All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 5 CCNA Security

Chapter 1 Lab A: Researching Network Attacks and Security Audit Tools

Instructor Version Grey Highlighting – indicates answers provided on instructor lab copies only Objectives Part 1: Researching Network Attacks  Research network attacks that have occurred.  Select a network attack and develop a report for presentation to the class. Part 2: Researching Security Audit Tools  Research network security audit tools.  Select a tool and develop a report for presentation to the class. BackgroundScenario Network attacks have resulted in the loss of sensitive data and significant network downtime. When a network or the resources within it are inaccessible, worker productivity can suffer, and business income may be lost. Attackers have developed many tools over the years to attack and compromise the networks of organizations. These attacks take many forms, but in most cases, they seek to obtain sensitive information, destroy resources, or deny legitimate users access to resources. To understand how to defend a network against attacks, an administrator must first identify network vulnerabilities. Specialized security audit software developed by equipment and software manufacturers can be used to help identify potential weaknesses. In addition, the same tools used by attackers can be used to test the ability of a network to mitigate an attack. After the vulnerabilities are known, steps can be taken to help mitigate the network attacks. This lab provides a structured research project that is divided into two parts: Researching Network Attacks and Researching Security Audit Tools. You can elect to perform Part 1, Part 2, or both. Let your instructor know what you plan to do so to ensure that a variety of network attacks and vulnerability tools are reported on by the members of the class. In Part 1, you research various network attacks that have actually occurred. You select one of these and describe how the attack was perpetrated and how extensive the network outage or damage was. You also investigate how the attack could have been mitigated or what mitigation techniques might have been implemented to prevent future attacks. You prepare a report based on a predefined form included in the lab. In Part 2, you research network security audit tools and investigate one that can be used to identify host or network device vulnerabilities. You create a one-page summary of the tool based on a predefined form included in the lab. You prepare a short 5 –10 minute presentation to present to the class. You may work in teams of two with one person reporting on the network attack and the other reporting on the security audit tools. All team members deliver a short overview of their findings. You can use live demonstrations or PowerPoint to summarize your findings. CCNA Security All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 5 Required Resources  Computer with Internet access for research.  Presentation computer with PowerPoint or other presentation software installed.  Video projector and screen for demonstrations and presentations. Instructor Note: To maintain tighter control over what the students report, you can provide the students a list of recent network attacks and security audit tools from which to choose. You might want to ask the students to email you their desired research project by a specific time, or you will assign them a topic. In the email, they should provide some background information description, links, and so on to make sure that no one is doing the same thing. Part 1. Researching Network Attacks In Part 1 of this lab, you research various network attacks that have actually occurred and select one on which to report. Fill in the form below based on your findings. Step 1: Research various network attacks. List some of the attacks you identified in your search. Possible examples include: Code Red, Nimba, Back Orifice, Blaster, MyDoom, SQL Slammer, SMURF, Tribe flood network TFN, Stacheldraht, Sobig, Netsky, Witty, and Storm. The Code Red attack is used as an example here. Instructor Note: An extensive list of viruses and worms listed by the year they were discovered can be found at http:en.wikipedia.orgwikiNotable_computer_viruses_and_worms . Step 2: Fill in the following form for the network attack selected. Name of attack: Code Red Type of attack: Worm Dates of attacks: July 2001 Computers Organizations affected: Infected an estimated 359,000 computers in one day. How it works and what it did: Instructor Note: Most of the following is from Wikipedia. Code Red exploited buffer-overflow vulnerabilities in unpatched Microsoft Internet Information Servers. It launched Trojan code in a denial-of-service attack against fixed IP addresses. The worm spread itself using a common type of vulnerability known as a buffer overflow . It used a long string repeating the character N to overflow a buffer, which then allowed the worm to execute arbitrary code and infect the machine. The payload of the worm included the following:  Defacing the affected website with the message: HELLO Welcome to http:www.worm.com CCNA Security All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 5 Hacked By Chinese  It tried to spread itself by looking for more IIS servers on the Internet.  It waited 20–27 days after it was installed to launch DoS attacks on several fixed IP addresses. The IP address of the White House web server was among them.  