CCC NET 125 Chapter 11
Server-based firewalls.
A firewall application that runs on a network operating system such as UNIX or Windows. These are normally access-control applications that run on a general-purpose OS. Because the underlying OS has inherent weaknesses, this type of firewall is generally less secure than an appliance-based device.
Appliance-based.
A firewall that is built into a dedicated hardware device known as a security appliance. These devices are specialized computers that do not have peripherals or hard drives and are less prone to failure.
The key cause of the failure was high humidity, which is an environmental threat.
A key network switch has failed because of excessive humidity. What type of physical threat caused the problem?
tracert 10.1.1.5
A network technician is investigating network connectivity from a PC to a remote host with the address 10.1.1.5. Which command, when issued on a Windows PC, will display the path to the remote host?
ipconfig /displaydns
A particular website does not appear to be responding on a Windows 7 computer. What command could the technician use to show any cached DNS entries for this web page?
! - Indicates receipt of an ICMP Echo Reply message. . - Indicates that a time expired while waiting for an ICMP Echo Reply message. U - An ICMP unreachable message was received.
A ping issued from the IOS will yield one of several indications for each ICMP echo that was sent. List and explain the most common indicators.
Have a second router that is connected to another ISP.
A small company has only one router as the exit point to its ISP. Which solution could be adopted to maintain connectivity if the router itself, or its connection to the ISP, fails?
False
A weakness of wireless WPA security is that it uses a static pre-configured key to encrypt/decrypt data.
Authentication: Users and administrators must prove that they are who they say they are. Authorization: Authorization services determine which resources the user can access and which operations the user is allowed to perform. Accounting: Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made.
AAA, or "triple A", network security services provide the primary framework to set up access control on a network device. List and explain what the AAA represents.
Information theft, identity theft, data loss/manipulation, disruption of service.
After the hacker gains access to the network, four types of threats may arise. These are:
show file systems
An administrator wants to back up a router configuration file to a USB drive that is connected to the router. Which command should the administrator use to verify that the USB drive is being recognized by the router?
An attacker is using the ping sweep to gather information on the network, making this a reconnaissance attack.
An attacker runs a ping sweep against a network. What type of attack is this?
show interfaces
Can be used to see the status of each interface
devices to learn about each other
Cisco Discovery Protocol (CDP) operates at the data link layer and allows_________________
1. On the File menu, click Log. 2. Choose the location to save the file. 3. After capture has been started, execute the show running-config or show startup-config command at the privileged EXEC prompt. 4. When the capture is complete, select Close in the Tera Term: Log window. 5. View the file to verify that it was not corrupted.
Configuration files can be saved/archived to a text file using Tera Term. What are the steps involved?
real-time traffic
Data traffic that carries signal output as it happens or as fast as possible. This is sensitive to latency and jitter.
Service that assigns the IP address, subnet mask, default gateway, and other information to clients. Ports 67 and 68.
Describe the network service this protocol provides: DHCP
Service that provides the IP address of a site based on host or domain name. Port 53.
Describe the network service this protocol provides: DNS
Service that allows the download and upload of files between a client and server. Ports 20 and 21.
Describe the network service this protocol provides: FTP
Most web pages are accessed using this; used to transfer information between clients and web servers. Port 80.
Describe the network service this protocol provides: HTTP
Transfers email messages between clients and servers. IMAP port 143. POP port 110. SMTP port 25.
Describe the network service this protocol provides: IMAP, SMTP, POP
Service that allows the remote login to a host. Port 23.
Describe the network service this protocol provides: Telnet
Attack mitigation.
Endpoint security also requires securing Layer 2 devices in the network infrastructure to protect against Layer 2 attacks such as MAC address spoofing, MAC address table overflow attacks, and LAN storm attacks. This is known as:
Other programs may need the assistance of application layer services to use network resources like file transfer or network print spooling. Though transparent to an employee, these services are the programs that interface with the network and prepare the data for transfer. Different types of data, whether text, graphics or video, require different network services to ensure that they are properly prepared for processing by the functions occurring at the lower layers of the OSI model.
Explain application layer services.
VoIP devices convert analog voice into digital IP packets. The device could be an analog telephone adapter (ATA) that is attached between a traditional analog phone and the Ethernet switch. After the signals are converted into IP packets, the router sends those packets between corresponding locations.
