Recognizing Security Threats
Yes, it’s true: Security attacks vary considerably in their complexity and
threat level, and some even happen because of WUI, or witless user ignorance.
(This term isn’t an exam objective, but it does occur more than you’d think!)
You see, it all comes down to planning, or rather, lack thereof. Basically,
the vital tool that the Internet has become today was absolutely unforeseen by
those who brought it into being. This is a big reason why security is now such an
issue—most IP implementations are innately insecure. No worries though, because
Cisco has a few tricks up its sleeve to help us with this. But first, let’s examine
some common attack profiles:
Application-layer attacks
These attacks commonly zero in on well-known holes in the software that’s
typically found running on servers. Favorite targets include FTP, sendmail, and
HTTP. Because the permissions level granted to these accounts is most often
“privileged,” bad guys simply access and exploit the machine that’s running one
of the applications I just mentioned.
Autorooters
You can think of these as a kind of hacker automaton. Bad guys use something
called a rootkit to probe, scan, and then capture data on a strategically positioned
computer that’s poised to give them “eyes” into entire systems—automatically!
Backdoors
These are simply paths leading into a computer or network. Through simple
invasions, or via more elaborate “Trojan horse” code, bad guys can use their
implanted inroads into a specific host or even a network whenever they want to—
until you detect and stop them, that is!
Denial of service (DoS) and distributed denial of service (DDoS) attacks
These are bad—pretty tough to get rid of too! But even hackers don’t respect
other hackers that execute them because, though nasty, they’re really easy to
accomplish. (This means that some 10-year-old could actually bring you to your
knees, and that is just wrong!) Basically, a service is made unavailable by
overwhelming the system that normally provides it. And there are several
different flavors:
TCP SYN flood
Begins when a client initiates a seemingly run-of-the-mill TCP connection
and sends a SYN message to a server. The server predictably responds by
sending a SYN-ACK message back to the client machine, which then
establishes the connection by returning an ACK message. Sounds fine, but
it’s actually during this process—when the connection is only halfway
open—that the victim machine is literally flooded with a deluge of half-
open connections and pretty much becomes paralyzed.
“Ping of death” attacks
You probably know that TCP/IP’s maximum packet size is 65,536 octets.
It’s okay if you didn’t know that—just understand that this attack is
executed by simply pinging with oversized packets, causing a device to
keep rebooting incessantly, freeze up, or just totally crash.
Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K)
These nasty little numbers are more complex in that they initiate
synchronized DoS attacks from multiple sources and can target multiple
devices. This is achieved, in part, by something known as “IP spoofing,”
which I’ll be describing soon.
Stacheldraht
This attack is actually a mélange of methods; its name is the German word for
barbed wire. It basically incorporates TFN and adds a
dash of encryption. It all begins with a huge invasion at the root level,
followed up with a DoS attack finale.
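As an added example (not from the book), here is Python detection logic for two of the flavors just described: it follows each TCP handshake and counts the half-open connections left outstanding per server (the SYN flood signature), and it checks whether a fragmented ICMP datagram would reassemble beyond the IPv4 maximum (the ping-of-death signature). The packet records, addresses and threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One constructed packet record, the kind a sniffer or flow export yields."""
    src: str
    dst: str
    proto: str              # "tcp" or "icmp"
    flags: str = ""         # TCP control bits we care about: SYN, SYN-ACK, ACK
    sport: int = 0
    dport: int = 0
    frag_id: int = 0        # IP Identification field, shared by all fragments
    frag_offset: int = 0    # where this fragment starts, in octets
    length: int = 0         # octets of payload this fragment carries


def half_open_connections(packets):
    """Follow each TCP three-way handshake and report what never completed.

    A flow is recorded on the client's SYN, becomes half-open when the server
    answers SYN-ACK, and leaves the table when the client's ACK completes it.
    Returns {server_ip: number of half-open flows left at the end}."""
    state = {}  # (client, cport, server, sport) -> "syn" | "half_open"
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == "SYN":
            state[(p.src, p.sport, p.dst, p.dport)] = "syn"
        elif p.flags == "SYN-ACK":
            key = (p.dst, p.dport, p.src, p.sport)      # reverse direction
            if state.get(key) == "syn":
                state[key] = "half_open"
        elif p.flags == "ACK":
            state.pop((p.src, p.sport, p.dst, p.dport), None)
    counts = defaultdict(int)
    for (_client, _cport, server, _sport), s in state.items():
        if s == "half_open":
            counts[server] += 1
    return dict(counts)


def syn_flood_suspects(packets, threshold=50):
    """Servers holding more than `threshold` half-open connections at once;
    a real sensor would evaluate this per time window, not per whole trace."""
    return sorted(srv for srv, n in half_open_connections(packets).items()
                  if n > threshold)


MAX_IPV4_DATAGRAM = 65_535   # largest value the 16-bit Total Length field holds


def oversized_datagrams(packets):
    """Flag fragmented ICMP datagrams whose reassembled size would exceed the
    IPv4 maximum.  A robust reassembler checks offset + length and discards the
    datagram before it ever allocates a buffer for it."""
    ends = defaultdict(int)   # (src, dst, frag_id) -> furthest octet seen
    for p in packets:
        if p.proto != "icmp":
            continue
        key = (p.src, p.dst, p.frag_id)
        ends[key] = max(ends[key], p.frag_offset + p.length)
    return sorted(k for k, end in ends.items() if end > MAX_IPV4_DATAGRAM)


def build_sample_trace():
    """Constructed trace: one normal handshake, 60 handshakes against 10.0.0.5
    that are never completed, and a fragmented ping reassembling to 66,000 octets."""
    pkts = [
        Packet("192.0.2.10", "10.0.0.5", "tcp", "SYN", 40000, 80),
        Packet("10.0.0.5", "192.0.2.10", "tcp", "SYN-ACK", 80, 40000),
        Packet("192.0.2.10", "10.0.0.5", "tcp", "ACK", 40000, 80),
    ]
    for i in range(60):                     # the server's SYN-ACK is never answered
        src = f"198.51.100.{i + 1}"
        pkts.append(Packet(src, "10.0.0.5", "tcp", "SYN", 50000 + i, 80))
        pkts.append(Packet("10.0.0.5", src, "tcp", "SYN-ACK", 80, 50000 + i))
    pkts.append(Packet("203.0.113.7", "10.0.0.5", "icmp",
                       frag_id=77, frag_offset=0, length=65_000))
    pkts.append(Packet("203.0.113.7", "10.0.0.5", "icmp",
                       frag_id=77, frag_offset=65_000, length=1_000))
    return pkts


if __name__ == "__main__":
    trace = build_sample_trace()
    print("half-open per server:", half_open_connections(trace))
    print("SYN flood suspects:", syn_flood_suspects(trace))
    print("oversized datagrams:", oversized_datagrams(trace))
```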
IP spoofing
This is pretty much what it sounds like it is—a bad guy from within or outside of
your network masquerades as a trusted host machine by doing one of two things:
presenting with an IP address that’s inside your network’s scope of trusted
addresses or using an approved, trusted external IP address. Because the hacker’s
true identity is veiled behind the spoofed address, this is often just the beginning
of your problems.
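As an added example (not from the book), the following Python models the source-address filter a border router applies to mitigate IP spoofing: a packet arriving from the Internet with a source inside the trusted internal range (or from an unroutable block), or a packet leaving with a source the organization does not own, is denied. The address blocks, interface names and sample records are constructed for the example.

```python
import ipaddress

# Constructed topology for the example.  INTERNAL_NETS is the organisation's
# own address space (the "scope of trusted addresses" in the text); BOGON_NETS
# are prefixes that can never legitimately be the source of a packet arriving
# from the Internet.  203.0.113.0/24 is a documentation prefix standing in for
# the organisation's public block.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("203.0.113.0/24")]
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def ingress_decision(src_ip, iface, internal=INTERNAL_NETS, bogons=BOGON_NETS):
    """Permit or deny one packet based solely on its source address and the
    interface it arrived on ('outside' faces the Internet, 'inside' the LAN).

    Two rules cover both spoofing cases the text describes:
      * arriving from outside with a source inside our own block (or a bogon):
        someone outside is pretending to be a trusted internal host
      * arriving from inside with a source we do not own: a compromised or
        misconfigured internal host is pretending to be someone else
    Returns ('permit' | 'deny', reason)."""
    addr = ipaddress.ip_address(src_ip)
    if iface == "outside":
        if _in_any(addr, internal):
            return "deny", "external packet claims an internal source"
        if _in_any(addr, bogons):
            return "deny", "unroutable (bogon) source"
        return "permit", "ok"
    if iface == "inside":
        if not _in_any(addr, internal):
            return "deny", "internal host using a source address we do not own"
        return "permit", "ok"
    raise ValueError(f"unknown interface {iface!r}")


def denied_packets(records):
    """Run the filter over (src_ip, iface) records and return the denied ones
    with their reasons, the information an ACL 'denied' log message carries."""
    out = []
    for src_ip, iface in records:
        verdict, reason = ingress_decision(src_ip, iface)
        if verdict == "deny":
            out.append((src_ip, iface, reason))
    return out


# Constructed sample: the kind of mix a border router sees.
SAMPLE_RECORDS = [
    ("198.51.100.22", "outside"),   # ordinary Internet host: permitted
    ("10.1.2.3", "outside"),        # spoofed internal source from outside
    ("127.0.0.1", "outside"),       # loopback as source: bogon
    ("192.168.1.9", "outside"),     # private address from the Internet: bogon
    ("10.1.2.3", "inside"),         # real internal host: permitted
    ("198.51.100.99", "inside"),    # internal host spoofing an outside source
]

if __name__ == "__main__":
    for rec in denied_packets(SAMPLE_RECORDS):
        print("deny", *rec)
```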
Man-in-the-middle attacks
Interception! But it’s not a football, it’s a bunch of your network’s packets—your
precious data! A common guilty party could be someone working for your very
own ISP using a tool known as a sniffer (discussed later) and augmenting it with
routing and transport protocols.
Network reconnaissance
Before breaking into a network, hackers often gather all the information they can
about it, because the more they know about the network, the better they can
compromise it. They accomplish their objectives through methods like port scans,
DNS queries, and ping sweeps.
Packet sniffers
This is the tool I mentioned earlier, but I didn’t tell you what it is, and it may
come as a surprise that it’s actually software. Here’s how it works—a network
adapter card is set to promiscuous mode so it will send all packets snagged from
the network’s physical layer through to a special application to be viewed and
sorted out. A packet sniffer can nick some highly valuable, sensitive data
including, but not limited to, passwords and usernames, making them prized
among identity thieves.
Password attacks
These come in many flavors, and even though they can be achieved via more
sophisticated types of attacks like IP spoofing, packet sniffing, and Trojan horses,
their sole purpose is to—surprise—discover user passwords so the thief can
pretend they’re a valid user and then access that user’s privileges and resources.
Brute force attack
Another software-oriented attack that employs a program running on a targeted
network that tries to log in to some type of shared network resource like a server.
For the hacker, it’s ideal if the accessed accounts have a lot of privileges because
then the bad guys can form back doors to use for gaining access later and bypass
the need for passwords entirely.
Port redirection attacks
This approach requires a host machine the hacker has broken into and uses to get
wonky traffic (that normally wouldn’t be allowed passage) through a firewall.
Trojan horse attacks and viruses
These two are actually pretty similar—both Trojan horses and viruses infect user
machines with malicious code and mess them up with varying degrees of paralysis,
destruction, even death! But they do have their differences—viruses are really just
nasty programs attached to command.com, which just happens to be the main
interpreter for all Windows systems. Viruses then run amok, deleting files and
infecting any flavor of command.com it finds on the now diseased machine. The
difference between a virus and a Trojan horse is that Trojans are actually
complete applications encased inside code that makes them appear to be a
completely different entity—say, a simple, innocent game—than the ugly
implements of destruction they truly are!
Trust exploitation attacks
These happen when someone exploits a trust relationship inside your network. For
example, a company’s perimeter network connection usually shelters important
things like SMTP, DNS, and HTTP servers, making the servers really vulnerable
because they’re all on the same segment.
To be honest, I’m not going to go into detail on how to mitigate each and
every one of the security threats I just talked about, not only because that would be
outside the scope of this book, but also because the methods I am going to teach
you will truly protect you from being attacked in general. You will learn enough
tricks to make all but the most determined bad guys give up on you and search for
easier prey. So basically, think of this as a chapter on how to practice “safe
networking.”
Mitigating Security Threats
Hmm…what solution should we use to mitigate security threats?
Something from Juniper, McAfee, or some other firewall product? Nah—we
probably should use something from Cisco. Cisco has a very cool product called
the Adaptive Security Appliance, or ASA. But there’s a catch or two—it’s a pretty
pricey little beauty that scales in cost depending on the modules you choose (for
example, intrusion prevention). Plus, the ASA is actually above the objectives of
this book. I just personally think it is the best product on the market—it truly rocks!
Cisco IOS software runs on upwards of 80 percent of the Internet backbone
routers out there; it’s probably the most critical part of network infrastructure. So
let’s just keep it real and use the Cisco IOS’s software-based security, known as
the Cisco IOS Firewall feature set, for our end-to-end Internet, intranet, and
remote-access network security solutions. It’s a good idea to go with this because
Cisco ACLs really are quite efficient tools for mitigating many of the most
common threats around—and if you just happen to be studying for your CCNA
exam, you need to solidly understand how ACLs work more than anything else in
this chapter!
Cisco’s IOS Firewall
Here’s where we’re going to find out how to mitigate some of the more
common security threats on the list I gave you earlier by using these Cisco IOS
Firewall features:
Stateful IOS Firewall inspection engine
This is your perimeter protection feature because it gives your internal users
secure access control on a per-application basis. People often call it Context-
Based Access Control (CBAC).
Intrusion detection
A deep packet inspection tool that lets you monitor, intercept, and respond to
abuse in real time by referencing 102 of the most common attack and intrusion
detection signatures.
Firewall voice traversal
An application-level feature based on the protocol’s understanding of call flow as
well as the relevant open channels. It supports both the H.323v2 and Session
Initiation Protocol (SIP) voice protocols.
ICMP inspection
Basically permits responses to ICMP packets like ping and traceroute that come
from inside your firewall while denying other ICMP traffic.
Authentication proxy
A feature that makes users authenticate any time they want to access the
network’s resources through HTTP, HTTPS, FTP, and Telnet. It keeps personal
network access profiles for users and automatically gets them for you from a
RADIUS or TACACS+ server and applies them as well.
Destination URL policy management
A buffet of features that’s commonly referred to as URL Filtering.
Per-user firewalls
These are basically personalized, user-specific, downloadable firewalls obtained
through service providers. You can also get personalized ACLs and other settings
via AAA server profile storage.
Cisco IOS router and firewall provisioning
Allows for no-touch router provisioning, version updates, and security policies.
Denial of service (DoS) detection and prevention
A feature that checks packet headers and drops any packets it finds suspicious.
Dynamic port mapping
A sort of adapter that lets the firewall support applications that run on
nonstandard ports.
Java applet blocking
Protects you from any strange, unrecognized Java applets.
Basic and Advanced Traffic Filtering
You can use standard, extended, even dynamic ACLs like Lock-and-Key
traffic filtering with Cisco’s IOS Firewall. And you get to apply access controls to
any network segment you want. Plus, you can specify the exact kind of traffic you
want to allow to pass through any segment.
Policy-based, multi-interface support
Allows you to control user access by IP address and interface depending on your
security policy.
Network Address Translation (NAT)
Conceals the internal network from the outside, increasing security. (I’ll talk a lot
about NAT in Chapter 13.)
Time-based access lists
Determine security policies based upon the exact time of day and the particular
day of the week.
Peer router authentication
Guarantees that routers are getting dependable routing information from actual,
trusted sources. (For this to work, you need a routing protocol that supports
authentication, like RIPv2, EIGRP, or OSPF.)
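As an added illustration (not from the book, and a simplified model rather than the actual RIPv2, EIGRP or OSPF message formats), the following Python shows the principle behind peer router authentication: a keyed digest over each routing update plus a sequence number, so a neighbor accepts only updates from a peer that holds the shared key and rejects altered or replayed ones. The key ids, route encoding and sequence rule are assumptions, and HMAC-SHA256 stands in for the keyed-MD5 scheme those protocols classically use.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = hashlib.sha256().digest_size     # 32 octets
HDR = struct.Struct("!BI")                    # key id (1 octet), sequence number (4 octets)


def sign_update(key_id, seq, routes, keys):
    """Build one authenticated routing update.

    routes: constructed prefixes the router advertises, e.g. "10.1.0.0/16".
    The digest covers the header as well as the route list, so neither the
    sequence number nor the advertised prefixes can be altered in transit
    without the shared key."""
    payload = ",".join(routes).encode()
    header = HDR.pack(key_id, seq)
    digest = hmac.new(keys[key_id], header + payload, hashlib.sha256).digest()
    return header + payload + digest


class Neighbor:
    """The receiving router: the shared keys it holds and the highest sequence
    number it has accepted from this peer (replay protection)."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = -1
        self.routes = []      # routing information accepted so far

    def receive(self, msg):
        """Return (accepted, reason).  Only accepted updates may change the
        routes this router trusts."""
        if len(msg) < HDR.size + DIGEST_LEN:
            return False, "truncated"
        key_id, seq = HDR.unpack_from(msg)
        body, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
        key = self.keys.get(key_id)
        if key is None:
            return False, f"unknown key id {key_id}"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, digest):     # constant-time compare
            return False, "bad digest: forged or tampered"
        if seq <= self.last_seq:
            return False, "replayed or stale sequence number"
        self.last_seq = seq
        self.routes = body[HDR.size:].decode().split(",")
        return True, "accepted"


def demo():
    """Constructed exchange between routers R1 and R2: a genuine update, a copy
    altered in transit, a replay of the genuine update, and an update from a
    router that does not hold the key.  Returns the verdicts and R2's routes."""
    keys = {1: b"constructed-shared-secret"}
    r2 = Neighbor(keys)
    genuine = sign_update(1, 10, ["10.1.0.0/16", "10.2.0.0/16"], keys)
    verdicts = [r2.receive(genuine)]
    altered = genuine.replace(b"10.2.0.0/16", b"10.9.0.0/16")   # digest no longer matches
    verdicts.append(r2.receive(altered))
    verdicts.append(r2.receive(genuine))                        # seq 10 already seen
    untrusted = sign_update(1, 11, ["0.0.0.0/0"], {1: b"not-the-shared-key"})
    verdicts.append(r2.receive(untrusted))
    return [ok for ok, _ in verdicts], r2.routes


if __name__ == "__main__":
    print(demo())
```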
Main Java[All of the Base Concepts}.docx
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
 
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE”           .MARY JANE WILSON, A “BOA MÃE”           .
MARY JANE WILSON, A “BOA MÃE” .
 
writing about opinions about Australia the movie
writing about opinions about Australia the moviewriting about opinions about Australia the movie
writing about opinions about Australia the movie
 

Recognizing security threats

Yes, it’s true: Security attacks vary considerably in their complexity and threat level, and some even happen because of WUI, or witless user ignorance. (This term isn’t an exam objective, but it does occur more than you’d think!) You see, it all comes down to planning, or rather, lack thereof. Basically, the vital tool that the Internet has become today was absolutely unforeseen by those who brought it into being. This is a big reason why security is now such an issue—most IP implementations are innately insecure. No worries though, because Cisco has a few tricks up its sleeve to help us with this. But first, let’s examine some common attack profiles:

Application-layer attacks
These attacks commonly zero in on well-known holes in the software that’s typically found running on servers. Favorite targets include FTP, sendmail, and HTTP. Because the permissions level granted to these accounts is most often “privileged,” bad guys simply access and exploit the machine that’s running one of the applications I just mentioned.

Autorooters
You can think of these as a kind of hacker automaton. Bad guys use something called a rootkit to probe, scan, and then capture data on a strategically positioned computer that’s poised to give them “eyes” into entire systems—automatically!

Backdoors
These are simply paths leading into a computer or network. Through simple invasions, or via more elaborate “Trojan horse” code, bad guys can use their implanted inroads into a specific host or even a network whenever they want to—until you detect and stop them, that is!

Denial of service (DoS) and distributed denial of service (DDoS) attacks
These are bad—pretty tough to get rid of too! But even hackers don’t respect other hackers that execute them because, though nasty, they’re really easy to accomplish. (This means that some 10-year-old could actually bring you to your knees, and that is just wrong!) Basically, a service is made unavailable by overwhelming the system that normally provides it. And there are several different flavors:

TCP SYN flood
Begins when a client initiates a seemingly run-of-the-mill TCP connection and sends a SYN message to a server. The server predictably responds by sending a SYN-ACK message back to the client machine, which then establishes the connection by returning an ACK message. Sounds fine, but it’s actually during this process—when the connection is only halfway open—that the victim machine is literally flooded with a deluge of half-open connections and pretty much becomes paralyzed.
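The half-open state a SYN flood exploits is exactly what the Cisco IOS Firewall's stateful inspection engine (CBAC, described later in this chapter) counts, so here, as an added example that is not from the book, is how a router is told to recognize a flood of half-open sessions and shed them. The inspection rule name FW-INSPECT, the interface and the threshold values are assumptions, not the book's.

```cisco
! Added example (not from the book): CBAC half-open session thresholds.
! Rule name FW-INSPECT, interface and numbers are assumed values.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
!
! A TCP session that has not finished the three-way handshake within
! 15 seconds is dropped instead of being left half open (default is 30).
ip inspect tcp synwait-time 15
!
! Aggregate thresholds: once more than 500 half-open sessions exist, CBAC
! deletes half-open sessions until the count is back below 400.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!
! Rate thresholds: same mechanism, keyed on new half-open sessions per minute.
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Per-host threshold: more than 50 half-open sessions toward one destination
! host means that host is being flooded; new SYNs to it are blocked for
! 2 minutes (block-time 0 would instead delete only the oldest half-open one).
ip inspect tcp max-incomplete host 50 block-time 2
!
! Log session and threshold events to syslog so the flood is visible.
ip inspect audit-trail
!
interface FastEthernet0/1
 description Outside (Internet-facing) interface, assumed
 ip inspect FW-INSPECT in
!
! Verification: "show ip inspect config" prints the thresholds and
! "show ip inspect sessions" lists half-open (SIS_OPENING) sessions.
```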
“Ping of death” attacks
You probably know that TCP/IP’s maximum packet size is 65,536 octets. It’s okay if you didn’t know that—just understand that this attack is executed by simply pinging with oversized packets, causing a device to keep rebooting incessantly, freeze up, or just totally crash.

Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K)
These nasty little numbers are more complex in that they initiate synchronized DoS attacks from multiple sources and can target multiple devices. This is achieved, in part, by something known as “IP spoofing,” which I’ll be describing soon.

Stacheldraht
This attack is actually a mélange of methods, and it translates from the German term for barbed wire. It basically incorporates TFN and adds a dash of encryption. It all begins with a huge invasion at the root level, followed up with a DoS attack finale.

IP spoofing
This is pretty much what it sounds like it is—a bad guy from within or outside of your network masquerades as a trusted host machine by doing one of two things: presenting with an IP address that’s inside your network’s scope of trusted addresses or using an approved, trusted external IP address. Because the hacker’s true identity is veiled behind the spoofed address, this is often just the beginning of your problems.

Man-in-the-middle attacks
Interception! But it’s not a football, it’s a bunch of your network’s packets—your precious data! A common guilty party could be someone working for your very own ISP using a tool known as a sniffer (discussed later) and augmenting it with routing and transport protocols.

Network reconnaissance
Before breaking into a network, hackers often gather all the information they can about it, because the more they know about the network, the better they can compromise it. They accomplish their objectives through methods like port scans, DNS queries, and ping sweeps.

Packet sniffers
This is the tool I mentioned earlier, but I didn’t tell you what it is, and it may come as a surprise that it’s actually software. Here’s how it works—a network adapter card is set to promiscuous mode so it will send all packets snagged from the network’s physical layer through to a special application to be viewed and sorted out. A packet sniffer can nick some highly valuable, sensitive data including, but not limited to, passwords and usernames, making them prized among identity thieves.
Password attacks
These come in many flavors, and even though they can be achieved via more sophisticated types of attacks like IP spoofing, packet sniffing, and Trojan horses, their sole purpose is to—surprise—discover user passwords so the thief can pretend they’re a valid user and then access that user’s privileges and resources.

Brute force attack
Another software-oriented attack that employs a program running on a targeted network that tries to log in to some type of shared network resource like a server. For the hacker, it’s ideal if the accessed accounts have a lot of privileges because then the bad guys can form back doors to use for gaining access later and bypass the need for passwords entirely.

Port redirection attacks
This approach requires a host machine the hacker has broken into and uses to get wonky traffic (that normally wouldn’t be allowed passage) through a firewall.

Trojan horse attacks and viruses
These two are actually pretty similar—both Trojan horses and viruses infect user machines with malicious code and mess it up with varying degrees of paralysis, destruction, even death! But they do have their differences—viruses are really just nasty programs attached to command.com, which just happens to be the main interpreter for all Windows systems. Viruses then run amok, deleting files and infecting any flavor of command.com it finds on the now diseased machine. The difference between a virus and a Trojan horse is that Trojans are actually complete applications encased inside code that makes them appear to be a completely different entity—say, a simple, innocent game—than the ugly implements of destruction they truly are!

Trust exploitation attacks
These happen when someone exploits a trust relationship inside your network. For example, a company’s perimeter network connection usually shelters important things like SMTP, DNS, and HTTP servers, making the servers really vulnerable because they’re all on the same segment.

To be honest, I’m not going to go into detail on how to mitigate each and every one of the security threats I just talked about, not only because that would be outside the scope of this book, but also because the methods I am going to teach you will truly protect you from being attacked in general. You will learn enough tricks to make all but the most determined bad guys give up on you and search for easier prey. So basically, think of this as a chapter on how to practice “safe networking.”
Mitigating Security Threats

Hmm…what solution should we use to mitigate security threats? Something from Juniper, McAfee, or some other firewall product? Nah—we probably should use something from Cisco. Cisco has a very cool product called the Adaptive Security Appliance, or ASA. But there’s a catch or two—it’s a pretty pricey little beauty that scales in cost depending on the modules you choose (for example, intrusion prevention). Plus, the ASA is actually above the objectives of this book. I just personally think it is the best product on the market—it truly rocks! Cisco IOS software runs on upwards of 80 percent of the Internet backbone routers out there; it’s probably the most critical part of network infrastructure. So let’s just keep it real and use the Cisco IOS’s software-based security, known as the Cisco IOS Firewall feature set, for our end-to-end Internet, intranet, and remote-access network security solutions. It’s a good idea to go with this because Cisco ACLs really are quite efficient tools for mitigating many of the most common threats around—and if you just happen to be studying for your CCNA exam, you need to solidly understand how ACLs work more than anything else in this chapter!

Cisco’s IOS Firewall

Here’s where we’re going to find out how to mitigate some of the more common security threats on the list I gave you earlier by using these Cisco IOS Firewall features:

Stateful IOS Firewall inspection engine
This is your perimeter protection feature because it gives your internal users secure access control on a per-application basis. People often call it Context-Based Access Control (CBAC).

Intrusion detection
A deep packet inspection tool that lets you monitor, intercept, and respond to abuse in real time by referencing 102 of the most common attack and intrusion detection signatures.

Firewall voice traversal
An application-level feature based on the protocol’s understanding of call flow as well as the relevant open channels. It supports both the H.323v2 and Session Initiation Protocol (SIP) voice protocols.

ICMP inspection
Basically permits responses to ICMP packets like ping and traceroute that come from inside your firewall while denying other ICMP traffic.

Authentication proxy
A feature that makes users authenticate any time they want to access the network’s resources through HTTP, HTTPS, FTP, and Telnet. It keeps personal network access profiles for users and automatically gets them for you from a RADIUS or TACACS+ server and applies them as well.

Destination URL policy management
A buffet of features that’s commonly referred to as URL Filtering.

Per-user firewalls
These are basically personalized, user-specific, downloadable firewalls obtained through service providers. You can also get personalized ACLs and other settings via AAA server profile storage.

Cisco IOS router and firewall provisioning
Allows for no-touch router provisioning, version updates, and security policies.

Denial of service (DoS) detection and prevention
A feature that checks packet headers and drops any packets it finds suspicious.

Dynamic port mapping
A sort of adapter that permits applications supported by firewalls on nonstandard ports.

Java applet blocking
Protects you from any strange, unrecognized Java applets.

Basic and Advanced Traffic Filtering
You can use standard, extended, even dynamic ACLs like Lock-and-Key traffic filtering with Cisco’s IOS Firewall. And you get to apply access controls to any network segment you want. Plus, you can specify the exact kind of traffic you want to allow to pass through any segment.

Policy-based, multi-interface support
Allows you to control user access by IP address and interface depending on your security policy.

Network Address Translation (NAT)
Conceals the internal network from the outside, increasing security. (I’ll talk a lot about NAT in Chapter 13.)

Time-based access lists
Determine security policies based upon the exact time of day and the particular day of the week.

Peer router authentication
Guarantees that routers are getting dependable routing information from actual, trusted sources. (For this to work, you need a routing protocol that supports authentication, like RIPv2, EIGRP, or OSPF.)
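As an added example rather than the book's own configuration, here is how the time-based access list and peer router authentication features just listed look on an IOS router; the names BUSINESS-HOURS, OUTSIDE-IN and RIP-KEYS, the 192.0.2.0/24 and 10.0.0.0/8 addresses and the interfaces are assumptions.

```cisco
! Added example (not from the book). Names, addresses and interfaces are assumed.
!
! Time-based ACL: the time range is evaluated against the router's own clock,
! so the clock has to be trustworthy first (server address is a placeholder).
ntp server <ntp-server-placeholder>
clock timezone UTC 0
!
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
ip access-list extended OUTSIDE-IN
 remark Web server (documentation address) reachable only during business hours
 permit tcp any host 192.0.2.10 eq www time-range BUSINESS-HOURS
 remark Everything else arriving from outside is denied and logged for review
 deny ip any any log
!
interface Serial0/0
 description Outside link to the ISP, assumed
 ip access-group OUTSIDE-IN in
!
! Peer router authentication: RIPv2 updates carry an MD5 digest computed over
! the update plus a shared key, so an update from a source that does not hold
! the key is ignored instead of entering the routing table.
key chain RIP-KEYS
 key 1
  key-string <shared-secret-placeholder>
!
interface FastEthernet0/0
 description Inside link to the neighbouring router, assumed
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
! Verification: "show time-range" shows whether BUSINESS-HOURS is active,
! "show ip access-lists OUTSIDE-IN" shows per-entry hit counts, and
! "debug ip rip" reports updates ignored for invalid authentication.
```

Return traffic for sessions started from inside is not admitted by this ACL fragment; that is the job of the stateful inspection rule, which the book covers as CBAC.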