Chapter 5 - Network Security and Monitoring


plain-text

Note: __________________ passwords are not considered a security mechanism. This is because plaintext passwords are highly vulnerable to man-in-the-middle attacks, in which they are compromised through the capture of packets.

- SNMPv1 - The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
- SNMPv2c - Defined in RFCs 1901 to 1908; utilizes a community-string-based Administrative Framework.
- SNMPv3 - Interoperable standards-based protocol originally defined in RFCs 2273 to 2275; provides secure access to devices by authenticating and encrypting packets over the network. It includes these security features: message integrity to ensure that a packet was not tampered with in transit; authentication to determine that the message is from a valid source; and encryption to prevent the contents of a message from being read by an unauthorized source.

There are several versions of SNMP (name the versions):

- Explicitly configure access links (an access link is a link that is part of only one VLAN; access links are normally used for end devices)
- Explicitly disable auto trunking (a trunk link can carry traffic for multiple VLANs)
- Manually enable trunk links
- Disable unused ports, make them access ports, and assign them to a black hole VLAN
- Change the default native VLAN
- Implement port security

There are several ways to mitigate VLAN attacks (6):

SNMPv3 - noAuthNoPriv - Username
SNMPv3 - authNoPriv - MD5 + SHA
SNMPv3 - authPriv - MD5 + SHA

If you look at the models, you can see that the SNMPv1 and SNMPv2c level is noAuthNoPriv; both use community string authentication. SNMPv3, however, has several levels: SNMPv3 - noAuthNoPriv, SNMPv3 - authNoPriv, SNMPv3 - authPriv. Which one uses a username, and which ones use Message Digest 5 (MD5) and Secure Hash Algorithm (SHA)?

1. RSPAN Source Sessions
2. RSPAN Destination Sessions
3. RSPAN VLAN

RSPAN Terminology:
1. This is the source port/VLAN to copy traffic from.
2. This is the destination VLAN/port to send the traffic to.
3. A unique VLAN is required to transport the traffic from one switch to another. The VLAN is configured with the remote-span VLAN configuration command. This VLAN must be defined on all switches in the path and must also be allowed on trunk ports between the source and destination.

analyzer

A packet _________________ (also known as a sniffer, packet sniffer, or traffic sniffer) is a valuable tool to help monitor and troubleshoot a network. A packet analyzer is typically software that captures packets entering and exiting a network interface card (NIC). For example, Wireshark is a packet analyzer that is commonly used to capture and analyze packets on a local computer.

CPU

Because the ______ is one of the key resources, it should be measured continuously. CPU statistics should be compiled on the NMS and graphed. Observing CPU utilization over an extended time period allows the administrator to establish a baseline estimate for CPU utilization. Threshold values can then be set relative to this baseline. When CPU utilization exceeds this threshold, notifications are sent. An SNMP graphing tool can periodically poll SNMP agents, such as a router, and graph the gathered values.

community

Both SNMPv1 and SNMPv2c use a _____________-based form of security. The community of managers able to access the agent's MIB is defined by an ACL and password.

unencrypted, unauthenticated

CDP broadcasts are sent _________________ and _________________. Therefore, an attacker could interfere with the network infrastructure by sending crafted CDP frames containing bogus device information to directly-connected Cisco devices.

3

CDP information is extremely useful in network troubleshooting. For example, CDP can be used to verify Layer 1 and 2 connectivity. If an administrator cannot ping a directly connected interface, but still receives CDP information, then the problem is most likely related to the Layer __ configuration.

unencrypted

CDP information is sent out CDP-enabled ports in periodic, __________________ broadcasts. CDP information includes the IP address of the device, IOS software version, platform, capabilities, and the native VLAN. The device receiving the CDP message updates its CDP database.

Port security - Prevents many types of attack, including CAM table overflow and DHCP starvation attacks.
DHCP Snooping - Prevents DHCP starvation and DHCP spoofing attacks.
Dynamic ARP Inspection (DAI) - Prevents ARP spoofing and ARP poisoning attacks.
IP Source Guard (IPSG) - Prevents MAC and IP address spoofing attacks.

Cisco Solution to Mitigate Layer 2 Attack Pyramid (4 layers): Name them from bottom up.

