136 Cards in this Set
- Front
- Back
Cisco Security Elements for Endpoint
|
Endpoint Protection
Cisco Network Admission Control (NAC)
Network Infection Containment |
|
Cisco Network
Admission Control (NAC) |
To ensure that every endpoint complies with network security
policies before being granted access to the network |
|
Network infection containment
|
The focus of containment is to automate key elements of the infection response process.
|
|
Secure software has two main areas of focus:
|
■ Security of operating systems
■ Security of applications that run on top of the operating system |
|
Trusted code
|
This is the assurance that the operating system code is not
compromised. This assurance might be provided through a process of integrity checking of all running code using keyed Hash-based Message Authentication Code (HMAC) or digital signatures. |
|
Trusted path
|
A trusted path is a facility that helps ensure that a user is using a
genuine system and not a Trojan horse. |
|
Privileged context of execution
|
Provides a degree of identity authentication and certain privileges based on the identity.
|
|
Process memory protection and isolation
|
Provides separation from other users and their data.
|
|
Access control to resources
|
Ensures confidentiality and integrity of data.
|
|
Techniques for Protecting Endpoints from Operating System Vulnerabilities
|
Least-privilege concept
Isolation between processes
Reference monitor
Small, verifiable pieces of code |
|
Isolation between
processes |
Isolation between processes should be provided by the operating
system and may be either physical or virtual |
|
Reference monitor
|
A central point for all
policy decisions is provided by the reference monitor, which typically implements auditing functions to keep track of access as well. |
|
Types of attacks against applications
|
Direct
Indirect |
|
Attack against application: Direct
|
An attacker “tricks” the application into performing a task using the
application’s privileges. |
|
Attack against application: Indirect
|
An attacker compromises another subsystem and then, through this
compromised subsystem, attacks the application (this is called privilege escalation). |
|
Cisco NAC device provides four key features
|
The Cisco NAC device provides four key features to help further secure the enterprise and endpoint systems:
■ Authentication and authorization
■ Posture assessment (evaluating an incoming device against the network’s policies)
■ Quarantining of noncompliant systems
■ Remediation of noncompliant systems |
|
General Categories of the Cisco NAC Product
|
NAC framework
Cisco NAC Appliance (Cisco Clean Access) |
|
Architectural Components of the Cisco Security Agent
|
Management Center for Cisco Security Agents
Cisco Security Agent |
|
Cisco Security Agent Interceptors
|
File System Interceptor
Network Interceptor
Configuration Interceptor
Execution Space Interceptor |
|
Cisco Security Agent provides security approaches:
|
Distributed firewall
HIPS
Application sandbox
Network worm prevention
File integrity monitor |
|
SAN Transport Technologies
|
Fibre Channel
iSCSI
FCIP |
|
Providing a comprehensive SAN security solution involves four key aspects:
|
Centralized authentication, authorization, and logging of all changes via secure roles-based management
Centralized authentication of devices connected to the network, ensuring that only authorized devices may be connected
Secure transmission and receipt of data through traffic isolation and access controls, which ensure protection from activities of other devices in the network
Full encryption of all data leaving the storage network for business continuance, remote vaulting, and backup |
|
Classes of SAN Attacks
|
Snooping
Spoofing
DoS |
|
A Logical Unit Number (LUN)
|
In this authorization process,
a LUN is made available to some hosts and unavailable to other hosts. Generally, this technique of LUN masking is implemented at the host bus adapter (HBA) level. |
|
The two main zoning methods
|
hard zoning and soft zoning
|
|
soft zoning shows
|
soft zoning shows a device only an
allowed subset of devices. So, with soft zoning in place, when a server looks at the fabric’s content, it sees only the devices it is allowed to see. |
|
hard zoning
|
hard zoning truly restricts communication across a fabric by
using access control lists (ACL) that are applied by the switch port ASIC to every Fibre Channel frame that is switched. |
|
Fibre Channel networks use
