11.0 Introduction
11.0.1 Welcome
11.0.1.1 Chapter 11: Managing a Secure Network
Up to this point in the course, we have considered the services that a data network can provide to the human network, examined the features of each layer of the OSI model and the operations of TCP/IP protocols, and looked in detail at Ethernet, a universal LAN technology. The next step is to learn how to assemble these elements together in a functioning network that can be maintained.
11.1 Network Security Testing
11.1.1 Network Security Testing Techniques
11.1.1.1 Operations Security
The majority of businesses are small. It is not surprising then that the majority of networks are also small. A typical small-business network is shown in the figure.
With small networks, the design of the network is usually simple. The number and type of devices included are significantly reduced compared to that of a larger network. The network topologies typically involve a single router and one or more switches. Small networks may also have wireless access points (possibly built into the router) and IP phones. As for connection to the Internet, normally a small network has a single WAN connection provided by DSL, cable, or an Ethernet connection.
Typical Small Business Network
Managing a small network requires many of the same skills as those required for managing a larger one. The majority of work is focused on maintenance and troubleshooting of existing equipment, as well as securing devices and information on the network. The management of a small network is either done by an employee of the company or a person contracted by the company, depending on the size and type of the business.
11.1.1.2 Testing and Evaluating Network Security
Device Selection for a Small Network
In order to meet user requirements, even small networks require planning and design. Planning ensures that all requirements, cost factors, and deployment options are given due consideration.
When implementing a small network, one of the first design considerations is the type of intermediate devices to use to support the network. When selecting the type of intermediate devices, there are a number of factors that need to be considered, as shown in the figure.
Cost
The cost of a switch or router is determined by its capacity and features. The device capacity includes the number and types of ports available and the backplane speed. Other factors that impact the cost are network management capabilities, embedded security technologies, and optional advanced switching technologies. The expense of cable runs required to connect every device on the network must also be considered. Another key element affecting cost considerations is the amount of redundancy to incorporate into the network.
Speed and Types of Ports/Interfaces
Choosing the number and type of ports on a router or switch is a critical decision. Newer computers have built-in 1 Gb/s NICs. 10 Gb/s ports are already included with some workstations and servers. While it is more expensive, choosing Layer 2 devices that can accommodate increased speeds allows the network to evolve without replacing central devices.
Expandability
Networking devices come in both fixed and modular physical configurations. Fixed configurations have a specific number and type of ports or interfaces. Modular devices have expansion slots that provide the flexibility to add new modules as requirements evolve. Switches are available with additional ports for high-speed uplinks. Routers can be used to connect different types of networks. Care must be taken to select the appropriate modules and interfaces for the specific media.
Operating System Features and Services
Depending on the version of the operating system, a network device can support certain features and services, such as:
- Security
- Quality of Service (QoS)
- Voice over IP (VoIP)
- Layer 3 switching
- Network Address Translation (NAT)
- Dynamic Host Configuration Protocol (DHCP)
Factors to Consider in Choosing a Device
11.1.1.3 Types of Network Tests
When implementing a small network, it is necessary to plan the IP addressing space. All hosts within an internetwork must have a unique address. The IP addressing scheme should be planned, documented and maintained based on the type of device receiving the address.
Examples of different types of devices that will factor into the IP design are:
- End devices for users
- Servers and peripherals
- Hosts that are accessible from the Internet
- Intermediary devices
Planning and documenting the IP addressing scheme helps the administrator track device types. For example, if all servers are assigned a host address between the range of 50-100, it is easy to identify server traffic by IP address. This can be very useful when troubleshooting network traffic issues using a protocol analyzer.
Additionally, administrators are better able to control access to resources on the network based on IP address when a deterministic IP addressing scheme is used. This can be especially important for hosts that provide resources to the internal network as well, as to the external network. Web servers or e-commerce servers play such a role. If the addresses for these resources are not planned and documented, the security and accessibility of the devices are not easily controlled. If a server has a random address assigned, blocking access to this address is difficult, and clients may not be able to locate this resource.
Each of these different device types should be allocated to a logical block of addresses within the address range of the network.
Click the buttons in the figure to see the method for assignment.
