Module 16 – Network Security Fundamentals (ITN CCNA v7)

Threats & Vulnerabilities

Purpose of Module 16 (CCNA v7: ITN)
- Study security threats, vulnerabilities and basic mitigation.
- Focus on hardening network devices (routers, switches, servers, hosts, phones).
“Threat actor” definition
- Any entity (person, process, group) capable of exploiting a vulnerability.
Common threat goals
- Disruption of services (slow/unusable network).
- Data loss/manipulation.
- Credential theft (usernames, passwords).
- Identity, data, information or intellectual-property theft.
Three primary categories of vulnerabilities
- Technology: Weakness in protocols, OSs, or hardware/firmware.
- Configuration: Unsecured/default accounts, misconfigured Internet services, unused features left enabled.
- Administrative: Missing or weak security policies; lack of documentation/audit trail.
- NOTE: All three can leave "huge holes"; physical security is a separate but related pillar.

Physical Security Threats (4-Fold Classification)

Hardware threats
- Direct physical damage, theft or tampering of gear.
Environmental threats
- Temperature extremes, humidity issues ("too hot/too cold/too wet/too dry").
Electrical threats
- Unstable power grid → sags, spikes, improper voltage, noise, full outages.
Maintenance threats
- Poor ESD handling, lack of spare parts, clumsy procedures.
- Casino anecdote: 80-lb core switch stored on the top floor (runs elevators). If it fails, staff must carry it down 20 flights of stairs because elevators depend on that very switch—illustrates need for realistic, written plans.
Good physical security plan = documented response for each of the four categories.

Network-Based Attacks & Malware

“Malware” (malicious software)
- Virus: Inserts itself in files/media, needs user action to spread.
- Worm: Self-replicates across the network; no user action required.
- Trojan horse: Appears legitimate, hides backdoor.
- Growing varieties: Ransomware, spyware, adware (ransomware currently most severe—encrypts data, demands payment).

Reconnaissance Attacks

Goal: Map services, hosts, vulnerabilities.
Tools/Methods: Port scanners, WHOIS, NSLOOKUP, public intel.

Access Attacks

Goal: Obtain unauthorized access; data manipulation.
Tactics
- Social engineering, phishing.
- Password‐based (guessing, brute force, packet‐sniffed plaintext).
- Trust exploitation (leverage existing trusted relationships).
- Port redirection (pivot via compromised host).
- Man-in-the-Middle (MitM)
- Intercept/alter traffic; can “patch” downloads to insert malware.

Denial of Service (DoS / DDoS)

Aim: Exhaust target’s resources → legitimate users locked out.
DDoS: Threat actor + command‐and‐control (C2) system orchestrates numerous zombies → forms a botnet.
More attacking hosts = more resource exhaustion.

Network Attack Mitigation (Defense-in-Depth / Layered Approach)

Secure every device + service; assume nothing is implicitly trusted.
Combine multiple, cooperating controls: IDS/IPS, SIEM/SIM correlation, firewalls, email/web security, AAA, VPN, etc.
Layers compensate for single-control failure; slows/limits intruder progress.

Backups & Updating

Backups
- Must be current, frequent, securely stored, and capacity-planned.
Updates/Patching
- OS, antivirus, antimalware: ensure latest fixes & definitions.
- Verify services are actually running (many orgs deploy but disable).

AAA (Authentication, Authorization, Accounting)

Authentication: Prove identity.
Authorization: Determine permitted actions.
Accounting: Record/audit activity.
Centralized servers (RADIUS/TACACS+) recommended for scalability.

Firewalls & DMZs

Firewalls create rule sets controlling ingress/egress.
DMZ (Demilitarized Zone)
- Buffer segment between internal LAN and Internet; hosts that must be reachable by both sides live here.
Four common firewall types
1. Packet filtering (IP/MAC, layer-3/2 fields).
2. Application filtering (port/service granular control).
3. URL filtering (domain/keyword).
4. Stateful Packet Inspection (SPI) – permits only legitimate response traffic tied to existing sessions.

Endpoint & Administrative Security

Policies must dictate:
- Job training, rotation, least privilege.
- Regular user security awareness.
- Forced automatic updates/scans on endpoints.
Administrative policy quality directly affects technical enforcement.

Device Hardening & Cisco AutoSecure

“Hardening” = disable everything not needed; enable only required, updated services.
Cisco AutoSecure assists by:
- Changing default credentials.
- Restricting resource access.
- Enabling/disabling services according to best practice.
Always apply updates immediately on new equipment before production.

