• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off

Card Range To Study



Play button


Play button




Click to flip

Use LEFT and RIGHT arrow keys to navigate between flashcards;

Use UP and DOWN arrow keys to flip the card;

H to show hint;

A reads text to speech;

85 Cards in this Set

  • Front
  • Back
The Three Primary Goals of Network Security
Data confidentiality implies keeping data private.
Data integrity ensures that data has not been modified in transit
Cisco defines three
security controls
Administrative control
Physical control
Technical control
A vulnerability in an information system is a weakness that an attacker might leverage to
gain unauthorized access to the system or its data
attackers write a program intended to take advantage of the vulnerability
five broad categories of attacks
Defense in Depth
layers of security present in a Defense in Depth deployment should provide redundancy for
one another while offering a variety of defense strategies for protecting multiple aspects of
a network
Source routing has two variations
Loose: The attacker specifies a list of IP addresses through which a packet must travel.
Strict: The IP addresses in the list specified by the attacker are the only IP addresses
through which a packet is allowed to travel.
gratuitous ARP (GARP) frames
These GARP frames might claim that the
attacker’s Layer 2 MAC address was the MAC address of the next-hop router.
Protecting Against an IP Spoofing Attack
1. Use access control lists (ACL) on router interfaces
2. Encrypt traffic between devices.
3. Use cryptographic authentication
steganography is sending a digital image made
up of millions of pixels, with “secret” information encoded in
specific pixels
overt channels
An example of using an overt
channel is tunneling one protocol inside another (for example,
sending instant messaging traffic via HTTP).
covert channels
which can communicate
information as a series of codes and/or events. For example,
binary data could be represented by sending a series of pings to a
Salami attack
This is a collection of small attacks that result in a larger attack when
Data diddling
The process of data diddling changes data before it is stored in a
computing system.
Trust relationship exploitation
Different devices in a network might have a trust
relationship between themselves.
TCP SYN flood
One variant of a DoS attack is for an attacker to initiate multiple TCP sessions
by sending SYN segments but never completing the three-way handshake.
“Smurf attack”
can use ICMP traffic directed to a subnet to flood
a target system with ping replies,
Cisco recommends the following best practices to help harden the security
of your network:
■ Routinely apply patches to operating systems and applications.
■ Disable unneeded services and ports on hosts.
■ Require strong passwords, and enable password expiration.
■ Protect the physical access to computing and networking equipment.
■ Enforce secure programming practices, such as limiting valid characters that can be
entered into an application’s dialog box.
■ Regularly back up data, and routinely verify the integrity of the backups.
■ Train users on good security practices, and educate them about social engineering
■ Use strong encryption for sensitive data.
■ Defend against technical attacks by deploying hardware- and software-based security
systems (for example, firewalls, IPS sensors, and antivirus software).
■ Create a documented security policy for company-wide use.
operations security
operations security attempts to secure hardware, software, and various
media while investigating anomalous network behavior.
System Development Life Cycle
■ Initiation
■ Acquisition and development
■ Implementation
■ Operations and maintenance
■ Disposition
Security categorization
Security categorization, as the name suggests, categorizes
the severity of a security breach on a particular network component. For example, a
newly added network device might be categorized as having either a high, medium, or
low security level.
Security categorization
Preliminary risk assessment
Separation of
Information security personnel should be assigned
responsibilities such that no single employee can compromise a
system’s security.
Rotation of duties
The potential for a single employee to cause an ongoing security
breach is lessened by having multiple employees periodically
rotate duties.
Trusted recovery
Trusted recovery implies making preparations for a system
failure (for example, backing up sensitive data and securing
those backups) and having a plan to recover data in the event of a
Configuration and
change control
When making changes to an information system, multiple
personnel should review the changes beforehand to anticipate
any issues that could result
Three phases of recovery include
■ Emergency response phase
■ Recovery phase
■ Return to normal operations phase
Disruption Categories
main purpose of a security
The main purpose of a security policy is to protect an organization’s assets.
other purposes of the security policy
■ Making employees aware of their obligations as far as security practices
■ Identifying specific security solutions required to meet the goals of the security policy
■ Acting as a baseline for ongoing security monitoring
acceptable use policy
(AUP), also known as an appropriate use policy
An AUP identifies what users of a network
are and are not allowed to do on the network.
Governing Policy
At a very high level, a governing policy addresses security concepts deemed important to
an organization
Technical Policies
Security and IT personnel are the intended targets
of these technical policies, and these personnel use these policies in performing their day to day tasks
End-User Policies
End-user policies address security issues and procedures relevant to end users
More-Detailed Documents
identify threats facing the network
risk analysis
analyzing the probability that a threat will occur and the severity of the consequences if that
threat does occur
risk analysis approches
Risk management:
Risk management assumes that not all potential threats can be
eliminated. It attempts to reduce the anticipated damage from risks to an acceptable
Risk avoidance
Risk avoidance can eliminate the identified risks by not exposing a
system to end users
Consider the following elements of a secure network design:
Business needs
Risk Analysis
Security Policy
Best Practices
Security Operations
Cisco Self-Defending Network Core Characteristics
Security is built in to the network, as opposed to being added to an
existing network.
IT personnel focusing on security collaborate with IT personnel
focusing on network operations.
Security solutions can adapt to evolving threats.
IOS Security Features
Stateful Firewall
Intrusion Prevention System
VPN Routing and Forwarding-aware
Stateful Firewall
The Cisco IOS firewall feature allows an IOS router to perform
stateful inspection of traffic
The IOS Intrusion Prevention System (IPS) feature can detect
malicious network traffic inline and stop it before it reaches its
VPN Routing and Forwarding-aware
A VRF-aware firewall maintains a separate routing and
forwarding table for each VPN
ISR Enhanced Features
Integrated VPN acceleration
Dedicated voice hardware
Advanced Integration Modules
USB port
Cisco guidelines for selecting a strong router password
Select a password that is at least ten characters long
Use a mixture of alphabetic
The password should not be a common word found in a dictionary
Create a policy that dictates how and when passwords are to be changed.
To better secure these passwords, con 0, aux 0, vty 0 4
service password-encryption
To avoid th reset a password using the ROM monitor
no service password-recovery
Limit how many failures authentication password to avoid brute force attack
security authentication failure rate 5 log
Default inactivity timer in a router
10 minutes