IPv4 Address Planning and Assignment
11.1.1.4 Applying Network Test Results
Another important part of network design is reliability. Even small businesses often rely heavily on their network for business operation. A failure of the network can be very costly. In order to maintain a high degree of reliability, redundancy is required in the network design. Redundancy helps to eliminate single points of failure. There are many ways to accomplish redundancy in a network. Redundancy can be accomplished by installing duplicate equipment, but it can also be accomplished by supplying duplicate network links for critical areas, as shown in the figure.
Small networks typically provide a single exit point toward the Internet via one or more default gateways. If the router fails, the entire network loses connectivity to the Internet. For this reason, it may be advisable for a small business to pay for a second service provider as backup.
Redundancy to a Data Center
- Data Center: If one server fails, another is there to handle customer requests.
- Links: If the link to one switch fails, the link to the second switch is still available.
- Switches: Redundant switches are present to avoid a switching failure.
- Routers: Router redundancy can help to ensure that application transactions received from external traffic can be handled in the event of a router or route failure.
11.1.2 Network Security Testing Tools
11.1.2.1 Network Testing Tools
The network is only as useful as the applications that are on it. There are two forms of software programs or processes that provide access to the network: network applications and application layer services.
Network Applications
Applications are the software programs used to communicate over the network. Some end-user applications are network-aware, meaning that they implement application layer protocols and are able to communicate directly with the lower layers of the protocol stack. Email clients and web browsers are examples of this type of application.
Application Layer Services
Other programs may need the assistance of application layer services to use network resources like file transfer or network print spooling. Though transparent to an employee, these services are the programs that interface with the network and prepare the data for transfer. Different types of data, whether text, graphics or video, require different network services to ensure that they are properly prepared for processing by the functions occurring at the lower layers of the OSI model.
Each application or network service uses protocols, which define the standards and data formats to be used. Without protocols, the data network would not have a common way to format and direct data. In order to understand the function of various network services, it is necessary to become familiar with the underlying protocols that govern their operation.
Use the Task Manager to view the current applications, processes, and services running on a Windows PC, as shown in the figure.
Common Applications in a Small Network
11.1.2.2 Nmap and Zenmap
Most of a technician’s work, in either a small or a large network, will in some way be involved with network protocols. Network protocols support the applications and services used by employees in a small network. Common network protocols are shown in the figure. Click each server for a brief description.
These network protocols comprise the fundamental toolset of a network professional. Each of these network protocols define:
- Processes on either end of a communication session
- Types of messages
- Syntax of the messages
- Meaning of informational fields
- How messages are sent and the expected response
- Interaction with the next lower layer
Many companies have established a policy of using secure versions of these protocols whenever possible. These protocols are HTTPS, SFTP, and SSH.
Network Services
Domain Name Server (DNS):
Service that provides the IP address of a web site or domain name so a host can connect to it.
SSH Server:
Service that allows administrators to log in to a host from a remote location and control the host as though they were logged in locally.
Email Server:
- Uses Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP3) or Internet Message Access Protocol (IMAP).
- Used to send email messages from clients to servers over the Internet.
- Recipients are specified using the user@xyz format.
Dynamic Host Configuration Protocol (DHCP) Server:
Service that assigns an IP address, subnet mask, default gateway and other information to clients.
Web Server:
- Hypertext Transfer Protocol (HTTP).
- Used to transfer information between web clients and web servers.
- Most web pages are accessed using HTTP.
File Transfer Protocol (FTP) Server:
Service that allows for download and upload of files between a client and server.
11.1.2.3 SuperScan
Businesses today are increasingly using IP telephony and streaming media to communicate with customers and business partners, as shown in Figure 1. The network administrator must ensure the proper equipment is installed in the network and that the network devices are configured to ensure priority delivery. Figure 2 shows elements of a small network that support real-time applications.
Infrastructure
To support the existing and proposed real-time applications, the infrastructure must accommodate the characteristics of each type of traffic. The network designer must determine whether the existing switches and cabling can support the traffic that will be added to the network.
VoIP
VoIP devices convert analog into digital IP packets. The device could be an analog telephone adapter (ATA) that is attached between a traditional analog phone and the Ethernet switch. After the signals are converted into IP packets, the router sends those packets between corresponding locations. VoIP is much less expensive than an integrated IP telephony solution, but the quality of communications does not meet the same standards. Voice and video over IP solutions for small businesses can be realized, for example, with Skype and non-enterprise versions of Cisco WebEx.
