CNT 216: Module 10 - LAN Security Concepts

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Cisco ESA (Email Security Appliance) Functions (5)

1. Block known threats. 2. Remediate against stealth malware that evaded initial detection. 3. Discard emails with bad links (as shown in the figure). 4. Block access to newly infected sites. 5. Encrypt content in outgoing email to prevent data loss.

describe steps to spear phishing attack attempt with a Cisco ESA implemented

1. threat actor sends phishing email to an important organization employee in the network 2. the firewall forwards the email to the Cisco ESA 3. the Cisco ESA analyzes the email, logs it, and discards it if it contains malware

Authenticator (Switch)

802.1X Authentication Process: The switch acts as an intermediary between the client and the authentication server. It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client. Another device that could act as authenticator is a wireless access point.

Client (supplicant)

802.1X Authentication Process: This is a device running 802.1X-compliant client software, which is available for wired or wireless devices.

IP address spoofing attack

A threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet. The legitimate network IP address is hijacked by the threat actor

spear phishing

A variation of phishing in which the phisher sends fraudulent emails to high-profile organization employees or executives that may have elevated login credentials.

ARP poisoning

An attack that corrupts the ARP cache.

DHCP spoofing attack

An attacker configures a fake DHCP server on the network to issue IP configuration to client. They may provide... - a nefarious website as DNS server - an incorrect IP address --> DoS attack - their own address as the default gateway -- MITM attack

VLAN hopping

An exploit that allows an attacker on a VLAN to gain access to traffic on other VLANs that would normally not be accessible by negotiating to become a trunk link

What three services are provided by the AAA framework?

Authentication - who are you? Authorization - what are your rights? Accounting - documentation of actions

Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?

Authorization; The protocols they are authorized to use have been limited

Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?

CDP (Cisco Discovery Protocol)

CDP Reconnaissance

CDP broadcasts are sent unencrypted and unauthenticated. Therefore, an attacker could interfere with the network infrastructure by sending crafted CDP frames containing bogus device information to directly-connected Cisco devices.

Which Layer 2 attack will result in legitimate users not getting valid IP addresses?

DHCP Starvation

DHCP starvation attack

DOS attack on the DHCP server where attacker broadcasts forged DHCP requests to use all available leases

VLAN Attack Mitigation (3 things)

Disable trunking on all access ports. Disable auto trunking on trunk links so that trunks must be manually enabled. Be sure that the native VLAN is only used for trunk links.

Which device monitors SMTP traffic to block threats and encrypt outgoing messages to prevent data loss?

ESA

Which Cisco solution helps prevent MAC and IP address spoofing attacks?

IP Source Guard

Why is authentication with AAA preferred over a local database method?

It provides a fallback authentication method if the administrator forgets that username or password

When security is a concern, which OSI Layer is considered to be the weakest link in a network system?​

Layer 2

Which Layer 2 attack will result in a switch flooding incoming frames to all ports?

MAC Address Overflow

Which attack encrypts the data on hosts in an attempt to extract a monetary payment from the victim?

Ransomware

What two protocols are supported on Cisco devices for AAA communications?

TACACS+ & RADIUS

VLAN Double Tagging Attack

The attacker sends a double tagged frame to the switch. The outer header contains the native VLAN of the switch, the inner tag is the victim VLAN. On arriving at the first switch, the switch reads the native VLAN and therefore forwards it out of all the native VLAN ports. The native VLAN is then stripped from the frame The frame then arrives at the second switch which is unaware of the fact it should have gone to the native VLAN and forwards the frame to the inner VLAN tag.

Authentication Server

The server validates the identity of the client and notifies the switch or wireless access point that the client is or is not authorized to access the LAN and switch services.

Data Breach

This is an attack in which an organization's data servers or hosts are compromised to steal confidential information.

Malware

This is an attack in which an organization's hosts are infected with malicious software that cause a variety of problems. For example, ransomware such as WannaCry, shown in the figure, encrypts the data on a host and locks access to it until a ransom is paid.

Which devices are specifically designed for network security?

VPN-enabled router, NGFW, and NAC

Which device monitors HTTP traffic to block access to risky sites and encrypt outgoing messages?

WSA

Today endpoints are best protected by...

a combination of NAC, host-based AMP software, an email security appliance (ESA), and a web security appliance (WSA)

Distributed Denial of Service (DDoS)

a coordinated attack from many devices, called zombies, with the intention of degrading or halting public access to an organization's website and resources.

Cisco ESA (Email Security Appliance)

a device that is designed to monitor Simple Mail Transfer Protocol (SMTP). It's constantly updated by real-time feeds from the Cisco Talos, which detects and correlates threats and solutions by using a worldwide database monitoring system. This threat intelligence data is pulled by the Cisco ESA every three to five minutes.

IEEE 802.1X

a port-based access control and authentication protocol. This protocol restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN.

Address Spoofing

attacks occur when the threat actor changes the MAC and/or IP address of the threat actor's device to pose as another legitimate device, such as the default gateway

NAC (Network Access Control) Device

device includes authentication, authorization, and accounting (AAA) services. In larger enterprises, these services might be incorporated into an appliance that can manage access policies across a wide variety of users and device types. The Cisco Identity Services Engine (ISE) is an example

phishing attack

entices the user to click a link or open an attachment to gain sensitive information

Cisco WSA (Web Security Appliance)

mitigation technology for web-based threats. It helps organizations address the challenges of securing and controlling web traffic. The Cisco WSA combines advanced malware protection, application visibility and control, acceptable use policy controls, and reporting.

VPN-Enabled Router

provides a secure connection to remote users across a public network and into the enterprise network. VPN services can be integrated into the firewall.

NGFW (Next Generation Firewall)

provides stateful packet inspection, application visibility and control, a next-generation intrusion prevention system (NGIPS), advanced malware protection (AMP), and URL filtering.

STP Attack

the attacking host broadcasts STP bridge protocol data units (BPDUs) containing configuration and topology changes that will force spanning-tree recalculations, as shown in the figure. The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge.

no cdp run

turns off CDP for entire router (global config); mitigates CRP Reconnaissance attacks

no cdp enable

turns off CDP on specific interface; mitigates CRP Reconnaissance attacks

ARP spoofing

uses false gratuitous ARP replies to map any IP address to any MAC address


Kaugnay na mga set ng pag-aaral

The Planets of Our Solar System - The Inner Planets

View Set

Insurance Commissioner/Department

View Set

The Art of Public Speaking - Chapters 1-11, 15, 18

View Set

HESI Comprehensive Exam Practice

View Set