When scanning for vulnerable machines, the worm did not check whether the server running on a remote machine was running a vulnerable version of IIS or whether it was running IIS at all. Mitigation options: To prevent the exploitation of the IIS vulnerability, organizations needed to apply the IIS patch from Microsoft. References and info links: CERT Advisory CA-2001-19 eEye Code Red advisory Code Red II analysis Presentation support graphics include PowerPoint filename or web links: Wikipedia, Animation on The Spread of the Code-Red Worm CRv2 . CAIDA Analysis. Retrieved on 2006-10-03. www.networkworld.comslideshows2008031108-worst-moments-in-net- security.html?nwwpkg=slideshows Part 2. Researching Security Audit Tools In Part 2 of this lab, you research network security audit tools and attacker tools and investigate one that can be used to identify host or network device vulnerabilities. Fill in the report below based on your findings. Step 1: Research various security audit and network attack tools. List some of the tools that you identified in your search. Possible examples include: Microsoft Baseline Security Analyzer MBSA, NMAP, Cisco IOS AutoSecure, Cisco Configuration Professional CCP Security Audit Wizard. Sourceforge Network Security Analysis Tool NSAT, Solarwinds Engineering Toolset. Attacker tools may also be investigated, including L0phtcrack, Cain and Abel, John the Ripper, Netcat, THC Hydra, Chkrootkit, DSniff, Nessus, AirSnort, AirCrack, WEPCrack. The CCP Security Audit tool is used as an example here. Instructor Note: Additional sources of information include the following: http:www.yolinux.comTUTORIALSLinuxSecurityTools.html Top Network Security Tools: http:sectools.org CCNA Security All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 5 Password Crackers: http:sectools.orgcrackers.html Sniffers: http:sectools.orgsniffers.html Vulnerability Scanner: http:sectools.orgvuln-scanners.html Web Scanners: http:sectools.orgweb-scanners.html Wireless: http:sectools.orgwireless.html Exploitation: http:sectools.orgsploits.html Packet Crafters: http:sectools.orgtagpacket-crafters Step 2: Fill in the following form for the security audit or network attack tool selected. Name of tool: CCP Security Audit Developer: Cisco Systems Type of tool character-based or GUI: Cisco router GUI-based security analysis Used on network device or computer host: Router Cost: Free to download Description of key features and capabilities of product or tool: CCP Security Audit wizard runs a series of predefined checklists to assess the security configuration of a router. When finished, CCP presents a list of recommended actions, which you can selectively choose to apply. CCP also allows you to directly perform a one-step router lockdown option. One-step lockdown configures the router with a set of defined security features with recommended settings. Security Audit is a feature of CCP that examines an existing router configuration and then provides a list of recommended configuration changes to make a router and network more secure. For a complete list of functions that Security Audit checks for, see the online help topics in CCP. Security audit does the following:  Checks the router running configuration against a list of predefined security configuration settings  Lists identified problems and provides recommendations for fixing them  Allows the user to choose which problems to fix and displays the appropriate user interface for CCNA Security All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 5 fixing them  Delivers commands to configure the router with the chosen security configuration Examples of security-related issues that Security Audit can address include services that should be disabled, password requirements, warning banners, Telnet settings, SSH access, firewalls, logging, and AAA. CCP and the Security Audit wizard provide context-sensitive help. References and info links: http:www.cisco.comenUSprodcollateralroutersps9422data_sheet_c78_462210.html Step 3: Reflection a. What is the prevalence of network attacks and what is their impact on the operation of an organization? What are some key steps organizations can take to help protect their networks and resources? Answers will vary. Massive network attacks like Code Red, which can affect large portions of the Internet, are less common because of mitigation strategies that have been implemented. However, smaller targeted attacks, especially those intended to acquire personal information, are more common than ever. Networking devices and hosts on a network have many potential vulnerabilities that can be exploited. Vulnerability analysis tools can help identify security holes so that network administrators can take steps to correct the problem before an attack occurs. Other steps that can be taken include the use of firewalls, intrusion detection and prevention, hardening of network devices, endpoint protection, AAA, user education and security policy development. b. Have you actually worked for an organization or know of one where the network was compromised? If so, what was the impact to the organization and what did it do about it? Answers will vary, and the results can be interesting. c. What steps can you take to protect your own PC or laptop computer? Answers will vary but could include keeping the operating system and applications up to date with patches and service packs, using a personal firewall, configuring passwords to access the system, configuring screensavers to timeout and requiring a password, protecting important files by making them read-only, encrypting confidential files and backup files for safe keeping. All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 57 CCNA Security

Chapter 2 Lab A: Securing the Router for Administrative Access