IP Telephony
In IP telephony, the IP phone itself performs voice-to-IP conversion. Voice-enabled routers are not required within a network with an integrated IP telephony solution. IP phones use a dedicated server for call control and signaling. There are now many vendors with dedicated IP telephony solutions for small networks.
Real-time Applications
To transport streaming media effectively, the network must be able to support applications that require delay-sensitive delivery. Real-Time Transport Protocol (RTP) and Real-Time Transport Control Protocol (RTCP) are two protocols that support this requirement. RTP and RTCP enable control and scalability of the network resources by allowing Quality of Service (QoS) mechanisms to be incorporated. These QoS mechanisms provide valuable tools for minimizing latency issues for real-time streaming applications.
11.1.2.4 SIEM
Essential functions:
- Forensic Analysis
- Correlation
- Aggregation
- Retention
11.1.2.5 Activity – Identify Network Security Testing Tools
11.2 Developing a Comprehensive Security Policy
11.2.1 Security Policy Overview
11.2.1.1 Secure Network Life Cycle
Whether wired or wireless, computer networks are essential to everyday activities. Individuals and organizations alike depend on their computers and networks. Intrusion by an unauthorized person can result in costly network outages and loss of work. Attacks on a network can be devastating and can result in a loss of time and money due to damage or theft of important information or assets.
Intruders can gain access to a network through software vulnerabilities, hardware attacks or through guessing someone’s username and password. Intruders who gain access by modifying software or exploiting software vulnerabilities are often called hackers.
After the hacker gains access to the network, four types of threats may arise, as shown in the figure. Click each image for more information.
- Information Theft – This is breaking into a computer to obtain confidential information. Information can be used or sold for various purposes. Example: stealing an organization’s proprietary information, such as research and development information.
- Data Loss and Manipulation – This is breaking into a computer to destroy or alter data records. Examples of data loss: sending a virus that reformats a computer’s hard drive. Examples of data manipulation: breaking into a records system to change information, such as the price of an item.
- Identity Theft – This is a form of information theft where personal information is stolen for the purpose of taking over someone’s identity. Using this information, an individual can obtain legal documents, apply for credit, and make unauthorized online purchases. Identity theft is a growing problem costing billions of dollars per year.
- Disruption of Service – This is preventing legitimate users from accessing services to which they should be entitled.
Examples: Denial of Service (DoS) attacks on servers, network devices, or network communications links
11.2.1.2 Security Policy
An equally important vulnerability is the physical security of devices. An attacker can deny the use of network resources if those resources can be physically compromised.
The four classes of physical threats are:
- Hardware threats – physical damage to servers, routers, switches, cabling plant, and workstations
- Environmental threats – temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
- Electrical threats – voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
- Maintenance threats – poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling
These issues must be dealt with in an organizational policy, as shown in the figure.
Secure Computer Room Floor Plan
Plan Physical Security to Limit Damage to the Equipment
- Lock up equipment and prevent unauthorized access from the doors, ceiling, raised floor, windows, ducts, and vents.
- Monitor and control closet entry with electronic logs.
- Use security cameras.
11.2.1.3 Security Policy Audience
Vulnerability is the degree of weakness which is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices. Typically, the network devices under attack are the endpoints, such as servers and desktop computers.
There are three primary vulnerabilities or weaknesses:
- Technological, as shown in Figure 1
- Configuration, as shown in Figure 2
- Security policy, as shown in Figure 3
All three of these vulnerabilities or weaknesses can lead to various attacks, including malicious code attacks and network attacks.
Figure 1 – Vulnerabilities – Technology
Network Security Weaknesses
TCP/IP Protocol Weakness
- Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Internet Control Message Protocol (ICMP) are inherently insecure.
- Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) are related to the inherently insecure structure upon which TCP was designed.
Operating System Weakness
- Each operating system has security problems that must be addressed.
- UNIX, Linux, Mac OS, Mac OS X, Windows Server 2012, Windows 7, Windows 8
- They are documented in the Computer Emergency Response Team (CERT) archives at http://www.cert.org.
Network Equipment Weakness
Various types of network equipment, such as routers, firewalls, and switches have security weaknesses that must be recognized and protected against. Their weaknesses include password protection, lack of authentication, routing protocols, and firewall holes.
