Term
What are the three key goals for network security? (Describe and give broad example)

Definition
Confidentiality - keeping data private against eavesdropping; eg. encryption
Integrity - keeping data from being altered; eg. hash/checksum verification to prevent MitM attacks
Availability - keeping data/hosts/services available for intended purposes; eg. rate limiting to stop excessive flows against DoS attacks

Term
What is the goal of a reconnaissance attack?

Definition
Trying to gain info about network such as IP addresses, device types, software revisions

Term
What are the common methods/tools used in a reconnaissance attack?

Definition
packet capture, ping sweeps, DNS queries

Term
What methods are used to reduce the threat of reconnaissance attacks?

Definition
use cryptographic protocols (eg. IPsec, SSL, SSH) to protect data in transit
use switches instead of hubs to reduce ports/LAN segments that data is sent to

Term
What are some examples of access attacks?

Definition
password attacks
trust exploitation (elevating existing privileges to root/admin level)
man-in-the-middle

Term
What kind of security breach consists of flooding a system with malformed packets to crash a server?

Definition

Term
What kind of security breach commonly uses malware such as viruses and worms to exploit a system?

Definition

Term
Identify the acronyms of the following Cisco "Self-Defending Network" solutions: IPS, ASA, CSA, NAC, MARS

Definition
IPS - Intruder Prevention System
ASA - Adaptive Security Appliance (replacing PIX)
CSA - Cisco Secure Agent
NAC - Network Admission Control (formerly Cisco Clean Access)
MARS - Monitoring, Analysis, and Response System

Term
What are the capabilities of Cisco IPS?

Definition
monitors traffic for attacks matching signature
automatically modify firewall and ACLs

Term
What are the capabilities of Cisco ASA?

Definition
firewall
supports antivirus, IPsec, VPN
also can integrate IPS and NAC

Term
What are the capabilities of Cisco DDoS Guard?

Definition
Detects the presence of potential Distributed Denial of Service attacks
Blocks malicious traffic in real-time while not affecting the flow of legitimate/critical traffic

Term
What are the capabilities of Cisco Anomaly Guard (aka Anomaly Guard and Protector)?

Definition
Works in conjunction with DDoS Guard
Uses behavior analysis to maintain profile for normal traffic
Detect deviations outside of defined DDoS Guard signatures

Term
What are the capabilities of CSA?

Definition
Software installed on endpoint systems
Defends against targeted attacks, spyware, rootkits, day-zero attacks
Contains built-in IPS, malicious mobile code protection, OS patch assurance, audit logs

Term
What are the capabilities of NAC?

Definition
Allows admins to authenticate, authorize, evaluate, and remediate users on network
Can quarantine and prevent noncompliant end hosts from accessing network

Term
What are the capabilities of MARS?

Definition
Security monitoring for security devices and host applications
Supports event aggregation, device discovery, compliance reporting, notifications
Assists in analysis/response of threats on network

Term
What are some of the best practices for configuring security on a new Cisco router?

Definition
use SSH instead of telnet
use updated IOS
configure ACLs
use difficult & encrypted passwords
disable unneeded services

Term
What are the four main uses of access lists aside from filtering traffic?

Definition
1. classifying for QoS
2. filtering routing updates
3. defining interesting traffic for dial-on-demand
4. identify address ranges for NAT

Term
What are the ACL number ranges for: IP Standard ACL, IP Extended ACL, IP Standard Expanded Range ACL, IP Extended Expanded Range ACL

Definition
IP Standard ACL : 1-99
IP Extended ACL : 100-199
IP Standard Expanded Range ACL : 1300-1999
IP Extended Expanded Range ACL : 2000-2699

Term
What are the characteristics and syntax of Standard ACLs?

Definition
ACL range 1-99 / 1300-1999
Can filter only on a source network/host (classful)
Cannot filter on destination, protocol, or port
Global config: access-list # [permit|deny] x.x.x.x [wildcard mask]

Term
What are the characteristics and general syntax for Extended ACLs?

Definition
ACL range 100-199 / 2000-2699
filter based on: source/destination IP/ports, protocol, ICMP message
Global command: access-list # [permit|deny] [proto] [source] [mask] (operators) [dest] [mask] (operators) (advanced opt)

Term
What are the advantages of using named ACLs?

Definition
more meaningful to read
supports both standard and extended ACLs
allow removal of individual lines

Term
What is the syntax for port operators and ICMP operators in Extended ACL config?

