Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
225 Cards in this Set
- Front
- Back
- 3rd side (hint)
|
Question |
Answer
|
|
|
|
What port is FTP
|
20, 21
|
|
|
|
What port is SSH
|
22
|
|
|
|
What are the firewall security levels? What level is most trustworthy?
|
1-100 --> Higher is more trusting
|
|
|
|
How does traffic flow between zones?
|
Traffic is allowed from a higher to a lower zone. Traffic is inspeted if it is from a less trustworthy zone to a higher zone. It is denied by default
|
|
|
|
How do you show IKE phase 1?
|
• Show crypto ISAKMP SA
|
|
|
|
How do you show IKE phase 2?
|
• Show crypto ipsec SA
|
|
|
|
What are the three port security modes?
|
" ? Shutdown § Puts the interface into the error-disabled state immediately and sends an SNMP trap notification
? Restrict § Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the Security Violation counter to increment. ? Protect § Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value." |
|
|
|
Where does a router save MAC addresses in port security?
|
MAC Addresses are saved to the running config
|
|
|
|
What port is HTTPS?
|
443
|
|
|
|
How do you enable spanning tree root guard?
|
Spanning-tree guard root
|
|
|
|
What key excahnge mode is used in IPSec?
|
Diffie-Hellman
|
|
|
|
What's the difference between a named method list and a default method list?
|
Named must be applied to an interface
|
|
|
|
How do you stop switchport negoiatation?
|
switchport nonnegotiate
|
|
|
|
"In a Cisco IPS, what must a signature be before any actions can be taken on it?"
|
"Enabled, unretired, and successfully compiled"
|
|
|
|
What is the most efficient logging method for Cisco routers and switches?
|
Internal buffer
|
|
|
|
What ACL types does IPv6 support?
|
Only named
|
|
|
|
What action can a ZBFW take?
|
"Drop, Pass, Inspect, and Content Filter"
|
|
|
|
What port is Telnet
|
23
|
|
|
|
What port is SMTP
|
25
|
|
|
|
What port is TACACS
|
49
|
|
|
|
What port is DNS
|
53
|
|
|
|
What port is DHCP
|
67
|
|
|
|
What port is TFTP
|
69
|
|
|
|
What port is POP3
|
110
|
|
|
|
What port is NTP
|
123
|
|
|
|
What port is SNMP
|
161, 162
|
|
|
|
What port is RADIUS
|
1812, 1645 (Authentication)
1813, 1646 (Accounting) |
|
|
|
What is Hardening a system
|
Remove known system vulnerabilities by upgrading, patching and disabling unneeded applications and services
|
|
|
|
What is a Bastion Host
|
A host which is placed in a vulnerable position such as a PC running a firewall. It is therefore expected to be hardened.
|
|
|
|
What is a Blended Threat
|
An attacker uses multiple means of propagation such as viruses with worm like capabilities.
|
|
|
|
What is a Rainbow Tables
|
A list of plain text strings and the corresponding (ND5 / SHA) hash. This allows an attacker to quickly find plaintext which would generate the required hash even though the plaintext would more than likely differ from the original hashed text.
|
|
|
|
What is a Password salting
|
One or more bits are changed in a password, the avalanche effect will result in a completely different hash reducing the risk of cracking using rainbow tables.
|
|
|
|
What is an IP Directed broadcast
|
An IP packet whose destination address is a valid broadcast address for some IP subnet which originates from a node that is not itself part of that destination subnet
|
|
|
|
What is SDM?
|
Security Device Manager (SDM) – A java/web based tool to configure and manage standalone routers
|
|
|
|
What is MARS?
|
Cisco Security Monitoring, Analyses and Response System (MARS) – Appliance based reporting and logging solution to correlate network events from all devices to identify threats. It is able to notify and reconfigure networks to reduce the impact of the threat. Risk of False positives is reduced as MARS correlates data from multiple sources.
|
|
|
|
What is IEV?
|
Cisco IDS Event Viewer (IEV) – Java based no cost solution for viewing and managing up to five IPS/IDS sensors. IEV supports SDEE communication with the sensor. IEV is currently being replaced with the Cisco IPS Express Manager (IME).
|
|
|
|
What is CSM?
|
Cisco Security Manager – A powerful GUI management platform to manage a Cisco based network containing up to thousands of devices. CSM is capable of managing many Cisco devices (ASA, HIPS, VPN etc).
|
|
|
|
What are the goals for IT security?
|
Confidentiality, integrity, availability
|
|
|
|
To prosecute an attacker what must be established?
|
Motive, opportunity, means
|
|
|
|
What should a security policy contain?
|
Standards, guidelines, and procedures
|
|
|
|
What are the steps of the system development life cycle?
|
Initiation, Acquisition and development, implementation, operations and maintenance, disposition
|
|
|
|
What is a black hat?
|
Profit financially from hacking
|
|
|
|
What is a white hack?