Local AAA Authentication - Local AAA uses a local database for authentication. This method is sometimes known as self-contained authentication. It stores usernames and passwords locally in the Cisco router, and users authenticate against the local database. Local AAA is ideal for small networks.
Server-Based AAA Authentication - Server-based AAA authentication is a much more scalable solution. With the server-based method, the router accesses a central AAA server. The AAA server contains the usernames and passwords for all users and serves as a central authentication system for all infrastructure devices.

Cisco provides two common methods of implementing AAA services:

- CDP Reconnaissance Attack
- Telnet Attack
- MAC Address Table Flooding Attack
- VLAN Attack
- DHCP Attacks

Common attacks against the Layer 2 LAN infrastructure include (5):

port security

Configure ___________________ on the switch to mitigate MAC address table overflow attacks.

source, destination

Configuring a local SPAN example: PCA is connected to S1 on F0/1. The packet analyzer is connected to S1 on F0/2.
S1(config)# monitor session 1 _____________ interface fastethernet 0/1
S1(config)# monitor session 1 ____________ interface fastethernet 0/2

Trusted DHCP ports - Only ports connecting to upstream DHCP servers should be trusted. These ports should lead to legitimate DHCP servers replying with DHCP Offer and DHCP Ack messages. Trusted ports must be explicitly identified in the configuration.
Untrusted ports - These ports connect to hosts that should not be providing DHCP server messages. By default, all switch ports are untrusted.

DHCP snooping recognizes two types of ports:

ACLs

Ensure that SNMP messages do not spread beyond the management consoles. __________ should be used to prevent SNMP messages from going beyond the required devices. ____________ should also be used on the monitored devices to limit access for management systems only.

frequency, bandwidth

Periodic SNMP polling does have disadvantages. First, there is a delay between the time that an event occurs and the time that it is noticed (via polling) by the NMS. Second, there is a trade-off between polling __________ and _____________ usage.

agent, MIB

SNMP agents that reside on managed devices collect and store information about the device and its operation. This information is stored by the agent locally in the MIB. The SNMP manager then uses the SNMP __________ to access information within the ____________.

- SNMP manager
- SNMP agents (managed node)
- Management Information Base (MIB)

SNMP is an application layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of three elements:

MIB, plaintext

SNMPv1 and SNMPv2c use community strings that control access to the ________. Community strings are ______________ passwords. SNMP community strings authenticate access to MIB objects.

ACL, Read, Group, User

SNMPv3 can be secured with four steps. The figure shows the syntax. The following describes each step:
Step 1. Configure a standard ________ that will permit access for authorized SNMP managers.
Step 2. Configure an SNMP view with the snmp-server view global configuration command to identify which MIB Object Identifiers (OIDs) the SNMP manager will be able to read. Configuring a view is required to limit SNMP messages to __________-only access.
Step 3. Configure SNMP ___________ features with the snmp-server group global configuration command. This command has the following parameters (refer to the figure for the syntax): configures a name for the group; sets the SNMP version; specifies the required authentication and encryption; associates the view from Step 2 to the group; specifies read or read-write access; filters the group with the ACL configured in Step 1.
Step 4. Configure SNMP group ____________ features with the snmp-server user global configuration command. The command has the following parameters: configures a username; associates the user with the group name that was configured in Step 3; sets the SNMP version; sets the authentication type (SHA is preferred and should be supported by the SNMP management software); sets the encryption type; configures an encryption password.

Message integrity and authentication - Transmissions from the SNMP manager (NMS) to agents (managed nodes) can be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message. This ensures that a packet has not been tampered with in transit and is from a valid source.
Encryption - SNMPv3 messages may be encrypted to ensure privacy. Encryption scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
Access control - Restricts SNMP managers to certain actions on specific portions of data. For example, you may not want the NMS to have full access to your firewall device.

SNMPv3 provides three security features:

Ingress, Egress, Source (SPAN), Destination (SPAN), SPAN Session, Source VLAN

SPAN Terminology - ___________ traffic is traffic that enters the switch, while ___________ traffic is traffic that leaves the switch. A _______________ port is a port that is monitored with the use of the SPAN feature. A _________________ port is the port that monitors source ports, usually where a packet analyzer, IDS, or IPS is connected; this is also called the monitor port. A __________ is an association of a destination port with one or more source ports. A __________ is the VLAN monitored for traffic analysis.

