
From the document CCSP CSI Exam Certification Guide (Pages 163-171)

In Figure 9-3, the firewall permits any machine on the Internet to connect to the web server on the DMZ. Additionally, the firewall permits all traffic from the DMZ into the internal LAN and permits all traffic from the DMZ to the Internet. Finally, the firewall permits all traffic from the internal LAN going out.

An attacker can exploit a vulnerability in the web server to gain access to that host. Once access to the web server in the DMZ is obtained, the attacker can set up port redirection software to redirect traffic so that the traffic connects to the system on the internal LAN. In Figure 9-3, the web server TCP port 80 is redirected to connect to the Telnet port on the internal host. The attacker then connects to the web server on TCP port 80 and is automatically redirected to the Telnet port on the internal host. This allows the attacker to tunnel into the internal LAN through the firewall without violating the firewall policy.

Figure 9-3 Port Redirection Attack

Guarding Against Virus and Trojan-Horse Applications

The most effective way to mitigate virus and Trojan-horse applications is to use antivirus software or a host-based intrusion detection system (HIDS). These mitigation techniques can be deployed at the host and at the network level to keep this attack vector from entering the network. The key point to remember is that these applications rely on a signature database for viruses and Trojan-horse applications, and that database must be kept up to date.

Figure 9-3 (diagram not reproduced): the attacker connects to the WWW server in the DMZ on 80/TCP, and the connection is redirected to Telnet (23/TCP) on the internal host.

Firewall Rules:

permit any DMZ port 80
permit DMZ inside
permit DMZ outside
permit inside any
deny any any
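As an added illustration that is not part of the book, the following Python snippet models the Figure 9-3 rule set with first-match semantics, checks the two-hop path described in the text (Internet to the DMZ web server on port 80, then DMZ to the internal Telnet port), and repeats the check against a policy whose DMZ-to-inside trust is narrowed; the zone names and the backend port 1433 are constructed for the example.

```python
# Added example, not from the book. Zone names ("outside", "dmz", "inside") and
# the backend port 1433 in the tightened policy are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"

@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source zone, or "any"
    dst: str             # destination zone, or "any"
    port: Optional[int]  # destination TCP port; None matches every port

def first_match(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Action of the first rule matching the flow; implicit deny if none does."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.port in (None, port):
            return r.action
    return "deny"

# Figure 9-3 policy, transcribed from the rule list shown with the figure.
FIGURE_9_3 = [
    Rule("permit", ANY, "dmz", 80),
    Rule("permit", "dmz", "inside", None),   # the weak trust relationship
    Rule("permit", "dmz", "outside", None),
    Rule("permit", "inside", ANY, None),
    Rule("deny", ANY, ANY, None),
]

# Same policy with DMZ-to-inside trust narrowed to one needed backend port.
TIGHTENED = [
    Rule("permit", ANY, "dmz", 80),
    Rule("permit", "dmz", "inside", 1433),   # constructed: only what the web tier needs
    Rule("deny", "dmz", "inside", None),
    Rule("permit", "dmz", "outside", None),
    Rule("permit", "inside", ANY, None),
    Rule("deny", ANY, ANY, None),
]

def pivot_reachable(rules: List[Rule], entry_port: int = 80, target_port: int = 23) -> bool:
    """Two-hop check for the path in the text: outside -> DMZ host on entry_port, then
    (via a redirector on that DMZ host) DMZ -> inside on target_port; both hops must pass."""
    hop1 = first_match(rules, "outside", "dmz", entry_port) == "permit"
    hop2 = first_match(rules, "dmz", "inside", target_port) == "permit"
    return hop1 and hop2

def exposed_inside_ports(rules: List[Rule], candidates: List[int]) -> List[int]:
    """Inside ports reachable from the DMZ under the policy, out of the candidates."""
    return [p for p in candidates if first_match(rules, "dmz", "inside", p) == "permit"]
```

Note that the direct flow outside to inside on port 23 is denied by both policies; only the two-hop check exposes the trust problem in the original rule set.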

Foundation Summary

The “Foundation Summary” section of each chapter lists the most important facts from the chapter.

Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each “Foundation Summary” section before taking the exam.

Table 9-2 summarizes the various attacks discussed in this chapter and the primary methods that can be used to mitigate the attacks.

Table 9-2 Mitigation Methods for Various Attacks

Attack Type | Mitigation Methods
IP spoofing | Access control restrictions and RFC 2827 filtering
Packet sniffers | Strong authentication (two-factor), switched infrastructure, antisniffing tools, and cryptography
Password attacks | Cryptographic authentication, OTPs, user education on strong passwords, and periodic password testing
Man-in-the-middle attacks | Cryptography
Port redirection | Strong trust models and access controls
Virus and Trojan-horse applications | Network antivirus software and a HIDS


Q&A

As mentioned in the introduction, “All About the Cisco Certified Security Professional Certification,” you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in Appendix A.

For more practice with exam-like question formats, including questions using a router simulator and multiple choice questions, use the exam engine on the CD-ROM.

1. Describe the characteristics of a strong password.

2. What is two-factor authentication?

3. How can cryptography mitigate packet sniffers?

4. How can an attacker insert himself between two systems using cryptography in a man-in-the-middle attack?

5. How can Trojan-horse applications be mitigated?

6. RFC 2827 describes filtering by service providers at their edge devices. How can an enterprise network that is connecting through a service provider also benefit from RFC 2827 filtering?

7. Port redirection is effective when there is a poor or weak trust model between systems. How can an attacker use such an attack to gain access to the internal host through the DMZ web server shown earlier in Figure 9-3?

8. How do switched infrastructures affect packet sniffers?

9. What are two methods that antisniffer tools use to detect the possible presence of a sniffer?

10. How do password-testing tools work?

Chapter 10

Network Management

This chapter covers the following topics:

Network Management Overview

Network Management Protocols

Today’s networks can consist of numerous different networked devices, each requiring a varying degree of management. The ability to remotely and securely manage each of these devices is crucial to any network administrator. For this reason, several network management protocols are available that help the network administrator access, monitor, log, report, and transfer information between the management console and the managed device. This management information flows bidirectionally; logging and reporting information flows from the managed device to the management console, while configuration, content, and firmware update data flows to the managed device from the management console.

This chapter presents a review of network management and the protocols that are used for that purpose.

“Do I Know This Already?” Quiz

The purpose of the “Do I Know This Already?” quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 12-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time.

Table 10-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.

Table 10-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section | Questions Covered in This Section
Network Management Overview | 1–5
Network Management Protocols | 6–12

1. Which two types of network management traffic flows occur?

a. Unidirectional

b. In-band

c. Bidirectional

d. Channeled

e. Out-of-band

2. Which network traffic management flow is considered the most secure?

a. Unidirectional

b. In-band

c. Bidirectional

d. Channeled

e. Out-of-band

3. Which network traffic management flow is generally considered more cost-effective to implement?

a. Unidirectional

b. In-band

c. Bidirectional

d. Channeled

e. Out-of-band

4. When using in-band network management, emphasis should be placed on which of the following?

a. Performance

b. Securing data

c. Ease of management

d. Traffic flow

CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


5. If management protocols do not offer secure communications, then which of the following should be used to secure the in-band communications path?

a. Telnet

b. RFC 2827 filtering

c. Access control lists

d. IPSec

e. Encrypted tunneling protocols

6. What port does SSH use for connections?

a. UDP 443

b. TCP 22

c. TCP 25

d. UDP 443

e. TCP 23

7. Which of the following remote-access protocols is considered the least secure?

a. SSH

b. SSL

c. Telnet

d. HTTPS

8. Which of the following protocols transfer data in clear text?

a. SSL

b. HTTPS

c. IPSec

d. SSH

e. TFTP

9. Which version of SNMP provides authentication and encryption?

a. Version 1

b. Version 2

c. Version 3

d. Version 2c

10. Which version of NTP supports authentication?

a. Version 1

b. Version 2

c. Version 2c

d. Version 3

e. Version 3c

11. What two main components does SNMP use in its design?

a. Agents

b. Monitor

c. Reporter

d. Manager

12. When not using SNMPv3, it is recommended to do which of the following?

a. Use read-write access

b. Use read-only community strings

c. Use authentication

d. Use access control lists

The answers to the “Do I Know This Already?” quiz are found in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggested choices for your next step are as follows:

10 or less overall score—Read the entire chapter. This includes the “Foundation Topics” and “Foundation Summary” sections, and the “Q&A” section.

11 or more overall score—If you want more review on these topics, skip to the “Foundation Summary” section and then go to the “Q&A” section. Otherwise, move to the next chapter.
