Ccna Network Security Concepts

Front 1

The Three Primary Goals of Network Security

Back 1

Confidentiality
Integrity
Availability

Front 2

Confidentiality

Back 2

Data confidentiality implies keeping data private.

Front 3

Integrity

Back 3

Data integrity ensures that data has not been modified in transit

Front 4

Cisco defines three
security controls

Back 4

Administrative control
Physical control
Technical control

Front 5

Vulnerability

Back 5

A vulnerability in an information system is a weakness that an attacker might leverage to
gain unauthorized access to the system or its data

Front 6

exploit

Back 6

attackers write a program intended to take advantage of the vulnerability

Front 7

five broad categories of attacks

Back 7

Passive
Active
Close-in
Isider
Distribution

Front 8

Defense in Depth

Back 8

The
layers of security present in a Defense in Depth deployment should provide redundancy for
one another while offering a variety of defense strategies for protecting multiple aspects of
a network

Front 9

Source routing has two variations

Back 9

Loose
Strict

Front 10

Loose

Back 10

Loose: The attacker specifies a list of IP addresses through which a packet must travel.

Front 11

Strict

Back 11

Strict: The IP addresses in the list specified by the attacker are the only IP addresses
through which a packet is allowed to travel.

Front 12

gratuitous ARP (GARP) frames

Back 12

These GARP frames might claim that the
attacker’s Layer 2 MAC address was the MAC address of the next-hop router.

Front 13

Protecting Against an IP Spoofing Attack

Back 13

1. Use access control lists (ACL) on router interfaces
2. Encrypt traffic between devices.
3. Use cryptographic authentication

Front 14

Steganography

Back 14

steganography is sending a digital image made
up of millions of pixels, with “secret” information encoded in
specific pixels

Front 15

overt channels

Back 15

An example of using an overt
channel is tunneling one protocol inside another (for example,
sending instant messaging traffic via HTTP).

Front 16

covert channels

Back 16

which can communicate
information as a series of codes and/or events. For example,
binary data could be represented by sending a series of pings to a
destination

Front 17

Salami attack

Back 17

This is a collection of small attacks that result in a larger attack when
combined.

Front 18

Data diddling

Back 18

The process of data diddling changes data before it is stored in a
computing system.

Front 19

Trust relationship exploitation

Back 19

Different devices in a network might have a trust
relationship between themselves.

Front 20

TCP SYN flood

Back 20

One variant of a DoS attack is for an attacker to initiate multiple TCP sessions
by sending SYN segments but never completing the three-way handshake.

Front 21

“Smurf attack”

Back 21

can use ICMP traffic directed to a subnet to flood
a target system with ping replies,

Front 22

Cisco recommends the following best practices to help harden the security
of your network:

Back 22

:
■ Routinely apply patches to operating systems and applications.
■ Disable unneeded services and ports on hosts.
■ Require strong passwords, and enable password expiration.
■ Protect the physical access to computing and networking equipment.
■ Enforce secure programming practices, such as limiting valid characters that can be
entered into an application’s dialog box.
■ Regularly back up data, and routinely verify the integrity of the backups.
■ Train users on good security practices, and educate them about social engineering
tactics.
■ Use strong encryption for sensitive data.
■ Defend against technical attacks by deploying hardware- and software-based security
systems (for example, firewalls, IPS sensors, and antivirus software).
■ Create a documented security policy for company-wide use.

Front 23

operations security

Back 23

operations security attempts to secure hardware, software, and various
media while investigating anomalous network behavior.

Front 24

System Development Life Cycle
(SDLC)

Back 24

■ Initiation
■ Acquisition and development
■ Implementation
■ Operations and maintenance
■ Disposition

Front 25

Security categorization

Back 25

Security categorization, as the name suggests, categorizes
the severity of a security breach on a particular network component. For example, a
newly added network device might be categorized as having either a high, medium, or
low security level.

Front 26

Initiation

Back 26

Security categorization
Preliminary risk assessment

Front 27

Separation of
duties

Back 27

Information security personnel should be assigned
responsibilities such that no single employee can compromise a
system’s security.

