Cisco CCNA 200-301 – The Security Threat Landscape Part 5

9. Remote Access VPN Virtual Private Networks

In this lecture you’ll learn about client to site remote access VPNs with the Cisco Any Connect client. So the Cisco Any Connect client is a remote access VPN application which uses the ASA firewall. You saw in the last lecture when we configured the site to site VPN, that the site to site VPN tunnels can terminate either on a firewall wall or a router. The firewall would be the Cisco ASA with the Any Connect client that’s going to terminate on the ASA firewall, not on a Cisco router.

And where the site to site tunnels were using IPsec. The Any Connect Remote access. VPN uses TLS. Now when you go to configure it, you’re going to see that the option it has there is SSL because TLS and SSL are still somewhat used interchangeably. SSL is now actually deprecated. It’s been replaced with TLS. But where TLS is used, you’ll often see that it’s actually still described as SSL. For example, if you buy a certificate for use on the Internet, you’ll see that it is being called an SSL certificate, even though it is actually TLS that is being used. So just be aware, if you do see SSL being mentioned anywhere, that’s fine. You are actually going to be using TLS because TLS is the update for SSL.

And you can see here a screenshot of using the client. So with the example topology, we’ve got our main site over here on the right. And because Any Connect it is a remote access VPN, it’s a client to site VPN. So you can have this installed on your laptop. So if you go traveling anywhere, if you’re in, say, a hotel or if you’re working from home, you can fire up the neck client on your laptop as you can see here. And from there you can connect into the corporate site.

When you do that, the VPN tunnel is going to terminate on the ASA firewall. So the traffic is going to be encrypted all the way from your laptop over to the ASA firewall. So if you are working in a hotel or somewhere like that, that’s fine because it’s not just from the router at the hotel, it’s actually from your laptop. The traffic is going to be encrypted because obviously the network infrastructure in the hotel, you’re not going to be trusting that either. Okay, so that’s the Any Connect VPN client. Now there’s a couple of different ways that this can be enabled and this is going to be chosen by the network security administrator. You can either use split tunneling or fool tunneling. When you use split tunneling, the corporate traffic is going to go over the VPN tunnel to the corporate site. Your public web traffic, for example, when you’re browsing normal sites on the Internet, that is going to go out directly to the Internet.

That is not going to go through the tunnel. So as you can see here, when we do have split tunneling enabled for traffic that is going to the corporate website that is going to go through the VPN tunnel and that is going to be encrypted. But when we’re browsing to a normal internet web server that is going to go out directly, it’s not going through the VPN tunnel. The other way that we can do it is with full tunneling. Now with full tunneling, both your corporate traffic and your normal internet browsing from your client are going to go through the VPN tunnel. So you can see the difference here now is traffic that’s going to the corporate office is going through the VPN tunnel. Traffic going to a public web server out on the internet that also goes through the tunnel as well. And then it gets hair pinned back out of there out to the internet.

So the reason why you would use one or the other if you implement full tunneling, that forces all traffic to go through the VPN tunnel and go through the main site. So that allows you to enforce security policies on your staff members when they’re out traveling with their laptops. For example, you could specify the types of websites that they’re allowed to go through. So because everything is going through your centralized main site here, you can enforce security policies at that point. The downside of using full tunneling is that maybe the user is in Chicago, your head office is in New York, and we’re browsing a website which is also in Chicago.

Well, if they were using split tunneling, that would just go out straight from Chicago to Chicago, it wouldn’t have to go all the way through the tunnel to the head office and back again. So you would get better performance. So you can get better performance if you’re using split tunneling, but you can get better, more centralized security if you use full tunneling. That’s everything as far as the CCNA exam is concerned for our remote access VPNs. See you in the next lecture.

10. Threat Defense Solutions

Near the start of this section we had a lecture where I covered the common attacks that a hacker will launch against you. And now that I’ve covered the different security devices that are available, I can wrap up the section with this last lecture where I will cover the mitigation techniques which protect you against, against those different attacks and I’ll cover them off here in the same order that they were covered in the common attacks lecture. So starting off with malware to guard against this, an email where software should be installed on the host systems and emailware software uses signatures and Heuristics to detect malicious software and block it from running.

So the way that the signatures work is it looks for known characteristics of known viruses when it sees them, it will block that file from running. What heuristics does is it’s not looking for knowing signatures of viruses, it’s looking for characteristics on a file which are common across other different viruses. So there the file would be suspicious and that will again trigger the antimalware software.

So you want to have your an email where software running on your corporate host PCs and also you want controls to be in place there to prevent users from disabling the software. Because maybe a hacker has got a Trojan horse which is available for download online, they’ve made it look very attractive and a user could be determined that they really want to download this Trojan horse which of course is going to do damage. So to prevent users from doing bad things like that, you want to make sure that they’re prevented from disabling the antimalware software.