Packet analyzers - Using software such as Wireshark to capture and analyze traffic for troubleshooting purposes. For example, an administrator can capture traffic destined to a server to troubleshoot the sub-optimal operation of a network application.
Intrusion Prevention Systems (IPSs) - IPSs are focused on the security aspect of traffic and are implemented to detect network attacks as they happen, issuing alerts or even blocking the malicious packets as the attack takes place. IPSs are typically deployed as a service on an ISR G2 router or using a dedicated device.

SPAN is commonly implemented to deliver traffic to specialized devices including (2):

DHCP Snooping

Security best practices recommend using ___________________ to mitigate DHCP spoofing attacks.

untrusted, Snoop Binding

When DHCP snooping is enabled on an interface or VLAN and a switch receives a DHCP packet on an untrusted port, the switch compares the source packet information with that held in the DHCP Snooping Binding Database. The switch will deny packets containing any of the following information:
- Unauthorized DHCP server messages coming from an ___________ port
- Unauthorized DHCP client messages not adhering to the DHCP ____________________ Database or rate limits

source

When MAC addresses are assigned to a secure port, the port does not forward frames with source MAC addresses outside the group of defined addresses. When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure ____________ addresses that were manually configured, or auto configured (learned), on the port.

- MAC Address Table Flooding
- VLAN attack
- DHCP attack

Which 3 are used for disrupting the network operation?

DHCP Spoofing

Which attack allows an attacker to configure a fake DHCP server on a network to issue DHCP addresses to clients?

DHCP Starvation

Which attack floods the DHCP server with DHCP requests to use up all the available addresses, producing a DoS attack on the switch?

Brute Force

Which attack uses a "dictionary" to find common passwords - tries to initiate a telnet session using what the "dictionary" suggests for the password?

MAC flooding

Which attack uses fake MAC addresses to overflow the MAC address table?

Get an MIB variable, retrieves

Which response is this? The SNMP agent performs this function in response to a GetRequest-PDU from the network manager. The agent __________ the value of the requested MIB variable and responds to the network manager with that value.

Set an MIB variable, changes

Which response is this? The SNMP agent performs this function in response to a SetRequest-PDU from the network manager. The SNMP agent _________ the value of the MIB variable to the value specified by the network manager. An SNMP agent reply to a set request includes the new settings in the device.

CDP

Which security attack allows the attacker to see the surrounding IP addresses, software version, and native VLAN information, which can then be used to enact a DoS attack?

CDP Reconnaissance and Telnet attack

Which two attacks are focused on gaining administrative access to the network device?

IPS

While packet analyzers are commonly used for troubleshooting purposes, an ______ looks for specific patterns in traffic. As the traffic flows through the IPS, it analyzes traffic in real-time and takes action upon the discovery of malicious traffic patterns.

Version, Community

The snmpget utility command takes several parameters, including:
-v2c - __________ of SNMP
-c community - SNMP password, called a ____________ string
10.250.250.14 - IP address of monitored device
1.3.6.1.4.1.9.2.1.58.0 - OID of MIB variable

port security

The simplest and most effective method to prevent MAC table flooding attacks is to enable _____________________.

read or write

To view or set MIB variables, the user must specify the appropriate community string for ________ or __________ access.

destination

A SPAN session is the association between source ports (or VLANs) and a ____________________.

set, actions

A ________ request is used by the network management system (NMS) to change configuration variables in the agent device. A set request can also initiate ____________ within a device. For example, a set can cause a router to reboot, send a configuration file, or receive a configuration file.

DHCP Spoofing

A ________________ attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. DHCP spoofing is dangerous because clients can be leased IP information for malicious DNS server addresses, malicious default gateways, and malicious IP assignments.

snmp-server enable traps ?

A list of over 60 trap notification types can be seen with the ______________________________ command.

servers, TACACS+

An AAA-enabled router uses either the Terminal Access Controller Access Control System (TACACS+) protocol or the Remote Authentication Dial-In User Service (RADIUS) protocol to communicate with the AAA __________________. While both protocols can be used to communicate between a router and AAA servers, _____________ is considered the more secure protocol.

an obtained CPU value. Example - SNMPv2-SMI::enterprises.9.2.1.58.0 = Integer: 11 (obtained CPU value). The 9.2.1.58.0 is the actual MIB location.

