. Only Bob will be able to decipher it using his private key to cipher a hash of the message. Alice sends the
private key encrypted message with its encrypted hash to Bob.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46
Confidentiality
Asymmetric Encryption – Integrity (Cont.)

Bob uses Alice’s public key to verify that the message Bob uses his private key to decipher the
was not modified. The received hash is equal to the message.
locally determined hash based on Alice’s public key.
Additionally, this verifies that Alice is definitely the
sender of the message because nobody else has
Alice’s private key.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47
Network Security Testing Techniques
Operations Security
Operations security starts with the planning and implementation process of a network. During
these phases, the operations team analyzes designs, identifies risks and vulnerabilities, and
makes the necessary adaptations. The actual operational tasks begin after the network is set up
and include the continual maintenance of the environment.

Some security testing techniques are predominantly manual, and others are highly automated.
Regardless of the type of testing, the staff that sets up and conducts the security testing should
have significant security and networking knowledge in these areas:
• Device hardening
• Firewalls
• IPSs
• Operating systems
• Basic programming
• Networking protocols, such as TCP/IP
• Network vulnerabilities and risk mitigation
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48
Network Security Testing Techniques
Testing and Evaluating Network Security

During the implementation stage, security testing is conducted on specific parts of the network.
After a network is fully integrated and operational, a Security Test and Evaluation (ST&E) is
performed. An ST&E is an examination of the protective measures that are placed on an
operational network.

Objectives of ST&E include the following:


• Uncover design, implementation, and operational flaws that could lead to the violation
of the security policy.
• Determine the adequacy of security mechanisms, assurances, and device properties to
enforce the security policy.
• Assess the degree of consistency between the system documentation and its
implementation.

Tests should be repeated periodically and whenever a change is made to the system.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 49
Network Security Testing Techniques
Types of Network Tests
After a network is operational, ascertain its security status. Many security tests can be conducted to assess
the operational status of the network:

• Penetration testing - Simulate attacks to determine the feasibility of an attack and possible
consequences if one were to occur.

• Network scanning - Includes software that can ping computers, scan for listening TCP ports and
display which types of resources are available on the network.

• Vulnerability scanning - Detects potential weaknesses in the tested systems.

• Password cracking - Tests and detects weak passwords that should be changed.

• Log review - Filter and review security logs to detect abnormal activity.

• Integrity checkers - Detects and reports changes in the system.

• Virus detection - Detects and removes computer viruses and other malware.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 50
Network Security Testing Techniques
Applying Network Test Results

Network security testing results can be used in several ways:

• To define mitigation activities to address identified vulnerabilities


• As a benchmark to trace the progress of an organization in meeting security
requirements
• To assess the implementation status of system security requirements
• To conduct cost and benefit analysis for improvements to network security
• To enhance other activities, such as risk assessments, certification and authorization
(C&A), and performance improvement efforts
• As a reference point for corrective action

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 51
Network Security Testing Tools
Network Testing Tools
There are many tools available to test the security of systems and networks. Some of these tools are open
source while others are commercial tools that require licensing. Various software tools can be used to perform
network testing including:

• Nmap/Zenmap - This discovers computers and services on a computer network, thus creating a map
of the network.
• SuperScan - Designed to detect open TCP and UDP ports, determine what services are running on
those ports, and to run queries, such as whois, ping, traceroute, and hostname lookups.
• SIEM (Security Information Event Management) - Used in enterprise organizations to provide real
time reporting and long-term analysis of security events.
• GFI LANguard - This is a network and security scanner which detects vulnerabilities.
• Tripwire - Assesses and validates IT configurations.
• Nessus - Vulnerability scanning software, focusing on remote access, misconfigurations, and DoS
against the TCP/IP stack.
• L0phtCrack - Password auditing and recovery application.
• Metasploit - Provides information about vulnerabilities and aids in penetration testing and IDS
signature development.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 52
Network security protocols

Network security protocols are standardized sets of rules and


conventions designed to secure the communication and data
integrity between devices in a network.
These protocols ensure that data is transmitted securely and that
unauthorized access and malicious activities are prevented.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Application layer security
The application layer, the top layer of the OSI model, is responsible
for providing network services directly to end-users or applications.
Application layer security involves protecting applications and the
data they exchange over a network. Here are some key aspects and
measures related to application layer security:
1. Secure Sockets Layer (SSL) / Transport Layer Security (TLS):
•Functionality: Ensures secure communication between
applications over a network.
•Use Case: HTTPS for secure web browsing, secure email
transmission (SMTPS, POP3S, IMAPS).