Cisco Recomandation: 3 minutes
Inactivity timer command:


exec-timeout 2 30

2 minutes 30 seconds
n disable the inactivity timer (not recommended)
exec-timeout 0 0
Cisco supported priviledge levels
0 to 15
Priviledge level default
user mode level 0
after enable level 15
Configuring a Privilege Level
(set also enable to level 5)
privilege exec level 5 debug
enable secret level 5 passxxxx
Cisco IOS Resilient Configuration Steps
Step 1: Enable
image resilience
Step 2: Secure the
boot configuration
Step 3: Verify the
security of the
image resilience
secure boot-image
Secure the
boot configuration
secure boot-config
Verify the
security of the
show secure bootset
How to protect the routers from virtual connections like telnet, ssh or https
Create a delay between repeated login attempts.
Suspend the login process if a denial-of-service (DoS) attack is suspected.
Create syslog messages upon the success and/or failure of a login attempt.
login enhancements command
login block-for
show if SDM is installed
show flash
Authentication, Authorization, and Accounting
Authentication is the process by which users and administrators prove
that they are who they claim to
After the user or administrator has been authenticated, authorization
services are used to decide which resources he is allowed to access,
Accounting and auditing:
It is the role of accounting and auditing to
record what the user or administrator actually did with this access, what he accessed,
and how long he accessed it.
Cisco provides three ways to implement AAA services for Cisco routers:
Cisco Secure ACS Solution Engine
Cisco Secure Access Control Server (ACS) for Windows Server:
Self-contained AAA:
Cisco Secure ACS Solution Engine:
AAA services on either
the router or network access server (NAS), which acts as a gateway to guard access to
protected resources
Cisco Secure Access Control Server (ACS) for Windows Server:
AAA services on the
router or NAS contact an external Cisco Secure ACS for Microsoft Windows systems.
You need a separate license for CSA if this is what you want.
Self-contained AAA
AAA services are self-contained in either a router or NAS.
Implemented in this fashion, this form of authentication is also known as local
Six steps are required to configure a Cisco router for local authentication:
Step 1 Secure access to privileged EXEC mode.
Step 2 Use the aaa new-model command to enable AAA globally on the
perimeter router.
Step 3 Configure AAA authentication lists.
Step 4 Configure AAA authorization for use after the user has passed
Step 5 Configure the AAA accounting options.
Step 6 Verify the configuration.
aaa authentication (IMPORTANT COMMANDS)
learn the following three commands and how to implement them in an AAA environment:
■ The aaa authentication login command
■ The aaa authentication ppp command
■ The aaa authentication enable default command
aaa authentication login
Use the aaa authentication login global configuration
command to set AAA authentication at login
aaa authentication enable default
Use the aaa authentication enable default global
configuration command to enable AAA authentication to
determine if a user can access the privileged command level.
aaa authentication ppp
Use the aaa authentication ppp global configuration
command to specify one or more AAA authentication
methods for use on serial interfaces running PPP.
Using the CLI to Troubleshoot AAA for Cisco Routers
debug aaa authentication
debug aaa authorization
debug aaa accounting