|
use 64-bit addresses known as World Wide Names (WWN) to
uniquely identify each element in a Fibre Channel network. |
|
two primary port authentication protocols when working with
VSANs: |
Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP)
Challenge Handshake Authentication Protocol (CHAP) |
|
DHCHAP
|
Before any authentication may be performed, DHCHAP negotiates hash algorithms and Diffie-Hellman (DH) groups. In addition, it supports Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1)-based authentication. |
|
FCAP Advantages
|
Strong authentication and management data integrity using certificates (PKI infrastructure)
|
|
FCPAP
|
This is password-based and does not require a PKI infrastructure
|
|
FC-SP
|
Fibre Channel Security Protocol
|
|
The Need for VoIP
|
Reduced recurring expenses
Adaptability
Advanced functionality |
|
Advanced functionality for VoIP
|
Call routing: using different networks (OSPF, EIGRP)
Messaging
Call center solutions
Security
Customer-facing solutions |
|
Gatekeeper
|
Gatekeepers can be thought of as the traffic cops of the WAN. For
example, because bandwidth on a WAN typically is somewhat limited, a gatekeeper can monitor the available bandwidth. Then, when there is not enough bandwidth to support another voice call, the gatekeeper can deny future call attempts. |
|
Multipoint
Control Unit (MCU) |
MCUs are useful for conference calling
|
|
VoIP Protocols
|
H.323, MGCP, H.248, SIP, and
SCCP |
|
H.323
|
H.323 is considered a peer-to-peer protocol, because some H.323 devices can make their own call-routing decisions, as opposed to relying on an external database. It is a suite of protocols. |
|
SIP
|
Session Initiation Protocol (SIP), like H.323, is considered a peer-to-peer
protocol |
|
RTP
|
Real-time Transport Protocol (RTP) carries the voice payload.
|
|
Common VoIP Attack Targets
|
Accessing VoIP resources without appropriate credentials
Gleaning information from unsecured VoIP network resources
Launching a denial-of-service (DoS) attack
Capturing telephone conversations |
|
SPIT
|
spam over IP telephony
|
|
vishing
|
Maliciously collecting confidential information from a victim over the phone
|
|
message tampering
|
the attacker could change the SIP addresses in
the messages. This type of attack is known as message tampering. |
|
Examples of Attacks Targeting Voice Networks
|
SPIT
Vishing
Toll fraud
SIP attacks |
|
auxiliary VLAN
|
Separate the voice from the data
|
|
Methods of Mitigating Attacks Targeting Voice Networks
|
Using auxiliary VLANs
Using firewalls
Using IPsec-protected VPNs
Disabling web access
Disabling unneeded services |
|
Firewalls consist of a pair of mechanisms
|
One mechanism blocks traffic.
The second mechanism permits traffic. |
|
basic firewall services
|
Static packet filtering
Circuit-level firewalls
Proxy server
Application server |
|
Initial Firewall Technologies
|
Static packet-filtering firewall
Circuit-level firewall
Application layer firewall
Dynamic packet-filtering firewall |
|
Static packet-filtering firewall
|
This first-generation firewall technology is a Layer 3
device that analyzes network traffic. IP packets are examined to see if they match one of a set of rules defining which data flows are allowed. |
|
Circuit-level firewall
|
This second-generation firewall technology validates the
fact that a packet is either a connection request or a data packet belonging to a connection, or virtual circuit, between two peer transport layers. |
|
Application layer firewall
|
Data in all network packets
is examined at the application layer and maintains complete connection state and sequencing information. |
|
Dynamic packet filtering firewall
|
This fourth-generation firewall technology, sometimes
called stateful firewalls, keeps track of the actual communication process through the use of a state table. These firewalls operate at Layers 3, 4, and 5. |
|
transparent firewall
|
A transparent firewall is a Layer 2 firewall and
behaves like a “stealth firewall.” In other words, it is not seen as a router hop to connected devices. However, each interface resides on a separate VLAN. |
|
The characteristics of transparent firewall mode are as follows:
|
■ Transparent firewall mode supports two interfaces, usually an inside interface and an outside interface.
■ Transparent firewall mode can run in single as well as multiple context mode.
■ Packets are bridged by the security appliance from one VLAN to the other instead of being routed.