After you use a command like snmpget - you'll get a response. What is this response?

managers, agents, MIBs

All versions use SNMP ____________, ____________, and __________. Cisco IOS software supports the above three versions. Version 1 is a legacy solution and not often encountered in networks today; therefore, this course focuses on versions 2c and 3.

Get

An NMS periodically polls the SNMP agents residing on managed devices, by querying the device for data using the ________ request. Using this process, a network management application can collect information to monitor traffic loads and to verify device configurations of managed devices. The information can be displayed via a GUI on the NMS. Averages, minimums, or maximums can be calculated, the data can be graphed, or thresholds can be set to trigger a notification process when the thresholds are exceeded.

Switch(config)# monitor session [number] destination [interface (specify) | vlan (specify)]

Associate a SPAN session with a destination port (command):

Switch(config)# monitor session [number] source [interface (which interface) | vlan (which vlan)]

Associate a SPAN session with a source port (command):

2

The basic operation of a modern switched network disables the packet analyzer's ability to capture traffic from other sources. A Layer __ switch populates its MAC address table based on the source MAC address and the ingress port of the Ethernet frame. After the table is built, the switch only forwards traffic destined for a MAC address directly to the corresponding port. This prevents a packet analyzer connected to another port on the switch from "hearing" other switch traffic. Solution: Enable port mirroring. The port mirroring feature allows a switch to copy and send Ethernet frames from specific ports to the destination port connected to a packet analyzer. The original frame is still forwarded in the usual manner.

security

If a port is configured as a secure port and the maximum number of MAC addresses is reached, any additional attempts to connect by unknown MAC addresses will generate a ____________ violation.

packet analyzer

Older systems with faulty NICs can also cause issues. If SPAN is enabled on a switch to send traffic to a ___________________, a network technician can detect and isolate the end device causing the excess traffic.

2

In addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate threats against the Layer __ LAN infrastructure.

MAC address flooding attack

One of the most basic and common LAN switch attacks is the ______________________. This attack is also known as a MAC address table overflow attack, or a CAM table overflow attack.

2

Layer __ LANs are often considered to be a safe and secure environment. However, as shown in the figure, if Layer __ is compromised then all layers above it are also affected. Today, with BYOD and more sophisticated attacks, LANs have become more vulnerable.

limited

MAC address tables are ____________ in size. MAC flooding attacks exploit this limitation with fake source MAC addresses until the switch MAC address table is full and the switch is overwhelmed.

- Always use secure variants of these protocols such as SSH, SCP, SSL, SNMPv3, and SFTP.
- Always use strong passwords and change them often.
- Enable CDP on select ports only.
- Secure Telnet access.
- Use a dedicated management VLAN where nothing but management traffic resides.
- Use ACLs to filter unwanted access.

Many network management protocols including Telnet, Syslog, SNMP, TFTP, and FTP are insecure. There are several strategies to help secure Layer 2 of a network:

remote

Modern networks are switched environments. Therefore, SPAN is crucial for effective IPS operation. SPAN can be implemented as either Local SPAN or __________ SPAN (RSPAN).

get-request, get-next-request, get-bulk-request, get-response, set-request

Name all the SNMP Operations (5):

spoofing attack

One type of VLAN threat is the switch ______________. The attacker attempts to gain VLAN access by configuring a host to spoof a switch and use the 802.1Q trunking protocol and the Cisco-proprietary Dynamic Trunking Protocol (DTP) feature to trunk with the connecting switch. If successful, the switch establishes a trunk link with the host, and the attacker can then access all the VLANs on the switch and hop (i.e., send and receive) traffic on all the VLANs.

802.1X

Network user authentication can be provided with AAA server-based authentication. The ___________ protocol/standard can be used to authenticate network devices on the corporate network.

advanced

Note: IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI) are ______________ switch security solutions discussed in the CCNA Security course.

transmit, receive

Note: Link Layer Discovery Protocol (LLDP) is also vulnerable to reconnaissance attacks. Configure no lldp run to disable LLDP globally. To disable LLDP on the interface, configure no lldp __________ and no lldp ___________.

authenticate, encryption

Note: SNMPv1 and SNMPv2c offer minimal security features. Specifically, SNMPv1 and SNMPv2c can neither _______________ the source of a management message nor provide ______________. SNMPv3 is most currently described in RFCs 3410 to 3415. It adds methods to ensure the secure transmission of critical data between managed devices.

