In this video, technical author Ed Liberman explains various network related security threats such as distributed denial of service, malware, and man in the middle. In addition, learn more about mitigation techniques and various firewalls types.
- [Instructor] Connecting to the public internet exposes a company to many different types of security threats. Now, there are several different ways for malicious hackers to attack a company network, which can range anywhere from a variety of malicious tools to human attacks involving social engineering. So I'd like to go through a quick overview here of some of the common network threats and talk about ways to maybe help prevent them. Now, there are three fairly common network related security threats I want to go over with you.
The first is a distributed denial-of-service attack, or simply DDoS. This is not an attack where someone is looking to come in and steal information, or even necessarily damage your systems. The idea here is that an attacker will put some form of malicious software on a large quantity of hosts, and these hosts can be inside your network or out on the internet. Then, all at once, these hosts, which will act as what are sometimes referred to as bots, will all be instructed to connect to a specific server on your network, a website would be a great example. They all connect to the website at once, and the idea is that the website just can't handle the quantity of incoming requests and then it goes down.
So the idea behind DDoS is typically just to take down a public-facing server. Next we have malware, which I'm going to tell you is a very generic term. It basically means any type of software that is designed to install other unwanted software, and again, it could be software that makes your system into a bot, like I was just talking about, to either spy on, attack or even damage your systems.
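To make the "too many requests at once" idea concrete, here is an added example (not from the video) of the kind of check a DDoS-aware appliance or log monitor performs: it buckets web-server requests into fixed time windows, flags a window whose request count exceeds the capacity the server is assumed to handle, and reports whether the load is spread over many source addresses, which is what makes the attack distributed and makes blocking a single address useless. The request records, the capacity figure and the thresholds are all constructed for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed sample of web-server request records as (timestamp_seconds, source_ip).
# A normal trickle from two clients for a minute, then 200 distinct hosts in
# the TEST-NET-2 documentation range all hitting the server within two seconds.
SAMPLE_REQUESTS = (
    [(t, "10.0.0.5") for t in range(0, 60, 10)]          # one client, every 10 s
    + [(t, "10.0.0.9") for t in range(5, 60, 15)]        # another, every 15 s
    + [(60, f"198.51.100.{i}") for i in range(1, 201)]   # 200 hosts at t=60
    + [(61, f"198.51.100.{i}") for i in range(1, 201)]   # and again at t=61
)


def requests_per_window(requests, window_seconds):
    """Bucket requests into fixed windows: {window_start: Counter(source_ip)}."""
    buckets = defaultdict(Counter)
    for ts, src in requests:
        window_start = (ts // window_seconds) * window_seconds
        buckets[window_start][src] += 1
    return buckets


def detect_flood(requests, window_seconds=10, capacity=50, min_sources=20):
    """Flag windows whose request volume exceeds what the server can serve.

    capacity    : requests per window the server comfortably handles (assumed figure).
    min_sources : a flood spread over at least this many source IPs is reported as
                  distributed, i.e. blocking one source will not relieve the server.
    Returns a list of (window_start, total_requests, distinct_sources, is_distributed).
    """
    alerts = []
    buckets = requests_per_window(requests, window_seconds)
    for start in sorted(buckets):
        counts = buckets[start]
        total = sum(counts.values())
        if total > capacity:
            alerts.append((start, total, len(counts), len(counts) >= min_sources))
    return alerts


if __name__ == "__main__":
    for start, total, sources, distributed in detect_flood(SAMPLE_REQUESTS):
        kind = "distributed" if distributed else "single-source"
        print(f"window {start}s: {total} requests from {sources} hosts ({kind} flood)")
```

The same function separates a volumetric attack from a single misbehaving client: a window with the same request count but only one source address is reported with `is_distributed` false, which points at rate-limiting or blocking that one address rather than at upstream scrubbing.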
Now, what are some of the types of malware that are out there? We have viruses, a common term we've talked about for many, many years. Viruses typically are installed by being part of an email attachment which a user downloads or installs, which can cause unwanted effects on your systems. We have worms, which are essentially the same thing as a virus, except that once one is on a network it has the ability to self-propagate to other systems. It does not need a user to propagate it on its way.
Then we have Trojan horses, a type of malware, or even a type of virus, where it will look like legitimate software, and in fact it may be legitimate software, but contained within that software, or inside that document or that file that you've installed, is actually a piece of malware, which then is released out onto your network. And then we have spyware which, just as it sounds, is typically meant to spy on or watch what's going on with your network, and in turn can sometimes trick your users into installing some of the other types of malware.
Next we have man-in-the-middle attacks, the third type of common network security threat, and the idea behind this is just as it sounds. You have two systems which are communicating, or picture two people having a conversation. But what if, while the two people are having that conversation, somebody else is able to be in the middle, grab hold of that communication and be aware of everything that's said? That's the simple man-in-the-middle, it's just somebody who's listening.
But the real severe type of man-in-the-middle is when that somebody takes the message and then alters it before sending it on to its recipient. So the communication that's going back and forth between the two legitimate parties is not necessarily the communication that they thought that they were supposed to be having. Now, for every method that a malicious hacker creates to attack a network, I want to tell you, there's always someone out there who's developing a method to block them, it's this endless game.
And it's important that you keep up with the game, every time there is some kind of potential threat that an attacker has, you have to have some form of mitigation technique. Now before I go into any specific, individual mitigation techniques, I want to tell you, one of the absolute best ways to prevent security threats from infecting your network is through user education. Just training your users on the right way to recognize and avoid the threats that are out there.
I cannot even begin to emphasize how much more useful a tool user education is than all the different actual mitigation software and technologies that are out there. To prove this, on my home computer, for many years, I refused to install any type of antivirus software, for instance, but yet my computer was virus free longer than most of my friends and family who all had antivirus software, because they all thought they were protected and they were counting on the antivirus software.
I, on the other hand, was educated and knew what to do to prevent that type of an attack. Now, that said, let's talk about some of the specific mitigation techniques that can be implemented. So when it comes to your distributed denial-of-service attacks, you have the ability to use DDoS-aware network appliances and services, which can recognize when this kind of attack is coming in and then mitigate against it. You also have the ability to use something called a host-based firewall, or antivirus software, to help prevent your clients from having the DDoS bot software installed onto them.
Now, along with the antivirus software, we also have a whole variety of anti-malware software that can be installed to help protect against malware installations. And when it comes to the man-in-the-middle attacks, the best way to protect yourself is by using secure, encrypted communications. If your communications are secure, then nobody can be in the middle to watch or intercept those communications. Now, firewalls can also play a major role in protecting your network from malicious attacks, regardless of where they come from.
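The part of "secure communications" that defeats the message-altering man-in-the-middle is message authentication, so here is an added example (not from the video) showing the receiver's check rather than the encryption itself: the sender attaches an HMAC tag computed with a shared key, and the receiver recomputes it and compares in constant time, so a message changed in transit is rejected. Real protocols such as TLS negotiate the key and combine this with encryption; here the key is a constructed value assumed to have been agreed in advance, and the two relay functions stand in for the two kinds of intermediary the video describes.

```python
import hashlib
import hmac

# Constructed shared secret for the demonstration. In practice the two parties
# derive it through a key exchange; it is never sent in the clear.
SHARED_KEY = b"demo-shared-secret-not-for-real-use"


def seal(key, message):
    """Sender side: return the message together with an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


def open_sealed(key, message, tag):
    """Receiver side: recompute the tag and compare it in constant time.

    Returns the message if it is authentic, or None if it was altered or the
    tag was produced without the shared key.
    """
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if hmac.compare_digest(expected, tag):
        return message
    return None


def relay_listening(message, tag):
    """Stands in for the intermediary that only listens: the pair is forwarded intact."""
    return message, tag


def relay_altering(message, tag):
    """Stands in for the intermediary that changes the payload before forwarding.

    Without the key it cannot produce a matching tag, so the old tag travels on.
    """
    return message.replace(b"1000", b"9000"), tag


if __name__ == "__main__":
    msg, tag = seal(SHARED_KEY, b"transfer 1000 to account 42")
    print("listening relay:", open_sealed(SHARED_KEY, *relay_listening(msg, tag)))
    print("altering relay :", open_sealed(SHARED_KEY, *relay_altering(msg, tag)))
```

Note what the check does and does not cover: the listening relay still reads the message, because integrity protection alone gives no confidentiality, which is why the encrypted channel the video recommends is needed on top of it.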
Now, these firewalls can be implemented on your clients, on your servers, they can be on your routers which are connecting two or more networks together, and you also have the ability to use multiple firewalls to create a perimeter network, or a protection network of sorts, to act as some form of a buffer between your internal network and the internet. Now, there are different kinds of firewalls available, and depending on where in the communication process they operate, they help protect against different levels of attacks.
So first we have our application layer gateways, which operate, just as it says in the name, at the application layer of the OSI model. Now, the application layer gateway acts as an endpoint for communications from internet-based clients to internal applications. The gateway will accept the connection, examine the network packet for malicious content, and then establish the connection to the internal application. Firewalls that understand applications can examine the actual contents of the application layer traffic and decide whether to accept that traffic based upon the contents of the packet.
And next we have a circuit level gateway, which operates at the session layer of the OSI model and monitors the datagrams between communicating hosts to verify that requested sessions are legitimate. Now, the circuit level gateway monitors the TCP handshaking process that is used to establish TCP sessions between hosts and determines whether the session is legitimate. Another name for circuit level gateways that might be more common, that you may have heard of, is a proxy server.
And what a proxy server can do is allow responses from the internet to requests made by internal clients while blocking unsolicited requests that come in from the internet. Also, the information that is passed from your network out to the internet appears to originate from the actual proxy server, not from the legitimate IP address of the internal client. So it's kind of a multi-protection we have there with those types of gateways.
And then we have packet filters. Now, this simply operates at the network layer of the OSI model. And I will tell you, it is frequently implemented in consumer markets as just simply part of the routers that are out there. So you have, like, a cable modem or a DSL router, and very often packet filtering is built right in. The idea is that the packet itself is filtered and compared with an action list to determine what to do with that packet, whether to allow or block it. We're going to talk about ports in just a moment, and ports play a big role in the packet filters.
And then we have stateful multi-layer inspection. Now basically the idea here is it combines the aspects of all the other three firewall types for helping provide a high level of security, and just as it says in the name, multi-layer, it operates at all the different layers of the OSI model, so it has the ability to kind of go through all the different aspects of these different types of gateways, and really give you a high level of protection.
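To show what "monitoring the TCP handshake" and "allowing responses to internal requests while blocking unsolicited requests" look like in practice, here is an added example (not from the video) of a minimal circuit-level gateway with stateful session tracking: a SYN from an internal client creates a session entry, the matching SYN-ACK from outside moves it to established, inbound packets that belong to no tracked session are dropped, and an RST closes the entry. The internal address range, the packet representation and the sample packets are constructed for the demonstration; a production stateful firewall also tracks sequence numbers, timeouts and the FIN close sequence, which are left out here.

```python
import ipaddress
from collections import namedtuple

# A TCP segment reduced to what the gateway needs. `flags` is a set of TCP flag names.
Packet = namedtuple("Packet", "src sport dst dport flags")

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


class CircuitGateway:
    """Admits only TCP sessions that an internal client opened itself."""

    def __init__(self):
        # (client_ip, client_port, server_ip, server_port) -> "SYN_SENT" | "ESTABLISHED"
        self.sessions = {}

    def handle(self, p):
        """Return 'allow' or 'drop' for one segment and update session state."""
        if is_internal(p.src) and not is_internal(p.dst):
            return self._outbound(p, (p.src, p.sport, p.dst, p.dport))
        if not is_internal(p.src) and is_internal(p.dst):
            # Inbound: the session key is written from the internal client's side.
            return self._inbound(p, (p.dst, p.dport, p.src, p.sport))
        return "drop"  # neither direction crosses the gateway as we model it

    def _outbound(self, p, key):
        if p.flags == {"SYN"}:
            self.sessions[key] = "SYN_SENT"  # internal client opens a session
            return "allow"
        if key not in self.sessions:
            return "drop"  # no handshake seen for this flow
        if "RST" in p.flags:
            del self.sessions[key]
        return "allow"

    def _inbound(self, p, key):
        state = self.sessions.get(key)
        if state is None:
            return "drop"  # unsolicited, including any SYN from the internet
        if state == "SYN_SENT":
            if p.flags == {"SYN", "ACK"}:
                self.sessions[key] = "ESTABLISHED"
                return "allow"
            return "drop"  # anything but the expected handshake reply
        if "RST" in p.flags:
            del self.sessions[key]
        return "allow"

    def run(self, packets):
        """Convenience wrapper: verdict for each packet, in order."""
        return [self.handle(p) for p in packets]


# Constructed trace: a legitimate outbound HTTPS session, then an unsolicited
# inbound SSH attempt, then a segment that matches no open session.
SAMPLE_TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, {"SYN"}),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, {"SYN", "ACK"}),
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, {"ACK"}),
    Packet("198.51.100.7", 5555, "10.0.0.5", 22, {"SYN"}),
    Packet("198.51.100.7", 5555, "10.0.0.5", 40000, {"ACK"}),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, CircuitGateway().run(SAMPLE_TRACE)):
        print(verdict, pkt)
```

The last two trace entries show the two cases the video's proxy description cares about: a fresh connection attempt from the internet is dropped because no internal client asked for it, and a segment that merely reuses the internal client's port number is also dropped because the session table is keyed on all four addresses and ports, not on the port alone.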
Firewalls examine the TCP/IP traffic that's flowing through them to match the traffic to the firewall rules, as they're called. Now, many firewalls use something called the 5-tuple for matching. The 5-tuple, meaning the five things, means it looks at the IP addresses and the port numbers for both the sender and the receiver. So if you picture each sender and receiver having an IP address and a port, that's two items of the five for the sender, two items for the receiver, that's four, and then the protocol that's being used is the fifth part of the 5-tuple.
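As an added example (not from the video), this is what 5-tuple rule matching looks like when written out: each rule names a source and destination (an address, a CIDR block or `any`), a protocol, a source and destination port (a number, an inclusive range or `any`) and an action, and the first matching rule in the list wins, with an explicit default deny when nothing matches. The rule set, the internal addresses and the sample flows are constructed; the port numbers are the well-known ones the video lists (80, 443, 22, 23, 53).

```python
import ipaddress
from collections import namedtuple

ANY = "any"
Rule = namedtuple("Rule", "src dst proto sport dport action")
Flow = namedtuple("Flow", "src dst proto sport dport")


def _ip_match(pattern, ip):
    """`any`, a single address or a CIDR block."""
    return pattern == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def _port_match(pattern, port):
    """`any`, a single port or an inclusive (low, high) range."""
    if pattern == ANY:
        return True
    if isinstance(pattern, tuple):
        low, high = pattern
        return low <= port <= high
    return pattern == port


def matches(rule, flow):
    """True when every element of the flow's 5-tuple satisfies the rule."""
    return (
        _ip_match(rule.src, flow.src)
        and _ip_match(rule.dst, flow.dst)
        and (rule.proto == ANY or rule.proto == flow.proto)
        and _port_match(rule.sport, flow.sport)
        and _port_match(rule.dport, flow.dport)
    )


def decide(rules, flow, default="deny"):
    """First-match evaluation: returns (action, index of the matching rule or None)."""
    for index, rule in enumerate(rules):
        if matches(rule, flow):
            return rule.action, index
    return default, None


# Constructed rule set for traffic arriving at a small internal network (10.0.0.0/24):
# public web on 10.0.0.10, DNS on 10.0.0.53, SSH only from an admin subnet,
# Telnet refused outright, everything else falls through to the default deny.
RULES = [
    Rule(ANY, "10.0.0.10", "tcp", ANY, 443, "allow"),             # HTTPS
    Rule(ANY, "10.0.0.10", "tcp", ANY, 80, "allow"),              # HTTP
    Rule("10.0.1.0/24", "10.0.0.0/24", "tcp", ANY, 22, "allow"),  # SSH from admin net
    Rule(ANY, ANY, "tcp", ANY, 23, "deny"),                       # Telnet, explicit
    Rule(ANY, "10.0.0.53", "udp", ANY, 53, "allow"),              # DNS queries
    Rule(ANY, "10.0.0.53", "udp", ANY, (1024, 65535), "allow"),   # constructed range example
]

if __name__ == "__main__":
    for flow in [
        Flow("198.51.100.7", "10.0.0.10", "tcp", 51515, 443),
        Flow("198.51.100.7", "10.0.0.10", "tcp", 51515, 22),
        Flow("10.0.1.4", "10.0.0.10", "tcp", 51515, 22),
    ]:
        print(decide(RULES, flow), flow)
```

The returned rule index is the piece a practitioner wants when a flow is blocked unexpectedly: with first-match semantics, a broad rule placed early shadows every more specific rule after it, so knowing which rule fired is the first step in debugging a rule set.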
Now, here I have a table of some of the most common well-known ports used in typical TCP/IP communication. You should keep in mind that a well-known port can be any port between 0 and 1,023, and you want to be as familiar with as many ports as possible. So, again, I have some of the basics here, things like HTTP, just your web traffic, on port 80, or if it's HTTPS, or SSL, or secure web traffic, that would be 443.
Your file transfers over FTP are ports 20 and 21. Your name resolution traffic through DNS is port 53. When it comes to email you have SMTP, which is port 25, POP3, which is 110, and IMAP, which is 143. SMTP is typically looked at as your outgoing mail, and POP3 and IMAP have to do with your incoming mail. I will tell you that they also have secure ports associated with them that you should be familiar with. You have Telnet, which has to do with remote login, on port 23, and then, of course, SSH, which is the secure remote login, on port 22.
Now I want to reemphasize, this is not an all-inclusive list here, there are many more ports out there that you should be familiar with. So you want to know what protocols are working on your network, and then know what the ports are, so that you can have your firewalls be aware of those ports and of what traffic should and shouldn't be coming into your network. So now that you understand the basics of network-related threats, you should be able to begin protecting your networks from some of these malicious attacks.
But one thing I want you to remember and always keep in mind, this is a moving target, and you need to be prepared to move with it.