■ MAC lookups are performed rather than routing table lookups. |
|
Application Layer Firewalls
|
Application layer firewalls, sometimes called proxy firewalls or application gateways, allow the greatest level of control and work across all seven layers of the OSI model. These firewalls filter traffic at Layers 3, 4, 5, and 7 of the OSI model. |
|
Benefit of locating the firewall at the application layer
|
By locating the firewall at the application
layer, you gain greater control over traffic compared to packet-filtering, stateful, or application inspection firewalls. |
|
Advantages of Application Layer Firewalls
|
Authenticate individuals, not devices
It’s more difficult to spoof and implement DoS attacks
Can monitor and filter application data
Can provide detailed logging |
|
Authenticate individuals,
not devices |
Typically, connection requests can be authenticated
before traffic is allowed to pass to an internal or external resource. |
|
It’s more difficult to spoof
and implement DoS attacks |
Application layer firewalls prevent most spoofing attacks, and DoS attacks are limited to the application firewall itself. Application firewalls can detect DoS attacks, thereby reducing the burden on your internal resources. |
|
Can monitor and filter
application data |
Application layer firewalls also allow you
to control what commands or functions you allow an individual to perform based on the authentication and authorization information. |
|
Can provide detailed
logging |
Detailed logs may be generated, and you can monitor the
actual data that the individual is sending across a connection. |
|
Two solutions can address the significant consumption of disk space in application firewalls
|
Use a Context Transfer Protocol (CXTP)
Have the application layer firewall monitor only key applications |
|
using a CXTP
|
By using a CXTP, you can perform authentication and authorization exclusively, rather than
adding the overhead of monitoring data on the connection. |
|
Static packet-filtering firewalls
|
control traffic flow based on ports
|
|
Stateful Packet-Filtering Firewalls
|
Stateful inspection can track each connection traversing all interfaces of the firewall and confirm that they are valid. These firewalls operate at Layers 3, 4, and 5 of the OSI model. |
|
Disadvantages of Stateful Filtering
|
Remember, packets must make their way to the outside network. In doing so,
internal IP addresses might be exposed to potential hackers. |
|
Uses of Stateful Packet-Filtering Firewalls
|
A primary means of defense
An intelligent first line of defense
Improve routing performance
Defend against spoofing and DoS attacks |
|
Limitations of Stateful Packet-Filtering Firewalls
|
No prevention of application layer attacks
Not all protocols are stateful
Applications that open multiple connections
User authentication is not supported |
|
Application Inspection Firewalls
|
Application inspection firewalls, sometimes called deep inspection firewalls, are used to provide for the security of applications and services. Application inspection firewalls are essentially stateful firewalls with intrusion detection system capabilities. |
|
application inspection firewalls
|
■ Are aware of the Layer 5 state of a connection.
■ Check the conformity of application commands on Layer 5.
■ Can check and affect Layer 7 (such as Java applet or peer-to-peer filtering).
■ Prevent more kinds of attacks than stateful firewalls. |
|
Inspection Firewall Behavior
|
Transport layer
Session layer
Application layer |
|
Application inspection firewalls also offer a number of advantages:
|
■ Application inspection firewalls are aware of the state of Layer 4 and Layer 5 connections. For example, they know that a Layer 5 SMTP mail-from command always follows a HELO command.
■ Application inspection firewalls check the conformity of application commands on Layer 5.
■ Application inspection firewalls can check and affect Layer 7, as previously discussed.
■ Application inspection firewalls can prevent more kinds of attacks than stateful firewalls. |
|
Uses of an Application Inspection Firewall
|
Secondary means of defense
To provide more stringent controls over security than stateful filtering provides |
|
Best Practices When Developing a Firewall Policy
|
Trust no one
Deny physical access to firewall devices
Allow only necessary protocols
Use logs and alerts
Segment security zones
Do not use a firewall as a server
Never use a firewall as a workstation for a user
Set connection limits
Restrict access to firewall technology
Use the firewall as part of a comprehensive security solution
Maintain your installation |
|
packets that are allowed
|
Permitted packets
|
|
packets that are not allowed
|
Denied packets
|
|
Cisco access lists:
|
Standard
Extended |
|
Standard ACLs
|
Standard ACLs allow you to permit or deny traffic from only specific IP addresses
|
|
Extended ACL
|
With extended ACLs you can filter IP packets based on a number of attributes, including TCP or UDP ports and optional protocol type information, if you require finer granularity of control. |
|
IP standard ACL
|
1 to 99
1300 to 1999 |
|
IP extended ACL
|
100-199
2000-2699 |
|
Turbo ACLs
|
Turbo ACLs compile the ACL entries into a set of lookup tables and use the packet header to access these tables in a small, fixed number of lookups, independent of the existing number of ACL entries. |
|
The Turbo ACL feature has a number of benefits:
|
For ACLs with more than three entries, the CPU load is lower when matching the packet to the predetermined packet matching.