Definition
Port operators:
eq (equal to port number)
gt/lt (match greater/less than given port number)
range (specify range)
ICMP operators: echo, echo-reply, etc.

Term
What is the syntax for applying an ACL on: interface, telnet/ssh

Definition
Interface config: ip access-group [acl#] [in|out]
Line vty config: access-class [acl#] [in|out]

Term
What are the three advanced options/keywords that can be configured on an ACL line? What are their functions and what kind of ACLs support them?

Definition
log : logs source address to show log every time a match is made (at 5 min intervals); supports standard and extended ACL
log-input : also logs L2 source MAC or DLCI number; supported for extended ACL only
established : allow traffic only if TCP session already established; only for extended ACLs filtering TCP

Term
What is the procedure/syntax to configure a named ACL?

Definition
R(config)#ip access-list [standard|extended] [name]
R(config-ext-nacl)#[permit|deny] ...
...etc.

Term
What are the commands to verify (show) the configuration of ACLs?

Definition
show ACLs - shows what ACLs are configured
show access-list
show ip ACLs - shows only the IP ACLs
show ip interface - shows the direction and placement of ACLs

Term
What is implied at the end/default of an ACL?

Definition
"... deny any any" statement

Term
Where should standard / extended ACLs be placed in the network?

Definition
standard - close to the destination of filtered traffic
extended - close to the source of filtered traffic

Term
In NAT, what does the "inside" refer to?

Definition
Private side of the network
Usually the source of addresses being translated

Term
In NAT, what does the "outside" refer to?

Definition
Public side of the network
Address space to which inside/private hosts are being translated

Term
In NAT, what does the "inside local" refer to?

Definition
located on the "inside"
addresses assigned to inside/private hosts, which are the ones being translated

Term
In NAT, what does the "inside global" refer to?

Definition
located on the "outside"
addresses to which the inside local addresses get translated
usually IPs registered with the ISP

Term
In NAT, what does the "outside global" refer to?

Definition
located on the outside
registered IPs assigned to web servers, mail servers, or any host reachable on the public network itself

Term
In NAT, what does the "outside local" refer to?

Definition
addresses of the outside global hosts as they appear on the inside network
may or may not have been translated, depending on configuration

Term
What is the "overlapping address space" issue that NAT is used to resolve?

Definition
When a network connects with another network that uses the same IP range (eg. during a merger)

Term
What is the "Well-Meaning Admin Error" that NAT is meant to resolve?

Definition
Designer of network fails to plan for future growth of network or makes a mistake (eg. giving private hosts addresses of public IPs belonging to someone else)

Term
How does NAT contribute to load distribution?

Definition
Give a cluster of machines a single IP for clients to use

Term
What are the main advantages of NAT?

Definition
conserves the registered IP address space
security by hiding originating IP & preventing inside access

Term
What are the main disadvantages of NAT?

Definition
Application incompatibilities with the nature of changing the source IP of traffic
introduces additional latency to transmission

Term
What are the characteristics and general use of static NAT?

Definition
one-on-one mapping of inside local to inside global IP
gives hosts such as mail/web servers on the private network access to the public internet & vice-versa

Term
What are the commands/procedure to configure a static NAT mapping?

Definition
Global command: ip nat inside source static [in-local ip] [in-global ip]
On interfaces: ip nat [inside|outside]

Term
What are the characteristics of Dynamic NAT?

Definition
enables an inside host to get to an outside address when/as needed
still doesn't conserve IP

Term
What is commonly used to define the outside and inside IP ranges in dynamic NAT?

Definition
inside source: access list
outside IP range: NAT pool

Term
What are the commands used to configure dynamic NAT using a pool as the outside range and an ACL for the inside source?

Definition
Global:
ip nat pool [name] [1stIP] [lastIP] netmask [mask]
or ip nat pool [name] [1stIP] [lastIP] prefix-length [#]
ip nat inside source list [acl#] pool [name]
Interface: ip nat [inside|outside]

Term
What is PAT and how is it related to NAT?

Definition
Port Address Translation aka extended NAT entry
uses source ports of hosts to distinguish translated flows, possibly to a single outside address

Term
What are the commands to enable PAT?

Definition
Global: ip nat inside source [...] interface [intfc] overload
Interface: ip nat [inside|outside]

Term
What are the commands to verify (show) NAT configuration/stats? What is the command to clear dynamic NAT entries?

Definition
show ip nat translations
show ip nat statistics - snapshot of how many translations performed, overview of config, amount of pool used
clear ip nat translation *