Figure 2 – Vulnerabilities – Configuration
| Configuration Weakness | How the Weakness is Exploited |
|---|---|
| Unsecured user accounts | User account information may be transmitted insecurely across the network, exposing usernames and passwords to snoopers. |
| System accounts with easily guessed passwords | This common problem is the result of poorly selected and easily guessed user passwords. |
| Misconfigured Internet services | A common problem is to turn on JavaScript in Web browsers, enabling attacks by way of hostile JavaScript when accessing untrusted sites. Other potential sources of weaknesses include misconfigured terminal services, FTP, or Web servers (e.g., Microsoft Internet Information Services (IIS), Apache HTTP Server). |
| Unsecured default settings within products | Many products have default settings that enable security holes. |
| Misconfigured network equipment | Misconfigurations of the equipment itself can cause significant security problems. For example, misconfigured access lists, routing protocols, or SNMP community strings can open up large security holes. |
Figure 3 – Vulnerabilities – Policy
| Policy Weakness | How the Weakness is Exploited |
|---|---|
| Lack of written security policy | An unwritten policy cannot be consistently applied or enforced. |
| Politics | Political battles and turf wars can make it difficult to implement a consistent security policy. |
| Lack of authentication continuity | Poorly chosen, easily cracked, or default passwords can allow unauthorized access to the network. |
| Logical access controls not applied | Inadequate monitoring and auditing allow attacks and unauthorized use to continue, wasting company resources. This could result in legal action or termination against IT technicians, IT management, or even company leadership that allows these unsafe conditions to persist. |
| Software and hardware installation and changes do not follow policy | Unauthorized changes to the network topology or installation of unapproved applications create security holes. |
| Disaster recovery plan is nonexistent | The lack of a disaster recovery plan allows chaos, panic, and confusion to occur when someone attacks the enterprise. |
11.2.2 Structure of a Security Policy
11.2.2.1 Security Policy Hierarchy
Malware or malicious code (malcode) is short for malicious software. It is code or software that is specifically designed to damage, disrupt, steal, or inflict “bad” or illegitimate action on data, hosts, or networks. Viruses, worms, and Trojan horses are types of malware.
Click Play to view an animation on these three threats.
Types of Malware
Viruses
A computer virus is a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.
Worms
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. A worm does not need to attach to a program to infect a host and enter a computer through a vulnerability in the system. Worms take advantage of system features to travel through the network unaided.
Trojan Horses
A Trojan horse is another type of malware named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojan horses are also known to create back doors to give malicious users access to the system.
Unlike viruses and worms, Trojan horses do not reproduce by infecting other files, nor do they self-replicate. Trojan horses must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.
11.2.2.2 Governing Policy
In addition to malicious code attacks, it is also possible for networks to fall prey to various network attacks. Network attacks can be classified into three major categories:
- Reconnaissance attacks – the discovery and mapping of systems, services, or vulnerabilities
- Access attacks – the unauthorized manipulation of data, system access, or user privileges
- Denial of service – the disabling or corruption of networks, systems, or services
For reconnaissance attacks, external attackers can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity. After the IP address space is determined, an attacker can then ping the publicly available IP addresses to identify the addresses that are active. To help automate this step, an attacker may use a ping sweep tool, such as fping or gping, which systematically pings all network addresses in a given range or subnet. This is similar to going through a section of a telephone book and calling each number to see who answers.
Click each type of reconnaissance attack tool to see an animation of the attack.
Internet Queries
Ping Sweeps
Port Scans
Packet Sniffers
11.2.2.3 Technical Policies
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. An access attack allows an individual to gain unauthorized access to information that they have no right to view. Access attacks can be classified into four types:
- Password attacks (Figure 1)
- Trust Exploitation (Figure 2)
- Port Redirection (Figure 3)
- Man-in-the-Middle (Figure 4)
Password Attack
Attackers Can Implement Password Attacks Using Several Different Methods
- Brute-force attacks
- Trojan horse programs
- Packet sniffers
Trust Exploitation Example
| Network OS | Trust Models |
|---|---|
| Windows | Domains Active Directory (AD) |
| Linux and UNIX | Network File System (NFS) Network Information Service Plus (NIS+) |
Trust Exploitation Example
Port Redirection
Man-in-the-Middle
11.2.2.4 End User Policies
Denial of Service (DoS) attacks are the most publicized form of attack and also among the most difficult to eliminate. Even within the attacker community, DoS attacks are regarded as trivial and considered bad form because they require so little effort to execute. But because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators.
DoS attacks take many forms. Ultimately, they prevent authorized people from using a service by consuming system resources.
