Term
What are some of the best practices for configuring security on a new Cisco router?

Definition
use SSH instead of telnet
updated IOS
configure ACLs
use difficult & encrypted passwords
disable unneeded services

Term
What are the ACL number ranges for:
IP Standard ACL
IP Extended ACL
IP Standard Expanded Range ACL
IP Extended Expanded Range ACL

Definition
IP Standard ACL : 1-99
IP Extended ACL : 100-199
IP Standard Expanded Range ACL : 1300-1999
IP Extended Expanded Range ACL : 2000-2699

Term
What are the characteristics and syntax of Standard ACLs?

Definition
Can filter only on a source network/host (classful)
Cannot filter on destination, protocol, or port
Global config:
access-list # [permit|deny] x.x.x.x [wildcard mask]

Term
What are the characteristics and general syntax for Extended ACLs?

Definition
filter based on: source/destination IP/ports, protocol, ICMP message
Global command:
access-list # [permit|deny] [proto] [source] [mask] (operators) [dest] [mask] (operators) (advanced opt)

Term
What are the characteristics/advantages of named ACLs?
What is the syntax for configuring it?

Definition
Meaningful to read, allows removal of individual lines
Supports both standard and extended ACLs
R(config)#ip access-list [standard|extended] [name]
R(config-ext-nacl)#[permit|deny] ...
...etc.

Term
What is the syntax for port operators and ICMP operators in Extended ACL config?

Definition
Port operators:
eq (equal to port number)
gt/lt (match greater/less than given port number)
range (specify range)
ICMP operators:
echo, echo-reply, etc.

Term
What are the three advanced options/keywords that can be configured on an ACL line?
What are their functions and what kind of ACLs support them?

Definition
log : logs source IP to log buffer when a match is made (5 min intervals); supports standard and extended ACL
log-input : also logs L2 source MAC or DLCI number; supported for extended ACL only
established : allow traffic only if TCP session already established; only for extended ACLs filtering TCP

Term
What are the commands to verify (show) the configuration of ACLs?

Definition
"show ACLs" - shows what ACLs are configured
"show access-list" & "show ip ACLs" - shows only the IP ACLs
"show ip interface" - shows the direction and placement of ACLs

Term
What is implied at the end/default of an ACL?

Definition
"... deny any any" statement

Term
Where should standard / extended ACLs be placed in the network?

Definition
standard - close to the destination of filtered traffic
extended - close to the source of filtered traffic

Term
In NAT, what does the "inside" and "outside" refer to?

Definition
Inside: Private side of the network, usually the source of addresses being translated (e.g. "your" company network)
Outside: Public side of the network; address space to which inside/private hosts are being translated (e.g. "another" company's network)

Term
In NAT, what does "inside local", "inside global", "outside local", "outside global" refer to?

Definition
Inside local: addresses assigned on your private network
Inside global: public addresses assigned by the ISP to represent your private addresses
Outside global: Internet-routable IP of a host outside your company
Outside local: private IP address of the end host on the other/destination private network

Term
What are the characteristics of the following issues that NAT is used to resolve?
1. Overlapping address space
2. Well-meaning admin error

Definition
1. Overlapping address space: When a network connects with another network that uses the same IP range (e.g. during a merger)
2. Well-meaning admin error: Designer of network fails to plan for future growth of network or makes a mistake (e.g. giving private hosts addresses of public IPs belonging to someone else)

Term
How does NAT contribute to load distribution?

Definition
Give a cluster of machines a single IP for clients to use

Term
What are the main advantages and disadvantages of NAT?

Definition
Pros: Conserves the registered IP address space, adds security by hiding originating IP & preventing inside access
Cons: Application incompatibilities with the nature of changing the source IP of traffic, introduces additional latency to transmission

Term
What are the characteristics, general use, and config syntax of static NAT?

Definition
One-to-one mapping of inside local to inside global IP
Gives hosts such as mail/web servers on the private network access to the public internet & vice-versa
Global command:
ip nat inside source static [in-local ip] [in-global ip]
On interfaces:
ip nat [inside|outside]

Term
What are the characteristics of Dynamic NAT?
(Any cons?)

Definition
Enables an inside host to get to an outside address when/as needed.
Cons: Still doesn't conserve IP

Term
What is PAT and how is it related to NAT?
What is the config syntax?

Definition
Port Address Translation (aka extended NAT entry)
Uses source ports of hosts to distinguish translated flows, possibly to a single outside address
Global config:
ip nat inside source [...] interface [intfc] overload

Term
What are the commands to verify (show) NAT configuration/stats?
What is the command to clear dynamic NAT entries?

Definition
show ip nat translations
"show ip nat statistics" - snapshot of how many translations performed, overview of config, amount of pool used
clear ip nat translation *

Term
What are the characteristics of dynamic access lists, and what benefits do they offer over standard and static extended ACLs?

Definition
AKA Lock and Key
Dynamic user access through firewall, based on telnet connection and authentication
- Challenge mechanism to authenticate users
- Simplified management in large internetworks
- Reduction in router processing
- Reduction of chance for network break-ins

Term
What are the characteristics of reflexive ACLs and what are their benefits over normal ACLs?

Definition
AKA IP-Session-Filtering ACLs
Denies traffic from outside sources, while allowing traffic for a session initiated from the inside network.
- Can be included in a firewall defense
- Simple to use
- Greater control of packets entering network
- Additional security against spoofing and DoS

Term
What is commonly used to define the outside and inside IP ranges in dynamic NAT?
What is the config syntax?

Definition
inside source: access list
outside IP range: NAT pool
Global config:
ip nat pool [name] [1stIP] [lastIP] netmask [mask]
or
ip nat pool [name] [1stIP] [lastIP] prefix-length [#]
ip nat inside source list [acl#] pool [name]

Term
What is the syntax for applying an ACL on an interface versus for telnet/ssh?

Definition
Interface config:
ip access-group [acl#] [in|out]
Line vty config:
access-class [acl#] [in|out]

Term
Where are the ACL commands for access-class vs access-group placed?

Definition
access-class on line vty
access-group on the interface

Term
What commands are configured on the interface level for general NAT configuration?

Definition
ip nat inside
ip nat outside