CCNAS Final Written Test
List the three things Internal LANs consist of
-Endpoints -Non-endpoint LAN devices -LAN infrastructure
Types of Firewalls
-Packet filtering firewall -Stateful firewall -Application gateway firewall (proxy firewall) -Network address translation (NAT) firewall
Common properties of a firewall
-Resistant to attacks -The only transit point between networks (all traffic flows through the firewall) -Enforces the access control policy
Describe the Disadvantages of Promiscuous Mode (IDS)
-Response action cannot stop trigger packets. -Correct tuning required for response actions. -More vulnerable to network evasion techniques.
Describe Root Guard
-Root guard enforces the placement of root bridges by limiting the switch ports out of which the root bridge can be negotiated. -If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, that port is moved to a root-inconsistent state. -This effectively is equal to an STP listening state, and no data traffic is forwarded across that port.
Describe Cisco ACS
Cisco ACS is a single solution that offers AAA services using TACACS+ or RADIUS.
Traffic filtering
-Can be configured to permit specified TCP and UDP return traffic through a firewall when the connection is initiated from within the network -It accomplishes this by creating temporary openings in an ACL that would otherwise deny the traffic
When an Application Layer attack is detected what actions can the Cisco IOS firewall take?
-Generate alert messages -Protect system resources that could impede performance -Block packets from suspected attackers
List the Actions that can be performed when a signature detects activity
-Generate an alert. -Log the activity. -Drop or prevent the activity. -Reset a TCP connection. -Block future activity. -Allow the activity.
List the Disadvantages of Policy-based Detection
-Generic output -Policy must be created
What command displays info about the state of spanning tree?
Switch# show spanning-tree summary
Network address translation (NAT) firewall
- A firewall that expands the number of IP addresses available and hides network addressing design.
Application gateway firewall (proxy firewall)
- A firewall that filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software.
Packet filtering firewall
- Typically is a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information.
Define a LAN Storm Attack
-A LAN storm occurs when packets flood the LAN, creating excessive traffic -Errors in the protocol stack implementation, mistakes in network configurations, or users issuing a DoS attack can cause a storm -Remember that switches always forward broadcasts out all ports. Some necessary protocols, such as ARP and DHCP, use broadcasts; therefore, switches must be able to forward broadcast traffic.
Describe a LAND Attack and why it is an atomic signature
-A LAND attack is an atomic signature because it sends a spoofed TCP SYN packet (connection initiation) with the IP address of the target host and an open port as both source and destination -The reason a LAND attack works is because it causes the machine to reply to itself continuously. (One packet is required to identify this type of attack)
Describe a SANs Storage Area Network
-A SAN is a specialized network that enables fast, reliable access among servers and external storage resources -A storage device in a SAN is not the exclusive property of any one server -They are shared among all networked servers as peer resources -A SAN does not need to be a physically separate network. It can be a dedicated subnet that carries only business-critical I/O traffic such as reading / writing a file from / to a disk, between servers and storage devices -For example, it will not carry general-purpose traffic
Describe a Composite Type Signature
-A composite signature is also called a stateful signature -This type of signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time -Unlike atomic signatures, the stateful properties of composite signatures usually require several pieces of data to match an attack signature, and an IPS device must maintain state.
What other things must be considered in an in depth defense besides firewalls?
-A significant number of intrusions come from hosts within the network. For example, firewalls often do little to protect against viruses that are downloaded through email -Firewalls do not protect against rogue modem installations -Firewalls do not replace backup and disaster recovery -Firewalls are no substitute for informed administrators and users.
Describe a Summary Alert
-A summary alert is a single alert that indicates multiple occurrences of the same signature from the same source address or port -Alarm summary modes limit the number of alerts generated and make it difficult for an attacker to consume resources on the sensor
Describe VSANs
-A virtual storage area network (VSAN) is a collection of ports from a set of connected Fibre Channel switches that form a virtual fabric -Originally developed by Cisco but now an ANSI standard. VSANs strongly resemble VLANs -VSANs utilize hardware-based isolation, meaning that traffic is explicitly tagged across inter-switch links with VSAN membership information
Identify the ZPF Rules
-A zone must be configured before interfaces can be assigned to it. -We can assign an interface to only one security zone. -If traffic is to flow between all interfaces in a router, each interface must be a member of a zone. -Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone. -To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone. -Traffic cannot flow between a zone member interface and any interface that is not a zone member. -We can apply pass, inspect, and drop actions only between two zones. -Interfaces that have not been assigned to a zone can still use a CBAC stateful packet inspection configuration. -If we do not want an interface to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (also known as a dummy policy) between that zone and any other zone to which traffic flow is desired.
What Technologies are used in a firewall?
-ACLs: standard, extended, numbered, and named ACLs -Advanced ACLs: stateful firewall (ACLs with the established keyword), reflexive (dynamic) ACLs, time-based ACLs -Zone-Based Firewall feature
Name three ways sensors can be implemented
-Added to an ISR router -Added to an ASA firewall appliance -Added to a Catalyst 6500 switch
Define and Describe a Signature File and how it is used by the IPS
-All signatures are contained in a signature file and are uploaded to an IPS on a regular basis -The signature file contains a package of network signatures intended as an update to the signature database -This signature database is used by the IPS or IDS solution to compare network traffic against data patterns within the signature-file library. -The IPS or IDS uses this comparison to detect suspected malicious network traffic behavior
Define the purpose of NAC "Network Admission Control"
-Allow only authorized and compliant systems (whether managed or unmanaged) to access the network -And to enforce network security policy.
What do dynamic ACLs do, and what are they also called?
-Also called a lock-and-key ACL -Dynamic ACLs authenticate the user and then permit limited access through your firewall router for a host or subnet for a finite period.
Describe the functions of an IPS
-An IPS device is implemented in inline mode -All traffic must flow through it for processing -An IPS does not allow packets to enter the trusted side of the network without first being analyzed -It can detect and immediately address a network problem
List the Disadvantages of Anomaly-based Detection
-An alert from an anomaly signature does not necessarily indicate an attack. It indicates only a deviation from the defined normal activity, which can sometimes occur from valid user traffic -As the network evolves, the definition of normal usually changes, so the definition of normal must be redefined -The administrator must guarantee that the network is free of attack traffic during the learning phase -When a signature does generate an alert, it might be difficult to correlate that alert back to a specific attack, because the alert indicates only that non-normal traffic has been detected
Describe an Atomic Type Signature
-An atomic signature is the simplest type of signature -It consists of a single packet, activity, or event that is examined to determine if it matches a configured signature -If it does, an alarm is triggered, and a signature action is performed -Because these signatures can be matched on a single event, they do not require an intrusion system to maintain state information (stateless)
Describe Anomaly-based Detection
-Anomaly-based detection, also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host -This normal profile can be learned by monitoring activity on the network or specific applications on the host over a period of time. It can also be based on a defined specification, such as an RFC -After defining normal activity, the signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile
List the five micro engines that Cisco IOS Release 12.4(6)T has
-Atomic - Signatures that examine simple packets, such as ICMP and UDP. -Service - Signatures that examine the many services that are attacked. -String - Signatures that use regular expression-based patterns to detect intrusions. -Multi-string - Supports flexible pattern matching and Trend Labs signatures. -Other - Internal engine that handles miscellaneous signatures.
Describe an Atomic Alert
-Atomic alerts are generated every time a signature triggers -An attacker might be able to flood the monitor console with alerts by generating thousands of bogus alerts
Describe BPDU Guard
-BPDU guard is used to protect the switched network from the problems caused by receiving BPDUs on ports that should not be receiving them -The receipt of unexpected BPDUs might be accidental or part of an unauthorized attempt to add a switch to the network -If a port that is configured with PortFast receives a BPDU, STP can put the port into the disabled state by using BPDU guard -BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacking host
CBAC or ZPF?
-Both CBAC and zones can be enabled concurrently on a router, just not on the same interface. -For example, an interface cannot be configured as a security zone member and configured for IP inspection simultaneously.
Explain how to mitigate MAC Address Spoofing and MAC address table overflow attacks
-Both MAC spoofing and MAC address table overflow attacks can be mitigated by configuring port security on the switch -With port security, the administrator can either statically specify the MAC addresses on a particular switch port or allow the switch to dynamically learn a fixed number of MAC addresses for a switch port. (Dynamically is more scalable)
Generation of audits and alerts
-CBAC also generates real-time alerts and audit trails -Real-time alerts send syslog error messages to central management consoles upon detecting suspicious activity
Intrusion detection
-CBAC provides a limited amount of intrusion detection to protect against specific SMTP attacks -With intrusion detection, syslog messages are reviewed and monitored for specific attack signatures
What firewall solutions does Cisco Systems provide for network security professionals?
-Cisco IOS Firewall -PIX Security Appliances (this product is now end of life) -Adaptive Security Appliances
List and describe the Cisco NAC Components
-Cisco NAC Appliance Server (NAS): Device that provides in-band or out-of-band access control. -Cisco NAC Appliance Manager (NAM): A web-based interface for creating security policies and managing online users. The Cisco NAM manages the Cisco NAS, which is the enforcement component of the Cisco NAC Appliance. -Cisco NAC Appliance Agent (NAA): Optional lightweight client for device-based registry scans in unmanaged environments. It can determine whether a device has the required antivirus .dat file, security patch, or critical Windows hotfix. -Rule-set updates: Provides scheduled automatic updates for antivirus, critical hotfixes, and other applications.
List some information about Updating Signatures
-Cisco investigates and creates signatures for new threats and malicious behavior as they are discovered and publishes them regularly -Typically, lower priority IPS signature files are published biweekly -If the threat is severe, Cisco publishes signature files within hours of identification -To protect a network, the signature file must be updated regularly
Benefits of using a firewall in a network
-Exposure of hosts and applications to untrusted users can be prevented -The protocol flow can be sanitized, preventing the exploitation of protocol flaws -Malicious data can be blocked from servers and clients. -Security policy enforcement can be made simple, scalable, and robust -Offloading most of the network access control to a few points in the network can reduce complexity
Describe Honey Pot-based Detection
-Honey pot-based detection uses a dummy server to attract attacks. -The purpose of the honey pot approach is to distract attacks away from real network devices. -By staging different types of vulnerabilities in the honey pot server, administrators can analyze incoming types of attacks and malicious traffic patterns. They can then use this analysis to tune their sensor signatures to detect new types of malicious network traffic.
Limitations of a firewall
-If misconfigured, a firewall can have serious consequences -Data from many applications cannot be passed over firewalls securely -Users might search for ways around the firewall, exposing the network -Network performance can slow down -Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.
Name disadvantages of using a Network IPS
-If network data is encrypted this can essentially blind network IPS, allowing attacks to go undetected -Another problem is that IPS has a difficult time reconstructing fragmented traffic for monitoring purposes -Finally, as networks become larger in terms of bandwidth, it becomes more difficult to place network IPS at a single location and successfully capture all traffic
Describe why logging the activity is important
-In some situations, an administrator does not necessarily have enough information to stop an activity -Therefore, logging the actions or packets that are seen so that they can be analyzed later in more detail is very important
Benefits of AAA
-Increased flexibility and control of access configuration -Scalability -Multiple backup systems -Standardized authentication methods
Adaptive Security Appliances
-Integrate firewall capabilities, Cisco Unified Communications (voice and video) security, Secure Sockets Layer (SSL) and IPsec VPN, IPS, and content security services -provides intelligent threat defense and secure communications services that stop attacks before they affect business continuity -designed to protect networks of all sizes
What is a Zone Based Policy Firewall?
-Interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones -A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface -It also has the ability to prohibit traffic via a default deny-all policy between firewall zones
Step 1. Pick an interface - internal or external
-Internal and external refers to the direction of conversation -The interface in which sessions can be initiated must be selected as the internal interface. Sessions that originate from the external interface will be blocked
Describe the functions of Cisco IronPort
-IronPort is a leading provider of anti-spam, antivirus, and anti-spyware appliances -IronPort uses SenderBase, the world's largest threat detection database, to help provide preventive and reactive security measures -IronPort helps prevent Internet threats of all types from reaching the desktops of employees
Traffic inspection
-It inspects packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets -CBAC can also be configured to drop half-open connections
What are some of the benefits of ZPF?
-It is not dependent on ACLs -The router security posture is to block unless explicitly allowed -Policies are easy to read and troubleshoot with C3PL -One policy affects any given traffic, instead of needing multiple ACLs and inspection actions
If a threshold for the number of half-opened TCP sessions is exceeded, the firewall has two options:
-It sends a reset message to the endpoints of the oldest half-opened session, making resources available to service newly arriving SYN packets -It blocks all SYN packets temporarily for the duration that the threshold value is configured. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources that valid connections need.
Define a MAC Address Spoofing Attack
-MAC spoofing attacks occur when an attacker alters the MAC address of their host to match another known MAC address of a target host -The attacking host then sends a frame throughout the network with the newly configured MAC address. When the switch receives the frame, it examines the source MAC address. The switch overwrites the current MAC address table entry and assigns the MAC address to the new port. -It then inadvertently forwards frames destined for the target host to the attacking host
What is a "Signature" and how does an IPS use it?
-Malicious traffic displays distinct characteristics or "signatures." -A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity -Signatures uniquely identify specific worms, viruses, protocol anomalies, or malicious traffic -IPS sensors are tuned to look for matching signatures or abnormal traffic patterns
Describe iSCSI
-Maps SCSI over TCP/IP and is typically used in the LAN -Leverages existing IP networks to build and extend SANs by using TCP/IP to transport SCSI commands, data, and status between hosts or initiators and storage devices or targets, such as storage subsystems and tape devices
Describe Storm control
-Monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast -The switch counts the number of packets of a specified type received within a certain time interval and compares the measurement with a predefined suppression-level threshold -Storm control then blocks traffic when the rising threshold is reached - The port remains blocked until the traffic rate drops below the falling threshold
Stateful firewall
-Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state. -Able to determine if a packet belongs to an existing flow of data. -They maintain a session table (state table) where they track all connections.
Blocking Future Activity
-Most IPS devices have the capability to block future traffic by having the IPS device update the access control lists (ACLs) on one of the infrastructure devices -The ACL stops traffic from an attacking system without requiring the IPS to consume resources analyzing the traffic -After a configured period of time, the IPS device removes the ACL
Implementing CBAC is complex and can be overwhelming. Unlike ZPF, CBAC does not utilize any dedicated hierarchical data structures to modularize the implementation. CBAC has these limitations:
-Multiple inspection policies and ACLs on several interfaces on a router make it difficult to correlate the policies for traffic between multiple interfaces -Policies cannot be tied to a host group or subnet with an ACL. All traffic through a given interface is subject to the same inspection -The process relies too heavily on ACLs
Describe the Advantages of Promiscuous Mode (IDS)
-No impact on network (latency, jitter). -No network impact if there is a sensor failure or a sensor overload.
Describe Fiber Channel Zoning
-Partitioning the Fibre Channel fabric into smaller subsets is called Fibre Channel zoning -If a SAN contains several storage devices, one device should not necessarily be allowed to interact with all the other devices in the SAN
Describe the functions of an IDS
-Passively monitors the traffic on a network -Copies the traffic stream, and analyzes the monitored traffic rather than the actual forwarded packets -Working offline, it compares the captured traffic stream with known malicious signatures -Generates an alert log when malicious traffic is found -Uses a Promiscuous interface
Describe Pattern-based Detection
-Pattern-based detection, also known as signature-based detection, is the simplest triggering mechanism because it searches for a specific, pre-defined pattern -A signature-based IDS or IPS sensor compares the network traffic to a database of known attacks and triggers an alarm or prevents communication if a match is found -It can be detected in a single packet (atomic) or in a sequence of packets (composite)
Describe Policy-based Detection "Behavior-Based Detection"
-Policy-based detection, also known as behavior-based detection, is similar to pattern-based detection, but instead of trying to define specific patterns, the administrator defines behaviors that are suspicious based on historical analysis. -The use of behaviors enables a single signature to cover an entire class of activities without having to specify each individual situation.
Describe Fiber Channel over IP (FCIP) in SANs
-Popular SAN-to-SAN connectivity model that is used over the WAN or MAN (metropolitan area network) -SAN designers can use the open-standard FCIP protocol to break the distance barrier of current Fibre Channel solutions and enable interconnection of SAN islands over extended distances.
Describe PortFast
-PortFast can be used on Layer 2 access ports that connect to a single workstation or server to allow those devices to connect to the network immediately, instead of waiting for STP to converge. -Should only be used on Access Ports -If PortFast is enabled on a port connecting to another switch, there is a risk of creating a spanning-tree loop.
Generic list that can serve as a starting point for firewall security policy
-Position firewalls at critical security boundaries -It is unwise to rely exclusively on a firewall for security -Deny all traffic by default, and permit only services that are needed -Ensure that physical access to the firewall is controlled -Regularly monitor firewall logs -Practice change management for firewall configuration changes -Firewalls primarily protect from technical attacks originating from the outside. Inside attacks tend to be nontechnical in nature.
Describe the purpose of Cisco IronPort
-Protects enterprises against Internet threats, with a focus on email and web security, two of the main endpoint security considerations
Name the two key functions of event monitoring and management
-Real-time event monitoring and management. -Analysis based on archived information (reporting).
How does SPAN work with an IDS?
-SPAN can be used to mirror traffic to another port where a probe or an IDS sensor is connected. -IDS devices need to read all packets in one or more VLANs, and SPAN can be used to get the packets to the IDS devices.
Describe SPAN
-SPAN can send a copy of traffic from one port to another port on the same switch where a network analyzer or monitoring device is connected -SPAN copies (or mirrors) traffic received, sent, or both on source ports or source VLANs to a destination port for analysis -SPAN does not affect the switching of network traffic on the source ports or VLANs -The destination port is dedicated for SPAN use -RSPAN (remote) can send a copy of traffic to a port on a different switch
Explain the difference between BPDU Guard and Root Guard
-Similar, but their impact is different. -BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port -Must manually re-enable the port that is put into errdisable state or configure an errdisable timeout. -Root guard allows the device to participate in STP as long as the device does not try to become the root. -If root guard blocks the port, subsequent recovery is automatic -Recovery occurs as soon as the offending device ceases to send superior BPDUs.
Describe the Disadvantages of Inline Mode (IPS)
-Some impact on network (latency, jitter) because traffic has to go through the IPS sensor -Sensor failure or overloading impacts the network negatively -Must be appropriately sized and implemented so that time-sensitive applications, such as VoIP, are not negatively affected
What criteria does a packet filtering firewall permit or deny based on traffic?
-Source IP address -Destination IP address -Protocol -Source port number -Destination port number -Synchronize/start (SYN) packet receipt
Describe a VLAN Hopping Attack
-Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination -Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue switch
Describe State Information in regards to an Atomic Type Signature
-State refers to situations in which multiple packets of information are required that are not necessarily received at the same time. -With atomic signatures, the entire inspection can be accomplished in an atomic operation that does not require any knowledge of past or future activities.
Describe the Advantages of Inline Mode (IPS)
-Stops trigger packets, the packets in a connection, or packets from a source IP address -Can use stream normalization techniques to reduce or eliminate many of the network security evasion capabilities that exist
What do Dynamic ACLs depend on?
-Telnet connectivity -Authentication (local or remote) -Extended ACLs
Describe the Cisco NAC Appliance
-The Cisco NAC Appliance solution condenses the four NAC functions into an appliance form and provides a turnkey solution to control network access -A natural fit for medium-sized networks requiring a self-contained, turnkey solution -The Cisco NAC Appliance is ideal for organizations that need simplified and integrated tracking of operating system and antivirus patches and vulnerability updates -It does not require a Cisco network.
Dropping or Preventing the Activity
-The IPS drops packets or prevents an activity from occurring. This action enables the device to stop an attack before it has the chance to perform malicious activity -The drop action can be expanded to drop all packets for a specific session or even all packets from a specific host for a certain amount of time
Describe the NAC Framework method
-The NAC framework uses the existing Cisco network infrastructure and third-party software to enforce security policy compliance on all endpoints -The NAC framework is suited for high-performance network environments with diverse endpoints (Large networks) -Different devices in the network, not necessarily one device, can provide the four features of NAC
Describe the PVLAN Edge (Protected Ports)
-The PVLAN Edge feature, also known as protected ports, prevents the forwarding of traffic (unicast, multicast, or broadcast) between protected ports. -Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic is forwarded because these packets are processed by the CPU and forwarded in software. -All data traffic passing between protected ports must be forwarded through a Layer 3 device. -Forwarding behavior between a protected port and a non-protected port proceeds as usual. -The default is to have no protected ports defined.
Resetting a TCP Connection
-The TCP Reset Signature Action is a basic action that can be used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set -Many IPS devices use the TCP reset action to abruptly end a TCP connection that is performing unwanted operations
What does the TCP Established Keyword do?
-The TCP established keyword blocks all traffic coming from the Internet except for the TCP reply traffic associated with established TCP traffic initiated from the inside of the network. -The established keyword forces the router to check whether the TCP ACK or RST control flag is set. -If the ACK flag is set, the TCP traffic is allowed in. If not, it is assumed that the traffic is associated with a new connection initiated from the outside. -Not stateful
Step 3. Define inspection rules
-The administrator must define inspection rules to specify which Application Layer protocols to inspect at an interface -An inspection rule should specify each desired Application Layer protocol to inspect, as well as generic TCP, UDP, or ICMP, if desired
Name advantages and disadvantages of an IPS
-The advantage of operating in inline mode is that the IPS can stop single-packet attacks from reaching the target system -The disadvantage is that a poorly configured IPS or an inappropriate IPS solution can negatively affect the packet flow of the forwarded traffic
Name advantages and disadvantages of an IDS
-The advantage of operating with a copy of the traffic is that the IDS does not negatively affect the actual packet flow of the forwarded traffic (it does not slow the network) -The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target before responding to the attack.
Define and Describe the "Event Horizon"
-The length of time that the signatures must maintain state is known as the event horizon. -The length of an event horizon varies from one signature to another -An IPS cannot maintain state information indefinitely without eventually running out of resources -Therefore, an IPS uses a configured event horizon to determine how long it looks for a specific attack signature
Define a MAC address table overflow Attack
-The most common way of implementing a MAC address table overflow attack is using the macof tool -This tool floods a switch with frames containing randomly generated source and destination MAC and IP addresses -Over a short period of time, the MAC address table fills up -When the MAC address table is full of invalid source MAC addresses, the switch begins to flood all frames that it receives. As long as macof is left running, the table on the switch remains full, and the switch continues to flood all received frames out of every port.
Describe Fiber Channel in SANs
-The primary SAN transport for host-to-SAN connectivity. -Fibre Channel networks provide a serial transport for the SCSI protocol.
Describe the IronPort Senderbase
-The world's largest email traffic monitoring service -SenderBase collects data from more than 100,000 ISPs -SenderBase has the most accurate view of the sending patterns of any given mail sender because of the size of the database -IronPort licenses SenderBase data to the open-source community and other institutions that are participating in the fight against spam.
Describe Signature Micro-Engines
-They categorize common signatures in groups -Cisco IOS software can then scan for multiple signatures based on group characteristics, instead of one at a time -The available SMEs vary depending on the platform, Cisco IOS version, and version of the signature file
Define STP Manipulation
-To conduct an STP manipulation attack, the attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations -The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge -If successful, the attacking host becomes the root bridge and sees a variety of frames that otherwise are not accessible
Describe how to mitigate VLAN Attacks
-To mitigate VLAN hopping attacks, ensure that trunking is only enabled on ports that require trunking. -Also be sure to disable DTP (auto trunking) negotiations and manually enable trunking. -To mitigate double 802.1Q encapsulation VLAN attacks, the switch must look further into the frame to determine whether more than one VLAN tag is attached to it. -Use a dedicated native VLAN for all trunk ports. -Also disable all unused switch ports and place them in an unused VLAN.
Explain how to mitigate a VLAN Attack
-Turn off trunking on all ports, except the ones that specifically require trunking -On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking
Steps to AAA authorization
-The user has authenticated and a session has been established to the AAA server. -When the user attempts to enter a privileged EXEC mode command, the router requests authorization from the AAA server to verify that the user has the right to use it. -The AAA server returns a "PASS/FAIL" response.
Implementation/Example of Dynamic ACL
-Users who want to traverse the router are blocked by the ACL until they use Telnet to connect to the router and are authenticated. -Users authenticate using Telnet, and the Telnet session is then dropped. -A single-entry dynamic ACL is then added to the existing extended ACL. -This permits traffic for a particular period; idle and absolute timeouts are possible.
Explain how enabling Port Security helps prevent MAC spoofing and MAC table overflows
-When MAC addresses are assigned to a secure port, the port does not forward frames with source MAC addresses outside the group of defined addresses -When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) -If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down until it is administratively enabled (default mode) or drops incoming frames from the insecure host (restrict option)
When to use Dynamic ACLs?
-When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. -When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall.
Describe Cisco Global Correlation and how it is used
-With global correlation, Cisco IPS devices receive regular threat updates from a centralized Cisco threat database called the Cisco SensorBase Network -The Cisco SensorBase Network contains real-time, detailed information about known threats on the Internet -Participating IPS devices are part of the SensorBase Network, and receive global correlation updates that include information on network devices with a reputation for malicious activity -The reputation analysis data contained in the global correlation updates is factored into the analysis of network traffic -Traffic is denied or allowed based on the reputation of the source IP address
List the Fiber Channel Zoning Rules
-Zone members see only other members of the zone -Zones can be configured dynamically based on WWN -Devices can be members of more than one zone -Switched fabric zoning can take place at the port or device level, based on the physical switch port, device WWN, or LUN ID
List the four important features that NAC provides in order to maintain network stability
-authentication and authorization -posture assessment (evaluating an incoming device against the policies of the network) -quarantining of noncompliant systems -remediation of noncompliant systems.
What does a Reflexive ACL do?
-Reflexive ACLs filter traffic based on source and destination addresses and port numbers. -Session filtering uses temporary filters that are removed when a session is over, adding a time limit on a hacker's attack opportunity. -They allow IP traffic for sessions originating from the internal network while denying IP traffic for sessions originating outside the network. -The router examines the outbound traffic and, when it sees a new connection, adds an entry to a temporary ACL to allow replies back in.
PIX Security Appliances (this product is now end of life)
-standalone device that delivers robust user and application policy enforcement, multivector attack protection, and secure connectivity services -can scale to meet a range of requirements and network sizes
What four main functions does CBAC provide?
-traffic filtering -traffic inspection -intrusion detection -generation of audits and alerts
Steps for server-based AAA authentication
1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server.
What is a Zero-Day Attack?
A computer attack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor.
Name Advantages of using a Network IPS
A network-based monitoring system can easily see attacks that are occurring across the entire network
Packet Mode
A user sends a request to establish a connection through the router with a device on the network.
Character Mode
A user sends a request to establish an EXEC mode process with the router for administrative purposes
Accounting and auditing
Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made
Describe the Treatment Phase
Actively infected systems are disinfected of the worm.
What two type of aging are supported?
Absolute, Inactivity
Define both Absolute and Inactivity
Absolute - The secure addresses on the port are deleted after the specified aging time. Inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging time.
Describe an Access Attack
Access Attacks: Exploitation of known vulnerabilities in authentication servers, FTP services, and web services to gain confidential information. The goal is to retrieve data, gain access, and/or escalate access privileges.
Authorization
After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.
Describe the Inoculation Phase
All uninfected systems are patched with the appropriate vendor patch for the vulnerability. The inoculation process further deprives the worm of any available targets.
Cisco IOS Firewall
An enterprise-class firewall for support of small and medium-sized business (SMB) and enterprise branch offices. Runs on a router.
Define a "False Negative"
Attack traffic, no alarm generated. Action: tune the alarm.
Define a "True Positive"
Attack traffic, alarm generated. Outcome: ideal.
AAA
Authentication, Authorization and Accounting
Describe Cisco Autosecure
AutoSecure is a single privileged EXEC program that allows elimination of many potential security threats quickly and easily. AutoSecure helps to make you more efficient at securing Cisco routers. It can lock down the router's planes (management, control, and data).
List the three security appliances offered by IronPort
C-Series S-Series M-Series
Define the IronPort C-Series
C-Series - An email security appliance for virus and spam control.
Describe NFP
Cisco Network Foundation Protection (NFP) framework provides guidelines for protecting a network.
List the Four Phases of treating a Worm infection
Containment Inoculation Quarantine Treatment
List the three planes of NFP
Control Plane Management Plane Data Plane (forwarding plane)
Describe the Control Plane
Control Plane: Responsible for routing data correctly. Consists of device generated packets required for the operation of the network. (OSPF advertisements, ARP messages).
Describe the Data Plane
Data Plane (Forwarding Plane): Responsible for forwarding data. User generated packets being forwarded between endstations.
Describe a DoS Attack
Denial of Service Attacks: send an extremely large number of requests over the Internet, and the excessive requests cause the target to run slowly or halt. Maliciously formatted input data can also cause a crash.
List some VLAN Security Best Practices
-Disable auto-trunking on user-facing ports (DTP off) -Explicitly configure trunking on infrastructure ports -Disable unused ports and put them in an unused VLAN -Use distinct VLAN assignments for management, native, user/data, voice, black hole, and private -Be paranoid: do not use VLAN 1 for anything except Layer 2 protocol control traffic
Define the Layers of Defense in-Depth
Endpoint security: Provides identity and device security policy compliance. Perimeter security: Secures boundaries between zones. Core network security: Protects against malicious software and traffic anomalies, enforces network policies, and ensures survivability. Disaster recovery: Achieved with offsite storage and redundant architecture.
List the Advantages of Pattern-based Detection
Easy configuration Fewer false positives Good signature design
More info about monitoring
Event monitoring and management can be hosted on a single server or on separate servers for larger deployments. It is recommended that a maximum of 25 well-tuned sensors report to a single IPS management console. The Cisco IOS IPS feature can send a syslog message or an alarm in Secure Device Event Exchange (SDEE) format. An SDEE system alarm message has this type of format: %IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [192.168.121.1:137 ->192.168.121.255:137]
Configs for Storm Control
Example: SW1(config-if)# storm-control broadcast level 75.5 SW1(config-if)# storm-control multicast level pps 2k 1k SW1(config-if)# storm-control action shutdown The trap and shutdown options are independent of each other. If the trap action is configured, the switch will send an SNMP log message when a storm occurs. If the shutdown action is configured, the port is error-disabled during a storm, and the no shutdown interface configuration command must be used to bring the interface out of this state.
List the major SAN Transport Technologies
Fiber Channel Fiber Channel over IP (FCIP) Internet Small Computer Systems Interface (iSCSI) Gigabit Ethernet Optical network
Step 4. Identify subset within zones and merge traffic requirements
For each firewall device in the design, the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones, resulting in a device-specific interzone policy.
Step 2. Establish policies between zones
For each pair of source-destination zones, the sessions that clients in source zones are allowed to open to servers in destination zones are defined. For traffic that is not based on the concept of sessions (for example, IPsec Encapsulating Security Payload [ESP]), the administrator must define unidirectional traffic flows from source to destination and vice versa.
Step 2. Configure IP ACLs at the interface
Guidelines for configuring IP ACLs on a Cisco IOS Firewall: -Start with a basic configuration. A basic initial configuration allows all network traffic to flow from protected networks to unprotected networks while blocking network traffic from unprotected networks -Permit traffic that the Cisco IOS Firewall is to inspect -Use extended ACLs to filter traffic that enters the router from unprotected networks -Set up antispoofing protection by denying any inbound traffic (incoming on an external interface) from a source address that matches an address on the protected network -Deny broadcast messages with a source address of 255.255.255.255. This entry helps prevent broadcast attacks -By default, the last entry in an ACL is an implicit denial of all IP traffic that is not specifically allowed by other entries in the ACL
Describe the TrustSec solution
In the NAC Appliance-based TrustSec approach, Cisco NAC Manager (NAM) is a policy server that works with Cisco NAC Server (NAS) to authenticate users and assess their devices over LAN, wireless, or VPN connections.
What is TCP Established?
Introduced in 1995, the first-generation IOS traffic filtering solution was based on the TCP established keyword for extended IP ACLs.
Describe the parameter Shutdown
-In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED -It also sends an SNMP trap, logs a syslog message, and increments the violation counter -When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands
Describe the parameter Shutdown vlan
In this mode, only the VLAN on which the violation occurred is error-disabled
What does Context-based access control (CBAC) do?
-Intelligently filters TCP and UDP packets based on Application Layer protocol session information. -It provides stateful Application Layer filtering, including protocols that are specific to unique applications, as well as multimedia applications and protocols that require multiple channels for communication -Monitors TCP connection setup -Tracks TCP sequence numbers -Monitors UDP session information -Inspects DNS queries and replies -Inspects common ICMP message types -Supports applications that rely on multiple connections -Inspects embedded addresses -Inspects Application Layer information
List and describe the two modes of operation within AutoSecure
Interactive mode: Prompts to choose the way you want to configure router services and other security-related features. Noninteractive mode: Configures security-related features on your router based on a set of Cisco defaults.
Step 1. Determine the Zones: Define
Internetworking infrastructure under consideration is split into well-documented separate zones with various security levels
List some endpoint devices
Laptops Desktops IP phones Personal digital assistants (PDAs) Servers Printers
Explain the underlying threats to Layer 2
Layer 2 can be a very weak link to the higher OSI Layers because if Layer 2 is compromised, hackers can work their way up. It is important for the network security professional to remember that Layer 2 attacks typically require internal access
Describe the Containment Phase
Limiting the spread of a worm infection to areas of the network that are already affected. This requires compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems.
Name the two types of AAA Authentication
Local AAA, Server-based AAA
Local AAA Authentication
Local AAA uses a local database for authentication. This method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database. This database is the same one required for establishing role-based CLI. Local AAA is ideal for small networks.
List the Four Levels a Signature can be tuned to
Low: Abnormal network activity is detected that could be perceived as malicious, but an immediate threat is not likely. Medium: Abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely. High: Attacks used to gain access or cause a DoS attack are detected, and an immediate threat is extremely likely. Informational: Activity that triggers the signature is not considered an immediate threat, but the information provided is useful information.
Define the IronPort M-Series
M-Series - A security management appliance that complements the email and web security appliances by managing and monitoring an organization's policy settings and audit information
List the Layer 2 attacks that must be mitigated in the layer 2 infrastructure
MAC address spoofing STP manipulation MAC address table overflows LAN storms VLAN attacks.
List some of the LAN attacks that must be mitigated
MAC address spoofing attacks STP manipulation attacks MAC address table overflow attacks LAN storm attacks VLAN attacks
List some Layer 2 Security Best Practices
-Manage switches in a secure manner (SSH, out-of-band management, ACLs, etc.) -Set all user ports to non-trunking ports (unless you are using Cisco VoIP) -Use port security where possible for access ports -Use CDP only where necessary (with phones it is useful) -Configure PortFast on all non-trunking ports -Configure BPDU guard on all non-trunking ports -Configure root guard on STP root ports
Describe the Management Plane
Management Plane: Responsible for managing network elements. Management plane traffic is generated either by network devices or network management stations using processes and protocols such as Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP, syslog, TACACS+, RADIUS, and NetFlow.
Name the Two methods in which NAC can be implemented and their main purpose
-NAC Framework -Cisco NAC Appliance -The goal of both the NAC Framework and the Cisco NAC Appliance is to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network.
Define a Firewall
Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources.
Name the privilege levels limitations
No access control to specific interfaces, ports, logical interfaces, and slots on a router. Commands available at lower privilege levels are always executable at higher levels. Commands specifically set on a higher privilege level are not available for lower privileged users. Assigning a command with multiple keywords to a specific privilege level also assigns all commands associated with the first keywords to the same privilege level. An example is the show ip route command. If an administrator needs to create a user account that has access to most but not all commands, privilege exec statements must be configured for every command that must be executed at a privilege level lower than 15. This can be a tedious process.
List the Disadvantages of Pattern-based Detection
No detection of unknown signatures Initially a lot of false positives Signatures must be created, updated, and tuned
Define a "False Positive"
Normal user traffic, alarm generated. Action: tune the alarm.
Define a "True Negative"
Normal user traffic, no alarm generated. Outcome: ideal.
Describe Operating System Security
Operating System Security: secure the features and performance of the router operating system -Configure the router with maximum memory (protects against DoS) -Use the latest stable version of the OS -Keep a backup of the router OS image and router configuration file
List the four types of Signature Triggers
Pattern-based detection Policy-based detection Anomaly-based detection Honey pot-based detection
What are the three areas of Router Security? (Securing Network Devices)
Physical Security Router Hardening Operating System Security
Describe Physical Security
Physical Security: provide physical security for the routers -Locked room -Cooling/moisture control -Uninterruptible power supply (UPS) -Free of electrostatic/magnetic interference
Diameter Protocol
Planned replacement for RADIUS. Diameter uses a new transport protocol called Stream Control Transmission Protocol (SCTP) and TCP instead of UDP.
Define Port Aging
Port security aging can be used to set the aging time for static and dynamic secure addresses on a port
List the four violation rules (parameters) for access port security
Protect Restrict Shutdown Shutdown vlan
What are the domains of network security?
Provides an organized framework to help learn about network security. There are 12 specified by the ISO/IEC. (don't need to memorize) • Risk assessment • Security policy • Asset management • Etc. 1.1.4.1
Name some things that the Cisco NAC Appliance can be used for
-Recognize users, their devices, and their roles in the network -Evaluate whether machines are compliant with security policies -Enforce security policies by blocking, isolating, and repairing noncompliant machines -Provide easy and secure guest access -Simplify non-authenticating device access -Audit and report who is on the network
List the three types of Network Attacks
Reconnaissance, Access, Denial of Service (DoS)
Describe a Reconnaissance Attack
Reconnaissance Attacks: The unauthorized discovery and mapping of systems, services, or vulnerabilities in a network. Often by using packet sniffers/port scanners. Typically a precursor to further attacks.
Difference between TACACS+ and RADIUS
Refer to Slide#18 CCNAS_3 PPT#2
Root Guard Commands
Root guard is best deployed on ports that connect to switches that should not be the root bridge, using the interface configuration command: Switch(config-if)# spanning-tree guard root -Verify with: SW1# show spanning-tree inconsistentports
Critical factors for RADIUS include:
Remote Authentication Dial-In User Services -Uses RADIUS proxy servers for scalability -Combines RADIUS authentication and authorization as one process -Encrypts only the password -Utilizes UDP -Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)
Give more details on Role Based CLIs
Root view is the highest administrative view. Creating and modifying a view or 'superview' is possible only from root view. The difference between root view and privilege Level 15 is that only a root view user can create or modify views and superviews. Role-Based CLI views require AAA new-model: This is necessary even with local view authentication. A maximum of 15 CLI views can exist in addition to the root view.
Describe Router Hardening
Router Hardening: eliminate potential abuse of unused ports and services -Secure administrative control -Disable unused ports -Disable unnecessary services
What command is used to remove CBAC from the router?
Router(config)#no ip inspect This command removes all CBAC commands, the state table, and all temporary ACL entries created by CBAC. It also resets all timeout and threshold values to their factory defaults
Define the IronPort S-Series
S-Series - A web security appliance for spyware filtering, URL filtering, and anti-malware
What are the three major network security organizations?
SANS (SysAdmin, Audit, Network, Security) CERT (Computer Emergency Response Team) (ISC)2
List some security measures for the Control Plane
Security measures for the Control Plane: -Cisco AutoSecure: CLI script that disables nonessential services. It makes recommendations and then modifies the router config. -Routing Protocol Authentication: prevents a router from accepting fake routing updates -Control Plane Policing (CoPP): allows the user to control the flow of traffic that is handled by the route processor of a network device
List some security measures for the Data Plane
Security measures for the Data Plane: -Blocking unwanted traffic or users: ACLs -Reducing the chance of DoS attacks -Mitigating spoofing attacks: ACLs -Providing bandwidth control: ACLs can prevent excess traffic -Classifying traffic to protect the Management and Control Planes: ACLs can be applied on a VTY line
List some security measures for the Management Plane
Security measures for the Management Plane: -Login and password policy: restricts device accessibility -Present legal notification: banners -Ensure the confidentiality of data -Role-based access control (RBAC): AAA service that ensures access is only granted to permitted users -Authorize actions: restricts actions or views that are permitted for any particular group/service -Enable management access reporting: logs and accounts for all access
List the Advantages of Policy-based Detection
Simple and reliable Customized policies Can detect unknown attacks
ACL Placement
Standard ACLs are placed as close to the destination as possible. Extended ACLs are placed on routers as close as possible to the source of the traffic being filtered.
Steps to Configure a Reflexive ACL
Step 1. Create an internal ACL that looks for new outbound sessions and creates temporary reflexive ACEs. Step 2. Create an external ACL that uses the reflexive ACLs to examine return traffic. Step 3. Activate the Named ACLs on the appropriate interfaces.
Steps to configuring AAA services to authenticate administrator access
Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router. Step 2. Enable AAA globally on the router. Step 3. Configure AAA parameters on the router. Step 4. Confirm and troubleshoot the AAA configuration.
List the steps to password recovery
Step 1. Connect to the console port. Step 2. Use the show version command to view and record the configuration register. The configuration register is usually set to 0x2102 or 0x102. Step 3. Use the power switch to power cycle the router. Step 4. Issue the break sequence within 60 seconds of power up to put the router into ROMmon. Step 5. Type confreg 0x2142 at the rommon 1> prompt. Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration. Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure. Step 8. Type enable at the Router> prompt. This puts the router into enable mode and allows you to see the Router# prompt. Step 9. Type copy startup-config running-config to copy the NVRAM into memory. Be careful not to type copy running-config startup-config or the startup configuration will be erased. Step 10. Type show running-config. In this configuration, the shutdown command appears under all interfaces because all interfaces are currently shut down. An administrator can now see the passwords (enable password, enable secret, vty, and console passwords) in either encrypted or unencrypted format. Unencrypted passwords can be reused, but encrypted passwords need a new password to be created. Step 11. Enter global configuration mode and type the enable secret command to change the enable secret password. For example: Step 12. Issue the no shutdown command on every interface to be used. Then issue the show ip interface brief command in privileged EXEC mode to confirm that the interface configuration is correct. Every interface to be used should display "up up." Step 13. From global configuration mode, type config-register configuration_register_setting. The configuration register setting is either the value recorded in step 2 or 0x2102. For example: R1(config)# config-register 0x2102 Step 14. Save the configuration changes using the copy running-config startup-config command.
What are the steps for configuring ZPF with the CLI?
Step 1. Create the zones for the firewall with the zone security command. Step 2. Define traffic classes with the class-map type inspect command. Step 3. Specify firewall policies with the policy-map type inspect command. Step 4. Apply firewall policies to pairs of source and destination zones using the zone-pair security command. Step 5. Assign router interfaces to zones using the zone-member security interface command.
Name the 4 steps of designing a ZPF
Step 1. Determine the Zones Step 2. Establish policies between zones Step 3. Design the physical infrastructure Step 4. Identify subset within zones and merge traffic requirements
Steps to configure server-based authentication:
Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands. Step 2. Specify the Cisco Secure ACS that will provide AAA services for the router. This can be a TACACS+ or RADIUS server. Step 3. Configure the encryption key needed to encrypt the data transfer between the network access server and Cisco Secure ACS. Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.
What are the four steps to configure CBAC?
Step 1. Pick an interface - internal or external. Step 2. Configure IP ACLs at the interface. Step 3. Define inspection rules. Step 4. Apply an inspection rule to an interface.
List/Explain the steps to Configuring SSH
Step 1: Configure the IP domain name: ip domain-name span.com Step 2: Generate one-way secret RSA keys: crypto key generate rsa general-keys modulus 1024 Step 3: Create a local database username entry: username Bob secret cisco Step 4: Enable VTY inbound SSH sessions: R1(config)# line vty 0 4 R1(config-line)# login local R1(config-line)# transport input ssh
Name the four methods that Storm Control uses to measure traffic activity
Storm control uses one of these methods to measure traffic activity Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic. Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received. Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received. Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.
Configs for SPAN
Switch(config)# monitor session 1 source interface gigabitethernet0/1 Switch(config)# monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate Switch(config)# end Another example illustrates the capture of received and transmitted traffic for VLANs 10 and 20, respectively. Switch(config)# monitor session 1 source vlan 10 rx Switch(config)# monitor session 1 source vlan 20 tx Switch(config)# monitor session 1 destination interface FastEthernet 3/4 To verify SPAN configuration, use the show monitor session session-number command.
Configuring BPDU Guard
Switch(config)# spanning-tree portfast bpduguard default
List the Steps for configuring Port Security on an Access Port
Switch(config-if)# switchport mode access -Switch(config-if)# switchport port-security maximum value -Switch(config-if)# switchport port-security [mac-address mac-address] -Switch(config-if)# switchport port-security mac-address sticky -Step 3. (Optional) Set the maximum number of secure MAC addresses for the interface with switchport port-security maximum value. The range is 1 to 132. The default is 1.
Configs to enable port aging
Switch(config-if)# switchport port-security aging {static | time minutes | type {absolute | inactivity}}
How to configure Parameters
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
List some Non-endpoint LAN devices
Switches Wireless devices IP telephony devices Storage area networking (SAN) devices
Name and describe the two components of a Syslog System
Syslog server: A host that accepts and processes log messages from one or more syslog clients. Syslog client: A host that generates log messages and forwards them to a syslog server. Routers, switches, PIXs, ASAs, APs, servers, ...
Critical factors for TACACS+ include
Terminal Access Control Access Control Server Plus -Is incompatible with its predecessors TACACS and XTACACS -Separates authentication and authorization -Encrypts all communication -Utilizes TCP port 49
Describe Role Based CLI (Views)
The Role-Based CLI Access feature allows the administrator to define "views". Views are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration mode commands. Views restrict user access to Cisco IOS CLI and configuration information; that is, a view can define what commands are accepted and what configuration information is visible.
Describe a Self Zone
The rules of a zone-based policy firewall (ZPF) are different when the router itself is the source or the destination of the traffic. When an interface is configured as a zone member, the hosts connected to that interface are in the zone, but traffic to the router itself is not subject to that zone's policies. By default, all router IP interfaces are part of the self zone. A zone-pair that includes the self zone, and its associated policy, applies to traffic generated by the router or destined to the router; it does not apply to traffic traversing the router. A policy can be defined with the self zone as either the source or the destination zone. The self zone is a system-defined zone: it does not require any interfaces to be configured as members.
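The two kinds of zone-pair side by side, as an added example that is not from the original page: one pair for transit traffic from the LAN to the Internet, and one pair from the LAN to the self zone that admits only SSH to the router. Zone names, interface names, the 10.1.1.0/24 management subnet and the policy names are assumptions.

```cisco
! Added example (not from the original page): transit zone-pair plus a
! self-zone pair. Names, interfaces and addresses are assumptions.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
!
! --- transit traffic INSIDE -> OUTSIDE: stateful inspection of web and DNS ---
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! --- traffic to the router itself: SSH from the management subnet only ---
ip access-list extended MGMT-SSH
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
class-map type inspect match-all TO-SELF-CLASS
 match access-group name MGMT-SSH
policy-map type inspect TO-SELF-POLICY
 class type inspect TO-SELF-CLASS
  pass
 class class-default
  drop log
! "self" is predefined: no interface is made a member of it
zone-pair security INSIDE-TO-SELF source INSIDE destination self
 service-policy type inspect TO-SELF-POLICY
!
end
show zone-pair security
show policy-map type inspect zone-pair sessions
```

Two points to watch. First, pass rather than inspect is used for the self zone because inspection of router-bound traffic is limited on some IOS releases; since no self-to-INSIDE zone-pair exists, the router's SSH replies are still allowed by default. Second, once the INSIDE-TO-SELF pair exists, everything else the LAN sends to the router (ICMP echo, routing protocol hellos, SNMP, NTP) is dropped by class-default and has to be added to the class explicitly.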
Step 3. Design the physical infrastructure
The administrator must design the physical infrastructure.
List the Advantage of Anomaly-based Detection
The advantage of anomaly-based detection is that new and previously unpublished attacks can be detected
Allowing the Activity
The allow action is necessary so that an administrator can define exceptions to configured signatures. When an IPS device is configured to disallow certain activities, sometimes there is a need to allow a few systems or users to be exceptions to the configured rule
Describe BPDU Filtering
The feature can be configured globally or at the interface level. -Globally: PortFast-enabled interfaces stop sending BPDUs, although each still sends a few BPDUs at link-up before the switch begins filtering outbound BPDUs. If a BPDU is received on a PortFast-enabled interface (because it is in fact connected to a switch), the interface loses its PortFast operational status and BPDU filtering is disabled on it. -Interface level (PortFast not required): prevents the interface from sending or receiving BPDUs at all. Note: this is equivalent to disabling spanning tree on the port and can result in spanning-tree loops.
Describe Privilege Levels
The needs of a network security operator may not be the same as those of a WAN engineer. Cisco routers allow configuration at various privilege levels for administrators, and different passwords can be configured to control who has access to each level. There are 16 privilege levels (0 through 15). Levels 0, 1 and 15 are predefined; levels 2 to 14 can be customized using the privilege global configuration command, which moves individual commands to a level.
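What a custom level looks like in practice, as an added example that is not from the original page: a level 5 operator who may enter configuration mode only far enough to shut down or bring up an interface. The level number, account names and secrets are assumptions.

```cisco
! Added example (not from the original page): a custom privilege level.
! Level number, usernames and secrets are assumptions.
!
! separate secret for "enable 5" and for full level 15
enable secret level 5 Level5Secret
enable secret level 15 FullAdminSecret
!
! move only the commands this role needs down to level 5; every other
! command keeps its default level, so "interface" at level 5 reaches
! interface mode but nothing else in configure mode is available
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
privilege interface level 5 description
!
! an account that lands directly at level 5 on login
username operator privilege 5 secret OperatorPass123
!
! from the operator's session:
!   Router# show privilege
!   Current privilege level is 5
!   Router# configure terminal
!   Router(config)# interface GigabitEthernet0/1
!   Router(config-if)# shutdown
```

Privilege levels are cumulative (level 5 inherits everything at levels 1 to 4, and level 15 sees everything), and a command moved down to level 5 is available to every user at level 5 or above. When the requirement is "this role and no other", role-based CLI views are the cleaner tool.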
Server-based AAA Authentication
The server-based method uses an external database server resource that leverages RADIUS or TACACS+ protocols. Examples include Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express. If there are multiple routers, server-based AAA is more appropriate.
Define the Signature Trigger "Alarm"
The signature trigger for an IPS sensor could be anything that can reliably signal an intrusion or security policy violation. EX: a packet with a payload containing a specific string going to a specific port.
Configs for VLAN security
There are three steps to create trunk links: Step 1. Use the switchport mode trunk interface configuration command to cause the interface to become a trunk link. Step 2. Use the switchport nonegotiate interface configuration command to prevent the generation of DTP frames. Step 3. Use the switchport trunk native vlan vlan_number interface configuration command to set the native VLAN on the trunk to an unused VLAN. The default native VLAN is VLAN 1.
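The three trunk steps together with the access-port side, as an added example that is not from the original page: this is the set of settings that removes the conditions for both switch-spoofing and double-tagging VLAN hopping. VLAN numbers, names and interface ranges are assumptions.

```cisco
! Added example (not from the original page): trunk and access-port hardening.
! VLAN numbers, names and interface ranges are assumptions.
vlan 999
 name UNUSED-NATIVE
vlan 998
 name PARKING-LOT
!
! uplink: explicit trunk, no DTP, native VLAN that carries no user traffic,
! and only the VLANs that are actually needed
interface GigabitEthernet0/1
 description Uplink to core
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! user ports: forced access mode so a host sending DTP cannot turn
! the port into a trunk (switch spoofing)
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! unused ports: shut down and parked in an unused VLAN
interface range GigabitEthernet0/2 - 4
 switchport mode access
 switchport access vlan 998
 shutdown
!
end
show interfaces trunk
show dtp interface GigabitEthernet0/1
```

Double-tagging only works when the attacker's access VLAN equals the trunk's native VLAN, so the unused native VLAN must be set consistently on both ends of the trunk and never assigned to an access port. show interfaces trunk confirms the mode, native VLAN and allowed list on the live trunk.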
Commands for Configuring Portfast
This command configures PortFast for all non-trunking ports at once:
Switch(config)# spanning-tree portfast default
This command configures PortFast on an interface:
Switch(config-if)# spanning-tree portfast
This command verifies that PortFast has been configured on an interface:
Switch# show running-config interface FastEthernet 0/8
Step 4. Apply an inspection rule to an interface
This is the command syntax used to activate an inspection rule on an interface: Router(config-if)# ip inspect inspection_name {in | out} There are two guiding principles for applying inspection rules and ACLs on the router: -On the interface where traffic initiates, apply an inbound ACL that permits only the wanted traffic and apply the inspection rule inbound so that the wanted traffic is inspected. -On all other interfaces, apply an inbound ACL that denies all traffic except the traffic types the firewall does not inspect and that must therefore be permitted statically (for example GRE, and ICMP messages other than echo and echo reply); the return traffic of inspected sessions is admitted through the temporary ACL openings the firewall creates.
What is a Time-Based ACL?
Time-based ACLs allow for access control based on time. To implement time-based ACLs: create a time range that defines specific times of the day and week, identify the time range with a name, and then refer to it by name from an ACL entry (the time-range keyword). The time restriction is imposed on that entry only; the entry is active while the range is in effect and is skipped otherwise.
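An end-to-end time-based ACL, as an added example that is not from the original page: Telnet from the LAN to one server is permitted during business hours and logged outside them. The time-range name, addresses, interface and NTP server are assumptions.

```cisco
! Added example (not from the original page): time-based ACL.
! Range name, addresses, interface and NTP server are assumptions.
!
! the time range: Monday to Friday, 08:00 through 17:59
time-range WORK-HOURS
 periodic weekdays 8:00 to 17:59
!
! the ACL entry references the range by name; outside the range the
! permit entry is inactive and the next entry (deny + log) matches
ip access-list extended LAN-OUT
 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq telnet time-range WORK-HOURS
 deny   tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq telnet log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group LAN-OUT in
!
! a time-based ACL is only as good as the router's clock: set the zone and use NTP
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.0.2.123
!
end
show time-range WORK-HOURS
show access-lists LAN-OUT
```

show time-range reports whether the range is currently active, and show access-lists marks the time-bound entry as (active) or (inactive), which is the quickest way to confirm the clock and the range agree.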
Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks
-Total number of half-open TCP sessions -Number of half-open sessions in a one-minute interval -Number of half-open TCP sessions per host
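The inspection rule, the two ACL principles from the "Apply an inspection rule" item and the three half-open thresholds applied together, as an added example that is not from the original page. Interface names, addresses, the GRE peer and the threshold values are assumptions.

```cisco
! Added example (not from the original page): classic IOS firewall (CBAC)
! with the three half-open TCP thresholds. Names, addresses and values
! are assumptions.
!
! what to inspect for sessions initiated from the inside
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
!
! total half-open sessions: start deleting at 600, stop at 400
ip inspect max-incomplete high 600
ip inspect max-incomplete low 400
! new half-open sessions per minute: same high/low water marks
ip inspect one-minute high 600
ip inspect one-minute low 400
! per destination host: at 60 half-open, drop the oldest for each new one (block-time 0)
ip inspect tcp max-incomplete host 60 block-time 0
!
! inside interface: permit only what the LAN may initiate, and inspect it
ip access-list extended INSIDE-IN
 permit tcp 10.1.1.0 0.0.0.255 any
 permit udp 10.1.1.0 0.0.0.255 any
 permit icmp 10.1.1.0 0.0.0.255 any
 deny   ip any any log
interface GigabitEthernet0/0
 description LAN
 ip access-group INSIDE-IN in
 ip inspect FW-INSPECT in
!
! outside interface: deny everything except what the firewall cannot inspect
! (a GRE tunnel peer and ICMP error messages); return traffic of inspected
! sessions comes in through the temporary openings CBAC adds to this ACL
ip access-list extended OUTSIDE-IN
 permit gre host 203.0.113.9 host 203.0.113.2
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
interface GigabitEthernet0/1
 description Internet
 ip access-group OUTSIDE-IN in
!
end
show ip inspect config
show ip inspect sessions
```

With block-time 0 the router sheds load by dropping the oldest half-open session per new SYN; a non-zero block-time instead blocks all new connections to that host for the given minutes, which turns a SYN flood against one server into a self-inflicted outage for it, so choose it deliberately.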
Describe the Quarantine Phase
Tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them.
Describe a Trojan Horse
Trojan Horses: Malware that carries out malicious operations under the guise of a desired function. It contains malicious code that exploits the privileges of the user
Name the Signatures three distinctive attributes
Type (Either Atomic or Composite) Trigger (alarm) Action
Authentication
Users and administrators must prove that they are who they say they are
List some types of VLAN Attacks
-VLAN hopping (switch spoofing) attack: the attacker negotiates a trunk with DTP and gains access to all VLANs on it -Double-tagging VLAN hopping attack: a frame carries two 802.1Q tags; the first (native VLAN) tag is stripped by the first switch and the second delivers the frame into a VLAN the attacker is not a member of
Describe a Virus
Viruses: Malicious software that attaches itself to another program to execute an unwanted function on a computer o Most require user activation o Can lay dormant o Can be harmless or dangerous to a machine
What does it mean to enable MAC Address Sticky?
When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned, up to the maximum number configured, to the running configuration and converts these addresses to sticky secure MAC addresses
Describe the parameter Protect
When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
Describe the parameter Restrict
When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are notified that a security violation has occurred: a Simple Network Management Protocol (SNMP) trap is sent, a syslog message is logged, and the violation counter increments.
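The port-security steps, aging and violation-mode items above and the sticky, protect and restrict descriptions in one complete port configuration, as an added example that is not from the original page. The interface, VLAN, MAC address, maximum and aging values are assumptions.

```cisco
! Added example (not from the original page): port security on an access
! port with sticky learning, inactivity aging and the restrict violation mode.
! Interface, VLAN, MAC address and values are assumptions.
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 ! port security must be enabled before the other port-security options take effect
 switchport port-security
 ! at most two secure addresses on this port (the default is 1)
 switchport port-security maximum 2
 ! one statically defined secure MAC (for example an IP phone), the other
 ! learned dynamically and written to the running-config as sticky
 switchport port-security mac-address 0000.1111.2222
 switchport port-security mac-address sticky
 ! age out dynamically learned secure addresses after 60 idle minutes so a
 ! moved device does not leave a stale entry that blocks its replacement
 switchport port-security aging time 60
 switchport port-security aging type inactivity
 ! restrict: drop offending frames, count them, send syslog and SNMP trap,
 ! but keep the port up; shutdown would err-disable the port instead
 switchport port-security violation restrict
!
! if shutdown is used instead, let the port recover on its own after a while
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
end
show port-security interface FastEthernet0/5
show port-security address
show port-security
```

Sticky addresses live in the running configuration only until copy running-config startup-config is issued; forgetting that step means the learned addresses are gone after a reload. show port-security interface shows the violation mode, counter and last source address, which is what to look at when a user reports a "dead" port.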
Describe a Worm
Worms: execute arbitrary code and install copies of themselves in memory, then infect other hosts. They do not require user action and spread on their own. They usually slow the network down. They exploit weaknesses in software applications.
Name the two types of alerts that a signature uses
-Atomic alerts -Summary alerts
To configure command authorization, use the aaa authorization {network | exec | commands level} {default | list-name} method1 [method2 ... method4] command. The service type specifies what is being authorized:
-commands level: EXEC (shell) commands at the given privilege level -exec: starting an EXEC (shell) session -network: network services (PPP, SLIP, ARAP)
Explain mitigation tools for LAN Storms
Configure storm control on access ports: per-interface thresholds for broadcast, multicast and unicast traffic, with an action (shut down the port or send an SNMP trap) when a threshold is exceeded.
Explain how to mitigate STP manipulation attacks
Enable PortFast together with BPDU guard on access ports (PortFast alone is not a mitigation), and root guard on ports that must never lead to the root bridge.
Config commands for BPDU Filtering
Global: Switch(config)# spanning-tree portfast bpdufilter default
Interface: Switch(config-if)# spanning-tree bpdufilter enable
Verification: SW1# show spanning-tree summary
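The storm control, STP mitigation and BPDU filter items above on one access switch, as an added example that is not from the original page. Interface names, the storm-control thresholds and the recovery interval are assumptions.

```cisco
! Added example (not from the original page): Layer 2 hardening on an access
! switch. Interface names, thresholds and timers are assumptions.
!
! PortFast + BPDU guard on every non-trunk port by default: a host port that
! ever receives a BPDU (a rogue switch) is err-disabled instead of joining STP
spanning-tree portfast default
spanning-tree portfast bpduguard default
! let err-disabled ports recover on their own after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! root guard on a downlink: a superior BPDU puts the port into
! root-inconsistent state instead of moving the root bridge
interface GigabitEthernet0/2
 description Downlink to access switch
 spanning-tree guard root
!
! a user port with the same protections set explicitly plus storm control
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! suppress broadcast above 20% of bandwidth until it drops under 10%,
 ! multicast above 30%; shut the port instead of just dropping
 storm-control broadcast level 20.00 10.00
 storm-control multicast level 30.00
 storm-control action shutdown
!
! BPDU filter only where a BPDU must never leave the port; at interface level
! it turns STP off on that port entirely, so it stays commented out here and
! bpduguard is used instead
! interface FastEthernet0/24
!  spanning-tree bpdufilter enable
!
end
show spanning-tree summary
show storm-control
show errdisable recovery
```

show spanning-tree summary lists which of PortFast, BPDU guard, BPDU filter and root guard are enabled globally, and show errdisable recovery shows both the causes that auto-recover and the ports currently waiting to come back.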
List and Describe the three Major worm attack components
o Enabling vulnerability: the worm installs itself by exploiting a vulnerability o Propagation mechanism: the worm replicates and finds new targets o Payload: the malicious code that performs the harmful action on the host or network
Describe how to mitigate a DoS Attack
o IPS and firewalls (Cisco ASAs and ISRs) o Antispoofing technologies: port security, DHCP snooping, ACLs o Quality of Service, traffic policing: limiting traffic from any one source
Describe how to mitigate a Reconnaissance Attack
o Implement authentication to ensure proper access. o Use encryption to render packet sniffer attacks useless. o Use anti-sniffer tools to detect packet sniffer attacks. o Implement a switched infrastructure. o Use a firewall and IPS.
Describe the 10 network security practices for mitigating attacks
o Keep patches up-to-date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks. o Shut down unnecessary services and ports. o Use strong passwords and change them often. o Control physical access to systems. o Avoid unnecessary web page inputs. Some websites allow users to enter usernames and passwords. A hacker can enter more than just a username. For example, entering "jdoe; rm -rf /" might allow an attacker to remove the root file system from a UNIX server. Programmers should limit input length and not accept invalid characters such as | ; < > as input. o Perform backups and test the backed up files on a regular basis. o Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person. o Encrypt and password protect sensitive data. o Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, antivirus software, and content filtering. o Develop a written security policy for the company.
List four types of Reconnaissance attacks
o Packet sniffers o Ping Sweeps o Port Scans o Internet Information queries
List and Describe the five types of Access Attacks
o Password attack: attempts to guess or crack passwords o Trust exploitation: uses privileges granted to a system in an unauthorized way o Port redirection: a compromised system is used as a pivot for attacks on other systems o Man-in-the-middle attack: the attacker sits between two communicating parties in order to read or modify the passing data o Buffer overflow: a program writes data beyond the allocated buffer memory, which can allow malicious code to be executed.
List and describe the three types of DoS Attacks
o Ping of Death: sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. o Smurf attack: sends a large number of ICMP echo requests, with a spoofed source address of the victim, to a broadcast address; all hosts on the network reply to the victim. o TCP SYN flood: a flood of forged TCP SYN packets is sent; the host replies to each with a SYN-ACK, but the attacker never completes the handshake, exhausting the available connection table.
List and Describe the 5 Phases of worm attack methods
o Probe Phase: Identify vulnerable targets by using scanning methods to map the network then hacking passwords to vulnerable systems. o Penetrate Phase: The exploit code is transferred to the target and it is executed. o Persist Phase: ensure that the attacker code is available even if the system is rebooted often done by manipulating files or installing new code o Propagate Phase: extend the attack to other targets by finding vulnerable neighboring machines o Paralyze Phase: Damage is done. Erased files, crashed systems, stolen info, DoS.
Describe how to mitigate an Access Attack
o Strong password security o Principle of minimum trust o Cryptography o Applying operating system and application patches
Name the password protection guidelines and how they keep the password more secure.
o Use a password length of 10 or more characters. o Make passwords complex by including a mix of UPPERCASE and lowercase letters, numbers, symbols, and spaces. o Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information. o Deliberately misspell a password. o Change passwords often. o Do not write passwords down and leave them in obvious places. o Use passphrases: a sentence or phrase that serves as a longer, more secure password.
What Cisco IOS commands can be used to increase password security?
• Enforce minimum password length: security passwords min-length. • Disable unattended connections: exec-timeout. • Encrypt config file passwords: service password-encryption (type 7, which is reversible; it hides passwords from a casual look at the config but is not a substitute for enable secret and username secret).
Describe SANS (SysAdmin, Audit, Network, Security)
• Focus is to provide information security training and certification • Develops research documents about information security (free on request) • Develops security courses that prep for Global Information Assurance Certification (GIAC)
What parameters should be configured in order to improve security for virtual logins?
• Implement delays between successive login attempts: login block-for 120 attempts 5 within 60 (and login delay). • Enable login shutdown (quiet mode) if DoS attacks are suspected: login quiet-mode access-class PERMIT-ADMIN. • Generate system logging messages for login detection: login on-success log, login on-failure log.
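The password-security commands and the virtual-login parameters from the two items above applied together, as an added example that is not from the original page. The secrets, the PERMIT-ADMIN subnet and the timers are assumptions.

```cisco
! Added example (not from the original page): password and login hardening.
! Secrets, the admin subnet and timers are assumptions.
!
! refuse any newly configured password shorter than 10 characters
security passwords min-length 10
! obscure type 7 passwords in the config (reversible, so not a real protection)
service password-encryption
! one-way hashed secrets for enable and for the local admin account
enable secret StrongEnableSecret123
username admin privilege 15 secret StrongAdminSecret123
!
! hosts that may still log in while the router is in quiet mode
ip access-list standard PERMIT-ADMIN
 permit 10.1.1.0 0.0.0.255
!
! after 5 failed attempts within 60 s, refuse logins for 120 s except from
! PERMIT-ADMIN; 2 s between attempts; log every success and failure
login block-for 120 attempts 5 within 60
login quiet-mode access-class PERMIT-ADMIN
login delay 2
login on-success log
login on-failure log
!
! idle sessions drop after 5 minutes; SSH only on the vty lines
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
line console 0
 exec-timeout 5 0
 login local
!
end
show login
show login failures
```

show login reports whether the router is in normal or quiet mode and the remaining quiet time, and show login failures lists the usernames and source addresses behind the failed attempts, which is the first place to look when the block triggers.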
In what paths can information flow between management hosts and the managed devices?
• Out of Band (OOB): Information flows within a network on which no production traffic resides. • In-Band: Information flows across the enterprise production network or the Internet (or both).
Describe the CERT (Computer Emergency Response Team)
• Part of the federally funded Software Engineering Institute (SEI) at Carnegie Mellon University • The CERT Coordination Center (CERT/CC) coordinates communication among experts during security emergencies • Responds to major security incidents and analyzes vulnerabilities to prevent attacks in the future
Describe the (ISC)2 (International Information Systems Security Certification Consortium)
• Provides education products and career services • Mission is to make the cyber world safer by elevating information security to the public • Offers four well-known information security certifications, the best known being the CISSP