50 Cards in this Set

  • Front
  • Back
What are the different planes of operation for a Switch or Router?
Management Plane = Used to manage the device including accessing and configuring it. Control Plane = Encompasses protocols used between devices including routing protocols and STP. Data Plane = Is the plane of operation in charge of forwarding data through a device.
What are the three primary methods of accessing the data plane through the management plane?
1. CLI access via a serial connection (console) or over a network connection using Telnet or SSH. 2. Web access via a web-based interface (e.g. CCP or SDM) over either HTTP or HTTPS. 3. SNMP access, which is commonly used to monitor devices, with devices configured to support read-only or read-write access.
What two approaches can be used to stop an attacker adding a rogue switch into a network and making it the STP Root Bridge?
1. Root Guard can be enabled on all ports on the network where the RB shouldn't appear, effectively creating a protective perimeter around the RB. 2. BPDU Guard is enabled on all PortFast ports, since these ports should never receive BPDUs as they are assumed to be attached to workstations.
What do Control Plane Policing (CoPP; IOS 12.2S, 12.3T & 12.4) and Control Plane Protection (CPPr; IOS 12.4(4)T) do?
They limit the amount of traffic sent to the control plane ensuring that the control plane CPU cannot be overloaded through a denial-of-service attack. CPPr is an extension of CoPP which allows an administrator to apply a quality of service (QoS) policy to a router's control plane. The control plane handles all traffic which must be processed by the router in software.
What can be used to prevent a man-in-the-middle attack gleaning info (e.g. usernames and passwords) from intercepted traffic?
A secure VPN tunnel can be constructed to encrypt the data so an attacker can't interpret any packets. Although multiple VPN protocols exist, IPsec is one of the most popular ones used.
What are the three primary components of an 802.1x network?
1. Supplicant: Device that wants to gain access to the network. 2. Authenticator: Forwards the supplicant's authentication request to the authentication server, and receives the key that's used to securely communicate and transmit data with the supplicant. 3. Authentication Server: Checks the supplicant's credentials and issues the authenticator the key.
What is Cisco's Network Admission Control (NAC)?
It restricts access to the network based on identity or security posture. It can force user or machine authentication prior to granting access to the network. In addition, guest access can be granted to a quarantine area where the user must present some sort of credentials before being granted access to the network (typical of non-free Wi-Fi). Besides user authentication, authorization in NAC can be based upon compliance checking. This posture assessment is the evaluation of system security based on the applications and settings that a particular system is using (e.g. Windows registry settings or the presence of security agents such as anti-virus or a personal firewall).
What are the services offered by a AAA server?
Authentication = Checks the user's credentials to confirm they are who they say they are. Authorization = Once authenticated, determines what the user is allowed to do. Accounting = Collects and stores info about the user's login and what they are doing on the network.
What are the common attributes of TACACS+?
TCP; provides separate services for authentication, authorization and accounting; encrypts the entire packet; offers basic accounting features; Cisco proprietary.
What are the common attributes of RADIUS?
UDP; combines authentication and authorization functions; only encrypts the password; offers robust accounting features; standards based.
To issue a break command from a terminal emulator to the router.
Within the first 60 seconds of router initialization, from within the terminal emulator press the Ctrl+Pause/Break keys. The break causes the router to enter rommon, from where you can boot the router without its start-up config.
How would you reset a forgotten password on a router?
1: In rommon enter "confreg 0x2142" and then "reset" to restart the router without running the start-up config. 2: In priv mode enter "copy start run", which merges the 2 configs rather than replacing one with the other. 3: After the merge all the interfaces will be shut down, so use "no shut" to bring them back up. 4: Use "enable secret [password]" to set a new password. 5: Reset the config register back to normal so the router boots to the start-up config with the cmd "config-register 0x2102". 6: Finally "copy run start" to save the running config, and use "reload" to restart the router.
What's the major difference between protecting the management and control planes in comparison to the data plane?
Protecting the management and control planes focuses on protecting a network device, whilst protecting the data plane focuses on protecting the actual data flow through a network and the devices (e.g. hosts) on the network.
When trying to authenticate, what error message would you get if the TACACS+ or RADIUS server were offline?
If a TACACS+ or RADIUS server were offline you would get some sort of message about "connection refused" or "no response", while if authentication failed the message is more like "authentication failure" or "access rejected".
To specify how long the EXEC process running on a line waits for user input before timing out the connection. Defaults to 10 mins.
R1(config-line)# exec-timeout [mins] [secs]
ROM Monitor cmd to configure a router to ignore its start-up config when it boots.
rommon 1 > confreg 0x2142
ROM Monitor cmd that causes a router to reboot.
rommon 1 > reset
The cmd to configure a router to use its start-up config the next time the router boots up.
R1(config)# config-register 0x2102
To disable the password recovery service (not available on all devices). Although this can stop an attacker accessing the device, it still doesn't stop them completely wiping the config. For this reason physical security remains critical.
R1(config)# no service password-recovery
To enable Root Guard on a port. When the port receives a superior BPDU it goes into Root Inconsistent state.
Switch(config-if)# spanning-tree guard root
To enable BPDU Guard globally on all ports. When a port receives a BPDU it goes into the err-disable state.
Switch(config)# spanning-tree portfast bpduguard default
To enable or disable BPDU Guard on a per-interface basis.