iso (1) -> org (3) -> dod (6) -> internet (1) -> private (4) -> enterprises (1) -> cisco (9) = 1.3.6.1.4.1.9

OIDs belonging to Cisco are numbered as follows: .iso (1).org (3).dod (6).internet (1).private (4).enterprises (1).cisco (9). Therefore the OID is __________________.

not

RADIUS does __________ encrypt user names, accounting information, or any other information carried in the RADIUS message.

two

RSPAN uses __________ sessions. One session is used as the source and one session is used to copy or receive the traffic from a VLAN. The traffic for each RSPAN session is carried over trunk links in a user-specified RSPAN VLAN that is dedicated (for that RSPAN session) in all participating switches.

2

Security is only as strong as the weakest link in the system, and Layer __ is considered to be that weakest link. Therefore, Layer ___ security solutions must be implemented to help secure a network.

authenticates, encrypts

Simple Network Management Protocol version 3 (SNMPv3) ________________ and _____________ packets over the network to provide secure access to devices, as shown in the figure. Adding authentication and encryption to SNMPv3 addresses the vulnerabilities of earlier versions of SNMP.

snmp-server community string ro | rw

Step 1. (Required) Configure the community string and access level (read-only or read-write) with the __________________________ command.

2. snmp-server location [text]
3. snmp-server contact [text]
4. snmp-server community [string access-list-number-or-name]
5. snmp-server host host-id [version {1 | 2c | 3 [auth | noauth | priv]}] community-string
6. snmp-server enable traps notification-types

Step 2. (Optional) Document the location of the device using the ________________________ command.
Step 3. (Optional) Document the system contact using the _____________________ command.
Step 4. (Optional) Restrict SNMP access to NMS hosts (SNMP managers) that are permitted by an ACL: define the ACL and then reference the ACL with the ________________________________________ command.
Step 5. (Optional) Specify the recipient of the SNMP trap operations with the _________________________ command. By default, no trap manager is defined.
Step 6. (Optional) Enable traps on an SNMP agent with the __________________________ command. If no trap notification types are specified in this command, then all trap types are sent. Repeated use of this command is required if a particular subset of trap types is desired. Note: By default, SNMP does not have any traps set. Without this command, SNMP managers must poll for all relevant information.

1

Steps for Configuring SNMP - All the steps are optional besides step ___, which is required.

T

T or F? 802.1X port-based authentication adds security to the access layer.

T

T or F? All TACACS+ protocol exchanges are encrypted.

F

T or F? When an 802.1X port is in the unauthorized state, the port allows all traffic except for 802.1X protocol packets.

True

T or F? Only ports connecting to upstream DHCP servers should be trusted.

802.1X

The IEEE _____________ standard defines a port-based access control and authentication protocol. IEEE ____________ restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN.

Object ID (OID)

The MIB organizes variables hierarchically. MIB variables enable the management software to monitor and control the network device. Formally, the MIB defines each variable as an _____________ (OID). OIDs uniquely identify managed objects in the MIB hierarchy. The MIB organizes the OIDs based on RFC standards into a hierarchy of OIDs, usually shown as a tree.

show snmp community

The show snmp command output does not display information relating to the SNMP community string or, if applicable, the associated ACL. Figure 5 displays the SNMP community string and ACL information, using the ___________________________ command.

client, MIB

The SNMP agent and MIB reside on SNMP __________ devices. Network devices that must be managed, such as switches, routers, servers, firewalls, and workstations, are equipped with an SNMP agent software module. MIBs store data about the device and operational statistics and are meant to be available to authenticated remote users. The SNMP agent is responsible for providing access to the local _____________.

Get an MIB variable, and set an MIB variable

The SNMP agent responds to SNMP manager requests as follows (2):

get, set, trap.

The SNMP manager is part of a network management system (NMS). The SNMP manager runs SNMP management software. As shown in the figure, the SNMP manager can collect information from an SNMP agent using the "______" action and can change configurations on an agent using the "______" action. In addition, SNMP agents can forward information directly to a network manager using "_______".

