CCNA security — Part 1 : Networking Security Concepts

M'hirsi Hamza
7 min readOct 29, 2018

--

Source

Hi Medium !

Days ago, I started a new training course called “CCNA Security 210–260”, where we will explore in a series of 19 Articles:

Modules

  1. Networking Security Concepts Done
  2. Common Security Threats Done
  3. Implementing AAA in Cisco IOS
  4. Bring Your Own Device (BYOD)
  5. Fundamentals of VPN Technology and Cryptography
  6. Fundamentals of IP Security
  7. Implementing IPsec Site-to-Site VPNs
  8. Implementing SSL VPNs Using Cisco ASA
  9. Securing Layer 2 Technologies
  10. Network Foundation Protection
  11. Securing the Management Plane on Cisco IOS Devices
  12. Securing the Data Plane in IPv6
  13. Securing Routing Protocols and the Control Plane
  14. Understanding Firewall Fundamentals
  15. Implementing Cisco IOS Zone-Based Firewalls
  16. Configuring Basic Firewall Policies on Cisco ASA
  17. Cisco IDS/IPS Fundamentals
  18. Mitigation Technologies for E-mail-Based and Web-Based Threats
  19. Mitigation Technologies for Endpoint Threats

In this article we will talk about the concept of network security in different steps:

- Security Terms
- Network Security Objectives
Classifying Assets
TLP Protocol
Classifying Vulnerabilities
Classifying Countermeasure
- Recognizing Current Network Threats
1. Potential Attackers
2. Attack Methods
3. Attack Vectors
- Applying Fundamental Security Principles to Network Design
1. Guidelines for Secure Network Architecture
2. Network Topology
- Network Security for a Virtual Environment

Security Terms

In all following chapters we will use too many terms:

  • Asset — Every thing that we need to protect include people, and information/data that have value to the company.
  • Vulnerability — A vulnerability is a weakness on our system that can be exploited by an attacker (vulnerability + exploitation = attack).
  • Threat — A threat is a danger that can exploit a vulnerability to gain access to important data.
  • Risk — Risk is the potential of losing or gaining something important, a risk is something that we can protect with countermeasure (risk — countermeasure = vulnerability)
  • Countermeasure — To mitigate a threat, or minimize the risk we use countermeasure.

Network Security Objectives

You can see networks from different perspective (performance, security), for us we need to protect our network from different attacks with ensuring the following CIA: confidentiality, integrity and availability.
The best solution to perfectly protect our network is to mitigate to every risk (full-risk), classifying those objective will help us to sort risk according to their importance (most critical to less critical)

+ Classifying Assets

Every company have her own Policy that will help us to classify all the assets.

+ TLP Protocol

The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). This site provide more information about TLP protocol https://www.us-cert.gov/tlp, you can check this article Via FIRST: Traffic Light Protocol (TLP) version 1.0 by Karl M.‍

Source

+ Classifying Vulnerabilities

“Understanding the weaknesses and vulnerabilities in a system or network is a huge step toward correcting the vulnerability or putting in appropriate countermeasures to mitigate threats against those vulnerabilities.
The Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known security vulnerabilities and exposures.. There is also a National Vulnerability Database (NVD) , which is a repository of standards-based vulnerability information. (you can check those links for more information).” — Cisco 210–260

+ Classifying Countermeasure

This part is too important where we understand countermeasures perfectly and their types:

  • Administrative: This is the guideline, the policy that each user must verify and sign, and must be checked in every change.
  • Physical: It’s the physical security of network servers, infrastructure, and equipment.
  • Logical: This is the technical part, logical controls is about setting passwords, intrusion prevention systems, firewalls and so on.

Knowing how to deal with risks is too important, and we will discover them together in all those following chapter, after understanding each concept; we can easily enumerate and mitigate all the risks.

