149 Cards in this Set


What command would you use to verify security zones?

show policy-firewall config zone

What command would you use to verify class-maps?

show policy-firewall config class-map

What command would you use to verify policy-maps?

show policy-firewall config policy-map

What command would you use to verify zone pairs and associated service policies?

show policy-firewall config zone-pair

What command would you use to verify active sessions in the state table?

show policy-firewall session zone-pair

If you make an interface a zone-member but do not have any policy configured, what happens to traffic traversing the router?

ALL traffic is DROPPED

What happens if you remove just ONE interface from a zone-pair with a policy configured?

As this interface is now no longer governed by the ZBPF policy but the other interface is, this typically causes NO TRAFFIC TO PASS

What is INTRA-ZONE traffic?

Traffic WITHIN a zone




ALL traffic is ALLOWED by default



What is INTER-ZONE traffic?

Traffic BETWEEN zones




ALL traffic is DROPPED by default

What is the SELF ZONE?

Responsible for traffic destined TO or INITIATED BY the router itself (management-plane /control-plane traffic)

AAA - if you use the "default" list, what happens?

Using the default list automatically applies it globally, affecting all device access i.e. console, VTY lines, and HTTP/HTTPS




(using a custom list simply creates a list but does not apply it - you have to apply manually to console/VTY lines/HTTP/HTTPS)

When AAA is enabled and left at default, and a remote user connects to the router, what privilege level are they assigned?

They are assigned whatever privilege level is assigned to the VTY lines




(if no privilege level is assigned to the VTY lines they are then assigned their user account privilege level)

If you wanted to perform command authorization and accounting, what protocol would you use?

TACACS+




(Radius cannot do command authorization or accounting because it combines authorization and authentication in ONE session at the same time, and so it is not compatible with the command authorization process)

What protocol is used predominantly for managing Network Access?

RADIUS




(Radius supports the translation of EAPoL packets for authentication and common network access attributes)

What are the 4 Enterprise Architecture Modules as determined by Cisco?

- Enterprise Campus
- Enterprise Edge
- Service Provider Edge
- Remote

What are the 4 goals of Defense in Depth?

1) Network Security


Firewalls, ACLs, & Identity Management


2) Content & Application Security


NGFW, IDS/IPS, Web/Email gateways, Advanced Malware Protection (AMP)


3) Endpoint Security


Antivirus


4) Infrastructure telemetry & monitoring


NTP, SNMPv3, Syslog, Netflow

What is Cisco ISE?

- The core of Cisco's Security Architecture


- Also known as NGN Radius (next gen radius)


- shares info with other security systems


- CENTRALIZED secure network access control

What Cisco product can grant network access based on the system health-state?

Cisco ISE

Which Cisco security products allow employees to register their own device (BYOD) ?

- Cisco ISE


- Enterprise Mobility Management (EMM)*




* EMM was formerly known as Mobile Device Management (MDM)

Regarding BYOD, which Cisco product would you use if you wanted to perform posture assessment on mobile devices?

MDM (now EMM)




MDM/EMM offers more features when it comes to mobile devices such as mobiles/tablets

What is SGT?

Security Group Tag (SGT) is a 16-bit value security tag/label attached to IP packets to identify users and their associated permissions




It is a component of TrustSEC (Trusted Security) and is beneficial as users can access the network via different methods and therefore can have a multitude of ip addresses assigned. With SGT, the permissions are not dependent on IP address

What is MACsec?

MACsec (mac security) is a hop-by-hop line-rate layer 2 encryption




It is a component of TrustSEC (Trusted Security). There is no tunneling of data, just protection.




It is a cheap alternative to IPsec.

What is EAP?

Extensible Authentication Protocol (EAP) is a framework for authentication methods. It defines the many different protocols that can be used to authenticate devices.




i.e. 802.1x defines how EAP is carried over a LAN or WLAN

What is 802.1x?

802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802 (a LAN or WLAN)




It essentially defines how users are authenticated and authorized when connecting to a LAN, whether it be wired/wireless connection

What is RADIUS?

RADIUS is a client/server protocol that runs in the application layer, providing AAA management




RADIUS runs on UDP ports 1645 for Authentication & Authorization and 1646 for Accounting (new ports 1812/1813 respectively)

What is TACACS+ ?

TACACS+ is a protocol that provides AAA management. Unlike RADIUS, TACACS+ encrypts the entire payload as opposed to just the password as with RADIUS.




TACACS+ runs over TCP (port 49) unlike RADIUS which is UDP

What is Security Tag eXchange Protocol? (SXP)

It is a control-plane protocol for SGT to IP mapping propagation.

- It keeps mappings across devices that do not support inline SGT
- Requires P2P connection between SXP "speaker" and SXP "listener".

What is an SGACL? (Security Group Access-Lists)

An SGACL is an access-list defined on Cisco ISE that is downloaded by supported L3 switches to enforce.




It is like a regular ACL only it deals in SGTs instead of IP addresses.

What advantage does MACsec have over IPsec within a LAN? (besides cost)

MACsec performs hop-by-hop encryption which allows the transit devices to be able to see the data.




This allows for Application Layer Inspection whilst still maintaining security.

What is WSA?

WSA stands for "Web Security Appliance" and it is Cisco's Web proxy (HTTP/HTTPS/Native FTP/FTP over HTTP).




2 model types:- Physical, Virtual


2 modes: "Explicit Proxy" (configured on user browser) or "Transparent Proxy" (traffic is redirected to WSA by the DG)



What is CWS?

CWS stands for "Cloud Web Security" and it is Cisco's Cloud Web proxy (HTTP/HTTPS/FTP over HTTP).




It is the cloud version of WSA and can only be deployed in transparent mode with user traffic being redirected to the cloud via "connectors" (AnyConnect CWS Module/ASA/WSA)

What is ESA?

E-mail Security Appliance is Cisco's SMTP gateway




ESA is the physical on-premises version and it can only be deployed in explicit mode (cannot be a transparent SMTP gateway)

What is CES?

Cloud E-mail Security (CES) is the cloud version of ESA (Email Security Appliance)

What is IPS?

Intrusion Prevention System is a security appliance that sits in-line and performs deep-packet inspection.




It can detect, and prevent attacks as well as produce alerts. Additional IPS actions are:-




drop, block, reset or shun.

What is IDS?

Intrusion Detection System is a security appliance that sits out-of-band and performs deep-packet inspection.




It can detect attacks and produce alerts but it cannot prevent attacks.

What is a True Positive?

A True Positive is when MALICIOUS traffic is detected, a signature is matched, and an alarm IS raised




This is desired behavior.

What is a True Negative?

A True Negative is when NORMAL traffic is detected, signature is NOT matched, and an alarm is NOT fired.




This is desired behavior.

What is a False Positive?

A False Positive is when NORMAL traffic is detected, a signature is matched, and an alarm is fired.




This is not desired behavior.

What is a False Negative?

A False Negative is when MALICIOUS traffic is detected, a signature is NOT matched, and an alarm is NOT fired.




This is not desired behavior.

What is a Vulnerability?

A System or design weakness that can be exploited

What is an Exploit?

A mechanism or tool used to take advantage of a vulnerability




i.e. software/a sequence of commands to break the system or gain access etc.

What is a Threat?

An event or circumstance that can cause damage to a system.




i.e. malware/trojan/virus/worm, phishing/social engineering, fire/water/earthquake etc.

What is a Risk?

The probability of a threat or event




You cannot secure everything 100%, so the parts of the network that are not secured (typically cost related) are called "Residual Risk" or "Accepted Risk"

What is the main difference between IPS and NGIPS?

It adds "contextual awareness" to a regular IPS




It also protects against the full attack continuum via added features

What systems can FirePOWER manage?

- NGFW / NGIPS


- ASA with FirePOWER services


- FirePOWER Threat Defense for ISR


- Advanced Malware Protection (AMP)

What is heuristic analysis?

Heuristic Analysis is a method employed by antivirus software whereby it executes the programming commands of a questionable program or script within a virtual machine to test it




Another method of HA is for the AV program to decompile the suspicious program, then analyze the source code.

What capabilities does the AnyConnect 802.1x supplicant offer?

- EAP-FAST


- EAP-Chaining


- Allows a single NIC to be active on the endpoint

In the absence of ISE, how can we perform posture/health check on remote devices connecting via VPN?

AnyConnect ASA Posture module

How can we perform posture/health check on remote devices (in the absence of MDM/EEM)

AnyConnect ISE Posture module




(not dependent on connection type like AC ASA Posture module)

How can we protect end users against malware and viruses?

Advanced Malware Protection (AMP)




(via AnyConnect AMP Enabler module)

How does AMP protect against unknown stealth malware?

via continuous analysis




(AMP offers File Trajectory and Device Trajectory also to monitor where malicious files were seen on the network and what the files did)

What is Cisco TALOS?

TALOS is essentially "Big Data Analytics" purely for the scope of Threat Defense.




AKA "Cisco Collective Security Intelligence Cloud"




(a huge team of dedicated engineers that constantly monitor the internet and various resources for new Malware)




(Also where Cisco store the detection and analytics engines/signatures)

What is MDM?

Mobile Device Management (MDM) is the system which allows the configuration and enforcement of health/security compliance policies for mobile devices




(preferred over ISE for the management of mobile devices)

What attack is hashing (MD5/SHA) most susceptible to?

Collision Attacks




(attackers take advantage of a collision whereby different data inputs can actually produce the same hash output)

What is HMAC?

Keyed Hash Message Authentication Code (HMAC) is a variation of hashing that protects against MiTM attacks by adding a secret key to the hash input.




Regular hash just hashes the data packet and so an attacker could intercept the traffic, amend the packet and rehash, then forward onto the recipient.

What are some commonly used asymmetric algorithms?

- RSA


- DSA


- DH


- ECC*




* Elliptic Curve Cryptography (ECDH, ECDSA)

What is the primary advantage of ECC over standard asymmetric encryption?

The primary advantage of ECC based cryptography is reduced key size and, therefore, speed.

What is the main scope of PKI?

The main scope of Public Key Infrastructure is to address the lack of authentication in asymmetric encryption




e.g. when exchanging keys, there is no way to verify that the public key received belongs to the intended peer

What is a digital certificate?

A digital certificate is an electronic document used to prove ownership of a public-key.

(also known as a public-key certificate or identity certificate)




It includes the owner's public key, information about the owner's identity, and is 'signed' (encrypted) using the CA's private key.




Its scope is to provide authentication for asymmetric encryption.

What is a Certificate Authority and what is its scope?

A CA's main scope is to generate, issue, and validate digital certificates as part of the Public Key Infrastructure (PKI)

How does a digital certificate work in regards to authentication?

The digital certificate contains information on the identity of the sender (i.e. CA), as well as the sender's public key. The certificate is then encrypted ("signed") using the sender's private key.




Upon receipt, the recipient then uses the attached public key to decrypt the certificate which, if it works, then confirms that the public key received is that of the CA.

What are the steps of obtaining a digital certificate from a CA as per PKI?

1) The CA generates a private-public key pair


2) The applicant requests the CA's ("CA Authentication") certificate


3) The CA creates a self-signed certificate, then computes a hash of it, and encrypts the hash ("signs" it) before sending it to applicant


4) The applicant then uses the attached public key to decrypt the hash, compute its own hash and compare it in order to prove integrity and origin, this confirms the identity of the CA.


5) The applicant then generates its own key pair, and creates a CSR (certificate signing request) and "signs" (encrypts a hash of the data) the CSR with its private key before sending it to the CA.


6) Upon receipt, the CA then uses the attached public key to decrypt the hash, then it computes a hash of the data itself and compares the hash with the decrypted hash of the CSR, which if it matches, then proves the origin of the CSR and proves that the public key belongs to the applicant.


7) The CA then compares the identity details in the CSR with the identity of the applicant and if it matches, the CA then issues an identity certificate, signing it with its private key for validation.


8) The applicant receives the digital certificate and stores it

What is a CSR?

A CSR (Certificate Signing Request) contains information such as the organisation's name, domain name, and location, and is submitted to a CA. The information in the CSR is then used by the CA to verify and create an SSL certificate, which acts to digitally bind the organisation's details to its public key.




When an SSL certificate is installed on a web server, it activates the https protocol and allows secure connections from a web server to a browser e.g. paypal.com

In regards to PKI; to provide integrity, which key would you use and how?

To provide integrity the sender computes a hash of the data and then encrypts the hash with their PRIVATE-KEY, essentially "signing" the data.




The recipient can then use the public key of the sender to decrypt the hash, then compute a hash of the data itself, and then compare it with the decrypted hash. If the hash is the same then it confirms the data has not been altered and also proves its origin.

In regards to PKI; to provide confidentiality, which key would you use and how?

To provide confidentiality, the sender encrypts data with the recipient's PUBLIC-KEY.




Upon receipt, the recipient can then use their private-key to decrypt the message (the private key will have been exchanged previously)

What show command would you use to verify if the NTP server is sane?

show ntp associations detail

What is Private VLAN Edge?

Private VLAN Edge blocks ALL traffic between configured ports of a switch




- Does not function across switches


- All traffic between protected ports are BLOCKED


- All traffic between protected and non-protected ports is ALLOWED

What command would you use to isolate switchports in the same vlan from one another?

SW1(config-if)#switchport protected

Which command would you use to verify a private vlan edge port?

show interfaces switchport

What is a Private VLAN? Explain about it...

A Private VLAN allows for Layer 2 isolation between ports within the same vlan. It uses "sub-VLANS" within the Primary VLAN.




There are 2 types of secondary VLANs:-




- Community (communicates with members of same community vlan & promiscuous ports)


- Isolated (can only communicate with promiscuous ports)

What consideration must be made regarding VTP and Private VLANs?

The switch MUST be in VTP Transparent mode for private vlans to work.




- private vlans are NOT replicated by VTP.

What type of Private VLAN do promiscuous ports reside in?

Promiscuous ports should be the only ports in the Primary VLAN




(All hosts are part of the Primary VLAN by extension but no hosts are actually in the Private VLAN)

What is CoPP?

Control-Plane Policing (CoPP) is a feature that limits the control-plane packets from overwhelming the router's CPU.




It is not typically implemented as it requires A LOT of testing. It uses Modular QoS CLI (MQC) syntax (like ZBF and QoS)

What is CPPr?

Control-Plane Protection (CPPr) is like an advanced version of CoPP




Control-plane is separated into 3 sub-planes:-


1. Host (SSH, SNMP, EIGRP, BGP, tunnel terminated on router)


2. Transit (Traffic transiting the router which cannot be CEF-switched)


3. CEF-exception (Traffic that is usually CEF-switched but is an exception such as packet fragmentation OR traffic that is handled directly by the interface driver:- non-IP traffic such as ARP, CDP, LLDP and IP traffic such as LDP, OSPF)

What is MPP?

Management-Plane Protection (MPP) is an embedded feature within CPPr Host Sub-Plane.




It allows the router to control on which physical interfaces it can receive inbound management traffic

What command would you use to control which interface management traffic can be received on?

R1(config)#control-plane host


R1(config-cp-host)#management-interface GigabitEthernet 0/0 allow ssh telnet

In regards to CIA, explain Confidentiality

Ensure only AUTHORIZED users have access to network resources.

In regards to CIA, explain Integrity

Ensure data is INTACT and has not been altered or tampered with in any way

In regards to CIA, explain Availability

Ensure that data and resources are available whenever needed

Name some common network attacks

- Phishing Attacks


- DoS/DDoS Attacks


- Spoofing Attacks


- Reflection Attack


- Amplification Attack


- Password Attacks


- Reconnaissance Attacks


- Buffer Overflow Attacks


- MiTM Attacks

Explain what a Phishing Attack is?

Phishing attacks are a form of social engineering whereby the attacker manipulates a user into providing access/information.




- E-mail


- Pharming (based on DNS)


- Vishing (via phone calls)


- Smishing (via SMS)

Explain what a DoS/DDoS Attack is?

DoS/DDoS attacks work by maxing out the control plane of a device.




- Ping of death (sends lots of ICMP packets to crash a network device/resource)


- TCP SYN flood (sends lots of TCP SYN packets to consume all tcp sessions and therefore deny service to legitimate users)




DoS = single source


DDoS = multiple sources (via botnets)

Explain what a Spoofing Attack is?

Spoofing is when an attacker claims another identity. It is technically a MiTM attack and comes in the following forms.




- MAC/ARP spoofing (possible only when attacker is on LAN)


- IP spoofing


- DHCP spoofing


- DNS Spoofing

Explain what a Reflection Attack is?

A Reflection Attack is a type of DoS attack that makes use of IP Source Address Spoofing




1. The attacker spoofs the victims ip address


2. The attacker then initiates a large amount of requests with the spoofed source


3. Session responders will reply to the victim, flooding it with packets and causing a DoS

Explain what an Amplification Attack is?

An Amplification Attack is the exact same as a Reflection attack only it initiates a large amount of small request packets to a service with the spoofed source in order to trigger a large reply causing a bandwidth DDoS for the victim.

Explain what a Dictionary Attack is?

A Dictionary Attack exploits common passwords or password algorithms to "guess" a password.

Explain what a Brute-Force Attack is?

A Brute-force attack exploits short-length, weak passwords, and algorithm vulnerabilities.




Essentially trying a series of weak passwords until one works. This attack typically employs software to achieve its goal.

Explain what a Reconnaissance Attack is?

This is when an attacker discreetly accesses the network and discovers information in preparation for another attack.




Ø Navigate the network and learn the topology


Ø Identify which hosts are running at what times


Ø Identify what services are running and on what




Common methods employ a combination of CDP, ICMP, and port/ip/application scanners.

Explain what a Buffer Overflow Attack is?

Typically launched after a Reconnaissance Attack, the attacker sends a large payload to a service, overloading the buffer and taking the service out of commission temporarily

What is a MiTM Attack?

A “Man in The Middle” attack requires the attacker to be in the line of transit.




It uses various spoofing methods in order to get "in the middle" i.e. attacker sends a gratuitous arp to the victim announcing itself as the DG. The attacker can then isolate the victim or monitor its traffic undetected.

Explain what a MiTB Attack is?

Man in The Browser attacks are facilitated by Malicious code installed on the victims browser that sends a copy of all the victims traffic to the attacker.




This attack doesn’t require the attacker to be in the line of transit.



What is a Virus?

A specific type of malware that spreads itself once it has initially been run.




It’s different from other malware because it can behave like a parasite and spread and infect everywhere by attaching to files on your machine.


What is a Worm?

Worms are a type of self-contained virus that searches out other machines to infect and spreads across the network.




They do not need to attach to files like a virus as they can move around on their own. Think of it like a smart virus.

What is a Trojan Horse?

Much like a Trojan Horse (large wooden horse filled with soldiers armed with spears) this is a virus that attaches itself to a file or application so that when you run it, it unleashes the virus i.e. infected pdfs, infected .exe files etc.

What is an Advanced Persistent Threat?

An APT is a set of very specific hacking processes or attacks with a specific target that are very discreet.




They operate stealthily and can lie dormant for a long time before becoming active. The scope is to evade detection and keep running. They typically take advantage of zero-day vulnerabilities.

What is a Script Kiddie?

Script Kiddies refer to “hacking tools” which take the knowledge and experience out of hacking making it easy for anyone to make use of them and become a hacker




e.g. Kali Linux (a linux distribution with built-in hacking tools).

What is "Malware as a Service"?

Malware as a Service is a service whereby you provide the details i.e.victim/target, access details, type of attack etc and they will “build” a bespoke hacking tool for you to use.




Some even offer support services to maintain the hacking tools.

Why would we configure authentication for routing protocols?

To defend against spoofing attacks

What size is an MD5 hash value?

128-bit

What size is a SHA-1 hash value?

160-bit

What size hash values does SHA-2 support?

224-bit


256-bit


384-bit


512-bit

What command would you use to ascertain OSPF authentication is active?

sh ip ospf interface

What command would you use to ascertain EIGRP authentication is active?

sh ip eigrp interface detail

What command would you use to ascertain if ntp is authenticated?

show ntp associations detail

What pre-requisites are required to run SCP on a Cisco IOS router?

- AAA Authentication and Authorization enabled AND configured


- SSH enabled


- RSA key-pair needs to be generated (for SSH)



What command enables SCP on Cisco IOS routers?

ip scp server enable




example config:




aaa new-model


aaa authentication login default local


aaa authorization exec default local


crypto key generate rsa


ip scp server enable

Explain what a DHCP starvation Attack is?

A DHCP starvation attack is when an attacker sends a flurry of DHCP requests to a DHCP server from spoofed hosts, essentially draining all of the leases so no real hosts can obtain an address.




It is typically used to facilitate a MiTM Attack but can also be used to isolate a victim. To facilitate a MiTM Attack, the attacker also deploys a spoofed dhcp server to then issue dhcp leases announcing themselves as the DG.

How can we protect against DHCP starvation attacks?

1) Port Security


2) DHCP Snooping


3) Manual DHCP Snooping*




*DHCP requests use UDP port 67 and DHCP reply uses UDP port 68 so you can make use of a VACL or PACL to only allow traffic on UDP 67 & 68 from your DHCP server.




What is DHCP Snooping?

DHCP Snooping is a L2 switching feature to protect against DHCP spoofing.




DHCP Snooping works by listening and intercepting DHCP traffic between client and server and then builds an IP to MAC mapping on a per interface basis (DHCP snooping table).




Legitimate DHCP servers are validated by making their connecting interface a "trusted port". DHCP traffic is not inspected on trusted ports.

Why is port security not enough to protect against DHCP Starvation Attacks?

Because most DHCP implementations don’t actually use client source mac address but use the DHCP Client-identifier inside the DHCP request payload.




The attacker can use 1 mac address and change the DHCP client-identifier across packets.

Explain what an ARP Spoofing Attack is?

An ARP Spoofing attack is when an attacker sends a gratuitous arp out on the network advertising itself with the mac address of the DG. Victims then send traffic to DG but it actually goes to attacker.




The attacker can then forward the traffic onto the real DG and the victim never knows their traffic is being intercepted.

How can we protect against ARP Spoofing Attacks?

DAI




Dynamic Arp Inspection uses the DHCP Snooping table (requires DHCP snooping to be configured) to verify correct mac addresses.

What commands do you need to configure DHCP Snooping?

SW1(config)#ip dhcp snooping


SW1(config)#ip dhcp snooping vlan 10




SW1(config)#int fa0/20


SW1(config-if)#ip dhcp snooping trust




If the DHCP server is in the same VLAN as the DHCP clients, disable option 82 injection by the switch




SW1(config)#no ip dhcp snooping information option

What commands do you need to verify DHCP snooping?

SW1#show ip dhcp snooping




SW1#show ip dhcp snooping binding

What commands do you need to configure DAI?

SW1(config)#ip arp inspection vlan 10




For interfaces connected to the DHCP Server:-




SW1(config)#int fa0/10


SW1(config-if)#ip arp inspection trust

What commands do you need to verify DAI?

show ip arp inspection

What shortcoming of symmetric encryption does asymmetric encryption address?

The need for a pre-shared secret

In regards to Cisco's Authentication Servers, which server is mostly used with RADIUS and which one is mostly used with TACACS+ ?

Access Control System (ACS) is mostly used for TACACS+




Identity Services Engine (ISE) is mostly used for RADIUS

How do you enable root view?

R1#enable view




Enter in user or exec mode.




You then need to enter the enable secret/password




* AAA is required to access root view

In regards to role-based CLI access, how do you configure a view?

Router(config)# parser view


Router(config-view)# secret


Router(config-view)# command exec include show version


Router(config-view)# command exec include configure terminal


Router(config-view)# command exec include all show ip


Router(config-view)# exit




This creates a parser view that allows the following commands:-




- show version


- configure terminal


- show ip

What prerequisites are required to enable root view?

1) You must have AAA configured (aaa new-model)


2) You must have an enable password/secret configured

What prerequisites are required to configure a view in IOS?

You must be in root view




to access root view, you first need AAA and the enable password/secret configured.




You must then enter the command (from user or exec mode):-




R1>enable view

What commands are required to implement IOS Resilient Configuration?

R1(config)#secure boot-image


R1(config)#secure boot-config




- secure boot-image backs up the IOS


- secure boot-config backs up the running config

What command do you use to verify if IOS Resilient Configuration is in effect?

R1# show secure bootset

How do you restore a config using IOS Resilient Configuration?

rommon 1 > dir slot0:


rommon 2 > boot slot0:c3745-js2-mz




exit out of --- System Configuration Dialog ---




Router(config)# secure boot-config restore slot0:rescue-cfg


Router(config)# end


Router# copy slot0:rescue-cfg running-config

What command do you use to test AAA authentication?

R1#test aaa group legacy

What is MPF and what is its function?

Modular Policy Framework (MPF) is used in ASA to perform:-




- L3/L4 Inspection


- DPI


- Advanced TCP inspection


- QoS


- redirects traffic to the IPS/Sourcefire/Firepower module

What is Nat Traversal (NAT-T) and how does it work?

NAT-T is a feature that allows IKE/IPsec traffic to traverse a PAT device.




ESP packets cannot traverse a PAT device because they do not have a port to be translated, so NAT-T works by encapsulating the ESP packet in a UDP packet with a source and dest port of 4500.



When a packet with source & dest port of 4500 is sent through a PAT device, the PAT device will change the source port from 4500 to a random high port, while keeping the destination port of 4500. This allows multiple IPsec clients through, i.e. host A will be assigned a source port of say 600 by the PAT device, whereas host B will be assigned a source of 601 etc and so on.

Explain VLAN hopping

VLAN hopping is when an attacker traverses vlans without going via a L3 device.




This is achieved in 2 ways:-




1) The attacker directly forms a trunk with the switch using DTP


2) The attacker manipulates vlan tags to double tag packets with 2 vlan tags (outer tag acts as "padding" and inside is the vlan of the victim)




Attacker must be on the Ethernet network to do this.

What commands are required to configure Private VLANs?

SW1(config)#vtp mode transparent




SW1(config)#vlan 20


SW1(config-vlan)#private-vlan isolated




SW1(config)#vlan 30


SW1(config-vlan)#private-vlan community




SW1(config)#vlan 10


SW1(config-vlan)#private-vlan primary


SW1(config-vlan)#private-vlan association 20,30




SW1(config)#interface fa0/10


SW1(config-if)#switchport mode private-vlan host


SW1(config-if)#switchport private-vlan host-association 10 20




SW1(config)#interface fa0/11


SW1(config-if)#switchport mode private-vlan host


SW1(config-if)#switchport private-vlan host-association 10 30




SW1(config)#interface fa0/20


SW1(config-if)#switchport mode private-vlan promiscuous


SW1(config-if)#switchport private-vlan mapping 10 20,30

Explain about BPDU Guard and Root Guard

Root Guard is applied on designated (downstream facing) interfaces, typically on the root bridge, to protect against superior BPDUs being received from other switches. The offending interface is put into root-inconsistent state upon receiving a superior BPDU and recovers automatically once the superior BPDUs stop arriving.




BPDU Guard* is applied on host facing (PortFast) interfaces to protect against ANY BPDU being received from an attacker or a rogue switch, superior or not. The offending interface is put into err-disabled state upon receiving a BPDU and stays there until it is bounced manually (shutdown / no shutdown) or errdisable recovery is configured.




* BPDU Guard enabled globally (spanning-tree portfast bpduguard default) only takes effect on PortFast-enabled ports; enabled per interface (spanning-tree bpduguard enable) it works regardless of PortFast.

How do you configure and verify BPDU Guard?

SW1(config)#int fa0/10


SW1(config-if)#spanning-tree bpduguard enable






SW1#show spanning-tree summary

How do you configure and verify STP Root Guard?

SW1(config)#int fa0/10


SW1(config-if)#spanning-tree guard root




SW1#show spanning-tree interface fa0/10 detail

In regards to IPS, what are the 4 additional actions and what do they do?

Drop - drops the offending packet (and, depending on configuration, the rest of the connection)


Block - blocks the source IP (the attacker) for a configurable period


Reset - sends TCP resets to both ends to tear down the session


Shun - signals another device in the network (e.g. an ASA or router) to block the traffic on the sensor's behalf

Where would you place an IDS/IPS solution in your network?

AFTER the firewall (i.e. closer to the interior or private network)




Because the IDS/IPS device is doing DPI, which is computationally expensive, we want to limit the load to only legitimate traffic.

In regards to a clientless SSL VPN, how does the connected user access network resources?

With a clientless SSL VPN connection, the firewall acts as a proxy.




Network resources have to be specified via http/https bookmarks or ASA plugins for things like RDP

Regarding PSK's for Site-to-Site IPsec VPNs, what is the difference between IOS and ASA?

In IOS the PSK is configured globally




In ASA you have to:-




1) Enable ISAKMP/IKE on the VPN terminating interface


2) Configure a tunnel-group/connection profile of type L2L


3) Specify the PSK to be used

IOS & ASA IPsec VPN verification commands comparison

IOS


- show crypto isakmp sa


- show crypto ipsec sa


- show crypto session detail




ASA


- show crypto ikev1 sa


- show crypto ipsec sa


- show vpn-sessiondb detail l2l

IOS & ASA IPsec VPN PHASE 1 configuration commands comparison

ASA


crypto ikev1 enable OUTSIDE


crypto ikev1 policy 1


hash md5


auth pre


group 2


encr 3des




tunnel-group 80.15.221.36 type ipsec-l2l


tunnel-group 80.15.221.36 ipsec-attributes


ikev1 pre-shared-key cisco




IOS


crypto isakmp policy 1


hash md5


auth pre


group 2


encr 3des




crypto isakmp key cisco address 80.15.221.36




(hash md5 / encr 3des / group 2 are shown only because they are short to type; they are legacy algorithms, and a new deployment should use SHA-2, AES and DH group 14 or higher on both platforms, with a PSK far stronger than "cisco")

IOS & ASA IPsec VPN PHASE 2 configuration commands comparison

ASA


crypto ipsec ikev1 transform-set TSET_R1-R3 esp-aes-256 esp-sha-hmac




access-list VPN extended permit ip 172.16.50.0 255.255.255.0 192.168.1.0 255.255.255.0




crypto map CMAP 1 match address VPN


crypto map CMAP 1 set peer 20.20.20.20


crypto map CMAP 1 set ikev1 transform-set TSET_R1-R3


crypto map CMAP interface OUTSIDE




IOS


crypto ipsec transform-set TSET_R1-R3 esp-aes-256 esp-sha-hmac




ip access-list extended VPN_ACL


permit ip 192.168.1.0 0.0.0.255 172.16.50.0 0.0.0.255




crypto map CMAP 1 ipsec-isakmp


set peer 10.10.10.10


set transform-set TSET_R1-R3


match address VPN_ACL




interface Gi0/0


crypto map CMAP
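The two most common reasons a Phase 2 negotiation fails between an ASA and an IOS router are crypto ACLs that are not exact mirror images (ASA uses subnet masks, IOS uses wildcard masks, so they are easy to get subtly wrong) and a crypto map that references a transform set under a different name than the one defined. As an added example, not part of the flashcard set, the Python below parses configs shaped like the two snippets above and checks both. The configs are constructed for the demo; the ASA one deliberately references a transform set called TSET that is never defined so that the check has something to catch.

```python
import ipaddress
import re

# Constructed configs shaped like the page's Phase 2 example, not device output.
ASA_CFG = """
crypto ipsec ikev1 transform-set TSET_R1-R3 esp-aes-256 esp-sha-hmac
access-list VPN extended permit ip 172.16.50.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map CMAP 1 match address VPN
crypto map CMAP 1 set peer 20.20.20.20
crypto map CMAP 1 set ikev1 transform-set TSET
crypto map CMAP interface OUTSIDE
"""

IOS_CFG = """
crypto ipsec transform-set TSET_R1-R3 esp-aes-256 esp-sha-hmac
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 172.16.50.0 0.0.0.255
crypto map CMAP 1 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set TSET_R1-R3
 match address VPN_ACL
"""

ASA_ACE = re.compile(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)")
IOS_ACE = re.compile(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
TSET_DEF = re.compile(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)")
TSET_REF = re.compile(r"set (?:ikev1 )?transform-set (\S+)")


def _mask_net(addr, mask):
    """ASA style: address + subnet mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _wild_net(addr, wildcard):
    """IOS style: address + wildcard mask (inverted netmask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def crypto_acl(cfg, pattern, wildcard):
    """Return [(src_net, dst_net)] for every permit ACE the pattern finds."""
    conv = _wild_net if wildcard else _mask_net
    return [(conv(src, sm), conv(dst, dm)) for src, sm, dst, dm in pattern.findall(cfg)]


def transform_sets(cfg):
    """name -> frozenset of algorithm keywords."""
    return {name: frozenset(algs.split()) for name, algs in TSET_DEF.findall(cfg)}


def check_phase2(asa_cfg, ios_cfg):
    asa_acl = crypto_acl(asa_cfg, ASA_ACE, wildcard=False)
    ios_acl = crypto_acl(ios_cfg, IOS_ACE, wildcard=True)
    # Proxy IDs must be exact mirror images: ASA (src, dst) == IOS (dst, src)
    mirrored = sorted((d, s) for s, d in asa_acl) == sorted(ios_acl)
    asa_ts, ios_ts = transform_sets(asa_cfg), transform_sets(ios_cfg)
    return {
        "acl_mirrored": mirrored,
        # the peers need at least one transform set with identical algorithms
        "transform_match": bool(set(asa_ts.values()) & set(ios_ts.values())),
        # crypto map references that point at a name that was never defined
        "asa_missing_tsets": sorted(set(TSET_REF.findall(asa_cfg)) - set(asa_ts)),
        "ios_missing_tsets": sorted(set(TSET_REF.findall(ios_cfg)) - set(ios_ts)),
    }


if __name__ == "__main__":
    for k, v in check_phase2(ASA_CFG, IOS_CFG).items():
        print(f"{k}: {v}")
```

Run against the constructed configs it reports the ACLs as mirrored and the algorithms as matching, but flags TSET on the ASA as undefined, which is the kind of mismatch that shows up as a Phase 1 SA with no Phase 2 SA in show crypto ipsec sa.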

How many crypto maps can you have assigned to one interface?

1




You can only have ONE crypto map applied to an interface, but that one crypto map can hold many entries (sequence numbers), typically one per peer, so several tunnels can still terminate on the same interface.

Explain the NAT terms Inside/outside local/global

In What order does the ASA process NAT types?

1) Twice-NAT (manual NAT), in the order the rules are configured


2) Object-NAT (auto NAT), static rules before dynamic rules


3) After-Auto Twice NAT (manual NAT again, configured with the after-auto keyword so it is only checked after object NAT)




First match wins, so a broad manual NAT rule in section 1 will shadow more specific object NAT rules.

What is Dynamic NAT?

When you configure source or destination NAT to or from a pool of addresses as opposed to a one-to-one static mapping. A host is given a mapped address from the pool when it starts a connection and releases it afterwards, so outside hosts cannot initiate connections to a dynamically translated inside host.

What is Policy NAT?

When you configure twice-NAT conditionally on other fields of the packet, i.e. translate the source ONLY if the destination is 10.10.10.12 /32

When configuring an ACL for NAT traffic, which address do you reference in the ACL? The untranslated traffic or the translated traffic?

Translated traffic, i.e. the address as it appears AFTER the inbound translation has been applied: on ASA 8.3 and later this is the real (inside) address, never the mapped public address.




Traffic received INBOUND is translated BEFORE it hits the ACL.




OUTSIDE ----> NAT --> ACL --> INSIDE




(This is ASA 8.3+ behaviour. On IOS the inbound ACL is evaluated before outside-to-inside NAT, so there you match the address as it arrived on the wire.)

In regards to ASA, what is the difference between ROUTED mode and TRANSPARENT mode?

In ROUTED mode, the ASA acts as a L3 device with its interfaces belonging to different subnets. It is typically the DG for the subnet on each of its connected interfaces.




In TRANSPARENT mode, the ASA acts as an invisible L2 device and simply bridges its interfaces.

In regards to ASA, how does transparent mode work?

In TRANSPARENT mode, the ASA acts as an invisible L2 device and simply bridges its interfaces.




It sits inline in a subnet/VLAN between the hosts and the DG; the hosts keep their existing addressing and the ASA has no routable interface IP of its own. It has a Bridge Virtual Interface (BVI) IP address in that subnet for management.

Explain the modes of High Availability for ASA

ACTIVE-STANDBY


- only 1 ASA active at a time with one on standby


- the config is replicated to the standby continuously and, with stateful failover, so is the session state table, so when the active fails the standby takes over without dropping established sessions


- works in single or multiple context mode




ACTIVE-ACTIVE


- 2 identical ASAs, both active


- requires multi-context mode


- load-balances contexts (grouped into failover groups) between the two units


- it is active-standby mode WITHIN each context/failover group, so no single context ever gets more than one ASA's throughput




CLUSTERING


- A group of ASAs clustered into one logical unit


- Can cluster up to 16 ASAs (depends on model and code)


- Used for increased performance


- remaining ASAs pick up slack from failed units