|
A network security tester
|
|
|
|
What is a grey hat?
|
Combination of white and black
|
|
|
|
What are five attack types?
|
Reconnaissance, access attacks, denial of service, social engineering, privilege escalation
|
|
|
|
What are five categories of attacks?
|
Passive - Gather information and recon
Active - Actively trying to break into a system to leave a payload Close-in - External person manages to get physically connected to inside of network Insider - Employee attack Distribution - Back door into a system for future access |
|
|
|
What are 6 layer 2 attacks?
|
Packet capture / Reconnaissance, Denial of Service, VLAN hopping (Double tagging - setting 2 VLAN tags, Rogue switch - creating a trunk port between a new switch), STP root bridge, MAC spoofing
|
|
|
|
What is a gratuitous ARP attack?
|
gratuitous ARP message is typically sent out when an IP Address or MAC address changes. This forces all connected devices to update their tables to reflect the changes. Typically used a fail over situations such as server clustering, if the active server / LAN card fails a gratuitous ARP message is sent out to inform all clients of the new MAC address of the new active server / LAN card. This can be exploited for example if a rogue hosts sent a gratuitous ARP packet out replacing the MAC address of the default gateways IP address, all traffic destined for a gateway could be sent to the host instead. This can be mitigated using dynamic ARP inspection.
|
|
|
|
What is a man in the middle attack?
|
A rogue DHCP server is introduced into the network which could give out incorrect DNS and default router IP addresses. The incorrect address could result in network traffic passing through the attacking host in an attempt to gain confidential data / password etc. DHCP Snooping will remove the risk of unauthorised DHCP servers.
|
|
|
|
What are five types of DOS attacks?
|
Ping of death, ping flood, SMURF, DHCP exhaustion, TCP syn flood
|
|
|
|
What are 3 layer 3 reconnaissance attacks?
|
Ping sweep, port scan (scans single host), port sweep (Mulitple hosts)
|
|
|
|
What is a SMURF attack?
|
An attacker broadcasts an echo request packet using the IP address of the victim host. As many hosts will receive this echo request they will all reply to the victim server causing a potential DoS. This can be avoided if the devices are configured not to replay to pings sent to a broadcast address. Additionally ‘no ip directed-broadcast’ (default on 12.x IOS) should be configured.
|
|
|
|
What is IP source routing?
|
Allows the sender to define what route to take
|
|
|
|
What are three types of password attacks?
|
Brute force, dictionary, key loggers / trojans
|
|
|
|
What is a salami attack?
|
A number of small actions that do not in themselves cause damage but combined have a greater effect.
|
|
|
|
What is trust exploitation?
|
Indirect attack, rather than directly attack the target, attack an easier host which has a trust relationship with the target. This can then be used as a stepping stone to the target.
|
|
|
|
What is data diddling?
|
Changing data before or during input or storage,
|
|
|
|
What is a worm?
|
Spreads automatically throughout the network by looking for vulnerabilities in systems.
|
|
|
|
What is a virus?
|
Cannot spread by itself, it requires help from a user to propagate such as forwarding an infected file etc.
|
|
|
|
Trojan Horse
|
This appears to be a regular program but contains a malicious payload. Many contain a backdoor allowing remote access to an infected system.
|
|
|
|
Buffer overflow
|
A buffer overflow occurs when something inject/sends more data to a device that is larger than the buffers size. This can overwrite an applications data and cause a crash or overwrite the return address in the stack allowing malicious code to be run. Typically buffer overflow attacks are used to gain escalated privileges through root escalation / rooting the system.
|
|
|
|
What is required to configure SSH?
|
Username and password, ip domain name, crypto key generate, ip ssh version 2, line vty 0 4 - transport input ssh, login local or login aaa
|
|
|
|
How do you enable CCP or SDM beyond SSH?
|
ip http server (Or secure-server) ip http authentication local,
|
|
|
|
How do you create a resilient IOS?
|
secure boot-image, secure boot-config --- verified by show secure bootset
|
|
|
|
How do you disable password recoverY/
|
no service password recovery
|
|
|
|
What is AAA?
|
Authentication, authorization, accounting
|
|
|
|
What are the sources of AAA?
|
Local, RADIUS, TACACS+
|
|
|
|
What is RADIUS?
|
Industry standard authentication and authorization
|
|
|
|
What is TACACS?
|
Cisco's authentication and authorization - a TACACS server can respond with Accept, reject, continue, error
|
|
|
|
How do you set up RADIUS?
|
ip radius source-interface (int), radius-server host <ipadd> - may also add key or set a specific key for all servers
|
|
|
|
How do you setup a TACACS server?
|
ip tacacs source-interface <interface>
tacacs-server host <ipaddr> single connection key <key> - key is optional |
|
|
|
What are the two types of login authentication lists?
|
named and default
|
|
|
|
How do you created a login named and default method list?
|
aaa authentication login default /// aaa authentication login <name>
|
|
|
|
How do you enable a method list?
|
aaa authentication enable default
|
|
|
|
How do you create a login authorisation list?
|
aaa authorization exec <default or named>
|
|
|
|
What are the five types of method lists?
|
Enable – Use enable password for authentication.