Explain how VoIP works.
When a Cisco device boots, CDP starts by default. CDP automatically discovers neighboring Cisco devices running CDP, regardless of which Layer 3 protocol or suites are running. CDP exchanges hardware and software device information with its directly connected CDP neighbors.
Explain in detail what happens when a Cisco device boots up and has CDP - Cisco Discovery Protocol - enabled.
Applications are the software programs used to communicate over the network. Some end-user applications are network-aware, meaning that they implement application layer protocols and are able to communicate directly with the lower layers of the protocol stack. Email clients and web browsers are examples of this type of application.
Explain network applications.
A worm installs itself by exploiting known vulnerabilities in systems. After gaining access to a host, a worm copies itself to that host and then selects new targets. The attacker then has access to the host, often as a privileged user, and could escalate the privilege level to administrator.
Explain the three step process of a worm attack.
It verifies the proper operation of the protocol stack from the network layer to the physical layer and back without actually putting a signal on the media.
Explain what pinging the loopback address 127.0.0.1 does.
Packet filtering: Prevents or allows access based on IP or MAC addresses. Application filtering: Prevents or allows access by specific application types based on port numbers. URL filtering: Prevents or allows access to websites based on specific URLs or keywords. Stateful packet inspection - SPI: Incoming packets must be legitimate responses to requests from internal hosts.
Firewall products use various techniques for determining what is permitted or denied access to a network. List and explain the techniques firewalls use.
Redundancy can be accomplished by installing duplicate equipment, but it can also be accomplished by supplying duplicate network links for critical areas.
How can redundancy be accomplished in a network environment?
Using different nonoverlapping channels for communication.
How can you have multiple ISRs operate in close proximity?
Type ping and then press Enter.
How is "extended ping" entered on a Cisco router?
In IP telephony, the IP phone itself performs voice-to-IP conversion. Voice-enabled routers are not required within a network with an integrated IP telephony solution. IP phones use a dedicated server for call control and signaling.
How is IP Telephony different from VoIP?
during peak utilization times
How should traffic flow be captured in order to best understand traffic patterns in a network?
Integrated firewalls.
Implemented by adding firewall functionality to an existing device, such as a router. These are found on most home integrated routers but are also found on higher-end routers that run special operating systems like Cisco IOS.
A small network administrator has the ability to obtain in-person IT "snapshots" of employee application utilization for a significant portion of the employee workforce over time.
In addition to understanding changing traffic trends, a network administrator must also be aware of how network use is changing. What is one method of doing this?
redundancy
In internetworking, a network architecture designed to eliminate network downtime caused by a single point of failure. This includes the replication of devices, services, or connections that support operations even in the event of a failure.
Stateful packet inspection
Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically.
Information gathered by the protocol analyzer is evaluated based on the source and destination of the traffic, as well as the type of traffic being sent.
Information gathered by the protocol analyzer is analyzed based on what?
Trojan horse
It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses).
Network documentation - physical and logical topology. Device inventory - list of devices that use or comprise the network. Budget - itemized IT budget, including fiscal year equipment purchasing budget. Traffic analysis - protocols, applications, and services, and their respective traffic requirements, should be documented.
List and explain the elements required to scale a network.
Containment: Contain the spread of the worm within the network. Compartmentalize uninfected parts of the network. Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems. Quarantine: Track down each infected machine inside the network. Disconnect, remove, or block infected machines from the network. Treatment: Clean and patch each infected system. Some worms might require complete core system reinstallations to clean the system.
List and explain the recommended steps for worm attack mitigation.
RADIUS: An open standard with low use of CPU resources and memory. It is used by a range of network devices, such as switches, routers, and wireless devices. TACACS+: A security mechanism that enables modular authentication, authorization, and accounting services. It uses a TACACS+ daemon running on a security server.
List and explain the two most popular options for external authentication of users.
Device identifiers - For example, the configured host name of a switch. Address list - Up to one network layer address for each protocol supported. Port identifier - The name of the local and remote port in the form of an ASCII character string, such as FastEthernet 0/0. Capabilities list - For example, whether this device is a router or a switch. Platform - The hardware platform of the device; for example, a Cisco 1841 series router.
List and explain what information CDP provides about each CDP neighbor device.
Password attacks, trust exploitation, port redirection, man-in-the-middle.