161, 162

The SNMP manager polls the agents and queries the MIB for SNMP agents on UDP port _________. SNMP agents send any SNMP traps to the SNMP manager on UDP port ________.

destination

The SPAN feature is said to be local when the monitored ports are all located on the same switch as the _________________ port.

show monitor

The _________________ command is used to verify the SPAN session. The command displays the type of the session, the source ports for each traffic direction, and the destination port.

Authentication, Authorization

The __________________, ___________________, and Accounting (AAA) framework is used to help secure device access. AAA Authentication can be used to authenticate users for administrative access or it can be used to authenticate users for remote network access.

Cisco Discovery Protocol

The ___________________ (CDP) is a proprietary Layer 2 link discovery protocol. It is enabled on all Cisco devices by default. CDP can automatically discover other CDP-enabled devices and help auto-configure their connection. Network administrators also use CDP to help configure and troubleshoot network devices.

snmpget

The data is retrieved via the ____________ utility, issued on the NMS. Using the ____________ utility, one can manually retrieve real-time data, or have the NMS run a report over a period of time and use that data to compute an average. The ___________ utility requires that the SNMP version, the correct community string, the IP address of the network device to query, and the OID number are set. Figure 3 demonstrates the use of the freeware snmpget utility, which allows quick retrieval of information from the MIB.

- Disable DTP (auto trunking) negotiations on non-trunking ports and explicitly force the access ports by using the switchport mode access interface configuration command.
- Manually enable the trunk link on a trunking port using the switchport mode trunk interface configuration command.
- Disable DTP (auto trunking) negotiations on trunking and non-trunking ports using the switchport nonegotiate interface configuration command.
- Set the native VLAN to be something other than VLAN 1. Set it to an unused VLAN using the switchport trunk native vlan vlan_number interface configuration mode command.
- Disable unused ports and assign them to an unused VLAN.

The figure shows the best way to prevent basic VLAN attacks (5):

fail-open mode

The switch keeps updating its MAC address table with the information in the fake frames. Eventually, the MAC address table becomes full of fake MAC addresses and enters into what is known as ____________________. In this mode, the switch broadcasts all frames to all machines on the network. As a result, the attacker can capture all of the frames, even frames that are not addressed to its MAC address.

switch port analyzer

The _____________________ (SPAN) feature on Cisco switches is a type of port mirroring that sends copies of frames entering a port out another port on the same switch. SPAN allows administrators or devices to collect and analyze traffic.

group

There are a number of other global configuration mode commands that a network administrator can implement to take advantage of the authentication and encryption support in SNMPv3: The snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} command creates a new SNMP ____________ on the device. The snmp-server user username groupname v3 [encrypted] [auth {md5 | sha} auth-password] [priv {des | 3des | aes {128 | 192 | 256}} priv-password] command is used to add a new user to the SNMP group specified in the snmp-server group groupname command.

- Use SSH instead
- Use strong passwords
- Limit access to the vty lines using an access control list (ACL) permitting only administrator devices and denying all other devices.
- Authenticate and authorize administrative access to the device using AAA with either the TACACS+ or RADIUS protocol.

There are several ways to mitigate against Telnet attacks (3):

- The destination port cannot be a source port, and the source port cannot be a destination port.
- The number of destination ports is platform-dependent. Some platforms allow for more than one destination port.
- The destination port is no longer a normal switch port. Only monitored traffic passes through that port.

There are three important things to consider when configuring SPAN:

show snmp

To verify the SNMP configuration, use any of the variations of the _______________ privileged EXEC mode command. The most useful command is simply the show snmp command, as it displays the information that is commonly of interest when examining the SNMP configuration. Unless there is an involved SNMPv3 configuration, for the most part the other command options only display selected portions of the output of the show snmp command.

DHCP spoofing attack - An attacker configures a fake DHCP server on the network to issue IP addresses to clients. This type of attack forces the clients to use both a false Domain Name System (DNS) server and a computer which is under the control of the attacker as their default gateway.
DHCP starvation attack - An attacker floods the DHCP server with bogus DHCP requests and eventually leases all of the available IP addresses in the DHCP server pool. After these IP addresses are issued, the server cannot issue any more addresses, and this situation produces a denial-of-service (DoS) attack as new clients cannot obtain network access.