Group – Use specified server-group (radius / tacacs+) Line – Use line password for authentication. Local –Use local username authentication. None – No authentication. There will be no login prompt. |
|
|
|
How do you set privilege level access to specific commands?
|
privilege exec level <#> <command>
|
|
|
|
What is a security audit (SDM) ?
|
SDM will audit the security of the router and give list of vulnerabilities. The user is prompted to secure individual vulnerabilities with descriptions/help. Additionally a drop down is provided to ‘Undo Security configurations’ on individual security lockdowns.
|
|
|
|
What is one step lockdown?
|
SDM will perform secure all security vulnerabilities automatically.
|
|
|
|
How does SDM and Auto secure differ?
|
Does not disable NTP
Does not enable TCP Intercept Does not configure AAA Does not configure three separate ACL to block commonly spoofed source addresses SDM will disable SNMP but not provide options for S NMPv3 |
|
|
|
What are the parts of SNMP?
|
SMNP Manager – The tool which queries, analyses and presents the data on devices.
SNMP Agent – The monitored device itself. Management Information Base (MIB) – The dictionary of object identifiers (OID) available on the device. Each OID is a variable/counter that can be read or set. |
|
|
|
What are the types of SNMP messages?
|
Get – Read only access is sufficient.
Set – Read/Write access is essential. This is very dangerous facility, it could allow an attacker to gain access to a device if not locked down. Trap – The device will send a trap message to the manager component to alert particular issues |
|
|
|
What are the SNMP versions and the differences in each version?
|
SNMPv1 – Simple to configure. All SMNP traffic is sent in clear text. Counters are limited in value so high bandwidth interfaces could over range counters.
SNMPv2c – Simple to configure. All SNMP traffic is sent in clear text. Similar to SMNPv1 but counters are capable of much larger values. SMNPv3 – Addresses weaknesses of the earlier versions by including authentication, privacy and access control. SMNPv3 operated in one of three modes (noAuthNoPriv, authNoPriv & aithPriv) using MD5/SHA to provide authentication and DES, 3DES or AES to provide the privacy. |
|
|
|
How do you configure logging to a remote system?
|
(config) # logging hostname <ipaddress / hostname> - Set Syslog server location
(config) # logging <ipaddress / hostname> - Set Syslog server location (alternative) (config) # logging trap <level> # show logging |
|
|
|
What are the logging levels?
|
Emergencies System is unusable (severity=0)
Alert Immediate action needed (severity=1) Critical Critical conditions (severity=2) Errors Error conditions (severity=3) Warnings Warning conditions (severity=4) Notifications Normal but significant conditions (severity=5) Informational Informational messages (severity=6) Debugging Debugging messages (severity=7) |
|
|
|
Where is logging found on CCP?
|
Additional tasks > Router Properties
|
|
|
|
What NTP version is secure?
|
3 and above
|
|
|
|
What are the port violation modes?
|
Protect – Allow authorised hosts through but disallow unauthorised hosts
Restrict – As above but log (SNMP & Log) unauthorised hosts Shutdown – Shutdown the port (err-disabled) |
|
|
|
What is the default mode?
|
Default violation mode – shutdown (err-disabled).
|
|
|
|
What is storm control?
|
This feature can raise a trap or shutdown an interface is a certain percentage of a ports’ traffic is a particular type. As an example, storm control can shutdown a port if it receives excessive broadcasts.
|
|
|
|
What does SPAN do?
|
Span will mirror all traffic from a source port or ports to a destination port (sometimes called the monitor port) on either the same switch or across a trunk to a different switch.
|
|
|
|
What are the three types of SPAN?
|
Local SPAN out another port on the same switch, VLAN SPAN (VSPAN) - out another port on the same VLAN, Remote Span (RSPAN) - Dedicated VLAN for monitoring
|
|
|
|
What are the three types of private VLANS?
|
Promiscuous — A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
Isolated — An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports. can communicate with the primary vlan but no other host in the and secondary vlan. Community — Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN. Hosts can communicate with other hosts in a secondary vlan and with the primary vlan but not with hosts in other secondary VLANs. |
|
|
|
What is DHCP Snooping?
|
Protects against rogue DHCP servers - If it recieves a DHCP offer on an untrusted port, it'll be shutdown
|
|
|
|
What is Dynamic ARP inspection (DAI)?
|
ARP Spoofing occurs when a host send an ARP request out onto the network requesting the MAC address for a particular ip address. A rogue host could respond to the request before the legitimate host which would result in an incorrect MAC address in the first host. All traffic now sent between the two hosts will now be sent to the rogue host which in turn forwards to the legitimate host forming a man in the middle attack.
