4. UNDERSTANDING ROUTERS
• Routers are hardware devices used on a network to send packets to different network segments
• Operate at the network layer of the OSI model
• Routing protocols used by routers
  • Link-state routing protocol
    • Router advertises its link state to identify the network topology and any changes on paths
  • Distance-vector routing protocol
    • Router passes its routing table to all routers participating on the network
5. UNDERSTANDING BASIC HARDWARE ROUTERS
• Cisco routers are widely used in the networking community
• More than one million Cisco 2500 series routers are currently being used by companies around the world
• Vulnerabilities exist in Cisco IOS as they do in any operating system
  • Security professionals must consider these vulnerabilities when conducting a security test
6. CISCO ROUTER COMPONENTS
• A Cisco router uses the Cisco Internetwork Operating System (IOS) to function
• Components
  • Random access memory (RAM)
    • Holds the router’s running configuration, routing tables, and buffers
    • If you turn off the router, the contents stored in RAM are wiped out
  • Nonvolatile RAM (NVRAM)
    • Holds the router’s configuration file; the information is not lost if the router is turned off
7. CISCO ROUTER COMPONENTS (CONTINUED)
• Components (continued)
  • Flash memory
    • Holds the IOS image the router is using
    • Is rewritable memory, so you can upgrade the IOS
  • Read-only memory (ROM)
    • Contains a minimal version of the IOS used to boot the router if flash memory gets corrupted
  • Interfaces
    • Hardware connectivity points
    • Example: an Ethernet port is an interface that connects to a LAN
8. CISCO ROUTER CONFIGURATION
• Configuration modes:
  • User mode
    • Administrator can perform basic troubleshooting tests and list information stored on the router
    • The prompt Router-name> indicates that you are in user mode
  • Privileged mode
    • Administrator can perform full router configuration tasks
    • The prompt Router-name# indicates that you are in privileged mode
• By default, you are in user mode
  • Type “enable” or “en” to change to privileged mode
9. CISCO ROUTER CONFIGURATION (CONTINUED)
• Once in privileged mode, you can change to two more configuration modes
  • Global configuration mode
    • Administrator can configure router settings that affect overall router operation
    • To use this mode, you enter the command config t at the Router-name# prompt
    • The prompt Router-name(config)# indicates that you are in global configuration mode
10. CISCO ROUTER CONFIGURATION (CONTINUED)
• Once in privileged mode, you can change to two more configuration modes (continued)
  • Interface configuration mode
    • Administrator can configure an interface on the router
    • To use this mode, you enter global configuration mode first
    • Next, you enter the command for interface configuration mode and the name of the interface you want to configure
    • The prompt Router-name(config-if)# indicates that you are in interface configuration mode
11. UNDERSTANDING ACCESS CONTROL LISTS
• There are several types of access control lists
  • We will focus on IP access lists
• IP access lists
  • Lists of IP addresses, subnets, or networks that are allowed or denied access through a router’s interface
• Two different types of access lists on a Cisco router
  • Standard IP access lists
  • Extended IP access lists
12. STANDARD IP ACCESS LISTS
• Can restrict IP traffic entering or leaving a router’s interface based on source IP address
• The syntax of a standard access list is as follows:
    access-list [list #] [permit|deny] [source address] [source wildcard mask]
  • [list #] is a number in the range of 1 to 99
  • [permit|deny] are keywords to permit or deny traffic
  • [source address] specifies the IP address of the source host
  • [source wildcard mask] signifies which bits of the source address are significant
13. STANDARD IP ACCESS LISTS (CONTINUED)
• Example:
    access-list 1 deny 173.110.0.0 0.0.255.255
    access-list 1 permit any
• A wildcard mask is similar to a subnet mask
  • Example: access-list 1 deny 10.10.1.112 0.0.0.0
  • The 0s used after the IP address signify that every octet of the source address must match the IP address being filtered
• Another example:
    access-list 1 deny 192.168.10.0 0.0.0.255
    access-list 1 permit any
14. STANDARD IP ACCESS LISTS (CONTINUED)
• Cisco allows the keyword host as a shortcut for the mask 0.0.0.0
    access-list 1 deny host 192.168.10.112
• Access lists always end with an implicit deny rule
  • To avoid dropping every packet that no entry matched, you must add a “permit any” statement
    access-list 1 deny host 192.168.10.112
    access-list 1 permit any
• Steps for applying the access list to an interface
  • Enter global configuration mode
  • Create the access list
  • Enter interface configuration mode
  • Use the ip access-group command
15. STANDARD IP ACCESS LISTS (CONTINUED)
• Example
    Router> en
    Password: ******
    Router# config t
    Router(config)# access-list 1 deny 172.16.5.0 0.0.0.255
    Router(config)# access-list 1 permit any
    Router(config)# int e0
    Router(config-if)# ip access-group 1 out
    Router(config-if)# ^Z   [Ctrl+Z leaves configuration mode; the list is now active in the running configuration, which is lost on power-off unless copied to NVRAM]
    Router#
16. EXTENDED IP ACCESS LISTS
• Allow packet filtering based on
  • Source IP address
  • Destination IP address
  • Protocol type
  • Application port number
• Syntax for extended IP access lists
    access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [destination IP address] [destination wildcard mask] [operator] [port] [log]
  • [list #] is a number in the range of 100 to 199
  • [permit|deny] are keywords to permit or deny traffic
17. EXTENDED IP ACCESS LISTS (CONTINUED)
• Syntax for extended IP access lists (continued)
  • [protocol] can be ip, tcp, udp, icmp, and so on
  • [source IP address] is the IP address of the source
  • [source wildcard mask] determines the significant bits of the source IP address
  • [destination IP address] is the IP address of the destination
  • [destination wildcard mask] determines the significant bits of the destination IP address
  • [operator] can be lt, gt, eq, or neq (less than, greater than, equal, not equal)
18. EXTENDED IP ACCESS LISTS (CONTINUED)
• Syntax for extended IP access lists (continued)
  • [port] is the port number (or name, such as www) of the protocol to be filtered
  • [log] logs all matches of the access list entry for the administrator
• Example:
    access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100 eq www
19. EXTENDED IP ACCESS LISTS (CONTINUED)
• Applying an access list to an interface
    Router> en
    Password: ******
    Router# config t
    Router(config)# access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100
    Router(config)# access-list 100 permit ip any any
    Router(config)# int e0
    Router(config-if)# ip access-group 100 in
    Router(config-if)# ^Z
    Router#
  • Note that an extended list needs a protocol and both a source and a destination in every entry, so the final entry is permit ip any any, not permit any
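The standard and extended access lists from the slides above, worked in code. This is an added Python example, not taken from the slides and not Cisco IOS code: a small evaluator that parses standard (1-99) and extended (100-199) access-list lines, applies the wildcard mask, the host and any shortcuts, the lt/gt/eq/neq port operators, first-match-wins ordering and the implicit deny at the end of every list. The PORT_NAMES table, the Packet class and the sample lists that do not appear on the slides (DENY_ONLY) are my own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports IOS accepts in place of numbers (a small subset, enough for the slides).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")          # "any": every bit is "do not care"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored (inverse of a subnet mask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A' (shortcut for wildcard 0.0.0.0) or 'A WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ANY[0], ANY[1], i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


@dataclass
class Entry:
    number: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every protocol; standard lists are always "ip"
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]             # standard lists cannot test the destination -> ANY
    port_op: Optional[str] = None    # lt, gt, eq, neq
    port: Optional[int] = None
    log: bool = False


def parse_acl_line(line: str) -> Entry:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                       # standard list: source address only
        base, wild, _ = _parse_addr(t, 3)
        return Entry(number, action, "ip", (base, wild), ANY)
    if 100 <= number <= 199:                    # extended list
        proto = t[3].lower()
        sb, sw, i = _parse_addr(t, 4)
        db, dw, i = _parse_addr(t, i)
        op = port = None
        if i < len(t) and t[i] in ("lt", "gt", "eq", "neq"):
            op, p = t[i], t[i + 1]
            port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
            i += 2
        return Entry(number, action, proto, (sb, sw), (db, dw), op, port, i < len(t) and t[i] == "log")
    raise ValueError(f"list number {number} is outside the standard (1-99) and extended (100-199) ranges")


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"             # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


def _port_ok(op: Optional[str], want: Optional[int], have: Optional[int]) -> bool:
    if op is None:
        return True                               # the entry does not test the port
    if have is None:
        return False
    return {"eq": have == want, "neq": have != want, "lt": have < want, "gt": have > want}[op]


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the list top-down; the first matching entry decides; no match -> implicit deny."""
    for line in acl:
        e = parse_acl_line(line)
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if not _port_ok(e.port_op, e.port, pkt.dport):
            continue
        return e.action, line
    return "deny", None                           # the implicit deny every list ends with


# The lists from the slides, plus a constructed one that forgets "permit any".
STANDARD_ACL = ["access-list 1 deny 172.16.5.0 0.0.0.255", "access-list 1 permit any"]
EXTENDED_ACL = ["access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100 eq www",
                "access-list 100 permit ip any any"]
DENY_ONLY = ["access-list 1 deny host 192.168.10.112"]

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, Packet("172.16.5.77", "10.1.1.1")))
    print(evaluate(EXTENDED_ACL, Packet("172.16.1.112", "172.30.1.100", "tcp", 80)))
    print(evaluate(DENY_ONLY, Packet("10.9.9.9", "10.1.1.1")))   # ("deny", None): the implicit deny
```

The third call is the case the slides warn about: a list that contains only deny entries matches nothing for an unlisted host, so the packet falls through to the implicit deny and the returned line is None.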
20. UNDERSTANDING FIREWALLS
• Firewalls are hardware devices or software installed on a system and have two purposes
  • Controlling access to all traffic that enters an internal network
  • Controlling all traffic that leaves an internal network
• Advantages of hardware firewalls
  • They are usually faster than software firewalls
  • They can handle a larger throughput than software firewalls
21. UNDERSTANDING FIREWALLS (CONTINUED)
• Disadvantage of hardware firewalls
  • You are locked into the firewall’s hardware
• Advantage of software firewalls
  • You can easily add NICs to the server running the firewall software
• Disadvantages of software firewalls
  • You might have to worry about configuration problems
  • They rely on the OS on which they are running
23. NETWORK ADDRESS TRANSLATION (NAT)
• The most basic security feature of a firewall
• With NAT, internal private IP addresses are mapped to public external IP addresses
  • Hides the internal infrastructure
• Port Address Translation (PAT)
  • Technology derived from NAT
  • Allows thousands of internal IP addresses to be mapped to one external IP address
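How PAT maps many inside hosts onto one external address, and why that hides the internal infrastructure, as an added Python example (not from the slides and not any vendor's NAT code). The translation table keeps one entry per outbound flow keyed by the inside address and port and tells flows apart by the public port it hands out; a packet from the Internet is only rewritten if an inside host created the entry, otherwise there is nothing to translate it to and it is dropped. All addresses are constructed (RFC 1918 inside, TEST-NET-3 outside); the port allocation strategy is a simplification.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]          # (IP address, port)


@dataclass
class PatTable:
    """One public address shared by every inside host; the public port tells flows apart."""
    public_ip: str
    first_port: int = 1024
    _out: Dict[Flow, int] = field(default_factory=dict)    # inside (ip, port) -> public port
    _in: Dict[int, Flow] = field(default_factory=dict)     # public port -> inside (ip, port)

    def outbound(self, inside_ip: str, inside_port: int) -> Flow:
        """Rewrite the source of a packet leaving the private network."""
        key = (inside_ip, inside_port)
        if key not in self._out:                 # new flow: hand out the next public port
            port = self.first_port + len(self._out)   # simplification: ports are never reused
            self._out[key] = port
            self._in[port] = key
        return self.public_ip, self._out[key]

    def inbound(self, public_port: int) -> Optional[Flow]:
        """Rewrite the destination of a packet arriving from the Internet.

        Returns None when no inside host ever opened this port: the packet cannot be
        delivered anywhere and is dropped, which is what makes NAT a basic security feature."""
        return self._in.get(public_port)


def demo() -> Dict[str, object]:
    # Constructed addresses: 10.0.0.0/8 inside, 203.0.113.0/24 (TEST-NET-3) as the public side.
    pat = PatTable("203.0.113.10")
    a = pat.outbound("10.0.0.5", 50000)        # host A opens a connection
    b = pat.outbound("10.0.0.6", 50000)        # host B picks the same source port; PAT keeps them apart
    a_again = pat.outbound("10.0.0.5", 50000)  # the same flow reuses its mapping
    return {
        "host_a": a, "host_b": b, "host_a_again": a_again,
        "reply_to_b": pat.inbound(b[1]),       # the reply is delivered to the right inside host
        "unsolicited": pat.inbound(40000),     # nobody inside opened this port: dropped
        "table_size": len(pat._out),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

From the outside only 203.0.113.10 and a set of ports are ever visible; the inside addresses and the number of inside hosts behind them cannot be read off the traffic.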
24. ACCESS CONTROL LISTS
• Access lists are used to filter traffic based on source IP address, destination IP address, and ports or services
• Firewalls also use this technology
• Creating access control lists in a firewall is a similar process to creating them in a router
25. PACKET FILTERING
• Packet filters screen packets based on information contained in the packet header
  • Protocol type
  • IP address
  • TCP/UDP port
26. STATEFUL PACKET INSPECTION (SPI)
• Stateful packet filters record session-specific information about a network connection
  • Create a state table
  • Can help reduce port scans that rely on spoofing or on sending packets that look like part of an already completed three-way handshake
• Stateful packet filters recognize types of anomalies that most routers ignore
• Stateless packet filters handle each packet on an individual basis
  • Spoofing and DoS attacks are more prevalent against them
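The difference between a stateless and a stateful filter, shown on one constructed packet trace. This is an added Python example, not from the slides and not any firewall's code. The stateless rule is the classic "permit inbound only if the ACK bit is set" test that a router ACL can express; it judges every packet on its own, so an inbound ACK that belongs to no connection passes. The stateful filter keeps a state table keyed by the connection 4-tuple, creates an entry only when an inside host sends a SYN, and drops inbound packets that have no entry. The Pkt class, the flag notation and the trace are my own simplifications (no sequence numbers, no timeouts).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    direction: str      # "out" = inside -> Internet, "in" = Internet -> inside
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters: S=SYN, A=ACK, F=FIN, R=RST


def stateless_allow(p: Pkt) -> bool:
    """Stateless rule set: permit everything outbound; permit inbound only when ACK is set.
    Each packet is judged alone, nothing is remembered between packets."""
    return p.direction == "out" or "A" in p.flags


class StatefulFilter:
    """Keeps a state table keyed by (inside ip, inside port, outside ip, outside port)."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def allow(self, p: Pkt) -> bool:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":                         # inside host starts a new connection
                self.table[key] = "SYN_SENT"
                return True
            if key not in self.table:                  # outbound packet of an unknown session
                return False
        else:
            key = (p.dst, p.dport, p.src, p.sport)    # look the reply up from the inside view
            state = self.table.get(key)
            if state is None:
                return False                           # no inside host asked for this: drop
            if state == "SYN_SENT" and set("SA") <= set(p.flags):
                self.table[key] = "ESTABLISHED"
        if "F" in p.flags or "R" in p.flags:           # connection ends: forget it
            self.table.pop(key, None)
        return True


# Constructed trace: a normal web session opened from inside, followed by two inbound
# packets for which no inside host ever opened a connection.
TRACE: List[Tuple[str, Pkt]] = [
    ("syn out",          Pkt("out", "10.0.0.5", 40001, "198.51.100.7", 80, "S")),
    ("syn-ack in",       Pkt("in",  "198.51.100.7", 80, "10.0.0.5", 40001, "SA")),
    ("ack out",          Pkt("out", "10.0.0.5", 40001, "198.51.100.7", 80, "A")),
    ("data in",          Pkt("in",  "198.51.100.7", 80, "10.0.0.5", 40001, "A")),
    ("stray ack in",     Pkt("in",  "198.51.100.9", 1234, "10.0.0.5", 22, "A")),    # no session
    ("stray syn-ack in", Pkt("in",  "198.51.100.9", 80, "10.0.0.5", 40002, "SA")),  # no session
]


def compare(trace: List[Tuple[str, Pkt]] = TRACE) -> Dict[str, Tuple[bool, bool]]:
    """Return {packet name: (stateless verdict, stateful verdict)} in trace order."""
    sf = StatefulFilter()
    return {name: (stateless_allow(p), sf.allow(p)) for name, p in trace}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:18} stateless={'pass' if stateless else 'drop':4}  stateful={'pass' if stateful else 'drop'}")
```

The two stray packets are where the filters disagree: the stateless rule passes both because the ACK bit is set, the stateful filter drops both because its table has no matching entry. That is the anomaly the slide says most routers ignore.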
27. IMPLEMENTING A FIREWALL
• Placing a single firewall directly between a company’s internal network and the Internet is dangerous
  • It leaves the company open to attack if a hacker compromises the firewall
• Use a demilitarized zone instead
28. DEMILITARIZED ZONE (DMZ)
• A DMZ is a small network containing resources available to Internet users
  • Helps maintain security on the company’s internal network
  • Sits between the Internet and the internal network
  • It is sometimes referred to as a “perimeter network”
29. UNDERSTANDING THE PRIVATE INTERNET EXCHANGE (PIX) FIREWALL
• Cisco PIX firewall
  • One of the most popular firewalls on the market
30. CONFIGURATION OF THE PIX FIREWALL
• Working with a PIX firewall is similar to working with any other Cisco router
• Login prompt
    If you are not authorized to be in this XYZ Hawaii network device,
    log out immediately!
    User Access Verification
    Password:
  • This banner serves a legal purpose
• General prompt example:
    Type help or '?' for a list of available commands.
    xyz>
31. CONFIGURATION OF THE PIX FIREWALL (CONTINUED)
• You should enter privileged mode to configure the PIX firewall
• To enter configuration mode in PIX, you use the same command as on a Cisco router
    xyz# configure terminal
    xyz(config)# ?
• nameif is the PIX command to name an interface
• PIX allows the administrator to assign values to an interface that designate its security level
  • Values can be from 0 to 100
32. CONFIGURATION OF THE PIX FIREWALL (CONTINUED)
• Access lists
  • PIX enables an administrator to use descriptive names for the access list instead of numbers
  • PIX also uses the implicit deny rule
33. UNDERSTANDING MICROSOFT ISA
• Microsoft’s software approach to firewalls
  • Microsoft Internet Security and Acceleration (ISA) Server
  • Functions as a software router, firewall, and IDS
• ISA has the same functionality as any hardware router
  • Packet filtering to control incoming traffic
  • Application filtering through the examination of protocols
  • Intrusion detection filters
  • Access policies to control outgoing traffic
34. IP PACKET FILTERS
• ISA enables administrators to filter IP traffic based on the following:
  • Source and destination IP address
  • Network protocol, such as HTTP
  • Source port or destination port
• ISA provides a GUI for these configurations
  • A network segment can be denied or allowed HTTP access in the Remote Computer tab
35. APPLICATION FILTERS
• Can accept or deny data from specific applications or data containing specific content
• The SMTP filter can restrict
  • E-mail with specific attachments
  • E-mail from a specific user or domain
  • E-mail containing specific keywords
  • SMTP commands
• SMTP Filter Properties dialog box
  • Administrator can filter a specific e-mail attachment based on a rule he or she configures
36. APPLICATION FILTERS (CONTINUED)
• Users/Domains tab in the SMTP Filter Properties dialog box
  • Administrator can filter e-mail messages sent from a user or from specific domains
• As a security professional, you might be asked to restrict e-mails containing certain keywords
• SMTP Commands tab
  • Administrator can prevent a user from running SMTP commands
37. INTRUSION DETECTION FILTERS
• Analyze all traffic for possible known intrusions
  • DNS intrusion detection filter
  • POP intrusion detection filter
  • FTP Access filter
  • H.323 filter
  • HTTP Redirector filter
  • RPC filter
  • SMTP filter
  • SOCKS V4 filter
  • Streaming Media filter
38. ACCESS POLICIES
• Allow administrators to control outgoing traffic
• An access policy consists of the following
  • Policy rules
  • Site and content rules
  • IP filter rules
39. UNDERSTANDING INTRUSION DETECTION SYSTEMS (IDSS)
• Monitor network devices so that security administrators can identify attacks in progress and stop them
• An IDS looks at the traffic and compares it with known exploits
  • Similar to antivirus software using a signature file to identify viruses
• Types
  • Network-based IDSs
  • Host-based IDSs
40. NETWORK-BASED AND HOST-BASED IDSS
• Network-based IDSs
  • Monitor activity on network segments
  • They sniff traffic and alert a security administrator when something suspicious occurs
• Host-based IDSs
  • Used to protect a critical network server or database server
  • The software is installed on the server you’re attempting to protect
41. NETWORK-BASED AND HOST-BASED IDSS (CONTINUED)
• IDSs are categorized by how they react when they detect suspicious behavior
  • Passive systems
    • Send out an alert and log the activity
  • Active systems
    • Log events and send out alerts
    • Can also interoperate with routers and firewalls, for example to block the offending source
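Signature matching and the passive/active distinction from slides 39 and 41, as an added Python example (not from the slides, not Microsoft ISA or any IDS product). The IDS compares each request payload against a list of signatures, the way the slide compares it to antivirus signature files; in passive mode a match only produces an alert and a log line, in active mode the IDS also adds the source to a block set that the firewall function consults before forwarding later traffic. The two signatures, the Event class, the firewall_allows stand-in for "interoperating with a firewall" and the sample requests are all constructed for this illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed signatures: (name, regex over the raw request). A real IDS ships thousands.
SIGNATURES = [
    ("directory traversal in URL", re.compile(rb"(\.\./){2,}")),
    ("oversized request line", re.compile(rb"^[A-Z]+ \S{2048,} HTTP/")),
]


@dataclass
class Event:
    src: str
    payload: bytes


@dataclass
class IDS:
    """mode='passive': alert and log only. mode='active': additionally block the source."""
    mode: str = "passive"
    log: List[str] = field(default_factory=list)
    blocked: Set[str] = field(default_factory=set)

    def inspect(self, ev: Event) -> List[str]:
        """Return the names of every signature the event matches, recording alerts as a side effect."""
        hits = [name for name, rx in SIGNATURES if rx.search(ev.payload)]
        for name in hits:
            self.log.append(f"ALERT {ev.src}: {name}")
            if self.mode == "active":                 # hand the source to the firewall
                self.blocked.add(ev.src)
                self.log.append(f"BLOCK {ev.src}")
        return hits


def firewall_allows(ids: IDS, src: str) -> bool:
    """Stand-in for the firewall rule an active IDS pushes: drop anything from a blocked source."""
    return src not in ids.blocked


# Constructed traffic: two benign requests, one traversal attempt, then a second
# request from the same offending source after the IDS has seen the first one.
EVENTS = [
    Event("198.51.100.20", b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n"),
    Event("198.51.100.99", b"GET /cgi/../../../../private/config.txt HTTP/1.1\r\n"),
    Event("198.51.100.20", b"GET /about.html HTTP/1.1\r\n"),
    Event("198.51.100.99", b"GET /index.html HTTP/1.1\r\n"),
]


def run(mode: str) -> Dict[str, object]:
    """Push the sample traffic through a firewall fronted by an IDS in the given mode."""
    ids = IDS(mode)
    verdicts = []
    for ev in EVENTS:
        if not firewall_allows(ids, ev.src):          # only ever true after an active block
            verdicts.append("dropped by firewall")
            continue
        ids.inspect(ev)
        verdicts.append("forwarded")
    return {"verdicts": verdicts, "log": list(ids.log), "blocked": sorted(ids.blocked)}


if __name__ == "__main__":
    for mode in ("passive", "active"):
        print(mode, run(mode))
```

In passive mode the fourth request is still forwarded: the administrator has an alert to act on, but nothing on the path changed. In active mode the same request never reaches the IDS because the firewall already drops that source, which is the interoperation the slide describes.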
42. UNDERSTANDING HONEYPOTS
• Honeypot
  • Computer placed on the perimeter of a network
  • Contains information intended to lure and then trap hackers
  • Computer is configured to have vulnerabilities
• Goal
  • Keep hackers connected long enough so they can be traced back
43. HOW THEY WORK
• A honeypot appears to have important data or sensitive information stored on it
  • Could store fake financial data that tempts hackers to attempt browsing through the data
• Hackers will spend time attacking the honeypot
  • And stop looking for real vulnerabilities in the company’s network
• Honeypots also enable security professionals to collect data on attackers
• Honeypots are available commercially and through open-source avenues
44. HOW THEY WORK (CONTINUED)
• Virtual honeypots
  • Honeypots created using software solutions instead of hardware devices
  • Example: Honeyd
45. SUMMARY
• Security devices
  • Routers
  • Firewalls
  • IDSs
• Routers use access lists to accept or deny traffic through their interfaces
• Firewalls can be hardware devices or software installed on computer systems
  • Firewalls use NAT, IP filtering, and access control lists to filter incoming and outgoing network traffic
46. SUMMARY (CONTINUED)
• Firewall examples
  • Cisco PIX (hardware)
  • Microsoft ISA (software)
• Stateful packet filters vs. stateless packet filters
• PGP is a free public key encryption program to encrypt e-mail messages
• Demilitarized zones (DMZs)
  • Add a layer of defense between the Internet and a company’s internal network
47. SUMMARY (CONTINUED)
• Intrusion detection systems (IDSs)
  • Network-based IDSs
  • Host-based IDSs
  • Passive IDSs vs. active IDSs
• Honeypots