Overview of security terms

When you buy a house, you take insurance on the house because of what you think/ know can go wrong like accidents (natural or human made), same way you look at security and begin to identify what can go wrong and then you put some mitigations in place to prevent it. The box in the diagram represent an enterprise building without doors or windows or any access in or out and what this means is that, no one can go in or out of the enterprise, which make it useless. As soon as you introduce a door or a window or an access point, which by the way is necessary in order to go in and enjoy the resources in the enterprise, the door becomes a weakness that can be taken advantage of, either by authorized users allowing their friends to come in or by thieves using tools to gain access to the enterprise.

(1.) Vulnerability =ANY WEAKNESS

Even if the door is locked, someone might find a way to get the door open and access the treasures inside. Because no door is impenetrable, the door becomes a vulnerability. In terms of security, a vulnerability is anything that can be considered to be any weakness that can compromise the security of something else, such as the integrity of data or how a system performs.

(2.) Exploit = Any tool

Nothing is necessarily in jeopardy in the enterprise just because a vulnerability /weakness exists to compromise the security of the enterprise, at least, not until the weakness is discovered by someone and taken advantage of . In the locked door example, nobody but the trusted owner /authorized users can open the door using the correct key unless some sort of tool (cloned key) other than the real key is used. Such a tool can be used to exploit a vulnerability. In fact, the tool itself is called an exploit. An exploit is not very effective if it is used against anything other than the targeted weakness or vulnerability. Technically, an exploit such as the pry bar is not very effective at all by itself. Someone must pick it up and use it against the vulnerability.

(3.) Threat =

A malicious user possesses the pry bar and intends to use it to open the locked door. Now there is an actual potential to break in, destroy, steal, or otherwise modify something without permission. This is known as a threat.

In the IT industry, there are many different vulnerabilities and exploits that can be leveraged by malicious users to become threats to an organization and its data. Some vulnerabilities include but not limited to the following; Operating systems, our Laptops/Desktops/tablets/all mobile devices/workstations/networks/access points, packages and applications, we will look at some measures and techniques we can leverage to prevent the malicious activity from happening. Such measures are known as mitigation techniques. 

——————————— Mitigation Techniques ——————————-

(1.) Attacks That Spoof Addresses

Spoofing attacks focus on one vulnerability. Attacks usually take place by replacing expected values with spoofed or fake values. Address spoofing attacks can be simple and straightforward, where one address value is substituted for another. For example, an attacker can send packets with a spoofed source IP address instead of its own. When the target receives the packets, it will send return traffic to the spoofed address, rather than the attacker’s actual address. If the spoofed address exists, then an unsuspecting host with that address will receive the packet. If the address does not exist, the packet will be forwarded and then dropped further out in the network.

How spoofing works

Data transmitted over the internet is first broken into multiple packets, and those packets are transmitted independently and reassembled at the end. Each packet has an IP (Internet Protocol) header that contains information about the packet, including the source IP address and the destination IP address.

In IP spoofing, a hacker uses tools to modify the source address in the packet header to make the receiving computer system think the packet is from a trusted source, such as another computer on a legitimate network, and accept it. Because this occurs at the network level, there are no external signs of tampering. Mac addresses can also be spoofed. This type of attack is common in Denial-of-Service (DoS) attacks, which can overwhelm computer networks with traffic. 

MITIGATION 1

1. Implement Switch port security
   1. Limit the number of mac addresses on each port-everyone should use this.
      1. Switch(config)#interface range F0/1 – 2
      2. Switch(config-if-range)#switchport mode access
      3. Switch(config-if)#switchport port-security maximum 1
   2. Limit what mac addresses can access the port.
      1. Switch(config-if)#switchport port-security mac-address sticky
2. Responses when these rules are violated
   1. Shutdown the port(default)-if it allows only 1 mac addresses and two shows up, it will err-disable the port. The admin will have to re-enable the port
   2. Protect-This says if only one mac address is allowed and two shows up, it ignores the 2nd, meaning the 2nd mac address will not work 
   3. Restrict -Like protect, it ignores the 2nd mac address and also logs it unlike protect which only ignores.

Configuration of violations

• • Switch(config)#interface range F0/1 – 2
  • Switch(config-if-range)#switchport mode access
  • Switch(config-if)#switchport port-security violation ?
    • protect Security violation protect mode
    • restrict Security violation restrict mode
    • shutdown Security violation shutdown mode
  • Switch(config-if)#switchport port-security violation restrict
  • Switch(config-if)#
  •  
  • Turn off port security
  • Switch(config-if-range)#no Switchport port-security
  • Switch(config-if-range)#

MITIGATION 2

Implement DHCP snooping by configuring the port the DHCP server is connected to as a trusted port by enabling it on the access layer switch for both the main DHCP port and any helper address. When this is done, any DHCP response that does not arrive on the trusted port on the access switches is dropped. These trusted ports are the ports directly connected to the DHCP server and also on the inter-switch link leading down to the pc. 

Ports f0/2 on Switch -1

port f0/1 on switch -2

Here, a rogue user has plugged in a dhcp server which is on the same IP subnet connected on port f0/5 but different DNS and gateway ip addresses. 

To fix this so that the rogue dhcp server will not be handing out ip addresses to unsuspecting hosts thereby causing a DOS attack, we will implement the following commands;

1. Enter global configuration mode by issuing the configure terminal command.

2. Create a VLAN

• Sw1(config)#vlan 10
• Sw1(config-vlan)#name DHCP_Snoop
• Sw1(config-vlan)#exit
• Sw1(config)#

3. Set the port that connects to the client as the access interface and add it into the VLAN

• Sw2(config)#interface range f0/10 – 11
• Sw2(config-if-range)#switchport mode access
• Sw2(config-if)#switchport access vlan 10
• Sw2(config-if)#exit

4. Set the port that connects to the DHCP server as the access interface and add it into the VLAN

• Sw1(config)#interface f0/2
• Sw1(config-if)#switchport mode access
• Sw1(config-if)#switchport access vlan 10
• Sw1(config-if)#exit

5. Enable DHCP Snooping on the VLAN

• Sw1(config)#ip dhcp snooping
• Sw1(config)#ip dhcp snooping vlan 10

6. Change the trust setting of the port that is connected to the DHCP server to trust at the interface configuration level

• Sw1(config)#interface f0/2
• Sw1(config-if)#ip dhcp snooping trust
• Sw1(config-if)#end

• Sw2(config)#interface f0/1
• Sw2(config-if)#ip dhcp snooping trust
• Sw2(config-if)#end

7. Check whether the DHCP binding table is created to verify the configuration

Sw1#show ip dhcp snooping binding