Switch(config-if)# [no] spanning-tree bpduguard enable
To show all interfaces in the inconsistent state.
Switch# show spanning-tree inconsistent ports
To show ports which are in the err-disable state.
Switch# show interface status err-disabled
To enable DHCP snooping globally and to then specify which VLANs it should be implemented on. It helps prevent DHCP spoofing by using trusted and untrusted ports.
Switch(config)# ip dhcp snooping, Switch(config)# ip dhcp snooping vlan [vlan-id]
To enable an interface as DHCP snooping trusted; all ports are untrusted by default. If a port is trusted it's allowed to receive DHCP responses, but if a DHCP response attempts to enter an untrusted port, that port is put into the err-disable state.
Switch(config-if)# ip dhcp snooping trust
To limit the rate of DHCP requests (packets per second) accepted on an untrusted port. This can help prevent a DoS attack where an attacker repeatedly requests IP assignments from the DHCP server, depleting its pool of addresses.
Switch(config-if)# ip dhcp snooping limit rate [1 to 2048]
To enable DAI (Dynamic ARP Inspection) for a specified VLAN. Uses the DHCP binding table to help prevent ARP spoofing attacks, in which the attacker sends GARP replies with an incorrect MAC address.
Switch(config)# ip arp inspection vlan [vlan-id]
To enable a port as DAI trusted; all ports are untrusted by default. Trusted ports are normally those connected to other switches. DAI only inspects ARP replies on untrusted ports, and if a reply contains invalid or conflicting entries it is dropped and a log message is generated.
Switch(config-if)# ip arp inspection trust
To show the DHCP binding table with all the known DHCP bindings that have been overheard.
Switch# show ip dhcp snooping binding
To enable AAA services on a router, allowing you to use a username and password for logins.
Switch(config)# aaa new-model
To identify the method list (name of the authentication group) and the security protocol used with AAA (RADIUS, TACACS+ or the local database). If you use "default" as the policy name, the list is automatically applied to all interfaces and lines except those that have a named method list explicitly defined. A defined method list overrides the default method list.
Switch(config)# aaa authentication login [default | method list name] [local | radius | tacacs+]
To enable 802.1x security on a network. It requires a client to authenticate before communicating on the network. Once authenticated, a key is generated and shared between the client and the device it's attaching to (e.g. WLAN controller), and this key is used to encrypt all traffic between them.
Switch(config)# dot1x system-auth-control
To define the IP address of the authentication server and the shared secret that will be used to authenticate to it. The key must match the one configured on the specified authentication server.
Switch(config)# [tacacs-server | radius-server] host [ip add] key [string]
To specify what AAA method list should be used for login authentication for a line (for example, console line or vty line).
Switch(config-line)# login authentication [method list]
To define all RADIUS servers as the authentication method used for 802.1x authentication.
Switch(config)# aaa authentication dot1x default group radius
To configure a switch port to use 802.1x. Force-authorized (default) = no authentication needed; Force-unauthorized = never authorize any client; Auto = use the 802.1x exchange to move from the unauthorized state to the authorized state.
Switch(config-if)# dot1x port-control [force-authorized | force-unauthorized | auto]
To display real-time info for authentication attempts on a router configured for AAA authentication. It includes which method list was used, the username and the IP address of the client.
Switch# debug aaa authentication
To create an inspection rule that will examine HTTP (web) traffic.
R1(config)# ip inspect name [name] http
To apply an inspection rule. If applied outbound, the router would examine the outbound HTTP traffic and allow return traffic from the session back into the router even if there is an ACL blocking it.
R1(config-if)# ip inspect [name] [in | out]
To make a router generate syslog messages whenever the router creates a new stateful inspection rule.
R1(config)# ip inspect audit-trail
To see the current sessions being inspected by the IOS Firewall feature. It displays the IP addresses, port numbers and protocols that make up the session.
R1# show ip inspect session
To see the current sessions being inspected in more detail. Shows info such as the number of bytes sent by both the session initiator and responder, as well as the number of times any corresponding ACL has been matched.
R1# show ip inspect session detail
To display information about an interface's inspection configuration. Shows info such as any inbound/outbound inspection rules and ACLs.
R1# show ip inspect session all
To display real-time info about an inspection session, including the initiator's and responder's IP addresses, the ACL being used, the port number, and the L4 protocol type (e.g. TCP or UDP) in use.
R1# debug ip inspect object-creation
To create a basic (standard) ACL, which can permit or deny traffic based only on the src IP address. 0.0.0.0 255.255.255.255 for src or dst is equivalent to "any". "host" goes before the IP address and means that exact host (same as wildcard 0.0.0.0).
R1(config)# access-list [number/name] [permit | deny] [host | [src IP & wildcard mask] | any]
To create an extended ACL, which can permit or deny traffic based on src or dst IP address and port number. Protocol = L3 IP or IPX, and L4 TCP, UDP or ICMP. Operator = indicates less than (lt), equal to (eq) or greater than (gt) the port number. The "log" keyword logs all denied traffic.
R1(config)# access-list [number/name] [permit | deny] [protocol] [src & wildcard mask] [dst & wildcard mask] [operator] [port-number] [log]
To apply an ACL. Only one ACL per interface, per direction, per protocol.
R1(config-if)# ip access-group [number/name] [in | out]
To display the access lists configured on the router.
R1# show ip access-lists
To display the output collected from logged access list entries.
R1# show logging