Front 28

Rotation of duties

Back 28

The potential for a single employee to cause an ongoing security
breach is lessened by having multiple employees periodically
rotate duties.

Front 29

Trusted recovery

Back 29

Trusted recovery implies making preparations for a system
failure (for example, backing up sensitive data and securing
those backups) and having a plan to recover data in the event of a
failure

Front 30

Configuration and
change control

Back 30

When making changes to an information system, multiple
personnel should review the changes beforehand to anticipate
any issues that could result

Front 31

Three phases of recovery include

Back 31

■ Emergency response phase
■ Recovery phase
■ Return to normal operations phase

Front 32

Disruption Categories

Back 32

Nondisaster
Disaster
Catastrophe

Front 33

main purpose of a security

Back 33

The main purpose of a security policy is to protect an organization’s assets.

Front 34

other purposes of the security policy

Back 34

■ Making employees aware of their obligations as far as security practices
■ Identifying specific security solutions required to meet the goals of the security policy
■ Acting as a baseline for ongoing security monitoring

Front 35

acceptable use policy
(AUP), also known as an appropriate use policy

Back 35

An AUP identifies what users of a network
are and are not allowed to do on the network.

Front 36

Governing Policy

Back 36

At a very high level, a governing policy addresses security concepts deemed important to
an organization

Front 37

Technical Policies

Back 37

Security and IT personnel are the intended targets
of these technical policies, and these personnel use these policies in performing their day to day tasks

Front 38

End-User Policies

Back 38

End-user policies address security issues and procedures relevant to end users

Front 39

More-Detailed Documents

Back 39

Standards
Guidelines
Procedures

Front 40

threat
identification

Back 40

identify threats facing the network

Front 41

risk analysis

Back 41

analyzing the probability that a threat will occur and the severity of the consequences if that
threat does occur

Front 42

risk analysis approches

Back 42

quantitative
qualitative.

Front 43

Risk management:

Back 43

Risk management assumes that not all potential threats can be
eliminated. It attempts to reduce the anticipated damage from risks to an acceptable
level.

Front 44

Risk avoidance

Back 44

Risk avoidance can eliminate the identified risks by not exposing a
system to end users

Front 45

Consider the following elements of a secure network design:

Back 45

Business needs
Risk Analysis
Security Policy
Best Practices
Security Operations

Front 46

Cisco Self-Defending Network Core Characteristics

Back 46

Integrated
Collaborative
Adaptive

Front 47

Integrated

Back 47

Security is built in to the network, as opposed to being added to an
existing network.

Front 48

Collaborative

Back 48

IT personnel focusing on security collaborate with IT personnel
focusing on network operations.

Front 49

Adaptive

Back 49

Security solutions can adapt to evolving threats.

Front 50

IOS Security Features

Back 50

Stateful Firewall
Intrusion Prevention System
VPN Routing and Forwarding-aware
VPN

Front 51

Stateful Firewall

Back 51

The Cisco IOS firewall feature allows an IOS router to perform
stateful inspection of traffic

Front 52

IPS

Back 52

The IOS Intrusion Prevention System (IPS) feature can detect
malicious network traffic inline and stop it before it reaches its
destination.

Front 53

VPN Routing and Forwarding-aware

Back 53

A VRF-aware firewall maintains a separate routing and
forwarding table for each VPN

Front 54

ISR Enhanced Features

Back 54

Integrated VPN acceleration
Dedicated voice hardware
Advanced Integration Modules
USB port

Front 55

Cisco guidelines for selecting a strong router password

Back 55

Select a password that is at least ten characters long
Use a mixture of alphabetic
The password should not be a common word found in a dictionary
Create a policy that dictates how and when passwords are to be changed.