This uses the database created by the DHCP Snooping feature and this forms trusted mapping database. If a switch receives an ARP request on an un-trusted port and the MAC-IP mapping is in the trusted mapping database then that ARP request is forwarded. If the MAC-IP mapping is not in the trusted database the ARP request is dropped. Also known as ARP Cache Poisoning / ARP Spoofing |
|
|
|
What is IP Source guard?
|
Prevents a host from using another hosts' IP. Only allows a specific IP from that port
|
|
|
|
What are layer 2 best practices?
|
Use secure management (SSH, OOB, Access-class on VTY lines).
Make an audit sheet (portfast, bpduguard etc). Try to reduce the use of VLAN 1 and don’t use it as the native VLAN. Disable dynamic trunking (set all non trunking ports as access ports). Lock down SNMP (Set ACLs, keep community strings secret, avoid RW access). Unused port recommendation- Disable the port (shutdown) Set the port to an assess port (switchport mode access) Assign the port to another Vlan (switchport access vlan 99) |
|
|
|
What are the types of firewall?
|
Stateless, Stateful, Application layer gateways (proxies), transparent
|
|
|
|
What are the four layers of a layered defense strategy?
|
Perimeter, Communicatiosn security, core network security, endpoint security
|
|
|
|
What is the standard ACL range?
|
1-99, 1300-1999
|
|
|
|
What are the signature severity levels?
|
Informational, low, medium, high
|
|
|
|
What actions can an IPS take?
|
Deny Attacker Inline – Denies the source IP address of the offending packets (Creates dynamic ACL) for a defined period of time.
Deny Connection Inline – Stops the offending packets but not other traffic from the source. Deny Packet Inline – Drop this packet only. Produce Alert – Generate an alarm/alert message Reset TCP Connection – Send a TCP reset to terminate the traffic flow |
|
|
|
What is a 4200 series appliance?
|
Dedicated appliance for IPS. Can be run in the routing path or on a SPAN port. The sensors contain at least two interfaces, the command and control interface and the monitoring interface.
|
|
|
|
What is an IDS Network / AIM Module (AIM-IPS)?
|
– Fit inside a router to perform the IDS function taking the load off the routers processor.
|
|
|
|
What is a Catalyst 6500 ISDM-2
|
Fits inside a Cisco 6500 series switches. Able to monitor inter VLAN traffic etc.
|
|
|
|
What is a HIPS (Cisco CSA)?
|
Client software that sits on the end client to identify suspicious traffic on the client. This can capture encrypted attacks which network based solutions cannot detect.
|
|
|
|
What is Security Device Event Exchange (SDEE)?
|
logging method designed specifically for alerting on security devices. SDM can pull these events or the router can be configured to export them to an external server. The router can store up to 1000 (200 by default) events for later retrieval. HTTP/HTTPS must also be enabled to use SDEE.
|
|
|
|
What is PKCS#1?
|
RSA Cryptography standard
|
|
|
|
What is PKCS#3?
|
DH Key agreement standard
|
|
|
|
What is PKCS#5?
|
Password based cryptography standard
|
|
|
|
What is PKCS#7?
|
Cryptography message syntax
|
|
|
|
What is PKCS#10?
|
Used for sending certificate requests using SCEP
|
|
|
|
What is a chosen plain text attack / cipher attack?
|
The attacker is able to encrypt some chosen plaintext and vire the cipher text. Improves the chances of deriving the key
|
|
|
|
What is a known plain text attack?
|
The attacker has both the cipher text and some knowledge of the corresponding plaintext. This can be used in an attempt to derive the key
|
|
|
|
What are 3 hashing algorithms and how big are they?
|
MD5 - 128bit, SHA-1 - 168 bit, SHA-224, 256, 384 (SHA-2)
|
|
|
|
What is HMAC?
|
Hashing functions by themselves cannot guarantee the authenticity of the message as anyone can generate a message and calculate a hash. HMAC adds a secret key to the message before applying thehashing routine resulting in a hash that depends on both the message and the key. The receiver of the message can then generate the hash of the plaintext message using the same secret key, if the hash matches then the message is authentic.
|
|
|
|
What is symmetric encryption?
|
The same key is used to encrypt and decrypt. Typically referred to as a shared secret encryption.
|
|
|
|
What is asymmetric encryption?
|
A key pair is required, one to encrypt and another to decrypt. Up 100 times slower than symmetric encryption in software and up to 1000 times in hardware.
|
|
|
|
What are asymmetric encryption methods?
|
RSA, Elliptic cruves, Diffe Hellman
|
|
|
|
What are symmetric encryption methods?