List several samples of Access attacks.
Internet queries, ping sweeps, port scans, and packet sniffers.
List several samples of Reconnaissance attacks.
show running-config, show interfaces, show arp, show ip route, show protocols, show version
List some of the most popular Cisco IOS show commands.
The Cisco IOS Software version being used. The version of the system bootstrap software, stored in ROM, that was initially used to boot the router. The complete filename of the Cisco IOS image and where the bootstrap program located it. The type of CPU and the amount of RAM. The number and type of physical interfaces. The amount of NVRAM. The amount of flash memory. The currently configured value of the software configuration register in hexadecimal.
List the output from the show version command.
Viruses, worms, Trojan horses.
List the three main types of malicious code attacks.
Making illegal online purchases by posing as another person is identity theft.
Making illegal online purchases is what type of security threat?
Reconnaissance attacks - the discovery and mapping of systems, services, or vulnerabilities. Access attacks - the unauthorized manipulation of data, system access, or user privileges. Denial of service - the disabling or corruption of networks, systems, or services.
Network attacks can be classified into three major categories. List and explain each.
protocol analyzer
A network monitoring device that gathers information regarding the status of the network and the devices attached to it. Also known as a network analyzer or packet sniffer.
Viewing configuration files, checking the status of device interfaces and processes, and verifying the device operational status.
Network technicians use show commands extensively for:
/all
On a Windows workstation use the switch ____________ for the command ipconfig to see the most information about your NIC settings.
ping of death
On the Internet, this is a denial of service (DoS) attack caused by an attacker deliberately sending an IP packet larger than the 65,536 bytes allowed by the IP protocol. The resources it overloads are disk space, bandwidth, and buffers.
Console ports, vty ports
On which two interfaces or ports can security be improved by configuring exec timeouts?
Changing the default username and password, changing the default Linksys IP address, and changing the default DHCP IP address.
Other security implementations that can be configured on a wireless AP include:
This can be very useful when troubleshooting network traffic issues using a protocol analyzer. Administrators are better able to control access to resources on the network based on IP address when a deterministic IP addressing scheme is used.
Planning and documenting the IP addressing scheme helps the administrator to track device types. Explain two reasons why this is important.
packet filtering
Prevents or allows access based on IP or MAC addresses.
application filtering
Prevents or allows access by specific program types based on port numbers.
URL filtering
Prevents or allows access to websites
Personal firewalls.
Reside on host computers and are not designed for LAN implementations. They can be available by default from the OS or can come from an outside vendor. Often used when a host device is directly connected to an ISP and provides protection only for the single host.
A company must have well-documented policies in place and employees must be aware of these rules.
Securing endpoint devices is one of the most challenging jobs of a network administrator, because it involves human nature. What must a company have to accomplish this task?
SSH
Telnet is an unsecure method of accessing a Cisco device "in band". What is a better method?
True
The SSID is a case-sensitive, alphanumeric name for your wireless network.
Technology. Configuring easily guessed passwords creates a vulnerability that can easily be exploited.
The network administrator set the admin password on a new router to pa55w0rd. The security of the router was later compromised. What type of vulnerability allowed the attack?
Through the use of redundant switch connections between multiple switches on the network and between switches and routers.
The smaller the network, the less the chance that redundancy of equipment will be affordable. What is a common way to introduce redundancy in a small network?
Vulnerability, threat, attack.
There are three network security factors. These are:
Technological, configuration, and security
There are three primary vulnerabilities or weaknesses. These are:
Network applications and application layer services.
There are two forms of software programs or processes that provide access to the network:
Worms
These are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate.
Identity theft
This is a form of information theft where personal information is stolen for the purpose of taking over someone's identity. Using this information, an individual can obtain legal documents, apply for credit, and make unauthorized online purchases. Identity theft is a growing problem costing billions of dollars per year.
Virus
This is a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program. It spreads from one computer to another, leaving infections as it travels.
Data loss/manipulation
This is breaking into a computer to destroy or alter data records. Examples of data loss: sending a virus that reformats a computer's hard drive. Examples of data manipulation: breaking into a records system to change information, such as the price of an item.
Information theft
This is breaking into a computer to obtain confidential information. Information can be used or sold for various purposes. Example: stealing an organization's proprietary information, such as research and development information.
