Term
What are the three key goals for network security? (Describe and give broad example)

Definition
Confidentiality - keeping data private against eavesdropping; eg. encryption
Integrity - keeping data from being altered; eg. hash/checksum verification to prevent MitM attacks
Availability - keeping data/hosts/services available for intended purposes; eg. rate limiting to stop excessive flows against DoS attacks

Term
What is the goal of a reconnaissance attack?

Definition
Trying to gain info about network such as IP addresses, device types, software revisions

Term
What are the common methods/tools used in a reconnaissance attack?

Definition
packet capture, ping sweeps, DNS queries

Term
What methods are used to reduce the threat of reconnaissance attacks?

Definition
use cryptographic protocols (eg. IPsec, SSL, SSH) to protect data in transit
use switches instead of hubs to reduce ports/LAN segments that data is sent to

Term
What are some examples of access attacks?

Definition
password attacks
trust exploitation (elevating existing privileges to root/admin level)
man-in-the-middle

Term
What kind of security breach consists of flooding a system with malformed packets to crash a server?

Definition

Term
What kind of security breach commonly uses malware such as viruses and worms to exploit a system?

Definition

Term
Identify the acronyms of the following Cisco "Self-Defending Network" solutions: IPS, ASA, CSA, NAC, MARS

Definition
IPS - Intruder Prevention System
ASA - Adaptive Security Appliance (replacing PIX)
CSA - Cisco Secure Agent
NAC - Network Admission Control (formerly Cisco Clean Access)
MARS - Monitoring, Analysis, and Response System

Term
What are the capabilities of Cisco IPS?

Definition
monitors traffic for attacks matching a signature
automatically modifies firewall and ACLs

Term
What are the capabilities of Cisco ASA?

Definition
firewall
supports antivirus, IPsec, VPN
also can integrate IPS and NAC

Term
What are the capabilities of Cisco DDoS Guard?

Definition
Detects the presence of potential Distributed Denial of Service attacks
Blocks malicious traffic in real time while not affecting the flow of legitimate/critical traffic

Term
What are the capabilities of Cisco Anomaly Guard (aka Anomaly Guard and Protector)?

Definition
Works in conjunction with DDoS Guard
Uses behavior analysis to maintain a profile for normal traffic
Detects deviations outside of defined DDoS Guard signatures

Term
What are the capabilities of CSA?

Definition
Software installed on endpoint systems
Defends against targeted attacks, spyware, rootkits, day-zero attacks
Contains built-in IPS, malicious mobile code protection, OS patch assurance, audit logs

Term
What are the capabilities of NAC?

Definition
Allows admins to authenticate, authorize, evaluate, and remediate users on the network
Can quarantine and prevent noncompliant end hosts from accessing the network

Term
What are the capabilities of MARS?

Definition
Security monitoring for security devices and host applications
Supports event aggregation, device discovery, compliance reporting, notifications
Assists in analysis/response of threats on the network

Term
What are some of the best practices for configuring security on a new Cisco router?

Definition
use SSH instead of telnet
updated IOS
configure ACLs
use difficult & encrypted passwords
disable unneeded services

Term
What are the four main uses of access lists aside from filtering traffic?

Definition
1. classifying for QoS
2. filtering routing updates
3. defining interesting traffic for dial-on-demand
4. identify address ranges for NAT

Term
What are the ACL number ranges for: IP Standard ACL, IP Extended ACL, IP Standard Expanded Range ACL, IP Extended Expanded Range ACL

Definition
IP Standard ACL : 1-99
IP Extended ACL : 100-199
IP Standard Expanded Range ACL : 1300-1999
IP Extended Expanded Range ACL : 2000-2699

Term
What are the characteristics and syntax of Standard ACLs?

Definition
ACL range 1-99 / 1300-1999
Can filter only on a source network/host (classful)
Cannot filter on destination, protocol, or port
Global config: access-list # [permit|deny] x.x.x.x [wildcard mask]

Term
What are the characteristics and general syntax for Extended ACLs?

Definition
ACL range 100-199 / 2000-2699
filter based on: source/destination IP/ports, protocol, ICMP message
Global command: access-list # [permit|deny] [proto] [source] [mask] (operators) [dest] [mask] (operators) (advanced opt)

Term
What are the advantages of using named ACLs?

Definition
more meaningful to read
supports both standard and extended ACLs
allow removal of individual lines

Term
What is the syntax for port operators and ICMP operators in Extended ACL config?