|
DES, 3DES, AES, IDEA, Blowfish, RC2/4/5/6, SEAL
|
|
|
|
What is a Caesar / Substitution Cipher
|
Characters of a message are substituted with another character from ‘n’ spaces in the alphabet, e.g. ‘a’ becomes ‘m’, ‘b’ becomes ‘n’ etc
|
|
|
|
Vigenere Cipher
|
A substitution cipher where the number of characters / spaces moved for each character depends on a corresponding character in a key word, making it invulnerable to a frequency analysis attack. Suppose the phrase ‘ATTACK AT DAWN’ is coded using the key ‘SECRETKEY’, the resulting message will be ‘SXVRGDKXBSAP’.
|
|
|
|
One Time Pad / Vernam Cipher
|
Uses the principle of a Vigenere cipher but the key is a stream of random characters equal to the length of the message. This results in an almost unbreakable code but with limitations. Creation of a truly random key is almost impossible and it is very difficult to distribute the key. The Vernam Cipher instead XORs the each character of the message with the corresponding key character.
|
|
|
|
Transposition Cipher
|
The characters are simply rearranged in the message using a secret sequence. An example is the rail fence cipher
|
|
|
|
What are types of block ciphers?
|
DES, 3DES, AES, IDEA, Blowfish, RC2/4/5/6, SEAL
|
|
|
|
What are stream ciphers?
|
RC4, SEAL
|
|
|
|
What are RSA vulnerabilities?
|
Timing attack – An attacker could measure the decryption times for a number of cipher texts and if the hardware is known the decryption key could be deduced quickly. Most RSA implementations use a scheme known as blinding to stop the decryption time being correlated to the cipher text.
Adaptive chosen cipher text attack – Uses weaknesses in RSA / PKCS #1 when used in SSL protocols and is used to recovery session keys. An updated version of PKCS #1 has been released which is not vulnerable to this attack. Branch Prediction Analysis (BPA) attack – Used in modern processors that use branch prediction and Simultaneous multithreading (SMT). An attack uses a spy process to statistically discover the private key when being processed using these processors |
|
|
|
What is PKI?
|
Public key infrastructure
|
|
|
|
What does a certificate contain?
|
1. Public key of the device/server.
2. Device signature (name and other information) encrypted with the private key of the device/server. This can only be decrypted using the public key, proves the device/router is who he says he is. 3. Certificate Authority Signature. This is the name of the CA encrypted with the CA private key. Only the CA public key can decrypt the signature proving the certificate was signed by the certification authority. |
|
|
|
What is SCEP?
|
SCEP (Simple Certificate Enrolment Protocol) – SCEP is an automated method to manage certificates. It allows a number of operations, certificate enrolment, certificate revocation, certificate query request, CRL query etc. To request a certificate a host will create a request containing all required information using PKCS #10, package this up in a PKCS #7 message then send it to the CA for generation/signing. Operates in two modes-
Manual – Administrator approves the request Pre-shared key – Devices will pass a key to the CA to allow the CA to automatically generate the certificate. |
|
|
|
What are the types of CA's?
|
Single root – Difficult to scale and vulnerable in that if the root key is compromised all certificates generated are invalid.
Hierarchical – A root CA in turn issues certificates to subordinate CA’s. The subordinate CA’s then issue certificates to end users. This improves scalability and reduces the impact if a key is compromised. Cross-certifying – A CA will cross certify with another CA on different PKI installation, in effect creating a trust relationship. |
|
|
|
What are the four benefits of RSA?
|
Authentication – Ensures the connection is made with the correct remote endpoint.
Data Integrity – Hashing (HMAC-MD5, HMAC-SHA-1) Confidentiality – Data is encrypted as it flows through the VPN Anti-Relay – Ensures each packet is unique. Stops man in the middle devices replaying packets in an attempt to cause system issues. |
|
|
|
What are the two IPSec operation modes? What's the difference?
|
Transport: | Data | ESP | IP | MAC|
Tunnel: Data | IP | ESP | IP | MAC| |
|
|
|
What are the two modes of IPSec?
|
Main and Aggressive
|
|
|
|
What happens in phase 1 of IKE in main mode?
|
1. The initiator sends all data required to initiate an SA. This data is sent unencrypted
2. The responder replies with the proposal, key, ID and authenticates the session. 3. The initiator replies by authenticating the session. |
|
|
|
What happens in phase 1 of IKE in aggressive mode?
|
1. Exchange and negotiate policy and algorithms..
2. Exchange DH keys. 3. Identity verification / authenticates an Internet Security Association and Kay Management Protocol (ISAKMP) session using PSK or certificates. |
|
|
|
How can IPSec authenticate?
|
Username and password, via VPN, one time password, pre shared key, certificate
|
|
|
|
What are ways to authenticate a port?
|
Diffie-Hellman CHAP, CHAP, PAP, FCPAP
|
|
|
|
How can you secure SAN?
