satellite or radio, to Coordinated Universal Time (UTC). However, if network administrators do not want to implement their own master clocks because of cost or other reasons, clock sources are available for synchronization via the Internet. The current version of NTP is version 4. The latest version defined by an RFC is version 3, which is recommended from a security perspective. An attacker could attempt a DoS attack on a network by sending bogus NTP data across the Internet in an attempt to change the clocks on network devices in such a manner that digital certificates are considered invalid. An attacker could also attempt to confuse a network administrator during an attack by disrupting the clocks on network devices. This scenario makes it difficult for the network administrator to determine the order of syslog events on multiple devices.

Content 5.3 Network Attacks Using Intelligence 5.3.5 Management Protocol Best Practices Figure summarizes best practices to be followed when implementing a secure management solution. These are recommendations for the correct use of SNMP tools:

Configure SNMP with only read-only community strings.
Set up access control on the device you want to manage via SNMP to allow access by only the appropriate management hosts.
Use SNMP version 3. This version provides secure access to devices through a combination of authenticating and encrypting management packets over the network.

When possible, the following management practices are advised:

Encrypt syslog traffic within an IPsec tunnel.
Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices outside a firewall.
Implement ACLs on the firewall to allow syslog data from only the managed devices themselves to reach the management hosts.
When possible, encrypt TFTP traffic within an IPsec tunnel in order to reduce the chance of interception.

The following are recommendations to follow when using NTP:

Implement your own master clock for private network synchronization.
Use NTP version 3 or above because these versions support a cryptographic authentication mechanism between peers. NTP v3 is currently supported by most vendors, including Cisco Systems. The latest version 4 is not defined by any RFC and therefore not widely supported.
Use ACLs that specify which network devices are allowed to synchronize with other network devices.

Content 5.3 Network Attacks Using Intelligence 5.3.6 Determining Vulnerabilities and Threats You can use several tools and techniques to find vulnerabilities in your network. Once you identify the vulnerabilities, you can consider and implement mitigation steps as appropriate. Use these tools listed in Figure to determine vulnerabilities:

The Blue’s Port Scanner scans 300 ports per second on a Windows computer.
Wireshark (formerly known as Ethereal) is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Wireshark has all of the standard features that you expect in a protocol analyzer, and several features not seen in any other product. The Wireshark open source license allows talented experts in the networking community to add enhancements. Wireshark runs on all popular computing platforms, including UNIX, Linux, and Windows.

Note
As of June, 2006, Ethereal is now known as Wireshark.

Microsoft Baseline Security Analyzer (MBSA) is the free, best practices vulnerability assessment tool for the Microsoft platform. MBSA is a tool designed for the IT professional that helps with the assessment phase of an overall security management strategy. MBSA includes a graphic and command-line interface that can perform local or remote scans of Windows systems.
Nmap is a well-known low-level scanner that is available to the general public. Nmap is simple to use and has an array of excellent features that can be used for network mapping and reconnaissance. The basic functionality of Nmap allows the user to do the following:
- Perform classic TCP/UDP port scanning (looking for different services on one host) and sweeping (looking for the same service on multiple systems).
- Stealth port scans and sweeps, which are hard to detect by the target host or intrusion detection systems.
- Identification of remote operating system (“operating system fingerprinting”) through TCP idiosyncrasies. This technique analyzes the responses to different stimuli and identifies elements that are characteristic to a specific operating system or platform.
- Advanced features of Nmap include protocol scanning (Layer 3 port scanning), which can identify Layer 3 protocol support on a host (generic routing encapsulation [GRE] support, Open Shortest Path First [OSPF] support, and so on).

Blue’s Port Scanner and Wireshark
Figure shows screen captures from Blue’s Port Scanner and Wireshark. The window on the left illustrates a TCP host scan and a resulting list of open TCP ports produced by Blue’s Port Scanner. Blue’s Port Scanner has been used in this example to scan a single host with the address 10.1.1.2. The TCP scan shows that SMTP, HTTP, FTP, HTTPS, EPMAP, and NETBIOS-SSN are open on that host. The image on the right shows an example of a packet capture using Wireshark. Wireshark allows you to specify various options, such as which adapter is used for sniffing and which packet filters to apply to the capture. In the figure, you see a number of packets of different protocols, each of which can be individually investigated in detail. Caution
Limit the scope of the testing when using Port Scanner or Wireshark so that you do not cause a DoS attack against your network. Microsoft Baseline Security Analyzer
Figure illustrates the results of a host vulnerability scan using the MBSA. MBSA is an easy-to-use tool that identifies security vulnerabilities of hosts that are running Microsoft operating systems. This tool allows you to scan the local host, on which MBSA is running, or any remote systems. The program provides a list of found vulnerabilities that can be sorted using different criteria. The tool provides a description of each detected vulnerability and recommends methods to fix the vulnerability. Web Links Blue’s Port Scanner
http://www.bluebitter.de/portscn2.htm Wireshark
http://www.wireshark.org/ Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/tools/
mbsahome.mspx Nmap
http://insecure.org/nmap/

Content 5.4 Disabling Unused Cisco Router Network Services and Interfaces 5.4.1 Vulnerable Router Services and Interfaces Medium size and large networks typically use a firewall appliance behind the perimeter router, which adds security features and performs user authentication and more advanced packet filtering. Firewall installations also facilitate the creation of Demilitarized Zones (DMZs) where the firewall places hosts that are commonly accessed from the Internet. Cisco IOS software offers an alternative to a firewall appliance by incorporating many firewall features in the perimeter router. Although this option does not provide the same performance and security features that a Cisco PIX