Recognizing Security Threats
You see, it all comes down to planning, or rather a lack of it. The vital tool the Internet has become was simply not foreseen by those who brought it into being. That is a big reason security is such an issue today: most IP implementations are innately insecure. No worries, though. Cisco can help us with this. But first, let's examine some common attack profiles:
Application-layer attacks
Autorooters
Backdoors
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
    TCP SYN flood
    "Ping of Death" attacks
    Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K)
    Stacheldraht
IP spoofing
Man-in-the-middle attacks
Network reconnaissance
Packet sniffers
Password attacks
    Brute-force attack
Port redirection attacks
Trojan horse attacks and viruses
Trust exploitation attacks
DoS detection and prevention
    This feature checks packet headers and drops any packets it finds suspicious.
Dynamic port mapping
    This lets the firewall support its recognized applications when they run on nonstandard ports.
Java applet blocking
    This protects you from unrecognized Java applets.
You can use standard, extended, and even dynamic ACLs (such as lock-and-key traffic filtering) with Cisco IOS Firewall. You get to apply access controls to any network segment you want, and you can specify exactly which traffic is allowed to pass through each segment.
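The following IOS configuration is an added example (it is not from the original text or from Cisco) showing all three ACL types the paragraph names on one router: a standard ACL used as an ingress filter on the inside interface, an extended ACL on the outside interface, and a lock-and-key dynamic entry inside that extended ACL. Interface names, the addresses (RFC 5737 and RFC 1918 ranges), the user name and the ACL names are assumptions.

```cisco
! Added example, not part of the original text. Interface names, addresses,
! user name and ACL names are assumptions.
!
! Standard ACL on the inside interface: accept only packets whose source is in
! the inside subnet, so spoofed sources are dropped before they leave the LAN.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 10.1.1.1 255.255.255.0
 ip access-group 10 in
!
! Extended ACL on the outside interface, including a lock-and-key dynamic entry.
! The first two lines are static: replies to inside-initiated TCP sessions and
! mail to the server. Telnet to the router itself must be permitted so a user
! can authenticate. The "dynamic" entry stays inactive until a user logs in on
! a VTY line; access-enable then opens a temporary entry for that user's source
! address (idle timeout 10 minutes, absolute timeout 60 minutes).
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 198.51.100.10 eq smtp
access-list 101 permit tcp any host 198.51.100.1 eq telnet
access-list 101 dynamic REMOTE-ADMIN timeout 60 permit ip any 10.1.1.0 0.0.0.255
access-list 101 deny   ip any any log
!
username remoteadmin secret EXAMPLE-CHANGE-ME
!
line vty 0 4
 login local
 autocommand access-enable host timeout 10
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 198.51.100.1 255.255.255.0
 ip access-group 101 in
```

Check the result with show access-lists: the dynamic entry is listed with no temporary entries until a user has logged in, after which a host-specific entry appears and disappears again when the idle or absolute timer expires. The deny ... log line at the end of each list is what makes dropped packets visible in the router's logging buffer or syslog, which is where a SYN flood or port scan against the outside address first shows up.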
Policy-based, multi-interface support
    This allows you to control user access by IP address and interface, depending on your security policy.
Network Address Translation (NAT)
    This conceals the internal network from the outside, which increases security.
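As an added example of the NAT feature just described (not from the original text or from Cisco), the configuration below translates every inside host to the single address of the outside interface (NAT overload, also called PAT). The interface names, the inside subnet (RFC 1918) and the outside address (RFC 5737) are assumptions.

```cisco
! Added example, not part of the original text. Interface names and addresses
! are assumptions.
!
! Which inside sources are eligible for translation
ip access-list standard NAT-INSIDE
 permit 10.1.1.0 0.0.0.255
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
! Overload: all inside hosts share the outside interface address, distinguished
! by source port, so the 10.1.1.0/24 addressing never appears on the outside.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
```

show ip nat translations lists the active inside-to-outside mappings. The security gain is that an unsolicited packet arriving from outside matches no translation entry and is dropped, and the internal addressing plan stays hidden; NAT inspects nothing above the address and port, so it complements, rather than replaces, the ACLs and inspection features.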
Time-based access lists
    This applies security policies based on the time of day and the day of the week.
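Below is an added example (not from the original text or from Cisco) of a time-based access list: web browsing from the inside subnet is permitted only during a named time range, while DNS and mail are permitted at any time. The time-range and ACL names, the subnet, the server addresses, the NTP server and the interface are assumptions.

```cisco
! Added example, not part of the original text. Names, addresses and interface
! are assumptions.
!
! Time-based entries are evaluated against the router clock, so keep it
! synchronized; otherwise the policy opens and closes at the wrong times.
ntp server 192.0.2.123
!
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
ip access-list extended INSIDE-OUT
 remark Web browsing from the LAN only during business hours
 permit tcp 10.1.1.0 0.0.0.255 any eq www time-range BUSINESS-HOURS
 permit tcp 10.1.1.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 remark DNS and outbound mail at any time
 permit udp 10.1.1.0 0.0.0.255 host 192.0.2.53 eq domain
 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.25 eq smtp
 deny   ip any any log
!
interface GigabitEthernet0/1
 description INSIDE
 ip access-group INSIDE-OUT in
```

show time-range reports each range as active or inactive at the moment you run it, and show access-lists shows the time-referenced entries as (active) or (inactive) accordingly, which is the quickest way to confirm the clock and the policy agree.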
Peer router authentication
    This guarantees that routers are getting dependable routing information from actual, trusted sources. (For this to work, you need a routing protocol that supports authentication, such as RIPv2, EIGRP, or OSPF.)
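The configuration below is an added example (not from the original text or from Cisco) of neighbour authentication for each of the three protocols the paragraph names. The key chain name, the key string, the OSPF process id, the EIGRP autonomous system number and the interface names are assumptions; the key string must be identical on both routers of each adjacency.

```cisco
! Added example, not part of the original text. Key chain name, key string,
! process/AS numbers and interface names are assumptions.
!
! One key chain serves both EIGRP and RIPv2; OSPF keys are set per interface.
key chain ROUTING-KEYS
 key 1
  key-string EXAMPLE-CHANGE-ME
!
! OSPF process 1: MD5 authentication required on every interface in area 0
router ospf 1
 area 0 authentication message-digest
!
interface GigabitEthernet0/2
 ip ospf message-digest-key 1 md5 EXAMPLE-CHANGE-ME
!
! EIGRP AS 100: MD5 using the key chain
interface GigabitEthernet0/3
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 ROUTING-KEYS
!
! RIPv2: MD5 using the same key chain (the default mode sends the key in the
! clear, which defeats the purpose)
router rip
 version 2
!
interface GigabitEthernet0/4
 ip rip authentication mode md5
 ip rip authentication key-chain ROUTING-KEYS
```

A router whose key does not match never forms the adjacency, so show ip ospf neighbor, show ip eigrp neighbors and show ip rip database (or debug output for the protocol) are where a mismatch, or an unauthorized router trying to inject routes, becomes visible. Each router still trusts whatever a correctly keyed peer advertises, so the shared key must be guarded like any other credential.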