CCNA Security Study Notes – What are the networking security concepts?
This post will be the first of many detailing my CCNA Security Study Notes as I go.
I’ve been somewhat slack, and life events have arisen which have slowed my CCNA Security studies of late; however, I’m going to be updating the site with my study notes as I go. Let’s get to it!
Network security rests on the following three characteristics.
Confidentiality generally comes in the form of encryption, ensuring that only the intended user is able to read (decrypt) the sensitive data.
Integrity comes in the form of hashing. A hash or checksum of the information is generated before or after it has been encrypted, and the hash is compared on the receiving end. If the hash checksums do not match, the data has been tampered with, has lost integrity, and should not be trusted.
Availability ensures the infrastructure is always up and running. A failing device passing its job to another device (failover) is one example.
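The integrity check described above, worked through in code as an added example (not from the notes): the receiver recomputes the value and compares it. It also shows the caveat a practitioner needs, namely that an unkeyed checksum only catches accidental corruption, because anyone who can rewrite the data can recompute the checksum too; a keyed hash (HMAC) needs the shared key to recompute. The message and the shared key are constructed here.

```python
"""Integrity check on the receiving end: plain hash versus keyed hash (HMAC).

Added example, not from the notes. The message and the shared key are
constructed here; in practice the key is agreed between sender and receiver
out of band.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-shared-key"  # constructed value for this example


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 checksum: anyone who can rewrite the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def auth_tag(data: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256: only a holder of the key can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def send(data: bytes) -> tuple[bytes, str, str]:
    """Sender side: ship the data together with both integrity values."""
    return data, checksum(data), auth_tag(data)


def receive(data: bytes, received_checksum: str, received_tag: str) -> dict:
    """Receiver side: recompute both values and compare them in constant time."""
    return {
        "checksum_ok": hmac.compare_digest(checksum(data), received_checksum),
        "hmac_ok": hmac.compare_digest(auth_tag(data), received_tag),
    }


def on_path_tamper(data: bytes, received_tag: str) -> tuple[bytes, str, str]:
    """Model an on-path party that alters the data and recomputes the unkeyed
    checksum, but has no key and so must forward the original tag unchanged."""
    altered = data.replace(b"100", b"900")
    return altered, checksum(altered), received_tag


if __name__ == "__main__":
    msg, ck, tg = send(b"transfer 100 to account 42")
    print("untouched:", receive(msg, ck, tg))
    print("altered:  ", receive(*on_path_tamper(msg, tg)))
```

On the altered message the plain checksum still matches (the modifier simply recomputed it) while the HMAC does not, which is why "compare the hash on the receiving end" in practice means a keyed hash or a digital signature when the channel itself is untrusted.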
First, let’s define the terms used in risk management.
An asset is anything valuable to the company: a person, data, a physical server.
A vulnerability is an exploitable weakness in a system or its design.
Threats are the potential danger to an asset. A threat that has not yet been discovered is called a latent threat; a discovered threat is called a realised threat.
Countermeasures are safeguards to mitigate risk.
Risk is the potential for unauthorised access to, or damage to, a company’s assets. For example, a network may be vulnerable to a DDoS attack. The risk is that the network may be affected by the DDoS, and the countermeasure would be to have some form of DDoS mitigation in place.
Unclassified but sensitive
Owner: The group ultimately responsible for the data. Senior management create the governing policy, which the group implements and the users accept.
Group: The group responsible for implementing the policy as directed by the owner.
User: Those who access the data, who must abide by the rules of the Acceptable Use Policy.
Administrative: These consist of written policies, guidelines, procedures and standards.
The Acceptable Use Policy is an example of an administrative countermeasure.
Physical: Physical countermeasures are physical locks, uninterruptible power supplies, biometric authentication, etc.
Logical: Passwords, VPN, IPS and access lists are logical countermeasures. These are also called technical controls.
A reconnaissance attack is normally performed on the network as an IP scan to find which hosts are online, followed by a more in-depth port scan to find which services are running and may be exploitable.
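Seen from the defender's side, the port-scan phase described above leaves a distinctive trace in firewall deny logs: one source touching many distinct ports on one host in a short time. The following added example (not from the notes) runs that detection over constructed log lines; the log format, the addresses and the 10-ports-in-60-seconds threshold are all assumptions for this example, and parse_line() would be adapted to the real firewall's format.

```python
"""Flag sources that probe many distinct ports on one host in a short window.

Added example, not from the notes. The log format and every entry are
constructed for this example; adapt parse_line() to your firewall's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed deny-log format: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")

SAMPLE_LOG = (
    # one source sweeping 12 ports on one host within 12 seconds: a port scan
    [f"2024-01-01T10:00:{s:02d} DENY src=10.0.0.5 dst=10.0.1.10 dport={20 + s}"
     for s in range(12)]
    # a host retrying one blocked service every 5 seconds: noisy, not a scan
    + [f"2024-01-01T10:00:{s:02d} DENY src=10.0.0.7 dst=10.0.1.10 dport=445"
       for s in range(0, 60, 5)]
    # the same 12-port sweep spread over 12 hours: below threshold per window
    + [f"2024-01-01T{h:02d}:00:00 DENY src=10.0.0.9 dst=10.0.1.10 dport={20 + h}"
       for h in range(12)]
)


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(lines, threshold: int = 10,
                  window: timedelta = timedelta(seconds=60)) -> dict:
    """Map (src, dst) to the largest number of distinct ports that source hit on
    that host inside any window of the given length, for pairs at or above
    threshold. Pairs below threshold are not reported."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, port = rec
            events[(src, dst)].append((ts, port))

    flagged = {}
    for pair, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # distinct ports seen from this event until the window closes
            ports = {p for ts, p in evs[i:] if ts - start <= window}
            if len(ports) >= threshold:
                flagged[pair] = max(flagged.get(pair, 0), len(ports))
    return flagged


if __name__ == "__main__":
    for (src, dst), n in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within 60s")
```

Only the fast sweep from 10.0.0.5 is reported; the host retrying a single blocked port is loud but hits one port, and the slow sweep from 10.0.0.9 never exceeds the threshold inside any 60-second window, which is exactly the gap a longer window (or a per-day tally of distinct ports) closes at the cost of more false positives.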
Social engineering turns away from the computer attack surface and targets humans, tricking them into handing over sensitive information without realising it.
Privilege escalation can be performed by a user with a local, non-administrator account who escalates their privileges to administrator.
Back doors can be installed on a system to provide unauthorised remote access to the host.
Internal attack risk can be reduced by implementing 802.1X (Ethernet authentication) with Cisco Access Control Server (ACS), which ensures the user passes the security policy profile prior to being allowed to access the network.
Network Admission Control (NAC) or Identity Services Engine (ISE) could also be used to enforce a security policy.
Man-in-the-middle attacks can occur either at layer 2, with ARP poisoning, or at layer 3, by tricking hosts on the subnet into believing the attacker is the default gateway.
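Both forms of man-in-the-middle described above show up on the wire as an existing IP-to-MAC binding changing, most tellingly for the default gateway, and often as one MAC suddenly answering for several IPs. The following added example (not from the notes) runs that detection over a constructed sequence of observed ARP replies; the addresses, the gateway IP and the severity ratings are assumptions for this example.

```python
"""Detect IP-to-MAC binding changes in observed ARP replies.

Added example, not from the notes. The addresses and the reply sequence are
constructed; in a real deployment the replies would come from a capture or
from periodic dumps of the switch or host ARP table.
"""

GATEWAY_IP = "192.168.1.1"  # constructed default gateway address

# Constructed sequence of observed ARP replies as (sender_ip, sender_mac).
OBSERVED_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),    # gateway learned
    ("192.168.1.20", "00:11:22:33:44:20"),   # a workstation learned
    ("192.168.1.1", "00:11:22:33:44:01"),    # same binding repeated: normal
    ("192.168.1.1", "de:ad:be:ef:00:01"),    # gateway IP now claims a new MAC
    ("192.168.1.20", "de:ad:be:ef:00:01"),   # so does the workstation: one MAC for both
]


def detect_arp_anomalies(replies, gateway_ip=None):
    """Return alerts for (1) an IP whose MAC changed since it was first seen and
    (2) a MAC that is now claiming more than one IP. A changed gateway binding
    is rated high because it redirects the whole subnet's off-link traffic."""
    ip_to_mac = {}   # last binding seen per IP
    mac_to_ips = {}  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({
                "type": "binding_changed",
                "ip": ip, "old_mac": prev, "new_mac": mac,
                "severity": "high" if ip == gateway_ip else "medium",
            })
        ip_to_mac[ip] = mac

        ips = mac_to_ips.setdefault(mac, set())
        if ip not in ips and len(ips) >= 1:
            alerts.append({
                "type": "mac_claims_multiple_ips",
                "mac": mac, "ips": sorted(ips | {ip}),
                "severity": "medium",
            })
        ips.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(OBSERVED_REPLIES, GATEWAY_IP):
        print(alert)
```

The first three replies produce nothing; the fourth raises a high-severity alert because the gateway's MAC changed, and the fifth raises both a binding change for the workstation and a "one MAC claims multiple IPs" alert. On Cisco switches the preventive control for the layer-2 case is Dynamic ARP Inspection fed by DHCP snooping, which drops ARP replies that disagree with the learned bindings; a monitor like this one is the detective complement for segments where that is not enabled.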
Miscellaneous Attack Vectors
A covert channel utilises a service that is allowed through a firewall to tunnel blocked traffic. For example, a firewall allows HTTPS but blocks all SSH traffic. A user could tunnel the SSH traffic inside the HTTPS payload and transit the firewall without being denied.
Trust exploitation occurs when the DMZ is internet accessible and restrictions are in place to deny direct connections from the internet to the internal network, but internal users can access the DMZ. An attacker could gain access to a DMZ host and pivot from it to reach internal hosts.
Password attacks generally involve brute forcing a password.
Botnet, DoS and DDoS
Botnets and DDoS generally fall under the same category, in that a distributed denial of service (DDoS) attack generally comes from a botnet.
A botnet is a large number of devices, generally unaware they are infected, which an attacker controls to target one host simultaneously.
Guidelines for secure network architecture
The rule of least privilege gives users only the access they need to perform their duties.
Defence in depth ensures a multi-layered defence against attack is utilised: there can be multiple firewalls, intrusion prevention systems, etc. in use.
Separation of duties provides separation of roles, which helps ensure the security guidelines are kept up to date, as users will be required to read and accept the policies.