The Turbo ACL feature leads to much reduced latency because the time it takes to match the packet is fixed. |
|
Commands to enable and verify Turbo ACLs
|
access-list compiled
show access-list compiled |
|
Guidelines for Developing ACLs
|
Create ACLs based on your security policy
Write out your ACLs
Set up a development system
Test your ACLs |
|
Where to apply the ACLs
|
For the ACL to take effect, you must first apply packet-filtering ACLs to a router interface.
These ACLs are applied based on the direction of the data flow. |
|
The ACL may be applied to
|
Inbound (in): Applies to packets received on the router interface.
Outbound (out): Applies to packets transmitted outbound on the router interface. |
|
To apply an ACL to a router’s interface
|
ip access-group
|
|
Caveats to Consider When Creating ACLs
|
Implicit deny all
Standard ACL limitation
Standard evaluation order
Order of specific statements
Directional filtering
Modify numbered ACLs
Special packets
Extended ACL placement
Standard ACL placement |
|
Extended ACL placement
|
Using extended ACLs on routers too far from the source that you
need to filter might adversely affect packets flowing to other routers and interfaces. It is best to place extended ACLs |
|
Standard ACL placement
|
Placing standard ACLs too close to the source can adversely affect
packets destined for other destinations, because these filter packets are based on the source address. It is best to place standard ACLs as close to the destination as possible. |
|
You should filter traffic with ACLs to block services that hackers use to gather information
|
Disable unused services, ports, or protocols
Limit access to services, ports, or protocols |
|
Blocked Services with ACL
|
pmux 1 TCP and UDP
Echo 7 TCP and UDP
Discard 9 TCP and UDP
Systat 11 TCP
Daytime 13 TCP and UDP
Netstat 15 TCP
Chargen 19 TCP and UDP
Time 37 TCP and UDP
Whois 43 TCP
BOOTP 67 UDP
TFTP 69 UDP
SUPDUP 93 TCP
SunRPC 111 TCP and UDP
loc-srv 135 TCP and UDP
NetBIOS Name Service (NBNS) 137 TCP and UDP
NetBIOS Datagram Service (NetBIOS-DGN) 138 TCP and UDP
NetBIOS Session Service (NetBIOS-SSN) 139 TCP and UDP
X-Display Manager Client Protocol (XDMCP) 177 UDP
NetBIOS 445 TCP
Rexec 512 TCP
Line printer remote (LPR) 515 TCP
Talk 517 UDP
Ntalk 518 UDP
UNIX-to-UNIX Copy Program (UUCP) 540 TCP
Internet Relay Chat (IRC) 667 TCP
Microsoft UPnP SSDP 1900, 5000 TCP and UDP
Network File System (NFS) 2049 UDP
X Window System 6000 to 6063 TCP
NetBus 12345, 12346 TCP
Back Orifice 31337 TCP and UDP |
|
Services to Deny with ACL
|
Finger 79 TCP
SNMP 161 TCP and UDP
SNMP trap 162 TCP and UDP
rlogin 513 UDP
Who 513 UDP
Remote Shell Protocol (rsh), Remote Copy Protocol (rcp), rdist, rdump 514 TCP
Syslog 514 UDP
new-who 550 TCP and UDP |
|
Access to router services can be controlled in two ways:
|
Disable the service
Restrict access to the service using ACLs |
|
Preventing IP Spoofing with ACLs
|
To mitigate IP address spoofing, do not allow any IP packets containing the source address
of any internal hosts or networks inbound to a private network. |
|
The Cisco IOS classic firewall can provide network protection on multiple levels
|
■ Traffic filtering
■ Traffic inspection
■ Alerts and audit trails
■ Intrusion prevention |
|
Traffic Filtering
|
The Cisco IOS classic firewall can intelligently filter TCP and UDP packets based on application layer protocol session information. |
|
Traffic Inspection
|
One of the key responsibilities of the Cisco IOS classic firewall is to inspect traffic as it
travels through the firewall to discover and manage state information for the various TCP and UDP sessions. |
|
The Role of Alerts and Audit Trails
|
Real-time alerts and audit trails generated by the Cisco IOS classic firewall provide a means for you to gain insight into what is happening on your firewall. |
|
Classic Firewall Process
|
The Cisco IOS classic firewall provides Stateful Packet Inspection (SPI) to inspect traffic and create temporary openings at firewall interfaces
|
|
SPI
|
Stateful Packet Inspection (SPI)
|
|
CBAC
|
Context-Based Access
Control (CBAC) |
|
SPI works by inspecting the packet after it passes the inbound ACL
