85 Cards in this Set
Front: The three primary goals of network security
Back:
Confidentiality
Integrity
Availability

Front: Confidentiality
Back: Data confidentiality implies keeping data private.

Front: Integrity
Back: Data integrity ensures that data has not been modified in transit.

Front: Cisco defines three security controls
Back:
Administrative control
Physical control
Technical control

Front: Vulnerability
Back: A vulnerability in an information system is a weakness that an attacker might leverage to gain unauthorized access to the system or its data.

Front: Exploit
Back: Attackers write a program intended to take advantage of the vulnerability.

Front: Five broad categories of attacks
Back:
Passive
Active
Close-in
Insider
Distribution

Front: Defense in Depth
Back: The layers of security present in a Defense in Depth deployment should provide redundancy for one another while offering a variety of defense strategies for protecting multiple aspects of a network.

Front: Source routing has two variations
Back:
Loose
Strict

Front: Loose
Back: The attacker specifies a list of IP addresses through which a packet must travel.

Front: Strict
Back: The IP addresses in the list specified by the attacker are the only IP addresses through which a packet is allowed to travel.

Front: Gratuitous ARP (GARP) frames
Back: These GARP frames might claim that the attacker's Layer 2 MAC address was the MAC address of the next-hop router.

Front: Protecting against an IP spoofing attack
Back:
1. Use access control lists (ACLs) on router interfaces.
2. Encrypt traffic between devices.
3. Use cryptographic authentication.

Front: Steganography
Back: Steganography is sending a digital image made up of millions of pixels, with "secret" information encoded in specific pixels.

Front: Overt channels
Back: An example of using an overt channel is tunneling one protocol inside another (for example, sending instant messaging traffic via HTTP).

Front: Covert channels
Back: Covert channels can communicate information as a series of codes and/or events. For example, binary data could be represented by sending a series of pings to a destination.

Front: Salami attack
Back: This is a collection of small attacks that result in a larger attack when combined.

Front: Data diddling
Back: The process of data diddling changes data before it is stored in a computing system.

Front: Trust relationship exploitation
Back: Different devices in a network might have a trust relationship between themselves.

Front: TCP SYN flood
Back: One variant of a DoS attack is for an attacker to initiate multiple TCP sessions by sending SYN segments but never completing the three-way handshake.

Front: "Smurf attack"
Back: A Smurf attack can use ICMP traffic directed to a subnet to flood a target system with ping replies.

Front: Cisco recommends the following best practices to help harden the security of your network
Back:
■ Routinely apply patches to operating systems and applications.
■ Disable unneeded services and ports on hosts.
■ Require strong passwords, and enable password expiration.
■ Protect the physical access to computing and networking equipment.
■ Enforce secure programming practices, such as limiting valid characters that can be entered into an application's dialog box.
■ Regularly back up data, and routinely verify the integrity of the backups.
■ Train users on good security practices, and educate them about social engineering tactics.
■ Use strong encryption for sensitive data.
■ Defend against technical attacks by deploying hardware- and software-based security systems (for example, firewalls, IPS sensors, and antivirus software).
■ Create a documented security policy for company-wide use.

Front: Operations security
Back: Operations security attempts to secure hardware, software, and various media while investigating anomalous network behavior.

Front: System Development Life Cycle (SDLC)
Back:
■ Initiation
■ Acquisition and development
■ Implementation
■ Operations and maintenance
■ Disposition

Front: Security categorization
Back: Security categorization, as the name suggests, categorizes the severity of a security breach on a particular network component. For example, a newly added network device might be categorized as having either a high, medium, or low security level.

Front: Initiation
Back:
Security categorization
Preliminary risk assessment

Front: Separation of duties
Back: Information security personnel should be assigned responsibilities such that no single employee can compromise a system's security.

Front: Rotation of duties
Back: The potential for a single employee to cause an ongoing security breach is lessened by having multiple employees periodically rotate duties.

Front: Trusted recovery
Back: Trusted recovery implies making preparations for a system failure (for example, backing up sensitive data and securing those backups) and having a plan to recover data in the event of a failure.

Front: Configuration and change control
Back: When making changes to an information system, multiple personnel should review the changes beforehand to anticipate any issues that could result.

Front: Three phases of recovery include
Back:
■ Emergency response phase
■ Recovery phase
■ Return to normal operations phase

Front: Disruption categories
Back:
Nondisaster
Disaster
Catastrophe

Front: Main purpose of a security policy
Back: The main purpose of a security policy is to protect an organization's assets.

Front: Other purposes of the security policy
Back:
■ Making employees aware of their obligations as far as security practices
■ Identifying specific security solutions required to meet the goals of the security policy
■ Acting as a baseline for ongoing security monitoring

Front: Acceptable use policy (AUP), also known as an appropriate use policy
Back: An AUP identifies what users of a network are and are not allowed to do on the network.

Front: Governing policy
Back: At a very high level, a governing policy addresses security concepts deemed important to an organization.

Front: Technical policies
Back: Security and IT personnel are the intended targets of these technical policies, and these personnel use these policies in performing their day-to-day tasks.

Front: End-user policies
Back: End-user policies address security issues and procedures relevant to end users.

Front: More-detailed documents
Back:
Standards
Guidelines
Procedures

Front: Threat identification
Back: Identify threats facing the network.

Front: Risk analysis
Back: Analyzing the probability that a threat will occur and the severity of the consequences if that threat does occur.

