CCDA 640-864 Official Cert Guide - Chapter 12 Summary

Network Security Overview

U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley or SOX): Focuses on the accuracy and controls imposed on a company’s financial records. This was passed as a U.S. federal law because of a number of corporate and accounting scandals.

Payment Card Industry (PCI) Data Security Standard (DSS): PCI is a data security standard that defines how to protect credit card holder data, including the storage and transfer of credit card holder information. Many retailers that accept credit cards have to meet PCI DSS standards or pay stiff penalties and are subject to regular and rigorous audits for PCI DSS compliance.

Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA): Provides protection against the sale of bank and account information that is regularly bought and sold by financial institutions. GLBA also guards against the practice of obtaining private information through false pretenses.

U.S. Health Insurance Portability and Accountability Act (HIPAA): Applies to the protection of private health information that is used electronically. The purpose is to enable better access to health information, reduce fraud, and lower the cost of health care in the United States.

EU Data Protection Directive 95/46/EC: Calls for the protection of people’s right to privacy with respect to the processing of personal data.

Reconnaissance: The goal of reconnaissance is to gather as much information as possible about the target host/network. Generally, this type of information gathering is done before an attack is carried out.

Gaining unauthorized access: Refers to the act of attacking or exploiting the target system or host. Operating systems, services, and physical access to the target host have known system vulnerabilities that the attacker can take advantage of and use to increase his or her privileges. Social engineering is another technique for obtaining confidential information from employees by manipulation. As a result of the attacker exploiting the host, confidential information can be read, changed, or deleted from the system.

Denial of service (DoS): DoS attacks aim to overwhelm resources such as memory, CPU, and bandwidth and thus impact the target system and deny legitimate user’s access. Distributed DoS (DDoS) attacks involve multiple sources working together to deliver the attack.

Feature Description	Feature
Verifies DHCP transitions and prevents rogue DHCP server from interfering with production traffic	DHCP snooping
Intercepts Address Resolution Protocol (ARP) packets and verifies that the packets have valid IP-to-MAC bindings	Dynamic ARP Inspection (DAI)
Prevents unknown source addresses from using the network as a transport mechanism to carry out attacks	Unicast Reverse Path Forwarding (uRFP)
Controls what traffic is allowed on the network	Access control lists (ACL)
Controls the rate of bandwidth that incoming traffic, such as ARP packets and DHCP requests	Rate limiting

When attackers change sensitive data without the proper authorization, this is called an integrity violation.

Confidentiality breaches occur when the attacker attempts to read sensitive information.

Security Policy and Process

Basic Approach of a Security Policy:

To help create a security policy, here is generally accepted approach from RFC 2196:

Step 1. Identify what you are trying to protect.

Step 2. Determine what you are trying to protect it from.

Step 3. Determine how likely the threats are.

Step 4. Implement measures that protect your assets in a cost-effective manner.

Step 5. Review the process continuously, and make improvements each time a weakness is found

PKI

• It relies on asymmetric cryptography, which uses two different keys for encryption.
• Public keys are used to encrypt and private keys to decrypt.
• PKI requires a certificate to be issued by a certificate authority (CA) and is used by many e-commerce sites on the Internet.

VPN Description	VPN Name
Use AH and ESP to secure data; requires endpoints have IPsec software	Standard IPsec
Secure encrypted point-to-point GRE tunnels; on-demand spoke-to-spoke connectivity	Cisco DMVPN
Simplifies hub-and-spoke VPNs; need to reduce VPN management	Cisco Easy VPN
Enables routing and multicast traffic across an IPsec VPN; non-IP protocol and QoS support	Cisco GRE-based VPN
Encryption integration on IP and MPLS WANs; simplifies encryption management using group keying; any-to-any connectivity	Cisco GET VPN

The IPsec suite is an open standard. IPsec uses the following protocols to perform various functions:

• Authentication Headers (AH) provide connectionless integrity and data origin authentication for IP datagram’s and provides protection against replay attacks.

• Encapsulating Security Payloads (ESP) provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.

• Security Associations (SA) provide the bundle of algorithms and data that provide the parameters necessary to operate the AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.