An IPS can also be used to detect and block network traffic containing malware from getting into your organization still on malware and also providing protection against phishing and data exfiltration. You can use the Cisco, ESA and WSA appliances. The ESA is the email security appliance and it scans links and attachments in incoming email for malware, phishing attacks and spam and it blocks them before they can get to your user’s mailbox. There’s also the Cisco WSA, which is the web security appliance and that prevents users from accessing dangerous websites, the kind of places that they would maybe accidentally download a Trojan horse or a worm from.

Policies can also be implemented on the ESA and the WSA to prevent sensitive information from being sent out of the organization. So you can configure rules with your policies there about what is sensitive information and you can block that from being sent out. Policies and procedures should be implemented, for example about how and what information can be sent or taken outside the company premises. For example, to prevent data exfiltration you could have a policy, but staff are not allowed to have corporate data on USB sticks because that would be easy to lose in a public place. Security awareness training should also be implemented. So for example, you should train your staff about the dangers of fishing and tell them that they should not open suspicious emails, that they should call a member of the It staff to investigate It. Moving on to reconnaissance and social engineering, low level reconnaissance, for example, just doing research on Google on the company. And also social engineering can use very low tech methods to gain information and access to the target organization. Because of that, it’s difficult for It departments to use technical solutions to protect against them. So the way to defend against them is through staff security awareness.

Again, policies and procedures should be implemented to guard against these kind of attacks, and staff should be educated about security concerns. So, for example, they should be made aware that if somebody calls them, that person may not be who they say they are, that they should be very guarded about giving out what could be sensitive information. An IPS can defend against deeper reconnaissance, which uses port and vulnerability scanners. It’s not normal behavior for a host to scan through a range of port numbers. That would indicate a port scan attack, and an IPS can detect and drop that traffic. Now, a determined attacker may attempt to circumvent this by running the scan over a longer period of time. That can make it more difficult for the IPS to detect it.

But if you’re using an advanced IPS like the one from Cisco, it can still detect this kind of attack because it’s able to correlate actions that happened before and after other actions. So if it sees that a host has been running a port scan over a long period of time, and then that host takes another action, which would indicate an escalation of the attack that will trigger the IPS to fire, it will send an alert to the administrators, and you can also block that host. Moving on to distributed denial of service. Again, we can use an IPS here, and IPS can detect DDoS attacks through anomalybased inspection. Obviously, if you’re under a DDoS attack, it’s not going to be conforming to the normal traffic patterns that you would expect to see. Also, advanced firewalls like the Cisco ASA can offload incoming connection attempts from servers when the traffic rate reaches a threshold and respond with quicker connection timeouts and or cookies.

So how this works is if there is a server behind a firewall that you want to protect, the ASA can monitor the rate of traffic, the rate of new connections that are coming into that server. And if it goes above a certain threshold, that would indicate that that server may be under a DDoS attack. And then the firewall can start proxying the incoming connections. So the incoming connections terminate on the firewall rather than the server. If it is a TCP Syn Floyd attack, the firewall is capable of actually responding with a cookie rather than a synac and not keeping any half open connections. So the firewall is a hardened security device it is less susceptible to DDoS attacks than maybe your other servers.

However, your firewalls can still be a target of DDoS attacks themselves. They can also become overwhelmed. So there are other solutions available as well. And eddos services such as Arbor Networks monitor global internet traffic to detect botnets and command and control servers they have on premises and cloud based solutions. So on your premises and also available in the cloud which scrub traffic when an organization is under DDoS attack.

So if you do become under a DDoS attack with Arbor Networks they can detect that more easily because they are monitoring for botnets and command and control servers. When it happens that traffic can be sent either to an appliance on premises or to a cloud based service which will scrub it, which will just allow the clean traffic through and which will block the traffic from the botnet. Geographic dispersion of an organization services can also help mitigate DDoS attacks. So you can use any cast to have your servers spread across multiple locations. That makes it more difficult for an attacker to launch a DDoS attack against it. Next up spoofing man in the middle and reflection attacks. First defense we have here is unicast. Reverse path forwarding, uRPF. This guards against spoofed IP addresses because it verifies a source IP address is reachable through the same interface it was received on. So let me explain how this works. You can see in the diagram here we’ve got our outside interface on the left that’s fast zero on our router and we’ve got an external host out on the internet on the left there. Then on the right we’ve got our internal server at 19216 810 and the IP address there is 192-16-8124. So if we did a show IP route on this router in the middle here you would see that we’ve got a connected route to the one in 2168 dot or 24 network on the inside on fast one slash zero.