Disruption of service
This is preventing legitimate users from accessing services to which they should be entitled. Examples: Denial of Service (DoS) attacks on servers, network devices, or network communications links.
FAT16
To be compatible with a Cisco router, a USB flash drive must be formatted in a _________________ format.
Capture traffic during peak utilization times to get a good representation of the different traffic types. Perform the capture on different network segments; some traffic will be local to a particular segment.
To determine traffic flow patterns, it is important to:
1. Secure file and mail servers in a centralized location. 2. Protect the location from unauthorized access by implementing physical and logical security measures. 3. Create redundancy in the server farm that ensures if one device fails, files are not lost. 4. Configure redundant paths to the servers.
To help ensure availability to network services, the network designer should take the following steps:
Use a password length of at least 8 characters, preferably 10 or more characters. Make passwords complex. Avoid passwords based on repetition, common dictionary words, or other easily identifiable pieces of information. Deliberately misspell a password. Change passwords often. Do not write passwords down and leave them in obvious places.
To protect network devices, it is important to use strong passwords. What are standard guidelines for creating strong passwords?
Real-Time Transport Protocol - RTP and Real-Time Transport Control Protocol - RTCP are two protocols that support this requirement.
To transport streaming media effectively, the network must be able to support applications that require delay-sensitive delivery. List two protocols that support this requirement.
Change default values for the SSID, usernames, and passwords. Disable broadcast SSID. Configure encryption using WEP or WPA.
What are some basic security measures you can take with an ISR?
Default usernames and passwords should be changed immediately. Access to system resources should be restricted to only the individuals who are authorized to use those resources. Any unnecessary services and applications should be turned off and uninstalled when possible.
What are some simple steps that should be taken that apply to most operating systems?
Cost, speed and types of ports/interfaces, expandability, operating system features and services.
What are the factors to consider when planning a small network?
no cdp run
What command can you use to disable CDP globally?
copy run usbflash0:/
What command do you use to copy the configuration file to the USB flash drive?
Threats include the people interested in and qualified to take advantage of each security weakness. Such individuals can be expected to continually search for new exploits and weaknesses.
What do network threats include?
It returns a list of hops as a packet is routed through a network.
What does the Microsoft command tracert or the Cisco IOS command traceroute accomplish?
Reveals the IP address of a neighboring device.
What does the show cdp neighbors detail command reveal about a neighboring device?
The IP address, status, and protocol.
What does the show ip interface brief output display?
Information about the currently loaded software version, along with hardware and device information.
What does the show version command on a switch display?
A protocol analyzer.
What enables a network professional to quickly compile statistical information about traffic flows on a network?
Traffic should be captured on different network segments during peak utilization times to ensure that all traffic types are collected.
What factors should be taken into account when using a protocol analyzer to determine traffic flow in a network?
IP address, subnet mask, default gateway.
What information does the ipconfig command give you?
Wired Equivalency protocol - WEP - is an advanced security feature that encrypts network traffic as it travels through the air. It uses preconfigured keys to encrypt and decrypt data.
What is WEP?
To transport streaming media effectively, the network must be able to support applications that require delay-sensitive delivery.
What is a concern when implementing Real-time applications?
A process for studying the network at regular intervals to ensure that the network is working as designed. It is more than a single report detailing the health of the network at a certain point in time. It is accomplished over a period of time.
What is a network baseline?
Service set identifier, a case-sensitive, alphanumeric name for your wireless network, used to tell wireless devices which WLAN they belong to and with which other devices they can communicate.
What is a wireless SSID?
A multifunction device.
What is an integrated router (ISR)?
Download security updates from the operating system vendor and patch all vulnerable systems.
What is considered the most effective way to mitigate a worm attack?
Vulnerability is the degree of weakness that is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices.
What is network vulnerability?
firewalls
What is one of the most effective security tools available for protecting users from external threats?
Create a central patch server that all systems must communicate with after a set period of time. Any patches that are not applied to a host are automatically downloaded from the patch server and installed without user intervention.
What is one solution to the management of critical security patches?
The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems.
What is the most effective way to mitigate a worm attack?
Containment, inoculation, quarantine, treatment.
What is the order of steps recommended to mitigate a worm attack?
Network protocols support the applications and services used by employees in a small network.
What is the purpose of Network protocols?