Click the buttons in the figure to see examples of DoS and DDoS attacks.
To help prevent DoS attacks it is important to stay up to date with the latest security updates for operating systems and applications. For example, the ping of death is no longer a threat because updates to operating systems have fixed the vulnerability that it exploited.
DoS Attack
| Resource Overloads | Malformed Data |
|---|---|
| Disk space, bandwidth, buffers | Oversized packets such as ping of death |
| Ping floods such as smurf | Overlapping packet such as winuke |
| Packet storms such as UDP bombs and fraggle | Unhandled data such as teardrop |
DoS attacks prevent authorized people from using a service by using up system resources.
Ping of Death
SYN Flood
DDoS
Attacker uses many intermediate hosts, called zombies, to launch the attack.
Smurf Attack
11.2.3 Standards, Guidelines, and Procedures
11.2.3.1 Security Policy Documents
Backup, Upgrade, Update, and Patch
Keeping up-to-date with the latest developments can lead to a more effective defense against network attacks. As new malware is released, enterprises need to keep current with the latest versions of antivirus software.
The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems. Administering numerous systems involves the creation of a standard software image (operating system and accredited applications that are authorized for use on client systems) that is deployed on new or upgraded systems. However, security requirements change and already deployed systems may need to have updated security patches installed.
One solution to the management of critical security patches is to create a central patch server that all systems must communicate with after a set period of time, as shown in the figure. Any patches that are not applied to a host are automatically downloaded from the patch server and installed without user intervention.
11.2.3.2 Standards Documents
Authentication, authorization, and accounting (AAA, or “triple A”) network security services provide the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and what actions they perform while accessing the network (accounting).
The AAA Concept is Similar to the Use of a Credit Card
The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it, how much that user can spend, and keeps account of what items the user spent money on, as shown in the figure.
11.2.3.3 Guideline Documents
A firewall is one of the most effective security tools available for protecting users from external threats. Network firewalls reside between two or more networks, control the traffic between them, and help prevent unauthorized access. Host-based firewalls or personal firewalls are installed on end systems. Firewall products use various techniques for determining what is permitted or denied access to a network. These techniques are:
- Packet filtering – Prevents or allows access based on IP or MAC addresses
- Application filtering – Prevents or allows access by specific application types based on port numbers
- URL filtering – Prevents or allows access to websites based on specific URLs or keywords
- Stateful packet inspection (SPI) – Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks, such as denial of service (DoS)
Firewall products may support one or more of these filtering capabilities. Firewall products come packaged in various forms, as shown in the figure. Click each type to see more information.
- Cisco Security Appliances – Dedicated firewall devices are specialized computers that do not have peripherals or hard drives. Appliance-based firewalls can inspect traffic faster and are less prone to failure.
- Linksys Wireless Router with Integrated Firewall – Most home integrated routers have built-in basic firewall capabilities that support packet, application, and web site filtering. Higher-end routers that run special operating systems like Cisco Internetwork Operating System (IOS) also have firewall capabilities that can be configured.
- Server-Based Firewall – Firewall applications that generally provide a solution that combines an SPI firewall and access control based on IP address or application. Server-based firewalls can be less secure than dedicated, appliance-based firewalls because of the security weaknesses of the general purpose OS.
- Personal Firewall – Client-side firewalls that typically filter using SPI. The user may be prompted to allow certain applications to connect or may define a list of automatic exceptions. Personal firewalls are often used when a host device is connected directly to an ISP modem. It may interfere with Internet access if not properly configured. It is not recommended to use more than one personal firewall at a time since they can conflict with one another.
11.2.3.4 Procedure Documents
Endpoint Security
An endpoint, or host, is an individual computer system or device that acts as a network client. Common endpoints, as shown in the figure, are laptops, desktops, servers, smartphones, and tablets. Securing endpoint devices is one of the most challenging jobs of a network administrator because it involves human nature. A company must have well-documented policies in place and employees must be aware of these rules. Employees need to be trained on proper use of the network. Policies often include the use of antivirus software and host intrusion prevention. More comprehensive endpoint security solutions rely on network access control.
11.2.4 Roles and Responsibilities
11.2.4.1 Organizational Reporting Structure
Locking Down Your Router
When a new operating system is installed on a device, the security settings are set to the default values. In most cases, this level of security is inadequate. For Cisco routers, the Cisco AutoSecure feature can be used to assist securing the system, as shown in the figure. In addition, there are some simple steps that should be taken that apply to most operating systems:
- Default usernames and passwords should be changed immediately.