Recognizing Current Network Threats

  1. Potential Attackers

There is too many attackers type (terrorism, political..) but we generally classify them on 3 types, you can check this article for more information Hackers and Pentesters by Hamza M’hirsi‍

2. Attack Methods

There is too many variety of technique used in attacks and we need to know the most of the:

  • Reconnaissance — This is the most important part before attacking where we collect different information about the network by scanning it using different methods tiring to know the topology; using nmap for example — you can check this article How to write an Nmap script by Chiheb Chebbi‍ — this is a part of enumeration phase. Enumeration by Hamza M’hirsi‍
  • Social engineering — The term “social engineering” as an act of psychological manipulation of a human, is also associated with the social sciences, but its usage has caught-on among computer and information security professionals. [Source: Wikipedia ], check this article How to Perform Social Engineering Engagement using SEEF by Chiheb Chebbi
  • Privilege escalation — This is the proccess of gaining more privilege on a system, for example going from a normal user to a root user.
  • Back doors — When someone gain access to your system he would prefer to access easily in the next future, so he create a script that will help him to gain access to your system when ever he want.
  • Code execution — The damage that an attacker can deal in based on the privilege that he gain, and the commands that he can run.
  • Man-in-the-Middle — This attack in implemented on layer2,3 of OSI Model, that give the attacker the possibility of sniffing the traffic and catch important information like passwords and usernames. Check this article Man-in-the-middle tutorial with bettercap by Gergely Révay‍
  • Covert channel — This method is to send a payload encapsulated on the permitted traffic between two peers.
  • Trust exploitation — “If the firewall has three interfaces, and the outside interface allows all traffic to the demilitarized zone (DMZ) but not to the inside network, and the DMZ allows access to the inside network from the DMZ, an attacker could leverage that by gaining access to the DMZ and using that location to launch his attacks from there to the inside network.” Cisco 210–260
  • Brute-force — This attack is when an attacker try thousand of combination in the objective is to guess login and password.
  • Botnet — Is an infected host that can an attacker use to simulate his attack.
  • DoS and DDoS — a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. A distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, disrupting trade. [Source: Wikipedia ], check this article DOS, DoS & DDoS by netsecml‍

3.Attack Vectors

We need to be aware not only from outside attackers, also attack that are launched from people and device inside our company can deal more damage, now company allow employees to bring their own devices (BYOD). Taking on consideration the risk of those attacks will push as to implement authentication and users control.

Applying Fundamental Security Principles to Network Design

  1. Guidelines for Secure Network Architecture

We need some guidelines in place that will help us to implement and design our network:

  • Rule of least privilege — provide always the minimal access needed.
  • Defense in depth — Implement security in every point of your network, so traffic will be filtered too many time on router, firewall, IPS….
  • Separation of duties — Never give all control in the hand of different users so you can detect from where the attack is comming, changing privilege for user may be a solution also.
  • Auditing — Keeping records about all users will help for auditing and detecting threat where we im authentication, authorization, and accounting (AAA).

2. Network Topology

The topology of the network depend on the type and the size. In Cisco book we discover most used and secure topology:

  • Campus-Area Network (CAN) — is the network topology of the corporate office (headquarters) where we provide connectivity between all the part of the network.
  • Cloud, Wide-Area Network (WAN) — The cloud and WAN provide a logical and physical location for data and applications that an organization prefers to have moved off-site. — CCNA Security 210–260
  • Data Center — This network is provided by a series of Nexus switches that contain Unified Computing System (UCS), voice gateways… The network is protected by firewalls that filter all traffic.
  • Small office/Home office (SOHO) — This will provide connectivity to the SOHO users through the use of WAN routers that will connect them to the CAN.

Network Security for a Virtual Environment

Cisco has created technologies and products such as the Application Centric Infrastructure (ACI) ecosystem and the Cisco ASAv (virtual ASA) to provide security solutions for today’s data center demands. The challenge of using physical firewalls and other security appliances in a virtualized environment is that sometimes the traffic does not leave the physical server (often referred to as bare metal). Subsequently, a virtual security solution is needed. — CCNA Security 210–260

Summary

In this certification we need to keep in mind CIA concept in every part discussed (confidentiality, data integrity, and availability), and we will conclude directly what we need to protect in each part we discover in this training

Main resource

CCNA Security 210–260 Book

--

--

M'hirsi Hamza

Cyber Security Architect at Rakuten Symphony Deutschland, talks about #innovation, #technology, #cyberattack, #cyberdefense, and #cybersecurity