|
LUN Masking (Authorizing access to the LUN at the HBA), soft zoning (stops advertisements of WWN's), hard zoning (ACL's), VSANS
|
|
|
|
What is Cisco IronPort?
|
Protects networks from internet based threats - email and web securtiy
|
|
|
|
What are the 3 Iron port series?
|
IronPort C Series - Email security
IronPort S-Series - Web security using web reputation data Ironport M-Series - Management report and spam quarantine management |
|
|
|
What is Cisco CSA?
|
Cisco Security Agent - Host based IPS (HIPS) - has a file interceptor, network interceptor, configuration interceptor, execution space interceptor
|
|
|
|
What is NAC? What is the NAC Process?
|
NAC is designed to only allow authorised and compliant systems access to the network by providing four main features-
Authentication and authorisation Posture assessment – Evaluates the security of the device against defines policies Quarantining of noncompliant systems Remediation of noncompliant systems Process: 1. The user attempt to access a network resource // 2. User is redirected to a login page. // 3. The host is scanned for posture compliance. a. It not compliant the host if quarantined to a separate VLAN which only allows the host to be patched / remediated b. If complaints the host is granted access to the network. |
|
|
|
What are components of a NAC?
|
Cisco NAC Appliance – A self contained appliance that performs all the NAC functions. Does not require Cisco infrastructure.
Cisco NAC Appliance Server (NAS) – A device that perms network access control and device compliance checks as users access the network. Cisco NAC Appliance Manager (NAM) – A centralised web based administrative tool for managing users and security policies. Cisco NAC Appliance Agent – Software that runs on the client / endpoint computer that is used to audit the endpoint to compliance and launch updates. |
|
|
|
What is required to configure a site to site VPN?
|
Also known as quick setup - external interface, origination interface, remote peer IP, remote destination IP, authentication type - Uses defaults otherwise:
Phase 1: 3DES, SHA1, DH2 Phase 2: ESP,3DES, ESP_SHA_HMAC |
|
|
|
What IP protocol is ISAKMP?
|
UDP 500
|
|
|
|
What IP Protocol is ESP?
|
50
|
|
|
|
What IP Protocol is AH?
|
51
|
|
|
|
What are two types of attacks on an end point?
|
Driect and indirect - direct - attacker gets an application to preform a task, indirect - attack compromises a different system
|
|
|
|
What are the five phases of an attack?
|
Probe – Find vulnerable targets using ping sweeps, open ports scans etc.
Penetrate – Once a vulnerable system is found, take advantage of the vulnerability to gain access to the system.. Persist – Once the vulnerable code is on the target and running, find a way of ensuring the code runs at all times even after a reboot. Propagate – Find other vulnerable systems in order to spread the attack to other systems. Paralyse – Carry out the malicious action (erase data, steal data, cause DoS, launch a distributes DoS attack etc). |
|
|
|
What are classification roles?
|
Owner - initially determines classification level, gives custodian responsibility of protecting data
Custodian - Keeps up to date backups, verifies backups, restores backups, ect User - Accesses the date with an established security policy - only uses it for oganizational purposes |
|
|
|
What is a governing policy?
|
Addresses the high level security concerns of an organization such as
Identifying the issue addressed by the policy Discussing the organization’s view of the issue Examining the relevance of the policy to the work environment Explaining how employees are to comply with the policy Enumerating appropriate activities, actions, and processes Explaining the consequences of noncompliance |
|
|
|
What are examples of technical policies?
|
Email, wireless, remote access policies
|
|
|
|
What is an end user policy?
|
End-user policies address security issues and procedures relevant to end users. For example, an end user might be asked to sign an acceptable use policy (AUP) for Internet access. That AUP might state that Internet access is only for business purposes. Then, if an end user is found using the Internet for personal reasons, he or she could face the consequences outlined in the governing policy.
|
|
|
|
What are standards?
|
Standards support consistency within a network. For example, a standard might specify a limited number of operating systems to be supported in the organization, because it would be impractical for the IT staff to support any operating system that a user happened to select. Also, standards could apply to configuring devices, such as routers (for example, having a standard routing protocol).
|
|
|
|
What are guidelines?
|
Whereas standards tend to be mandatory practices, guidelines tend to be suggestions. For example, a series of best practices might constitute a security policy’s guidelines.
|
|
|
|
What are procedures?
|
To support consistency in the network, and as dictated by the previously mentioned standards, a security policy might include a collection of procedures. These procedures are very detailed documents providing step-by-step instructions for completing specific tasks (such as steps for configuring port security on a Cisco Catalyst switch).
|
|
|
|
What is a vulnerability?
|
Vulnerability in an information system is a weakness that an attacker might leverage to gain unauthorized access to the system or its data
|
|
|
|
What is ALE?
|
Annual loss expectancy = Asset value * Exposure factor * Annual rate of occurance
|
|
|
|
What is SLE?
|
Single Loss Expectancy = Asset Value (AV) * Exposure Factor (EF)
|
|
|
|
What are the ways of reducing risk?