- Access to system resources should be restricted to only the individuals that are authorized to use those resources.
- Any unnecessary services and applications should be turned off and uninstalled when possible.
Often, devices shipped from the manufacturer have been sitting in a warehouse for a period of time and do not have the most up-to-date patches installed. It is important to update any software and install any security patches prior to implementation.
11.2.4.2 Common Executive Titles
To protect network devices, it is important to use strong passwords. Here are standard guidelines to follow:
- Use a password length of at least 8 characters, preferably 10 or more characters. A longer password is a better password.
- Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
- Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
- Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
- Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.
- Do not write passwords down and leave them in obvious places such as on the desk or monitor.
The figure shows examples of strong and weak passwords.
On Cisco routers, leading spaces are ignored for passwords, but spaces after the first character are not. Therefore, one method to create a strong password is to use the space bar and create a phrase made of many words. This is called a passphrase. A pass phrase is often easier to remember than a simple password. It is also longer and harder to guess.
11.2.5 Security Awareness and Training
11.2.5.1 Security Awareness Program
Router File Systems
The Cisco IOS File System (IFS) allows the administrator to navigate to different directories and list the files in a directory, and to create subdirectories in flash memory or on a disk. The directories available depend on the device.
Figure 1 displays the output of the show file systems command, which lists all of the available file systems on a Cisco 1941 router. This command provides useful information such as the amount of available and free memory, the type of file system, and its permissions. Permissions include read only (ro), write only (wo), and read and write (rw), shown in the Flags column of the command output.
File Systems
Although there are several file systems listed, of interest to us will be the tftp, flash, nvram, and usbflash file systems.
Notice that the flash file system also has an asterisk preceding it. This indicates that flash is the current default file system. The bootable IOS is located in flash; therefore, the pound symbol (#) is appended to the flash listing, indicating that it is a bootable disk.
The Flash File System
Figure 2 displays the output from the dir command. Because flash is the default file system, the dir command lists the contents of flash. Several files are located in flash, but of specific interest is the last listing. This is the name of the current Cisco IOS file image that is running in RAM.
Flash
The NVRAM File System
To view the contents of NVRAM, you must change the current default file system using the cd (change directory) command, as shown in Figure 3. The pwd (present working directory) command verifies that we are viewing the NVRAM directory. Finally, the dir (directory) command lists the contents of NVRAM. Although there are several configuration files listed, of specific interest is the startup-configuration file.
NVRAM
11.2.5.2 Awareness Campaigns
With the Cisco 2960 switch flash file system, you can copy configuration files, and archive (upload and download) software images.
The command to view the file systems on a Catalyst switch is the same as on a Cisco router: show file systems, as shown in the figure.
11.2.5.3 Security Training Course
Backup Configurations with Text Capture (Tera Term)
Configuration files can be saved/archived to a text file using Tera Term.
As shown in the figure, the steps are:
Step 1. On the File menu, click Log.
Step 2. Choose the location to save the file. Tera Term will begin capturing text.
Step 3. After capture has been started, execute the show running-config or show startup-config command at the privileged EXEC prompt. Text displayed in the terminal window will be directed to the chosen file.
Step 4. When the capture is complete, select Close in the Tera Term: Log window.
Step 5. View the file to verify that it was not corrupted.
Restoring Text Configurations
A configuration can be copied from a file to a device. When copied from a text file and pasted into a terminal window, the IOS executes each line of the configuration text as a command. This means that the file will require editing to ensure that encrypted passwords are in plain text and that non-command text such as “–More–” and IOS messages are removed. This process is discussed in the lab.
Further, at the CLI, the device must be set at the global configuration mode to receive the commands from the text file being pasted into the terminal window.
When using Tera Term, the steps are:
Step 1. On the File menu, click Send file.
Step 2. Locate the file to be copied into the device and click Open.
Step 3. Tera Term will paste the file into the device.
The text in the file will be applied as commands in the CLI and become the running configuration on the device. This is a convenient method for manually configuring a router.
Saving to a Text File in Tera Term
1. Start the log process.
2. Issue a show running-config command.
3. Close the log
11.2.5.4 Educational Program
Backup Configurations with TFTP
Copies of configuration files should be stored as backup files in the event of a problem. Configuration files can be stored on a Trivial File Transfer Protocol (TFTP) server or a USB drive. A configuration file should also be included in the network documentation.
