
CCNA Discovery 1 Chp. 8: Basic Security


Page 1: CCNA Discovery 1 Chp. 8: Basic Security

CCNA Discovery 1
Chp. 8: Basic Security

Page 2: CCNA Discovery 1 Chp. 8: Basic Security

Contents

8.1: Networking Threats
– Risks of intrusion
– Sources of intrusion
– Social Engineering

8.2: Methods of Attack
– Viruses, Worms, Trojan Horses
– DoS, Brute Force Attacks
– Spyware, Trackers
– Spam

8.3: Security Policies
– Security Measures
– Updates and Patches
– Anti-Virus, Anti-Spam, Anti-Spyware

8.4: Firewalls

Page 3: CCNA Discovery 1 Chp. 8: Basic Security

8.1: Networking Threats

Computer networks are quickly becoming essential to everyday activities. Individuals and organizations depend daily on their computers and networks for important functions.

Intrusion by an unauthorized person can result in costly network outages and loss of work.

Attacks on a network can be devastating and can result in a loss of time and money due to damage or theft of important information or assets.

Page 4: CCNA Discovery 1 Chp. 8: Basic Security

8.1.1: Risks of Network Intrusions

Intruders can gain access to a network in many different ways:
– Software vulnerabilities
– Hardware attacks
– Low-tech methods: password guessing

Intruders who gain access by modifying software or exploiting software vulnerabilities are often called hackers.

Page 5: CCNA Discovery 1 Chp. 8: Basic Security

Types of Network Threats

Once a hacker gains access to the network, 4 types of threat may arise:
1. Information theft
– Breaking into a computer to obtain confidential information which can be sold or used for other purposes
2. Identity theft
– Personal information is stolen to take over someone's identity
3. Data loss / manipulation
– Breaking into a computer to destroy or alter data records
4. Disruption of service
– Preventing legitimate users from accessing services that are needed

Page 6: CCNA Discovery 1 Chp. 8: Basic Security

8.1.2: Sources of Intrusion

Security threats from network intruders can come from 2 different sources:
– External Threats
– Internal Threats

Page 7: CCNA Discovery 1 Chp. 8: Basic Security

External Threats

Threats from individuals working outside of an organization who do not have authorized access to the computer systems or network.

Access into the network is mainly obtained through the Internet, wireless links or dialup access servers.

Page 8: CCNA Discovery 1 Chp. 8: Basic Security

Internal Threats

Threats from someone who has authorized access to the network through a user account or with physical access to the network equipment.

An internal attacker knows the internal politics and people.

They often know what information is both valuable and vulnerable and how to get to it.

Some internal attacks are unintentional, e.g. a trustworthy employee who picks up a virus or other security threat while outside the company and unknowingly brings it into the internal network.

Page 9: CCNA Discovery 1 Chp. 8: Basic Security

The Wrong Defense

Most companies spend considerable resources defending against external attacks; however, most threats actually come from internal sources.

According to the FBI, internal access and misuse of computer systems account for approximately 70% of reported security breaches.

One of the easiest ways for an intruder to gain access, whether internal or external, is by exploiting human behavior.

Page 10: CCNA Discovery 1 Chp. 8: Basic Security

8.1.3: Social Engineering

One of the more common methods of exploiting human weaknesses is called Social Engineering.
– The ability of something or someone to influence the behavior of a group of people.
– A collection of techniques used to deceive internal users into performing specific actions or revealing confidential information.
– Allows an attacker to take advantage of unsuspecting legitimate users to gain access to internal resources and private information, such as bank account numbers or passwords.
– These attacks exploit the fact that users are generally considered one of the weakest links in security.

Social engineers can be internal or external to the organization, but most often do not come face-to-face with their victims.

Page 11: CCNA Discovery 1 Chp. 8: Basic Security

Social Engineering Techniques

Three of the most commonly used techniques in social engineering are:
– Pretexting
– Phishing
– Vishing

Page 12: CCNA Discovery 1 Chp. 8: Basic Security

Pretexting

A form of social engineering where an invented scenario (the pretext) is used on a victim in order to get the victim to release information or perform an action.

The target is typically contacted over the telephone.

For pretexting to be effective, the attacker must be able to establish legitimacy with the intended target, or victim.

This often requires some prior knowledge or research on the part of the attacker.
– For example, if an attacker knows the target's social security number, they may use that information to gain the trust of their target.

The target is then more likely to release further information.

Page 13: CCNA Discovery 1 Chp. 8: Basic Security

Phishing

A form of social engineering where the phisher pretends to represent a legitimate outside organization.

They typically contact the target individual (the phishee) via email.

The phisher might ask for verification of information, such as passwords or usernames, in order to prevent some terrible consequence from occurring.

Page 14: CCNA Discovery 1 Chp. 8: Basic Security

Vishing

A form of social engineering that uses Voice over IP (VoIP) is known as vishing.

An unsuspecting user is sent a voice mail instructing them to call a number which appears to be a legitimate telephone-banking service.

The number is actually controlled by the attacker, so bank account numbers or passwords entered over the phone "for verification" are captured by the thief.

Page 15: CCNA Discovery 1 Chp. 8: Basic Security

8.2: Methods of Attack

Some network attacks exploit vulnerabilities in computer software:
– Viruses
– Worms
– Trojan horses

These attacks operate by introducing malicious software onto a host.

The effects of software attacks can be devastating:
– Damage to a system and destruction of data
– Denial of access to networks, systems, or services
– Forwarding of data and personal details from unsuspecting PC users to criminals

In many cases, the software can replicate itself and spread to other hosts connected to the network.

Sometimes these techniques are used in combination with social engineering to trick an unsuspecting user into executing the attack.

Page 16: CCNA Discovery 1 Chp. 8: Basic Security

Viruses

A virus is a program that runs and spreads by modifying other programs or files.

A virus cannot start by itself; it needs to be activated, usually by executing an infected file.

Once activated, a virus may do nothing more than replicate itself and spread. Though simple, even this type of virus is dangerous, as it can quickly consume all available memory and bring a system to a halt.

A more serious virus may be programmed to delete or corrupt specific files before spreading.

Viruses can be transmitted via email attachments, downloaded files, instant messages, or via diskette, CD or USB devices.

Page 17: CCNA Discovery 1 Chp. 8: Basic Security

Trojan Horses

A Trojan horse is a non-self-replicating program that is written to appear like a legitimate program.

A Trojan horse relies upon its legitimate appearance to deceive the victim into running the program.

It may be relatively harmless or can contain code that damages the contents of the computer's hard drive.

Trojans can also create a back door into a system, allowing hackers to gain access.

Page 18: CCNA Discovery 1 Chp. 8: Basic Security

Worms

A worm is similar to a virus, but unlike a virus it does not need to attach itself to an existing program.

A worm uses the network to send copies of itself to any connected hosts.

Worms can run independently and spread quickly.

They do not necessarily require activation or human intervention.

Self-spreading network worms can have a much greater impact than a single virus and can infect large parts of the Internet quickly.

Page 19: CCNA Discovery 1 Chp. 8: Basic Security

8.2.2: DoS Attacks

Sometimes the goal of an attacker is to shut down the normal operations of a network.

This type of attack is usually carried out with the intent to disrupt the functions of an organization.

DoS attacks are aggressive attacks on an individual computer or groups of computers with the intent to deny services to intended users.
– DoS attacks can target end user systems, servers, routers, and network links.

DoS attacks seek to do 2 main things:
1. Flood a system or network with traffic to prevent legitimate network traffic from flowing
2. Disrupt connections between a client and server to prevent access to a service

Page 20: CCNA Discovery 1 Chp. 8: Basic Security

Types of DoS Attacks

Security administrators need to be aware of the types of DoS attacks that can occur and ensure that their networks are protected.

Two common DoS attacks are:
– SYN (synchronize) flooding: a flood of TCP SYN packets is sent to a server requesting client connections. The packets carry spoofed source IP addresses, so the server's SYN/ACK replies are never answered; each half-open connection holds a slot in the server's connection backlog until it times out, and once the backlog is full the server cannot respond to legitimate connection requests.
– Ping of death: a datagram larger than the maximum allowed by IP (65,535 bytes) is sent to a device. Since no single packet can be that large, it is sent as fragments whose offsets and lengths reassemble to more than 65,535 bytes; a receiving system that does not check the reassembled size before copying the data can crash.
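The two attacks above, as an added example that is not part of the CCNA slides: a small model of the half-open connection backlog that a SYN flood fills, a simplified SYN-cookie defence (real implementations also pack the MSS into the sequence number; this version keeps only the MAC), and the reassembly-size check that stops a ping of death before the buffer is allocated. Every address, port and fragment below is a constructed test value, and the 20-byte header length assumes an IPv4 header with no options.

```python
# Added example (not from the CCNA slides): a model of why a SYN flood exhausts a
# server, a simplified SYN-cookie defence, and a reassembly check for oversized
# ("ping of death") datagrams. All addresses and sizes are constructed test values.
import hashlib
import hmac
import secrets
import time

IP_MAX_LEN = 65535      # largest value of the IPv4 Total Length field
IP_HEADER_LEN = 20      # assumption: minimum IPv4 header, no options


class SynBacklog:
    """Stateful handshake: the server allocates a slot for every SYN it accepts,
    before the client has proved it can complete the handshake."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = {}     # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key in self.half_open:
            return True
        if len(self.half_open) >= self.capacity:
            return False        # backlog full: the SYN is dropped
        self.half_open[key] = secrets.randbits(32)
        return True

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


def simulate_syn_flood(backlog_size=64, spoofed_syns=1000):
    """Spoofed sources never answer the SYN/ACK, so their slots are never freed
    and a legitimate client arriving afterwards is refused."""
    q = SynBacklog(backlog_size)
    for i in range(spoofed_syns):
        q.on_syn(f"203.0.113.{i % 254 + 1}", 10000 + i)   # spoofed (TEST-NET-3)
    return q.on_syn("198.51.100.7", 40000)                 # legitimate client


# Mitigation: SYN cookies keep no per-SYN state. The server's ISN is a MAC over
# the connection tuple and a slowly moving counter; a real client echoes ISN+1 in
# its ACK and the server recomputes the cookie instead of looking anything up.
COOKIE_SECRET = secrets.token_bytes(32)


def _epoch(now=None):
    return int(time.time() if now is None else now) // 64   # 64-second windows


def syn_cookie(src_ip, src_port, dst_port, client_isn, epoch=None):
    e = _epoch() if epoch is None else epoch
    msg = f"{src_ip}|{src_port}|{dst_port}|{client_isn}|{e}".encode()
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def verify_cookie_ack(src_ip, src_port, dst_port, client_isn, ack, epoch=None):
    e = _epoch() if epoch is None else epoch
    for window in (e, e - 1):                # accept current and previous window
        expected = (syn_cookie(src_ip, src_port, dst_port, client_isn, window) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(expected.to_bytes(4, "big"),
                               (ack & 0xFFFFFFFF).to_bytes(4, "big")):
            return True
    return False


# Ping of death: the attacker sends fragments whose offsets and lengths reassemble
# to more than 65,535 bytes. Compute the reassembled size before allocating.
def reassembled_total_length(fragments):
    """fragments: iterable of (fragment_offset_in_8_byte_units, payload_len)."""
    end = max((off * 8 + length for off, length in fragments), default=0)
    return IP_HEADER_LEN + end


def is_ping_of_death(fragments):
    return reassembled_total_length(fragments) > IP_MAX_LEN


# Constructed samples: the classic oversized ping has a final fragment at offset
# 8191 (65,528 bytes) carrying 32 bytes; a normal ICMP echo fits in one fragment.
OVERSIZED_PING = [(0, 1480), (8191, 32)]
NORMAL_PING = [(0, 1472)]

if __name__ == "__main__":
    print("legitimate client accepted during flood:", simulate_syn_flood())
    print("oversized ping:", is_ping_of_death(OVERSIZED_PING))
    print("normal ping:", is_ping_of_death(NORMAL_PING))
```

The backlog model is the reason a SYN flood works at all: the server commits memory on the strength of a packet whose source it cannot trust. The cookie removes that commitment, at the price of the 64-second epoch in which a cookie stays valid and of extensions that cannot be remembered across the handshake. The fragment check is the same idea applied to memory: verify the total before trusting the sum of the parts.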

Page 21: CCNA Discovery 1 Chp. 8: Basic Security

DoS Attack

Page 22: CCNA Discovery 1 Chp. 8: Basic Security

DDoS

A Distributed Denial of Service attack is a more sophisticated and potentially damaging form of the DoS attack.

It is designed to saturate and overwhelm network links with useless data.

DDoS operates on a much larger scale than DoS attacks.
– Typically hundreds or thousands of attack points attempt to overwhelm a target simultaneously.
– The attack points may be unsuspecting computers that have been previously infected by the DDoS code.
– The systems that are infected with the DDoS code attack the target site when invoked.

Page 23: CCNA Discovery 1 Chp. 8: Basic Security

DDoS

Page 24: CCNA Discovery 1 Chp. 8: Basic Security

Brute Force Attacks

A brute force attack is another type of attack that may result in denial of service.

A fast computer is used to try to guess passwords or to recover an encryption key.

The attacker tries a large number of possibilities in rapid succession to gain access or crack the code.

Brute force attacks can cause a denial of service due to excessive traffic to a specific resource or by locking out user accounts.
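The password-guessing side of this, as an added example rather than material from the CCNA course: it picks a guessing run out of authentication logs by counting failures per source inside a sliding window, then replays the same events through a per-source throttle. The throttle is deliberately keyed on the source address rather than the account, which is what keeps the "locking out user accounts" denial of service the slide mentions from being something an attacker can trigger on purpose. The log lines are constructed in sshd's format; host names, addresses and thresholds are assumptions.

```python
# Added example (not from the CCNA slides): spotting a password-guessing run in
# authentication logs, and a throttle that slows the guesser without letting the
# guesser lock real users out. The log lines below are constructed, sshd-style.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[411]: Failed password for alice from 203.0.113.9 port 51001 ssh2
Mar  3 10:00:02 host sshd[412]: Failed password for alice from 203.0.113.9 port 51002 ssh2
Mar  3 10:00:02 host sshd[413]: Failed password for invalid user admin from 203.0.113.9 port 51003 ssh2
Mar  3 10:00:03 host sshd[414]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar  3 10:00:04 host sshd[415]: Failed password for alice from 203.0.113.9 port 51005 ssh2
Mar  3 10:00:05 host sshd[416]: Failed password for bob from 203.0.113.9 port 51006 ssh2
Mar  3 10:00:09 host sshd[417]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:05:00 host sshd[418]: Failed password for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Return (timestamp, failed, user, ip) tuples; syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Failed", m["user"], m["ip"]))
    return events


def brute_force_sources(events, window_seconds=60, threshold=5):
    """Sources with >= threshold failures inside any window_seconds span.
    Counting per source (not per account) separates a guessing run, which
    walks across accounts, from one user mistyping a password."""
    by_ip = defaultdict(list)
    for ts, failed, _user, ip in events:
        if failed:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


class LoginThrottle:
    """Per-source blocking. Locking the account after N failures is the lockout
    denial of service the slide warns about: anyone who knows a username can
    lock its owner out. Throttling the source slows the guesser instead."""

    def __init__(self, max_failures=5, block_seconds=300):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.failures = defaultdict(list)   # ip -> recent failure timestamps

    def allowed(self, ip, now):
        recent = [t for t in self.failures[ip]
                  if (now - t).total_seconds() < self.block_seconds]
        self.failures[ip] = recent
        return len(recent) < self.max_failures

    def record_failure(self, ip, now):
        self.failures[ip].append(now)


def replay(events, throttle=None):
    """Feed events through the throttle; return the attempts it would refuse."""
    throttle = throttle or LoginThrottle()
    refused = []
    for ts, failed, user, ip in events:
        if not throttle.allowed(ip, ts):
            refused.append((user, ip))
            continue
        if failed:
            throttle.record_failure(ip, ts)
    return refused


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("guessing sources:", brute_force_sources(evs))
    print("refused by throttle:", replay(evs))
```

On the sample, the guessing host is flagged after its fifth failure and its sixth attempt is refused, while alice's later login from her own address succeeds even though her account has already accumulated failures; an account-keyed lockout would have turned the attacker's guesses into an outage for her.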

Page 25: CCNA Discovery 1 Chp. 8: Basic Security

Collector Attacks

Not all attacks do damage or prevent legitimate users from having access to resources.

Many threats are designed to collect information about users which can be used for advertising, marketing and research purposes.

These include spyware, tracking cookies, adware and pop-ups.

While these may not damage a computer, they invade privacy and can be annoying.

Page 26: CCNA Discovery 1 Chp. 8: Basic Security

Spyware

Spyware is any program that gathers personal information from your computer without your permission or knowledge.

This information can be sent to advertisers or others on the Internet and can include passwords and account numbers.

Spyware is usually installed unknowingly when downloading a file, installing another program or clicking a popup.

It can slow down a computer and make changes to internal settings, creating more vulnerabilities for other threats.

In addition, spyware can be very difficult to remove.

Page 27: CCNA Discovery 1 Chp. 8: Basic Security

Tracking Cookies

Cookies are small pieces of data that a website stores in the browser, not programs; tracking cookies are grouped with spyware because they can follow a user across sites, but cookies are not always bad.

They are used to record information about an Internet user when they visit websites.

Cookies may be useful or desirable, allowing personalization and other time-saving techniques.

Many web sites require that cookies be enabled in order to allow the user to log in and stay logged in.

Page 28: CCNA Discovery 1 Chp. 8: Basic Security

Spyware and Cookies

Page 29: CCNA Discovery 1 Chp. 8: Basic Security

Adware

Adware is a form of spyware used to collect information about a user based on the websites the user visits.

That information is then used for targeted advertising.

Adware is commonly installed by a user in exchange for a "free" product.

When a user opens a browser window, adware can start new browser instances which attempt to advertise products or services based on the user's surfing practices.

The unwanted browser windows can open repeatedly and can make surfing the Internet very difficult, especially with slow Internet connections.

Adware can be very difficult to uninstall.

Page 30: CCNA Discovery 1 Chp. 8: Basic Security

Pop-Ups

Pop-ups and pop-unders are additional advertising windows that display when visiting a web site.

Unlike adware, pop-ups and pop-unders are not intended to collect information about the user and are typically associated only with the web site being visited.

Pop-ups: open in front of the current browser window.

Pop-unders: open behind the current browser window.

They can be annoying and usually advertise products or services that are undesirable.

Page 31: CCNA Discovery 1 Chp. 8: Basic Security

Spam

Spam is unwanted bulk messages sent through email or instant messaging.

Spam is a serious network threat that can overload ISPs, email servers and individual end-user systems.

A person or organization responsible for sending spam is called a spammer.

Spammers often make use of unsecured email servers (open relays) to forward email.

Spammers can also use hacking techniques, such as viruses, worms and Trojan horses, to take control of home computers. These computers are then used to send spam without the owner's knowledge.

Every Internet user receives approximately 3,000 spam emails in a year.

Spam consumes large amounts of Internet bandwidth and is a serious enough problem that many countries now have laws governing spam.
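What "unsecured email server" means in practice is an open relay, and the decision a mail server makes at RCPT TO is what separates one from a properly configured server. The following is an added example, not part of the CCNA course or of any real mail server: a minimal model of that relay decision with the open-relay misconfiguration beside the corrected rule, run against the kind of probe an open-relay scanner sends. The local domain, trusted network, client addresses and recipients are all constructed.

```python
# Added example (not from the CCNA slides): a minimal model of the SMTP relay
# decision, showing the open-relay misconfiguration spammers look for next to
# the corrected rule. Addresses, domains and the session below are constructed.
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com"}                  # domains we are the final destination for
TRUSTED_NETS = [ip_network("192.0.2.0/24")]      # our own clients (constructed range)


def relay_decision(client_ip, authenticated, rcpt, local_domains=LOCAL_DOMAINS,
                   trusted_nets=TRUSTED_NETS, open_relay=False):
    """Return the SMTP reply for one RCPT TO.

    open_relay=True reproduces the misconfiguration: anyone may hand us mail for
    any domain, so a spammer sends to the world through us under our reputation.
    The corrected rule relays only for authenticated or on-network clients and
    otherwise accepts mail solely when we are its final destination.
    """
    domain = rcpt.rpartition("@")[2].lower()
    if domain in local_domains:
        return "250 2.1.5 OK"                    # inbound mail for us: always accepted
    if open_relay:
        return "250 2.1.5 OK"                    # the bug: relaying for strangers
    ip = ip_address(client_ip)
    if authenticated or any(ip in net for net in trusted_nets):
        return "250 2.1.5 OK"                    # our user sending outbound mail
    return "554 5.7.1 Relay access denied"


def run_session(client_ip, authenticated, rcpts, **policy):
    """Simulate the RCPT TO phase of one session; returns (recipient, reply) pairs."""
    return [(r, relay_decision(client_ip, authenticated, r, **policy)) for r in rcpts]


# Constructed probe: an outside, unauthenticated host asking us to deliver to a
# third party is exactly what an open-relay scanner (or a spammer) sends first.
PROBE_IP = "203.0.113.50"
PROBE_RCPTS = ["victim@other.example", "postmaster@example.com"]

if __name__ == "__main__":
    for open_relay in (True, False):
        print("open_relay =", open_relay)
        for rcpt, reply in run_session(PROBE_IP, False, PROBE_RCPTS, open_relay=open_relay):
            print("  RCPT TO:<%s> -> %s" % (rcpt, reply))
```

The test that matters is the first recipient: a server that answers 250 to an unauthenticated outside client for a domain it does not host is an open relay, whatever else it does. The second recipient shows that closing the relay does not stop inbound mail for your own domain.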

Page 32: CCNA Discovery 1 Chp. 8: Basic Security

Spam

Page 33: CCNA Discovery 1 Chp. 8: Basic Security

8.3: Security Policy

Security risks cannot be eliminated or prevented completely.

Effective risk management and assessment can significantly minimize the existing security risks.

To minimize the amount of risk, it is important to understand that no single product can make an organization secure.

True network security comes from a combination of products and services, combined with a thorough security policy and a commitment to adhere to that policy.

Page 34: CCNA Discovery 1 Chp. 8: Basic Security

Security Policy

A security policy is a formal statement of the rules that users must adhere to when accessing technology and information assets.

As a network grows in size and scope, the importance of a defined security policy for all users increases drastically.

A good security policy will contain:
– identification and authentication policies
– password policies
– acceptable use policies
– remote access policies
– incident handling procedures

Page 35: CCNA Discovery 1 Chp. 8: Basic Security

Security Policy

When a security policy is developed, all users of the network must support and follow it in order for it to be effective.

Page 36: CCNA Discovery 1 Chp. 8: Basic Security

Security Procedures

A security policy should be the central point for how a network is secured, monitored, tested and improved upon.

Security procedures implement security policies.
– They define configuration, login, audit, and maintenance processes for hosts and network devices.
– They include both preventative measures to reduce risk and active measures for how to handle known security threats.

Security procedures can range from simple, inexpensive tasks such as maintaining up-to-date software releases, to complex implementations of firewalls and intrusion detection systems.

Page 37: CCNA Discovery 1 Chp. 8: Basic Security

Security Measures

Some of the security tools and applications used in securing a network include:
– Software patches and updates
– Virus protection
– Spyware protection
– Spam blockers
– Pop-up blockers
– Firewalls

Page 38: CCNA Discovery 1 Chp. 8: Basic Security

Security Measures

Page 39: CCNA Discovery 1 Chp. 8: Basic Security

Patches & Updates
One of the most common methods that a hacker uses to gain access to hosts and/or networks is through software vulnerabilities.
It is important to keep software applications up-to-date with the latest security patches and updates to help deter threats.
A patch is a small piece of code that fixes a specific problem. An update, on the other hand, may include additional functionality to the software package as well as patches for specific issues.
Vendors often release collections of patches and updates called service packs.
Many operating systems offer an automatic update feature that allows OS and application updates to be automatically downloaded and installed on a host.

Page 40: CCNA Discovery 1 Chp. 8: Basic Security

Detecting a Virus
Any device that is connected to a network is susceptible to viruses, worms and Trojan horses.
Some signs that a virus, worm or Trojan horse may be present:
– Computer starts acting abnormally
– Program does not respond to mouse and keystrokes
– Programs starting or shutting down on their own
– Email program begins sending out large quantities of email
– CPU usage is very high
– There are a large number of unidentifiable processes running
– Computer slows down significantly or crashes

Page 41: CCNA Discovery 1 Chp. 8: Basic Security

Anti-virus Software
Anti-virus software can be used as both a preventative tool and as a reactive tool.
– It should be installed on all computers connected to the network. There are many anti-virus programs available.
Some of the features that can be included in anti-virus programs are:
– Email checking - Scans incoming and outgoing emails, and identifies suspicious attachments.
– Resident dynamic scanning - Checks executable files and documents when they are accessed.
– Scheduled scans - Virus scans can be scheduled to run at regular intervals and check specific drives or the entire computer.
– Automatic updates - Checks for, and downloads, known virus characteristics and patterns.

Page 42: CCNA Discovery 1 Chp. 8: Basic Security

Virus Definitions
Anti-virus software relies on knowledge of the virus to remove it.
It is important to keep the virus definition files for your anti-virus software up-to-date so that it can identify as many viruses as possible.
When a virus is identified it is important to report it or any virus-like behavior to the network administrator.
– This is normally done by submitting an incident report according to the company's network security policy.
Network administrators can report new instances of threats to the local governmental agency that handles security problems.
– Example: https://forms.us-cert.gov/report/
– This agency is responsible for developing countermeasures to new virus threats as well as ensuring that those measures are available to the various anti-virus software developers.

Page 43: CCNA Discovery 1 Chp. 8: Basic Security

Anti-Spam
Spam is not only annoying; it can overload email servers and potentially carry viruses and other security threats.
Spammers take control of a host by planting code on it in the form of a virus or a Trojan horse.
– The host is then used to send spam mail without the user's knowledge.
A computer infected this way is known as a spam mill.
Anti-spam software protects hosts by identifying spam and performing an action, such as placing it into a junk folder or deleting it.
– It can be installed locally or on email servers.
– Many ISPs offer spam filters.
Anti-spam software does not recognize all spam, so it is important to open email carefully.
It may also accidentally identify wanted email as spam and treat it as such.

Page 44: CCNA Discovery 1 Chp. 8: Basic Security

Anti-Spam Measures
In addition to using spam blockers, other preventative actions to prevent the spread of spam include:
– Apply OS and application updates when available.
– Run an anti-virus program regularly and keep it up to date.
– Do not forward suspect emails.
– Do not open email attachments, especially from people you do not know.
– Set up rules in your email to delete spam that bypasses the anti-spam software.
– Identify sources of spam and report them to a network administrator so they can be blocked.
– Report incidents to the governmental agency that deals with abuse by spam.

Page 45: CCNA Discovery 1 Chp. 8: Basic Security

Virus Hoax
One of the most common types of spam forwarded is the virus hoax.
While some virus warnings sent via email are true, a large number of them are hoaxes and the viruses do not really exist.
This type of spam can create problems because people warn others of the impending disaster and so flood the email system.
Also, network administrators may overreact and waste time investigating a problem that does not exist.
Finally, many of these emails can actually contribute to the spread of viruses, worms and Trojan horses.
Before forwarding virus warning emails, check to see if the virus is a hoax at a trusted source such as: http://vil.mcafee.com/hoax.asp or http://hoaxbusters.ciac.org/

Page 46: CCNA Discovery 1 Chp. 8: Basic Security

Spam Blocker

Page 47: CCNA Discovery 1 Chp. 8: Basic Security

Anti-Spyware
Spyware and adware can also cause virus-like symptoms.
In addition to collecting unauthorized information, they can use important computer resources and affect performance.
Anti-spyware software detects and deletes spyware applications, as well as preventing future installations from occurring.
Many anti-spyware applications also include detection and deletion of cookies and adware.
Some anti-virus packages include anti-spyware functionality.

Page 48: CCNA Discovery 1 Chp. 8: Basic Security

Pop-Up Blockers
Pop-up stopper software can be installed to prevent pop-ups and pop-unders.
Many web browsers include a pop-up blocker feature by default.
Note that some programs and web pages create necessary and desirable pop-ups.
Most pop-up blockers offer an override feature for this purpose.

Page 49: CCNA Discovery 1 Chp. 8: Basic Security

8.4: Firewalls
It is important to control traffic traveling to and from the network.
A firewall is one of the most effective security tools available for protecting internal network users from external threats.
A firewall resides between two or more networks and controls the traffic between them as well as helping prevent unauthorized access.

Page 50: CCNA Discovery 1 Chp. 8: Basic Security

Firewall Techniques
Firewall products use various techniques for determining what is permitted or denied access to a network.
– Packet Filtering - Prevents or allows access based on IP or MAC addresses.
– Application / Web Site Filtering - Prevents or allows access based on the application (for example, block all telnet sessions, or block specific web site URLs).
– Stateful Packet Inspection (SPI) - Allows only incoming packets that are legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks such as DoS.
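The three techniques on this slide, applied in order to a handful of constructed packets, as an added Python model that is not part of the course material. The addresses, the blocked-address list, the telnet block and the flood threshold are all assumptions chosen for the illustration.

```python
"""Toy model of the three firewall techniques on this slide: packet filtering
by address, application filtering by port, and stateful packet inspection.
Added example, not from the CCNA course; all addresses and rules are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str  # "out" = from the LAN toward the Internet, "in" = from the Internet


class StatefulFirewall:
    """Evaluates each packet in the order the slide lists the techniques."""

    def __init__(self, blocked_ips=(), blocked_ports=(), flood_threshold=3):
        self.blocked_ips = set(blocked_ips)      # packet filtering: deny by IP address
        self.blocked_ports = set(blocked_ports)  # application filtering: deny by service port (23 = telnet)
        self.allowed_inbound = set()             # explicit exceptions: (proto, port) reachable from outside
        self.flood_threshold = flood_threshold   # unsolicited packets tolerated before a source is blocked
        self.state = set()                       # flows opened from inside: (proto, lan_ip, lan_port, ext_ip, ext_port)
        self.unsolicited = Counter()             # per-source count of unsolicited inbound packets

    def handle(self, pkt: Packet) -> str:
        # 1. Packet filtering: address-based deny list (a MAC filter would work the same way).
        if pkt.src_ip in self.blocked_ips or pkt.dst_ip in self.blocked_ips:
            return "deny: address filter"
        # 2. Application filtering: block a service regardless of who asks for it.
        if pkt.dst_port in self.blocked_ports:
            return "deny: application filter"
        # 3. Stateful inspection.
        if pkt.direction == "out":
            # Remember the flow so that the reply can be matched later.
            self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "permit: outbound (state recorded)"
        # Inbound: is this the reply to something an internal host asked for?
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_of in self.state:
            return "permit: response to internal request"
        if (pkt.proto, pkt.dst_port) in self.allowed_inbound:
            return "permit: explicitly allowed inbound"
        # Unsolicited inbound is denied and counted, so a flooding source ends up blocked outright.
        self.unsolicited[pkt.src_ip] += 1
        if self.unsolicited[pkt.src_ip] >= self.flood_threshold:
            self.blocked_ips.add(pkt.src_ip)
            return "deny: unsolicited flood, source blocked"
        return "deny: unsolicited inbound"


def demo():
    """Walk a few constructed packets through the firewall and return the decisions."""
    fw = StatefulFirewall(blocked_ips={"203.0.113.9"}, blocked_ports={23})
    lan, web, other, bad = "192.168.1.10", "198.51.100.5", "198.51.100.7", "203.0.113.9"
    packets = [
        Packet(lan, web, "tcp", 51000, 80, "out"),   # internal host opens a web connection
        Packet(web, lan, "tcp", 80, 51000, "in"),    # the server's reply matches the recorded state
        Packet(other, lan, "tcp", 80, 51000, "in"),  # same ports, different peer: unsolicited
        Packet(lan, web, "tcp", 51001, 23, "out"),   # telnet from inside hits the application filter
        Packet(bad, lan, "tcp", 4444, 80, "in"),     # listed address is dropped before anything else
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```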

Page 51: CCNA Discovery 1 Chp. 8: Basic Security

NAT
Firewalls often also perform Network Address Translation (NAT).
NAT translates an internal address or group of addresses into an outside, public address that is sent across the network.
This allows internal IP addresses to be concealed from outside users.

Page 52: CCNA Discovery 1 Chp. 8: Basic Security

Types of Firewalls
Firewall products come packaged in various forms:
– Appliance-based firewalls - a firewall that is built in to a dedicated hardware device known as a security appliance.
– Server-based firewalls - a firewall application that runs on a network operating system (NOS) such as UNIX, Windows or Novell.
– Integrated firewalls - implemented by adding firewall functionality to an existing device, such as a router.
– Personal firewalls - software that resides on a local host computer and is not designed for LAN implementations.

Page 53: CCNA Discovery 1 Chp. 8: Basic Security

Firewalls

Page 54: CCNA Discovery 1 Chp. 8: Basic Security

Using a Firewall
By placing the firewall between the internal network (intranet) and the Internet as a border device, all traffic to and from the Internet can be monitored and controlled.
This creates a clear line of defense between the internal and external network.
However, there may be some external customers that require access to internal resources.
A demilitarized zone (DMZ) can be configured to accomplish this.

Page 55: CCNA Discovery 1 Chp. 8: Basic Security

DMZ Zone
The term demilitarized zone is borrowed from the military, where a DMZ is a designated area between two powers where military activity is not permitted.
In computer networking, a DMZ refers to an area of the network that is accessible to both internal and external users.
A DMZ allows certain areas of the internal network to be accessible to both internal and external users, while protecting the rest of the internal network.
– The DMZ is more secure than the external network but not as secure as the internal network.
A DMZ is created by using a firewall to separate the internal, DMZ and external networks.
Web servers for public access are frequently placed in a DMZ.

Page 56: CCNA Discovery 1 Chp. 8: Basic Security

DMZ Zone

Page 57: CCNA Discovery 1 Chp. 8: Basic Security

Single Firewall Configuration
A single firewall configuration has three areas:
– external network
– internal network
– the DMZ
All traffic originating from outside is sent to the firewall.
The firewall is required to monitor the traffic and determine what traffic should be passed to the DMZ, what traffic should be passed internally, and what should be denied altogether.
A single firewall configuration is appropriate for smaller, less congested networks.
A single firewall configuration has a single point of failure and can be overloaded.

Page 58: CCNA Discovery 1 Chp. 8: Basic Security

1 Firewall

Page 59: CCNA Discovery 1 Chp. 8: Basic Security

2 Firewall Configuration
In a 2 firewall configuration there is a double layer of protection:
– An internal firewall - is more restrictive and protects the internal network from unauthorized access.
– An external firewall - is less restrictive and allows external access to the services in the DMZ as well as allowing traffic that any internal user requested to pass through.
– The DMZ lies between them.
A two-firewall configuration is more appropriate for larger, more complex networks that handle a lot more traffic.

Page 60: CCNA Discovery 1 Chp. 8: Basic Security

2 Firewalls

Page 61: CCNA Discovery 1 Chp. 8: Basic Security

Integrated Firewalls
Many home network devices, such as integrated routers, frequently include integrated firewalls (multi-function firewall software).
This firewall typically provides many services:
– Network Address Translation (NAT)
– Stateful Packet Inspection (SPI)
– IP, application and web site filtering capabilities
– DMZ capabilities

Page 62: CCNA Discovery 1 Chp. 8: Basic Security

Simple DMZ Server
On an integrated router, a simple DMZ server can be set up that allows an internal server to be accessible by outside hosts.
To accomplish this, the server requires a static IP address that must be specified in the DMZ configuration.
The integrated router isolates traffic destined to the IP address specified and forwards it only to the LAN port where the server is connected.
All other hosts are still protected by the firewall.
When a simple DMZ is enabled, outside hosts can access all ports on the server, such as 80 (HTTP), 21 (FTP), and 110 (Email POP3), etc.

Page 63: CCNA Discovery 1 Chp. 8: Basic Security

DMZ Server

Page 64: CCNA Discovery 1 Chp. 8: Basic Security

Port Forwarding
A more restrictive DMZ can be set up using port forwarding.
Port forwarding allows you to set up a DMZ, but only allows traffic destined for specific ports on the server.
In this case, only traffic destined for those port(s) is allowed; all other traffic is excluded.
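The difference between the simple DMZ server of the previous slide and port forwarding, as an added Python model of an integrated router's inbound forwarding decision; this is illustrative code, not the course's or any vendor's, and the public address, server address and port list are constructed.

```python
"""Model of how an integrated router treats unsolicited inbound traffic under
(a) a simple DMZ host and (b) port forwarding. Added example, not from the CCNA
course; the addresses and ports below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IntegratedRouter:
    public_ip: str
    dmz_host: Optional[str] = None  # static LAN IP exposed on every port (simple DMZ)
    # (proto, public port) -> (lan ip, lan port): the port forwarding table
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def enable_simple_dmz(self, lan_ip: str) -> None:
        """Simple DMZ: all inbound traffic not matched elsewhere goes to this host."""
        self.dmz_host = lan_ip

    def add_port_forward(self, proto: str, public_port: int, lan_ip: str, lan_port: Optional[int] = None) -> None:
        """Port forwarding: only this public port reaches the server (same port unless remapped)."""
        self.port_forwards[(proto, public_port)] = (lan_ip, lan_port or public_port)

    def route_inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return the (lan_ip, lan_port) an unsolicited inbound packet is sent to, or None if dropped."""
        if dst_ip != self.public_ip:
            return None  # not addressed to this router's public side
        forward = self.port_forwards.get((proto, dst_port))
        if forward:
            return forward  # a specific port forwarding rule wins
        if self.dmz_host:
            return (self.dmz_host, dst_port)  # simple DMZ: every other port lands on the DMZ host
        return None  # SPI default: unsolicited inbound is blocked

    def exposed_ports(self, lan_ip: str, candidate_ports: List[int], proto: str = "tcp") -> List[int]:
        """Defender's check: which of candidate_ports on lan_ip are reachable from the Internet?"""
        reachable = []
        for port in candidate_ports:
            target = self.route_inbound(proto, self.public_ip, port)
            if target is not None and target[0] == lan_ip:
                reachable.append(port)
        return sorted(reachable)


def compare_configurations() -> Dict[str, List[int]]:
    """Same server, same router model, two configurations: report what each one exposes."""
    server = "192.168.1.50"                      # internal server with a static IP
    candidates = [21, 22, 80, 110, 443, 3389]    # ports an administrator would check
    dmz_router = IntegratedRouter(public_ip="203.0.113.10")
    dmz_router.enable_simple_dmz(server)
    pf_router = IntegratedRouter(public_ip="203.0.113.10")
    pf_router.add_port_forward("tcp", 80, server)  # only the web service is published
    return {
        "simple_dmz": dmz_router.exposed_ports(server, candidates),
        "port_forwarding": pf_router.exposed_ports(server, candidates),
    }


if __name__ == "__main__":
    for name, ports in compare_configurations().items():
        print(f"{name}: reachable ports {ports}")
```

Under the simple DMZ every candidate port is reachable, while port forwarding exposes only port 80; other LAN hosts remain unreachable in both cases.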

Page 65: CCNA Discovery 1 Chp. 8: Basic Security

AP Security
One of the biggest threats to security on a wireless network is an unsecured AP.
The wireless access point within the integrated router is considered part of the internal network.
It is important to realize that if the wireless access point is unsecured, anyone who connects to it is within the protected part of the internal network and is behind the firewall.
Hackers can use this to gain access to the internal network and completely bypass any security.
It is important to properly secure your wireless network with good passwords, encryption keys, and authentication.

Page 66: CCNA Discovery 1 Chp. 8: Basic Security

Integrated Router Security

Page 67: CCNA Discovery 1 Chp. 8: Basic Security

Vulnerability Analysis
The process of testing host and network security is called vulnerability analysis.
There are many tools that allow you to perform a vulnerability analysis; they are also known as security scanners.
They can help identify areas where attacks might occur and offer guidance on steps that can be taken.
Some common features:
– Identify the number of hosts available on a network
– Identify the services hosts are offering
– Identify the operating system and versions on the hosts
– Identify packet filters and firewalls in use

Page 68: CCNA Discovery 1 Chp. 8: Basic Security

Security Best Practices
There are several best practices for implementing network security:
– Define security policies
– Physically secure servers and network equipment
– Set login and file access permissions
– Update OS and applications
– Change permissive default settings
– Run anti-virus and anti-spyware
– Update antivirus software files
– Activate browser tools - popup stoppers, anti-phishing, plug-in monitors
– Use a firewall

Page 69: CCNA Discovery 1 Chp. 8: Basic Security

Prevention
The first step towards securing a network is to understand how traffic moves across the network and the different threats and vulnerabilities that exist.
Once security measures are implemented, a truly secure network needs to be monitored constantly.
Security procedures and tools need to be reviewed in order to stay ahead of evolving threats.

Page 70: CCNA Discovery 1 Chp. 8: Basic Security

Security Best Practices