There are two types of DHCP attacks which can be performed against a switched network:

- Brute Force Password Attack
- Telnet DoS Attack - The attacker continuously requests Telnet connections in an attempt to render the Telnet service unavailable, preventing an administrator from remotely accessing a switch.

There are two types of Telnet attacks:

Read-only (ro) - Provides access to the MIB variables, but does not allow these variables to be changed, only read. Because security is minimal in version 2c, many organizations use SNMPv2c in read-only mode.
Read-write (rw) - Provides read and write access to all objects in the MIB.

There are two types of community strings:

monitor session

This command is used to associate a source port and a destination port with a SPAN session. A separate __________________ command is used for each session. A VLAN can be specified instead of a physical port.

no cdp run, cdp run

To disable CDP globally on a device, use the _________________________ global configuration mode command. To enable CDP globally, use the ___________ global configuration command.

edge

To mitigate the exploitation of CDP, limit the use of CDP on devices or ports. For example, disable CDP on ___________ ports that connect to untrusted devices.

traps

To mitigate these disadvantages, it is possible for SNMP agents to generate and send ___________ to inform the NMS immediately of certain events. Traps are unsolicited messages alerting the SNMP manager to a condition or event on the network. Examples of trap conditions include, but are not limited to, improper user authentication, restarts, link status (up or down), MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events.

reduce

Trap-directed notifications _____________ network and agent resources by eliminating the need for some SNMP polling requests.

get and set

What are the two primary SNMP manager requests?

SNMPv2c

Unlike SNMPv1, _____________ includes a bulk retrieval mechanism and more detailed error message reporting to management stations. The bulk retrieval mechanism retrieves tables and large quantities of information, minimizing the number of round-trips required. The SNMPv2c improved error-handling includes expanded error codes that distinguish different kinds of error conditions. These conditions are reported through a single error code in SNMPv1. Error return codes in SNMPv2c include the error type.

1. Version 3
2. Both
3. Version 2c
4. Both
5. Version 3
6. Version 2c
7. Version 2c
8. Version 3

Version 2c or 3 or both?
1. Authenticates the source of management messages.
2. Provides services for security models.
3. Cannot provide encrypted management messages.
4. Supported by Cisco IOS software.
5. Provides services for both security models and security levels.
6. Includes expanded error codes with types.
7. Uses community-based forms of security.
8. Used for interoperability and includes message integrity reporting.

copy and send

What if a network administrator wanted to capture packets from many other key devices and not just the local NIC? A solution is to configure networking devices to _________ and ______ traffic going to ports of interest to a port connected to a packet analyzer. The administrator could then analyze network traffic from various sources in the network.

Client (Supplicant) - 802.1X-enabled port on the device. The device requests access to LAN and switch services and then responds to requests from the switch. The device runs 802.1X-compliant client software. Another supplicant is an 802.1X-compliant wireless device such as a laptop or tablet.
Switch (Authenticator) - This controls physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server. It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client. The switch uses a RADIUS software agent, which is responsible for encapsulating and de-encapsulating the EAP (Extensible Authentication Protocol) frames and interacting with the authentication server. Another device that could act as authenticator is a wireless access point acting as the intermediary between the wireless client and the authentication server.
Authentication Server - This performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch or other authenticator, such as a wireless access point, whether the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The RADIUS security system with EAP extensions is the only supported authentication server.

With 802.1X port-based authentication, the devices in the network have specific roles. What are the three roles?

Local

____________ SPAN is when traffic on a switch is mirrored to another port on that switch. Various terms are used to identify incoming and outgoing ports.

Remote

________________ SPAN (RSPAN) allows source and destination ports to be in different switches. RSPAN is useful when the packet analyzer or IPS is on a different switch than the traffic being monitored.

SNMPv3

_________________ provides for both security models and security levels. A security model is an authentication strategy set up for a user and the group within which the user resides. A security level is the permitted level of security within a security model. The combination of the security level and the security model determines which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2c, and SNMPv3.

Port Security

__________________ allows an administrator to statically specify MAC addresses for a port, or to permit the switch to dynamically learn a limited number of MAC addresses. By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized expansion of the network.

Simple Network Management Protocol (SNMP)

________________________ was developed to allow administrators to manage nodes such as servers, workstations, routers, switches, and security appliances, on an IP network. It enables network administrators to monitor and manage network performance, find and solve network problems, and plan for network growth.
