18: Security

18.1 Security threats

There are many security threats that can affect our network, and the network administrator must be aware of how to prevent those security threats from harming the network.

Some common security threats are listed below.

DOS (Denial of service) and DDoS (Distributed Denial of service) attacks

The attacker floods a server or network with a huge stream of traffic (ping requests, connection attempts, or any other kind of request) that keeps the server busy with junk work. This dramatically slows the network, and may bring the server down altogether. In a DDoS attack the flood comes from many compromised hosts at once, which makes it much harder to block by source address.

Man-in-the-middle attack

The attacker convinces each of the two communicating parties that he is the other party. If two nodes (node_A, node_B) are communicating, the attacker convinces node_A that he is node_B, and convinces node_B that he is node_A. The attacker can then read all the traffic between the two nodes and inject forged packets into the conversation.

IP spoofing

The attacker pretends to have an IP address that differs from his real IP address. The spoofed address may belong to a source device that the network trusts, or be any other address that allows the attacker to gain unauthorized rights. Any control that relies on the source IP address alone (such as a standard ACL, see section 18.3.1) trusts that address, and can be defeated this way.

Packet sniffers

A packet sniffer is a program that captures network traffic and analyzes it. An attacker can use one to capture traffic that was never intended for him, and so learn information he should not know (for example, passwords sent by protocols that do not encrypt, such as telnet).

Password attacks

The attacker tries to obtain an account password in order to pose as an authorized user. He may guess it, try candidates by trial and error, claim to have forgotten it so that it is reset for him, or use any other means that deceives the system.

Brute force attacks

The attacker tries every possible key or password, one after another, until one works. Applied to encrypted data, a brute-force attack may reveal passwords and other sensitive information that the attacker should not know. Its cost grows with the size of the key or password space, which is why long keys and long, random passwords are the defence.

Virus

A virus is a malicious program that harms computers and copies itself into other programs or systems. It can reach a computer through the internet, removable media, or any other way.

Trojan horse

A Trojan horse is a program that pretends to be an innocent program providing some useful function. However, it contains malicious code that can badly harm the computer it runs on.

18.2 Security threats mitigation

The network administrator can install appliances and applications in the network in order to mitigate the security threats that may affect it.

Firewall

A firewall may be a dedicated device installed in the network, or software installed on the end devices.

The firewall protects the network from unauthorized access coming from outside the network. It controls the communication between the network and the external world, and allows only authorized communications to pass through it.

IDS (Intrusion Detection System)

A device or software that detects malicious activity and alerts the network administrator. An IDS only watches the traffic (usually a copy of it); it does not block anything by itself.

IPS (Intrusion Prevention System)

A device or software that sits in the traffic path, detects malicious activity, blocks it, and alerts the network administrator.

Antivirus

A program that detects and removes malicious programs.

Antispyware

A program that detects and removes spyware, i.e. programs that collect personal information from the computer.

18.3 Access Control List (ACL)

An access control list (ACL) is a powerful tool that enables network administrators to control the traffic in their network. Using ACLs, a network administrator can authorize certain networks to access certain resources, and deny everything else.

Suppose that we have the network:

Figure 18.1

By using ACLs, the network administrator can authorize the computers of the ‘sales’ network to access the server, while preventing the computers of the ‘finance’ network from accessing the same server. Moreover, the network administrator can determine exactly which protocols on the server may be accessed from the ‘sales’ network computers.

18.3.1 Standard access list

Every ACL should have a unique number. Standard ACLs are numbered from 1 to 99.

Standard ACLs use only the source IP address to decide whether a packet is allowed or not allowed to reach the resource.

To configure an ACL we use the following command,

Router(config)#access-list ACL number {deny | permit} source IP wildcard mask

(The wildcard mask is the inverse of a subnet mask: a 0 bit means the corresponding bit of the packet’s address must match, and a 1 bit means it is ignored. So 0.0.0.255 matches a whole /24 network, and 0.0.0.0 matches one host.)

To apply an ACL to router’s interface, we use the following command,

Router(config-if)#ip access-group ACL number {in | out}

(in or out is the direction, relative to the router, in which the ACL is applied: in filters packets arriving on the interface, out filters packets leaving through it)

In figure (18.1), suppose that we need to configure the router in order to prevent the packets that come from the ‘finance’ network (11.0.0.0 255.255.255.0) from accessing the server, while allowing the packets with any other source IP address.

The following commands show how to configure the ACL, and how to apply it on the router’s interface,

Router(config)#access-list 1 deny 11.0.0.0 0.0.0.255

(if only one IP address is to be denied (e.g. 11.0.0.1), we can write host 11.0.0.1 instead of 11.0.0.1 0.0.0.0)

Router(config)#access-list 1 permit any

(any means any IP address; equivalently we can write 0.0.0.0 255.255.255.255, i.e. ignore every bit of the address)

To apply the configured ACL on a certain interface,

Router(config)#interface fa 0/2

Router(config-if)#ip access-group 1 out

(out means that this ACL is applied to packets that exit the router through interface fa 0/2, the interface that leads to the server in figure 18.1)

Note that the router compares a packet against the rules in order, from the first rule to the last, and the first rule that matches is applied; the remaining rules are not examined. If no rule matches, the packet is denied: every ACL ends with an implicit deny.

Therefore the order of the rules matters (if ‘permit any’ were written first, the deny rule above could never be reached), and it is very important to write the rule (access-list ACL number permit any) as the last rule of the access list whenever unrestricted packets should be allowed through.

18.3.2 Extended access list

Every ACL should have a unique number. Extended ACLs are numbered from 100 to 199.

Extended access list can use a source IP address, a destination IP address, a protocol and port numbers to determine if a certain packet is allowed or not allowed.

To configure the extended ACL, we use the following command,

Router(config)#access-list ACL number {deny | permit} protocol source IP wildcard mask destination IP wildcard mask [eq {port number | protocol name}]

ACL number: from 100 to 199

Protocol: tcp, udp or ip (ip matches every IP protocol, so it cannot be combined with a port)

Source IP: the source IP address

Wild card mask: the wild card mask of the source IP address

Destination IP: the destination IP address

Wild card mask: the wild card mask of the destination IP address

The port number or the protocol name: the destination port number, or, for a well-known port, the name of its protocol. As an example, if the port number is 23, we can write the protocol name telnet instead of the port number. The eq clause is optional and is only valid when the protocol is tcp or udp.

To apply the ACL to the router’s interface, we use the following command,

Router(config-if)#ip access-group ACL number {in | out}

(in or out is the direction in which the ACL is applied, as for standard ACLs)

18.3.3 Case study

In figure (18.1), suppose that the network administrator needs to allow only the computers of the ‘sales’ network to access the server, and only using the telnet protocol, taking into consideration that telnet uses port number 23.

The administrator will configure the router using the following commands,

Router(config)#access-list 101 permit tcp 10.0.0.0 0.0.0.255 20.0.0.2 0.0.0.0 eq 23

Router(config)#interface fa 0/2

Router(config-if)#ip access-group 101 out

Note that, in this case study, we did not write the explicit permit rule (access-list ACL number permit ip any any) as the last rule of the ACL. This is because we need every packet that does not match our rule to be denied, which the implicit deny does for us: the ‘finance’ computers, and any ‘sales’ traffic to the server other than telnet, are dropped.

If instead we need to permit every packet that does not match any of the ACL’s rules, we must write the explicit permit rule (access-list ACL number permit ip any any) as the last rule of the ACL.

(Telnet sends passwords in cleartext, which a packet sniffer can read, so in practice SSH on port 22 would be permitted instead; the filtering logic is exactly the same.)
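The rule-matching logic of sections 18.3.1 to 18.3.3 (wildcard masks, top-down first-match evaluation, the implicit deny, and the difference between a standard and an extended ACL) can be exercised with the following evaluator. It is an added example written for this page, not IOS code or code from the original text; it parses the chapter’s own access-list lines and evaluates constructed packets against them. Assumptions: the addressing implied by the chapter’s commands (sales 10.0.0.0/24, finance 11.0.0.0/24, server 20.0.0.2, since figure 18.1 is not reproduced here), a small PORT_NAMES table standing in for the full set of port names IOS accepts, and a simplified Packet record carrying only the fields the ACLs look at.

```python
"""Toy evaluator for Cisco-style numbered ACLs (added example; not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored.
    So 0.0.0.0 means 'this exact host' and 255.255.255.255 means 'any'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    src: str
    src_wc: str
    proto: Optional[str] = None   # None: standard ACL (source address only)
    dst: Optional[str] = None
    dst_wc: Optional[str] = None
    dport: Optional[int] = None   # the "eq <port>" clause (tcp/udp only)


@dataclass
class Packet:                     # only the fields an ACL looks at (simplification)
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


# A few of the well-known names IOS accepts in place of a port number (subset, assumed).
PORT_NAMES = {"telnet": 23, "ftp": 21, "smtp": 25, "domain": 53, "www": 80}


def _address(tokens: List[str]):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse 'access-list N ...' lines in the chapter's syntax, keeping their order."""
    rules, number = [], None
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        n, action, rest = int(tok[1]), tok[2], tok[3:]
        number = n if number is None else number
        if n != number:
            raise ValueError("all lines of one ACL must share its number")
        if 1 <= n <= 99:                       # standard ACL: source only
            src, wc = _address(rest)
            rules.append(Rule(action, src, wc))
        elif 100 <= n <= 199:                  # extended ACL
            proto = rest.pop(0)
            src, swc = _address(rest)
            dst, dwc = _address(rest)
            dport = None
            if rest and rest[0] == "eq":
                if proto not in ("tcp", "udp"):
                    raise ValueError("'eq' is only valid with tcp or udp")
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            rules.append(Rule(action, src, swc, proto, dst, dwc, dport))
        else:
            raise ValueError(f"ACL number {n} is outside 1-99 and 100-199")
    return rules


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, rule.src, rule.src_wc):
        return False
    if rule.proto is None:                     # standard ACL: nothing else is checked
        return True
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.dst, rule.dst, rule.dst_wc):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Rules are tested top-down and the first match wins; a packet that matches
    nothing hits the implicit deny at the end of every ACL."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# The chapter's two ACLs, exactly as written in sections 18.3.1 and 18.3.3.
ACL_1 = parse_acl(["access-list 1 deny 11.0.0.0 0.0.0.255",
                   "access-list 1 permit any"])
ACL_101 = parse_acl(["access-list 101 permit tcp 10.0.0.0 0.0.0.255 20.0.0.2 0.0.0.0 eq 23"])
```

Evaluating a finance packet against ACL_1 returns deny and a sales packet returns permit; against ACL_101, sales-to-server telnet is permitted while sales-to-server HTTP (port 80) and any finance packet fall through to the implicit deny. Feeding parse_acl the two lines of ACL 1 in the opposite order shows the ordering caveat: the finance packet is then permitted because ‘permit any’ matches first.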

18.4 NAT (Network Address Translation)

NAT is the process of changing the source IP address of a packet (and the destination IP address of the reply) as it passes through a ‘layer 3’ device such as a router.

NAT was developed and is used because the supply of public IPv4 addresses is almost exhausted.

18.4.1 Private IP vs. public (real) IP

NAT works with two types of IP addresses:

  1. Private IP addresses
  2. Public IP addresses

The private IP addresses are the addresses in the following ranges (reserved by RFC 1918 and never routed on the internet),

10.0.0.0 to 10.255.255.255 (10.0.0.0/8)

172.16.0.0 to 172.31.255.255 (172.16.0.0/12)

192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

Any other IP address is a public IP address.

The ‘public IP’ may be called the ‘real IP’ or the ‘global IP’.

The ‘private IP’ may be called the ‘virtual IP’ or the ‘local IP’.

In a NAT configuration, a private IP address can be assigned to any device that is not directly reachable from the internet, while every device that is reachable from the internet must be assigned a public IP address.

Figure 18.2

In figure (18.2), a ‘private IP address’ should be assigned to all the devices of the internal network: PC_1, PC_2, the printer, the server, and the internal interface fa 0/0 of the router.

However, a ‘public IP address’ should be assigned to every interface that faces the internet, such as the router’s external interface ser 0/0.

In short, any interface or device that must be reachable from the internet is assigned a public IP address, while any device or interface that should not be reachable from the internet is assigned a private IP address.

18.4.2 How NAT works?

In figure (18.2), when an internal device needs to communicate with a device on the internet (such as a web server), it sends its packets to the router’s interface ‘fa 0/0’. The router replaces the source IP address in each packet with a public IP address, records this translation in its NAT table, and forwards the packet to the web server. When the web server replies, it replies to the public IP address; the router looks the address up in its NAT table, restores the internal device’s private address as the destination, and forwards the reply to the internal device.

18.5 Static NAT, dynamic NAT and PAT

18.5.1 Static NAT

In static NAT, every private IP address is statically mapped to one public IP address.

The network administrator configures the router to change each private IP address to a fixed public IP address. Because the mapping is permanent, the inside host is reachable from the internet at its public address at all times, so static NAT is typically used for servers and should be combined with an ACL or firewall that limits what may reach them.

Case study

In figure (18.3), suppose that PC_1 needs to communicate with a web server on the internet,

Figure 18.3

The router will change the source IP address of the packets that come from PC_1, setting it to ‘50.0.0.6’ instead of ‘10.0.0.3’.

Therefore, when the web server needs to reply to PC_1, it will reply to ‘50.0.0.6’, and then the router will forward this reply to PC_1.

Static NAT configuration

To configure the static NAT on a router, we use the following command,

Router(config)#ip nat inside source static private IP public IP

(Cisco calls the private address the ‘inside local’ address and the public address the ‘inside global’ address.)

To configure NAT in the network in figure (18.3),

Router(config)#ip nat inside source static 10.0.0.2 50.0.0.5

Router(config)#ip nat inside source static 10.0.0.3 50.0.0.6

Router(config)#interface fa 0/0

Router(config-if)#ip nat inside

(This marks fa 0/0 as the inside interface, the side on which the private addresses live.)

Router(config-if)#interface ser 0/0

Router(config-if)#ip nat outside

(This marks ser 0/0 as the outside interface, the side facing the internet. NAT translates packets as they cross from an inside interface to an outside interface and back; if either interface is not marked, no translation takes place.)

18.5.2 Dynamic NAT

In dynamic NAT, the network administrator configures an IP pool on the router. This pool contains a range of public IP addresses to be used in the NAT process. Each inside host that sends traffic through the router is given the next free address of the pool, and the binding is released after a period of inactivity. Once every address of the pool is in use, further inside hosts cannot be translated and their packets are dropped.

Dynamic NAT configuration

We use the following command to configure the dynamic NAT,

Router(config)#ip nat inside source list ACL number pool pool name

To configure the network that exist in figure (18.3) to use the dynamic NAT, we use the following commands,

Router(config)#access-list 1 permit 10.0.0.0 0.0.0.255

(Configures the access list that selects the private source addresses NAT is applied to. Note that, as in every ACL, the address is followed by a wildcard mask, not a subnet mask.)

Router(config)#ip nat pool abc 50.0.0.2 50.0.0.6 netmask 255.255.255.0

(Configures a pool of public IPs that contain 5 IPs).

Router(config)#ip nat inside source list 1 pool abc

(Configures the NAT operation between the private IP addresses matched by ‘access-list 1’ and the public IP addresses of the pool ‘abc’).

Router(config)#interface fa 0/0

Router(config-if)#ip nat inside

(This marks fa 0/0 as the inside interface.)

Router(config-if)#interface ser 0/0

Router(config-if)#ip nat outside

(This marks ser 0/0 as the outside interface.)

18.5.3 PAT Port Address Translation

It is also known as ‘overloading’, or ‘many-to-one NAT’. In this type of NAT, any number of private IP addresses can be mapped to a single public IP address.

Therefore, PAT conserves public IP addresses, and it is the most widely used form of NAT.

PAT maps many private IPs to only one public IP by using the port addresses as following,

Figure 18.4

In figure (18.4), suppose that PC_1 and PC_2 need to communicate with a web server that exists on the internet, and it has an IP address of ‘136.123.1.45’.

The router will map both PC_1 and PC_2 IPs to only one public IP ‘50.0.0.5’.

However, the router will give the packets of each of the two sessions a different source port number.

As seen in figure (18.4), the router will give a source port number ‘1342’ to the packets of the PC_1’s session with the web server.

In addition, the router will give a source port number ‘1475’ to the packets of the PC_2’s session with the web server.

Therefore, when the web server replies to the router, the router identifies the internal destination by looking up the destination port number in its translation table. A packet from the internet whose destination port is not in that table matches nothing and is dropped, which is why hosts behind PAT are not reachable from outside unless a translation is configured for them.

If the destination port number is ‘1342’, the router will forward the packets to PC_1.

If the destination port number is ‘1475’, the router will forward the packets to PC_2.

The advantage of PAT is that all the internal devices can access the internet using only one public IP address.

PAT configuration

To configure the network in figure (18.4), we use the following commands,

Router(config)#access-list 1 permit 10.0.0.0 0.0.0.255

(Configures the access list that selects the private source addresses NAT is applied to)

Router(config)#ip nat pool abc 50.0.0.2 50.0.0.2 netmask 255.255.255.0

(Configures a pool of public IP addresses that contains only one address; it may contain any number of addresses)

Router(config)#ip nat inside source list 1 pool abc overload

(Configures the NAT operation between the private IP addresses matched by access-list 1 and the public IP addresses of pool abc. The overload keyword is what turns this into PAT: without it the command configures dynamic NAT, and with a single-address pool only one inside host at a time could reach the internet. A common alternative that needs no pool is ‘ip nat inside source list 1 interface ser 0/0 overload’, which translates to the address of the outside interface itself.)

Router(config)#interface fa 0/0

Router(config-if)#ip nat inside

(This marks fa 0/0 as the inside interface)

Router(config-if)#interface ser 0/0

Router(config-if)#ip nat outside

(This marks ser 0/0 as the outside interface)
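The translation behaviour described in sections 18.4.2 and 18.5.1 to 18.5.3 (a fixed static mapping, a dynamic pool that can run out, and PAT telling sessions apart by port) is modelled by the following engine. It is an added example written for this page, not IOS code or code from the original text. Assumptions: the addresses of figures 18.3 and 18.4 (inside network 10.0.0.0/24, hosts 10.0.0.2 and 10.0.0.3, public addresses 50.0.0.x, web server 136.123.1.45); translated ports are handed out sequentially from 1024, whereas a real router keeps the original source port whenever it is free; and the two-address pool in dynamic_pool_demo is the example’s own choice, made to show pool exhaustion.

```python
"""Toy NAT/PAT translation engine (added example; not IOS code).
Addressing follows the chapter's figures: inside network 10.0.0.0/24, public pool 50.0.0.x."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)

# The three RFC 1918 ranges listed in section 18.4.1.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    return any(ipaddress.IPv4Address(ip) in net for net in RFC1918)


@dataclass
class Nat:
    mode: str                                        # "static" | "dynamic" | "pat"
    inside_list: Optional[str] = None                # network permitted by the 'source list' ACL
    static: Dict[str, str] = field(default_factory=dict)         # inside local -> inside global
    pool: List[str] = field(default_factory=list)                # free public addresses
    dyn: Dict[str, str] = field(default_factory=dict)            # dynamic NAT bindings
    pat: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # (in_ip, in_port) -> (global, port)
    pat_rev: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    next_port: int = 1024   # simplification: real IOS keeps the original port when it is free

    def __post_init__(self):
        # A pool or static mapping must hand out public addresses; a private one would never route.
        for g in list(self.static.values()) + self.pool:
            if is_private(g):
                raise ValueError(f"{g} is private and would not be routed on the internet")

    def _subject_to_nat(self, ip: str) -> bool:
        return (self.inside_list is not None
                and ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(self.inside_list))

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Inside -> outside. Returns the translated source, the source unchanged when
        the packet is not subject to NAT, or None when the router must drop it."""
        ip, port = src
        if self.mode == "static":
            return (self.static[ip], port) if ip in self.static else src
        if not self._subject_to_nat(ip):
            return src                                   # not in the list: forwarded untranslated
        if self.mode == "dynamic":
            if ip not in self.dyn:
                if not self.pool:
                    return None                          # pool exhausted: packet dropped
                self.dyn[ip] = self.pool.pop(0)          # one public address per inside host
            return (self.dyn[ip], port)
        # PAT (overload): all sessions share one public address; the port tells them apart
        if src not in self.pat:
            if not self.pool:
                return None
            self.pat[src] = (self.pool[0], self.next_port)
            self.pat_rev[self.pat[src]] = src
            self.next_port += 1
        return self.pat[src]

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Outside -> inside (the reply). None: no translation exists, so the packet is dropped."""
        ip, port = dst
        if self.mode == "static":
            # A static mapping is permanent: the inside host is reachable on any port, at any time.
            return next(((inside, port) for inside, g in self.static.items() if g == ip), None)
        if self.mode == "dynamic":
            return next(((inside, port) for inside, g in self.dyn.items() if g == ip), None)
        return self.pat_rev.get(dst)                     # only ports the router handed out exist


def figure_18_4() -> dict:
    """Two inside hosts reach the web server 136.123.1.45 through the single address 50.0.0.5."""
    router = Nat("pat", inside_list="10.0.0.0/24", pool=["50.0.0.5"])
    pc1 = router.outbound(("10.0.0.2", 50000))
    pc2 = router.outbound(("10.0.0.3", 50000))   # same inside port, still told apart after PAT
    return {"pc1": pc1, "pc2": pc2,
            "reply_to_pc1": router.inbound(pc1), "reply_to_pc2": router.inbound(pc2),
            "unsolicited": router.inbound(("50.0.0.5", 23))}


def dynamic_pool_demo() -> list:
    """Figure 18.3 with a two-address pool and three inside hosts: the third one is dropped."""
    router = Nat("dynamic", inside_list="10.0.0.0/24", pool=["50.0.0.2", "50.0.0.3"])
    return [router.outbound((h, 1000)) for h in ("10.0.0.2", "10.0.0.3", "10.0.0.4")]
```

figure_18_4 shows the PAT case: both hosts leave as 50.0.0.5 with different ports, each reply is routed back to the right host by port, and an unsolicited packet to 50.0.0.5 port 23 is dropped because no translation exists for it. The static mode shows the opposite property: a reply, or any other packet, to 50.0.0.6 reaches 10.0.0.3 whether or not that host ever spoke first, which is the exposure the caveat in section 18.5.1 refers to.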