Definition
Port operators:
eq (equal to port number)
gt/lt (match greater/less than given port number)
range (specify range)
ICMP operators: echo, echo-reply, etc.

Term
What is the syntax for applying an ACL on: an interface; telnet/ssh

Definition
Interface config: ip access-group [acl#] [in|out]
Line vty config: access-class [acl#] [in|out]

Term
What are the three advanced options/keywords that can be configured on an ACL line? What are their functions and what kind of ACLs support them?

Definition
log : logs source address to show log every time a match is made (at 5 min intervals); supports standard and extended ACL
log-input : also logs L2 source MAC or DLCI number; supported for extended ACL only
established : allow traffic only if TCP session already established; only for extended ACLs filtering TCP

Term
What is the procedure/syntax to configure a named ACL?

Definition
R(config)#ip access-list [standard|extended] [name]
R(config-ext-nacl)#[permit|deny] ...
...etc.

Term
What are the commands to verify (show) the configuration of ACLs?

Definition
show access-list - shows what ACLs are configured
show ip access-list - shows only the IP ACLs
show ip interface - shows the direction and placement of ACLs

Term
What is implied at the end/default of an ACL?

Definition
"... deny any any" statement

Term
Where should standard / extended ACLs be placed in the network?

Definition
standard - close to the destination of filtered traffic
extended - close to the source of filtered traffic

Term
In NAT, what does the "inside" refer to?

Definition
Private side of the network
Usually the source of addresses being translated

Term
In NAT, what does the "outside" refer to?

Definition
Public side of the network
Address space to which inside/private hosts are being translated

Term
In NAT, what does the "inside local" refer to?

Definition
located on the "inside"
addresses assigned to inside/private hosts, which are the ones being translated

Term
In NAT, what does the "inside global" refer to?

Definition
located on the "outside"
addresses to which the inside local addresses get translated
usually IPs registered with the ISP

Term
In NAT, what does the "outside global" refer to?

Definition
located on the outside
registered IPs assigned to web servers, mail servers, or any host reachable on the public network itself

Term
In NAT, what does the "outside local" refer to?

Definition
addresses of the outside global hosts as they appear on the inside network
may or may not have been translated, depending on configuration

Term
What is the "overlapping address space" issue that NAT is used to resolve?

Definition
When a network connects with another network that uses the same IP range (eg. during a merger)

Term
What is the "Well-Meaning Admin Error" that NAT is meant to resolve?

Definition
Designer of network fails to plan for future growth of network or makes a mistake (eg. giving private hosts addresses of public IPs belonging to someone else)

Term
How does NAT contribute to load distribution?

Definition
Give a cluster of machines a single IP for clients to use

Term
What are the main advantages of NAT?

Definition
conserves the registered IP address space
security by hiding originating IP & preventing inside access

Term
What are the main disadvantages of NAT?

Definition
Application incompatibilities with the nature of changing the source IP of traffic
introduces additional latency to transmission

Term
What are the characteristics and general use of static NAT?

Definition
one-to-one mapping of inside local to inside global IP
gives hosts such as mail/web servers on the private network access to the public internet & vice-versa

Term
What are the commands/procedure to configure a static NAT mapping?

Definition
Global command: ip nat inside source static [in-local ip] [in-global ip]
On interfaces: ip nat [inside|outside]

Term
What are the characteristics of Dynamic NAT?

Definition
enables an inside host to get to an outside address when/as needed
still doesn't conserve IP

Term
What is commonly used to define the outside and inside IP ranges in dynamic NAT?

Definition
inside source: access list
outside IP range: NAT pool

Term
What are the commands used to configure dynamic NAT using a pool as the outside range and an ACL for the inside source?

Definition
Global:
ip nat pool [name] [1stIP] [lastIP] netmask [mask]
or ip nat pool [name] [1stIP] [lastIP] prefix-length [#]
ip nat inside source list [acl#] pool [name]
Interface: ip nat [inside|outside]

Term
What is PAT and how is it related to NAT?

Definition
Port Address Translation
aka extended NAT entry
uses source ports of hosts to distinguish translated flows, possibly to a single outside address

Term
What are the commands to enable PAT?

Definition
Global: ip nat inside source [...] interface [intfc] overload
Interface: ip nat [inside|outside]

Term
What are the commands to verify (show) NAT configuration/stats? What is the command to clear dynamic NAT entries?

Definition
show ip nat translations
show ip nat statistics - snapshot of how many translations performed, overview of config, amount of pool used
clear ip nat translation *
