Module 11. Security in Network Design
TACACS+ (Terminal Access Controller Access Control System Plus)
A Cisco proprietary protocol that provides AAA services.
Rogue DHCP Server
A DHCP service running on a client device that could be used to implement an on-path attack by configuring the attacker's IP address as the victim computers' default gateway or DNS server.
Group Policy
A Windows utility that is used to control what users can do and how the system can be used.
AAA (authentication, authorization, and accounting)
A category of protocols that establish a client's identity, authorize a user for certain privileges on a system or network, and keep an account of the client's system or network usage.
DAI (Dynamic ARP Inspection)
A configuration on a switch that compares incoming messages with the switch's DHCP snooping binding table to determine whether the message's source IP address is appropriately matched with its source MAC address according to DHCP assignments on the network. DAI helps protect against ARP spoofing attacks.
Kerberos
A cross-platform authentication protocol that uses key encryption to verify the identity of client devices and to securely exchange information after a client logs on to a system.
TAP (test access point)
A device connected between two devices on a network that can capture all traffic traversing the connection, for example, between a switch and a router.
security token
A device or piece of software used for authentication that stores or generates information, such as a series of numbers or letters, known only to its authorized user.
SoD (separation of duties)
A division of labor that ensures no one person can singlehandedly compromise the security of data, finances, or other resources.
RA Guard
A feature that can be configured on switches to filter RA messages according to interface, MAC or IP address, router priority, or other factors.
stateful firewall
A firewall capable of examining an incoming packet to determine whether it belongs to a currently active connection and is, therefore, a legitimate packet.
network-based firewall
A firewall configured and positioned to protect an entire network or segment of a network.
application layer firewall
A firewall that can block designated types of traffic based on application data contained within packets.
stateless firewall
A firewall that manages each incoming packet as a stand-alone entity without regard to currently active connections.
host-based firewall
A firewall that only protects the computer on which it's installed.
SSO (single sign-on)
A form of authentication in which a client signs on once to access multiple systems or resources.
2FA (two-factor authentication)
A form of identity verification in which the user must both possess something and know something.
ACL (Access Control List)
A list of statements used by a router or other device to permit or deny the forwarding of traffic on a network based on one or more criteria.
RBAC (Role-Based Access Control)
A method of access control in which a network administrator assigns only the privileges and permissions necessary for a user to perform the role required by an organization.
MAC (Mandatory Access Control)
A method of access control where resources are organized into hierarchical classifications, such as "confidential" or "top secret," and grouped into categories, perhaps by department. Users, then, are also classified and categorized. If a user's classification and category match those of a resource, then the user is given access.
DAC (Discretionary Access Control)
A method of access control where users decide for themselves who has access to that user's resources.
port mirroring
A monitoring technique in which one port on a switch is configured to send a copy of all the switch's traffic to the device connected to that port. Also called SPAN (switched port analyzer).
packet-filtering firewall
A network device or application that examines the header of every packet of data it receives on any of its interfaces to determine whether the packet should be allowed to continue traversing the network.
DHCP snooping
A security feature on switches whereby DHCP messages on the network are checked and filtered.
Zero Trust
A security model where everything in the network is considered untrustworthy until proven otherwise.
FIM (file integrity monitoring)
A security technique that alerts the system of any changes made to files that shouldn't change, such as operating system files.
proxy server
A server acting as an intermediary between the external and internal networks, screening all incoming and outgoing traffic.
IPS (Intrusion Prevention System)
A stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall that stands in-line between an attacker and the targeted network or host and can prevent traffic from reaching that network or host.
IDS (Intrusion Detection System)
A stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall. It monitors network traffic, generating alerts about suspicious activity.
Shared Responsibility Model
A theoretical model that clarifies the division of responsibilities between cloud provider and cloud customer for the security of cloud resources.
NIDS (network-based intrusion detection system)
A type of intrusion detection that protects an entire network and is situated at the edge of the network or in a network's screened subnet.
HIDS (host-based intrusion detection system)
A type of intrusion detection that runs on a single computer, such as a client or server, to alert about attacks against that one host.
NIPS (network-based intrusion prevention system)
A type of intrusion prevention that protects an entire network and is situated at the edge of the network or in a network's screened subnet.
HIPS (host-based intrusion prevention system)
A type of intrusion prevention that runs on a single computer, such as a client or server, to intercept and help prevent attacks against that one host.
Which two features on a switch or router are integrated into CoPP? Choose two.
ACLs, QoS
What characteristic of ARP makes it particularly vulnerable to being used in a DoS attack?