To save the running configuration or the startup configuration to a TFTP server, use either the copy running-config tftp or copy startup-config tftp command as shown in the figure. Follow these steps to backup the running configuration to a TFTP server:
Step 1. Enter the copy running-config tftp command.
Step 2. Enter the IP address of the host where the configuration file will be stored.
Step 3. Enter the name to assign to the configuration file.
Step 4. Press Enter to confirm each choice.
Restoring Configurations with TFTP
To restore the running configuration or the startup configuration from a TFTP server, use either the copy tftp running-config or copy tftp startup-config command. Use these steps to restore the running configuration from a TFTP server:
Step 1. Enter the copy tftp running-config command.
Step 2. Enter the IP address of the host where the configuration file is stored.
Step 3. Enter the name to assign to the configuration file.
Step 4. Press Enter to confirm each choice.
11.2.6 Responding to a Security Breach
11.2.6.1 Motive, Opportunity, and Means
11.2.6.2 Collecting Data
11.3 Summary
11.3.1 Conclusion
11.3.1.1 Packet Tracer – Skills Integration Challenge
11.3.1.1 Packet Tracer – Skills Integration Challenge
Using the ping command is an effective way to test connectivity. The ping command uses the Internet Control Message Protocol (ICMP) and verifies Layer 3 connectivity. The ping command will not always pinpoint the nature of a problem, but it can help to identify the source of the problem, an important first step in troubleshooting a network failure.
IOS Ping Indicators
A ping issued from the IOS will yield one of several indications for each ICMP echo request that was sent. The most common indicators are:
- ! – indicates receipt of an ICMP echo reply message, as shown in Figure 1
- . – indicates a time expired while waiting for an ICMP echo reply message
- U – an ICMP unreachable message was received
The “.” (period) may indicate that a connectivity problem occurred somewhere along the path. It may also indicate that a router along the path did not have a route to the destination and did not send an ICMP destination unreachable message. It also may indicate that the ping was blocked by device security. When sending a ping on an Ethernet LAN, it is common for the first echo request to timeout if the ARP process is required.
IOS Ping Indicators
The “U” indicates that a router along the path responded with an ICMP unreachable message. The router either did not have a route to the destination address, or that the ping request was blocked.
Testing the Loopback
The ping command can also be used to verify the internal IP configuration on the local host by pinging the loopback address, 127.0.0.1, as shown in Figure 2. This verifies the proper operation of the protocol stack from the network layer to the physical layer, and back, without actually putting a signal on the media.
Testing the Loopback
11.3.1.2 Lab – CCNA Security Comprehensive Lab
11.3.1.2 Lab – CCNA Security ASA 5505 Comprehensive
11.3.1.2 Lab – CCNA Security ASA 5506-X Comprehensive
The Cisco IOS offers an “extended” mode of the ping command. This mode is entered by typing ping in privileged EXEC mode, without a destination IP address. As shown in the figure, a series of prompts are then presented. Pressing Enter accepts the indicated default values. The example illustrates how to force the source address for a ping to be 10.1.1.1 (see R2 in the figure); the source address for a standard ping would be 209.165.200.226. By doing this, the network administrator can verify from R2 that R1 has a route to 10.1.1.0/24.
Note: The ping ipv6 command is used for IPv6 extended pings.
11.3.1.3 Chapter 11: Managing a Secure Network
One of the most effective tools for monitoring and troubleshooting network performance is to establish a network baseline. Creating an effective network performance baseline is accomplished over a period of time. Measuring performance at varying times (Figures 1 and 2) and loads will assist in creating a better picture of overall network performance.
Run the Same Test
At Different Times
The output derived from network commands contributes data to the network baseline.
One method for starting a baseline is to copy and paste the results from an executed ping, trace, or other relevant commands into a text file. These text files can be time stamped with the date and saved into an archive for later retrieval and comparison (Figure 3). Among items to consider are error messages and the response times from host to host. If there is a considerable increase in response times, there may be a latency issue to address.
Compare Values
Corporate networks should have extensive baselines; more extensive than we can describe in this course. Professional-grade software tools are available for storing and maintaining baseline information. In this course, we cover a few basic techniques and discuss the purpose of baselines.
Best practices for baseline processes can be found here.