Allows the administrator to move around to different directories and list the files in a directory, and to create subdirectories in flash memory or on a disk.
What is the purpose of the Cisco IOS File System (IFS)?
The arp command enables the creation, editing, and display of mappings of physical addresses to known IPv4 addresses.
What is the purpose of the arp command?
Application layer services prepare the data for transfer over the network; they are based on standards and do not provide any sort of human interface. Application programs interface with the user.
What is true of an application layer service?
A Trojan horse is a program that is disguised as another program to trick the user into executing it.
What name is given to a program that is disguised as another program to attack a system?
The show version command will display the configuration register.
What show command can be issued on a Cisco router to view the configuration register value?
A smurf attack overloads a network link by causing multiple Echo Replies to be directed against a target, making it a denial of service attack.
What type of attack is a smurf attack?
voice
What type of traffic would most likely have the highest priority through the network?
Redundancy is eliminating any single point of failure. This could include equipment or links. Keeping a configured device as a spare will assist in the troubleshooting process but is not considered redundancy. Additionally, having a switch that functions at both Layer 2 and Layer 3 is still a single point of failure and is not considered redundancy.
What would be considered examples of redundancy in network design?
show file systems
When backing up to a USB port, it is a good idea to issue the _______________________________ command to verify that the USB drive is there and confirm the name.
On a TFTP server or a USB drive.
Where can backup configuration files be stored?
security passwords min-length
Which Cisco IOS command ensures that all configured passwords are a minimum of a specified length?
service password-encryption
Which Cisco IOS command prevents unauthorized individuals from viewing passwords in plaintext in the configuration file?
show file systems
Which command can be used to view the file systems on a Catalyst switch or Cisco router?
ping
Which command is an effective way to test connectivity?
RouterA(config)# login block-for 30 attempts 2 within 10
Which command will block login attempts on RouterA for a period of 30 seconds if there are 2 failed login attempts within 10 seconds?
network documentation
Which element of scaling a network involves identifying the physical and logical topologies?
FTP and FTPS allow files to be moved on the network. HTTP and HTTPS allow communication between a host and a web server. Telnet and SSH both allow remote login to a device. Secure versions of these protocols should be used whenever possible.
Which network protocol should a network administrator use to remotely configure a network device?
use a RADIUS server to pass authentication traffic
Which of the following is not a basic security measure for wireless?
The five focus areas when implementing a small network are cost, expandability, manageability, speed, and ports. Type of cable run would fall under cost, upgrades to network devices are part of expandability, prioritization of data traffic and IP addressing schemes are part of manageability, bandwidth requirement is part of speed, and number of interfaces required would be ports.
Which planning and design factors would be considered as part of manageability focus when implementing a small network?
'U' may indicate that a router along the path did not contain a route to the destination address and that the ping was unsuccessful.
Which statement is true about Cisco IOS ping indicators?
Voice traffic is very sensitive to delay and should be given the highest priority on the network.
Which type of traffic should be given the highest priority on a network?
It generates new, dynamic keys each time a client establishes a connection with the AP.
Why is Wi-Fi protected access - WPA - a better choice than WEP?
By carefully planning and documenting the address space, troubleshooting, access control, and security are greatly simplified.
Why should the IP addressing scheme be carefully planned and documented?
It allows possible latency issues to be detected. If the ping test is successful with a longer value, a connection exists between the hosts, but latency might be an issue on the network.
Why would a network administrator enter a longer timeout period than the default when running an extended ping from a router?
With stateful packet inspection - SPI - only legitimate responses from internal requests are permitted through the firewall.
With regard to firewall technology, what is stateful packet inspection?
VoIP
_____ allows users of analog phones to take advantage of the IP network.
exec-timeout 10
disconnect a user after a set time of inactivity
show protocols
displays information about any configured protocols running on the router
show version
displays system hardware and software information, including the value of the configuration register.
show arp
displays the contents of the router's ARP table
show ip route
displays the contents of the router's IP routing table
ping ip address
provides a method for checking the protocol stack and IPv4 address configuration on a host as well as testing connectivity to local or remote destination hosts
tracert address
returns a list of hops as a packet is routed through a network
banner motd #message#
set a security notice to users who connect to the device
SSH
Telnet is unsecure, so connect using this protocol to manage a Cisco device
ping 127.0.0.1
verify the internal IP configuration on the local host