|
Avoid, Reduce, Transfer, Accept
|
|
|
|
What is the idea of least privilege?
|
Allowing a user the least possible privilege to do their job
|
|
|
|
What comprises a risk rating?
|
Fidelity * severity * target-value rating / 100^3
|
|
|
|
What is the target value rating?
|
Value used to change the risk rating higher or lower based on the target of the attack (user defined);
75—Low Asset Value , 100—Medium Asset value , 150—High Asset Value, 200—Mission Critical Asset Value |
|
|
|
What is the alert severity rating?
|
Relative result or damage if the attack succeeds (predefined); 25—Information, 50—Low, 75—Medium, 100—
High |
|
|
|
What is the signature fidelity rating?
|
Relative measure of the accuracy of the signature (predefined); 0–100 Set by Cisco Systems, Inc.
|
|
|
|
What is a boarderless end zone?
|
Where devices connect to the network - Network Admission Control (NAC) and Identity Services Engine (ISE) live here.
|
|
|
|
What is a Boarder-less Data Center?
|
Cloud - Intrusion Prevention systems (IPS) and network admission control (NAC) live here
|
|
|
|
What is a Policy Management Point ?
|
Where you can control access from - Cisco Security Manager (CSM), Cisco Access Control Server (ACS)
|
|
|
|
What is scan safe?
|
Looks for malicious links and zero day exploits
|
|
|
|
What do CoPP and CPPr do?
|
Control Plane Policing (CoPP) - Filter traffic for a destination or ensuring traffic is 'limited'
Control Plane Protection (CPPr) - Authenticating Updates - more detailed than CoPP - Specify CPU prevention before forward - TTL or keepalives - CPPr can classify more traffic |
|
|
|
What is NFP?
|
Cisco NFP provides infrastructure protection with a series of IOS features designed specifically to protect the device control plane by "locking down" services and routing protocols; the device data plane from malicious traffic; and the device management plane.
|
|
|
|
What is the control plane?
|
Device to device communication not involving the administrator
|
|
|
|
What is the data plane?
|
Traffic being forwarded on the network - accessing servers
ACLs, Spanning Tree, VLANS, IOS IPS, Zone based firewall, TCP Intercept (# of half formed sessions) Blocking traffic at the router Additional ProtectioN: Port security, DHCP snooping to prevent rouge DHCP, DIA protects against ARP spoofing, IP source guard |
|
|
|
What is the management plane?
|
Protocols and traffic between administrator's workstation and the router or switch - remote management using SSH
Security Techniques: Password policies - length, login attempts, Role based access controls (RBAC), Use an AAA service, Keep accurate time across the network, Encrypted and authenticated SNMP (Version 3 - some features were in v2), Lockdown system logs - Using out of band (OOB) VLANS to manage system logs |
|
|
|
In CCP, what is the purpose of templates?
|
§ Creating an identical configuration on multiple routers - can use variables for items you want to change such as IP's, hostnames, ect - Also known as parameterizing
§ Created under the application - template - create |
|
|
|
In CCP, what is the purpose of user profiles?
|
Enable you to select what features show up in CCP
Can hide specific configuration options such as routing protocols |
|
|
|
In CCP, what is a community?
|
§ Groups of routers that share something in common - Be it geography, access or some other function
§ Maximum of 10 devices per community § Will be prompted to create a community upon first access |
|
|
|
What is Cisco ACS Solution Engine?
|
Dedicated server contains usernames, their passwords and other information on what they can access.
|
Check this
|
|
|
What Privilege level is the highest?
|
15
|
|
|
|
How do you set the login list?
|
aaa authentication login <List name or default>
|
|
|
|
How do you enable only certain commands?
|
Aaa authorizations commands <#> TAC<#> group tacas+ local
|
|
|
|
What are the SNMPv3 Modes? What encryption and authentication is used?
|
§ noAuthNoPriv - Using community strings and no encryption
§ AuthnoPriv - Authentication but no privacy - uses MD5 or SHMAC or SHA § AuthPriv - Offers HMAC, MD5, SHA authentication - uses block encryption |
|
|
|
How do you configure NTP?
|
Configure > Router > Time > NTP and SNTP
|
|
|
|
What is Cisco ISE?
|
Identity Services Engine (ISE) - NAC client which validates a computer meets the requirements for virus definitions and service packs ect
|
|
|
|
What is RA guard?
|
The IPv6 RA Guard feature provides support for allowing the network administrator to block or reject unwanted or rogue router advertisement (RA) guard messages that arrive at the network device platform. RAs are used by devices to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 (L2) device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped
|
|
|
|
What is SEND?
|
Secure version of NDP - Uses public key infrastructure to authenticate
|
|
|
|
What does TACAS Encrypt?
|
Only the payload
|
|
|
|
What is Cisco SIO?