Our other connected network is going out to the internet on 203 011303 on interface fast zero. And here we’ve configured a default static route to send all other traffic out to the internet. Again going out interface fast zero. So here what happens is the host out on the internet that’s an attacker and they try to send some traffic in with a spoofed IP address looking like they’re actually on the inside of the network. So a reason that they would do this is maybe they know that there are security measures on the inside here which are only going to accept traffic from this network. So they try to spoof it to make it look like they are on that network. So they send in a packet with a source IP address of 192. Well, if you have got unicast Reverse Path Forwarding turned on which it is by default the router is going to block that packet because what it does is it looks and it sees. Okay, that packet coming in, it’s come in with source address 192168 100 on interfacefastero.

What the uRPF check does is it says if I was going to send traffic to that IP address would I send it out that same interface that it came in on? But no, if the router was going to send traffic to 192168 100 it would send it out the Fast 10 interface because that has come in under Fast zero, a different interface that indicates that it is invalid. It’s a spoofed source IP address and the router will just drop that packet. When an attacker does spoof their source IP address they don’t receive return traffic so they do not see the sequence numbers and TCP responses from the target. Going back to the previous slide again, let’s say that we didn’t have uRPF on here and that the host on the left here did send in a packet with a spoofed source address of 192-1680 100.

Well, whenever the term traffic was sent back to the IP address, 192168 100, obviously it’s not going to get sent back to that host. So when it is sending in traffic with a spoofed source address that traffic is going to be just one way it’s sending packets into the target. It knows that it’s not going to get any return packets coming back so it’s not going to see the sequence numbers in return TCP packets. But a target may be more vulnerable to attacks if it uses predictable TCP sequence numbers. Because the way that TCP works is when a connection is set up and there’s a session between two hosts, we’re going to use TCP sequence numbers and if those TCP sequence numbers appear to be invalid, the host will just drop the traffic. Well, going back to the previous slide again, let’s say that my host on the left here is sending an attack against the server on the right and let’s say that the traffic is getting to the server.

Well, if that server is using predictable TCP sequence numbers then the host here can pretend like it is in a two way communication with the server and it can send multiple packets in in that session and they will be accepted by the server. It would be better if the server used random sequence numbers and then that would prevent the attacker from doing that. So because of this, your applications should be up to date and patched so that they are using random rather than predictable TCP sequence numbers. If that is not possible, if the application does not support it, then an advanced firewall can also do that as long as it is in the traffic path.

Also, to guard against spoofing you should use secure authentication where possible. Secure authentication proves that systems are communicating with who they think they are. We also have dynamic ARP inspection which will detect and block ARP spoofing attacks. We covered that back in the switch security section for guarding against password attacks, firewalls and packet filters. Your access controllers should be configured to prevent illegitimate users from having connectivity to login windows. For example, if you’re the administrator and you need to log into a network device to administer it, you should be able to do that. Somebody that works in the warehouse should not have connectivity.

They should not be able to get a login prompt on that particular device. If at all possible that traffic should be blocked. Policies should also be in place to enforce secure passwords for your users who do have a legitimate reason to get to a login window. Password complexity settings include minimum password length, special requirements for the characters, for example, having to use a capital letter, having to use a number, having to use a special character such as an asterisk. Other settings include how often passwords must be changed and prevention of old passwords from being reused. Again, so what a user might try to do is have a password of password. When they’re told to change the password, they change it to something else, but then they just immediately change it again back to password. Your password complexity settings should also prevent that as well. So again, summarize that to protect against password attacks, make sure that only people who should be able to get to the login window can get there. And also make sure that your users are using complex passwords.

Multifactor authentication should also be used where suitable. This uses something the user knows, which is for password, and something they have which could be a biometric reader, for example, something that checks for fingerprint or a code which is generated on a mobile app or security device. And also staff should be educated to guard against social engineering attacks against their passwords.

So they should be told if somebody phones up and asks for your password or asks to change your password to a certain thing, be very suspicious of that. Do not do it to guard against buffer overflow attacks, software should be up to date and patched so that it rejects malformed packets. If you’ve got your own internal developers that are building your own applications, they should also make sure that they are not susceptible to buffer overflow attacks.

For packet sniffers, your packet filters and firewalls should be used to ensure traffic paths are controlled. So traffic should only be going where it should be going to. That’s going to lessen the chance that somebody that shouldn’t see it is able to sniff it and traffic should be authenticated and encrypted if it passes over an untrusted network. And finally, you can also employ the services of a penetration tester. Penetration testing can be employed to test the organization security defense. So a penetration tester is a job rule. Penetration tester uses the same tools and methods as a hacker. So what we’re testing for is would a hacker be able to do any damage the way they do that is, they asked the same way that a hacker would. Internal security teams should also do their own testing of their security systems and policies. But an external penetration tester can be used for validation. Okay, so that was all of the different defense solutions that we’re going to use to guard against those threats.

• Category: Uncategorized