Front 56

To better secure these passwords, con 0, aux 0, vty 0 4

Back 56

service password-encryption

Front 57

To avoid th reset a password using the ROM monitor

Back 57

no service password-recovery

Front 58

Limit how many failures authentication password to avoid brute force attack

Back 58

security authentication failure rate 5 log

Front 59

Default inactivity timer in a router

Back 59

10 minutes

Cisco Recomandation: 3 minutes

Front 60

Inactivity timer command:

Back 60

exec-timeout

Ex.

exec-timeout 2 30

2 minutes 30 seconds

Front 61

n disable the inactivity timer (not recommended)

Back 61

exec-timeout 0 0

Front 62

Cisco supported priviledge levels

Back 62

0 to 15

Front 63

Priviledge level default

Back 63

user mode level 0
after enable level 15

Front 64

Configuring a Privilege Level
(set also enable to level 5)

Back 64

privilege exec level 5 debug
enable secret level 5 passxxxx

Front 65

Cisco IOS Resilient Configuration Steps

Back 65

Step 1: Enable
image resilience
Step 2: Secure the
boot configuration
Step 3: Verify the
security of the
bootset

Front 66

Enable
image resilience

Back 66

secure boot-image

Front 67

Secure the
boot configuration

Back 67

secure boot-config

Front 68

Verify the
security of the
bootset

Back 68

show secure bootset

Front 69

How to protect the routers from virtual connections like telnet, ssh or https

Back 69

Create a delay between repeated login attempts.
Suspend the login process if a denial-of-service (DoS) attack is suspected.
Create syslog messages upon the success and/or failure of a login attempt.

Front 70

login enhancements command

Back 70

login block-for

Front 71

show if SDM is installed

Back 71

show flash

Front 72

AAA

Back 72

Authentication, Authorization, and Accounting

Front 73

Authentication

Back 73

Authentication is the process by which users and administrators prove
that they are who they claim to

Front 74

Authorization

Back 74

After the user or administrator has been authenticated, authorization
services are used to decide which resources he is allowed to access,

Front 75

Accounting and auditing:

Back 75

It is the role of accounting and auditing to
record what the user or administrator actually did with this access, what he accessed,
and how long he accessed it.

Front 76

Cisco provides three ways to implement AAA services for Cisco routers:

Back 76

Cisco Secure ACS Solution Engine
Cisco Secure Access Control Server (ACS) for Windows Server:
Self-contained AAA:

Front 77

Cisco Secure ACS Solution Engine:

Back 77

AAA services on either
the router or network access server (NAS), which acts as a gateway to guard access to
protected resources

Front 78

Cisco Secure Access Control Server (ACS) for Windows Server:

Back 78

AAA services on the
router or NAS contact an external Cisco Secure ACS for Microsoft Windows systems.
You need a separate license for CSA if this is what you want.

Front 79

Self-contained AAA

Back 79

AAA services are self-contained in either a router or NAS.
Implemented in this fashion, this form of authentication is also known as local
authentication.

Front 80

Six steps are required to configure a Cisco router for local authentication:

Back 80

Step 1 Secure access to privileged EXEC mode.
Step 2 Use the aaa new-model command to enable AAA globally on the
perimeter router.
Step 3 Configure AAA authentication lists.
Step 4 Configure AAA authorization for use after the user has passed
authentication.
Step 5 Configure the AAA accounting options.
Step 6 Verify the configuration.

Front 81

aaa authentication (IMPORTANT COMMANDS)

Back 81

learn the following three commands and how to implement them in an AAA environment:
■ The aaa authentication login command
■ The aaa authentication ppp command
■ The aaa authentication enable default command

Front 82

aaa authentication login

Back 82

Use the aaa authentication login global configuration
command to set AAA authentication at login

Front 83

aaa authentication enable default

Back 83

Use the aaa authentication enable default global
configuration command to enable AAA authentication to
determine if a user can access the privileged command level.

Front 84

aaa authentication ppp

Back 84

Use the aaa authentication ppp global configuration
command to specify one or more AAA authentication
methods for use on serial interfaces running PPP.

Front 85

Using the CLI to Troubleshoot AAA for Cisco Routers

Back 85

debug aaa authentication
debug aaa authorization
debug aaa accounting