Front: Risk analysis approaches
Back:
Quantitative
Qualitative

Front: Risk management
Back: Risk management assumes that not all potential threats can be eliminated. It attempts to reduce the anticipated damage from risks to an acceptable level.

Front: Risk avoidance
Back: Risk avoidance can eliminate the identified risks by not exposing a system to end users.

Front: Consider the following elements of a secure network design
Back:
Business needs
Risk analysis
Security policy
Best practices
Security operations

Front: Cisco Self-Defending Network core characteristics
Back:
Integrated
Collaborative
Adaptive

Front: Integrated
Back: Security is built in to the network, as opposed to being added to an existing network.

Front: Collaborative
Back: IT personnel focusing on security collaborate with IT personnel focusing on network operations.

Front: Adaptive
Back: Security solutions can adapt to evolving threats.

Front: IOS security features
Back:
Stateful Firewall
Intrusion Prevention System
VPN Routing and Forwarding-aware VPN

Front: Stateful Firewall
Back: The Cisco IOS firewall feature allows an IOS router to perform stateful inspection of traffic.

Front: IPS
Back: The IOS Intrusion Prevention System (IPS) feature can detect malicious network traffic inline and stop it before it reaches its destination.

Front: VPN Routing and Forwarding-aware
Back: A VRF-aware firewall maintains a separate routing and forwarding table for each VPN.

Front: ISR enhanced features
Back:
Integrated VPN acceleration
Dedicated voice hardware
Advanced Integration Modules
USB port

Front: Cisco guidelines for selecting a strong router password
Back:
Select a password that is at least ten characters long.
Use a mixture of alphabetic
The password should not be a common word found in a dictionary.
Create a policy that dictates how and when passwords are to be changed.

Front: To better secure these passwords (con 0, aux 0, vty 0 4)
Back: service password-encryption

Front: To avoid the reset of a password using the ROM monitor
Back: no service password-recovery

Front: Limit how many authentication failures are allowed, to avoid a brute-force attack
Back: security authentication failure rate 5 log

Front: Default inactivity timer in a router
Back:
10 minutes
Cisco recommendation: 3 minutes

Front: Inactivity timer command
Back:
exec-timeout
Example: exec-timeout 2 30 (2 minutes 30 seconds)

Front: To disable the inactivity timer (not recommended)
Back: exec-timeout 0 0

Front: Cisco supported privilege levels
Back: 0 to 15

Front: Privilege level default
Back:
User mode: level 0
After enable: level 15

Front: Configuring a privilege level (set also enable to level 5)
Back:
privilege exec level 5 debug
enable secret level 5 passxxxx

Front: Cisco IOS Resilient Configuration steps
Back:
Step 1: Enable image resilience
Step 2: Secure the boot configuration
Step 3: Verify the security of the bootset

Front: Enable image resilience
Back: secure boot-image

Front: Secure the boot configuration
Back: secure boot-config

Front: Verify the security of the bootset
Back: show secure bootset

Front: How to protect the routers from virtual connections like telnet, ssh or https
Back:
Create a delay between repeated login attempts.
Suspend the login process if a denial-of-service (DoS) attack is suspected.
Create syslog messages upon the success and/or failure of a login attempt.

Front: Login enhancements command
Back: login block-for

Front: Show if SDM is installed
Back: show flash

Front: AAA
Back: Authentication, Authorization, and Accounting

Front: Authentication
Back: Authentication is the process by which users and administrators prove that they are who they claim to be.

Front: Authorization
Back: After the user or administrator has been authenticated, authorization services are used to decide which resources he is allowed to access.

Front: Accounting and auditing
Back: It is the role of accounting and auditing to record what the user or administrator actually did with this access, what he accessed, and how long he accessed it.

Front: Cisco provides three ways to implement AAA services for Cisco routers
Back:
Cisco Secure ACS Solution Engine
Cisco Secure Access Control Server (ACS) for Windows Server
Self-contained AAA

Front: Cisco Secure ACS Solution Engine
Back: AAA services on either the router or network access server (NAS), which acts as a gateway to guard access to protected resources.

Front: Cisco Secure Access Control Server (ACS) for Windows Server
Back: AAA services on the router or NAS contact an external Cisco Secure ACS for Microsoft Windows systems. You need a separate license for CSA if this is what you want.

Front: Self-contained AAA
Back: AAA services are self-contained in either a router or NAS. Implemented in this fashion, this form of authentication is also known as local authentication.

Front: Six steps are required to configure a Cisco router for local authentication
Back:
Step 1: Secure access to privileged EXEC mode.
Step 2: Use the aaa new-model command to enable AAA globally on the perimeter router.
Step 3: Configure AAA authentication lists.
Step 4: Configure AAA authorization for use after the user has passed authentication.
Step 5: Configure the AAA accounting options.
Step 6: Verify the configuration.

Front: aaa authentication (IMPORTANT COMMANDS)
Back:
Learn the following three commands and how to implement them in an AAA environment:
■ The aaa authentication login command
■ The aaa authentication ppp command
■ The aaa authentication enable default command

Front: aaa authentication login
Back: Use the aaa authentication login global configuration command to set AAA authentication at login.

Front: aaa authentication enable default
Back: Use the aaa authentication enable default global configuration command to enable AAA authentication to determine if a user can access the privileged command level.

Front: aaa authentication ppp
Back: Use the aaa authentication ppp global configuration command to specify one or more AAA authentication methods for use on serial interfaces running PPP.

Front: Using the CLI to troubleshoot AAA for Cisco routers
Back:
debug aaa authentication
debug aaa authorization
debug aaa accounting