An attacker looks for poorly configured network devices to exploit. Common vulnerabilities include weak default installation settings, wide-open access controls, and unpatched devices. The following are high-level network threats:
Information gathering
Sniffing
Spoofing
Session hijacking
Denial of service
With knowledge of the threats that can affect the network, you can apply effective countermeasures.
Information gathering can reveal detailed information about network topology, system configuration, and network devices. An attacker uses this information to mount pointed attacks at the discovered vulnerabilities.
Common vulnerabilities that make your network susceptible to an attack include:
The inherently insecure nature of the TCP/IP protocol suite
Configuration information provided by banners
Exposed services that should be blocked
Common information-gathering attacks include:
Using Tracert to detect network topology
Using Telnet to open ports for banner grabbing
Using port scans to detect open ports
Using broadcast requests to enumerate hosts on a subnet
You can employ the following countermeasures:
Use generic service banners that do not give away configuration information such as software versions or names.
Use firewalls to mask services that should not be publicly exposed.
Sniffing, also called eavesdropping, is the act of monitoring network traffic for data, such as clear-text passwords or configuration information. With a simple packet sniffer, all plaintext traffic can be read easily. Also, lightweight hashing algorithms can be cracked, so a payload that was thought to be safe can be deciphered.
Common vulnerabilities that make your network susceptible to data sniffing include:
Weak physical security
Lack of encryption when sending sensitive data
Services that communicate in plain text or use weak encryption or hashing
The attacker places packet sniffing tools on the network to capture all traffic.
Countermeasures include the following:
Strong physical security that prevents rogue devices from being placed on the network
Encrypted credentials and application traffic over the network
Spoofing, also called identity obfuscation, is a means to hide one's true identity on the network. A fake source address is used that does not represent the actual packet originator's address. Spoofing can be used to hide the original source of an attack or to work around network access control lists (ACLs) that are in place to limit host access based on source address rules.
Common vulnerabilities that make your network susceptible to spoofing include:
The inherently insecure nature of the TCP/IP protocol suite
Lack of ingress and egress filtering. Ingress filtering is the filtering of any IP packets with untrusted source addresses before they have a chance to enter and affect your system or network. Egress filtering is the process of filtering outbound traffic from your network.
An attacker can use several tools to modify outgoing packets so that they appear to originate from an alternate network or host.
You can use ingress and egress filtering on perimeter routers.
With session hijacking, also known as a man-in-the-middle attack, the attacker uses an application that masquerades as either the client or the server. This results in either the server or the client being tricked into thinking that the upstream host is the legitimate host. However, the upstream host is actually an attacker's host that is manipulating the network so that it appears to be the desired destination. Session hijacking can be used to obtain logon information that can then be used to gain access to a system or to confidential information.
Common vulnerabilities that make your network susceptible to session hijacking include:
Weak physical security
The inherent insecurity of the TCP/IP protocol suite
Unencrypted communication
An attacker can use several tools to combine spoofing, routing changes, and packet manipulation.
Countermeasures include the following:
Session encryption
Stateful inspection at the firewall
A denial of service attack is the act of denying legitimate users access to a server or services. Network-layer denial of service attacks usually try to deny service by flooding the network with traffic, which consumes the available bandwidth and resources.
Vulnerabilities that increase the opportunities for denial of service include:
The inherent insecurity of the TCP/IP protocol suite
Weak router and switch configuration
Unencrypted communication
Service software bugs
Common denial of service attacks include:
Brute force packet floods, such as cascading broadcast attacks
SYN flood attacks
Service exploits, such as buffer overflows
Countermeasures include:
Filtering broadcast requests
Filtering Internet Control Message Protocol (ICMP) requests
Patching and updating of service software
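As an added illustration of two countermeasures above (ingress and egress filtering against spoofing, and filtering of broadcast requests against denial of service), the following example encodes the perimeter-router decision logic as a small Python function and runs it over constructed sample packets. It is example code written for this page, not part of the original text or any vendor's product; the internal prefix 203.0.113.0/24 and the sample addresses are assumed documentation values.

```python
import ipaddress

# Address space this (assumed) network owns; constructed for the example.
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that should never arrive from the Internet: private (RFC 1918),
# loopback, link-local, multicast and the unspecified block.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
)]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_packet(direction, src, dst):
    """Return (verdict, reason) for one packet crossing the perimeter.
    direction is "ingress" (from the Internet) or "egress" (to the Internet)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "ingress":
        # Ingress filtering: a packet from outside must not claim an internal
        # source, nor a source that is not routable on the public Internet.
        if _in_any(s, INTERNAL_PREFIXES):
            return "drop", "ingress: spoofed internal source"
        if _in_any(s, BOGON_PREFIXES):
            return "drop", "ingress: untrusted (bogon) source"
        # Broadcast filtering: directed broadcasts into our subnets feed
        # broadcast-based flood attacks, so drop them at the edge.
        if any(d == net.broadcast_address for net in INTERNAL_PREFIXES):
            return "drop", "ingress: directed broadcast"
        return "accept", "ingress ok"
    if direction == "egress":
        # Egress filtering: outbound traffic must carry one of our own
        # addresses, so our hosts cannot be used to launch spoofed packets.
        if not _in_any(s, INTERNAL_PREFIXES):
            return "drop", "egress: source not in our address space"
        return "accept", "egress ok"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample packets: (direction, source, destination).
SAMPLE_PACKETS = [
    ("ingress", "198.51.100.7", "203.0.113.10"),   # legitimate inbound
    ("ingress", "203.0.113.5", "203.0.113.10"),    # claims an internal source
    ("ingress", "10.1.2.3", "203.0.113.10"),       # private source from outside
    ("ingress", "198.51.100.7", "203.0.113.255"),  # directed broadcast
    ("egress", "203.0.113.10", "198.51.100.7"),    # legitimate outbound
    ("egress", "192.0.2.9", "198.51.100.7"),       # outbound with foreign source
]


def apply_filter(packets=SAMPLE_PACKETS):
    return [filter_packet(*p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE_PACKETS, apply_filter()):
        print(f"{verdict:6} {pkt[0]:7} {pkt[1]:>15} -> {pkt[2]:<15} {why}")
```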