|
ip inspect in
ip inspect out |
|
The network generally has two main policies:
|
■ Private zone connectivity to the Internet
■ Internet zone connectivity to the private zone |
|
Two steps are involved when grouping interfaces into zones:
|
■ Creating a zone so that interfaces can be attached to it
■ Configuring an interface to be a member of a given zone |
|
To define the zone pair
|
To define the zone pair, you need to use the zone-pair security command
|
|
To attach a firewall policy map to the target zone pair,
|
To attach a firewall policy map to the target zone pair, you use the service-policy type
inspect command. |
|
Creating Cisco IOS zone-based policy firewall policies involves three main
constructs: |
■ Class map
■ Policy map
■ Parameter map |
|
A class map
|
A class map is a way to identify a set of packets based on its contents using “match” conditions.
To create a class map, you use the class-map command. |
|
Actions are associated with traffic classified by class maps using policy maps
|
inspect, drop, and pass
|
|
policy-map
|
The policy-map
command is used to specify the name of the policy map to be created, added to, or modified. |
|
parameter-map
|
Parameter maps are used to specify parameters to be applied to classified traffic.
|
|
Types of Parameter Maps
|
Inspect parameter map
URL filter parameter map
Protocol-specific parameter map |
|
The match-any or match-all
|
If match-any is specified, traffic must meet only one of the match
criteria in the class map. In contrast, if match-all is specified, traffic must match all the class map criteria to belong to that particular class. |
|
show ip port-map
|
Shows all known services (port-to-application mappings)
|
|
show zone security
|
You can display zone descriptions along with the interfaces contained in a specified zone
using the show zone security [zone-name] command. |
|
show zone-pair security [source source-zone-name] [destination destination-zone-name]
|
Displays the source zone and the destination zone of a zone pair
|
|
To display a specified policy map
|
show policy-map type inspect [policymap-name [class class-map-name]] command.
|
|
Detection Methods IDS and IPS
|
Signature-based detection
Policy-based detection
Anomaly-based detection
Honey pot detection |
|
Policy-Based Detection
|
With a policy-based approach, the IDS/IPS
device needs a very specific declaration of the security policy. |
|
Anomaly-Based Detection
|
Statistical anomaly detection
Nonstatistical anomaly detection |
|
Statistical anomaly detection
|
This approach watches network traffic patterns over a period of time and dynamically builds a baseline. |
|
Nonstatistical anomaly detection
|
This approach allows an administrator to define what traffic patterns are supposed to look like. |
|
All sensors contain at least two interfaces for IDS and IPS:
|
Command and control interface
Monitoring interface(s) |
|
Sensor Operating Modes
|
Promiscuous mode
Inline mode |
|
Promiscuous mode
|
When running in promiscuous
mode, a sensor receives a copy of selected network traffic. Because a sensor running in promiscuous mode is not inline with the traffic, IDS operation is supported, but not IPS operation. |
|
Inline mode
|
Inline mode operation requires at least two monitoring interfaces (either virtual or physical), because the sensor resides inline with the traffic. Therefore, a sensor running in inline mode supports IPS operation and can drop malicious traffic before the traffic reaches its intended target. |
|
Following are examples of potential attacker exploits at these OSI layers:
|
Application layer
Transport layer
Network layer |
|
Responses to a Signature Alarm:
|
Create a log entry
Drop the offending packet
Reset the TCP connection
Block the attacker’s IP address
Block traffic associated with the offending connection |
|
Tabs in the Edit Global Settings Window
|
Syslog and SDEE
Global Engine |
|
Syslog and SDEE
|
With this tab, an administrator can cause the IPS feature to send alarm, event, and error information using syslog services.
|
|
Global Engine
|
Enable Engine Fail Closed
Use Built-In Signatures (as backup)
Enable deny action on IPS interface |