|
SIO operates as the telemetry hub for Cisco's email, web, and IPS services. These systems participate in a network of data analysis and that calculates threat risk ratings and reputation scores. What sets the Cisco's SIO apart from other solutions is their unique ability to leverage a well established footprint of security solutions to provide the widest range of sampling data. Cisco then uses this telemetry data to increase blocking accuracy and capture rate as well as fine-tune its signature-based systems; such as the IronPort Email Security Appliance, the IronPort Web Security Appliance, and the Cisco IPS.
|
|
|
|
What traffic is permitted into zone based firewall
|
Traffic which matches a class map
|
|
|
|
What are the standard ACL #'s?
|
1-99, 1,300 - 1,999
|
|
|
|
What are the extended ACL #'s?
|
100-199, 2000-2699
|
|
|
|
Where can you configure ACL's?
|
○ Configure > Router > ACL > ACL Summary
○ Configure > Interface Management > Interface and Connections ○ Configure > Router > ACL > Object Groups > Network Object Groups ○ Configure > Router > Logging |
Check this
|
|
|
What are the pro's and con's of static packet filtering?
|
Pro: Simple to implement, Minimal impact on performance, Configurable on most routers
Con: Hard to maintain, Doesn't monitor fragmented packets, Stateless - doesn't maintain sessions |
|
|
|
What are the pro's and con's of stateful packet filtering?
|
Advantages: Primary means of defense by filtering unwanted traffic, Implemented on routers and dedicated firewalls
Disadvantages: Can't defend against application layer attack, UDP and ICMP |
|
|
|
What are the pro's and con's of a proxy server (Application layer gateway)?
|
Pro: Very tight control, Difficult to implement, Detailed logging
Con: Processor intensive, Not all applications support it, Special software may be required |
|
|
|
What is a transparent firewall?
|
Implemented at layer 2 (As opposed to layer 3), Can implement a stateful, application, or packet based filter - Only traffic permitted by default is ARP
|
|
|
|
What is the inside local IP?
|
Real IP of original host
|
|
|
|
What is inside global?
|
Mapped global adderss for which the router swapping the inside local IP for
|
|
|
|
What is outside local?
|
Only used if there's NAT on the other side of the router
|
|
|
|
What is outside global?
|
IP on external interface
|
|
|
|
What is an orphaned rule?
|
A rule that will never be reached
|
|
|
|
What are class maps?
|
Identify traffi based on layers 3-7
|
|
|
|
What traffic is allowed to the self zone?
|
By default all traffic is allowed
|
|
|
|
What is a policy map?
|
Defines what action is to be taken on a given type of traffic
|
|
|
|
What are the two modes of a ZBF?
|
Basic and Advanced - Advanced allows 3 zones
|
|
|
|
What are the security levels in a ZBF?
|
§ High □ Firewall identifies and drops instant messaging and peer to peer traffic □ Application inspection for web and email traffic - drops non compliant traffic □ Generic TCP and UDP inspection
§ Medium □ Doesn't check web and email traffic § Low □ No application layer inspect - only checks generic tcp udp |
|
|
|
How do you configure a class map?
|
class-map type inspect match any
|
|
|
|
How do you configure a policy map to use a class map?
|
○ Policy-map type inspect <name>
§ Class type inspect <class name> |
|
|
|
What are the firewall security levels? What level is most trustworthy?
|
1-100 --> Higher is more trusting
|
|
|
|
How does traffic flow between zones?
|
Traffic is allowed from a higher to a lower zone. Traffic is inspeted if it is from a less trustworthy zone to a higher zone. It is denied by default
|
|
|
|
How do you show IKE phase 1?
|
• Show crypto ISAKMP SA
|
|
|
|
How do you show IKE phase 2?
|
• Show crypto ipsec SA
|
|
|
|
What are the three port security modes?
|
○ Shutdown § Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.
○ Restrict § Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the Security Violation counter to increment. ○ Protect § Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value. |
|
|
|
Where does a router save MAC addresses in port security?
|
MAC Addresses are saved to the running config
|
|
|
|
What port is HTTPS?
|
443
|
|
|
|
How do you enable spanning tree root guard?
|
Spanning-tree guard root
|
|
|
|
What key excahnge mode is used in IPSec?
|
Diffie-Hellman
|
|
|
|
What's the difference between a named method list and a default method list?
|
Named must be applied to an interface
|
|
|
|
How do you stop switchport negoiatation?
|
switchport nonnegotiate
|
|
|
|
In a Cisco IPS, what must a signature be before any actions can be taken on it?
|
Enabled, unretired, and successfully compiled
|
|
|
|
What is the most efficient logging method for Cisco routers and switches?
|
Internal buffer
|
|
|
|
What ACL types does IPv6 support?
|
Only named
|
|
|
|
What action can a ZBFW take?
|
Drop, Pass, Inspect, and Content Filter
|
|