ARP performs no authentication.
Which access control technique is responsible for detection of an intruder who succeeds in accessing a network?
Accounting
Which of the following is not one of the AAA services provided by RADIUS and TACACS+?
Administration
Implicit Deny
An ACL (access control list) rule that ensures that any traffic the ACL does not explicitly permit is denied by default.
What is the purpose of an ACL when configuring CoPP?
An ACL identifies which traffic is relevant to CoPP policies.
What's the essential difference between an IPS and an IDS?
An IDS can only detect and log suspicious activity. An IPS can react when alerted to such activity.
CoPP (Control Plane Policing)
An adaptation of QoS (quality of service) filters used to rate-limit traffic on the control plane and management plane of routers and switches.
ARP spoofing
An attack in which fake ARP replies are used to alter ARP tables in a network. Also called ARP poisoning.
MFA (Multifactor Authentication)
An authentication process that requires information from two or more categories of authentication factors.
Which of the following criteria can a packet-filtering firewall not use to determine whether to accept or deny traffic?
Application data
Which firewall type can protect a home network from adult content not suitable for the family's children?
Application layer firewall
What kinds of issues might indicate a misconfigured ACL?
Connectivity and performance issues between two hosts in which some applications or ports can make the connection while others can't could indicate an ACL misconfiguration.
What are the two primary features that give proxy servers an advantage over NAT?
Content filtering and file caching
Which device would allow an attacker to make network clients use an illegitimate default gateway?
DHCP server
What causes most firewall failures?
Firewall misconfiguration
signature
Identifiable patterns of code that are known to indicate specific vulnerabilities, exploits, or other undesirable traffic.
Which policy ensures messages are discarded when they don't match a specific firewall rule?
Implicit deny
ticket
In Kerberos terminology, a temporary set of credentials that a client uses to prove its identity has been validated by the authentication service.
principal
In Kerberos terminology, a user or client.
KDC (Key Distribution Center)
In Kerberos terminology, the server that issues keys to clients during initial client authentication.
accounting
In the context of network security, the process of logging users' access and activities on a network.
At what layer of the OSI model do proxy servers operate?
Layer 7
Active Directory and 389 Directory Server are both compatible with which directory access protocol?
Lightweight Directory Access Protocol
Which security device relies on a TAP or port mirroring?
NIDS (network-based intrusion detection system)
Access Control
One or more security techniques for managing users' access to a network and its resources.
Which device can be used to increase network performance by caching websites?
Proxy server
Which of the following defenses addresses a weakness of IPv6?
RA guard
Which authentication protocol is optimized for wireless clients?
RADIUS (Remote Authentication Dial-In User Service)
Which authorization method will allow Nancy, a custodian, to access the company's email application but not its accounting system?
RBAC (role-based access control)
Which principle ensures auditing processes are managed by someone other than the employees whose activities are being audited?
Separation of duties
What information in a transmitted message might an IDS use to identify network threats?
Signature
AAAA (authentication, authorization, accounting, and auditing)
Similar to AAA, a category of protocols that establish a client's identity, authorize a user for certain privileges on a system or network, and keep an account of the client's system or network usage. AAAA adds the component of auditing, which consists of a posture assessment to analyze the network for vulnerabilities.
SIEM (Security Information and Event Management)
Software that can be configured to evaluate data logs from IDS, IPS, firewalls, and proxy servers to detect significant events that require the attention of IT staff according to predefined rules.
What kind of ticket is held by Kerberos's TGS?
TGT (ticket-granting ticket)
Who is responsible for the security of hardware on which a public cloud runs?
The cloud provider
Why would you need separate RA guard policies for network hosts and routers attached to a switch?
The HOSTS policy blocks all RA messages for interfaces with that policy applied, while the ROUTERS policy would only need to filter RA messages to ensure they're coming from a trusted router.
Signature Management
The process of regularly updating the signatures used to monitor a network's traffic.
authorization
The process that determines what a user can and cannot do with network resources.
What does a client present to a network server to access a resource on that server?
Ticket
Why do network administrators create domain groups to manage user security privileges?
To simplify the process of granting rights to users
Which ACL rule will prevent pings from a host at 192.168.2.100?
access-list acl_2 deny icmp host 192.168.2.100 any
Which of the following ACL commands would permit web-browsing traffic from any IP address to any IP address?
access-list acl_2 permit https any any
Any traffic that is not explicitly permitted in the ACL is blank 1, which is called the blank 2.
denied; implicit deny rule