Network Sales and Services Handbook (Cisco Press Networking Technology)
In order to design an effective security solution, it is important to understand the types of network threats that exist. These threats to a network or system are categorized as follows:
Denial-of-Service (DoS)
Unauthorized Access
Illicit Command Execution
Confidentiality Breaches
Destructive Behavior
Each of these threats is discussed in the following sections.
Denial-of-Service (DoS)
DoS attacks are considered to be both the most dangerous threat and the most difficult to address. The premise of a DoS attack is that the attacker sends more requests to a host (for example, a web server) than the host can handle. For example, if a host can answer 20 requests per second and the attacker sends 50 requests per second, the host cannot service all of the requests, which means it also cannot service legitimate requests, such as hits on a web site from real users or customers.
DoS attacks are considered the most dangerous threat because they are easy to launch, difficult (sometimes impossible) to trace, and refusing an attacker's requests for service without also refusing legitimate service requests is not an easy task.
The following list offers things that can be done to reduce the risk of being a target of a DoS attack:
Avoid running servers that are visible to the world close to capacity, so that spare capacity remains to absorb a flood of service requests.
Use packet filtering to prevent forged packets from entering the network. Forged packets are those that claim to come from one of the network's own hosts; typical examples are packets arriving from outside with source addresses reserved for private networks (defined in RFC 1918) or for the loopback network (127.0.0.0).
Maintain up-to-date security-related patches on host operating systems.
Each of these possible solutions has an associated implementation and management cost. It is this cost that must be weighed versus the risk of lost service.
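The packet-filtering recommendation above is the part of the list that can be expressed directly as logic. The following is an added example, not code from the handbook or from Cisco: it models a border filter that drops inbound packets whose source address is reserved (RFC 1918 or loopback) or claims to be one of the organization's own hosts, and, going one step beyond the text, also drops outbound packets whose source is not one of the organization's addresses, so the network cannot be used to originate forged floods. The internal prefix 203.0.113.0/24 and the sample packets are constructed values.

```python
import ipaddress
from typing import Iterable

# Constructed example value, not from the handbook: the organization's own
# public block (203.0.113.0/24, a documentation range, stands in for a real one).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that never legitimately appear on packets arriving from the
# Internet: the RFC 1918 private blocks and the loopback network.
RESERVED_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _in_any(addr, prefixes) -> bool:
    return any(addr in net for net in prefixes)


def ingress_verdict(src_ip: str) -> str:
    """Decision for a packet entering from the Internet, based on its source."""
    addr = ipaddress.ip_address(src_ip)
    if _in_any(addr, RESERVED_PREFIXES):
        return "drop-reserved-source"
    if _in_any(addr, INTERNAL_PREFIXES):
        return "drop-spoofed-internal-source"
    return "permit"


def egress_verdict(src_ip: str) -> str:
    """Decision for a packet leaving toward the Internet: only the
    organization's own addresses may appear as sources."""
    addr = ipaddress.ip_address(src_ip)
    if _in_any(addr, INTERNAL_PREFIXES):
        return "permit"
    return "drop-not-our-source"


def apply_filter(packets: Iterable[tuple], direction: str) -> dict:
    """Run every (src, dst) pair through the filter for one direction and
    return the permit count plus the dropped packets with their reasons."""
    verdict_fn = ingress_verdict if direction == "ingress" else egress_verdict
    summary = {"permit": 0, "dropped": []}
    for src, dst in packets:
        verdict = verdict_fn(src)
        if verdict == "permit":
            summary["permit"] += 1
        else:
            summary["dropped"].append((src, dst, verdict))
    return summary


# Constructed sample traffic (src, dst) as seen at the border router.
INBOUND_SAMPLE = [
    ("198.51.100.7", "203.0.113.10"),   # ordinary Internet client
    ("10.4.4.4", "203.0.113.10"),       # RFC 1918 source from outside: forged
    ("127.0.0.1", "203.0.113.10"),      # loopback source from outside: forged
    ("203.0.113.9", "203.0.113.10"),    # claims to be one of our hosts: forged
]
OUTBOUND_SAMPLE = [
    ("203.0.113.10", "198.51.100.7"),   # our host replying to a client
    ("192.0.2.1", "198.51.100.7"),      # not our address: would be a forged flood
]

if __name__ == "__main__":
    for direction, sample in (("ingress", INBOUND_SAMPLE), ("egress", OUTBOUND_SAMPLE)):
        result = apply_filter(sample, direction)
        print(direction, "permitted:", result["permit"])
        for src, dst, why in result["dropped"]:
            print(f"  dropped {src} -> {dst}: {why}")
```

On a real border router the same two checks are a pair of access lists applied inbound and outbound on the Internet-facing interface; the point of the example is that the inbound list protects the organization, while the outbound list stops the organization's hosts from becoming the source of someone else's flood.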
Unauthorized Access
Unauthorized access is a high-level term referring to a number of different sorts of attacks. The goal of an unauthorized access attack is for the attacker to reach some host resource that would not otherwise be available. For example, a host could be a web server, and therefore should provide anyone with the web pages they request. However, the web server should not provide command-line access to anyone without first ensuring that the requestor is someone who should have such access, such as a local administrator.
Illicit Command Execution
It is undesirable for an unknown and/or an unauthorized person to be able to execute commands on an organization's servers. There are two main severity classifications of this problem:
Normal user access: A normal user can do a number of things on a host that an attacker should not be able to do, such as read files or send e-mail. This access might be all the access that an attacker needs to create havoc on the network.
Administrator access: With administrator privileges, an attacker can make host configuration changes, such as changing its IP address or putting a start-up script in place that causes the machine to shut down every time it is started.
Confidentiality Breaches
Confidentiality breaches are based on the model that certain information could be damaging if it fell into the wrong hands, such as those of a competitor, an enemy, or the public. In these cases, it is possible that the compromise of a normal user account on the host can be enough to cause damage, resulting, perhaps, in bad publicity for the organization or access to information that can be used against the company.
Destructive Behavior
Destructive break-ins and attacks fall into two major categories:
Data Diddling: Considered the worst sort of attack because the break-in might not be obvious. The attacker could do any number of things, such as the following:
- Change numbers in spreadsheets
- Change dates in a project plan
- Change the account numbers for direct deposit of paychecks
It is rare that something wrong is immediately identified. An accounting procedure might turn up a discrepancy in the books three or four months later. Once the problem is discovered, the question "How can any numbers from that time period be trusted?" is raised.
Data Destruction: The attacker deletes data, with an effect comparable to a fire or other disaster that destroyed the host or server.
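The data-diddling case above turns on detection: a quietly changed account number or date is only noticed months later, and then nothing from that period can be trusted. The usual defensive answer is an integrity manifest recorded at a known-good moment and re-verified on a schedule. The following is an added example, not code from the handbook or from Cisco. It uses a keyed digest (HMAC-SHA256) rather than a plain hash on the assumption that the key and the manifest are kept on a separate system the monitored host cannot read, so that an intruder with administrator access cannot simply recompute the manifest after editing the data. The file contents and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed: the manifest key. Assumed to be held on a separate system that
# the monitored host cannot read; an administrator-level intruder on the host
# must not be able to regenerate a matching manifest after changing the data.
MANIFEST_KEY = b"example-manifest-key-held-off-host"


def digest(content: bytes) -> str:
    """Keyed digest of one file's contents."""
    return hmac.new(MANIFEST_KEY, content, hashlib.sha256).hexdigest()


def build_manifest(files: dict) -> dict:
    """files: {path: bytes}. Returns {path: keyed digest} captured at a
    known-good moment, for example the close of an accounting period."""
    return {path: digest(content) for path, content in files.items()}


def verify_manifest(manifest: dict, files: dict) -> dict:
    """Compare the current file set against the recorded manifest and report
    what changed, what disappeared, and what appeared without being recorded."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, recorded in manifest.items():
        if path not in files:
            report["missing"].append(path)
        elif not hmac.compare_digest(recorded, digest(files[path])):
            report["modified"].append(path)
    for path in files:
        if path not in manifest:
            report["unexpected"].append(path)
    return report


# Constructed sample: two small CSV "spreadsheets" as they stood at period close.
BASELINE = {
    "finance/payroll.csv": b"employee,account\nalice,11112222\nbob,33334444\n",
    "projects/plan.csv": b"task,due\nkickoff,2004-03-01\nreview,2004-04-15\n",
}

# The same files after a quiet edit: one direct-deposit account number changed.
TAMPERED = dict(BASELINE)
TAMPERED["finance/payroll.csv"] = b"employee,account\nalice,11112222\nbob,99998888\n"


def detect_diddling() -> dict:
    """Record the manifest over the baseline, then verify the tampered set."""
    manifest = build_manifest(BASELINE)
    return verify_manifest(manifest, TAMPERED)


if __name__ == "__main__":
    print("baseline check:", verify_manifest(build_manifest(BASELINE), BASELINE))
    print("after tampering:", detect_diddling())
```

Verified on a schedule, the manifest answers the question the text raises: the files whose digests still match the record taken at period close can be trusted, and the investigation can be narrowed to the ones that do not.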