Password Best Practices & Policies

Length: ≥8 characters (≥10 preferred).
Complexity: at least 3 of 4 categories – uppercase, lowercase, numbers, symbols.
Avoid dictionary words & predictable patterns.
“Leet speak” example: Replace $s \to 5$ , $a \to 4$ , etc. – memorable yet non-dictionary.
Good habits
- Never write on sticky notes under keyboard/monitor.
- Choose secure yet recallable strings to avoid unsafe storage.
Device enforcement options (IOS examples)
- $login\ block-for$ X sec $attempts$ Y $within$ Z sec.
- $exec-timeout$ (auto-logout idle sessions).
- $password\ algorithm\ type$ .

Secure Management Access (Telnet vs SSH)

Telnet = plaintext; susceptible to sniffing.
SSH = encrypted; mandatory for device management.
6-Step IOS SSH Setup
1. $hostname$
2. $ip\ domain-name$
3. $crypto\ key\ generate\ rsa$ (specify modulus ≥2048 bits).
4. $username$ $secret$ (local database).
5. $line\ vty$ 0 4 → $login\ local$ & $transport\ input\ ssh$ .
6. (Optional) $ip\ ssh\ version$ 2 & apply ACLs for mgmt plane.

Disabling Unused Services & Ports

Principle: “If you don’t use it, turn it off.”
Close ports: e.g., FTP (20/21) if unnecessary.
Disable legacy protocols (e.g., HTTP, SNMP v1) in favor of secure versions (HTTPS, SNMPv3).

Course Recap

Classified physical threats: hardware, environmental, electrical, maintenance.
Reviewed malware & network attack types: reconnaissance, access, DoS.
Learned layered mitigation: backups, updates, AAA, firewalls, endpoint training.
Explored firewall categories & DMZ rationale.
Emphasized endpoint practices, AutoSecure, hardening steps.
Covered strong password creation/enforcement & secure remote access (SSH).
Labs: SANS threat identification, basic config + SSH, securing devices.

If any questions arise, instructor encourages reaching out for clarification.

To mitigate or overcome network attacks, a Defense-in-Depth or Layered Approach is recommended. This involves securing every device and service, assuming nothing is implicitly trusted, and combining multiple, cooperating controls. Key mitigation strategies include:

Network Attack Mitigation (Defense-in-Depth / Layered Approach):
- Secure every device and service, assuming nothing is implicitly trusted.
- Combine multiple, cooperating controls such as IDS/IPS, SIEM/SIM correlation, firewalls, email/web security, AAA, and VPN.
- Layers compensate for single-control failure, slowing and limiting intruder progress.
Backups & Updating:
- Ensure backups are current, frequent, securely stored, and capacity-planned.
- Keep OS, antivirus, and antimalware definitions up-to-date, and verify that these services are actively running.
AAA (Authentication, Authorization, Accounting):
- Authentication: Prove identity.
- Authorization: Determine permitted actions.
- Accounting: Record and audit activity.
- Use centralized servers like RADIUS/TACACS+ for scalability.
Firewalls & DMZs:
- Firewalls create rule sets controlling ingress/egress traffic.
- A DMZ (Demilitarized Zone) acts as a buffer segment between the internal LAN and the Internet for hosts that need to be reachable by both sides.
- Common firewall types include Packet filtering, Application filtering, URL filtering, and Stateful Packet Inspection (SPI).
Endpoint & Administrative Security:
- Implement policies for job training, rotation, and least privilege.
- Conduct regular user security awareness training.
- Enforce forced automatic updates and scans on endpoints.
- The quality of administrative policy directly affects technical enforcement.
Device Hardening & Cisco AutoSecure:
- Hardening: Disable everything not needed and enable only required, updated services.
- Cisco AutoSecure helps by changing default credentials, restricting resource access, and enabling/disabling services according to best practices.
- Apply updates immediately on new equipment before production use.
Password Best Practices & Policies:
- Require passwords of $8$ characters or more ( $10$ preferred) with complexity (at least three of four categories: uppercase, lowercase, numbers, symbols).
- Avoid dictionary words and predictable patterns; consider using "Leet speak" for memorability.
- Never write passwords on sticky notes.
- Implement device enforcement options like login block-for X sec attempts Y within Z sec and exec-timeout <minutes> <seconds>.
- Use secure password hashing algorithms like password algorithm type sha256.
Secure Management Access (Telnet vs SSH):
- Telnet is plaintext and susceptible to sniffing; SSH is mandatory for device management due to its encryption.
- SSH setup involves configuring hostname, IP domain name, generating RSA crypto keys (modulus $\ge2048$ bits), setting local usernames/passwords, and configuring VTY lines for SSH transport input.
Disabling Unused Services & Ports:
- Follow the principle: "If you don’t use it, turn it off."
- Close unnecessary ports (e.g., FTP ports $20/21$ ).
- Disable legacy protocols (e.g., HTTP, SNMP v1) in favor of secure versions (HTTPS, SNMPv3).