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cont’d..
2. Web Application Firewalls (WAF):
•Functionality: Protects web applications from various attacks such as
SQL injection, cross-site scripting (XSS), and cross-site request forgery
(CSRF).
•Use Case: Used to secure online applications, websites, and APIs.
3. Secure File Transfer Protocols:
•a. SFTP (SSH File Transfer Protocol): Secure alternative to FTP for file
transfer.
•b. SCP (Secure Copy Protocol): Secure file transfer protocol using
SSH.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cont’d
4. Email Encryption:
•Functionality: Protects the content of emails from unauthorized access.
•Use Case: PGP/GPG for end-to-end email encryption.
5. Application-Layer Authentication:
•Functionality: Verifies the identity of users accessing applications.
•Use Case: Multi-factor authentication, single sign-on.
6. Web Security Best Practices:
•a. Input Validation: Ensures that data provided by users is within expected
parameters, preventing attacks like SQL injection.
•b. Output Encoding: Protects against XSS attacks by encoding user input
before rendering it in the browser.
•c. Session Management: Ensures secure handling of user sessions,
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

preventing unauthorized access.


Transport Layer Security
Transport Layer Security (TLS) is a cryptographic protocol that ensures privacy
and data integrity between two communicating applications. It operates at the
transport layer of the OSI model and is designed to secure the communication
channel between a client and a server. TLS is the successor to the earlier Secure
Sockets Layer (SSL) protocol, and the terms "SSL" and "TLS" are often used
interchangeably.
Key Features and Components of TLS:
1. Encryption:
2. Authentication:
3. Key Exchange:
4. Data Integrity:
5. Protocol Versions:
6. Perfect Forward Secrecy (PFS): © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Network Layer Security

Network Layer Security involves measures and protocols applied at the


network layer (Layer 3 of the OSI model) to secure data transmission and
protect network infrastructure. This layer is responsible for routing and
forwarding data packets between devices on different networks. Here are key
aspects of network layer security:
1. IPsec (Internet Protocol Security):
2. Virtual Private Networks (VPNs):
3. Routing Security:
4. Network Address Translation (NAT):
5. Firewalls:
6. Router Security:
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Link Layer Security
Link Layer Security involves implementing security measures at the data link
layer (Layer 2 of the OSI model). This layer is responsible for the reliable
transmission of frames between directly connected nodes on a network. Here
are key aspects of link layer security:
1. MAC Address Filtering:
2. 802.1X Port-Based Authentication:
3. Port Security:
4. VLAN Security:
5. Link Layer Encryption:

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Physical security
Physical security involves the protection of the physical assets, infrastructure,
and resources of an organization. In the context of network security, physical
security measures are critical for safeguarding the hardware, data centers, and
other tangible elements that support network operations. Here are key aspects
of physical security in the context of network protection:
1. Data Centers and Server Rooms:
2. Cabling Infrastructure:
3. Physical Access Points:
4. Equipment Protection:
5. Power Infrastructure:
6. Employee Training:
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Wireless security
Wireless security involves protecting the communication and data transmitted
over wireless networks from unauthorized access, interception, and tampering.
As wireless networks become ubiquitous, implementing effective security
measures is crucial to safeguard sensitive information. Here are key aspects of
wireless security:
1. Wireless Encryption:
2. Wi-Fi Protected Setup (WPS):
3. Wireless Network Segmentation:
4. Authentication Mechanisms:
5. SSID (Service Set Identifier) Management:

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

You might also like