N10-007 Given a scenario, troubleshoot and resolve common security issues

Misconfigured firewall

A misconfigured firewall can cause WSD applications to fail. This topic provides some troubleshooting procedures to use when WSD clients and hosts cannot see each other on the network. The firewall settings should be inspected before using any other application troubleshooting procedure.

To inspect the adapter and firewall settings

1. Verify that the Network Discovery exception is enabled.

2. Check that there are no application-specific firewall rules blocking the application.

3. Explicitly enable the ports used for discovery and metadata exchange.

4. Disable the firewall and retest the application.

Note: The firewall should be re-enabled after completing this step.

Verifying that the Network Discovery exception is enabled

If any WS-Discovery applications are running, the Network Discovery firewall exception must be allowed.

To enable the Network Discovery firewall exception

1. Click Start, click Run, and then type firewall.cpl. This opens the Windows Firewall Control Panel applet.

2. Choose Allow a program through Windows Firewall.

3. On the Exceptions tab, select the Network Discovery check box.

4. Click OK to close the firewall applet.

Retest the program after making this firewall change. If the program now works successfully, the cause of the problem has been identified and no further troubleshooting steps are necessary. Otherwise, move on to the next step.

Misconfigured ACLs/applications

The first packet that the client sends to create a connection must be permitted by both the incoming access list on the interface on which it arrives and the outgoing access list on the interface through which it leaves. CBAC opens channels for the packets only after the conversation initiation packet. If either access list denies the conversation initiation, CBAC does not create a conversation, and therefore won’t create the temporary access list entries that permit the return traffic. The packets will be dropped. You can find out whether the initiation packet is denied by an ACL with the debug ip packet detail ACL command. The ACL in this command defines the source and destination addresses and ports of the initiation traffic. The goal is to see whether this initiation is being denied because of a misconfigured ACL, NAT, or routing problem.
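The following is an added example, not Cisco IOS code: a small Python model of the behaviour described above. It evaluates a constructed conversation-initiation packet against a simplified inbound and outbound access list (first match wins, implicit deny at the end), creates a temporary return-path entry only when both lists permit the packet, and reports which list dropped it, which is what the debug ip packet detail output is used to discover. Addresses, ACL entries and class names are constructed for the illustration.

```python
"""Toy model of how CBAC treats a connection-initiation packet.

Added illustration, not Cisco IOS code: the ACL entries, the first-match
evaluation and the addresses are a simplified, constructed stand-in for a
router's inbound and outbound access lists.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One access-list entry; dport=None matches any destination port."""
    action: str                  # "permit" or "deny"
    src: str                     # CIDR prefix for the source
    dst: str                     # CIDR prefix for the destination
    dport: Optional[int] = None
    proto: str = "ip"            # "ip" matches any protocol

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry decides; an IOS-style ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


class Cbac:
    """Stateful inspection: temporary return-path entries exist only for
    conversations whose first packet passed both static ACLs."""

    def __init__(self, inbound_acl: List[Ace], outbound_acl: List[Ace]):
        self.inbound = inbound_acl      # applied where the packet arrives
        self.outbound = outbound_acl    # applied where the packet leaves
        self.sessions: Set[Tuple[str, str, int, int, str]] = set()

    def initiate(self, pkt: Packet) -> str:
        """Evaluate the initiation packet and say which list, if any, drops it."""
        if not acl_permits(self.inbound, pkt):
            return "denied by inbound ACL"
        if not acl_permits(self.outbound, pkt):
            return "denied by outbound ACL"
        # Both lists permit it: record the conversation so the reply can come back.
        self.sessions.add((pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto))
        return "permitted"

    def return_traffic(self, pkt: Packet) -> str:
        """A reply is allowed only if it matches a conversation CBAC opened."""
        key = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        return "permitted" if key in self.sessions else "dropped (no CBAC session)"


def demo() -> dict:
    """Constructed scenario: HTTP is allowed end to end; HTTPS to 203.0.113.0/24
    is denied by the outbound list, so its reply never gets a return entry."""
    inside_in = [
        Ace("permit", "10.1.1.0/24", "0.0.0.0/0", 80, "tcp"),
        Ace("permit", "10.1.1.0/24", "0.0.0.0/0", 443, "tcp"),
    ]
    outside_out = [
        Ace("deny", "0.0.0.0/0", "203.0.113.0/24", 443, "tcp"),
        Ace("permit", "0.0.0.0/0", "0.0.0.0/0"),
    ]
    fw = Cbac(inside_in, outside_out)
    http = Packet("10.1.1.5", "203.0.113.10", 51000, 80)
    https = Packet("10.1.1.5", "203.0.113.10", 51001, 443)
    return {
        "http_init": fw.initiate(http),
        "http_reply": fw.return_traffic(Packet("203.0.113.10", "10.1.1.5", 80, 51000)),
        "https_init": fw.initiate(https),
        "https_reply": fw.return_traffic(Packet("203.0.113.10", "10.1.1.5", 443, 51001)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Running the block shows the HTTPS reply being dropped even though nothing in either static list mentions the reply itself: the return entry was never created because the initiation was denied on the outbound list.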

Malware

Malicious software, or malware, is a serious problem in today’s computing environments. Malware is often assumed to consist of viruses. Although viruses are a large part of it, many other forms of malware are by definition not viruses, but are equally undesirable.

Malware encompasses many different types of malicious software:

  • Viruses: Software programs or code loaded onto a computer without the user’s knowledge. After it is loaded, the virus performs some form of undesirable action on the computer.
  • Macro viruses: Although they are still a form of virus, macro viruses are specifically designed to damage office or text documents.
  • Worms: Worms are a nasty form of software that automatically and silently propagate without modifying software or alerting the user. After they are inside a system, they can carry out their intended harm, whether it is to damage data or relay sensitive information.
  • Trojan horses: Trojan horses appear as helpful or harmless programs but when installed carry and deliver a malicious payload. A Trojan horse virus might, for example, appear to be a harmless or free online game but when activated is actually malware.
  • Spyware: Spyware covertly gathers system information through the user’s Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications typically are bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet.

Denial of service

A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. In a distributed denial-of-service (DDoS) attack, large numbers of compromised systems (sometimes called a botnet) attack a single target.

Although a DoS attack does not usually result in the theft of information or other security loss, it can cost the target person or company a great deal of time and money. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available, or the temporary loss of all network connectivity and services. A denial of service attack can also destroy programming and files in affected computer systems. In some cases, DoS attacks have forced Web sites accessed by millions of people to temporarily cease operation.

ICMP related issues

Routers, intermediary devices, and hosts use ICMP messages to communicate updates or error information to other routers, intermediary devices, or hosts.

Each ICMP message contains three fields that define its purpose and provide a checksum. They are TYPE, CODE, and CHECKSUM fields. The TYPE field identifies the ICMP message, the CODE field provides further information about the associated TYPE field, and the CHECKSUM provides a method for determining the integrity of the message.

The TYPES defined are:

TYPE  Description
----  ------------------------------------
0     Echo Reply
3     Destination Unreachable
4     Source Quench
5     Redirect Message
8     Echo Request
11    Time Exceeded
12    Parameter Problem
13    Timestamp Request
14    Timestamp Reply
15    Information Request (No Longer Used)
16    Information Reply (No Longer Used)
17    Address Mask Request
18    Address Mask Reply

Echo Request & Echo Reply

This is the ICMP message most commonly used to test IP connectivity, better known as PING. The Echo Request ICMP will have a Type field of 8 and a Code field of 0. Echo Replies have a Type field of 0 and a Code field of 0.

Destination Unreachable

When a packet is undeliverable, a Destination Unreachable, Type 3, ICMP is generated. Type 3 ICMPs can have a Code value of 0 to 15:

Type 3 Code Value  Description
-----------------  -------------------------------------------------------------
0                  Network Unreachable
1                  Host Unreachable
2                  Protocol Unreachable
3                  Port Unreachable
4                  Fragmentation needed and DF (Don’t Fragment) set
5                  Source route failed
6                  Destination Network unknown
7                  Destination Host unknown
8                  Source Host isolated
9                  Communication with Destination Network Administratively Prohibited
10                 Communication with Destination Host Administratively Prohibited
11                 Network Unreachable for Type Of Service
12                 Host Unreachable for Type Of Service
13                 Communication Administratively Prohibited by Filtering
14                 Host Precedence Violation
15                 Precedence Cutoff in Effect

Source Quench

An ICMP Source Quench message has a Type field of 4 and Code 0. Source Quench messages are sent when the destination is unable to process traffic as fast as the source is sending it. The Source Quench ICMP tells the source to cut back the rate at which it is sending data. The destination will continue to generate Source Quench ICMPs until the source is sending at an acceptable speed.

Redirect Message

An intermediary device will generate an ICMP Redirect Message when it determines that a route being requested can be reached either locally or through a better path.

Time Exceeded

If a router or host discards a packet due to a time-out, it will generate a Time Exceeded Type 11 ICMP. The Time Exceeded ICMP will have a Code value of either 0 or 1. A Code 0 is generated when the hop count of a datagram is exceeded and the packet is discarded. A Code 1 is generated when the reassembly of a fragmented packet exceeds the time-out value.

Parameter Problem

When an intermediary device or host discards a datagram because it is unable to process it, a Type 12 ICMP message is generated. Common causes of this ICMP are corrupt header information or missing options. If the reason for the ICMP is a required option that is missing, the ICMP will have a Code value of 1. If the Code value is 0, the Pointer field will contain the octet of the discarded datagram’s header where the error was detected.

Timestamp Request & Timestamp Reply

Timestamp Request and Timestamp Reply are a rudimentary method for synchronizing the time maintained on different devices. The Request has a Type field of 13 and the Reply is Type 14. This method for time synchronization is crude and unreliable. Therefore, it is not heavily used.

Information Request & Information Reply

These ICMP types were originally designed to allow a booting host to discover an IP address. This method is obsolete and is no longer used. Most common methods for IP address discovery are BOOTP (bootstrap protocol) and DHCP (dynamic host configuration protocol). BOOTP is defined by RFC1542, and DHCP is defined by RFC1541.

Address Mask Request & Address Mask Reply

A booting computer uses the ICMP Type 17 Address Mask Request to determine the subnet mask in use on the local network. An intermediary device, or a computer acting as an intermediary device, will reply with a Type 18 ICMP Address Mask Reply.
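The following is an added example, not code from the study guide: a Python parser for the three-field ICMP header described above (TYPE, CODE, CHECKSUM). It builds a few messages of the types listed in the tables, verifies the RFC 1071 ones’-complement checksum (summing the whole message including the checksum field must give zero), and decodes the Type 3, 11 and 12 Code values, including the Pointer octet of a Code 0 Parameter Problem. The byte strings are constructed here; the type and code names come from the tables on this page.

```python
"""Parse and checksum-verify ICMP messages of the types discussed above.

Added example, not code from the study guide: the byte strings are built
here, and the type/code names are taken from the tables on this page.
"""
import struct

ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect Message", 8: "Echo Request", 11: "Time Exceeded",
    12: "Parameter Problem", 13: "Timestamp Request", 14: "Timestamp Reply",
    15: "Information Request (No Longer Used)",
    16: "Information Reply (No Longer Used)",
    17: "Address Mask Request", 18: "Address Mask Reply",
}

UNREACHABLE_CODES = {
    0: "Network Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation needed and DF set",
    5: "Source route failed", 6: "Destination Network unknown",
    7: "Destination Host unknown", 8: "Source Host isolated",
    9: "Communication with Destination Network Administratively Prohibited",
    10: "Communication with Destination Host Administratively Prohibited",
    11: "Network Unreachable for Type Of Service",
    12: "Host Unreachable for Type Of Service",
    13: "Communication Administratively Prohibited by Filtering",
    14: "Host Precedence Violation", 15: "Precedence Cutoff in Effect",
}

TIME_EXCEEDED_CODES = {0: "Hop count exceeded in transit",
                       1: "Fragment reassembly time exceeded"}
PARAMETER_PROBLEM_CODES = {0: "Error at octet given by Pointer field",
                           1: "Missing a required option"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; an odd trailing
    byte is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Assemble TYPE | CODE | CHECKSUM | rest-of-header | payload with a valid checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload


def parse_icmp(data: bytes) -> dict:
    """Decode the three header fields and describe the message; checksum_ok
    is True when the ones'-complement sum of the whole message is zero."""
    if len(data) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, checksum = struct.unpack("!BBH", data[:4])
    info = {
        "type": icmp_type,
        "code": code,
        "checksum": checksum,
        "checksum_ok": icmp_checksum(data) == 0,
        "type_name": ICMP_TYPES.get(icmp_type, "Unknown/unassigned"),
    }
    if icmp_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "Unknown code")
    elif icmp_type == 11:
        info["code_name"] = TIME_EXCEEDED_CODES.get(code, "Unknown code")
    elif icmp_type == 12:
        info["code_name"] = PARAMETER_PROBLEM_CODES.get(code, "Unknown code")
        if code == 0:
            info["pointer"] = data[4]        # octet offset of the bad header field
    else:
        info["code_name"] = f"Code {code}"
    return info


if __name__ == "__main__":
    samples = [
        build_icmp(8, 0, b"\x12\x34\x00\x01", b"abcd"),   # ping request, id/seq + data
        build_icmp(3, 3),                                  # port unreachable
        build_icmp(12, 0, b"\x14\x00\x00\x00"),            # parameter problem, pointer 20
    ]
    for s in samples:
        print(parse_icmp(s))
```

A message whose checksum does not verify should be treated as corrupt rather than acted on; the parser flags it instead of raising, so a capture containing damaged packets can still be walked end to end.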

Unpatched firmware/OSs

Network protection can be enhanced with some simple techniques. Application firewalls are usually better protection for database servers or web servers than are other types of firewalls. Application firewalls, in addition to packet filtering, filter specific application- related content. For example, a web server might use an application firewall to filter common SQL injection attacks.

It is just as important to make sure firmware updates are applied. Firmware version control is closely related to updating the firmware. You need to be sure that each device is using the appropriate version of firmware. You may even need to manually update devices with critical updates. Certain viruses specifically target the firmware in routers and switches. This risk is mitigated by firmware version control.

Malicious users

A packet sniffer is a utility that has been used since the original release of Ethernet. Packet sniffing allows individuals to capture data as it is transmitted over a network. Packet sniffer programs are commonly used by network professionals to help diagnose network issues and are also used by malicious users to capture unencrypted data like passwords and usernames in network traffic. Once this information is captured, the user can then gain access to the system or network.

If you want to keep information confidential or are concerned about packet sniffing, it is advised that you use encrypted protocols and encrypt all sensitive data, such as e-mails, being sent over the Internet or network. A good encryption program is PGP; users who are using Telnet should consider using SSH instead.

Authentication issues

TACACS/RADIUS misconfigurations

The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches use the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) protocols to provide solutions using remote AAA servers.

Verifying RADIUS Configuration Using Fabric Manager

To verify or change the RADIUS configuration using Fabric Manager, follow these steps:

1. Choose Switches > Security > AAA > RADIUS and select the Servers tab. You see the RADIUS configuration in the Information pane.

2. Highlight the server that you need to change and click Delete Row to delete this server configuration.

3. Click Create Row to add a new RADIUS server.

4. Set the KeyType and Key fields to the preshared key configured on the RADIUS server.

5. Set the AuthPort and AcctPort fields to the authentication and accounting ports configured on the RADIUS server.

6. Set the TimeOut value and click Apply to save these changes.

7. Click the CFS tab and select commit from the Config Action drop-down menu and click Apply Changes to distribute these changes to all switches in the fabric.

Verifying TACACS Configuration Using Fabric Manager

To verify or change the TACACS configuration using Fabric Manager, follow these steps:

1. Choose Switches > Security > AAA > TACACS and click the Servers tab. You see the TACACS configuration in the Information panel.

2. Highlight the server that you need to change and click Delete Row to delete this server configuration.

3. Click Create Row to add a new TACACS server.

4. Set the KeyType and Key fields to the preshared key configured on the TACACS server.

5. Set the AuthPort and AcctPort fields to the authentication and accounting ports configured on the TACACS server.

6. Set the TimeOut value and click Apply to save these changes.

7. Click the CFS tab and select commit from the Config Action drop-down menu and click Apply Changes to distribute these changes to all switches in the fabric.

Improper access/backdoor access

A back door is a means of access to a computer program that bypasses security mechanisms. A programmer may sometimes install a back door so that the program can be accessed for troubleshooting or other purposes. However, attackers often use back doors that they detect or install themselves, as part of an exploit. In some cases, a worm is designed to take advantage of a back door created by an earlier attack. For example, Nimda gained entrance through a back door left by Code Red.

Whether installed as an administrative tool or a means of attack, a back door is a security risk, because there are always crackers out there looking for any vulnerability to exploit. In her article “Who gets your trust?” security consultant Carole Fennelly uses an analogy to illustrate the situation: “Think of approaching a building with an elaborate security system that does bio scans, background checks, the works. Someone who doesn’t have time to go through all that might just rig up a back exit so they can step out for a smoke — and then hope no one finds out about it.”

ARP issues

Address Resolution Protocol, or ARP, is a way for computers to communicate with each other over a network. This telecommunications protocol takes a network, or layer 3, address and associates it with a MAC, or layer 2, address. A computer on a network has one layer 2 address for each LAN connection, while it is possible to have multiple layer 3 addresses. Data at layer 3 are addressed to a host, while at layer 2 it is addressed to a hop. These MAC addresses are assigned by the manufacturer and are stored on the network interface card and this sometimes causes problems. Here are some of the most common ones you find with this system.

Rogue Hosts

An ARP request that is sent out with a legitimate host’s IP address sometimes uses a MAC address improperly. If the MAC address is used as a multicast address as opposed to a unicast or broadcast address, ARP host caches are updated and no longer function properly. The result is that some users lose access to the server.

Wrong Address

If the ARP request returns a wrong address error, network traffic is adversely affected. This is a problem with the router returning the wrong MAC address to the sending host. The solution is to resolve the MAC address assigned to the device by the manufacturer, allowing the traffic to be sent to a valid MAC address.

Banner grabbing/OUI

As the name implies, banner grabbing looks at the banner, or header information messages sent with data, to find out about the system(s). Banners often identify the host, the operating system running on it, and other information that can be useful to anyone who later attempts to breach its security. Banners can be grabbed with Telnet as well as with tools like netcat or Nmap.
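The following is an added example, not code from the study guide, covering the two ARP symptoms described above (a sender MAC with the multicast bit set, and an IP address whose MAC mapping changes) and the OUI half of this heading. It splits a MAC address into its 24-bit OUI and the two flag bits of the first octet, and runs a small ARP watcher over a constructed list of observed replies. No vendor database is embedded, so the OUI is extracted but not resolved to a manufacturer name; the IP and MAC values are constructed.

```python
"""Watch ARP replies for a multicast sender MAC and for IP-to-MAC changes,
and split a MAC into its OUI and flag bits.

Added example, not code from the study guide: the observations below are a
constructed list of (ip, mac) pairs using documentation addresses.
"""
from typing import Dict, List


def mac_flags(mac: str) -> dict:
    """Split a MAC into its OUI and the two flag bits of the first octet:
    bit 0 = group (multicast) address, bit 1 = locally administered."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return {
        "oui": "%02X-%02X-%02X" % tuple(octets[:3]),
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
    }


class ArpWatch:
    """Keeps the IP-to-MAC mappings seen so far and reports anomalies."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, ip: str, mac: str) -> List[str]:
        alerts: List[str] = []
        flags = mac_flags(mac)
        if flags["multicast"]:
            # A sender MAC with the group bit set corrupts neighbours' ARP caches.
            alerts.append(f"{ip}: sender MAC {mac} has the multicast bit set")
        known = self.table.get(ip)
        if known is not None and known.lower() != mac.lower():
            # The same IP now answers with a different MAC: wrong-address or spoofed reply.
            alerts.append(f"{ip}: MAC changed from {known} to {mac}")
        self.table[ip] = mac
        return alerts


# Constructed ARP reply observations (documentation addresses, sample MACs).
SAMPLE_REPLIES = [
    ("192.0.2.10", "00:1b:21:aa:bb:cc"),
    ("192.0.2.1", "00:50:56:11:22:33"),
    ("192.0.2.10", "01:00:5e:00:00:fb"),   # group bit set in the first octet
    ("192.0.2.1", "de:ad:be:ef:00:01"),    # gateway IP now claims a new MAC
]


def run_watch(replies=SAMPLE_REPLIES) -> List[str]:
    """Feed every observation through one ArpWatch and collect the alerts."""
    watch = ArpWatch()
    alerts: List[str] = []
    for ip, mac in replies:
        alerts.extend(watch.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for line in run_watch():
        print(line)
```

The third observation raises two alerts at once (multicast bit and changed mapping), which is the pattern the Rogue Hosts paragraph describes; the fourth raises only the change alert, matching the Wrong Address case.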

Domain/local group configurations

Group Policy is a powerful tool for controlling the configuration of desktops and servers on an Active Directory network, but Group Policy’s lesser cousin, Local Group Policy, can also be useful to know about. In a domain environment, Group Policy objects (GPOs) can be linked to domain, organizational unit (OU), and site containers to control hundreds of settings for users and computers in these containers. GPOs are processed according to a simple inheritance rule: site GPOs first, and then domain GPOs, followed by OU GPOs starting from top-level OUs on down. This rule, however, can be modified in complex ways using features like No Override, Block Inheritance, Loopback, Security Filtering, and WMI filters. The result can be so complex that Microsoft has created an additional tool, Resultant Set of Policy (RSoP), to help you figure out how dozens of GPOs might be processed in a given situation.

Local Group Policy Objects (LGPOs), on the other hand, are much simpler, because there is exactly one LGPO on each Windows 2000 or later computer on your network. In an Active Directory environment, LGPOs have the lowest precedence and are always processed first if they have been configured, and so the result is that LGPO settings are usually overwritten by GPOs linked to domains, sites, or OUs. As a result, you usually won’t need to configure LGPOs unless you have stand-alone computers that belong to a workgroup. Another scenario in which LGPOs might need to be configured would be kiosk machines configured in a stand-alone environment for public users to access.

While neither of those two scenarios is common in enterprise environments, one place where LGPOs can be important in the enterprise is for bastion hosts residing on a perimeter network (demilitarized zone or DMZ) where your firewall protects your internal private network from the external public internet. In such a case, you can lock down your public web server, for example, by importing a security template into the LGPO on your web server and configuring other LGPO settings to harden your web server as necessary.
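The following is an added example, not Microsoft tooling (RSoP is the real tool for this): a Python model of the processing order described above, LGPO first, then site, domain and OU GPOs from the top of the OU tree down, with later GPOs overwriting earlier ones, plus the two modifiers the text names, No Override (enforced) and Block Inheritance. It then resolves the settings for a web server OU that blocks inheritance, for its parent OU, and for a stand-alone machine that only has its LGPO. Assumptions: within one container the GPOs are listed lowest-precedence first; Loopback, Security Filtering and WMI filters are not modelled; all GPO, OU and setting names are made up.

```python
"""Model of Group Policy precedence: LGPO, then site, domain and OUs top-down,
later wins; No Override (enforced) GPOs win regardless, and Block Inheritance
discards non-enforced GPOs linked above the blocking container.

Added example, not Microsoft tooling. Assumption: GPOs in one container are
listed lowest-precedence first. Names and settings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, str]
    enforced: bool = False          # "No Override"


@dataclass
class Container:
    name: str
    gpos: List[Gpo] = field(default_factory=list)
    block_inheritance: bool = False


def resolve(lgpo: Gpo, site: Container, domain: Container,
            ou_path: List[Container], domain_joined: bool = True
            ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (effective settings, winning GPO name per setting)."""
    chain = [site, domain] + ou_path if domain_joined else []
    # The deepest container with Block Inheritance discards every non-enforced
    # GPO linked above it; its own links still apply.
    block_at: Optional[int] = None
    for i, c in enumerate(chain):
        if c.block_inheritance:
            block_at = i
    ordinary: List[Gpo] = []
    enforced: List[Gpo] = []
    for i, c in enumerate(chain):
        for g in c.gpos:
            if g.enforced:
                enforced.append(g)
            elif block_at is None or i >= block_at:
                ordinary.append(g)
    effective: Dict[str, str] = {}
    winner: Dict[str, str] = {}

    def apply(g: Gpo) -> None:
        for key, value in g.settings.items():
            effective[key] = value
            winner[key] = g.name

    apply(lgpo)                       # local policy is always processed first
    for g in ordinary:
        apply(g)                      # later (closer to the computer) wins
    for g in reversed(enforced):
        apply(g)                      # enforced GPOs win; nearest the root wins among them
    return effective, winner


def demo() -> dict:
    """Constructed forest: an enforced domain GPO, a Servers OU and a Web OU
    beneath it that blocks inheritance."""
    lgpo = Gpo("Local", {"MinPasswordLength": "8", "RenameGuest": "yes"})
    site = Container("HQ-Site", [Gpo("SiteDefaults", {"MinPasswordLength": "10"})])
    domain = Container("corp.example", [
        Gpo("DomainSecurity",
            {"MinPasswordLength": "12", "AuditLogon": "success,failure"},
            enforced=True)])
    servers = Container("Servers", [Gpo("ServerBaseline", {"AuditLogon": "failure"})])
    web = Container("Web", [Gpo("WebHardening",
                                {"DisableTelnet": "yes", "MinPasswordLength": "6"})],
                    block_inheritance=True)
    return {
        "web_ou": resolve(lgpo, site, domain, [servers, web]),
        "servers_ou": resolve(lgpo, site, domain, [servers]),
        "standalone": resolve(lgpo, site, domain, [], domain_joined=False),
    }


if __name__ == "__main__":
    for scope, (settings, winners) in demo().items():
        print(scope)
        for key in sorted(settings):
            print(f"  {key} = {settings[key]}  (from {winners[key]})")
```

The web OU keeps its own hardening settings and loses the site and Servers GPOs to Block Inheritance, but the enforced domain GPO still overrides its weaker password length; the stand-alone case shows why LGPO settings only matter when nothing above them is applied.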

Jamming

Since RF (radio frequency) is essentially an open medium, jamming can be a huge problem for wireless networks. Jamming is one of many exploits used to compromise the wireless environment. It works by denying service to authorized users as legitimate traffic is jammed by the overwhelming frequencies of illegitimate traffic. A knowledgeable attacker with the right tools can easily jam the 2.4 GHz frequency in a way that drops the signal to a level where the wireless network can no longer function.

The complexity of jamming lies in the fact that it may not be caused intentionally, as other forms of wireless technology rely on the 2.4 GHz frequency as well. Some widely used consumer products include cordless phones, Bluetooth-enabled devices and baby monitors, all capable of disrupting the signal of a wireless network and degrading traffic.

The issue of jamming mostly relates to older wireless local area networks, as they are not fully equipped to adapt to the numerous types of interference. These networks typically call for an administrator to manually adjust each access point through trial and error. To avoid this daunting task, the best practice is to invest in a newer WLAN system. These environments offer real-time RF management features capable of identifying and adapting to unintentional interference.

Jamming Solutions

If an attacker truly wanted to compromise your LAN and wireless security, the most effective approach would be to send random unauthenticated packets to every wireless station in the network. This exploit can be easily achieved by purchasing off-the-shelf hardware from an electronics retailer and downloading free software from the internet. In some cases, it is simply impossible to defend against jamming, as an experienced attacker may have the ability to flood all available network frequencies.

If the major concern relates to malicious jamming, an intrusion prevention and detection system may be your best option. At the bare minimum, this type of system should be able to detect the presence of a rogue access point (RAP) or any unauthorized client device in your wireless network. More advanced systems can prevent unauthorized clients from accessing the system, alter configurations to maintain network performance in the presence of an attack, blacklist certain threats, and pinpoint the physical location of a rogue device to enable faster containment.

It doesn’t matter what type of interference you’re experiencing; the network must be able to detect it, react, and quickly make adjustments.