CCNA security study guide: exam 210-260
CCNA® Security Study Guide
Exam 210-260
Troy McMillan
Senior Acquisitions Editor: Kenyon Brown
Development Editor: David Clark
Technical Editors: Jon Buhagiar and Mark Dittmer
Production Manager: Kathleen Wisor
Copy Editor: Kim Wimpsett
Editorial Manager: Mary Beth Wakefield
Executive Editor: Jim Minatel
Book Designer: Judy Fung and Bill Gibson
Proofreader: Amy Schneider
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Jeremy Woodhouse/Getty Images, Inc.
Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-40993-9
ISBN: 978-1-119-40991-5 (ebk.)
ISBN: 978-1-119-40988-5 (ebk.)
Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2017962360

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CCNA is a registered trademark of Cisco Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
For my best friend, Wade Long, for just being a good friend.
Acknowledgments
Special thanks go to David Clark for keeping me on schedule and ensuring all the details are correct. Also, I'd like to thank Jon Buhagiar for the excellent technical edit that saved me from myself at times. Finally, as always, I'd like to acknowledge Kenyon Brown for his continued support of all my writing efforts.
About the Author
Troy McMillan writes practice tests, study guides, and online course materials for Kaplan IT Training, while also running his own consulting and training business. He holds more than 30 industry certifications and also appears in training videos for OnCourse Learning and Pearson Press. Troy can be reached at mcmillantroy@hotmail.com.
Contents
Acknowledgments
About the Author
Introduction
    What Does This Book Cover?
    Interactive Online Learning Environment and Test Bank
    Who Should Read This Book
    How to Use This Book
    How Do You Go About Taking the Exam?
    Certification Exam Policies
Assessment Test
Answers to Assessment Test
Chapter 1 Understanding Security Fundamentals
    Goals of Security
    Network Topologies
    Common Network Security Zones
    Summary; Exam Essentials; Review Questions
Chapter 2 Understanding Security Threats
    Common Network Attacks
    Social Engineering
    Malware
    Data Loss and Exfiltration
    Summary; Exam Essentials; Review Questions
Chapter 3 Understanding Cryptography
    Symmetric and Asymmetric Encryption
    Hashing Algorithms
    Key Exchange
    Public Key Infrastructure
    Summary; Exam Essentials; Review Questions
Chapter 4 Securing the Routing Process
    Securing Router Access
    Implementing OSPF Routing Update Authentication
    Securing the Control Plane
    Summary; Exam Essentials; Review Questions
Chapter 5 Understanding Layer 2 Attacks
    Understanding STP Attacks
    Understanding ARP Attacks
    Understanding MAC Attacks
    Understanding CAM Overflows
    Understanding CDP/LLDP Reconnaissance
    Understanding VLAN Hopping
    Understanding DHCP Spoofing
    Summary; Exam Essentials; Review Questions
Chapter 6 Preventing Layer 2 Attacks
    Configuring DHCP Snooping
    Configuring Dynamic ARP Inspection
    Configuring Port Security
    Configuring STP Security Features
    Disabling DTP
    Verifying Mitigations
    Summary; Exam Essentials; Review Questions
Chapter 7 VLAN Security
    Native VLANs
    PVLANs
    ACLs on Switches
    Summary; Exam Essentials; Review Questions
Chapter 8 Securing Management Traffic
    In-Band and Out-of-Band Management
    Securing Network Management
    Securing Access through SNMPv3
    Securing NTP
    Using SCP for File Transfer
    Summary; Exam Essentials; Review Questions
Chapter 9 Understanding 802.1x and AAA
    802.1x Components
    RADIUS and TACACS+ Technologies
    Configuring Administrative Access with TACACS+
    Understanding Authentication and Authorization Using ACS and ISE
    Understanding the Integration of Active Directory with AAA
    Summary; Exam Essentials; Review Questions
Chapter 10 Securing a BYOD Initiative
    The BYOD Architecture Framework
    The Function of Mobile Device Management
    Summary; Exam Essentials; Review Questions
Chapter 11 Understanding VPNs
    Understanding IPsec
    Understanding Advanced VPN Concepts
    Summary; Exam Essentials; Review Questions
Chapter 12 Configuring VPNs
    Configuring Remote Access VPNs
    Configuring Site-to-Site VPNs
    Summary; Exam Essentials; Review Questions
Chapter 13 Understanding Firewalls
    Understanding Firewall Technologies
    Stateful vs. Stateless Firewalls
    Summary; Exam Essentials; Review Questions
Chapter 14 Configuring NAT and Zone-Based Firewalls
    Implementing NAT on ASA 9.x
    Configuring Zone-Based Firewalls
    Summary; Exam Essentials; Review Questions
Chapter 15 Configuring the Firewall on an ASA
    Understanding Firewall Services
    Understanding Modes of Deployment
    Understanding Methods of Implementing High Availability
    Understanding Security Contexts
    Configuring ASA Management Access
    Configuring Cisco ASA Interface Security Levels
    Configuring Security Access Policies
    Configuring Default Cisco Modular Policy Framework (MPF)
    Summary; Exam Essentials; Review Questions
Chapter 16 Intrusion Prevention
    IPS Terminology
    Evasion Techniques
    Introducing Cisco FireSIGHT
    Understanding Modes of Deployment
    Positioning of the IPS within the Network
    Understanding False Positives, False Negatives, True Positives, and True Negatives
    Summary; Exam Essentials; Review Questions
Chapter 17 Content and Endpoint Security
    Mitigating Email Threats
    Mitigating Web-Based Threats
    Mitigating Endpoint Threats
    Summary; Exam Essentials; Review Questions
Appendix Answers to Review Questions
    Chapter 1: Understanding Security Fundamentals
    Chapter 2: Understanding Security Threats
    Chapter 3: Understanding Cryptography
    Chapter 4: Securing the Routing Process
    Chapter 5: Understanding Layer 2 Attacks
    Chapter 6: Preventing Layer 2 Attacks
    Chapter 7: VLAN Security
    Chapter 8: Securing Management Traffic
    Chapter 9: Understanding 802.1x and AAA
    Chapter 10: Securing a BYOD Initiative
    Chapter 11: Understanding VPNs
    Chapter 12: Configuring VPNs
    Chapter 13: Understanding Firewalls
    Chapter 14: Configuring NAT and Zone-Based Firewalls
    Chapter 15: Configuring the Firewall on an ASA
    Chapter 16: Intrusion Prevention
    Chapter 17: Content and Endpoint Security
Advert
EULA
List of Tables
Chapter 1
    Table 1.1
Chapter 3
    Table 3.1
    Table 3.2
Chapter 9
    Table 9.1
Chapter 16
    Table 16.1

List of Illustrations
Chapter 1
    Figure 1.1 Defense in depth
    Figure 1.2 Security cycle
    Figure 1.3 Campus area network
Chapter 2
    Figure 2.1 Ping scan with nmap
    Figure 2.2 TCP header
    Figure 2.3 NULL scan
    Figure 2.4 XMAS scan
    Figure 2.5 TCP handshake
    Figure 2.6 SYN flood
    Figure 2.7 Ping-of-death packet
    Figure 2.8 Direct DDoS
    Figure 2.9 Smurf attack
Chapter 3
    Figure 3.1 ROT13 Caesar cipher
    Figure 3.2 Vigenère cipher
    Figure 3.3 ECB process
    Figure 3.4 CBC process
    Figure 3.5 Hash process
    Figure 3.6 HMAC process
    Figure 3.7 Digital signature process
    Figure 3.8 PKI encryption
    Figure 3.9 PKI digital signature
    Figure 3.10 SSL process
    Figure 3.11 PKI hierarchy
    Figure 3.12 Cross certification
    Figure 3.13 Viewing certificates
Chapter 4
    Figure 4.1 CoPP
    Figure 4.2 Modular policy framework
Chapter 5
    Figure 5.1 STP attack
    Figure 5.2 ARP process
    Figure 5.3 ARP cache poisoning
    Figure 5.4 MAC spoofing
    Figure 5.5 CAM overflow
    Figure 5.6 Switch spoofing
    Figure 5.7 Double tagging
    Figure 5.8 DHCP spoofing
Chapter 6
    Figure 6.1 DHCP snooping
    Figure 6.2 DAI in action
    Figure 6.3 BPDU Guard in action
Chapter 7
    Figure 7.1 PVLANs
    Figure 7.2 PVLAN proxy attack
Chapter 8
    Figure 8.1 Partial MIB
    Figure 8.2 NTP authentication process
Chapter 9
    Figure 9.1 802.1x
Chapter 10
    Figure 10.1 ISE context-based access
    Figure 10.2 CMD
    Figure 10.3 SXP and SGT
    Figure 10.4 Permission matrix
    Figure 10.5 MDM with IDE
    Figure 10.6 ISE authorization policy integration
Chapter 11
    Figure 11.1 Diffie-Hellman
    Figure 11.2 IKE phase 1
    Figure 11.3 Matching ISAKMP parameters
    Figure 11.4 AH process
    Figure 11.5 AH in tunnel mode
    Figure 11.6 ESP in tunnel mode
    Figure 11.7 AH in transport mode
    Figure 11.8 ESP in transport mode
    Figure 11.9 IPv6 header with extensions
    Figure 11.10 The need for hairpinning
    Figure 11.11 Hairpin configuration
    Figure 11.12 Split tunneling
    Figure 11.13 Preferences (Part 2) window
    Figure 11.14 NAT traversal
Chapter 12
    Figure 12.1 Supported SSL/TLS algorithms
Chapter 13
    Figure 13.1 TCP three-way handshake
    Figure 13.2 Stateful firewall operation
Chapter 14
    Figure 14.1 Multiple class maps
    Figure 14.2 Reuse of class maps
    Figure 14.3 Default policies
    Figure 14.4 Default policies (self-zone)
Chapter 15
    Figure 15.1 Active/Standby failover
    Figure 15.2 Active/Active failover
    Figure 15.3 Clustering
    Figure 15.4 Security contexts
    Figure 15.5 Security levels in action
Chapter 16
    Figure 16.1 IP header fragmentation flags
    Figure 16.2 Fragmentation process
    Figure 16.3 Fragmentation attack
    Figure 16.4 Injection attack
    Figure 16.5 SPAN
    Figure 16.6 Tap
    Figure 16.7 Inline mode
    Figure 16.8 Outside deployment
    Figure 16.9 DMZ deployment
    Figure 16.10 Inside deployment
Chapter 17
    Figure 17.1 File retrospection
    Figure 17.2 ESA inbound
    Figure 17.3 ESA outbound
    Figure 17.4 Incoming mail processing
    Figure 17.5 Outgoing mail processing
Introduction
The CCNA Security certification program is one of the elective paths you can take when achieving the CCNA. It requires passing the CCENT exam (100-105) and then passing the CCNA Security exam (210-260).

The Cisco Security exam objectives are periodically updated to keep the certification applicable to the most recent hardware and software. This is necessary because a technician must be able to work on the latest equipment. The most recent revisions to the objectives, and to the whole program, were introduced in 2016 and are reflected in this book.

This book and the Sybex CCNA Security Complete Study Guide (both the Standard and Deluxe editions) are tools to help you prepare for this certification, and for the new areas of focus of a modern network security engineer's job.

What Is the CCNA Security Certification?
Cisco Certified Network Associate Security (CCNA Security) validates associate-level knowledge and skills required to secure Cisco networks. With a CCNA Security certification, a network professional demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats. The CCNA Security curriculum emphasizes core security technologies; the installation, troubleshooting, and monitoring of network devices to maintain integrity, confidentiality, and availability of data and devices; and competency in the technologies that Cisco uses in its security structure.

The CCNA Security certification isn't awarded until you've passed the two tests. For the latest pricing on the exams and updates to the registration procedures, call Pearson VUE at (877) 551-7587. You can also go to Pearson VUE's website at www.vue.com for additional information or to register online. If you have further questions about the scope of the exams, see https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security.html.
What Does This Book Cover?
Here is a glance at what's in each chapter.

Chapter 1: Understanding Security Fundamentals covers common security principles such as the CIA triad; common security terms such as risk, vulnerability, and threat; the proper application of common security zones, such as intranet, DMZ, and extranets; a discussion of network topologies as seen from the perspective of the Cisco Campus Area network; and methods of network segmentation such as VLANs.

Chapter 2: Understanding Security Threats covers common network attacks and their motivations; attack vectors such as malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel; various methods used to perform network reconnaissance such as ping scans and port scans; types of malware; and the exfiltration of sensitive data such as IP, PII, and credit card data.

Chapter 3: Understanding Cryptography covers symmetric and asymmetric key cryptography, the hashing process, major hashing algorithms, PKI and the components that make it function, and common attacks on cryptography.

Chapter 4: Securing the Routing Process covers methods of securing administrative access to the router, IOS privilege levels, IOS role-based CLI access, Cisco IOS resilient configuration, authentication of routing updates for both OSPF and EIGRP, and control plane policing.

Chapter 5: Understanding Layer 2 Attacks covers STP attacks such as rogue switches; ARP spoofing; MAC spoofing; and CAM overflow. It also discusses both the value and the danger in using CDP and LLDP. Finally, you will learn how VLAN hopping attacks are performed.

Chapter 6: Preventing Layer 2 Attacks covers DHCP snooping; DAI and how it can prevent ARP poisoning attacks; preventing MAC overflow attacks and the introduction of unauthorized devices to switch ports by using port security; and the use of BPDU Guard, Root Guard, and Loop Guard, all STP features designed to prevent unauthorized changes to the STP topology.

Chapter 7: VLAN Security covers preventing VLAN hopping attacks that take advantage of the native VLAN; private VLANs; setting ports as promiscuous, community, and isolated; the PVLAN Edge feature; and using ACLs to prevent a PVLAN proxy attack.

Chapter 8: Securing Management Traffic covers managing devices in-band and out-of-band; methods of securing management interfaces, including enabling the HTTPS server, securing SNMPv3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management; types of banner message; and securing the NTP protocol.
Chapter 9: Understanding 802.1x and AAA covers the AAA service that can be provided by TACACS+ and RADIUS servers, configuring administrative access to a router using TACACS+, how AAA can be integrated with Active Directory, the Cisco implementations of a RADIUS server including the Cisco Secure Access Control Server (ACS) and the Cisco Identity Services Engine (ISE), and the functions of the various 802.1X components.
Chapter 10: Securing a BYOD Initiative covers the challenges involved in supporting a BYOD initiative and the components provided by Cisco for this, including the Cisco Identity Services Engine (ISE) and the Cisco TrustSec provisioning and management platform. It also covers advanced features of Cisco ISE, including downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGA), change of authorization (CoA), and posture assessment. Further, we discuss the authentication mechanisms ISE can accept, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth). Finally, we end the chapter covering the three main functions of TrustSec.
Chapter 11: Understanding VPNs covers IPsec and the security services it provides; the components of IPsec such as ISAKMP, IKE, AH, and ESP; how to use hairpinning to allow traffic between two hosts that connect to the same VPN interface; and split tunneling and its benefits.

Chapter 12: Configuring VPNs covers the value of the Cisco clientless SSL VPN and the steps required to configure it, the Cisco AnyConnect SSL VPN, the modules in the Cisco AnyConnect client that can provide endpoint posture assessment, and how to implement an IPsec site-to-site VPN with preshared key authentication.

Chapter 13: Understanding Firewalls covers various firewall technologies such as proxy, application, personal, and stateful firewalls, with stateful firewalls covered in greater detail and described in relation to the TCP three-way handshake. Finally, you learn what is contained in the state table of a stateful firewall.

Chapter 14: Configuring NAT and Zone-Based Firewalls covers three forms of NAT: static NAT, dynamic NAT, and PAT; the NAT options available in the ASA; the benefits of NAT; and how to configure it and verify its operation. You will learn about class maps, policy maps, and service policies and their respective functions in a zone-based firewall. Finally, the steps to configure and verify a zone-based firewall end the chapter.

Chapter 15: Configuring the Firewall on an ASA covers how to set up the ASA so you can remotely administer it using the ASDM; the default security policies that are in place; how the default global policy interacts with configured policies; how interface security levels affect traffic flows; how the Cisco Modular Policy Framework is used to create policies; the difference between a transparent and a routed firewall; and high availability solutions including active/active, active/standby, and clustering approaches.

Chapter 16: Intrusion Prevention covers general IPS concepts such as network-based and host-based deployments; modes of deployment such as inline, SPAN, and tap; the positioning options available; false positives and false negatives; how rules and signatures are used in the process of identifying potential attacks; and the trigger actions of which an IPS might be capable, such as dropping, resetting, and alerting.
Chapter 17: Content and Endpoint Security covers mitigation techniques available when using the Cisco Email Security Appliance, including reputation and context-based filtering, and the Cisco Web Security Appliance, which uses blacklisting, URL filtering, and malware scanning to secure web traffic and web applications. Finally, the chapter discusses endpoint protection provided by the Cisco Identity Services Engine and Cisco TrustSec technology.
Interactive Online Learning Environment and Test Bank
We've put together some really great online tools to help you pass the CCNA Security exam. The interactive online learning environment that accompanies this CCNA Security exam certification guide provides a test bank and study tools to help you prepare for the exam. By using these tools you can dramatically increase your chances of passing the exam on your first try.

The online test bank includes the following:

Sample Tests: Many sample tests are provided throughout this book and online, including the Assessment Test, which you'll find at the end of this introduction, and the Chapter Tests that include the review questions at the end of each chapter. In addition, there are two bonus practice exams. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards: The online test bank includes 100 flashcards specifically written to hit you hard, so don't get discouraged if you don't ace your way through them at first! They're there to ensure that you're really ready for the exam. And no worries: armed with the review questions, practice exams, and flashcards, you'll be more than prepared when exam day comes! Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Resources: A glossary of key terms from this book and their definitions is available as a fully searchable PDF.

Go to http://www.wiley.com/go/Sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Who Should Read This Book
If you want to acquire a solid foundation in managing security on Cisco devices, or your goal is to prepare for the exams by filling in any gaps in your knowledge, this book is for you. You'll find clear explanations of the concepts you need to grasp and plenty of help to achieve the high level of professional competency you need in order to succeed in your chosen field.
If you want to become certified as a CCNA Security professional, this book is definitely what you need. However, if you just want to attempt to pass the exam without really understanding the basics of networking and Cisco devices, this guide isn't for you. It's written for people who want to acquire the skills and knowledge needed to secure Cisco networks.
How to Use This Book
If you want a solid foundation for the serious effort of preparing for the Cisco CCNA Security exam, then look no further. We've spent hundreds of hours putting together this book with the sole intention of helping you to pass the exam as well as really learn about the exciting field of network security!

This book is loaded with valuable information, and you will get the most out of your study time if you understand why the book is organized the way it is.

So, to maximize your benefit from this book, I recommend the following study method:

1. Take the assessment test that's provided at the end of this introduction. (The answers are at the end of the test.) It's okay if you don't know any of the answers; that's why you bought this book! Carefully read over the explanations for any questions you get wrong and note the chapters in which the material relevant to them is covered. This information should help you plan your study strategy.

2. Study each chapter carefully, making sure you fully understand the information and the test objectives listed at the beginning of each one. Pay extra-close attention to any chapter that includes material covered in questions you missed.

3. Complete all hands-on labs in each chapter, referring to the text of the chapter so that you understand the reason for each step you take.

4. Answer all of the review questions related to each chapter. (The answers appear in the Appendix.) Note the questions that confuse you, and study the topics they cover again until the concepts are crystal clear. And again, do not just skim these questions! Make sure you fully comprehend the reason for each correct answer. Remember that these will not be the exact questions you will find on the exam, but they're written to help you understand the chapter material and ultimately pass the exam!

5. Try your hand at the practice questions that are exclusive to this book. The questions can be found at http://www.sybex.com/go/ccnasecuritystudyguide.

6. Test yourself using all the flashcards, which are also found at the download link. These are brand-new and updated flashcards to help you prepare for the CCNA Security exam and a wonderful study tool!

To learn every bit of the material covered in this book, you'll have to apply yourself regularly, and with discipline. Try to set aside the same time period every day to study, and select a comfortable and quiet place to do so. I'm confident that if you work hard, you'll be surprised at how quickly you learn this material!
If you follow these steps and really study in addition to using the review questions, the practice exams, and the electronic flashcards, it would actually be hard to fail the CCNA Security exam. But understand that studying for the Cisco exams is a lot like getting in shape: if you do not go to the gym every day, it's not going to happen!

According to the Cisco website, the Cisco CCNA Security exam details are as follows:

Exam code: 210-260
Exam description: This exam tests the candidate's knowledge of secure network infrastructure, understanding core security concepts, managing secure access, VPN encryption, firewalls, intrusion prevention, web and email content security, and endpoint security using Cisco routers and the ASA 9.x.
Number of questions: 60–70
Type of questions: multiple choice, drag and drop, testlet, simulation
Length of test: 90 minutes
Passing score: 860 (on a scale of 300–1000)
Language: English

How Do You Go About Taking the Exam?
When the time comes to schedule your exam you will need to create an account at http://www.pearsonvue.com/cisco/ and register for your exam. Cisco testing is provided by their global testing partner Pearson VUE. You can locate your closest testing center at https://home.pearsonvue.com/. You can schedule at any of the listed testing centers.

To purchase the exam, you will need to buy an exam voucher from Cisco. The voucher is a code they provide you to use to schedule the exam. Information on purchasing a voucher can be found at http://www.pearsonvue.com/vouchers/pricelist/cisco.asp.

When you have a voucher and have selected a testing center, you can schedule the Cisco 210-260 exam by following this link: http://www.pearsonvue.com/cisco/. This will take you to the Pearson VUE website, and from here you can also locate a testing center or purchase vouchers if you have not already done so.

When you have registered for the CCNA Security certification exam you will receive a confirmation e-mail that supplies you with all of the information you will need to take the exam. Remember to take a printout of this e-mail with you to the testing center.
Certification Exam Policies
For the most current information regarding Cisco exam policies, it is recommended that you follow the https://www.cisco.com/c/en/us/training-events/training-certifications/exams/policies.html link to become familiar with Cisco policies. It contains a large amount of useful information regarding:

Exam policy requirements
Age requirements and policies concerning minors
Certification and confidentiality agreement
Candidate identification and authentication
Candidate rights and responsibilities
Confidentiality and agreements
Embargoed country policy
Privacy
Exam and testing policies
Conduct
Confidentiality and agreements
Exam discounts, vouchers, and promotional codes
Exam violations
Preliminary score report
Retaking exams
Post exam policies
Certification tracking system
Correspondence
Exam recertification
Exam retirement
Exam scoring
Logo guidelines
Tips for Taking Your Exam
The Cisco CCNA Security exam contains 60–70 multiple choice, drag and drop, testlet, and simulation item questions, and must be completed in 90 minutes or less. This information may change over time and it is advised to check www.cisco.com for the latest updates.

Many questions on the exam offer answer choices that at first glance look identical, especially the syntax questions! So remember to read through the choices carefully, because close just doesn't cut it. If you get information in the wrong order or forget one measly character, you may get the question wrong. So, to practice, do the practice exams and hands-on exercises in this book's chapters over and over again until they feel natural to you; also, and this is very important, do the online sample test until you can consistently answer all the questions correctly. Relax, read the question over and over until you are 100% clear on what it is asking, and then you can usually eliminate a few of the obviously wrong answers.
Here are some general tips for exam success:

Arrive early at the exam center so you can relax and review your study materials.
Read the questions carefully. Don't jump to conclusions. Make sure you're clear about exactly what each question asks. "Read twice, answer once!"
Ask for a piece of paper and pencil if it is offered to take down quick notes and make sketches during the exam.
When answering multiple-choice questions that you're not sure about, use the process of elimination to get rid of the obviously incorrect answers first. Doing this greatly improves your odds if you need to make an educated guess.

After you complete an exam, you'll get immediate notification of your pass or fail status, a printed examination score report that indicates your pass or fail status, and your exam results by section. (The test administrator will give you the printed score report.) Test scores are automatically forwarded to Cisco after you take the test, so you don't need to send your score to them. If you pass the exam, you'll receive confirmation from Cisco and a package in the post with a nice document suitable for framing showing that you are now a Cisco certified engineer.

Exam Objectives
Cisco goes to great lengths to ensure that its certification programs accurately reflect the IT industry's best practices. The company does this by establishing Cornerstone Committees for each of its exam programs. Each committee comprises a small group of IT professionals, training providers, and publishers who are responsible for establishing the exam's baseline competency level and who determine the appropriate target audience level.

Once these factors are determined, Cisco shares this information with a group of hand-selected subject-matter experts (SMEs). These folks are the true brainpower behind the certification program. They review the committee's findings, refine them, and shape them into the objectives you see before you. Cisco calls this process a job task analysis (JTA).

Finally, Cisco conducts a survey to ensure that the objectives and weightings truly reflect the job requirements. Only then can the SMEs go to work writing the hundreds of questions needed for the exam. And, in many cases, they have to go back to the drawing board for further refinements before the exam is ready to go live in its final state. So, rest assured, the content you're about to learn will serve you long after you take the exam.

Cisco also publishes relative weightings for each of the exam's objectives. The following table lists the objective domains and the extent to which they're represented on the exam.
210-260 Exam Domains                  % of Exam
1.0 Security Concepts                 12%
2.0 Secure Access                     14%
3.0 VPN                               17%
4.0 Secure Routing and Switching      18%
5.0 Cisco Firewall Technologies       18%
6.0 IPS                                9%
7.0 Content and Endpoint Security     12%
Total                                100%
210-260 Subdomains                                                                        Chapters
1.2 Common security threats                                                               2
1.3 Cryptography concepts                                                                 3
1.4 Describe network topologies                                                           1
2.1 Secure management                                                                     8
2.2 AAA concepts                                                                          9
2.3 802.1x authentication                                                                 9
2.4 BYOD                                                                                  10
3.1 VPN concepts                                                                          11
3.2 Remote access VPN                                                                     12
3.3 Site-to-site VPN                                                                      12
4.1 Security on Cisco routers                                                             4
4.2 Securing routing protocols                                                            4
4.3 Securing the control plane                                                            4
4.4 Common Layer 2 attacks                                                                5
4.5 Mitigation procedures                                                                 6
4.6 VLAN security                                                                         7
5.1 Describe operational strengths and weaknesses of the different firewall technologies  13
5.2 Compare stateful vs. stateless firewalls                                              13
5.3 Implement NAT on Cisco ASA 9.x                                                        14
5.4 Implement zone-based firewall                                                         14
5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x                  15
6.1 Describe IPS deployment considerations                                                16
6.2 Describe IPS technologies                                                             16
7.1 Describe mitigation technology for email-based threats                                17
7.2 Describe mitigation technology for web-based threats                                  17
7.3 Describe mitigation technology for endpoint threats                                   17
![Page 26: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/26.jpg)
Assessment Test
1. When you are concerned with preventing data from unauthorized edits you are concerned with which of the following?
A. integrity
B. confidentiality
C. availability
D. authorization
2. When a systems administrator is issued both an administrative-level account and a normal user account and uses the administrative account only when performing an administrative task, it is an example of which concept?
A. least privilege
B. split knowledge
C. dual control
D. separation of duties
3. What is the purpose of mandatory vacations?
A. cross training
B. fraud prevention
C. improves morale
D. employee retention
4. Which of the following occurs when an organizational asset is exposed to losses?
A. risk
B. threat
C. exposure
D. vulnerability
5. Which of the following is a standard used by the security automation community to enumerate software flaws and configuration issues?
A. CSE
B. SCAP
C. CVE
D. CWE
6. Which hacker type hacks for a political cause?
A. black hats
B. white hats
C. script kiddies
D. hacktivists
7. Which of the following is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator?
A. PGP
B. S/MIME
C. SMTP
D. SPF
8. What does the following command do?
nmap -sP 192.168.0.0-100
A. port scan
B. ping scan
C. vulnerability scan
D. penetration test
9. You just executed a half-open scan and got no response. What does that tell you?
A. the port is open
B. the port is closed
C. the port is blocked
D. it cannot be determined
10. Which of the following is a mitigation for a buffer overflow?
A. antivirus software
B. IOS updates
C. input validation
D. encryption
11. Which of the following is a Layer 2 attack?
A. buffer overflow
B. DoS
C. ARP poisoning
D. IP spoofing
12. Which of the following is not intellectual property?
A. designs
B. advertisements
C. recipes
D. contact lists
13. What is the best countermeasure to social engineering?
A. training
B. access lists
C. HIDS
D. encryption
14. Which of the following is a mitigation for ARP poisoning?
A. VLANs
B. DAI
C. DNSSec
D. STP
15. In which cryptographic attack does the attacker use recurring patterns to reverse engineer the message?
A. side channel
B. frequency
C. plaintext only
D. ciphertext only
16. You have five users in your department. These five users only need to encrypt information with one another. If you implement a symmetric encryption algorithm, how many keys will be needed to support the department?
A. 5
B. 8
C. 10
D. 12
17. Which statement is true with regard to asymmetric encryption?
A. less expensive than symmetric
B. slower than symmetric
C. harder to crack than symmetric
D. key compromise can occur more easily than with symmetric
18. Which of the following is a stream-based cipher?
A. RC4
B. DES
C. 3DES
D. AES
19. What is the purpose of an IV?
A. doubles the encryption
B. adds randomness
C. performs 16 rounds of transposition
D. hashes the message
20. Which step is not required to configure SSH on a router?
A. Set the router name
B. Set the router ID
C. Set the router domain name
D. Generate the RSA key
21. Which of the following allows you to assign a technician sets of activities that coincide with the level they have been assigned?
A. access levels
B. job parameters
C. privilege levels
D. rules
22. Which of the following is a way to prevent unwanted changes to the configuration?
A. router lockdown
B. resilient configuration
C. secure IOS
D. config-sec
23. Which of the following is used to hold multiple keys used in OSPF Routing Update Authentication?
A. keystore
B. key chain
C. keydb
D. keyauth
24. Which of the following characteristics of a rogue switch could cause it to become the root bridge?
A. higher MAC address
B. higher IP address
C. a superior BPDU
D. lower router ID
25. Which of the following is used by a malicious individual to pollute the ARP cache of other machines?
A. ping of death
B. buffer overflow
C. bound violation
D. gratuitous ARP
26. What happens when the CAM table of a switch is full of fake MAC addresses and can hold no other MAC addresses?
A. it gets dumped
B. the switch shuts down
C. the switch starts forwarding all traffic out of all ports
D. all ports are shut down
27. Which switch feature uses the concept of trusted and untrusted ports?
A. DAI
B. DHCP snooping
C. STP
D. Root Guard
28. Which command enables port security on the switch?
A. SW70(config-if)#switchport mode access
B. SW70(config-if)#switchport port-security maximum 2
C. SW70(config-if)#switchport port-security
D. SW70(config-if)#switchport port-security violation shutdown
29. Which switch feature prevents the introduction of a rogue switch to the topology?
A. Root Guard
B. BPDU Guard
C. Loop Guard
D. DTP
30. What prevents switching loops?
A. DAI
B. DHCP snooping
C. STP
D. Root Guard
Answers to Assessment Test
1. A. Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.
2. A. The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task.
3. B. With mandatory vacations, all personnel are required to take time off, allowing other personnel to fill their position while gone. This detective administrative control enhances the opportunity to discover unusual activity.
4. C. An exposure occurs when an organizational asset is exposed to losses.
5. B. Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardized the nomenclature and formats used.
6. D. Hacktivists are those who hack not for personal gain, but to further a cause. For example, the Anonymous group hacks from time to time for various political reasons.
7. D. Sender Policy Framework (SPF) is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator. If it can’t be validated, it is not delivered to the recipient’s box.
8. B. 0–100 is the range of IP addresses to be scanned in the 192.168.0.0 network.
9. C. If you receive no response the port is blocked on the firewall.
10. C. With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten.
11. C. One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this poisoning by answering ARP requests for another computer’s IP address with his own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker’s MAC address listed as the MAC address that maps to the other computer’s IP address. As a result, both are sending to the attacker, placing him “in the middle.”
12. B. An advertisement would be publicly available.
13. A. The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.
14. B. Dynamic ARP inspection (DAI) is a security feature that intercepts all ARP requests and responses and compares each response’s MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table.
15. B. One of the issues with substitution ciphers is that if the message is of sufficient length, patterns in the encryption begin to become noticeable, which makes it vulnerable to a frequency attack. A frequency attack is when the attacker uses these recurring patterns to reverse engineer the message.
16. C. To calculate the number of keys that would be needed in this example, you would use the following formula:
number of users × (number of users – 1) / 2
Using our example, you would calculate 5 × (4) / 2 or 10 needed keys.
17. B. Asymmetric encryption is more expensive than symmetric, it is slower than symmetric, it is easier to crack than symmetric, and key compromise can occur less easily than with symmetric.
18. A. Only RC4 is a stream cipher.
19. B. Some modes of symmetric key algorithms use initialization vectors (IVs) to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms.
20. B. A router ID is not a part of the configuration.
21. C. Privilege levels allow you to assign a technician sets of activities that coincide with the level they have been assigned. There are 16 levels from 0 to 15.
22. B. The IOS Resilient Configuration feature can provide a way to easily recover from an attack on the configuration, and it can also help to recover from an even worse attack in which the attacker deletes not only the startup configuration but also the boot image.
23. B. A key chain can be used to hold multiple keys if required.
24. C. When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU to the one held by the current root bridge, the new switch assumes the position of root bridge.
25. A. Gratuitous ARP is called gratuitous because the ARP message sent is an answer to a question that the target never asks, and it causes the target to change its ARP cache.
26. C. The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise because in this condition the switch is basically operating as a hub and not a switch.
27. B. DHCP snooping is implemented on the switches in the network, so it is a Layer 2 solution. The switch ports on the switch are labeled either trusted or untrusted. Trusted ports are those that will allow a DHCP message to traverse.
28. C. Without executing this command the other commands will have no effect.
29. B. The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on access ports.
30. C. Spanning Tree Protocol (STP) prevents switching loops in redundant switching networks.
Chapter 1 Understanding Security Fundamentals
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
1.1 Common security principles
Describe confidentiality, integrity, availability (CIA)
Identify common security terms
Identify common network security zones
1.4 Describe network topologies
Campus area network (CAN)
Cloud, wide area network (WAN)
Data center
Small office/home office (SOHO)
Network security for a virtual environment
Securing a network is no easy task. Daily you probably hear about data disclosures and new network attacks. However, you are not defenseless. By properly implementing the security features available in Cisco routers, switches, and firewalls, you can reduce the risk of a security breach to a manageable level. This book is designed to help you understand the issues, identify your security options, and deploy those options in the correct manner. In the process, the book will prepare you for the Cisco CCNA Security certification, which validates the skills and knowledge required to secure a network using Cisco products.
In this chapter, you will learn the following:
Common security principles
Network topologies
Goals of Security
When you’re securing a network, several important security principles should guide your efforts. Every security measure you implement should contribute to the achievement of one of three goals. The three fundamentals of security are confidentiality, integrity, and availability (CIA), often referred to as the CIA triad.
Most security issues result in a violation of at least one facet of the CIA triad. Understanding these three security principles will help ensure that the security controls and mechanisms implemented protect at least one of these principles.
Every security control that is put into place by an organization fulfills at least one of the security principles of the CIA triad. Understanding how to circumvent these security principles is just as important as understanding how to provide them.
Confidentiality
To ensure confidentiality, you must prevent the disclosure of data or information to unauthorized entities. As part of confidentiality, the sensitivity level of data must be determined before putting any access controls in place. Data with a higher sensitivity level will have more access controls in place than data at a lower sensitivity level. Identification, authentication, and authorization can be used to maintain data confidentiality. Encryption is another popular example of a control that provides confidentiality.
Integrity
Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.
An access control list (ACL) is an example of a control that helps to provide integrity. Another example is the generation of hash values that can be used to validate data integrity.
Availability
Availability means ensuring that data is accessible when and where it is needed. Only individuals who need access to data should be allowed access to that data. The two main areas where availability is affected are
When attacks are carried out that disable or cripple a system.
When service loss occurs during and after disasters. Each system should be assessed on its criticality to organizational operations. Controls are implemented based on each system’s criticality level.
Fault-tolerant technologies, such as RAID or redundant sites, are examples of controls that help to improve availability.
Guiding Principles
When managing network security and access to resources, there are some proven principles that should guide your efforts. These concepts have stood the test of time because they contribute to supporting the CIA triad.
Least Privilege/Need-to-Know
The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task. Its main purpose is to ensure that users only have access to the resources they need and are authorized to perform only the tasks they need to perform. To properly implement the least privilege principle, organizations must identify all users’ jobs and restrict users only to the identified privileges.
The need-to-know principle is closely associated with the concept of least privilege. Although least privilege seeks to reduce access to a minimum, the need-to-know principle actually defines what the minimums for each job or business function are. Excessive privileges become a problem when a user has more rights, privileges, and permissions than he needs to do his job. Excessive privileges are hard to control in large environments.
A common implementation of the least privilege and need-to-know principles is when a systems administrator is issued both an administrative-level account and a normal user account. In most day-to-day functions, the administrator should use his normal user account. When the systems administrator needs to perform administrative-level tasks, he should use the administrative-level account. If the administrator uses his administrative-level account while performing routine tasks, he risks compromising the security of the system and user accountability.
Organizational rules that support the principle of least privilege include the following:
Keep the number of administrative accounts to a minimum.
Administrators should use normal user accounts when performing routine operations.
Permissions on tools that are likely to be used by attackers should be as restrictive as possible.
To more easily support the least privilege and need-to-know principles, users should be divided into groups to facilitate the confinement of information to a single group or area. This process is referred to as compartmentalization.
Default to No Access
During the authorization process, you should configure an organization’s access control mechanisms so that the default level of security is to default to no access. This means that if nothing has been specifically allowed for a user or group, then the user or group will not be able to access the resource. The best security approach is to start with no access and add rights based on a user’s need to know and least privilege needed to accomplish daily tasks.
Defense in Depth
A defense-in-depth strategy refers to the practice of using multiple layers of security between data and the resources on which it resides and possible attackers. The first layer of a good defense-in-depth strategy is appropriate access control strategies. Access controls exist in all areas of an information systems (IS) infrastructure (more commonly referred to as an IT infrastructure), but a defense-in-depth strategy goes beyond access control. It also considers software development security, cryptography, and physical security. Figure 1.1 shows an example of the defense-in-depth concept.
FIGURE 1.1 Defense in depth
Separation of Duties
Separation of duties is a preventive administrative control to keep in mind when designing an organization’s authentication and authorization policies. Separation of duties prevents fraud by distributing tasks and their associated rights and privileges between more than one user. It helps to deter fraud and collusion because when an organization implements adequate separation of duties, collusion between two or more personnel would be required to carry out fraud against the organization. A good example of separation of duties is authorizing one person to manage backup procedures and another to manage restore procedures.
Separation of duties is associated with dual controls and split knowledge. With dual controls, two or more users are authorized and required to perform certain functions. For example, a retail establishment might require two managers to open the safe. Split knowledge ensures that no single user has all the information to perform a particular task. An example of a split control is the military requiring two individuals to each enter a unique combination to authorize missile firing.
Separation of duties ensures that one person is not capable of compromising organizational security. Any activities that are identified as high risk should be divided into individual tasks, which can then be allocated to different personnel or departments.
Let’s look at an example of the violation of separation of duties. An organization’s internal audit department investigates a possible breach of security. One of the auditors interviews three employees.
A clerk who works in the accounts receivable office and is in charge of entering data into the finance system
An administrative assistant who works in the accounts payable office and is in charge of approving purchase orders
The finance department manager who can perform the functions of both the clerk and the administrative assistant
To avoid future security breaches, the auditor should suggest that the manager should only be able to review the data and approve purchase orders.
Job Rotation
From a security perspective, job rotation refers to the detective administrative control where multiple users are trained to perform the duties of a position to help prevent fraud by any individual employee. The idea is that by making multiple people familiar with the legitimate functions of the position, the likelihood increases that unusual activities by any one person will be noticed. Job rotation is often used in conjunction with mandatory vacations. Beyond the security aspects of job rotation, additional benefits include the following:
Trained backup in case of emergencies
Protection against fraud
Cross-training of employees
Mandatory Vacation
With mandatory vacations, all personnel are required to take time off, allowing other personnel to fill their positions while gone. This detective administrative control enhances the opportunity to discover unusual activity.
Some of the security benefits of using mandatory vacations include having the replacement employee do the following:
Run the same applications as the vacationing employee
Perform tasks in a different order from the vacationing employee
Perform the job from a different workstation than the vacationing employee
Replacement employees should avoid running scripts that were created by the vacationing employee. A replacement employee should either develop their own script or manually complete the tasks in the script.
Common Security Terms
The risk management process cannot be discussed without understanding some key terms used in risk management. Security professionals should become familiar with the following terms as they are used in risk management:
Assets include anything that is of value to the organization. Assets can be physical such as buildings, land, and computers, and they can be intangible such as data, plans, and recipes.
A vulnerability is an absence or weakness of a countermeasure that is in place. Vulnerabilities can occur in software, hardware, or personnel. An example of a vulnerability is unrestricted access to a folder on a computer. Most organizations implement a vulnerability assessment to identify vulnerabilities.
A threat is the next logical progression in risk management. A threat occurs when a vulnerability is identified or exploited. A threat would occur when an attacker identified the folder on the computer that has an inappropriate or absent ACL.
A threat agent is something that carries out a threat. Continuing with the example, the attacker who takes advantage of the inappropriate or absent ACL is the threat agent. Keep in mind, though, that threat agents can discover and/or exploit vulnerabilities. Not all threat agents will actually exploit an identified vulnerability.
A risk is the probability that a threat agent will exploit a vulnerability and the impact if the threat is carried out. The risk in the vulnerability example would be fairly high if the data residing in the folder is confidential. However, if the folder contains only public data, then the risk would be low. Identifying the potential impact of a risk often requires security professionals to enlist the help of subject-matter experts.
An exposure occurs when an organizational asset is exposed to losses. If the folder with the inappropriate or absent ACL is compromised by a threat agent, the organization is exposed to the possibility of data exposure and loss.
A countermeasure reduces the potential risk. Countermeasures are also referred to as safeguards or controls. Three things must be considered when implementing a countermeasure: vulnerability, threat, and risk. For this example, a good countermeasure would be to implement the appropriate ACL and to encrypt the data. The ACL protects the integrity of the data, and the encryption protects the confidentiality of the data.
Countermeasures or controls come in many categories and types. The categories and types of controls are discussed later in this chapter.
All the aforementioned security concepts work together in the relationship demonstrated in Figure 1.2.
FIGURE 1.2 Security cycle
Risk Management Process
The risk management process is composed of a series of operations in which the data from one operation feeds the next operation. According to NIST SP 800-30, common information-gathering techniques used in risk analysis include automated risk assessment tools, questionnaires, interviews, and policy document reviews. Keep in mind that multiple sources should be used to determine the risks to a single asset. NIST SP 800-30 identifies the following steps in the risk management process:
1. Identify the assets and their value.
2. Identify threats.
3. Identify vulnerabilities.
4. Determine likelihood.
5. Identify impact.
6. Determine risk as a combination of likelihood and impact.
The following sections include these processes and two additional ones that relate to the identification of countermeasures and cost-benefit analysis.
Asset Classification
The first step of any risk assessment is to identify the assets and determine the asset value, called asset classification. Assets are both tangible and intangible. Tangible assets include computers, facilities, supplies, and personnel. Intangible assets include intellectual property, data, and organizational reputation. The value of an asset should be considered in respect to the asset owner’s view. The following six considerations can be used to determine the asset’s value:
Value to owner
Work required to develop or obtain the asset
Costs to maintain the asset
Damage that would result if the asset were lost
Cost that competitors would pay for the asset
Penalties that would result if the asset was lost
After determining the value of the assets, you should determine the vulnerabilities and threats to each asset.
Data Assets
Data should be classified based on its value to the organization and its sensitivity to disclosure. Assigning a value to data allows an organization to determine the resources that should be used to protect the data. Resources that are used to protect data include personnel resources, monetary resources, access control resources, and so on. Classifying data allows you to apply different protective measures. Data classification is critical to all systems to protect the confidentiality, integrity, and availability of data.
After data is classified, the data can be segmented based on its level of protection needed. The classification levels ensure that data is handled and protected in the most cost-effective manner possible. An organization should determine the classification levels it uses based on the needs of the organization. Several commercial business and military and government information classifications are commonly used.
The information life cycle should also be based on the classification of the data. Organizations are required to retain certain information, particularly financial data, based on local, state, or government laws and regulations.
In this section, we will discuss the sensitivity and criticality of data, commercial business classifications, military and government classifications, information life cycle, database maintenance, and data audit.
SENSITIVITY AND CRITICALITY
Sensitivity is a measure of how freely the data can be handled. Some data requires special care and handling, especially when inappropriate handling could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals. Some data is also subject to regulation by state or federal laws and requires notification in the event of a disclosure.
Data is assigned a level of sensitivity based on who should have access to it and how much harm would be done if it were disclosed. This assignment of sensitivity is called data classification.
Criticality is a measure of the importance of the data. Data considered sensitive may not necessarily be considered critical. Assigning a level of criticality to a particular data set must take into consideration the answers to a few questions:
Will you be able to recover the data in case of disaster?
How long will it take to recover the data?
What is the effect of this downtime, including loss of public standing?
Data is considered essential when it is critical to the organization’s business. When essential data is not available, even for a brief period of time, or its integrity is questionable, the organization will be unable to function. Data is considered required when it is important to the organization, but organizational operations would continue for a predetermined period of time even if the data is not available. Data is nonessential if the organization is able to operate without it during extended periods of time.
Once the sensitivity and criticality of data is understood and documented, the organization should then work to create a data classification system. Most organizations will use either a commercial business classification system or a military and government classification system.
COMMERCIAL BUSINESS CLASSIFICATIONS
Commercial businesses usually classify data using four main classification levels, listed from highest sensitivity level to lowest:
1. Confidential
2. Private
3. Sensitive
4. Public
Data that is confidential includes trade secrets, intellectual data, application programming code, and other data that could seriously affect the organization if unauthorized disclosure occurred. Data at this level would be available only to personnel in the organization whose work relates to the data’s subject. Access to confidential data usually requires authorization for each access. Confidential data is exempt from disclosure under the Freedom of Information Act. In most cases, the only way for external entities to have authorized access to confidential data is as follows:
After signing a confidentiality agreement
When complying with a court order
As part of a government project or contract procurement agreement
Data that is private includes any information related to personnel, including human resource records, medical records, and salary information, that is used only within the organization. Data that is sensitive includes organizational financial information and requires extra measures to ensure its CIA and accuracy. Public data is data that would not cause a negative impact on the organization.
MILITARY AND GOVERNMENT CLASSIFICATIONS
Military and governmental entities usually classify data using five main classification levels, listed from highest sensitivity level to lowest:
1. Top secret
2. Secret
3. Confidential
4. Sensitive but unclassified
5. Unclassified
Data that is top secret includes weapon blueprints, technology specifications, spy satellite information, and other military information that could gravely damage national security if disclosed. Data that is secret includes deployment plans, missile placement, and other information that could seriously damage national security if disclosed. Data that is confidential includes patents, trade secrets, and other information that could seriously affect the government if unauthorized disclosure occurred. Data that is sensitive but unclassified includes medical or other personal data that might not cause serious damage to national security but could cause citizens to question the reputation of the government. Military and government information that does not fall into any of the other four categories is considered unclassified and usually has to be granted to the public based on the Freedom of Information Act.
OTHER CLASSIFICATION SYSTEMS
Another classification system created by the United Kingdom’s National Infrastructure Security Coordination Centre (NISCC, now Centre for Protection of National Infrastructure) and since adopted by the ISO/IEC as part of the Standard on Information security management for intersector and interorganizational communications and by CERT is the Traffic Light Protocol (TLP). This system uses traffic light colors to classify information assets. Table 1.1 shows the four colors and their meanings.
TABLE 1.1 TLP classifications

| Color | Meaning |
| --- | --- |
| Red | Shared only within a meeting |
| Amber | Shared only with those in the organization with a need to know |
| Green | Shared only within a community |
| White | No restriction but still subject to copyright rules |
Vulnerability Identification
When identifying vulnerabilities, the Common Vulnerability Scoring System and the Security Content Automation Protocol are standards used in this process. In this section, you’ll learn about these two methods for enumerating vulnerabilities in a common format.
Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardizes the nomenclature and formats used. A vendor of security automation products can obtain a validation against SCAP, demonstrating that its product will interoperate with other scanners and express the scan results in a standardized way.
Understanding the operation of SCAP requires an understanding of its components.
Common Configuration Enumeration (CCE) These are configuration best-practice statements maintained by NIST.
Common Platform Enumeration (CPE) These are methods for describing and classifying operating systems, applications, and hardware devices.
Common Weakness Enumeration (CWE) These are design flaws in the development of software that can lead to vulnerabilities.
Common Vulnerabilities and Exposures (CVE) These are vulnerabilities in published operating systems and application software.
The Common Vulnerability Scoring System (CVSS) is a system for ranking discovered vulnerabilities based on predefined metrics. This system ensures that the most critical vulnerabilities can be easily identified and addressed after a vulnerability test is completed. Scores are awarded on a scale of 0 to 10, with the values having the following ranks:
0: No issues
0.1 to 3.9: Low
4.0 to 6.9: Medium
7.0 to 8.9: High
9.0 to 10.0: Critical
CVSS is composed of three metric groups. These metric groups are described as follows:
Base includes characteristics of a vulnerability that are constant over time and user environments.
Temporal includes characteristics of a vulnerability that change over time but not among user environments.
Environmental includes characteristics of a vulnerability that are relevant and unique to a particular user’s environment.
The base metric group includes the following metrics:
Access vector (AV) describes how the attacker would exploit the vulnerability and has three possible values.
L stands for Local and means that the attacker must have physical or logical access to the affected system.
A stands for Adjacent network and means that the attacker must be on the local network.
N stands for Network and means that the attacker can exploit the vulnerability from any network.
Access complexity (AC) describes the difficulty of exploiting the vulnerability and has three possible values.
H stands for High and means that the vulnerability requires special conditions that are hard to find.
M stands for Medium and means that the vulnerability requires somewhat special conditions.
L stands for Low and means that the vulnerability does not require special conditions.
Authentication (Au) describes the authentication an attacker would need to get through to exploit the vulnerability and has three possible values.
M stands for Multiple and means that the attacker would need to get through two or more authentication mechanisms.
S stands for Single and means that the attacker would need to get through one authentication mechanism.
N stands for None and means that no authentication mechanisms are in place to stop the exploit of the vulnerability.
Availability (A) describes the disruption that might occur if the vulnerability is exploited and has three possible values.
N stands for None and means that there is no availability impact.
P stands for Partial and means that system performance is degraded.
C stands for Complete and means that the system is completely shut down.
Confidentiality (C) describes the information disclosure that may occur if the vulnerability is exploited and has three possible values.
N stands for None and means that there is no confidentiality impact.
P stands for Partial and means some access to information would occur.
C stands for Complete and means all information on the system could be compromised.
Integrity (I) describes the type of data alteration that might occur and has three possible values.
N stands for None and means that there is no integrity impact.
P stands for Partial and means some information modification would occur.
C stands for Complete and means all information on the system could be compromised.
The CVSS vector will look something like this:
CVSS2#AV:L/AC:H/Au:M/C:P/I:N/A:N
This vector is read as follows:
AV:L
Access Vector: L stands for Local and means that the attacker must have physical or logical access to the affected system.
AC:H
Access Complexity: H stands for High and means that the vulnerability requires special conditions that are hard to find.
Au:M
Authentication: M stands for Multiple and means that the attacker would need to get through two or more authentication mechanisms.
C:P
Confidentiality: P stands for Partial and means some access to information would occur.
I:N
Integrity: N stands for None and means that there is no integrity impact.
A:N
Availability: N stands for None and means that there is no availability impact.
Control Selection
Once the assets have been classified and their value determined and all vulnerabilities have been identified, controls or mitigations must be selected to address the vulnerabilities. This cannot be done until the level of risk associated with each vulnerability has been determined through one of two methods, qualitative and quantitative risk assessment.
Qualitative Risk Analysis
Qualitative risk analysis does not assign monetary and numeric values to all facets of the risk analysis process. Qualitative risk analysis techniques include intuition, experience, and best-practice techniques, such as brainstorming, focus groups, surveys, questionnaires, meetings, interviews, and Delphi. Although all of these techniques can be used, most organizations will determine the best technique (or techniques) based on the threats to be assessed. Experience and education on the threats are needed.
Each member of the group who has been chosen to participate in the qualitative risk analysis uses their experience to rank the likelihood of each threat and the damage that might result. After each group member ranks the threat possibility, loss potential, and safeguard advantage, data is combined in a report to present to management. All levels of staff should be represented as part of the qualitative risk analysis, but it is vital that some participants in this process have some expertise in risk analysis.
Quantitative Risk Analysis
A quantitative risk analysis assigns monetary and numeric values to all facets of the risk analysis process, including asset value, threat frequency, vulnerability severity, impact, safeguard costs, and so on. Equations are used to determine total and residual risks. The most common equations are for single loss expectancy (SLE) and annual loss expectancy (ALE).
The SLE is the monetary impact of each threat occurrence. To determine the SLE, you must know the asset value (AV) and the exposure factor (EF). The EF is the percent value or functionality of an asset that will be lost when a threat event occurs. The calculation for obtaining the SLE is as follows:
SLE = AV × EF
For example, an organization has a web server farm with an AV of $10,000. If the risk assessment has determined that a power failure is a threat agent for the web server farm and the exposure factor for a power failure is 25 percent, the SLE for this event equals $2,500.
The annual loss expectancy (ALE) is the expected risk factor of an annual threat event. To determine the ALE, you must know the SLE and the annualized rate of occurrence (ARO). The ARO is the estimate of how often a given threat might occur annually. The calculation for obtaining the ALE is as follows:
ALE = SLE × ARO
Using the previously mentioned example, if the risk assessment has determined that the ARO for the power failure of the web server farm is 50 percent, the ALE for this event equals $1,250.
Cost-Benefit Analysis
Using the ALE, the organization can decide whether to implement controls. If the annual cost of the control to protect the web server farm is more than the ALE, the organization could easily choose to accept the risk by not implementing the control. If the annual cost of the control to protect the web server farm is less than the ALE, the organization should consider implementing the control.
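As an added example (not from the study guide), the SLE and ALE equations and the cost-benefit rule above applied to a list of threat scenarios; the first scenario reproduces the web server farm figures from the text, and the other asset values, exposure factors and control costs are constructed.

```python
"""Quantitative risk figures (SLE, ALE) and the cost-benefit decision.

Added example, not from the study guide. Applies SLE = AV x EF and
ALE = SLE x ARO to threat scenarios, then compares each candidate control's
annual cost against the ALE as the Cost-Benefit Analysis section describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost per occurrence (0 to 1)
    aro: float              # ARO, expected occurrences per year


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: monetary impact of one occurrence of the threat."""
    if not 0 <= exposure_factor <= 1:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected annual loss from the threat."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def evaluate_control(scenario, annual_control_cost):
    """Return SLE, ALE and the decision rule from the text for one control.

    Assumption: when the control costs exactly the ALE, it is still worth
    considering (the text only covers the strictly more/less cases)."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    ale = annual_loss_expectancy(sle, scenario.aro)
    if annual_control_cost > ale:
        decision = "accept risk"            # control costs more than the expected loss
    else:
        decision = "consider implementing"  # control costs no more than the expected loss
    return {"sle": sle, "ale": ale, "control_cost": annual_control_cost, "decision": decision}


# Constructed scenarios paired with a candidate control's annual cost.
# The first two reuse the web server farm figures from the text.
SCENARIOS = [
    (Scenario("web server farm", "power failure", 10_000, 0.25, 0.5), 900.0),
    (Scenario("web server farm", "power failure", 10_000, 0.25, 0.5), 1_500.0),
    (Scenario("file server", "ransomware", 50_000, 0.60, 0.2), 4_000.0),
]

if __name__ == "__main__":
    for scenario, cost in SCENARIOS:
        r = evaluate_control(scenario, cost)
        print(f"{scenario.asset}/{scenario.threat}: SLE ${r['sle']:,.0f}, "
              f"ALE ${r['ale']:,.0f}, control ${cost:,.0f} -> {r['decision']}")
```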
Handling Risk
Risk reduction is the process of altering elements of the organization in response to risk analysis. After an organization understands its total and residual risk, it must determine how to handle the risk. The following four basic methods are used to handle risk:
Avoidance Terminating the activity that causes a risk or choosing an alternative that is not as risky
Transfer Passing the risk on to a third party, including insurance companies
Mitigation Defining the acceptable risk level the organization can tolerate and reducing the risk to that level
Acceptance Understanding and accepting the level of risk as well as the cost of damages that can occur
Network Topologies
Understanding the types of network topologies that you may see will help you appreciate some of the security measures called for in various scenarios. In this section, you’ll learn about some topologies that may exist in your organization.
CAN
The campus area network (CAN) comprises the part of the network where data, services, and connectivity to the outside world are provided to those who work in the corporate office or headquarters. It can be further subdivided into the following:
Enterprise core connects the enterprise campus and the intranet data center.
Enterprise campus includes the end devices and provides them access to the outside world and to the intranet data center through the enterprise core.
Intranet data center includes the data center where resources are made available to the enterprise campus and to branch offices through the enterprise core.
Figure 1.3 shows the components of the CAN. It includes two parts that are not part of the enterprise campus (WAN edge and Internet edge) that comprise the networks that are used to connect to the outside world.
FIGURE 1.3 Campus area network
Security issues in the enterprise core include the following:
Service disruptions (denial of service [DoS], distributed denial of service [DDoS])
Unauthorized access (intrusions, routing protocol attacks)
Data leaks and data modifications (packet sniffing, man in the middle [MITM] attacks)
Security issues in the enterprise campus include the following:
Service disruptions (botnets, malware, DoS)
Unauthorized access (intrusions, IP spoofing)
Data leaks and data modifications (packet sniffing, MITM attacks)
Identity theft and fraud (phishing, email spam)
Security issues in the intranet data center include the following:
Unauthorized access (device access, data access, privilege escalation)
Service disruptions (botnets, DoS)
Data leaks and data modifications (MITM, malware, scripting, SQL attacks)
WAN
The WAN connection of the organization is called the enterprise WAN edge in the Cisco network model. It is one of two modules that are used to connect the CAN to the outside world, the other being the enterprise Internet edge (shown in Figure 1.3). This comprises the provisioned WAN connections to other offices.
Security issues in the enterprise WAN edge include the following:
Malicious branch client activity (malware, Trojans, botnets)
Transmission threats (MITM, sniffing)
Infrastructure attacks (reconnaissance, DoS, service attacks)
Data Center
While the data center may be located in the campus area network, it may also be located in the cloud. The introduction of cloud environments brings many benefits, but they also bring security threats. These threats include the following:
Account or service hijacking
Data loss
Improper device hardening and patching
DoS attacks
Insecure APIs and user interfaces
Malicious provider insiders
Improper access from other tenants
SOHO
Many of today’s workers operate from home rather than in the main office or headquarters. Other users will be operating from smaller branch offices. When this is the case, the small office/home office (SOHO) network will connect to the main office via the WAN edge module in cases where the connection is provisioned and via the Internet edge module when the connection leverages the Internet (such as a VPN connection). These two edge modules were shown in Figure 1.3. Since this module interfaces with those two modules, the security issues in the SOHO network will be the same as those present in the Internet edge and WAN edge modules.
Virtual
Today’s data centers are increasingly moving to a virtual environment. When a virtual environment is present, it may reside in the campus data center, or it may reside in a cloud data center. Also, it is not unusual to find that the organization has both a physical data center and a virtual data center. Regardless of the exact configuration, there are challenges to securing a virtual environment.
In a virtual environment there are two traffic pathways, one that is used within the virtual environment and one used between the virtual environment and the physical environment. Physical security devices cannot be used to enforce security on the traffic that never leaves a physical host (traffic between VMs located on the same host) or on traffic that never leaves the virtual environment (traffic between VMs on different hosts). The solution is the deployment of virtual security devices such as the Cisco ASAv firewall, the Cisco CSR 1000v router, and the Cisco Nexus 1000v switch.
Common Network Security Zones
One of the most basic design principles for a secure network calls for creating security zones. These are logical divisions of the network with access controls applied to control traffic between the zones. By organizing resources in these zones and applying the proper access controls, you can reduce the possibility that unauthorized access to data is allowed. In this section, you’ll explore four common security zones.
DMZ
A demilitarized zone (DMZ) is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network. You can still access the server using your network, but others aren’t able to access further network resources. This can be accomplished using firewalls to isolate your network.
When establishing a DMZ, you assume that the person accessing the resource isn’t necessarily someone you would trust with other information. By keeping the rest of the network from being visible to external users, this lowers the threat of intrusion in the internal network.
Any time you want to separate public information from private information, a DMZ is an acceptable option.
The easiest way to create a DMZ is to use a firewall that can transmit in these three directions:
To the internal network
To the external world (Internet)
To the public information you’re sharing (the DMZ)
From there, you can decide what traffic goes where; for example, HTTP traffic would be sent to the DMZ, and email would go to the internal network.
Intranet and Extranet
While DMZs are often used to make assets publicly available, extranets are used to make data available to a smaller set of the public—for example, a partner organization. Intranet is a term to describe the interior LAN; an extranet is a network logically separate from the intranet, the Internet, and the DMZ (if both exist in the design), where resources that will be accessed from the outside world are made available. Access may be granted to customers, business partners, and the public in general. All traffic between this network and the intranet should be closely monitored and securely controlled. Nothing of a sensitive nature should be placed in the extranet.
Public and Private
The purpose of creating security zones such as DMZs is to separate sensitive assets from those that require less protection. Because the goals of security and of performance and ease of use are typically mutually exclusive, not all networks should have the same levels of security.
Information that is of a public nature, or that you otherwise deem not to be of a sensitive nature, can be located in any of the zones you create. However, you should ensure that private corporate data and especially personally identifiable information (PII)—information that can be used to identify an employee or customer and perhaps steal their identity—is located only in secure zones and never in the DMZ or the extranet.
VLAN
Network security zones can also be created at layer 2. Virtual local area networks (VLANs) are logical subdivisions of a switch that segregate ports from one another as if they were in different LANs. VLANs offer another way to add a layer of separation between sensitive devices and the rest of the network. For example, if only one device should be able to connect to the finance server, the device and the finance server could be placed in a VLAN separate from the other VLANs. As traffic between VLANs can occur only through a router, ACLs can be used to control the traffic allowed between VLANs.
These VLANs can also span multiple switches, meaning that devices connected to switches in different parts of a network can be placed in the same VLAN regardless of physical location.
Summary
This chapter covered common security principles such as the CIA triad, the goals of which should guide all security initiatives. It also discussed common security terms such as risk, vulnerability, and threat, as well as the proper application of common security zones, such as intranet, DMZ, and extranets. This chapter also discussed network topologies as seen from the perspective of the Cisco campus area network. Finally, the chapter discussed other methods of network segmentation such as VLANs.
Exam Essentials
Describe the CIA triad. Every security measure you implement should contribute to the achievement of one of three goals. The three fundamentals of security are confidentiality, integrity, and availability (CIA), often referred to as the CIA triad.
Define important security terms. Security professionals should become familiar with terms such as assets, vulnerabilities, threats, threat agent, risk, exposure, and countermeasures.
Identify common security zones. Describe intranet, extranet, DMZ, and the Internet. Explain their proper use.
Describe common network topologies. Explain various topologies as seen from the perspective of the Cisco campus area network such as the enterprise core, enterprise campus, intranet data center, WAN edge, and Internet edge. Describe the common security issues found in each.
Review Questions
1. Which of the following is not one of the CIA triad?
A. Confidentiality
B. Integrity
C. Availability
D. Accountability
2. Which of the following requires that a user or process is given only the minimum access privilege needed to perform a particular task?
A. Least privilege
B. Separation of duties
C. Job rotation
D. Mandatory vacation
3. Which of the following occurs when a vulnerability is identified or exploited?
A. Risk
B. Threat
C. Exposure
D. Countermeasure
4. According to NIST SP 800-30, what is the first step in the risk management process?
A. Identify threats
B. Identify impact
C. Identify vulnerabilities
D. Identify the assets and their value
5. Which of the following is a measure of how freely data can be handled?
A. Criticality
B. Sensitivity
C. Integrity
D. Value
6. Which of the following is not a typical commercial data classification level?
A. Sensitive
B. Confidential
C. Secret
D. Public
7. Which of the following represents data shared only within a meeting in the TLP system?
A. Amber
B. White
C. Red
D. Green
8. Which of the following is a standard used by the security automation community used to enumerate software flaws and configuration issues?
A. TLP
B. CIA
C. SCAP
D. CAN
9. Which of the following is not a metric group in the Common Vulnerability Scoring System?
A. Base
B. Access vector
C. Temporal
D. Environmental
10. Which of the following is the monetary impact of each threat occurrence?
A. ALE
B. AV
C. ARO
D. SLE
11. Which method of handling risk involves defining the acceptable risk level the organization can tolerate and reducing the risk to that level?
A. Avoidance
B. Mitigation
C. Acceptance
D. Transfer
12. What part of the campus area network includes the end devices and provides them with access to the outside world and to the intranet data center through the enterprise core?
A. Intranet data center
B. Enterprise campus
C. Enterprise core
D. Enterprise WAN edge
13. Which of the following is an area where you can place a public server for access by anyone?
A. Intranet
B. DMZ
C. Internet
D. Extranet
14. Which of the following is a logical subdivision of a switch that segregates ports from one another?
A. VLAN
B. VPN
C. DMZ
D. STP
15. Which of the following refers to the data being unaltered by unauthorized individuals?
A. Confidentiality
B. Integrity
C. Availability
D. Accountability
16. Which of the following refers to the practice of using multiple layers of security between data and the resources on which it resides and possible attackers?
A. Default to no access
B. Defense in depth
C. Separation of duties
D. Job rotation
17. Which of the following is the probability that a threat agent will exploit a vulnerability and the impact if the threat is carried out?
A. Risk
B. Threat
C. Exposure
D. Countermeasure
18. Which of the following is a system that uses traffic light colors to classify information assets?
A. DLP
B. VLAN
C. TLP
D. VTP
19. Which component of SCAP refers to vulnerabilities in published operating systems and application software?
A. CWE
B. CVE
C. CCE
D. CPE
20. Which of the following is the percent value or functionality of an asset that will be lost when a threat event occurs?
A. SLE
B. AV
C. EF
D. ALE
Chapter 2
Understanding Security Threats
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
1.2 Common security threats
Identify common network attacks
Describe social engineering
Identify malware
Classify the vectors of data loss/exfiltration
To secure a network, you must have a clear understanding of the threats that the network faces. These threats come from all sorts of sources and have a variety of goals. In this chapter, you will continue your investigation of common security threats and their associated threat vectors.
In this chapter, you will learn the following:
Common security threats
Common Network Attacks
While new attacks and new motivations for those attacks seem to be arriving almost daily, there are some common attacks and common motivations for those attacks. In this chapter, you’ll first learn about common motivations for attacks and common attack vectors that are simply various ways in which the attacks are implemented. Following that, you’ll learn about some specific attacks that are quite common.
Motivations
Hackers hack for many different reasons. When you really get down to it, they want one of four things:
Financial gain
Disruption
Geopolitical change
Notoriety
The Federal Bureau of Investigation (FBI) has identified three categories of threat actors.
Organized crime groups primarily threatening the financial services sector and expanding the scope of their attacks
State sponsors, usually foreign governments, interested in pilfering data, including intellectual property and research and development data from major manufacturers, government agencies, and defense contractors
Terrorist groups that want to impact countries by using the Internet and other networks to disrupt or harm the viability of our way of life by damaging our critical infrastructure
While there are other less organized groups out there, these three groups are considered to be the primary threat actors by law enforcement. However, organizations should not totally disregard the threat of any threat actors that fall outside these three categories. Lone actors or smaller groups that use hacking as a means to discover and exploit any discovered vulnerability can cause damage just like the larger, more organized groups.
Hacktivists This includes those who hack not for personal gain but to further a cause. An example is the Anonymous group that hacks from time to time for various political reasons.
Thrill hackers These guys do it for the notoriety. They deface websites and brag about their conquests to their fellow thrill hackers on websites where they share tools and methods.
Hacker and cracker are two terms that are often used interchangeably in media but do not actually have the same meaning. Hackers are individuals who attempt to break into secure systems to obtain knowledge about the systems and possibly use that knowledge to carry out pranks or commit crimes. Crackers, on the other hand, are individuals who attempt to break into secure systems without using the knowledge gained for any nefarious purposes.
In the security world, the terms white hat, gray hat, and black hat are more easily understood and less often confused than the terms hackers and crackers. A white hat does not have any malicious intent. A black hat has malicious intent. A gray hat is considered somewhere in the middle of the two. A gray hat will break into a system, notify the administrator of the security hole, and offer to fix the security issues for a fee.
Classifying Attack Vectors
After assets have been classified with regard to sensitivity and criticality (see Chapter 1), the next step is to identify threats. When determining vulnerabilities and threats to an asset, considering the threat agents first is often easiest. Threat agents can be grouped into the following six categories:
Human includes both malicious and nonmalicious insiders and outsiders, terrorists, spies, and terminated personnel.
Natural includes floods, fires, tornadoes, hurricanes, earthquakes, or other natural disasters or weather events.
Technical includes hardware and software failure, malicious code, and new technologies.
Physical includes CCTV issues, perimeter measures failure, and biometric failure.
Operational includes any process or procedure that can affect CIA.
Examples of the threat actors include both internal and external actors and include the following:
Internal actors
Reckless employee
Untrained employee
Partner
Disgruntled employee
Internal spy
Government spy
Vendor
Thief
External actors
Anarchist
Competitor
Corrupt government official
Data miner
Government cyberwarrior
Irrational individual
Legal adversary
Mobster
Activist
Terrorist
Vandal
Spoofing
Spoofing, also referred to as masquerading, occurs when communication from an attacker appears to come from trusted sources. The goal of this type of attack is to obtain access by pretending to be that trusted source. Spoofing can be attempted based on the following:
IP addresses
MAC addresses
Email addresses
Let’s look at each one of these types of spoofing.
IP Address Spoofing
IP address spoofing is one of the techniques used by hackers to hide their trail or to masquerade as another computer. The hacker alters the IP address as it appears in the packet. This can sometimes allow the packet to get through an ACL that is based on IP addresses. It also can be used to make a connection to a system that trusts only certain IP addresses or ranges of IP addresses.
MAC Address Spoofing
MAC addresses can also be spoofed and used to get through MAC address filters. These filters are typically applied to control access to wireless access points at layer 2. Spoofed MAC addresses can also be used to impersonate another device connected to the same switch. In that scenario, it enables the impersonating device to receive traffic intended for the legitimate device. In Chapters 4 and 5 you will learn about methods to prevent these switch-based attacks.
Email Spoofing
Email spoofing is the process of sending an email that appears to come from one source when it really comes from another. It is made possible by altering the fields of email headers such as From, Return-Path, and Reply-To. Its purpose is to convince the receiver to trust the message and reply to it with some sensitive information that the receiver would not have shared unless it was a trusted message.
Often this is one step in an attack designed to harvest usernames and passwords for banking or financial sites. This attack can be mitigated in several ways. One is SMTP authentication, which, when enabled, disallows the sending of an email by a user who cannot authenticate with the sending server.
Another possible mitigation technique is to implement the Sender Policy Framework (SPF). SPF is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator. If it can’t be validated, it is not delivered to the recipient’s box.
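As an added example (not from the study guide), a minimal, offline SPF check of the kind the paragraph above describes: the connecting server's IP is tested against the sending domain's SPF record. The SPF records are constructed samples held in a dictionary that stands in for the DNS TXT lookup, and only the ip4, ip6 and all mechanisms are handled, so include, a and mx are assumed out of scope here.

```python
"""Minimal SPF evaluation against a published record (added example, not from the study guide).

Stands in the DNS lookup with a constructed dictionary of records and handles the
ip4, ip6 and all mechanisms with the +, -, ~ and ? qualifiers. include/a/mx are not
handled, which is an assumption made to keep the example offline and short.
"""
import ipaddress

# Constructed stand-in for DNS TXT records: domain -> SPF record (None = none published).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.7 ~all",
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS):
    """Return pass/fail/softfail/neutral/none for sender_ip sending as domain."""
    record = records.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF policy published: the sender cannot be validated
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"              # a mechanism with no qualifier means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # catch-all term decides anything unmatched
        if mech in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # other mechanisms (include, a, mx, ...) are not handled in this example
    return "neutral"  # no mechanism matched and no all term present


def should_deliver(result):
    """Delivery policy. Assumption for this example: only an explicit fail blocks
    delivery; softfail, neutral and none are accepted but would be flagged for
    further filtering in a real mail gateway."""
    return result != "fail"
```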
Password Attacks
A password attack is one that attempts to discover user passwords. The two most popular password threats are dictionary attacks and brute-force attacks.
The best countermeasures against password threats are to implement complex password policies, require users to change passwords on a regular basis, employ account lockout policies, encrypt password files, and use password-cracking tools to discover weak passwords.
Dictionary Attack
A dictionary attack occurs when attackers use a dictionary of common words to discover passwords. An automated program uses the hash of the dictionary word and compares this hash value to entries in the system password file. Although the program comes with a dictionary, attackers also use extra dictionaries that are found on the Internet.
You should implement a security rule that says that a password must not be a word found in the dictionary to protect against these attacks.
Brute-Force Attack
Brute-force attacks are more difficult to carry out because they work through all possible combinations of numbers and characters. A brute-force attack is also referred to as an exhaustive attack. It carries out password searches until a correct password is found. These attacks are also very time-consuming.
Reconnaissance Attacks
Reconnaissance attacks are carried out to gather information about the organizational network as a prelude to a larger attack. It is also sometimes called fingerprinting the network. It is the first step that a penetration tester will take because it mimics the first step of a real attacker. There are several ways in which information can be gathered about the network topology. Let’s take a look at the three most common.
Ping Scans
Ping scans involve identifying the live hosts on a network or in a domain namespace. Nmap and other scanning tools (ScanLine, SuperScan) can be used for this. It records responses to pings sent to every address in the network. It can also be combined with a port scan by using the proper arguments to the command.
To execute this scan from nmap, the command is nmap -sP 192.168.0.0-100 (0-100 is the range of IP addresses to be scanned in the 192.168.0.0 network). Figure 2.1 shows an example of the output. All devices that are on will be listed. For each, the MAC address will also be listed.
FIGURE 2.1 Ping scan with nmap
Port Scans
As operating systems have well-known vulnerabilities, so do common services. By determining the services that are running on a system, the attacker also discovers potential vulnerabilities of the service of which he may attempt to take advantage. This is typically done with port scans in which all “open” or “listening” ports are identified. Once again, the lion’s share of these issues will have been mitigated with the proper security patches, but that is not always the case, and it is not uncommon for security analysts to find that systems that are running vulnerable services are missing the relevant security patches. Consequently, when performing service discovery, patches should be checked on systems found to have open ports. It is also advisable to close any ports not required for the system to do its job.
Nmap is one of the most popular port scanning tools used today. By performing scans with certain flags set in the scan packets, security analysts (and hackers) can make certain assumptions based on the responses received. These flags are used to control the TCP connection process, so they are present only in TCP packets. Figure 2.2 shows a TCP header. The flags of which I speak are circled. Normally the flags that are “turned on” will be set as a result of the normal TCP process, but a hacker can craft packets with whichever flags the hacker desires.
FIGURE 2.2 TCP header
These are the flags shown:
URG: Urgent pointer field significant
ACK: Acknowledgment field significant
PSH: Push function
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: No more data from sender
Nmap exploits these weaknesses with three scan types.
A NULL scan is a series of TCP packets that contain a sequence number of 0 and no set flags. Because the NULL scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags. When this packet is sent, these responses are possible:
No response: The port is open on the target.
RST: The port is closed on the target.
Figure 2.3 shows the result of this scan using the command nmap -sN. In this case, nmap is unable to determine whether the port is open or closed because there was no response, and no response could mean either that the port is open or that the firewall is blocking the port. That’s why they are listed as open/filtered.
A FIN scan sends packets with only the FIN bit set. When this packet is sent, these responses are possible:
No response: The port is open on the target.
RST/ACK: The port is closed on the target.
The following is sample output of this scan using the command nmap -sF. I added -v for verbose output. Again, in this case, nmap is unable to determine whether the port is open or closed because there was no response, and no response could mean either that the port is open or that the firewall is blocking the port. That’s why they are listed as open/filtered.
FIGURE 2.3 NULL scan
# nmap -sF -v 192.168.0.7
Starting nmap 3.81 at 2016-01-23 21:17 EDT
Initiating FIN Scan against 192.168.0.7 [1663 ports] at 21:17
The FIN Scan took 1.51s to scan 1663 total ports.
Host 192.168.0.7 appears to be up ... good.
Interesting ports on 192.168.0.7:
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
79/tcp   open|filtered finger
110/tcp  open|filtered pop3
111/tcp  open|filtered rpcbind
514/tcp  open|filtered shell
886/tcp  open|filtered unknown
2049/tcp open|filtered nfs
MAC Address: 00:03:47:6D:28:D7 (Intel)
Nmap finished: 1 IP address (1 host up) scanned in 2.276 seconds
Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)
An XMAS scan sets the FIN, PSH, and URG flags. When this packet is sent, these responses are possible:
No response: The port is open on the target.
RST: The port is closed on the target.
Figure 2.4 shows the result of this scan using the command nmap -sX. In this case, there was no response, so nmap cannot determine whether the port is open or whether the firewall is silently blocking the probe. That’s why the ports are listed as open|filtered.
FIGURE 2.4 XMAS scan
These three scans (NULL, FIN, and XMAS) all serve the same purpose (to discover open ports and ports blocked by a firewall) and differ only in the flags set and the switch used. While there are many more scan types and attacks that can be launched with this tool, these scan types are commonly used during environmental reconnaissance testing to discover what the hacker might discover before the hacker does, and to take steps to close any gaps in security.
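The flag combinations above are exactly what an intrusion detection rule looks for when it reports a NULL, FIN, or XMAS scan. The following is an added example, not code from the book: it unpacks the fixed TCP header, reads the six flag bits, and names the probe type. The sample packets are constructed in the block; the builder assumes a 20-byte header with no options.

```python
"""Classify TCP probe packets by their flag bits, the way an IDS rule for
NULL/FIN/XMAS scans would.  Added example; the packets below are constructed."""
import struct

# Flag bit values in the low 6 bits of the offset/flags word (RFC 793 order).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

def parse_tcp_header(raw: bytes) -> dict:
    """Unpack the fixed 20-byte TCP header and return the fields of interest."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, offset_flags = struct.unpack("!HHIIH", raw[:14])
    flags = offset_flags & 0x003F   # low 6 bits: URG ACK PSH RST SYN FIN
    return {"src": src, "dst": dst, "seq": seq, "flags": flags,
            "names": [FLAG_NAMES[b] for b in sorted(FLAG_NAMES) if flags & b]}

def classify_probe(flags: int) -> str:
    """Name the scan type whose probe carries exactly these flags."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == SYN:
        return "SYN"          # ordinary connection attempt or half-open scan
    return "other"

def build_tcp_header(src: int, dst: int, seq: int, flags: int) -> bytes:
    """Constructed sample packet: data offset 5 (20-byte header), no options."""
    offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", src, dst, seq, 0, offset_flags, 8192, 0, 0)

def scan_types_seen(packets) -> dict:
    """Count probe types; a burst of NULL/FIN/XMAS probes to many ports is the signature."""
    counts = {}
    for raw in packets:
        kind = classify_probe(parse_tcp_header(raw)["flags"])
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed probes against a few ports plus one normal SYN (sequence 0 on the NULL probes).
SAMPLE = [
    build_tcp_header(40000, 21, 0, 0),
    build_tcp_header(40000, 22, 0, 0),
    build_tcp_header(40001, 23, 12345, FIN),
    build_tcp_header(40002, 79, 12345, FIN | PSH | URG),
    build_tcp_header(40003, 443, 99999, SYN),
]
```

Feed `scan_types_seen` the TCP headers captured on a sensor and the counts separate stealth probes from ordinary traffic; a real rule would also rate-limit by source and destination port count.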
OS Fingerprinting
Operating system fingerprinting is simply the process of using some method to determine the operating system running on a host or a server. Its value to the hacker is that by identifying the OS version and build number, common vulnerabilities of that operating system can be identified using readily available documentation from the Internet. While many of the issues will have been addressed in subsequent service packs and hotfixes, there might be zero-day weaknesses (those that have not been widely publicized or addressed by the vendor) the hacker may be able to leverage in the attack. Moreover, if any of the relevant security patches have not been applied, the weaknesses the patch was intended to address will exist on the machine. Therefore, the purpose of attempting OS fingerprinting during an assessment is to assess the relative ease with which it can be done and to identify methods to make it more difficult.
Buffer Overflow
Buffers are portions of system memory that are used to store information. A buffer overflow is an attack that occurs when the amount of data that is submitted to a buffer is larger than the buffer can handle. Typically, this type of attack is possible because of poorly written application or operating system code. This can result in an injection of malicious code, primarily either a denial-of-service attack or a SQL injection.
To protect against this issue, organizations should ensure that all operating systems and applications are updated with the latest service packs and patches. In addition, programmers should properly test all applications to check for overflow conditions. Hackers can take advantage of this phenomenon by submitting too much data, which can cause an error or, in some cases, execute commands on the machine if the hacker can locate an area where commands can be executed. Not all attacks are designed to execute commands. An attack may just lock the computer, as in a DoS attack.
With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten. The key to preventing many buffer overflow attacks is input validation, in which any input is checked for format and length before it is used. Buffer overflows and boundary errors (when input exceeds the boundaries allotted for the input) are a family of error conditions called input validation errors.
DoS
A denial-of-service (DoS) attack occurs when attackers flood a device with enough requests to degrade the performance of the targeted device. Some popular DoS attacks include SYN floods, pings of death, and smurf attacks. Let’s explore how these attacks work.
TCP SYN Flood
To understand a TCP SYN flood attack, you must understand the three-way TCP handshake, which occurs whenever a TCP connection is made. Figure 2.5 displays the process.
FIGURE 2.5 TCP handshake
One important fact not evident in the figure is that when the recipient of the initial SYN packet receives that packet and responds by sending a SYN/ACK packet, it will reserve a small piece of memory for the expected response (ACK). In the attack, the attacker sends thousands of these SYN packets and never answers the SYN/ACK packets with an ACK packet. At some point, the recipient will fill up its memory, reserving space for the responses that never come. Then the target will be unable to accept new connections, and that is the denial of service. Figure 2.6 shows the attack. At the point in the diagram where it says TCP Queue Full, the target memory is full.
FIGURE 2.6 SYN flood
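The queue the figure labels "TCP Queue Full" can be modelled directly, which is also how a connection-tracking sensor detects the flood: count handshakes that never complete, per source. The following is an added example, not from the book, run over constructed log lines; the `backlog` value and the log format are assumptions for the example.

```python
"""Model the half-open (SYN_RECV) queue a TCP listener keeps during the
three-way handshake and flag a SYN flood when it fills.  Added example
over constructed log lines, not from the original text."""
from collections import OrderedDict

# Constructed connection-tracking log: time, client, server, TCP flag seen.
LOG = """\
21:17:01 10.0.0.5:40001 -> 192.168.0.7:80 SYN
21:17:01 10.0.0.5:40001 -> 192.168.0.7:80 ACK
21:17:02 203.0.113.9:1001 -> 192.168.0.7:80 SYN
21:17:02 203.0.113.9:1002 -> 192.168.0.7:80 SYN
21:17:02 203.0.113.9:1003 -> 192.168.0.7:80 SYN
21:17:02 203.0.113.9:1004 -> 192.168.0.7:80 SYN
21:17:03 10.0.0.6:40002 -> 192.168.0.7:80 SYN
21:17:03 10.0.0.6:40002 -> 192.168.0.7:80 ACK
"""

class HalfOpenQueue:
    """Each unanswered SYN reserves one slot; the final ACK frees it."""
    def __init__(self, backlog: int):
        self.backlog = backlog
        self.pending = OrderedDict()  # client endpoint -> time of its SYN
        self.dropped = 0

    def on_syn(self, client: str, when: str) -> bool:
        if len(self.pending) >= self.backlog:
            self.dropped += 1          # queue full: legitimate clients are refused
            return False
        self.pending[client] = when
        return True

    def on_ack(self, client: str) -> None:
        self.pending.pop(client, None)  # handshake complete, slot released

def replay(log: str, backlog: int) -> dict:
    """Replay the log; report queue state and incomplete handshakes per source IP."""
    q = HalfOpenQueue(backlog)
    incomplete = {}
    for line in log.splitlines():
        when, client, _, _server, flag = line.split()
        src_ip = client.rsplit(":", 1)[0]
        if flag == "SYN":
            q.on_syn(client, when)
            incomplete[src_ip] = incomplete.get(src_ip, 0) + 1
        elif flag == "ACK":
            q.on_ack(client)
            incomplete[src_ip] = incomplete.get(src_ip, 0) - 1
    return {"pending": len(q.pending), "dropped": q.dropped,
            "incomplete_by_source": incomplete,
            "queue_full": len(q.pending) >= backlog}

def suspected_flood_sources(report: dict, threshold: int) -> list:
    """Sources holding at least `threshold` handshakes open without finishing them."""
    return sorted(ip for ip, n in report["incomplete_by_source"].items() if n >= threshold)
```

With a backlog of 4 the four unanswered SYNs from 203.0.113.9 fill the queue and the legitimate client 10.0.0.6 is dropped; SYN cookies and a larger backlog are the usual mitigations, and the per-source count is the detection signal.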
Ping of Death
A ping of death is when an oversized ICMP packet is sent to the target. The maximum allowable IP packet size is 65,535 bytes, including the packet header, which is typically 20 bytes. An ICMP echo request is an IP packet with a pseudo header, which is 8 bytes. Therefore, the maximum allowable size of the data area of an ICMP echo request is 65,507 bytes (65,535 – 20 – 8 = 65,507).
A grossly oversized ICMP packet can trigger a range of adverse system reactions such as DoS, crashing, freezing, and rebooting. Figure 2.7 shows such a packet. The packet will be fragmented en route, and when the target attempts to reassemble the packet, it will crash some systems.
FIGURE 2.7 Ping-of-death packet
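The defence the text implies is a bound check at reassembly time: each fragment is legal on its own, and only the sum of fragment offset and payload length reveals that the whole datagram would exceed 65,535 bytes. The following is an added example, not from the book, with constructed fragment lists; it carries the text's 65,535 – 20 – 8 arithmetic through and generalizes to any fragment layout.

```python
"""Reassembly bound check for IP fragments.  A ping of death works because the
fragments individually look legal but the reassembled datagram would exceed
65,535 bytes.  Added example with constructed fragments, not from the text."""

MAX_IP_DATAGRAM = 65535       # IP total-length field is 16 bits
IP_HEADER = 20
ICMP_HEADER = 8
MAX_ECHO_DATA = MAX_IP_DATAGRAM - IP_HEADER - ICMP_HEADER   # 65,507 as in the text

def fragment_end(offset_units: int, payload_len: int) -> int:
    """Byte offset just past this fragment; the IP fragment offset counts 8-byte units."""
    return offset_units * 8 + payload_len

def check_reassembly(fragments) -> dict:
    """fragments: (offset_units, payload_len, more_fragments) for one datagram id.
    Returns the reassembled payload size and whether the datagram must be rejected."""
    highest_end = 0
    for offset_units, payload_len, more in fragments:
        highest_end = max(highest_end, fragment_end(offset_units, payload_len))
        if more and payload_len % 8 != 0:
            return {"ok": False, "reason": "non-final fragment not a multiple of 8 bytes",
                    "payload": highest_end}
    total = IP_HEADER + highest_end
    if total > MAX_IP_DATAGRAM:
        return {"ok": False, "reason": f"reassembled datagram {total} > {MAX_IP_DATAGRAM}",
                "payload": highest_end}
    return {"ok": True, "reason": "", "payload": highest_end}

def make_fragments(payload_len: int, mtu: int = 1500):
    """Constructed sender: split `payload_len` bytes of IP payload along an MTU."""
    chunk = (mtu - IP_HEADER) // 8 * 8           # 1480 bytes per fragment at MTU 1500
    frags, offset = [], 0
    while offset < payload_len:
        size = min(chunk, payload_len - offset)
        more = offset + size < payload_len
        frags.append((offset // 8, size, more))
        offset += size
    return frags

# A legal maximum-size echo request and one that is one byte too large (constructed).
LEGAL = make_fragments(ICMP_HEADER + MAX_ECHO_DATA)        # 65,515 bytes of IP payload
OVERSIZED = make_fragments(ICMP_HEADER + MAX_ECHO_DATA + 1)
```

A reassembly buffer sized to 65,535 bytes plus this check is what modern stacks do; the last fragment's offset alone (8,189 units is already past 65,512 bytes) is enough to reject the classic case.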
DDoS
A distributed DoS (DDoS) attack is a DoS attack that is carried out from multiple attack locations. Vulnerable devices are infected with software agents, called zombies. This turns the vulnerable devices into botnets, which then carry out the attack.
Because of the distributed nature of the attack, identifying all the attacking botnets is virtually impossible. The botnets also help to hide the original source of the attack. These attacks can be direct, reflected, and amplified. Let’s look at examples of each.
Direct DDoS
In a direct DDoS attack, the attacker launches the attack by sending the attack signal to the handlers, which in turn signal the zombies to attack, as shown in Figure 2.8. The attack is greatly amplified by the use of the zombies. So, a direct attack is also an amplified attack.
FIGURE 2.8 Direct DDoS
Reflection
In a reflected DDoS attack, the attack is bounced off a large number of devices without actually recruiting the devices as zombies. A good example of the reflection type of DDoS is the smurf attack. In the smurf attack, the attacker sends an ICMP packet to the broadcast address of the network in which the target resides. However, the hacker creates this ICMP packet with a spoofed source address, and that spoofed address is that of the target. When every device in the network answers the ping requests, the answers will go to the target. Typically, the hacker will set the number of pings to a very high number so that this continues for some time and uses all the resources of the web server, as shown in Figure 2.9.
FIGURE 2.9 Smurf attack
Man-in-the-Middle Attack
A man-in-the-middle (MITM) attack is when an active attacker listens to the communication between two communicators and changes the contents of this communication. While performing this attack, the attacker pretends to be one of the parties to the other party. The most common type of MITM attack is done at layer 2 and uses the technique described in the next attack to pollute the ARP cache of the targets.
ARP Poisoning
One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this ARP poisoning by answering ARP requests for another computer’s IP address with their own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker’s MAC address listed as the MAC address that maps to the other computer’s IP address. As a result, both are sending to the attacker, placing the attacker “in the middle.”
Two mitigation techniques are available for preventing ARP poisoning on a Cisco switch.
Dynamic ARP Inspection (DAI)
This security feature intercepts all ARP requests and responses and compares each response’s MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table. This table is built by also monitoring all DHCP requests for IP addresses and maintaining the mapping of each resulting IP address to a MAC address (which is part of DHCP snooping). If an incorrect mapping is attempted, the switch rejects the packet.
DHCP Snooping
The main purpose of DHCP snooping is to prevent a poisoning attack on the DHCP database. This is not a switch attack per se, but one of its features can support DAI. It creates a mapping of IP addresses to MAC addresses from a trusted DHCP server that can be used in the validation process of DAI.
You must implement both DAI and DHCP snooping because DAI depends on DHCP snooping. Both configurations will be covered in Chapter 6.
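The two features fit together as a table and a lookup: DHCP snooping fills the binding table from DHCPACKs seen on trusted ports, and DAI checks every ARP packet on an untrusted port against it. The following is an added example in Python, not Cisco's implementation and not code from the book; the event fields, port names, and VLAN numbers are constructed for the example, and the switch configuration itself is left to Chapter 6.

```python
"""Dynamic ARP Inspection in miniature: a binding table learned from DHCP
snooping and a check that drops ARP packets whose sender MAC/IP pair does not
match it.  Added example over constructed events; not Cisco's implementation."""

class BindingTable:
    """IP -> (MAC, VLAN, port), learned only from DHCPACKs arriving on trusted ports."""
    def __init__(self):
        self.bindings = {}

    def learn_from_dhcp(self, event: dict) -> None:
        # Only a DHCPACK from a server on a trusted port may populate the table;
        # a rogue server on an access port is ignored, which is the DHCP snooping part.
        if event["type"] == "DHCPACK" and event["trusted_port"]:
            self.bindings[event["ip"]] = (event["mac"].lower(), event["vlan"], event["port"])

def inspect_arp(table: BindingTable, arp: dict, trusted_ports=frozenset()) -> str:
    """Return 'permit' or 'deny:<reason>' for one ARP packet (the DAI part)."""
    if arp["port"] in trusted_ports:
        return "permit"                    # DAI does not inspect trusted (uplink) ports
    expected = table.bindings.get(arp["sender_ip"])
    if expected is None:
        return "deny:no binding for sender IP"
    mac, vlan, _port = expected
    if arp["sender_mac"].lower() != mac:
        return "deny:sender MAC does not match binding"
    if arp["vlan"] != vlan:
        return "deny:wrong VLAN for binding"
    return "permit"

def run(dhcp_events, arp_packets, trusted_ports=frozenset()) -> list:
    table = BindingTable()
    for ev in dhcp_events:
        table.learn_from_dhcp(ev)
    return [inspect_arp(table, a, trusted_ports) for a in arp_packets]

# Constructed sample: two hosts obtain leases from the real server, a rogue server
# answers on an access port, then one host tries to claim another host's IP.
DHCP = [
    {"type": "DHCPACK", "trusted_port": True, "ip": "10.1.1.10",
     "mac": "AA:AA:AA:AA:AA:01", "vlan": 10, "port": "Gi1/0/1"},
    {"type": "DHCPACK", "trusted_port": True, "ip": "10.1.1.20",
     "mac": "AA:AA:AA:AA:AA:02", "vlan": 10, "port": "Gi1/0/2"},
    {"type": "DHCPACK", "trusted_port": False, "ip": "10.1.1.99",
     "mac": "BB:BB:BB:BB:BB:BB", "vlan": 10, "port": "Gi1/0/7"},   # rogue server
]
ARP = [
    {"port": "Gi1/0/1", "sender_ip": "10.1.1.10", "sender_mac": "aa:aa:aa:aa:aa:01", "vlan": 10},
    {"port": "Gi1/0/3", "sender_ip": "10.1.1.20", "sender_mac": "cc:cc:cc:cc:cc:03", "vlan": 10},
    {"port": "Gi1/0/7", "sender_ip": "10.1.1.99", "sender_mac": "bb:bb:bb:bb:bb:bb", "vlan": 10},
    {"port": "Gi1/0/24", "sender_ip": "10.1.1.1", "sender_mac": "dd:dd:dd:dd:dd:dd", "vlan": 10},
]
```

The second ARP packet is the poisoning attempt from the text (a different MAC claiming 10.1.1.20) and is denied; the last one arrives on the trusted uplink Gi1/0/24 and is passed without inspection, which is why trusted ports must be limited to links toward the DHCP server and other switches.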
Social Engineering
Social engineering attacks occur when attackers use believable language and user gullibility to obtain user credentials or some other confidential information. In this section we are going to focus our attention on a social engineering attack that has been in the news quite a bit lately: phishing.
Phishing/Pharming
Phishing is a social engineering attack in which attackers try to learn personal information, including credit card information and financial data. This type of attack is usually carried out by implementing a fake website that very closely resembles a legitimate website. Users enter data, including credentials, on the fake website, allowing the attackers to capture any information entered. Spear phishing is a phishing attack carried out against a specific target by learning about the target’s habits and likes. Spear phishing attacks take longer to carry out than phishing attacks because of the information that must be gathered.
Pharming is similar to phishing, but pharming actually pollutes the contents of a computer’s DNS cache so that requests to a legitimate site are actually routed to an alternate site.
Prevention
The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.
Caution users against using any links embedded in e-mail messages, even if the message appears to have come from a legitimate entity. Users should also review the address bar any time they access a site where their personal information is required to ensure that the site is correct and that SSL is being used, which is indicated by an HTTPS designation at the beginning of the URL address.
Malware
Malicious software, also called malware, is any software that is designed to perform malicious acts. The following are the four classes of malware you should understand:
Virus: Any malware that attaches itself to another application to replicate or distribute itself
Worm: Any malware that replicates itself, meaning that it does not need another application or human interaction to propagate
Trojan Horse: Any malware that disguises itself as a needed application while carrying out malicious actions
Spyware: Any malware that collects private user data, including browsing history or keyboard input
The best defense against malicious software is to implement antivirus and anti-malware software. Today most vendors package these two types of software in the same package. Keeping antivirus and anti-malware software up-to-date is vital. This includes ensuring that the latest virus and malware definitions are installed.
Data Loss and Exfiltration
Data exfiltration is the unauthorized transfer of data from a computer or from a storage device. At its most serious level, it is the ultimate goal of advanced persistent threats (APTs), which are those that continue on a long-term basis and are carried out by highly skilled cybercriminals. These groups are not interested in the vacation photos of the receptionist. They are interested in three types of data that they can monetize. Let’s look at these data types.
IP
Intellectual property is property that is considered to be a unique creation of the mind and includes books, music, logos, inventions, and slogans. These items can be protected by copyrights, patents, trademarks, and registrations. However, it also includes things that cannot be protected with these mechanisms, such as organizational plans, formulas, recipes, customer lists, and other types of data that cannot be disclosed because it might eliminate or reduce the effectiveness of a business advantage. Attack vectors for IP include disgruntled employees, competitors performing corporate espionage, and inadvertent releases through social media.
PII
Personally identifiable information (PII) is any piece of data that can be used alone or with other information to identify a single person. Any PII that an organization collects must be protected in the strongest manner possible. PII includes full name, identification numbers (including driver’s license number and Social Security number), date of birth, place of birth, biometric data, financial account numbers (both bank account and credit card numbers), and digital identities (including social media names and tags).
Keep in mind that different countries and levels of government can have different qualifiers for identifying PII. Security professionals must ensure that they understand international, national, state, and local regulations and laws regarding PII. As the theft of this data becomes even more prevalent, you can expect more laws to be enacted that will affect your job.
Credit Card
While PII can be used to perform identity theft, stealing credit card information provides a much quicker path to monetizing malicious activities. Many of the most high-profile data breaches have involved the harvesting of thousands of credit card numbers and the related information that makes them usable. When an organization suffers this type of disclosure, it hurts their reputation because they must inform every user whose data was disclosed. They will also be responsible for any harm suffered by the disclosure, so this is a real nightmare when it occurs. The best mitigation for this is to adopt all recommendations of the Payment Card Industry Data Security Standard (PCI-DSS).
Summary
This chapter covered common network attacks and their motivations. It also discussed various attack vectors, such as malicious and nonmalicious insiders and outsiders, terrorists, spies, and terminated personnel. The chapter also looked at various methods used to perform network reconnaissance, such as ping scans and port scans. Finally, the chapter covered types of malware and the exfiltration of sensitive data such as IP, PII, and credit card data.
Exam Essentials
Describe attack motivations. These include financial gain, disruption, geopolitical change, and notoriety. They may be attempted by organized crime groups, state sponsors, terrorist groups, hacktivists, and thrill hackers.
Identify common network attacks. These include but are not limited to IP address spoofing, MAC address spoofing, and email spoofing. They also include password attacks such as dictionary and brute-force attacks. Finally, explain reconnaissance attacks such as ping scans, port scans, and SYN scans.
Explain social engineering attacks. Describe phishing and pharming attacks and how these attacks can lead to malware such as viruses, worms, and Trojan horses.
Define the types of information most susceptible to data exfiltration. These include personally identifiable information (PII), intellectual property, and credit card information. Provide examples for each type of data.
Review Questions
1. What is the typical motivation of a hacktivist?
A. Financial gain
B. Disruption
C. Geopolitical change
D. Notoriety
2. Which of the following attacks has as its goal to get through an ACL on a router?
A. IP address spoofing
B. MAC address spoofing
C. Email spoofing
D. Buffer overflow
3. Which of the following is not a form of password attack?
A. Brute force
B. Dictionary
C. Port scan
D. Social engineering
4. When executing a NULL scan, which response indicates the port is closed on the target?
A. No response
B. Destination unreachable
C. RST
D. ACK
5. Which of the following is a measure used to prevent buffer overflows?
A. Input validation
B. Multifactor authentication
C. Complex passwords
D. Sensitivity labels
6. Which of the following is not a DDoS attack?
A. SYN flood
B. Ping of death
C. Smurf attack
D. Man-in-the-middle
7. Which of the following is typically used to set up a man-in-the-middle attack?
A. ARP poisoning
B. Dynamic ARP inspection
C. Rogue switches
D. MAC overflow
8. Which of the following is mitigation for ARP poisoning?
A. Input validation
B. DAI
C. Multifactor authentication
D. Root guard
9. Which of the following must be implemented to use DAI?
A. DTP
B. Authenticated ARP
C. DHCP snooping
D. NAT
10. Which of the following attaches itself to another application to replicate or distribute itself?
A. Worm
B. Rootkit
C. Spyware
D. Virus
11. Which of the following is considered to be a unique creation of the mind?
A. PII
B. IP
C. PHI
D. IPS
12. Which of the following provides recommendations for securely handling credit card data?
A. HIPAA
B. SOX
C. PCI-DSS
D. GLBA
13. At what OSI layer does MAC address spoofing occur?
A. 1
B. 2
C. 3
D. 4
14. Which of the following is mitigation for email spoofing?
A. SPF
B. DAI
C. DNSSec
D. DHCP snooping
15. Which of the following is a common tool used for ping and port scans?
A. Metasploit
B. Nmap
C. Netstat
D. Snort
16. Which of the following is not a flag set in an XMAS scan?
A. FIN
B. PSH
C. SYN
D. URG
17. Which of the following attacks uses an oversized ICMP packet?
A. Ping of death
B. Smurf
C. Fraggle
D. SYN flood
18. Which of the following is a reflected DDoS attack?
A. Ping of death
B. Smurf
C. Buffer overflow
D. XSS
19. Which attack type does DAI address?
A. IP spoofing
B. MAC overflow
C. ARP poisoning
D. Ping of death
20. Which of the following pollutes the contents of a computer’s DNS cache so that requests to a legitimate site are actually routed to an alternate site?
A. Phishing
B. Pharming
C. Vishing
D. Whaling
Chapter 3 Understanding Cryptography
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
1.3 Cryptography concepts
Describe key exchange
Describe hash algorithm
Compare and contrast symmetric and asymmetric encryption
Describe digital signatures, certificates, and PKI
Cryptography is the use of mathematical algorithms to scramble data so it cannot be read if captured. In that role cryptography provides confidentiality, but that is not the only security goal it can achieve. Through the use of hash values and digital signatures, it can also provide assurance of data integrity and origin authentication. This chapter will cover the types of cryptography, their strengths and weaknesses, and some of the services that cryptography can provide.
In this chapter, you will learn the following:
Cryptography concepts
Symmetric and Asymmetric Encryption
There are two types of cryptography algorithms that you must understand, symmetric and asymmetric. A bit later in this section you will learn the differences between these two systems and the advantages and disadvantages of both. You’ll also learn when to apply these algorithms to secure both data at rest and data in transit.
But first let’s look at some basic concepts used in cryptography. First you’ll be introduced to some of the various ways algorithms scramble the data. Then you’ll learn about two different ways encryption algorithms operate on the data.
Ciphers
Cryptographic algorithms are often called ciphers for short, and these ciphers are mathematical formulas that move the data around in various ways to scramble it. The two main methods are substitution and transposition. I’ll cover these in this section, along with a method of addressing shortcomings of substitution. Ciphers also differ in the amount of data that is encrypted at a time. The two main types of algorithms with respect to this issue are block and stream ciphers, which will also be covered in this section.
Substitution
A substitution cipher uses a key to substitute characters or character blocks with different characters or character blocks. The Caesar cipher and the Vigenère cipher are two of the earliest forms of substitution ciphers. Figure 3.1 shows ROT13, which is a Caesar cipher. It rotates the alphabet 13 positions. Therefore, the message “Hello” encrypts to the ciphertext URYYB.
FIGURE 3.1 ROT13 Caesar cipher
One of the issues with substitution ciphers is that if the message is of sufficient length, patterns in the encryption begin to become noticeable, which makes it vulnerable to a frequency attack. A frequency attack is when the attacker uses these recurring patterns to reverse engineer the message. For this reason, the polyalphabetic algorithm was created.
Polyalphabetic
To increase the difficulty of performing a frequency attack, polyalphabetic algorithms were created. They use multiple instances of the alphabet shifted in a 26 × 26 table called a tableau, shown in Figure 3.2. The figure shows the Vigenère cipher, an example of a polyalphabetic cipher.
FIGURE 3.2 Vigenère cipher
As an example of a message on which the Vigenère cipher is applied, let’s use the security key SYBEX and the plaintext message WEATTACKATFIVE. The first letter in the plaintext message is W, and the first letter in the key is S. We locate the letter W across the headings for the columns. We follow that column down until it intersects with the row that starts with the letter S, resulting in the letter O. The second letter of the plaintext message is E, and the second letter in the key is Y. Using the same method, we obtain the letter C. We continue in this same manner until we run out of key letters, and then we start over with the key, which would result in the second A in the plaintext message working with the letter S of the key.
So, applying this technique to the entire message of WEATTACKATFIVE, the plaintext message converts to the OCBXQSALEQXGWI ciphertext message.
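The tableau lookup is addition of letter positions modulo 26, which makes the Caesar cipher (and ROT13) the one-letter-key case of the Vigenère cipher. The following is an added example, not code from the book; it reproduces the SYBEX / WEATTACKATFIVE walkthrough, decrypts it again, and includes the letter count that a frequency attack starts from. Case is preserved on output, so ROT13 of “Hello” comes out as Uryyb.

```python
"""Caesar (ROT-n) and Vigenère substitution, plus the letter-frequency count
that makes a single-alphabet substitution recognisable.  Added example; the
book's key SYBEX / plaintext WEATTACKATFIVE is used as the worked input."""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

def shift_letter(ch: str, shift: int) -> str:
    """Rotate one letter by `shift` positions; non-letters pass through unchanged."""
    if ch.upper() not in ALPHABET:
        return ch
    idx = (ALPHABET.index(ch.upper()) + shift) % 26
    return ALPHABET[idx] if ch.isupper() else ALPHABET[idx].lower()

def caesar(text: str, shift: int) -> str:
    """A Caesar cipher is a Vigenère cipher with a one-letter key; ROT13 is shift 13."""
    return "".join(shift_letter(c, shift) for c in text)

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Tableau lookup: row = key letter, column = plaintext letter, i.e. add the
    two letters' positions mod 26.  The key repeats once it runs out."""
    key_shifts = [ALPHABET.index(k) for k in key.upper()]
    out, i = [], 0
    for ch in text:
        if ch.upper() in ALPHABET:
            s = key_shifts[i % len(key_shifts)]
            out.append(shift_letter(ch, -s if decrypt else s))
            i += 1          # only letters consume key positions
        else:
            out.append(ch)
    return "".join(out)

def letter_frequencies(text: str) -> Counter:
    """Count letters.  Under a monoalphabetic cipher the shape of this histogram
    is preserved (only the labels move), which is what a frequency attack uses;
    a polyalphabetic key flattens it because the same letter maps to several."""
    return Counter(c for c in text.upper() if c in ALPHABET)
```

Compare `letter_frequencies` of a long plaintext, of its Caesar encryption, and of its Vigenère encryption to see the histogram survive the first and flatten under the second.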
Transposition
A transposition cipher scrambles the letters of the original message in a different order. The key determines the positions to which the letters are moved.
The following is an example of a simple transposition cipher:
Original message: SNOWFLAKESWILLFALL
Broken into groups: SNOW FLAK ESWI FALL
Key: 4231 2314 4231 2314
Ciphertext message: WONS LAFK IWSE ALFL
With this example, the original message is SNOWFLAKESWILLFALL, and the key is 42312314. The ciphertext message is WONSLAFKIWSEALFL. So, you take the first four letters of the plaintext message (SNOW) and use the first four numbers (4231) as the key for transposition. The key describes the relative positions of the same characters in the ciphertext. In the new ciphertext, the letters would be WONS. Then you take the next four letters of the plaintext message (FLAK) and use the next four numbers (2314) as the key for transposition. In the new ciphertext, the letters would be LAFK. Then you take the next four letters of the original message and apply the first four numbers of the key because you do not have any more numbers in the key. Continue this pattern until complete.
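The following is an added example in Python, not code from the book, that implements the block transposition just described with the two four-digit keys applied in rotation. It reads the key as "ciphertext position j takes the plaintext letter at position key[j]", the reading under which the FLAK group with key 2314 gives LAFK as in the text; under the same reading SNOW with key 4231 comes out as WNOS (the text's WONS has the middle letters the other way round), and the final short group is padded with X, which is an assumption of this example.

```python
"""Block transposition cipher keyed by digit strings, following the text's
reading 'the key describes the positions of the characters in the ciphertext'.
Added example; keys are applied in rotation as the text does with 4231 and 2314."""

def _perm(key: str) -> list:
    """'2314' -> [1, 2, 0, 3]: ciphertext slot j takes plaintext letter key[j]."""
    p = [int(d) - 1 for d in key]
    if sorted(p) != list(range(len(p))):
        raise ValueError(f"key {key!r} is not a permutation of 1..{len(p)}")
    return p

def transpose(plaintext: str, keys, pad: str = "X") -> str:
    """Encrypt: split into groups of len(key) letters and permute each group."""
    perms = [_perm(k) for k in keys]
    size = len(perms[0])
    if any(len(p) != size for p in perms):
        raise ValueError("all keys must have the same length")
    text = plaintext.replace(" ", "").upper()
    if len(text) % size:
        text += pad * (size - len(text) % size)   # pad the final group (assumption)
    out = []
    for b, start in enumerate(range(0, len(text), size)):
        block = text[start:start + size]
        perm = perms[b % len(perms)]              # rotate through the keys
        out.append("".join(block[perm[j]] for j in range(size)))
    return "".join(out)

def untranspose(ciphertext: str, keys) -> str:
    """Decrypt: put every letter back at the plaintext position the key names."""
    perms = [_perm(k) for k in keys]
    size = len(perms[0])
    out = []
    for b, start in enumerate(range(0, len(ciphertext), size)):
        block = ciphertext[start:start + size]
        perm = perms[b % len(perms)]
        plain = [""] * size
        for j in range(size):
            plain[perm[j]] = block[j]
        out.append("".join(plain))
    return "".join(out)
```

Note what transposition does not do: the letter counts of plaintext and ciphertext are identical, so on its own it hides nothing from a frequency count; that is why block ciphers combine it with substitution, as the next sections describe.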
Algorithms
While cryptographic algorithms can deploy either substitution or transposition, there is another key characteristic that differentiates two main classes of algorithms: symmetric and asymmetric. In the next two sections, I’ll talk about how they are different.
Symmetric
Symmetric algorithms use a private or secret key that must remain secret between the two parties. Each party pair requires a separate private key. Therefore, a single user would need a unique secret key for every user with whom she communicates.
Consider an example where there are 10 unique users. Each user needs a separate private key to communicate with the other users. To calculate the number of keys that would be needed in this example, you would use the following formula:
# of users × (# of users – 1) / 2
Using our example, you would calculate 10 × (10 – 1) / 2, or 45 needed keys.
With symmetric algorithms, the encryption key must remain secure. To obtain the secret key, the users must find a secure out-of-band method for communicating the secret key, including courier or direct physical contact between the users.
A special type of symmetric key called a session key encrypts messages between two users during one communication session. Symmetric algorithms can be referred to as single-key, secret-key, private-key, or shared-key cryptography.
Symmetric systems provide confidentiality but not authentication or nonrepudiation. If both users use the same key, determining where the message originated is impossible. Symmetric algorithms include DES, AES, 3DES, and RC4. Table 3.1 lists the strengths and weaknesses of symmetric algorithms.
TABLE 3.1 Symmetric algorithm strengths and weaknesses
Strengths                              | Weaknesses
Cheaper to implement than asymmetric   | Key compromise can occur more easily than with asymmetric
Faster than asymmetric                 | Difficulty in performing secure key distribution
Hard to crack                          | Key compromise occurs if one party is compromised, thereby allowing impersonation
The two broad types of symmetric algorithms are stream-based ciphers and block ciphers. Initialization vectors (IVs) are an important part of block ciphers. These three components will be discussed in the next sections.
Block
Another way in which ciphers can differ is in the amount of data that is encrypted at a time. Block ciphers perform encryption by breaking the message into fixed-length units. A message of 1,024 bits could be divided into 16 blocks of 64 bits each. Each of those 16 blocks is processed by the algorithm’s formulas, each resulting in a single block of ciphertext.
Advantages of block ciphers include the following:
The implementation is easier than stream-based cipher implementation.
They are generally less susceptible to security issues.
They are generally used more in software implementations.
Block ciphers employ both substitution and transposition.
Stream
Stream-based ciphers perform encryption on a bit-by-bit basis and use keystream generators. The keystream generators create a bit stream that is XORed with the plaintext bits. The result of this XOR operation is the ciphertext.
A synchronous stream-based cipher depends only on the key, and an asynchronous stream cipher depends on the key and plaintext. The key ensures that the bit stream that is XORed to the plaintext is random.
An example of a stream-based cipher is RC4.
Advantages of stream-based ciphers include the following:
They generally have lower error propagation because encryption occurs on each bit.
They are generally used more in hardware implementations.
They use the same key for encryption and decryption.
They are generally cheaper to implement than block ciphers.
They employ only substitution.
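The following is an added example, not from the book and not RC4: a synchronous stream cipher whose keystream is generated from a key, a nonce, and a counter with SHA-256 (a construction chosen for the example because it needs only the standard library). It shows the three properties listed above that can be demonstrated in code: the keystream depends on key and nonce only, the same operation both encrypts and decrypts, and a corrupted ciphertext bit damages exactly one plaintext bit.

```python
"""A keystream XOR stream cipher built from a hash-based keystream generator
(a constructed teaching cipher, not RC4).  Shows that the same key both encrypts
and decrypts and that a corrupted ciphertext bit damages only that plaintext bit."""
import hashlib

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Synchronous generator: the stream depends on key and nonce only, never
    on the plaintext, so sender and receiver can produce it independently.
    The nonce must not repeat for the same key, or two messages share a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return xor_bytes(data, keystream(key, nonce, len(data)))

stream_decrypt = stream_encrypt   # same key, same function

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a single transmission error in the ciphertext."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)

def error_propagation(key: bytes, nonce: bytes, plaintext: bytes, bit_index: int) -> int:
    """Number of plaintext bits that differ after one ciphertext bit is corrupted."""
    ct = stream_encrypt(key, nonce, plaintext)
    recovered = stream_decrypt(key, nonce, flip_bit(ct, bit_index))
    return sum(bin(x ^ y).count("1") for x, y in zip(plaintext, recovered))
```

The low error propagation cuts both ways: because a flipped ciphertext bit flips exactly the corresponding plaintext bit, an attacker who knows the plaintext layout can change it predictably, which is why a stream cipher is paired with a MAC (covered under hashing later in this chapter).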
Initialization Vectors
Some modes of symmetric key algorithms use initialization vectors to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms. Without using IVs, a repeated phrase within a plaintext message could result in the same ciphertext. Attackers can possibly use these patterns to break the encryption.
Digital Encryption Standard (DES)
Digital Encryption Standard (DES) uses a 64-bit key, 8 bits of which are used for parity. Therefore, the effective key length for DES is 56 bits. DES divides the message into 64-bit blocks. Sixteen rounds of transposition and substitution are performed on each block, resulting in a 64-bit block of ciphertext.
DES has mostly been replaced by 3DES and AES, both of which are discussed later in this chapter.
3DES
Because of the need to quickly replace DES, Triple DES (3DES), a version of DES that increases security by using three 56-bit keys, was developed. Although 3DES is resistant to attacks, it is up to three times slower than DES. 3DES did serve as a temporary replacement for DES. However, the National Institute of Standards and Technology (NIST) has actually designated the Advanced Encryption Standard (AES) as the replacement for DES, even though 3DES is still in use today.
DES can operate in a number of different modes, but the two most common are Electronic Code Book (ECB) and Cipher Block Chaining (CBC). In ECB, 64-bit blocks of data are processed by the algorithm using the key. The plaintext can be padded to ensure that the final block is a full 64-bit block. If an encryption error occurs, only one block of the message is affected. ECB operations run in parallel, making it a fast method.
Although ECB is the easiest and fastest mode to use, it has security issues because every 64-bit block is encrypted with the same key. If an attacker discovers the key, all the blocks of data can be read. If an attacker discovers both versions of the 64-bit block (plaintext and ciphertext), the key can be determined. For these reasons, the mode should not be used when encrypting a large amount of data because patterns would emerge. ECB is a good choice if an organization needs encryption for its databases because ECB works well with the encryption of short messages.
Figure 3.3 shows the ECB encryption process.
FIGURE 3.3 ECB process
In CBC, each 64-bit block is chained together because each resultant 64-bit ciphertext block is applied to the next block. So, plaintext message block 1 is XORed with an IV and then processed by the algorithm. The resultant ciphertext message block 1 is XORed with plaintext message block 2, and that result is processed by the algorithm, resulting in ciphertext message block 2. This process continues until the message is complete.
Unlike ECB, CBC encrypts large files without having any patterns within the resulting ciphertext. If a unique IV is used with each message encryption, the resultant ciphertext will be different every time, even in cases where the same plaintext message is used.
Figure 3.4 shows the CBC encryption process.
FIGURE 3.4 CBC process
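The pattern leak of ECB and the effect of the IV in CBC can both be observed with any block cipher. The following is an added example, not from the book and not DES or AES: an 8-byte Feistel block cipher constructed for teaching (SHA-256 as the round function, 8 rounds, so it uses only the standard library), with ECB and CBC modes and PKCS#7 padding built on top of it. Encrypting a plaintext that repeats the same 8-byte block six times shows six identical ciphertext blocks under ECB and six different ones under CBC.

```python
"""ECB versus CBC over a small Feistel block cipher constructed for teaching
(8-byte blocks, SHA-256 round function; not DES or AES).  Added example; it shows
the repeated-block pattern ECB leaks and how CBC's chaining and IV remove it."""
import hashlib
import os

BLOCK = 8          # 64-bit blocks, the same size DES uses
ROUNDS = 8

def _round_f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function (substitution step); output is half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Balanced Feistel network: each round mixes one half into the other and swaps."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_f(key, rnd, right))
    return right + left

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Same rounds in reverse order; the XOR undoes itself."""
    right, left = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        right, left = left, _xor(right, _round_f(key, rnd, left))
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    return data[:-data[-1]]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Each block encrypted independently: equal plaintext blocks -> equal ciphertext blocks."""
    p = pkcs7_pad(data)
    return b"".join(block_encrypt(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Each plaintext block is XORed with the previous ciphertext block (the IV for
    block 1) before encryption, so repeats in the plaintext do not show in the output."""
    p = pkcs7_pad(data)
    prev, out = iv, []
    for i in range(0, len(p), BLOCK):
        prev = block_encrypt(key, _xor(p[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        ct = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, ct), prev))
        prev = ct
    return pkcs7_unpad(b"".join(out))

def new_iv() -> bytes:
    """A fresh random IV per message, as the text recommends."""
    return os.urandom(BLOCK)

def distinct_blocks(ct: bytes) -> int:
    """Distinct ciphertext blocks; a low count relative to block_count is the leak."""
    return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})

def block_count(ct: bytes) -> int:
    return len(ct) // BLOCK
```

The same experiment with a bitmap image as the plaintext is the classic illustration: the ECB ciphertext still shows the picture's outline, the CBC ciphertext looks like noise.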
Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES) is the replacement algorithm for DES. Although AES is considered the standard, the algorithm that is used in the AES standard is the Rijndael algorithm. The AES and Rijndael terms are often used interchangeably.
The three block sizes that are used in the Rijndael algorithm are 128, 192, and 256 bits. A 128-bit key with a 128-bit block size undergoes 10 transformation rounds. A 192-bit key with a 192-bit block size undergoes 12 transformation rounds. Finally, a 256-bit key with a 256-bit block size undergoes 14 transformation rounds.
Rijndael employs transformations composed of three layers: a nonlinear layer, a key addition layer, and a linear-mixing layer. The Rijndael design is very simple, and its code is compact, which allows it to be used on a variety of platforms. It is the required algorithm for sensitive but unclassified U.S. government data.
RC4
A total of six RC algorithms have been developed by Ron Rivest. RC1 was never published, RC2 was a 64-bit block cipher, and RC3 was broken before release. RC4, also called ARC4, is one of the most popular stream ciphers. It is used in SSL and WEP. RC4 uses a variable key size of 40 to 2,048 bits and up to 256 rounds of transformation.
Asymmetric
Asymmetric algorithms use both a public key and a private or secret key. The public key is known by all parties, and the private key is known only by its owner. One of these keys encrypts the message, and the other decrypts the message.
In asymmetric cryptography, determining a user’s private key is virtually impossible even if the public key is known, although both keys are mathematically related. However, if a user’s private key is discovered, the system can be compromised.
Asymmetric algorithms can be referred to as dual-key or public-key cryptography.
Asymmetric systems provide confidentiality, integrity, authentication, and nonrepudiation. Because both users have one unique key that is part of the process, determining where the message originated is possible.
If confidentiality is the primary concern for an organization, a message should be encrypted with the receiver’s public key, which is referred to as a secure message format. If authentication is the primary concern for an organization, a message should be encrypted with the sender’s private key, which is referred to as an open message format. When using open message format, the message can be decrypted by anyone with the public key.
Perhaps the most widely known and used asymmetric algorithm is RSA. Other asymmetric algorithms include ElGamal, DSA, and Elliptic Curve Cryptography (ECC).
RSA
RSA is the most popular asymmetric algorithm and was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA can provide key exchange, encryption, and digital signatures. The strength of the RSA algorithm is the difficulty of finding the prime factors of very large numbers. RSA uses a 1,024- to 4,096-bit key and performs one round of transformation.
As a key exchange protocol, RSA encrypts a DES or AES symmetric key for secure distribution. RSA uses a one-way function to provide encryption/decryption and digital signature verification/generation. The public key works with the one-way function to perform encryption and digital signature verification. The private key works with the one-way function to perform decryption and signature generation. These processes will be covered in detail in the section “Public Key Infrastructure (PKI).”
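The one-way function the text refers to is modular exponentiation, and which key goes in decides whether the result is a secure message format (receiver's public key), an open message format (sender's private key), or a wrapped symmetric key. The following is an added example, not code from the book: textbook RSA over two small constructed primes (the Mersenne primes 2^31 – 1 and 2^61 – 1, so the modulus is about 92 bits), with no padding scheme, which makes it suitable for illustrating the three uses and nothing more.

```python
"""Textbook RSA with deliberately small constructed primes, to show the uses
the text names: encrypt with the receiver's public key (secure message format),
sign with the sender's private key (open message format), and wrap a symmetric
key for distribution.  Added example; real keys are 1,024 bits or more and use
padding (OAEP, PSS), which is omitted here."""
import hashlib
from math import gcd

def keygen(p: int, q: int, e: int = 65537):
    """Public key (n, e), private key (n, d) with e*d = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_apply(key, m: int) -> int:
    """The one-way function m^k mod n, applied with either key."""
    n, k = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, k, n)

def encrypt(public_key, m: int) -> int:
    """Secure message format: only the holder of d can read the result."""
    return rsa_apply(public_key, m)

def decrypt(private_key, c: int) -> int:
    return rsa_apply(private_key, c)

def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    """Open message format: the digest is 'encrypted' with the private key;
    anyone holding the public key can check it, so this gives authentication, not secrecy."""
    n, _ = private_key
    return rsa_apply(private_key, _digest_int(message, n))

def verify(public_key, message: bytes, signature: int) -> bool:
    n, _ = public_key
    return rsa_apply(public_key, signature) == _digest_int(message, n)

def wrap_symmetric_key(public_key, sym_key: bytes) -> int:
    """Key exchange as the text describes: RSA-encrypt a symmetric (e.g. AES) key."""
    return encrypt(public_key, int.from_bytes(sym_key, "big"))

def unwrap_symmetric_key(private_key, wrapped: int, length: int) -> bytes:
    return decrypt(private_key, wrapped).to_bytes(length, "big")

# Constructed key pair from two well-known Mersenne primes (far too small for real use).
PUBLIC, PRIVATE = keygen(2**31 - 1, 2**61 - 1)
```

Note that `sign` and `encrypt` call the same function with different keys; the security difference between the secure and open formats lies entirely in which key the sender possesses and which key the reader needs.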
Hashing Algorithms
A hash function runs data through a cryptographic algorithm to produce a one-way message digest. The size of the message digest is determined by the algorithm used. The message digest represents the data but cannot be reversed in order to determine the original data. Because the message digest is unique, it can be used to check data integrity.
A one-way hash function reduces a message to a hash value. A comparison of the sender’s hash value to the receiver’s hash value determines message integrity. If the resultant hash values are different, then the message has been altered in some way, provided that both the sender and the receiver used the same hash function. Hash functions do not prevent data alteration but provide a means to determine whether data alteration has occurred.
Hash functions do have limitations. If an attacker intercepts a message that contains a hash value, the attacker can alter the original message to create a second invalid message with a new hash value. If the attacker then sends the second invalid message to the intended recipient, the intended recipient will have no way of knowing that he received an incorrect message. When the receiver performs a hash value calculation, the invalid message will look valid because the invalid message was appended with the attacker’s new hash value, not the original message’s hash value. To prevent this from occurring, the sender should use a Message Authentication Code (MAC).
Encrypting the hash function with a symmetric key algorithm generates a keyed MAC. The symmetric key does not encrypt the original message. It is used only to protect the hash value. Figure 3.5 shows the basic steps of a hash function.
FIGURE 3.5 Hash process
Two major hash function vulnerabilities can occur: collisions and rainbow table attacks. A collision occurs when a hash function produces the same hash value on different messages. A rainbow table attack occurs when rainbow tables are used to reverse a hash by computing all possible hashes and looking up the matching value.
Because a message digest is determined by the original data, message digests can be used to compare different files to see whether they are identical down to the bit level. If a computed message digest does not match the original message digest value, then data integrity has been compromised.
Password hash values are often stored instead of the actual passwords to ensure that the actual passwords are not compromised.
When choosing which hashing function to use, it is always better to choose the function that uses a larger hash value. To determine the hash value for a file, you should use the hash function. As an example, let's suppose you have a document named crypto.doc that you need to ensure is not modified in any way. To determine the hash value for the file using the md5 hash function, you would enter the following command:
md5 crypto.doc
This command would result in a hash value that you should record. Later, when users need access to the file, they should always issue the md5 command listed to recalculate the hash value. If the value is the same as the originally recorded value, the file is unchanged. If it is different, then the file has been changed.
MD5
The MD5 algorithm produces a 128-bit hash value. It performs four rounds of computations. It was originally created because of the issues with MD4, and it is more complex than MD4. However, MD5 is not collision free. For this reason, it should not be used for SSL certificates or digital signatures. The U.S. government requires the usage of SHA-2 instead of MD5. However, in commercial usage, many software vendors publish the MD5 hash value when releasing software patches so customers can verify the software's integrity after download.
SHA-1
SHA-1 produces a 160-bit hash value after performing 80 rounds of computations on 512-bit blocks. SHA-1 corrected the flaw in SHA-0 that made it susceptible to attacks.
SHA-2
SHA-2 is actually a family of hash functions, each of which provides different functional limits. The SHA-2 family is as follows:
SHA-224: Produces a 224-bit hash value after performing 64 rounds of computations on 512-bit blocks.
SHA-256: Produces a 256-bit hash value after performing 64 rounds of computations on 512-bit blocks.
SHA-384: Produces a 384-bit hash value after performing 80 rounds of computations on 1,024-bit blocks.
SHA-512: Produces a 512-bit hash value after performing 80 rounds of computations on 1,024-bit blocks.
SHA-512/224: Produces a 224-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. The 512 designation here indicates the internal state size.
SHA-512/256: Produces a 256-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. Once again, the 512 designation indicates the internal state size.
HMAC
A hash MAC (HMAC) is a keyed-hash Message Authentication Code (MAC) that involves a hash function with a symmetric key. HMAC provides data integrity and authentication. Any of the previously listed hash functions can be used with HMAC, with the HMAC name being appended with the hash function name, as in HMAC-SHA-1. The strength of HMAC is dependent upon the strength of the hash function, including the hash value size and the key size.
HMAC's hash value output size will be the same as the underlying hash function. HMAC can help to reduce the collision rate of the hash function. Figure 3.6 shows the basic steps of an HMAC process.
FIGURE 3.6 HMAC process
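The hash limitation described under "Hashing Algorithms" (an attacker in the path rewrites the message and recomputes the checksum) and the HMAC fix just described, played out with Python's standard library. This is an added example, not code from the book; the shared key, the two messages and the function names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the book).
SHARED_KEY = b"k3y-known-only-to-sender-and-receiver"
ORIGINAL = b"pay 100 to account 42"
FORGED = b"pay 900 to account 42"   # what an attacker in the path substitutes


def plain_digest(message: bytes) -> bytes:
    """Unkeyed hash: anyone, including the attacker, can recompute it for any message."""
    return hashlib.sha256(message).digest()


def keyed_mac(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC over the message. hash_name selects the underlying function
    (HMAC-SHA-1, HMAC-SHA256, ...); the tag is as long as that hash's output."""
    return hmac.new(key, message, hash_name).digest()


def receiver_accepts_plain(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def receiver_accepts_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so it does not leak how many
    # leading bytes of a guessed tag were right.
    return hmac.compare_digest(keyed_mac(key, message), tag)


def intercept_and_alter(checksum_fn):
    """The attacker from the chapter: substitute a message and recompute the
    checksum with whatever the attacker is able to compute."""
    return FORGED, checksum_fn(FORGED)


def demo() -> dict:
    # Sender protects the message once with a bare hash and once with HMAC.
    sent_digest = plain_digest(ORIGINAL)
    sent_tag = keyed_mac(SHARED_KEY, ORIGINAL)

    # In transit the attacker replaces the message and the checksum. Without the
    # shared key, the best the attacker can do for the MAC is guess a key.
    forged_msg, forged_digest = intercept_and_alter(plain_digest)
    _, forged_tag = intercept_and_alter(lambda m: keyed_mac(b"attacker-guess", m))

    return {
        "plain_hash_accepts_genuine": receiver_accepts_plain(ORIGINAL, sent_digest),
        "plain_hash_accepts_forgery": receiver_accepts_plain(forged_msg, forged_digest),
        "hmac_accepts_genuine": receiver_accepts_mac(SHARED_KEY, ORIGINAL, sent_tag),
        "hmac_accepts_forgery": receiver_accepts_mac(SHARED_KEY, forged_msg, forged_tag),
        # HMAC output size equals the underlying hash: 20 bytes for SHA-1, 32 for SHA-256
        "hmac_sha1_tag_bytes": len(keyed_mac(SHARED_KEY, ORIGINAL, "sha1")),
        "hmac_sha256_tag_bytes": len(sent_tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The receiver with only a bare hash accepts the forged message, because the attacker could recompute SHA-256 over it; the receiver checking an HMAC rejects it, because producing a valid tag requires the key the attacker does not have.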
Digital Signatures
A digital signature is a hash value encrypted with the sender's private key. A digital signature provides authentication, nonrepudiation, and integrity. A blind signature is a form of digital signature where the contents of the message are masked before it is signed. Figure 3.7 shows the process.
FIGURE 3.7 Digital signature process
The process for creating a digital signature is as follows:
1. The signer obtains a hash value for the data to be signed.
2. The signer encrypts the hash value using his private key.
3. The signer attaches the encrypted hash and a copy of his public key in a certificate to the data and sends the message to the receiver.
The process for verifying the digital signature is as follows:
1. The receiver separates the data, encrypted hash, and certificate.
2. The receiver obtains the hash value of the data.
3. The receiver verifies that the public key is still valid using the PKI.
4. The receiver decrypts the encrypted hash value using the public key.
5. The receiver compares the two hash values. If the values are the same, the message has not been changed.
Public key cryptography, which is discussed later in this chapter, is used to create digital signatures. Users register their public keys with a certification authority (CA), which distributes a certificate containing the user's public key and the CA's digital signature. The digital signature is computed by the user's public key and validity period being combined with the certificate issuer and digital signature algorithm identifier.
The Digital Signature Standard (DSS) is a federal digital security standard that governs the Digital Security Algorithm (DSA). DSA generates a message digest of 160 bits. The U.S. federal government requires the use of DSA, RSA, or Elliptic Curve DSA (ECDSA) and SHA for digital signatures.
DSA is slower than RSA and provides only digital signatures. RSA provides digital signatures, encryption, and secure symmetric key distribution.
Key Exchange
As you have learned, symmetric key algorithms are significantly more efficient at encrypting and decrypting data than are asymmetric algorithms. However, the best way to illustrate the hybrid cryptosystem is to explore the function of SSH.
Application: SSH
Secure Shell (SSH) is an application and protocol that is used to remotely log into another computer using a secure tunnel. After a session key is exchanged and a secure channel is established, all communication between the two computers is encrypted over the secure channel. SSH is a solution that could be used to remotely access devices, including switches, routers, and servers.
SSH offers a good illustration of the use of asymmetric algorithms to generate and exchange a symmetric key and thereafter to use that key for data encryption. The steps are as follows:
1. The client connects to the server, and the server presents its public key to the client.
2. The client and server negotiate a group of settings that must match on both ends. It includes the symmetric algorithm they will use.
3. The client creates a random session key and encrypts it with the server's public key.
4. The client sends this encrypted session key to the server, and the server decrypts it using its private key.
Using the symmetric key, which they both now possess, the two start encrypting everything that goes on from this point, including the authentication process.
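The digital signature steps from the previous section and the four SSH key-exchange steps just listed, carried out in code so the role of each key is visible. This is an added example, not the book's code and not a real SSH implementation: it uses textbook RSA with no padding, a 512-bit key so that it runs quickly, and an HMAC-based XOR keystream as a stand-in for the negotiated symmetric cipher; every function name and sample message is made up for the illustration.

```python
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact length, odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)). 512 bits keeps the demo fast;
    the chapter's 1,024- to 4,096-bit sizes are what real use requires."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:   # e must be invertible mod phi
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest_int(data: bytes) -> int:
    """Signing step 1: hash the data. A 256-bit digest is always below the 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest_int(data), d, n)             # signing step 2: hash "encrypted" with the private key


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key                                # verification steps 2, 4 and 5
    return pow(signature, e, n) == digest_int(data)


def signature_demo(message: bytes = b"routing update v7"):
    """Returns (genuine message verifies, altered message verifies)."""
    public, private = generate_keypair()
    sig = sign(private, message)
    return verify(public, message, sig), verify(public, message + b" (altered)", sig)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for the negotiated algorithm (SSH step 2):
    XOR with an HMAC-SHA256 counter keystream. The same call encrypts and decrypts."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def ssh_style_exchange(message: bytes = b"show running-config"):
    """Returns (server recovered the same session key, server's decryption of message)."""
    server_public, server_private = generate_keypair()         # step 1: server presents its public key
    session_key = secrets.token_bytes(32)                      # step 3: client picks a random session key
    n, e = server_public
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)    # step 3: encrypted with the server's public key
    n, d = server_private
    server_copy = pow(wrapped, d, n).to_bytes(32, "big")       # step 4: server unwraps with its private key
    ciphertext = keystream_xor(session_key, message)           # from here on everything is symmetric
    return server_copy == session_key, keystream_xor(server_copy, ciphertext)
```

Only the public key ever leaves the server, and only the ciphertext of the session key crosses the wire; anyone who captured the exchange but lacks the server's private key cannot recover the session key, which is why the symmetric traffic that follows stays confidential.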
Public Key Infrastructure
A public key infrastructure (PKI) includes systems, software, and communication protocols that distribute, manage, and control public key cryptography. A PKI publishes digital certificates. Because a PKI establishes trust within an environment, a PKI can certify that a public key is tied to an entity and verify that a public key is valid. Public keys are published through digital certificates.
The X.509 standard is a framework that enables authentication between networks and over the Internet. A PKI includes timestamping and certificate revocation to ensure that certificates are managed properly. A PKI provides confidentiality, message integrity, authentication, and nonrepudiation.
The structure of a PKI includes CAs, certificates, registration authorities, certificate revocation lists, and cross-certification. This section discusses these PKI components as well as a few other PKI concepts.
Public and Private Keys
In public key cryptography, two keys are used, a public key and a private key. These two keys are not the same, but they are mathematically related in such a way that if you encrypt data with one of them, you can decrypt it with the other. Users and devices are issued public/private key pairs that are bound to a digital document called a digital certificate. This certificate (more specifically the keys to which it is bound) can be used for a variety of things including the following:
Encrypting data
As a form of authentication
Encrypting email
Digitally signing software
Private Key
The private key that is generated as part of the key pair is made available only to the user or device to which it was issued. This key may be stored in software on the user's computer, or it might be stored on a smart card if it is to be used for authentication. At any rate, the key concept here is that it is available only to the user or device to which it was issued.
Public Key
The public key that is generated as part of the key pair is made available to anyone to whom the certificate is presented because it is part of the information contained in this digital document. In some cases, public keys may be kept in a repository so they can be requested by an entity if required. Regardless of the method used to obtain the public key, the key concept here is that it is available to anyone.
Putting It Together
These keys work together to perform both encryption and digital signatures. To provide encryption, the data is encrypted with the receiver's public key, which results in ciphertext that only the receiver's private key can decrypt. Figure 3.8 shows this process.
FIGURE 3.8 PKI encryption
To digitally sign a document, the sender creates what is called a hash value of the data being sent, encrypts that value with the sender's private key, and sends this value along with the message. The receiver decrypts the hash using the sender's public key. The receiver then, using the same hashing algorithm, hashes the message. The receiver then compares the decrypted hash value to the one just generated. If they are the same, the signature (and the integrity of the data) has been verified. Figure 3.9 shows this process.
FIGURE 3.9 PKI digital signature
Certificates
A digital certificate provides an entity, usually a user, with the credentials to prove its identity and associates that identity with a public key. At minimum, a digital certificate must provide the serial number, the issuer, the subject (owner), and the public key.
An X.509 certificate complies with the X.509 standard. An X.509 certificate contains the following fields:
Version
Serial Number
Algorithm ID
Issuer
Validity
Subject
Subject Public Key Info
Public Key Algorithm
Subject Public Key
Issuer Unique Identifier (optional)
Subject Unique Identifier (optional)
Extensions (optional)
Revocation
Certificates have a defined lifetime. When the validity period ends, the certificate must be renewed to continue to be valid. There are cases when a certificate must be revoked before its lifetime ends. Reasons for certificate revocation include the following:
Compromise of the associated keys
Improper issuance
Compromise of the issuing CA
Owner of the certificate no longer owning the domain for which it was issued
Owner of the certificate ceasing operations entirely
Original certificate being replaced with a different certificate from a different issuer
A certificate revocation list (CRL) is a list of digital certificates that a CA has revoked. To find out whether a digital certificate has been revoked, either the browser must check the CRL or the CA must push out the CRL values to clients. This can become quite daunting when you consider that the CRL contains every certificate that has ever been revoked.
One concept to keep in mind is the revocation request grace period. This period is the maximum amount of time between when the revocation request is received by the CA and when the revocation actually occurs. A shorter revocation period provides better security but often results in a higher implementation cost.
Uses
Certificates can be used for a variety of operations. This can include authentication, encryption, digital signatures, and email to name a few. VeriSign first introduced the following digital certificate classes:
Class 1: For individuals intended for email. These certificates get saved by web browsers.
Class 2: For organizations that must provide proof of identity.
Class 3: For servers and software signing in which independent verification and identity and authority checking is done by the issuing CA.
Class 4: For online business transactions between companies.
Class 5: For private organizations or governmental security.
Application: SSL/TLS
Certificates are often used when using SSL/TLS. Most modern systems today use TLS, but the term SSL is often still used to refer to the connection. SSL is used to protect many types of applications, the most common being HTTPS (as HTTP is called when used with SSL).
An SSL session is formed between a web server and the web browser of the client. Figure 3.10 depicts the process.
Certificate Authorities
A certification authority (CA) is the entity that creates and signs digital certificates, maintains the certificates, and revokes them when necessary. Every entity that wants to participate in the PKI must contact the CA and request a digital certificate. It is the ultimate authority for the authenticity of every participant in the PKI and signs each digital certificate. The certificate binds the identity of the participant to the public key.
Any participant that requests a certificate must first go through the registration authority (RA), which verifies the requestor's identity and registers the requestor. After the identity is verified, the RA passes the request to the CA. In many cases, the CA and the RA are the same server.
There are different types of CAs. Organizations exist that provide a PKI as a payable service to companies that need them. An example is VeriSign. Some organizations implement their own private CAs so that the organization can control all aspects of the PKI process. If an organization is large enough, it might need to provide a structure of CAs, with the root CA being the highest in the hierarchy.
Because more than one entity is often involved in the PKI certification process, certification path validation allows the participants to check the legitimacy of the certificates in the certification path.
When implementing a PKI, most organizations rely on a hierarchical chain-of-trust model that uses three components at minimum: certificate authorities (CAs), registration authorities (RAs), and a central directory/distribution management mechanism.
FIGURE 3.10 SSL process
A CA issues certificates that bind a public key to a specific distinguished name (DN) issued to the certificate applicant (user). Before issuing a certificate, however, the CA validates the applicant's identity.
When a subject's public certificate is received, the system must verify its authenticity. Because the certificate includes the issuer's information, the verification process checks to see whether it already has the issuer's public certificate. If not, it must retrieve it.
A root CA is at the top of the certificate signing hierarchy. VeriSign, Comodo, and Entrust are examples of public root CAs. For organizations that maintain their own PKI, the first CA created will be the root CA.
Using the root certificate, the system verifies the issuer signature and ensures that the subject certificate is not expired or revoked. If verification is successful, the system accepts the subject certificate as valid.
Root CAs can delegate signing authority to other entities. These entities are known as intermediate CAs. Intermediate CAs are trusted only if the signature on their public key certificate is from a root CA or can be traced directly back to a root. Because a root CA can delegate to intermediate CAs, a lengthy chain of trust can exist.
Any system receiving a subject certificate can verify its authenticity by stepping up the chain of trust to the root.
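Stepping up the chain of trust as the last few paragraphs describe: for each certificate, find the issuer's certificate, verify the issuer's signature over it, check the validity period, check the CRL, and stop at a root held in the trust store. This is an added example, not code from the book. Certificates are a small dataclass carrying the X.509 fields listed earlier rather than real DER, and signatures are toy textbook RSA whose moduli are products of well-known Mersenne primes (chosen so the example is deterministic and obviously unfit for real use); the CA names, serial numbers and dates are constructed for the demonstration.

```python
import dataclasses
import hashlib
from dataclasses import dataclass
from datetime import date


def toy_keypair(p: int, q: int):
    """(public, private) = ((n, e), (n, d)) from two known primes. Demo only."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return (n, e), (n, pow(e, -1, phi))


# Mersenne primes: public factors, so these keys protect nothing, but they make the demo repeatable.
ROOT_PUB, ROOT_PRIV = toy_keypair(2**521 - 1, 2**607 - 1)
ISSUING_PUB, ISSUING_PRIV = toy_keypair(2**127 - 1, 2**1279 - 1)
LEAF_PUB, _ = toy_keypair(2**89 - 1, 2**107 - 1)     # the leaf signs nothing in this demo


@dataclass(frozen=True)
class Certificate:
    """The mandatory X.509 fields the chapter lists (unique identifiers and extensions omitted)."""
    version: int
    serial_number: int
    issuer: str
    not_before: date
    not_after: date
    subject: str
    public_key: tuple
    signature: int = 0

    def tbs_bytes(self) -> bytes:
        """Canonical 'to be signed' bytes; a stand-in for DER encoding."""
        fields = (self.version, self.serial_number, self.issuer, self.not_before,
                  self.not_after, self.subject, self.public_key)
        return "|".join(str(f) for f in fields).encode()


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key    # a 256-bit digest is below every modulus used here, so no reduction is needed
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue(unsigned: Certificate, issuer_private_key) -> Certificate:
    """The CA signs the certificate body; everything else in it stays as requested."""
    return dataclasses.replace(unsigned, signature=sign(issuer_private_key, unsigned.tbs_bytes()))


def validate_chain(subject: Certificate, intermediates, trust_store, crl, today: date):
    """Walk issuer by issuer up to a root in trust_store.
    crl is a set of (issuer, serial_number) pairs. Returns (accepted, reason)."""
    by_subject = {c.subject: c for c in intermediates}
    roots = {c.subject: c for c in trust_store}
    cert = subject
    for _ in range(10):                                         # cap the chain length
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if (cert.issuer, cert.serial_number) in crl:
            return False, f"{cert.subject}: revoked by {cert.issuer}"
        issuer = roots.get(cert.issuer) or by_subject.get(cert.issuer)
        if issuer is None:
            return False, f"{cert.subject}: issuer {cert.issuer!r} not available"
        if not verify(issuer.public_key, cert.tbs_bytes(), cert.signature):
            return False, f"{cert.subject}: signature does not verify with {issuer.subject}"
        if issuer.subject in roots:
            return True, f"chain ends at trusted root {issuer.subject}"
        cert = issuer
    return False, "chain too long"


def build_demo_pki():
    root = issue(Certificate(3, 1, "Demo Root CA", date(2020, 1, 1), date(2040, 1, 1),
                             "Demo Root CA", ROOT_PUB), ROOT_PRIV)              # self-signed
    issuing = issue(Certificate(3, 2, "Demo Root CA", date(2020, 1, 1), date(2030, 1, 1),
                                "Demo Issuing CA", ISSUING_PUB), ROOT_PRIV)     # intermediate
    leaf = issue(Certificate(3, 3, "Demo Issuing CA", date(2024, 1, 1), date(2025, 1, 1),
                             "vpn.example.test", LEAF_PUB), ISSUING_PRIV)        # subject certificate
    return root, issuing, leaf


def run_checks():
    """Returns (good, expired, revoked, altered, missing_intermediate) acceptance flags."""
    root, issuing, leaf = build_demo_pki()
    today = date(2024, 6, 1)
    good, _ = validate_chain(leaf, [issuing], [root], set(), today)
    expired, _ = validate_chain(leaf, [issuing], [root], set(), date(2026, 1, 1))
    revoked, _ = validate_chain(leaf, [issuing], [root], {("Demo Issuing CA", 3)}, today)
    altered = dataclasses.replace(leaf, subject="admin.example.test")   # body edited, old signature kept
    forged, _ = validate_chain(altered, [issuing], [root], set(), today)
    orphan, _ = validate_chain(leaf, [], [root], set(), today)          # intermediate not retrievable
    return good, expired, revoked, forged, orphan
```

Only the first case is accepted. The altered certificate fails because the intermediate's signature covers the whole body, so changing the subject changes the hash the signature must match; the missing-intermediate case fails for the reason the chapter gives, the system cannot verify the issuer's signature until it has the issuer's certificate.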
PKI Standards
Public Key Cryptography Standards (PKCS) were created by RSA Security. While they were created to help promote techniques for which RSA had patents, many of these standards have become standards by the IETF. Table 3.2 shows the standards that have not since been abandoned or obsoleted.
TABLE 3.2 PKI standards

| Standard | Version | Name | Description |
|---|---|---|---|
| PKCS #1 | 2.2 | RSA Cryptography Standard | Defines the mathematical properties and format of RSA public and private keys and the basic algorithms and encoding/padding schemes for performing RSA encryption and decryption and for producing and verifying signatures. |
| PKCS #3 | 1.4 | Diffie-Hellman Key Agreement Standard | A cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. |
| PKCS #5 | 2.0 | Password-Based Encryption Standard | Provides recommendations for the implementation of password-based cryptography, covering key derivation functions, encryption schemes, message-authentication schemes, and ASN.1 syntax identifying the techniques. |
| PKCS #7 | 1.5 | Cryptographic Message Syntax Standard | Used to sign and/or encrypt messages under a PKI. Formed the basis for S/MIME. Often used for single sign-on. |
| PKCS #8 | 1.2 | Private-Key Information Syntax Standard | Used to carry private certificate key pairs (encrypted or unencrypted). |
| PKCS #9 | 2.0 | Selected Attribute Types | Defines selected attribute types for use in PKCS #6 extended certificates, PKCS #7 digitally signed messages, PKCS #8 private-key information, and PKCS #10 certificate-signing requests. |
| PKCS #10 | 1.7 | Certification Request Standard | Format of messages sent to a certification authority to request certification of a public key. |
| PKCS #11 | 2.4 | Cryptographic Token Interface | Also known as Cryptoki. An API defining a generic interface to cryptographic tokens (see also hardware security module). Often used in single sign-on, public-key cryptography and disk encryption. |
| PKCS #12 | 1.1 | Personal Information Exchange Syntax Standard | Defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. |
| PKCS #15 | 1.1 | Cryptographic Token Information Format Standard | Defines a standard allowing users of cryptographic tokens to identify themselves to applications, independent of the application's Cryptoki implementation (PKCS #11) or other API. |
PKI Topologies
A PKI can consist of a single server that operates as RA and CA and is the root certificate server. But in very large environments, you may be advised to create a hierarchy of CAs. When this is done, a single CA will be the root CA and the top of the hierarchy. Underneath this would be a number of subordinate CAs that actually issue the certificates to the entities. The root CA creates and signs the certificates of the subordinate CAs, which creates a trust path up to the root. Figure 3.11 shows this arrangement.
FIGURE 3.11 PKI hierarchy
In some cases, two organizations may have a need to trust one another's certificates. This can be done by configuring cross certification. In cross certification, a trust is created between the two root CAs, which enables both systems to trust all certificates, as shown in Figure 3.12.
FIGURE 3.12 Cross certification
Certificates in the ASA
The Cisco Adaptive Security Appliance (ASA) makes use of certificates and the associated keys to protect the connection of the administrator to the ASA using the Adaptive Security Device Manager (ASDM) and to support SSL VPN clients. In this section, you'll learn about the default certificate that is present in the ASA, the process of adding a certificate and viewing the certificates that are present, and the use of the Simple Certificate Enrollment Protocol (SCEP).
Default Certificate
The ASA has a self-signed default certificate that can be used for the operations listed in the previous section. The issue with a self-signed certificate is that no browsers or devices will have the ASA listed as a trusted CA. Because of this, any HTTPS connections to the ASA will generate a warning message that the certificate being presented is not trusted. To avoid this issue, you can install a root certificate of the CA whose certificate is found in the browsers and devices that will interact with the ASA (either one that you own or a public CA).
Viewing and Adding Certificates in the ASDM
To view the current certificates in the ASDM, select Configuration at the top of the ASDM console and Device Management from the tabs on the left side of the console, as shown in Figure 3.13. As you can see, this ASA currently has no certificates installed other than the default.
FIGURE 3.13 Viewing certificates
To add a certificate, follow these steps:
1. In the Cisco ASDM Configuration Tool, select Configuration > Device Management > Certificate Management > CA Certificates.
2. Click Add. The Install Certificate dialog box appears. You have three options: install from a file, paste the information, or use SCEP. If the root CA represented by the root certificate supports SCEP, choose that option. Otherwise, use the next two steps.
3. Enter a trustpoint name or use the default name that appears in the box.
4. Click the Install From A File radio button and browse to the location of the Root.crt file that you are installing.
5. Click the More Options button, and here you can configure how certificate revocation will be checked, the protocols to be used for certificate verification, and other settings.
SCEP
Simple Certificate Enrollment Protocol is a protocol used for enrollment and other PKI operations. It is supported on most Cisco devices. It simplifies the process of obtaining and installing both the root and the identity certificates. The process to use SCEP is as follows:
1. Choose Configuration > Device Management > Certificate Management > Identity Certificates and click Add.
2. Click the Add A New Identity Certificate radio button and click the Advanced button.
3. In the Advanced box, on the Enrollment Mode tab, select Request From A CA and then enter the IP address of the CA that supports SCEP. Click OK.
4. In the Add A New Identity Certificate dialog box, select Add Certificate. If the enrollment is successful, you will receive an Enrollment Succeeded message.
Cryptanalysis
In cryptanalysis, cryptography attacks are categorized as either passive or active attacks. A passive attack is usually implemented just to discover information and is much harder to detect because it is usually carried out by eavesdropping or packet sniffing. Active attacks involve an attacker actually carrying out steps, such as message alteration or file modification. Cryptography is usually attacked via the key, algorithm, execution, data, or people. But most of these attacks are attempting to discover the key used.
Ciphertext-Only Attack
In a ciphertext-only attack, an attacker uses several encrypted messages (ciphertext) to figure out the key used in the encryption process. Although it is a common type of attack, it is usually not successful because so little is known about the encryption used.
Known Plaintext Attack
In a known plaintext attack, an attacker uses the plaintext and ciphertext versions of a message to discover the key used. This type of attack implements reverse engineering, frequency analysis, or brute force to determine the key so that all messages can be deciphered.
Chosen Plaintext Attack
In a chosen plaintext attack, an attacker chooses the plaintext to get encrypted to obtain the ciphertext. The attacker sends a message hoping that the user will forward that message as ciphertext to another user. The attacker captures the ciphertext version of the message and tries to determine the key by comparing the plaintext version he originated with the captured ciphertext version. Once again, key discovery is the goal of this attack.
Chosen Ciphertext Attack
A chosen ciphertext attack is the opposite of a chosen plaintext attack. In a chosen ciphertext attack, an attacker chooses the ciphertext to be decrypted to obtain the plaintext. This attack is more difficult because control of the system that implements the algorithm is needed.
Brute Force
As with a brute-force attack against passwords, a brute-force attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext. This attack requires considerable time and processing power and is difficult to complete.
Birthday Attack
A birthday attack uses the premise that finding two messages that result in the same hash value is easier than matching a message and its hash value. Most hash algorithms can resist simple birthday attacks.
Meet-in-the-Middle Attack
In a meet-in-the-middle attack, an attacker tries to break the algorithm by encrypting from one end and decrypting from the other to determine the mathematical problem used.
Summary
In this chapter, you learned about symmetric and asymmetric key cryptography and how they differ. The chapter gave examples of each type of algorithm, and you learned how they can work together in a hybrid system. You also learned about the hashing process and looked at the major hashing algorithms. There was coverage of PKI and the components that make it function. Finally, you learned about common attacks on cryptography.
Exam Essentials
Differentiate between symmetric and asymmetric key cryptography. This includes the types of keys used, the scenarios in which they are used, and the disadvantages and advantages of each.
Describe the hashing process. This includes how hashing algorithms work, examples of hashing algorithms, and the role of hashing in digital signatures.
Explain the role of a PKI. Describe the components of a PKI, the certificate enrollment process, and the use of public and private keys in the process.
Define cryptanalytic attacks. These include ciphertext-only attack, chosen plaintext, chosen ciphertext, brute force, birthday, and meet-in-the-middle.
Review Questions
1. Which of the following is not true of symmetric algorithms?
A. They use a public key.
B. They are faster than asymmetric algorithms.
C. They present key exchange issues.
D. They are typically used for data at rest.
2. Which of the following is not true of asymmetric algorithms?
A. They provide automatic key exchange.
B. They are typically used for data at rest.
C. They use a private and public key.
D. They are slower than symmetric algorithms.
3. Which of the following is not an advantage of block ciphers?
A. The implementation is easier than stream-based cipher implementation.
B. Generally they are less susceptible to security issues.
C. Generally they are used more in software implementations.
D. They employ only substitution.
4. Which of the following ciphers perform encryption on a bit-by-bit basis?
A. Block
B. Stream
C. Asymmetric
D. Polyalphabetic
5. Which of the following is used to ensure that patterns are not produced during encryption?
A. IVs
B. HMAC
C. RC4
D. Salting
6. In which of the following modes of DES is every 64-bit block encrypted with the same key?
A. CBC
B. ECB
C. ECC
D. CFB
7. Which of the following is the replacement algorithm for 3DES?
A. Blowfish
B. AES
C. IDEA
D. RC4
8. Which of the following is the most popular asymmetric algorithm?
A. RSA
B. ElGamal
C. DSA
D. ECC
9. Which of the following occurs when a hash function produces the same hash value on different messages?
A. Birthday attack
B. Key exposure
C. Collision
D. Substitution
10. Which of the following hashing algorithms is required by the U.S. government?
A. MD4
B. MD5
C. SHA1
D. SHA2
11. Which of the following can help to reduce the collision rate of the hash function?
A. MAC
B. HMAC
C. Digital signatures
D. Substitution
12. Which of the following is a hash value encrypted with the sender's private key?
A. Salt
B. Nonce
C. Digital signature
D. HMAC
13. Which of the following is true of a hybrid cryptosystem?
A. Asymmetric algorithms are used for the key exchange.
B. Symmetric keys are used for the key exchange.
C. Asymmetric keys are used for the data encryption.
D. Asymmetric keys are exchanged automatically.
14. Which of the following is a digital document binding a key pair to an entity?
A. Certificate
B. Nonce
C. Salt
D. IV
15. Which of the following is the standard for digital certificates?
A. X.500
B. X.509
C. IEEE 509
D. RFC 500
16. Which of the following is a list of digital certificates that a CA has revoked?
A. OCSP
B. CRL
C. SCEP
D. REVC
17. Which of the following certificate classes is for individuals intended for email?
A. 1
B. 2
C. 3
D. 4
18. Which of the following PKI components verifies the requestor's identity?
A. CA
B. RA
C. DN
D. CN
19. Which of the following can be used to allow one root CA to trust another root CA's certificates?
A. Subordination
B. Cross certification
C. Certlink
D. Trust
20. What type of certificate does the ASA use out of the box?
A. Public
B. Self-signed
C. Globally trusted
D. Locally trusted
Chapter 4 Securing the Routing Process
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
4.1 Security on Cisco routers
Configure multiple privilege levels
Configure Cisco IOS role-based CLI access
Implement Cisco IOS resilient configuration
4.2 Securing routing protocols
Implement routing update authentication on OSPF
4.3 Securing the control plane
Explain the function of control plane policing
To provide secure routing and switching, the routers and switches themselves must be secured. Leaving them in a vulnerable state can render all other security implementations useless because unauthorized access can allow a malicious individual to alter all the security settings that are in place. Additionally, when routers are exchanging routing updates, any unauthenticated updates can reveal important information about your network to anyone who convinces your router to perform a routing update. In this chapter, you will explore functionality you should take advantage of to secure access to the devices, to secure routing updates, and to secure the control plane.
In this chapter, you will learn the following:
Securing Cisco routers
Securing routing protocols
Securing Router Access
Securing administrative access to the router is the first step in securing the routing process. This prevents unauthorized access to the router, which will ensure that the configuration of the router cannot be altered. In this section, you'll learn about configuring secure administrative access using several tools.
First I'll discuss how to configure an encrypted session with the router using SSH rather than Telnet (which transmits in clear text). Next I'll talk about controlling the operations of each individual technician by assigning privilege levels. As privilege levels do not meet the needs of all environments, you'll also look at a way to get more granular with the assignment of tasks by authorizing functions via a command-line interface (CLI) with role-based CLI. Finally, I'll discuss how to protect the configuration of the router using the Cisco IOS resilient configuration feature.
Configuring SSH Access
While Telnet can certainly be used to manage a router, this remote access technology transmits everything in clear text, making it unsuitable in today's environments. For this reason, you should always use Secure Shell (SSH) for secure remote access. The SSH server on the router will require an RSA public/private key pair to use in the process of encrypting the traffic. It can generate this key pair but must have certain information configured before it can do so because it uses this information as the label for the key pair.
Therefore, the high-level steps to set up SSH are as follows:
1. Set the router name.
2. Set the router domain name.
3. Generate the RSA key.
Here are the actual commands:
Router(config)#hostnameR63
R63(config)#ipdomain-namemcmillan.com
R63(config)#cryptokeygeneratersa?
encryptionGenerateageneralpurposeRSAkeypairforsigningand
encryption
exportableAllowthekeytobeexported
general-keysGenerateageneralpurposeRSAkeypairforsigningand
encryption
labelProvidealabel
modulusProvidenumberofmodulusbitsonthecommandline
oncreatekeyonspecifieddevice.
redundancyAllowthekeytobesyncedtohigh-availabilitypeer
signatureGenerateageneralpurposeRSAkeypairforsigningand
encryption
storageStorekeyonspecifieddevice
usage-keysGenerateseparateRSAkeypairsforsigningandencryption
R63(config)#cryptokeygeneratersamodulus1024
Thenameforthekeyswillbe:R63.mcmillan.com
%Thekeymodulussizeis1024bits
%Generating1024bitRSAkeys,keyswillbenon-exportable...
![Page 109: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/109.jpg)
[OK](elapsedtimewas2seconds)
R63(config)#
*Mar2818:32:09.095:%SSH-5-ENABLED:SSH1.99hasbeenenabled
Inthesesteps,youcanseeIcreatedaname,R63;setthedomainnametomcmillan.com;andgeneratedakey.ThemoduluskeywordIusedsetsthelengthofthekey,whichinthiscaseis1,024bits.NoticethesyslogmessagethatindicatesSSHversion1.99hasbeenenabled.Thisindicatesitisaversion2server,whichcanacceptconnectionsfromSSHversion1devices.
Next you need to do the following:
1. Create a username and password for each user who needs SSH access.
2. Configure line vty to only accept SSH connections.

R63(config)# username troy secret mac
R63(config)# line vty ?
  <0-1114>  First Line number
R63(config)# line vty 0 1114
R63(config-line)# login local
R63(config-line)# transport input ssh
R63(config-line)#

Notice that I created a user named troy with a password of mac. You can create a single account to be shared by all authorized technicians and name it something like admin, or you can create separate accounts for each user. Separate accounts will provide accountability.

Also notice that when I entered line vty mode, I checked to see how many vty lines this device has so that when I run the command to enter that mode, the commands I apply will apply to all lines. The command login local tells the router that all user accounts will be found locally on this router and not on a remote server. That's why I needed to create the local account that I did. Finally, I set the router to only accept SSH connections with the last command.
Configuring Privilege Levels in IOS
Privilege levels allow you to assign a technician sets of activities that coincide with the level the technician has been assigned. There are 16 levels, from 0 to 15. When you are in user mode (router>), you are at privilege level 1. When you are in privileged mode (router#), you are at level 15.

You can assign levels between 0 and 15, and by linking these levels with commands, you can control the activities of each technician. This can be done on both IOS devices and on the Cisco Adaptive Security Appliance (ASA), although the details of each process are slightly different. Privilege levels are created at the global configuration prompt router(config)#. When a level is created, you also add a command at the same time, which means if you are adding multiple commands to the level, you will run the privilege command several times. Once a level is created, access to that level is obtained by entering a password assigned to that level. From a high level, here are the steps required:
1. Create the level and assign a command to that level.
2. Assign any additional commands to the level.
3. Set a password for the level.
4. Provide the level number and password to the technician (or technicians) who will use it.

First I will create a level numbered 12, and I will assign the show interfaces command to it. Notice that when I do this, I have to assign the command to the level where it is usually executed, in this case privilege exec level.
router(config)# privilege exec level 12 show interfaces

To demonstrate how to assign a command that is executed at a different level, I am now going to add the interface configuration command, and since that command is executed normally at the global configuration mode, I will use the configure keyword when I add it.
router(config)# privilege configure level 12 interface

My intent is to allow this technician to change IP addresses on interfaces, so I need to assign him that command. Since the ip command (along with the parameter address) is executed after entering interface configuration mode, I have to reference interface in the command, as shown here:
router(config)# privilege interface level 12 ip

Now I'm ready to assign a password for level 12 that I just created. That is done the same way any enable secret password is created, adding the level to which it applies as shown next (otherwise it will apply to level 15 as it usually does). The password I set is wordpass.
router(config)# enable secret level 12 wordpass

Once I provide the level number and password to the technician, he will use the password to enter the privilege level as shown here, making it possible to use those commands and no others. To verify the application of the level, he can type show privilege as is also shown.
router# enable 12
Password: wordpass
router# show privilege
Current privilege level is 12

If he attempts to use any other commands, he will receive the error message shown here:
router# show run
              ^
% Invalid input detected at '^' marker.
Configuring IOS Role-Based CLI
Another option you can use to control the operations of technicians is a role-based CLI. Using this approach, you can create roles, implemented as sets of operations called parser views. The only view that exists by default is called root, which as you would expect allows access to all commands. Access to this view is provided when you submit the enable secret password.

Once a parser view is created, you can permit access to the view with a password. This makes it simple to onboard a new technician by assigning him the role he will play in the network. Every technician granted the role will have the same set of operations available.

From a high level, here are the steps required:
1. Create and name the parser view.
2. Assign a password to the parser view.
3. Assign commands to the parser view.
4. Provide the parser view name and password to technicians in the role.

First I will create a view called OSPFAdmin.
R63(config)# parser view OSPFAdmin
R63(config-view)#

Notice the prompt has changed, and now any commands I run will affect only this view. At this prompt I can both set a password and assign commands to the view. First I'll assign a password.
R63(config-view)# secret OSPFp@$$
R63(config-view)#

Now I will assign commands. I won't assign all commands required to manage OSPF, just enough to show you how it's done. You must ensure that you have provided all commands required for the role.
R63(config-view)# commands exec include all show
R63(config-view)# commands exec include all debug ip ospf
R63(config-view)# commands exec include all no debug
R63(config-view)# commands exec include all undebug
R63(config-view)# commands configure include router ospf

I have allowed access in exec mode to all show commands and to the debug ip ospf commands required. Then I allowed access to the router ospf command, which will include all commands within that context. After a technician has been assigned this role, he will access the role using the following commands. Notice that you can verify the application of the role by using the show parser view command.
R63# enable view OSPFAdmin
Password: OSPFp@$$
R63# show parser view
Current view is 'OSPFAdmin'
Implementing Cisco IOS Resilient Configuration
While securing access to the router should be enough to effectively protect the configuration of the router, there is an additional way to prevent unwanted changes to the configuration. The IOS resilient configuration feature can provide a way to easily recover from an attack on the configuration, and it can also help to recover from an even worse attack in which the attacker deletes not only the startup configuration but also the boot image.

The configuration of this feature can be done with two commands. One enables protection of the boot image, and the other enables protection of the startup configuration. To enable protection of the boot image, issue the following command:
R64(config)# secure boot-image
*April 2 14:24:50.231: %IOS_Resilience-5-IMAGE_RESIL_ACTIVE: Successfully secured running image

Notice the system message indicating the boot image is protected. To enable protection of the startup configuration, issue the following command:
R64(config)# secure boot-config
*April 2 14:24:50.231: %IOS_Resilience-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20140131-14259.ar]

Once these two items are secured (called the secure bootset), you cannot update the startup configuration without removing the secure configuration long enough to make the change and then resecuring it as was done in the first place. To remove the secure startup configuration, execute the following command:
R64(config)# no secure boot-config
*April 2 14:34:50.231: %IOS_Resilience-5-CONFIG_RESIL_INACTIVE: Disabled secure config archive [removed flash:.runcfg-20140131-14259.ar]

When finished making changes, execute the secure boot-config command to secure the configuration again.

But what do you do if the worst happens and the startup configuration is deleted? It can be restored, but you must know the location of the secure boot configuration, and you must reference it in the command. To identify its name and location, execute the following command:
R64# show secure bootset
IOS resilience router id FTX1125A67x
IOS image resilience version 12.4 activated at 14:24:50 UTC Mon April 2 2017
Secure archive flash:/c2800nm-advipservicesk9-mz.124-25e.bin type is image (elf) []
  Runnable image, entry point 0x8000F000, run from ram
IOS image resilience version 12.4 activated at 14:24:50 UTC Mon April 2 2017
Secure archive flash:.runcfg-20140131-14259.ar type is config
Configuration archive size 4060 bytes

With the location of the secure configurations in hand, now run the following command to restore the configuration:
R64(config)# secure boot-config restore flash:.runcfg-20140131-14259.ar
ios resilience: configuration successfully restored as flash:.runcfg-20140131-14259.ar

In case you were already wondering what would stop a hacker from using these commands, it is worth knowing that these commands can be run only from the console connection.
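As an added example (not from the book), here is a small Python audit that reads a running configuration and checks the points of this section and the SSH section: the hostname and domain name the RSA key label needs, vty lines restricted to SSH with local login, and both halves of the secure bootset. The configuration text is constructed, the "every addressed interface carries OSPF" rule is a heuristic, and ip ssh version 2, which the chapter does not show, is the IOS command that restricts the SSH 1.99 server to version 2 only.

```python
from typing import List, Tuple

# Constructed sample running-config, loosely modelled on the chapter's R63/R64
# commands, with some hardening deliberately left out so the audit has findings.
SAMPLE_CONFIG = """\
hostname R63
ip domain-name mcmillan.com
username troy secret mac
secure boot-image
!
interface GigabitEthernet0/1
 ip address 10.0.12.1 255.255.255.0
 ip ospf authentication key-chain ospf-keys
!
interface GigabitEthernet0/2
 ip address 10.0.13.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
line vty 0 4
 login local
 transport input ssh
!
line vty 5 15
 login
 transport input telnet ssh
!
end
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level command, sub-mode commands) pairs.

    IOS indents sub-mode commands by one space and separates sections with '!'.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per hardening point from the chapter that is missing."""
    blocks = parse_blocks(config)
    tops = {head for head, _ in blocks}
    findings: List[str] = []

    # SSH prerequisites: the RSA key label is <hostname>.<domain-name>.
    for prereq in ("hostname", "ip domain-name"):
        if not any(h.startswith(prereq + " ") for h in tops):
            findings.append(f"'{prereq}' missing; RSA key generation will fail")
    # Not in the chapter: restricts the server to SSHv2 instead of 1.99 (v1 + v2).
    if "ip ssh version 2" not in tops:
        findings.append("'ip ssh version 2' not set; SSH 1.99 still accepts version 1 clients")

    # Secure bootset: both the image and the startup configuration must be secured.
    for cmd, what in (("secure boot-image", "IOS image"),
                      ("secure boot-config", "startup configuration")):
        if cmd not in tops:
            findings.append(f"'{cmd}' absent; {what} is not protected")

    for head, body in blocks:
        if head.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            if transports != ["transport input ssh"]:
                shown = ", ".join(transports) or "default (all transports)"
                findings.append(f"'{head}' accepts non-SSH transports: {shown}")
            if "login local" not in body and not any(
                    b.startswith("login authentication") for b in body):
                findings.append(f"'{head}' does not use local (or AAA) user accounts")
        elif head.startswith("interface") and any(b.startswith("ip address") for b in body):
            # Heuristic: every addressed interface is assumed to carry OSPF.
            if not any(b.startswith("ip ospf authentication") for b in body):
                findings.append(f"'{head}' has no OSPF authentication key chain")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```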
Securing Routing Protocols
One of the ways in which a malicious individual may attempt to gather information about your network is to enable the routing protocol in use on a workstation and convince your routers to allow the workstation to become a routing neighbor, allowing the malicious individual to receive routing updates from your routers. As if this isn't enough to be concerned about, he may also convince your routers to accept a malicious routing update from his workstation, which could pollute the routing tables of your routers. If this occurs, it could result in an inability of the routers to properly route, which would be a form of denial-of-service attack. Moreover, he could inject routes that cause traffic to be directed to him as a prelude to a man-in-the-middle attack.

To prevent this, you can configure the routers to authenticate one another when performing routing updates. In the following two sections, you'll learn how to do this for the two most commonly used interior routing protocols, OSPF and EIGRP.
Implementing OSPF Routing Update Authentication
OSPF routing updates are secured using a hashing algorithm. You can use either MD5 or SHA-256 HMAC. Be aware, however, that some devices may support only MD5. The following are the high-level steps to configuring this:
1. Define a key chain (a key chain can be used to hold multiple keys if required).
2. Define a key by number that will reside on the key chain.
3. Specify the key characters of the key.
4. Specify the hashing algorithm.
5. Apply the key chain to an interface.

While key chain names and the key numbers do not have to match on the two routers on either end of the link, the key strings and the hashing algorithms must match!

In the following example, I'm going to use MD5 for the configuration. I will first configure router R64 and then router R65 on the other end of the link. The first step is to configure the key chain as shown here. The key chain on R64 will be ospf-keys.
R64(config)# key chain ospf-keys
R64(config-keychain)#

Notice the prompt has changed, and I am now in key chain configuration mode, which is where I will define the key number as follows. The number I am using is 1.
R64(config-keychain)# key 1
R64(config-keychain-key)#

Again, the prompt has changed, and I am in key 1 configuration mode, which is where I define the characters in the key, called the key string. The string I am using is troymac.
R64(config-keychain-key)# key-string troymac
R64(config-keychain-key)#

The next step is to tell the router the algorithm (MD5) to use for this key, which is done at the same key 1 prompt.
R64(config-keychain-key)# cryptographic-algorithm md5
R64(config-keychain-key)#

The final step is to apply the key chain to the interface that connects to router R65.
R64(config-if)# ip ospf authentication key-chain ospf-keys
R64(config-if)#

Keep in mind that while one of the routers is set to use authentication and the other has not yet been configured, routing updates will fail, and the devices will no longer be OSPF neighbors. This will resolve itself as soon as the other router is correctly configured.

The configuration can be the same on router R65, but I'm going to change two of the values that do not have to match just to show that they don't have to match, while keeping the values that do have to match (the key string and the hashing algorithm) the same. The following is the entire set of commands on R65:
R65(config)# key chain router-keys
R65(config-keychain)# key 2
R65(config-keychain-key)# key-string troymac
R65(config-keychain-key)# cryptographic-algorithm md5
R65(config-keychain-key)# end
R65# configure terminal
R65(config)# int g0/1
R65(config-if)# ip ospf authentication key-chain router-keys
Implementing EIGRP Routing Update Authentication
Configuring EIGRP routing update authentication is similar to OSPF. However, OSPF specifies the hashing algorithm in the same mode where you specify the key string, but in EIGRP you specify that on the interface. Additionally, when you specify the algorithm, you specify the EIGRP AS number in the same command. In the following examples, that AS number is 66. The following are the commands for R64 and R65. Notice that, again, the key chain names and key numbers do not have to match, while the key string and hashing algorithms do have to match.
R64(config)# key chain router-keys
R64(config-keychain)# key 1
R64(config-keychain-key)# key-string troymac
R64(config-keychain-key)# end
R64# configure terminal
R64(config)# int g0/2
R64(config-if)# ip authentication key-chain eigrp 66 router-keys
R64(config-if)# ip authentication mode eigrp 66 md5

R65(config)# key chain EIGRP-keys
R65(config-keychain)# key 2
R65(config-keychain-key)# key-string troymac
R65(config-keychain-key)# end
R65# configure terminal
R65(config)# int g0/1
R65(config-if)# ip authentication key-chain eigrp 66 EIGRP-keys
R65(config-if)# ip authentication mode eigrp 66 md5
Securing the Control Plane
There are four types of packets that a router may encounter, and they operate in four "planes" of the router. The four planes and the types of packets that operate in these planes are as follows:

Data Plane Packets  These are end-station, user-generated packets that are always forwarded by network devices to other end-station devices.

Control Plane Packets  These are network device–generated or received packets that are used for the creation and operation of the network itself. Examples include protocols such as ARP, BGP, and OSPF.

Management Plane Packets  These are network device–generated or received packets or management station–generated or received packets that are used to manage the network. Examples are Telnet, SSH, TFTP, SNMP, FTP, NTP, HTTP, HTTPS, and other protocols used to manage the device and/or network.

Services Plane Packets  A subset of data plane packets, services plane packets are also user-generated packets that are forwarded by network devices to other end-station devices. Examples include such functions as GRE encapsulation, QoS, MPLS VPNs, and SSL/IPsec encryption/decryption.

The concern in this section is with the protection of access to the control plane, which includes the hardware and software that supports routing and the management of the device. Packets in the control plane are those that are either destined for the router itself or generated by the router. If access to the control plane is not protected, routing table corruption, changes to the router configuration, and DoS attacks on the router may result.

Control Plane Policing
Control plane policing (CoPP) is a Cisco IOS feature that can be implemented to prevent these issues. Its implementation is an advanced topic not covered in the exam objectives; however, an understanding of its use is included in the exam objectives.

CoPP treats the control plane as a stand-alone entity with its own ingress and egress ports. It allows for the implementation of controls at the ingress port to the control plane. Figure 4.1 shows the relationship between those control plane ingress and egress ports and the physical interfaces. It also shows the paths taken by the four types of traffic discussed in the previous section.

FIGURE 4.1 CoPP

Notice that three types of traffic can be controlled by CoPP, that is, management, control, and services traffic. Also notice that when access control lists (ACLs) are applied to the ingress physical interface and CoPP has also been applied, CoPP comes into play only for traffic that was allowed through the ingress physical interface ACL. As you can see, ultimately CoPP is designed to protect the route processor. Controls can be implemented that allow and disallow certain types of traffic and can also be used to rate-limit the traffic so as to prevent a DoS attack.

When CoPP is configured, the configuration follows the Cisco Modular QoS CLI (MQC). In this model, three mechanisms are used.

Class Maps  Used to categorize traffic types into classes. ACLs are typically used to define the traffic, and then the ACL is referenced in the class map.

Policy Maps  Used to define the action to be taken for a particular class. Actions that can be specified are allow, block, and rate-limit.

Service Policies  Used to specify where the policy map should be implemented.

Figure 4.2 shows the relationship between these mechanisms.

FIGURE 4.2 Modular policy framework

This framework is used for other features as well, such as QoS and traffic shaping.
Summary
In this chapter, you learned about methods for securing administrative access to the router or switch. You also learned how IOS privilege levels and IOS role-based CLI can be used to specify allowed actions. The Cisco IOS resilient configuration feature and its benefits were introduced. You also learned how to configure authentication for router updates for both OSPF and EIGRP. Finally, the chapter discussed how control plane policing can be used to control access to the control plane.

Exam Essentials
Secure administrative access to the router. Complete the steps required to use Secure Shell to administer the router. These steps include setting the router name and domain name and generating the RSA key. It also includes specifying the use of SSH on the vty lines.
Control administrative actions. Configure IOS privilege levels and IOS role-based CLI to specify actions allowed by technicians when maintaining the router.
Implement Cisco IOS resilient configuration. Protect the integrity and availability of both the IOS and the startup configuration by configuring the Cisco IOS resilient configuration feature.
Implement OSPF routing update authentication. Describe the steps involved in configuring authentication between two OSPF routers that is invoked at each routing update.
Implement EIGRP routing update authentication. Describe the steps involved in configuring authentication between two EIGRP routers that is invoked at each routing update.
Describe the benefits of securing the control plane. Understand the dangers that confront the control plane of a router and how control plane policing can be used to control access to the control plane and prevent attacks on it.
Review Questions
1. Which of the following is not a required step when configuring a router for SSH access?
A. Set the router name.
B. Generate the RSA key.
C. Set the router domain name.
D. Set the router loopback IP address.
2. Which of the following statements is true of the following system message?
R63(config)#
*Mar 28 18:32:09.095: %SSH-5-ENABLED: SSH 1.99 has been enabled
A. This router will accept connections only from SSH version 1 devices.
B. This router will accept connections only from SSH version 2 devices.
C. This router will accept connections from SSH version 1 or SSH version 2 devices.
D. This router is an SSH version 1 device.
3. Which statement is false with regard to this configuration?
R63(config)# line vty 0 1114
R63(config-line)# login local
R63(config-line)# transport input ssh
R63(config-line)#
A. vty line 67 is affected by this configuration.
B. The user accounts for access to the vty lines are contained on this router.
C. Only SSH is allowed to be used on the vty lines.
D. SSH access will be controlled by a TACACS+ server.
4. Which of the following statements is true with regard to privilege levels in the IOS?
A. There are 16 privilege levels.
B. Level 16 is user mode.
C. Level 0 is privileged mode.
D. Privilege levels can be defined on routers but not ASA devices.
5. Which of the following commands allows the technician to whom the privilege level will be assigned to only change IP addresses?
A. privilege exec level 12 show interfaces
B. privilege configure level 12 interface
C. privilege interface level 12 ip
D. enable secret level 12 wordpass
6. Which of the following is the only parser view that exists by default?
A. admin
B. root
C. exec
D. priv
7. Which of the statements is true with regard to the following configuration?
R64(config)# secure boot-image
*April 2 17:24:50.231: %IOS_Resilience-5-IMAGE_RESIL_ACTIVE: Successfully secured running image
A. It secures the startup configuration.
B. It secures the IOS image.
C. It secures both the IOS image and the startup configuration.
D. It secures nothing until an additional command is run.
8. Which of the following statements is false with regard to the Cisco IOS resilient configuration?
A. The IOS image and the startup configuration are called the secure bootset when protected.
B. Once secured, the configuration cannot be removed.
C. To restore the boot set, you must know its location.
D. To restore the boot set, you must know its name.
9. Which of the following can be done only from a console connection?
A. Set up SSH.
B. Remove a secure bootset configuration.
C. Create a privilege level.
D. Generate an SSH key.
10. Which of the following hashing algorithms are used to implement OSPF routing update authentication?
A. MD4
B. MD5
C. SHA1
D. SHA2
11. Which of the following configuration settings must match in the two routers when configuring OSPF routing update authentication?
A. Key chain name
B. Key number
C. Key string
D. Router passwords
12. To which component is the key chain applied when configuring OSPF routing update authentication?
A. Routing protocol
B. Hashing algorithm
C. Interface
D. Key
13. To which component is the key applied when configuring OSPF routing update authentication?
A. Routing protocol
B. Hashing algorithm
C. Interface
D. Key chain
14. To which component is the hashing algorithm applied when configuring OSPF routing update authentication?
A. Key
B. Hashing algorithm
C. Interface
D. Key chain
15. How is configuring EIGRP routing update authentication different from OSPF?
A. OSPF specifies the hashing algorithms in the same mode where you specify the key string; in EIGRP, that is specified on the interface.
B. EIGRP specifies the hashing algorithms in the same mode where you specify the key string; in OSPF, that is specified on the interface.
C. OSPF specifies the key chain in the same mode where you specify the key string; in EIGRP, that is specified on the interface.
D. OSPF specifies the key chain in the same mode where you specify the key string; in EIGRP, that is specified on the hashing algorithm.
16. When you specify the algorithm for EIGRP route update authentication, you also specify what value in the same command?
A. Process ID
B. AS number
C. Area ID
D. Interface number
17. Which packet type comes from end stations to be forwarded by the router?
A. Data plane
B. Control plane
C. Management plane packets
D. Services plane packets
18. Which of the following is an example of control plane packets?
A. Data to be routed
B. OSPF updates
C. Telnet packets
D. Packets forwarded by network devices to other end-station devices
19. Packets that are either destined for the router itself or generated by the router are in which plane?
A. Data plane
B. Services plane
C. Control plane
D. Services plane
20. When CoPP is configured, the configuration follows the Cisco Modular QoS CLI (MQC). In this model, which mechanism specifies the actions to be taken on the specified traffic type?
A. Class map
B. Policy map
C. Service policy
D. Action map
Chapter 5
Understanding Layer 2 Attacks
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
4.4 Common Layer 2 attacks
Describe STP attacks
Describe ARP spoofing
Describe MAC spoofing
Describe CAM table (MAC address table) overflows
Describe CDP/LLDP reconnaissance
Describe VLAN hopping
Describe DHCP spoofing

To prevent a certain type of attack, you must understand the attack. Attacks can occur at a number of different layers of the TCP/IP model. When I discuss layer 2 attacks, I am talking about attacks that use layer 2 addresses (MAC addresses) or that are aimed at protocols that operate at layer 2. Finally, some layer 2 attacks take advantage of layer 3 services such as DHCP, but they do so within a local subnet and thus are also called layer 2 attacks. In this chapter, I'll describe how a number of layer 2 attacks occur. In the next chapter, I'll discuss mitigations for these attacks.

In this chapter, you will learn the following:
Common layer 2 attacks

Understanding STP Attacks
Spanning Tree Protocol (STP) is used to prevent switching loops that can occur when there is redundancy built into the switching network. Since redundancy is a desirable design concept, STP is a feature that you cannot live without. Unfortunately, there is an attack on the switching network that takes advantage of the operations of STP. The good news is that Cisco has developed several responses to these attacks, but you must understand the attacks and how the features address the vulnerabilities to properly implement these safeguards. In this chapter, I'll discuss the attacks and how they work, and in Chapter 6 I'll cover the implementation of the mitigations.

STP attacks target the loop-free switching topology that is created by the switches using the bridge protocol data units (BPDUs) upon which STP is based. These BPDUs are used by the switches to select the root bridge and thereafter to select the switch ports that are forwarding and those that are blocking. These BPDUs are also used when a change in the topology occurs (such as a link going down) to establish a new loop-free topology based upon the remaining links.

While link issues can cause a change in the topology, another event can cause this as well, and that is the introduction of a new switch in the network that possesses a higher bridge priority (sometimes called a superior BPDU) than the current root bridge. When a malicious individual introduces a rogue switch to the switching network and the rogue switch advertises a BPDU superior to the one held by the current root bridge, the new switch assumes the position of root bridge.

Since the topology of the switching network depends on the position of the root bridge and the relative position of the other switches to the root bridge, this alters the topology in ways that not only may impact performance but may cause all traffic to traverse the new rogue switch, which will be under the management of the attacker. To see how this can impact the topology, look at Figure 5.1.

FIGURE 5.1 STP attack

Again, mitigations to this attack will be covered in Chapter 6.
Understanding ARP Attacks
An ARP poisoning attack is one that takes advantage of the normal process that devices use to learn an unknown MAC address that a device with a known IP address possesses. Before I cover the ARP poisoning attack, I'll review the ARP broadcast process.

Address Resolution Protocol (ARP), one of the protocols in the TCP/IP suite, operates at layer 3 of the OSI model. The information it derives is utilized at layer 2, however. ARP's job is to resolve the destination IP address placed in the header by IP to a layer 2 or MAC address. Remember, when frames are transmitted on a local segment, the transfer is done in terms of MAC addresses, not IP addresses, so this information must be known.

Whenever a packet is sent across the network, at every router hop and again at the destination subnet the source and destination MAC address pairs change, but the source and destination IP addresses do not. The process that ARP uses to perform this resolution is called an ARP broadcast.

First an area of memory called the ARP cache is consulted. If the MAC address has been recently resolved, the mapping will be in the cache, and a broadcast is not required. If the record has aged out of the cache, ARP sends a broadcast frame to the local network that all devices will receive. The device that possesses the IP address responds with its MAC address. Then ARP places the MAC address in the frame and sends the frame. Figure 5.2 illustrates this process.

FIGURE 5.2 ARP process

In an ARP poisoning attack, the attacker sends a packet type called a gratuitous ARP to the target device with an incorrect IP address to MAC address mapping.

What's a Gratuitous ARP?
A gratuitous ARP is called gratuitous because the ARP message sent is an answer to a question that the target never asks. In the normal ARP process, a device never announces its MAC address to another device unless asked to do so. This means there is an ARP request that goes from device A to device B and then an ARP reply from device B to device A. In the case of the gratuitous ARP, the ARP message is a reply to a request never sent by the target that causes a malicious (and incorrect) update to the receiver's ARP cache.

In a classic man-in-the-middle attack, the attacker will send these gratuitous ARP messages to the two target devices between which he would like to be "in the middle." In the scenario shown in Figure 5.3, the two targets are the Victim laptop and the default gateway of the Victim laptop.

FIGURE 5.3 ARP cache poisoning

After the gratuitous ARP messages are sent and processed by the two targets, the Victim laptop and the router interface would be sending traffic to the attacker while both thinking they are sending to one another. Mitigations for this attack will be presented in Chapter 6. Stay tuned!
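Chapter 6 covers the mitigations; as an added defensive example (not from the book), here is a passive monitor that applies the sidebar's definition directly: a reply is gratuitous when the receiver has no request outstanding for that IP, and a binding change for a protected address such as the default gateway is the Figure 5.3 pattern. The ArpMessage records, the addresses and the monitor's bookkeeping are constructed for the demo rather than taken from a capture.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpMessage:
    """The ARP fields a monitor needs (constructed records, not a live capture)."""
    op: int           # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpMonitor:
    """Passive ARP cache poisoning detector.

    Remembers which (asking MAC, asked IP) pairs have an outstanding request, so
    a reply nobody asked for (the gratuitous ARP of the sidebar) stands out, and
    pins the first IP-to-MAC binding seen so that a changed binding is flagged.
    """

    def __init__(self, protected_ips: Set[str]) -> None:
        self.protected_ips = protected_ips            # e.g. the default gateway
        self.pending: Set[Tuple[str, str]] = set()    # (asking MAC, asked IP)
        self.bindings: Dict[str, str] = {}            # ip -> first MAC seen

    def observe(self, m: ArpMessage) -> List[str]:
        alerts: List[str] = []
        if m.op == ARP_REQUEST:
            # The requester is the one entitled to a reply about target_ip.
            self.pending.add((m.sender_mac, m.target_ip))
        elif m.op == ARP_REPLY:
            key = (m.target_mac, m.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:
                alerts.append(f"unsolicited ARP reply to {m.target_mac}: "
                              f"{m.sender_ip} is-at {m.sender_mac}")
        # Both requests and replies carry a sender binding the receiver may cache.
        self._check_binding(m.sender_ip, m.sender_mac, alerts)
        return alerts

    def _check_binding(self, ip: str, mac: str, alerts: List[str]) -> None:
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            level = "CRITICAL" if ip in self.protected_ips else "WARN"
            alerts.append(f"{level}: {ip} moved from {known} to {mac}")
            # Keep the original binding so repeated poison replies keep alerting.


# Constructed addresses for the Figure 5.3 scenario.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.50", "00:11:22:33:44:50"
ATTACKER_MAC = "de:ad:be:ef:00:04"

TRAFFIC = [
    # Normal resolution: the victim asks for the gateway and the gateway answers.
    ArpMessage(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    ArpMessage(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # Poisoning: unsolicited replies that rebind each target's peer to the attacker.
    ArpMessage(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    ArpMessage(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
]


def run_demo() -> List[str]:
    """Feed the constructed traffic through the monitor and collect its alerts."""
    monitor = ArpMonitor(protected_ips={GATEWAY_IP})
    alerts: List[str] = []
    for message in TRAFFIC:
        alerts.extend(monitor.observe(message))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```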
Understanding MAC Attacks
MAC spoofing attacks occur when an attacker changes his MAC address so that his device appears to be another device. As is the case with all spoofing attacks, the ultimate aim is to receive something intended for the real device or to get past access controls based on a MAC address.

A MAC address attack is also considered a switch attack because it leverages the MAC address table in the switch to accomplish the goal of receiving traffic destined for another device. As you know, the MAC address table is populated as frames are sent and received by the switch. On the left side of Figure 5.4, the MAC table prior to the attack is shown.

FIGURE 5.4 MAC spoofing

Prior to the attack, the switch has the MAC address A (shortened for simplicity) recorded on port Fa0/1 where the real holder of that MAC address resides. When the attacker sends a frame with a spoofed MAC address of A, then the switch does what a switch is supposed to do. It removes the MAC address from its current listing of port Fa0/1 and moves it to port Fa0/4, where the attacker resides. Now the attacker will receive all traffic destined for the device on port Fa0/1. This will continue until the device on port Fa0/1 sends a frame. However, by continually sending frames, the attacker will be able to continually update the table to his advantage. But fear not! There are ways to deal with this, and I will cover them in Chapter 6. You'll get there soon. Don't peek!

Understanding CAM Overflows
As you know, the MAC address table, also called the content addressable memory (CAM) table, is populated by the switch as frames are switched through it. The switch records the source MAC address of every frame entering each port. There is a limited amount of memory space that is available for this table. In a CAM overflow attack, the attacker floods the switch with frames that have invalid source MAC addresses. This is easier than it sounds by using a tool such as macof.

At some point, the CAM table is full and can hold no other MAC addresses. Any MAC addresses that were in the table prior to the attack will still be there, and those devices will still be able to receive traffic. However, it is not the aim of the attacker to prevent access to these devices. When the table is full and frames destined to MAC addresses that are not currently in the table are received, they will be flooded out all ports. If you think about it, this is the normal operation of a switch when it receives a frame with an unknown destination MAC address. Figure 5.5 shows this attack, with the steps in the process numbered.

FIGURE 5.5 CAM overflow

The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise because in this condition the switch is basically operating as a hub, not a switch. In Chapter 6 I'll discuss how to prevent this attack.
Understanding CDP/LLDP Reconnaissance
Cisco Discovery Protocol (CDP) and its standards-based alternative, Link Layer Discovery Protocol (LLDP), are useful tools. They can be used to display information about directly connected devices. This can be especially useful when you have no layer 3 connectivity to a neighboring device, because the protocols operate at layer 2 and thus can be used to extract information even when IP is not functional. Unfortunately, as is often the case, there is a dark side to these tools.

When a malicious individual is attempting to hack your network, the first thing the hacker does is perform network reconnaissance. This operation amounts to gathering all information possible about the layout of the network and the devices in the network. By capturing the CDP or LLDP packets that are used by Cisco devices to exchange information, a wealth of information can be obtained.

For this reason, many organizations choose to forgo the advantages of using CDP and LLDP and disable the operation of both on Cisco devices. Disabling these features can be done on an interface basis or globally on all interfaces. This time I won't make you wait until Chapter 6 for the solution.

To disable CDP on an interface, use the following command in interface configuration mode:

Router67(config-if)#no cdp enable

To disable CDP globally, run the following command in global configuration mode:

Router67(config)#no cdp run

To disable LLDP on an interface, run the following commands in interface configuration mode:

Router67(config-if)#no lldp receive
Router67(config-if)#no lldp transmit

To disable LLDP globally, run the following command in global configuration mode:

Router67(config)#no lldp run
Understanding VLAN Hopping
A virtual LAN (VLAN) security issue you should be aware of is called VLAN hopping. By default, a switch port is an access port, which means it can be a member of only a single VLAN. Ports that are configured to carry the traffic of multiple VLANs, called trunk ports, are used to carry traffic between switches and routers. A VLAN hopping attack's aim is to receive traffic from a VLAN of which the hacker's port is not a member. This can be done in two ways, covered next.

Switch Spoofing
Switch ports can be set to use a protocol called Dynamic Trunking Protocol (DTP) to negotiate the formation of a trunk link. If an access port is left configured to use DTP, it is possible for hackers to set their interface to spoof a switch and use DTP to create a trunk link. If this occurs, they can capture traffic from all VLANs. Figure 5.6 shows a switch spoofing attack.

FIGURE 5.6 Switch spoofing

The prevention of this attack will be covered in Chapter 6.

Double Tagging
Trunk ports use an encapsulation protocol called 802.1q to place a VLAN tag around each frame to identify the VLAN to which the frame belongs. When a switch at the end of a trunk link receives an 802.1q frame, it strips this tag off and forwards the traffic to the destination device. In a double tagging attack, the hacker creates a special frame that has two tags. The inner tag is the VLAN to which the hacker wants to send a frame (perhaps with malicious content), and the outer tag is the real VLAN of which the hacker is a member. If the frame goes through two switches (which is possible since VLANs can span switches), the first tag gets taken off by the first switch, leaving the second, which allows the frame to be forwarded to the target VLAN by the second switch.

Figure 5.7 shows this process. In this example, the native VLAN number between the CompanySwitchA and CompanySwitchB switches has been changed from the default of 1 to 10.

FIGURE 5.7 Double tagging

Double tagging is only an issue on switches that use "native" VLANs. A native VLAN is used for any traffic that is still a member of the default VLAN, or VLAN 1. The mitigation of this attack will be covered in Chapter 6.

Understanding DHCP Spoofing
Dynamic Host Configuration Protocol (DHCP) is used to automate the process of assigning IP configurations to hosts. When configured properly, it reduces administrative overhead, reduces the human error inherent in manual assignment, and enhances device mobility. But it introduces a vulnerability that, when leveraged by a malicious individual, can result in an inability of hosts to communicate (constituting a DoS attack) and can result in peer-to-peer attacks.

When an illegitimate DHCP server (called a rogue DHCP server) is introduced to the network, unsuspecting hosts may accept DHCP offer packets from the illegitimate DHCP server rather than the legitimate DHCP server. When this occurs, the rogue DHCP server will not only issue the host an incorrect IP address, subnet mask, and default gateway address (which makes a peer-to-peer attack possible) but can also issue an incorrect DNS server address, which will lead to the host relying on the attacker's DNS server for the IP addresses of websites (such as major banks), which leads to phishing attacks. Figure 5.8 shows an example of how this can occur.

FIGURE 5.8 DHCP spoofing

In Figure 5.8, after receiving an incorrect IP address, subnet mask, default gateway, and DNS server address from the rogue DHCP server, the DHCP client uses the attacker's DNS server to obtain the IP address of his bank. This leads him to unwittingly connect to the attacker's copy of the bank's website. When the client enters his credentials to log in, the attacker now has his bank credentials and can proceed to empty out his account. It sounds scary, but luckily I will cover mitigation for this attack in Chapter 6!
Summary
In this chapter, you learned about STP attacks such as rogue switches. The chapter discussed how an ARP spoofing attack works and how it leads to a man-in-the-middle attack. MAC spoofing and its use in accessing traffic to which an attacker is not authorized was also covered. You learned how a CAM overflow attack works and its effect on a switch. You looked at both the value and the danger of using CDP and LLDP. Finally, you learned how VLAN hopping attacks are performed.

Exam Essentials
Explain STP attacks. Describe how an attacker can introduce a rogue switch into the network and alter the loop-free switching topology created by STP.

Describe ARP spoofing attacks. Explain how an ARP spoofing attack is set up and what the end result of a successful ARP spoofing attack can be.

Understand MAC spoofing. Describe the purpose of a MAC spoofing attack and how it might enable an attacker to receive traffic to which she is not authorized.

Explain the CAM overflow attack. List the steps that can cause a CAM overflow and describe the potential benefit to a malicious individual.

Understand the issues with CDP and LLDP. Describe the reason for disabling CDP and LLDP and explain how to implement this.

Describe a VLAN hopping attack. List the ways to accomplish a VLAN hopping attack and explain the purpose of this attack.

Explain DHCP snooping. Describe a DHCP spoofing attack and understand the attacks to which it can lead.
Review Questions
1. Which of the following is true of an STP attack?
A. It occurs with the introduction of a new switch in the network that is more powerful than the current root bridge.
B. It occurs with the introduction of a new switch in the network that possesses an inferior BPDU than the current root bridge.
C. It occurs with the introduction of a new switch in the network that possesses a superior BPDU than the current root bridge.
D. It may cause all traffic to bypass the new rogue switch, which will be under the management of the attacker.

2. Which of the following takes advantage of the normal process that devices use to learn an unknown MAC address that a device with a known IP address possesses?
A. CAM overflow
B. ARP poisoning attack
C. DHCP spoofing
D. STP attack

3. Which of the following is used by an attacker to pollute the ARP cache of hosts?
A. Gratuitous ARP
B. Superior BPDU
C. Inferior BPDU
D. DTP

4. Which of the following is checked prior to a host performing an ARP broadcast?
A. CAM table
B. Host file
C. ARP cache
D. LMhosts file

5. Which of the following occurs when an attacker changes his physical address so that his device appears to be another device?
A. DHCP spoofing
B. CAM overflow
C. MAC spoofing
D. Switch spoofing

6. Which of the following is also considered a switch attack?
A. MAC spoofing
B. DHCP spoofing
C. Rogue DHCP
D. ARP spoofing

7. The content addressable memory table is also known as which of the following?
A. ARP cache
B. DNS resolver cache
C. MAC table
D. DHCP scope

8. Which of the following attacks floods the switch with frames that have invalid source MAC addresses?
A. Smurf attack
B. CAM overflow
C. SYN flood
D. Fraggle attack
9. Which of the following attacks causes a switch to basically operate as a hub and not a switch?
A. Smurf attack
B. CAM overflow
C. SYN flood
D. Fraggle attack

10. Which of the following is standards based?
A. LLDP
B. CDP
C. EIGRP
D. DTP

11. Which of the following commands disables CDP on all interfaces when applied at the global configuration prompt?
A. cdp disable
B. no cdp enable
C. no cdp run
D. no cdp receive

12. Which of the following commands disables LLDP reception on an interface when applied at the interface configuration prompt?
A. lldp disable
B. no lldp enable
C. no lldp run
D. no lldp receive

13. Which attack's aim is to receive traffic from a VLAN of which the hacker's port is not a member?
A. CDP reconnaissance
B. VLAN hopping
C. DHCP snooping
D. STP attack

14. Which of the following is an example of a VLAN hopping attack?
A. Switch spoofing
B. Man-in-the-middle
C. LLDP reconnaissance
D. ARP spoofing

15. What protocol does the attacker leverage in a switch spoofing attack used to perform VLAN hopping?
A. CDP
B. LLDP
C. DTP
D. STP

16. Which attack is only an issue on switches that use "native" VLANs?
A. Switch spoofing
B. Double tagging
C. ARP pollution
D. CAM overflow

17. Which service introduces a vulnerability that when leveraged by a malicious individual can result in an inability of hosts to communicate (constituting a DoS attack) and peer-to-peer attacks?
A. DHCP
B. DNS
C. DTP
D. NAT

18. Which of the following attacks can lead to a phishing attack?
A. DHCP spoofing
B. CAM overflow
C. Double tagging
D. Switch spoofing

19. Which attack occurs on trunk links?
A. Double tagging
B. ARP pollution
C. CAM overflow
D. DHCP spoofing

20. What protocol is used to negotiate the formation of a trunk link?
A. CDP
B. NTP
C. DTP
D. VTP
Chapter 6 Preventing Layer 2 Attacks

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
4.5 Mitigation procedures
Implement DHCP snooping
Implement Dynamic ARP Inspection
Implement port security
Describe BPDU guard, root guard, loop guard
Verify mitigation procedures

Now that you understand some of the layer 2 attacks that can be aimed at your switching infrastructure, you are ready to learn about the mitigations that are available to address each of these attacks. This chapter will discuss how to prevent STP attacks, ARP pollution, MAC spoofing, and CAM overflows. The chapter will also discuss the prevention of VLAN hopping attacks and rogue DHCP servers. Finally, the chapter will discuss how to verify the proper application of the mitigations discussed in the chapter.

In this chapter, you will learn the following:
Mitigations for common layer 2 attacks
Configuring DHCP Snooping
In Chapter 5 you learned that a rogue DHCP server can create significant security issues for your environment. When a rogue DHCP server issues an incorrect IP address, an incorrect subnet mask, and incorrect default gateway information to the host, it can prevent proper communications for those hosts, amounting to a DoS attack. Moreover, it can also result in traffic being directed through this device so that it captures all traffic. Finally, if the rogue DHCP server issues an incorrect DNS server address, it can result in a rogue DNS server responding to queries for sensitive website IP addresses, such as banks, with incorrect information that, when used by unsuspecting users, can lead to the capture of user credentials.

There is a way to prevent all of this, however, by implementing a feature called DHCP snooping. This feature works by filtering the DHCP messages sent by the rogue DHCP server so that they are never received by the unsuspecting hosts. It also uses the messages sent to and from the legitimate DHCP server to build a binding database that maps the MAC addresses of hosts to the IP addresses they received from the legitimate DHCP server.

DHCP snooping is implemented on the switches in the network, so it is a layer 2 solution. The switch ports on the switch are labeled either trusted or untrusted. Trusted ports are those that will allow a DHCP message to traverse. The only access ports on the switch that should be labeled as trusted are those leading to legitimate DHCP servers.

All interswitch ports should also be labeled as trusted, since they might be used to send the DHCP message from the legitimate server to hosts located on a switch to which the legitimate DHCP server is not connected. All other access ports on the switches should be labeled as untrusted (or left unlabeled, in which case they will be considered untrusted). This prevents a rogue DHCP server connected to one of these ports from responding to the DHCP discover packets sent by the hosts. As a matter of fact, any server response packets (DHCPOFFER, DHCPACK, or DHCPNAK) will be dropped by these interfaces.

Figure 6.1 shows an example of how these ports should be configured in a sample network containing both a legitimate and a rogue DHCP server. Notice in this scenario that the legitimate DHCP server is located on the other side of a network of layer 3 switches; therefore, all ports leading from the layer 2 switches toward the legitimate DHCP server are labeled as trusted so that any of these ports can be used for communication by the legitimate DHCP server. Also notice that all access ports on the two layer 2 switches have been left unlabeled, which makes them untrusted. This prevents the rogue DHCP server from responding to any DHCP discover packets.

FIGURE 6.1 DHCP snooping

From a high level, the steps that are required to implement DHCP snooping are as follows:
1. Enable DHCP snooping globally on each switch.
2. Enable DHCP snooping explicitly for each VLAN with members on the switch.
3. Label all access ports that connect to legitimate DHCP servers as trusted.
4. Leave all other access ports unlabeled, which makes them untrusted.
5. Label any interswitch ports as trusted.

An optional step you may want to take is to specify a file in flash memory to hold the DHCP snooping database that is created by "snooping" on legitimate DHCP server traffic. In the absence of doing this, the database will be stored in RAM. So, if you want the database to persist through a switch reload, configure a file in flash for this purpose.
Let's go over each of these steps using Figure 6.1 as our guide. First let's enable DHCP snooping globally on the layer 2 switches. I'll call them SW67 and SW68.

SW67(config)#ip dhcp snooping
SW68(config)#ip dhcp snooping

This is not indicated on the diagram, but let's assume you have four VLANs, VLANs 2–5, on the two switches. Now let's explicitly enable DHCP snooping on those VLANs.

SW67(config)#ip dhcp snooping vlan 2-5
SW68(config)#ip dhcp snooping vlan 2-5

There are no access ports on the two layer 2 switches that contain legitimate DHCP servers, so you can leave them all unlabeled, which will make them untrusted by default. However, you will need to mark all four of the interfaces leading from the layer 2 switches to the layer 3 switches as trusted. While not labeled on the diagram, let's identify these as gi0/1 and gi0/2 on SW67 and gi0/3 and gi0/4 on SW68. (The interface range keyword is needed to select both ports at once.)

SW67(config)#int range gi0/1-2
SW67(config-if-range)#ip dhcp snooping trust
SW68(config)#int range gi0/3-4
SW68(config-if-range)#ip dhcp snooping trust

Finally, just to see how it's done, let's configure a file in flash for the DHCP snooping database. Then if the switches reload for some reason, they will retain this database. Call the file mysnooper on both devices.

SW67(config)#ip dhcp snooping database flash:/mysnooper
SW68(config)#ip dhcp snooping database flash:/mysnooper

In the next section, I'll show you an additional use for the DHCP snooping database. Stay tuned!
Configuring Dynamic ARP Inspection
As you learned in Chapter 5, ARP attacks are targeted at the ARP cache that is used by all devices to store recently resolved IP address to MAC address mappings. These mappings become known to the hosts through the ARP broadcast process and are stored in the ARP cache for a short period of time to eliminate the need to repeat the ARP broadcast process for every packet in a large stream of packets. Each time an entry in the cache is used, the timer that ages it out of the cache is updated. ARP pollution attacks use gratuitous ARP packets to force incorrect entries into the ARP cache, with the aim of sending traffic to the attacker that should be sent elsewhere.

The attack can be prevented by implementing a feature on the switches called Dynamic ARP Inspection (DAI). This feature requires that DHCP snooping also be enabled, because it depends on the DHCP snooping database that is created when DHCP snooping is enabled. When enabled, it allows the switch to intercept ARP packets on ports that you designate as untrusted, and it will verify that each intercepted packet has a valid MAC to IP address mapping before updating the ARP cache and forwarding the packet. This validation is performed by using the DHCP snooping database.

When properly configured, DAI operates as shown in Figure 6.2. An attacker sends a gratuitous ARP message to pollute the ARP cache of the host at 10.1.1.2. When the switch receives this message, it consults the DHCP snooping database, and when discovering that the packet contains an incorrect MAC to IP address mapping, it drops the packet.

FIGURE 6.2 DAI in action

In the scenario shown in Figure 6.2, the DAI implementation would require that the ports on the switch connected to the hosts be labeled as untrusted (for the purposes of DAI) and all interswitch ports be labeled as trusted. Bypassing the security check between switches is safe if DAI is enabled on all of the switches, because the switches will only be sending packets to one another that have already been checked when received by the switch.

In cases where interfaces with static IP addresses are present (such as default gateways on routers), additional steps are required, because those interfaces and their IP to MAC address mappings will not be found in the DHCP snooping database; that's not how those interfaces got their IP addresses. These interfaces will require that you create a type of ACL on the switch called an ARP ACL. This ACL identifies the correct IP to MAC address mapping for the interface, and the ACL is referenced as a filter in the DAI configuration. This makes the ACL available to the DAI process as an addition to the DHCP snooping database.

To enable DAI, the high-level steps are as follows:
1. Enable DAI for each VLAN.
2. Specify interswitch ports as trusted.
3. Leave all other ports at the default of untrusted.
4. For any interfaces such as default gateways that have static IP addresses, create an ARP ACL that maps the IP address of the interface to its MAC address.
5. Reference any ARP ACLs that have been created when enabling DAI.
Using the diagram in Figure 6.2, let's perform each step. First let's enable DAI on the switch for VLAN 3.

SW69(config)#ip arp inspection vlan 3

While not shown in the diagram, let's pretend the switch has an uplink called gi0/4, which connects to another switch. You need to mark this interface as trusted, so let's do it.

SW69(config)#int gi0/4
SW69(config-if)#ip arp inspection trust

All other ports need to be labeled untrusted, which is the default, so you can leave them as they are. Since the default gateway on the router has a static IP address of 10.1.1.1, you need to create an ARP ACL that creates the IP to MAC address mapping. Let's do this and use the MAC address aaaa.bbbb.cccc. Its name will be StaticIP-VLAN3. Notice that this is an instance where an ACL is used not to allow or block traffic but to identify an item (in this case the IP to MAC address mapping) for special treatment.

SW69(config)#arp access-list StaticIP-VLAN3
SW69(config-arp-acl)#permit ip host 10.1.1.1 mac host aaaa.bbbb.cccc

The last item you need to take care of is to reference the name of the ARP ACL in the DAI configuration. When you do this, you also have to reference the VLAN to which it applies.

SW69(config)#ip arp inspection filter StaticIP-VLAN3 vlan 3

While you used the VLAN number in the name of the ACL, that is not what ties it to the VLAN. It is the explicit reference to VLAN 3 at the end of the command that does it.
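To make the interaction between the two features concrete, here is a small Python simulation of DHCP snooping and DAI on one switch. It is an added example, not code from the book or from Cisco IOS: the port names (gi0/1 to gi0/4, with gi0/4 as the trusted uplink), VLAN 3, the client MAC addresses and the message sequence are constructed, while the gateway mapping 10.1.1.1 to aaaa.bbbb.cccc mirrors the ARP ACL configured above. It shows server replies being dropped on an untrusted port, the binding database being learned from a legitimate DHCPACK, and DAI using that database plus the static ACL entry to drop a forged gratuitous ARP for the gateway address.

```python
"""Simulation of DHCP snooping and Dynamic ARP Inspection (DAI) on one switch.

Added example for this section, not code from the book or from Cisco IOS.
Port names, VLAN 3, the client MAC addresses and the message sequence are
constructed; the gateway mapping 10.1.1.1 -> aaaa.bbbb.cccc mirrors the ARP ACL
configured in the text.
"""
from dataclasses import dataclass, field

# DHCP server-to-client messages; DHCP snooping drops these on untrusted ports.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class Switch:
    dhcp_trusted: set = field(default_factory=set)  # "ip dhcp snooping trust" ports
    arp_trusted: set = field(default_factory=set)   # "ip arp inspection trust" ports
    bindings: dict = field(default_factory=dict)    # (vlan, ip) -> mac: the snooping database
    arp_acl: dict = field(default_factory=dict)     # (vlan, ip) -> mac: static ARP ACL entries
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP snooping: filter one DHCP message and learn bindings from trusted replies."""
        if msg in SERVER_MESSAGES:
            if port not in self.dhcp_trusted:
                self.log.append(f"DROP {msg} from untrusted port {port}")
                return False
            if msg == "DHCPACK":                     # a completed lease becomes a binding
                self.bindings[(vlan, yiaddr)] = client_mac
        self.log.append(f"FORWARD {msg} from {port}")
        return True

    def arp(self, port, vlan, sender_ip, sender_mac):
        """DAI: trusted ports bypass the check; untrusted ports must match a binding or ACL."""
        if port in self.arp_trusted:
            return True
        expected = self.arp_acl.get((vlan, sender_ip)) or self.bindings.get((vlan, sender_ip))
        if expected == sender_mac:
            return True
        self.log.append(f"DROP ARP {sender_ip} is-at {sender_mac} from untrusted port {port}")
        return False


def demo():
    """Run a legitimate lease, a rogue offer and three ARP packets through the switch."""
    sw = Switch(dhcp_trusted={"gi0/4"}, arp_trusted={"gi0/4"})   # gi0/4 is the uplink
    sw.arp_acl[(3, "10.1.1.1")] = "aaaa.bbbb.cccc"               # static default gateway
    client = "1111.1111.1111"                                    # constructed client MAC
    # Legitimate exchange: client on access port gi0/1, real server reached via gi0/4.
    sw.dhcp("gi0/1", 3, "DHCPDISCOVER", client)
    sw.dhcp("gi0/4", 3, "DHCPOFFER", client, "10.1.1.2")
    sw.dhcp("gi0/1", 3, "DHCPREQUEST", client)
    sw.dhcp("gi0/4", 3, "DHCPACK", client, "10.1.1.2")
    # A rogue server on access port gi0/2 answers the same discover.
    rogue_offer = sw.dhcp("gi0/2", 3, "DHCPOFFER", client, "10.1.1.50")
    # ARP from the real client, from the gateway, and a forged claim to the gateway IP.
    client_arp = sw.arp("gi0/1", 3, "10.1.1.2", client)
    gateway_arp = sw.arp("gi0/3", 3, "10.1.1.1", "aaaa.bbbb.cccc")
    forged_arp = sw.arp("gi0/2", 3, "10.1.1.1", "dead.beef.0002")
    return sw, rogue_offer, client_arp, gateway_arp, forged_arp
```

Two design points carry over to real deployments: the binding is only learned from a DHCPACK that arrived on a trusted port, so a rogue server can never seed the database, and the ARP ACL is consulted before the bindings, which is why the statically addressed gateway passes inspection even though it never obtained a lease.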
Configuring Port Security
In Chapter 5 you learned how a malicious individual could use a CAM overflow attack to fill the CAM table of the switch, resulting in the switch flooding all traffic out all ports. This basically turns the switch into a hub and thereby allows the attacker to receive all traffic, regardless of the VLAN to which the frame belongs. However, you can prevent this by using a feature called port security. This feature can control the following:

The maximum number of MAC addresses that can be seen on a port (which will solve the CAM overflow issue)
Exactly which MAC addresses can transmit on a port (preventing unauthorized access to the network)

Let's look at how you might prevent a CAM overflow attack by limiting the number of MAC addresses that can be seen on an interface. From a high level, these are the steps required. The commands will follow later.

1. Specify the port as an access port (if not already done).
2. Enable port security on the port.
3. Specify the maximum number of MAC addresses allowed on the port.
4. Specify the action to be taken when a violation occurs.

Let's configure these steps on a Cisco switch. First specify the port gi0/2 as an access port.

SW70(config)#int gi0/2
SW70(config-if)#switchport mode access

The next step is to enable port security on the interface. That is done with the following command:

SW70(config-if)#switchport port-security

To specify the maximum number of MAC addresses that can be seen on the port, use the following command. In this case, you are allowing two because the user has both a PC and an IP phone connected to the same port.

SW70(config-if)#switchport port-security maximum 2

Finally, let's specify that if a violation occurs, the port will be shut down. You can also choose the following actions using alternative keywords to the shutdown keyword:

protect: The offending frame will be dropped.
restrict: The frame is dropped and an SNMP trap and a syslog message are generated.

SW70(config-if)#switchport port-security violation shutdown

With this configuration in place, the port will be protected from a CAM overflow attack. If one occurs, the port will be shut down.

Port security can also be used to specify the exact MAC addresses that are allowed on the port. This will prevent an unauthorized device from using the port. You can specify the MAC address (or addresses) manually, or you can use a cool command option called mac-address sticky that tells the port to learn the MAC addresses of the devices currently connected to the port and make those MAC addresses the only ones allowed on the port. Assuming you have specified the port as an access port and enabled port security on the port, this is easily done with this single command:

SW70(config-if)#switchport port-security mac-address sticky

With the port configured like this, the port is protected both from unauthorized devices and from CAM overflow attacks.
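The following Python model shows why the maximum and the violation action together stop a CAM overflow. It is an added example, not code from the book or from Cisco IOS; the CAM table size (8 entries), the port names, the MAC addresses and the log text are constructed. The unprotected switch learns a burst of bogus source addresses until its table is full and then floods frames for a later legitimate host, exactly the hub-like behaviour described in Chapter 5; the protected switch, configured like gi0/2 above (maximum 2, violation shutdown, sticky learning), accepts the PC and phone, err-disables the port on the first extra address and keeps the rest of the table intact.

```python
"""Simulation of switch MAC learning with and without port security.

Added example for this section, not code from the book or from Cisco IOS.
Port names, MAC addresses, the CAM table size and the log text are constructed.
"""
import random
from collections import OrderedDict


class SecuredSwitch:
    def __init__(self, cam_size=8):
        self.cam_size = cam_size
        self.cam = OrderedDict()      # mac -> port; bounded, like a real CAM table
        self.limits = {}              # port -> "switchport port-security maximum <n>"
        self.mode = {}                # port -> violation mode: protect | restrict | shutdown
        self.secure = {}              # port -> sticky-learned secure MAC addresses
        self.violations = {}          # port -> violation counter
        self.err_disabled = set()     # ports shut down by a violation
        self.syslog = []              # messages a restrict or shutdown violation generates

    def port_security(self, port, maximum, violation="shutdown"):
        """Enable port security on an access port with a maximum and a violation action."""
        self.limits[port] = maximum
        self.mode[port] = violation
        self.secure[port] = set()
        self.violations[port] = 0

    def receive(self, port, src_mac):
        """Process the source MAC of one frame; returns True if the frame is accepted."""
        if port in self.err_disabled:
            return False
        if port in self.limits:
            allowed = self.secure[port]
            if src_mac not in allowed:
                if len(allowed) >= self.limits[port]:
                    return self._violate(port, src_mac)
                allowed.add(src_mac)  # sticky: the first MACs seen become the secure set
        self._learn(src_mac, port)
        return True

    def _violate(self, port, src_mac):
        mode = self.mode[port]
        if mode == "protect":         # dropped silently: no counter, no trap, no syslog
            return False
        self.violations[port] += 1
        self.syslog.append(f"port-security violation on {port} from {src_mac}")  # constructed text
        if mode == "shutdown":
            self.err_disabled.add(port)
        return False

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
            self.cam[mac] = port
        elif len(self.cam) < self.cam_size:
            self.cam[mac] = port      # a full table simply stops learning new addresses

    def lookup(self, dst_mac):
        """Forwarding decision: the learned port, or FLOOD for an unknown destination."""
        return self.cam.get(dst_mac, "FLOOD")


def random_macs(count, seed=1):
    """Deterministic burst of random source MACs (constructed input)."""
    rnd = random.Random(seed)
    return [f"{rnd.getrandbits(48):012x}" for _ in range(count)]


def demo_unprotected():
    """No port security: the burst fills the table, and a later host's frames get flooded."""
    sw = SecuredSwitch(cam_size=8)
    for mac in random_macs(50):
        sw.receive("gi0/2", mac)
    sw.receive("gi0/1", "0000.0000.0001")       # a legitimate host arriving after the burst
    return sw.lookup("0000.0000.0001")           # "FLOOD": the switch now behaves like a hub


def demo_protected():
    """gi0/2 with maximum 2 and violation shutdown, as configured in the text."""
    sw = SecuredSwitch(cam_size=8)
    sw.port_security("gi0/2", maximum=2, violation="shutdown")
    sw.receive("gi0/2", "0000.0000.00aa")        # the user's PC
    sw.receive("gi0/2", "0000.0000.00bb")        # the user's IP phone
    accepted = sum(sw.receive("gi0/2", mac) for mac in random_macs(50))
    sw.receive("gi0/1", "0000.0000.0001")
    return sw, accepted, sw.lookup("0000.0000.0001")
```

Changing the violation argument to "restrict" keeps the port up while still logging and counting, and "protect" drops the excess frames with no record at all, which is worth remembering when you later read the show port-security output.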
Configuring STP Security Features
In Chapter 5 you were introduced to an attack aimed at the Spanning Tree Protocol (STP). When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU compared to the one held by the current root bridge, the new switch assumes the position of root bridge.

Since the topology of the switching network depends on the position of the root bridge and the relative position of the other switches to the root bridge, this alters the topology in ways that not only may impact performance but may cause all traffic to traverse the new rogue switch, which will be under the management of the attacker. To prevent this from occurring, you can make use of three features: BPDU Guard, Root Guard, and Loop Guard. Let's look at all three features.

BPDU Guard
The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on the access port. It should be implemented only on access ports, because if implemented on trunks, it would interfere with the normal operation of STP, which depends on these frames for its operation. However, it should be implemented on all access ports. When implemented, it has the effect shown in Figure 6.3. By blocking the superior BPDU sent by the attacker, the STP topology remains unchanged.

FIGURE 6.3 BPDU Guard in action

The implementation of BPDU Guard can be done at the interface level, or it can be done globally, which will implement the feature on all access ports on the switch. Let's implement it first at the interface level. This is done with the following command:

SW71(config)#int gi0/5
SW71(config-if)#spanning-tree bpduguard enable

To enable this feature on all access ports, execute the following command at the global configuration prompt. You must ensure before you run this command that all access ports are configured with PortFast. This feature allows access ports to immediately proceed to the forwarding state without going through the interim port states of STP, as would be done on a trunk port.

The following command will enable both PortFast and BPDU Guard on all access ports:

SW71(config)#spanning-tree portfast bpduguard default

When a violation occurs, the port will be placed in an err-disabled state and will not pass traffic until it is enabled again manually.

Root Guard
Another feature that is designed to prevent a change in the root bridge is Root Guard. This feature is also implemented on access ports. It is implemented on all ports of the root bridge. It prevents the reception of superior BPDUs only, not all BPDUs. Moreover, when a violation occurs, the port is not err-disabled, as is the case with BPDU Guard. Rather, it is placed in an inconsistent state and will recover and return to a normal state when the reception of superior BPDUs ceases. This feature is implemented only at the interface level, as shown here:

SW71(config)#int gi0/5
SW71(config-if)#spanning-tree guard root
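The difference between the two guards is easiest to see side by side, so here is a Python simulation of a switch's reaction to a BPDU that advertises a better root bridge ID than the current root. It is an added example, not code from the book or from Cisco IOS; the bridge IDs, port names and BPDU sequence are constructed, and Root Guard recovery is modeled as happening on the next non-superior BPDU, whereas IOS recovers the port once superior BPDUs stop arriving. On the unguarded switch the rogue BPDU wins the election; BPDU Guard err-disables its port on any BPDU; Root Guard only blocks the superior one and clears the root-inconsistent state afterwards.

```python
"""Simulation of BPDU Guard and Root Guard reacting to a BPDU from a rogue switch.

Added example for this section, not code from the book or from Cisco IOS.
Bridge IDs, port names and the BPDU sequence are constructed. Root Guard
recovery is modeled as happening on the next non-superior BPDU; IOS recovers
the port once superior BPDUs stop arriving.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    priority: int
    mac: str

    def __lt__(self, other):
        # STP elects the lowest bridge ID: priority first, then MAC as the tie-breaker.
        return (self.priority, self.mac) < (other.priority, other.mac)


class StpSwitch:
    def __init__(self, own, root):
        self.own = own
        self.root = root                # root bridge ID currently known to this switch
        self.guard = {}                 # port -> "bpduguard" | "rootguard"
        self.err_disabled = set()       # ports shut by BPDU Guard (manual recovery)
        self.root_inconsistent = set()  # ports blocked by Root Guard (automatic recovery)

    def receive_bpdu(self, port, advertised_root):
        """Process a BPDU that advertises `advertised_root`; returns the resulting action."""
        if port in self.err_disabled:
            return "err-disabled"
        guard = self.guard.get(port)
        if guard == "bpduguard":        # an access port must never see a BPDU at all
            self.err_disabled.add(port)
            return "err-disabled"
        superior = advertised_root < self.root
        if guard == "rootguard":        # only superior BPDUs are blocked
            if superior:
                self.root_inconsistent.add(port)
                return "root-inconsistent"
            self.root_inconsistent.discard(port)
            return "forwarding"
        if superior:                    # unguarded port: the rogue becomes the root bridge
            self.root = advertised_root
            return "new-root"
        return "forwarding"


def demo():
    """Send the same rogue BPDU to an unguarded switch and to a guarded one."""
    current_root = BridgeId(4096, "aaaa.aaaa.0000")
    rogue_root = BridgeId(0, "aaaa.aaaa.0001")     # priority 0 beats the current root
    me = BridgeId(32768, "aaaa.aaaa.0002")
    unguarded = StpSwitch(me, current_root)
    guarded = StpSwitch(me, current_root)
    guarded.guard["gi0/5"] = "bpduguard"           # spanning-tree bpduguard enable
    guarded.guard["gi0/6"] = "rootguard"           # spanning-tree guard root
    actions = (
        unguarded.receive_bpdu("gi0/5", rogue_root),
        guarded.receive_bpdu("gi0/5", rogue_root),
        guarded.receive_bpdu("gi0/6", rogue_root),
        guarded.receive_bpdu("gi0/6", current_root),  # superior BPDUs cease: port recovers
    )
    return unguarded, guarded, actions
```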
Loop Guard
An STP loop can be created when a blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The STP Loop Guard feature provides additional protection against layer 2 forwarding loops (STP loops).

To prevent this anomaly from altering the STP topology, use the Loop Guard feature. This feature makes additional checks if BPDUs are not received on a nondesignated port. With Loop Guard enabled, that port moves into the STP loop-inconsistent blocking state instead of the listening/learning/forwarding state. Without the Loop Guard feature, the port assumes the designated port role, moves to the STP forwarding state, and creates a loop.

To enable Loop Guard, use the following command:

SW77(config)#interface gigabitEthernet 1/1
SW77(config-if)#spanning-tree guard loop

Disabling DTP
In Chapter 5 you learned that a rogue switch added to your network by a malicious individual can alter your STP topology and may even cause the rogue switch to become the root bridge. If Dynamic Trunking Protocol (DTP) is enabled on your switch interfaces and if the interface is set to either dynamic desirable or dynamic auto, it is possible for a rogue switch connected to such a configured interface to become part of the STP topology. By setting the port state of the rogue switch to dynamic desirable, a trunk link will automatically be formed.

To prevent this, disable DTP on all switch interfaces. Set the port state of every interface to either trunk or access, as required. To disable DTP on all ports, use the following command (the range keyword selects all 24 ports at once):

SW71(config)#int range fa0/1-24
SW71(config-if-range)#switchport nonegotiate
Verifying Mitigations
When using the configurations covered in this chapter, it is always a good idea to verify the successful application of each. It is also helpful to know how to check for these configurations when you are unfamiliar with a specific switch. This section will cover these verifications.

DHCP Snooping
To verify the configuration of DHCP snooping, use the show ip dhcp snooping command, as shown here. The output is truncated to show the critical parts.

SW72#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-200
Insertion of option 82 is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/1            yes        unlimited
SW72#

Note the following:
DHCP snooping is globally enabled.
It is operational on VLANs 1–200.
FastEthernet0/1 is the trusted interface.
DAI
To verify the configuration of DAI, use the show ip arp inspection command, as shown here:

Switch73#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active
 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10              0             10             10              0
 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   10              0              0              0                     0
 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0

Note the following:
It is enabled for VLAN 10.
Ten packets have been dropped by DAI.
Port Security
To verify the configuration of port security, use the show port-security command, as shown here:

SW74#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15            5                  0         Restrict
     Fa5/11              5            4                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128

Note the following:
Port security is enabled on the Fa5/1, Fa5/5, and Fa5/11 interfaces.
There have been no violations thus far.
If a violation occurs, the Fa5/1 interface will not forward the offending traffic, will shut down, will send an SNMP trap and syslog message, and will increment the violation counter.
If a violation occurs, the Fa5/5 interface will not forward the offending traffic, will send an SNMP trap and syslog message, and will increment the violation counter, but it will still pass legitimate traffic.
If a violation occurs, the Fa5/11 interface will not forward the offending traffic, will not send an SNMP trap or syslog message, and will not increment the violation counter, but it will still pass legitimate traffic.
STP Features
In this section, you'll learn how to verify the proper application of BPDU Guard, Root Guard, Loop Guard, and DTP.

BPDU Guard
To verify that BPDU Guard has been configured correctly, execute the show spanning-tree summary totals command. Note that PortFast BPDU Guard is enabled globally on this switch.

SW75#show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN                      0         0        0          1          1

Root Guard
To verify that Root Guard has been configured correctly, execute the show spanning-tree interface <int id> detail command. Note that Root Guard is enabled on this port.

SW76#show spanning-tree int fa0/22 detail
Port 24 (FastEthernet0/22) of VLAN0001 is broken (Root Inconsistent)
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 4097, address 000d.bc51.6d00
Designated bridge has priority 24577, address 0018.1820.2700
Designated port id is 128.24, designated path cost 57
Timers: message age 3, forward delay 0, hold 0
Number of transitions to forwarding state: 2
Link type is point-to-point by default
Root guard is enabled on the port
BPDU: sent 502, received 1701
LoopGuardToverifythatLoopGuardhasbeenconfiguredcorrectly,executetheshowspanning-tree
![Page 150: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/150.jpg)
summarycommand.NotethatLoopGuardisenabled.
Router#showspanning-treesummary
Switchisinpvstmode
Rootbridgefor:none
EtherChannelmisconfigguardisenabled
ExtendedsystemIDisdisabled
PortfastDefaultisdisabled
PortFastBPDUGuardDefaultisdisabled
PortfastBPDUFilterDefaultisdisabledLoopguardDefaultis
enabled
UplinkFastisdisabled
BackboneFastisdisabled
Pathcostmethodusedisshort
NameBlockingListeningLearningForwardingSTPActive
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Total00000
DTPToverifythatDynamicTrunkingProtocolhasbeenproperlydisabled,executetheshowinterfacesswitchportcommand,asshownhere:
SW1#showinterfacesfastEthernet0/24switchport
Name:Fa0/24
Switchport:Enabled
AdministrativeMode:staticaccess
OperationalMode:staticaccess
AdministrativeTrunkingEncapsulation:negotiate
OperationalTrunkingEncapsulation:nativeNegotiationofTrunking:Off
Notethefollowing:
DTPnegotiationisdisabled(seethelastline).
Thisisanaccessport.
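Reading these two verification outputs by hand is how the study guide presents them; on a switch estate an operator automates the same reading. The following Python is an added example, not code from the study guide or from Cisco: it parses show port-security and show interfaces switchport output and reports the conditions the text says matter: a port at its MAC limit, a non-zero violation count, a port in protect mode (which raises no trap or syslog message on a violation), and any port whose DTP negotiation is still on. The sample outputs are constructed for the example; the Fa0/24 block copies the one shown above, the Gi0/1 block and the violation on Fa5/11 are invented to exercise the checks.

```python
"""Checks over 'show port-security' and 'show interfaces ... switchport' output.

Added example (not from the study guide). Sample outputs are constructed;
Fa0/24 matches the section's example, Gi0/1 and the Fa5/11 violation are
invented to exercise the findings.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
Fa5/1              11            11                0         Shutdown
Fa5/5              15             5                0         Restrict
Fa5/11              5             4                1         Protect
----------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
"""

SHOW_SWITCHPORT_FA0_24 = """\
Name: Fa0/24
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
"""

# Constructed: a trunk port that still negotiates (switchport nonegotiate missing).
SHOW_SWITCHPORT_GI0_1 = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
"""


@dataclass(frozen=True)
class SecurePort:
    name: str
    max_addr: int
    current: int
    violations: int
    action: str  # "shutdown", "restrict" or "protect"


# One data row of show port-security: name, three counts, violation action.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$", re.I)


def parse_port_security(text: str) -> list[SecurePort]:
    ports = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ports.append(SecurePort(m[1], int(m[2]), int(m[3]), int(m[4]), m[5].lower()))
    return ports


def notifies_on_violation(action: str) -> bool:
    """Per the text: shutdown and restrict send a trap/syslog, protect is silent."""
    return action in ("shutdown", "restrict")


def port_security_findings(ports: list[SecurePort]) -> list[str]:
    findings = []
    for p in ports:
        if p.violations > 0:
            findings.append(f"{p.name}: {p.violations} violation(s) ({p.action})")
        if p.current >= p.max_addr:
            findings.append(f"{p.name}: at MAC limit ({p.current}/{p.max_addr})")
        if not notifies_on_violation(p.action):
            findings.append(f"{p.name}: protect mode sends no trap/syslog on violation")
    return findings


def parse_switchport(text: str) -> dict[str, str]:
    """Turn 'Key: value' lines of show interfaces switchport into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def dtp_findings(fields: dict[str, str]) -> list[str]:
    name = fields.get("Name", "?")
    findings = []
    if fields.get("Negotiation of Trunking", "").lower() != "off":
        findings.append(f"{name}: DTP negotiation still on (switchport nonegotiate)")
    if fields.get("Administrative Mode", "").startswith("dynamic"):
        findings.append(f"{name}: dynamic mode lets the port negotiate a trunk")
    return findings


if __name__ == "__main__":
    for f in port_security_findings(parse_port_security(SHOW_PORT_SECURITY)):
        print(f)
    for block in (SHOW_SWITCHPORT_FA0_24, SHOW_SWITCHPORT_GI0_1):
        for f in dtp_findings(parse_switchport(block)):
            print(f)
```

The Fa5/5 row produces no finding: it has spare addresses, no violations, and restrict mode still alerts. Fa5/11 shows why protect mode is worth flagging even with a zero count: a violation there would never reach the log.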
Summary
In this chapter, you learned to configure DHCP snooping to prevent the introduction of rogue DHCP servers. The chapter also discussed how, when combined with DHCP snooping, DAI can prevent ARP poisoning attacks. You learned how to prevent MAC overflow attacks and how to keep unauthorized devices off switch ports by using port security. Finally, the chapter discussed BPDU Guard, Root Guard, and Loop Guard, all STP features designed to prevent changes to the STP topology.
Exam Essentials
Implement DHCP snooping. Configure and verify DHCP snooping to prevent the issues caused by a rogue DHCP server and to support the application of Dynamic ARP Inspection.
Deploy DAI. Implement Dynamic ARP Inspection to prevent ARP pollution, which can lead to a man-in-the-middle attack.
Configure port security. Prevent MAC overflow attacks and the introduction of unauthorized devices to switch ports by securing the port using the port security feature.
Describe the benefits of STP security features. These features include BPDU Guard, Root Guard, and Loop Guard.
Review Questions
1. Which of the following is true of DHCP snooping?
A. It prevents the introduction of rogue switches.
B. It is implemented on routers.
C. It builds a binding database that maps the MAC addresses of hosts to the IP addresses they received from the legitimate DHCP server.
D. When implementing it, all ports should be untrusted.
2. Which DHCP packet types are dropped on untrusted interfaces protected by DHCP snooping?
A. DHCPACK
B. DHCPOFFER
C. DHCPNACK
D. All of the above
3. Which of the following features must be configured for the operation of DAI?
A. Loop Guard
B. DHCP snooping
C. Root Guard
D. BPDU Guard
4. What is required to enable DAI on an interface with a static IP address?
A. An ACL
B. Loop Guard
C. PortFast
D. Root Guard
5. Which of the following commands causes the switch to drop the offending traffic when a violation occurs but neither shuts down the interface nor sends syslog messages?
A. switchport port-security violation shutdown
B. switchport port-security violation restrict
C. switchport port-security violation deny
D. switchport port-security violation protect
6. Which attack does the switchport port-security maximum 2 command prevent?
A. MAC spoofing
B. CAM overflow
C. Rogue DHCP
D. ARP spoofing
7. Which of the following should be implemented only on access ports?
A. BPDU Guard
B. Root Guard
C. Loop Guard
D. DTP
8. Which type of traffic is prevented on ports where Root Guard is enabled?
A. All traffic
B. All BPDUs
C. Superior BPDUs
D. Inferior BPDUs
9. What state does a port configured with Loop Guard enter when the reception of BPDUs stops?
A. Shutdown
B. Loop-inconsistent
C. Err-disabled
D. Blocking
10. Which feature is disabled with the command switchport nonegotiate?
A. STP
B. DTP
C. VTP
D. CDP
11. In the following configuration, which port will not forward the offending traffic, will not send an SNMP trap or syslog message, and will not increment the violation counter but will still pass legitimate traffic?
SW74#show port-security
Secure Port   MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                 (Count)        (Count)           (Count)
Fa5/1               11             11                 0           Shutdown
Fa5/5               15              5                 0           Restrict
Fa5/11               5              4                 0           Protect
Fa5/12               3              2                 0           Shutdown
----------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
A. Fa5/1
B. Fa5/5
C. Fa5/11
D. Fa5/12
12. Which of the following features prevents the introduction of a rogue switch?
A. BPDU Guard
B. DAI
C. DHCP snooping
D. Loop Guard
13. Which command should be configured on a port where the legitimate DHCP server resides?
A. ip dhcp snooping trust
B. ip dhcp snooping enable
C. ip dhcp snooping
D. ip dhcp snooping untrust
14. What is the purpose of the command ip dhcp snooping database flash:/mysnooper?
A. The switch will retain the database through a reboot.
B. The switch will share the database with directly connected switches.
C. The switch will apply the database to all VLANs.
D. The switch will delete the file during a reboot.
15. What is the default state of a port with respect to DAI?
A. Trusted
B. Untrusted
C. Null
D. Nonegotiate
16. In the following command, what is the name of the ACL?
SW69(config)#ip arp inspection filter StaticIP-VLAN3 vlan 3
A. vlan 3
B. 3
C. StaticIP-VLAN3
D. filter StaticIP
17. Which command enables port security on an interface?
A. switchport port-security
B. switchport port-security maximum 2
C. switchport port-security violation shutdown
D. switchport port-security mac-address sticky
18. Which of the following is not a mitigation to STP attacks?
A. Root Guard
B. BPDU Guard
C. Disabling DTP
D. DAI
19. When a violation occurs on a BPDU Guard–enabled port, in what state is the port placed?
A. Shutdown
B. Port inconsistent
C. Err-disabled
D. Restrict
20. Which ports should have DTP disabled?
A. Access ports
B. Trunk ports
C. Etherchannels
D. All ports
Chapter 7
VLAN Security
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
4.6 VLAN security
Describe the security implications of a PVLAN
Describe the security implications of a native VLAN
VLANs can be used to segment a LAN and can span multiple switches, providing both security and the ability to locate users in the same VLAN in physically dispersed locations. There are security issues with VLANs, as you learned in Chapter 5. This chapter will expand your knowledge of VLAN issues by introducing private VLANs (PVLANs) and the security implications of deploying them. I will also talk about security issues with native VLANs. I'll wrap up the chapter by introducing how to use access lists on switches.
In this chapter, you will learn the following:
Security implications of a PVLAN
Security implications of a native VLAN
Switch ACLs
Native VLANs
In Chapter 5 you learned about double tagging and how an attacker can craft a packet with two 802.1q tags with the inner tag set to the VLAN to which he would like to send traffic. This attack takes advantage of the native VLAN. If the attacker's access port is set to the same VLAN as the native VLAN, this attack becomes possible.
Mitigation
The solution is to set the native VLAN (number 1 by default) to one in which none of the access ports resides. This is done only on the trunk ports. To change the native VLAN of the trunk port gi0/1 to 78, use the following command:
Switch79(config)#int gi0/1
Switch79(config-if)#switchport trunk native vlan 78
After changing the native VLAN from 1 to 78, simply ensure that no access ports are members of VLAN 78.
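To see exactly why moving the native VLAN off the access ports closes the hole, it helps to model the two forwarding rules the attack depends on: an access port removes the tag that matches its own VLAN, and a trunk sends native-VLAN frames untagged, so any second tag the sender placed underneath is what the next switch reads. The Python below is an added example, not code from the study guide: it parses the 802.1Q tag stack of an Ethernet frame and applies those two rules. The frames are constructed byte strings; the MAC addresses and the VLAN numbers 1 and 20 are arbitrary.

```python
"""How a trunk's native VLAN turns a double-tagged frame into a VLAN hop.

Added example (not from the study guide). The frames below are constructed
byte strings with arbitrary addresses.
"""
from __future__ import annotations
import struct

TPID_8021Q = 0x8100

# Constructed frames: broadcast destination, source 0000.aaaa.bbbb, then the
# tag stack, then an IPv4 EtherType and a zero-filled 20-byte payload.
_HDR = bytes.fromhex("ffffffffffff" "0000aaaabbbb")
_TAIL = bytes.fromhex("0800") + b"\x00" * 20
DOUBLE_TAGGED_1_20 = _HDR + bytes.fromhex("81000001" "81000014") + _TAIL  # outer 1, inner 20
SINGLE_TAGGED_20 = _HDR + bytes.fromhex("81000014") + _TAIL
UNTAGGED = _HDR + _TAIL


def parse_vlan_tags(frame: bytes) -> tuple[list[int], int]:
    """Return (VLAN IDs outermost first, EtherType following the last tag)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags: list[int] = []
    offset = 12  # destination + source MAC
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append(tci & 0x0FFF)  # the VLAN ID is the low 12 bits of the TCI
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return tags, ethertype


def is_double_tagged(frame: bytes) -> bool:
    return len(parse_vlan_tags(frame)[0]) >= 2


def vlan_seen_by_far_switch(frame: bytes, access_vlan: int, native_vlan: int) -> int | None:
    """VLAN the second switch assigns to a frame that entered on an access port.

    access_vlan is the VLAN of the access port on the first switch,
    native_vlan is the native VLAN of the trunk between the two switches.
    Returns None when the first switch drops the frame at ingress.
    """
    tags, _ = parse_vlan_tags(frame)
    # Ingress: an access port accepts untagged frames or frames tagged with its
    # own VLAN (that tag is removed); anything else is dropped.
    if tags:
        if tags[0] != access_vlan:
            return None
        tags = tags[1:]
    # Trunk egress: frames in the native VLAN leave untagged, so any tag the
    # sender placed underneath is exposed; other VLANs get a fresh outer tag.
    on_wire = tags if access_vlan == native_vlan else [access_vlan] + tags
    # The far switch classifies by the first tag it sees, else the native VLAN.
    return on_wire[0] if on_wire else native_vlan


if __name__ == "__main__":
    print("native 1 :", vlan_seen_by_far_switch(DOUBLE_TAGGED_1_20, 1, 1))
    print("native 78:", vlan_seen_by_far_switch(DOUBLE_TAGGED_1_20, 1, 78))
```

With the default native VLAN of 1 the far switch places the frame in VLAN 20; after switchport trunk native vlan 78 the same frame leaves the trunk with its outer tag intact and stays in VLAN 1, which is the point of the mitigation.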
PVLANs
When hosts are segregated into VLANs, they are also placed into separate IP subnets. Service providers often find this arrangement to be problematic, especially when there is need for additional security across a VLAN being shared by multiple customers and perhaps by the ISP servers themselves. While a separate VLAN for each customer is an option, it presents the following challenges:
The requirement of a high number of interfaces on service provider devices to support the subnets
The increased management complexity of dividing the network address space and the potential wasting of address space
The management of multiple ACLs to maintain security across the VLANs
A feature that can be a solution in these cases is the implementation of private VLANs. These provide separation within a VLAN at layer 2, while still leaving all members of the original VLAN (called the primary VLAN) in the same subnet. Communication between ports in the primary VLAN is controlled not with ACLs but with the proper assignment of one of three port types.
Promiscuous ports These are ports that can communicate with a port of any other type. Typical candidates for this port assignment are those ports leading to the router or firewall that act as the default gateway for the primary VLAN.
Isolated ports These are ports that only communicate with a promiscuous port. These ports are used to isolate a single host from all other hosts in the primary VLAN. Since these ports can only communicate with promiscuous ports, the only way another host can communicate with an isolated port is through the router, where an ACL might be applied for control.
Community ports These are ports that can communicate with other members of the same community and with promiscuous ports. Therefore, hosts connected to community ports can communicate with other communities and with isolated ports only through the router.
Figure 7.1 shows an example of a primary VLAN that has been divided into PVLANs. In this example, keep in mind that all hosts connected to the switch are in the same primary VLAN and the same IP subnet. Port Ge0/1 is a promiscuous port, while the ports leading to SRV1 and SRV2 are community ports that are members of PVLAN 101. Notice they can communicate with one another and with the default gateway since it is a promiscuous port.
FIGURE 7.1 PVLANs
Also notice that the ports leading to SRV3 and SRV4 are isolated ports that are members of PVLAN 102. Notice that even though SRV3 and SRV4 reside in the same primary VLAN and the same secondary VLAN (102), they cannot communicate with one another because isolated ports can only communicate with the promiscuous port, which in this case is the default gateway.
To set up PVLANs, the steps include the following:
1. Configure the primary VLAN, specifying it as a primary PVLAN.
2. Configure any required secondary PVLANs, specifying the type.
3. Specify each interface as a private VLAN host port and associate it with a private VLAN pair.
The following are the steps to configure VLAN 10 as a primary VLAN, VLAN 201 as an isolated VLAN, and VLANs 202 and 203 as community VLANs; to associate them in a private VLAN; and to verify the configuration:
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#exit
Switch(config)#vlan 201
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#vlan 202
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 203
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan association 201-203
Switch(config-vlan)#end
Switch#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      201       isolated
10      202       community
10      203       community
10      204       non-operational
Notice that the last configuration command, private-vlan association 201-203, executed under the VLAN 10 configuration is what ties the PVLANs to the primary VLAN.
To set a port to its proper type and PVLAN, use these commands:
Switch#configure terminal
Switch(config)#interface gigabitethernet 0/22
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 10 202
Switch(config-if)#end
In the previous configuration, port Gi0/22 was assigned to primary VLAN 10 and PVLAN 202. Since PVLAN 202 was created as a community VLAN, port Gi0/22 will be a community port.
PVLAN Edge
In some cases, you may find there is no reason for any communication between ports connected to the same switch. When that is the case, it may be beneficial to take advantage of another feature called the PVLAN Edge feature. Preventing communications between ports when possible can both prevent attacks such as ARP poisoning attacks and impair the ability of a hacker to move from a compromised host to other hosts.
When a port has been designated as a PVLAN Edge port (called a protected port), it has the following features:
No traffic will be sent from one protected port to another protected port on the same switch. Any data traffic must go through the router first.
Forwarding behavior between a protected port and unprotected ports proceeds as usual.
There is no isolation between protected ports located on different switches.
While PVLAN Edge is only effective between ports on the same switch, it is simpler to configure than PVLANs and can be the solution in certain cases. To specify a port as "protected," use the following command:
Switch(config)#interface fa0/1
Switch(config-if)#switchport protected
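The port-type rules above (promiscuous, isolated, community) and the PVLAN Edge rules (protected ports are isolated from each other only on the same switch) are small enough to encode and check against a topology before touching a switch. The following Python is an added example, not code from the study guide or from Cisco: it implements both rule sets as a reachability function and evaluates it over the Figure 7.1 topology and a two-switch PVLAN Edge scenario. The host and port names come from the figure; the switch names SW1 and SW2 and the Fa0/x port numbers in the Edge scenario are assumptions for the example.

```python
"""Layer-2 reachability model for private VLANs and PVLAN Edge.

Added example (not from the study guide). Figure 7.1 names are the text's;
switch names and the PVLAN Edge port numbers are assumed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    switch: str
    kind: str                      # "promiscuous", "isolated", "community" or "normal"
    secondary: int | None = None   # secondary PVLAN ID for isolated/community ports
    protected: bool = False        # switchport protected (PVLAN Edge)


def pvlan_allows(a: Port, b: Port) -> bool:
    """Direct layer-2 forwarding between two ports of the same primary VLAN."""
    if a.kind == "promiscuous" or b.kind == "promiscuous":
        return True                        # promiscuous talks to every type
    if a.kind == "isolated" or b.kind == "isolated":
        return False                       # isolated reaches promiscuous only
    if a.kind == "community" and b.kind == "community":
        return a.secondary == b.secondary  # same community only
    return True                            # ordinary ports, no PVLAN in play


def can_forward(a: Port, b: Port) -> bool:
    """Combine the PVLAN port-type rule with the PVLAN Edge rule."""
    if a is b:
        return False
    # PVLAN Edge: protected ports are isolated from each other on one switch,
    # but not across switches.
    if a.protected and b.protected and a.switch == b.switch:
        return False
    return pvlan_allows(a, b)


def reachability(ports: list[Port]) -> dict[tuple[str, str], bool]:
    return {(a.name, b.name): can_forward(a, b) for a in ports for b in ports if a is not b}


# Figure 7.1: Ge0/1 is the promiscuous gateway port, SRV1/SRV2 are community
# ports in PVLAN 101, SRV3/SRV4 are isolated ports in PVLAN 102.
FIG_7_1 = [
    Port("Ge0/1", "SW1", "promiscuous"),
    Port("SRV1", "SW1", "community", 101),
    Port("SRV2", "SW1", "community", 101),
    Port("SRV3", "SW1", "isolated", 102),
    Port("SRV4", "SW1", "isolated", 102),
]

# PVLAN Edge scenario (assumed): two protected ports and one unprotected port
# on SW1, plus a protected port on a second switch SW2.
EDGE = [
    Port("SW1-Fa0/1", "SW1", "normal", protected=True),
    Port("SW1-Fa0/2", "SW1", "normal", protected=True),
    Port("SW1-Fa0/3", "SW1", "normal"),
    Port("SW2-Fa0/1", "SW2", "normal", protected=True),
]

if __name__ == "__main__":
    for (src, dst), ok in reachability(FIG_7_1).items():
        print(f"{src:>6} -> {dst:<6} {'allowed' if ok else 'blocked'}")
```

Running the matrix reproduces the text's observations: SRV1 and SRV2 reach each other and the gateway, SRV3 and SRV4 reach only the gateway, and a community host reaches an isolated host only via the router, which the model reports as blocked at layer 2.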
PVLAN Proxy Attack
As with many features, malicious individuals have figured out a way to attack PVLAN configurations. In a PVLAN proxy attack, an attacker sends a packet (using the promiscuous port) with the source IP and MAC address of the attacker, a destination IP address of the target, and the MAC address of the router. When the router receives the packet, the router rewrites the destination MAC address to that of the target and sends the packet to the target. It is the presence of the MAC address of the router in the packet, rather than that of the target, that causes this to be possible. The packet then appears to come from the router, which is allowed since the router is on a promiscuous port. Since the router is being used as the source MAC, the router is considered a "proxy." Figure 7.2 shows the attack.
FIGURE 7.2 PVLAN proxy attack
Mitigation
To prevent PVLAN proxy attacks, implement ACLs on the router interface that deny traffic from the local subnet to the local subnet. An example of such an access list, applied to the router interface, would solve the issue shown in Figure 7.2.
Router(config)#access-list 101 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)#access-list 101 permit ip any any
Router(config)#int fa0/1
Router(config-if)#ip access-group 101 in
ACLs on Switches
Access lists can be applied not only to router interfaces but can also be used on layer 2 interfaces on switches. When used on switches, there are three types of access lists that can be used.
Port access lists (PACLs) These are applied to layer 2 interfaces either on a layer 2 switch or on a multilayer switch. When applied to a layer 2 interface on a multilayer switch, they can be applied only inbound. These lists can be either IP ACLs or MAC ACLs.
VLAN access lists (VACLs) These use maps to control traffic on a VLAN. They can be applied either to traffic routed into or out of a VLAN or to all traffic bridged within a VLAN.
Router ACLs Used to control traffic between VLANs, router ACLs can be applied either to a router interface or to a switched virtual interface (SVI) on a multilayer switch.
First let's look at configuring port ACLs.
Port ACLs
Port ACLs can be applied either as IP access lists or as MAC access lists. The procedure to create and apply both types is as follows:
Switch(config)#ip access-list extended simple-ip-acl
Switch(config-ext-nacl)#permit ip host 10.0.0.1 any
Switch(config-ext-nacl)#exit
Switch(config)#int gi0/22
Switch(config-if)#ip access-group simple-ip-acl in
Switch(config-if)#exit
Switch(config)#mac access-list extended simple-mac-acl
Switch(config-ext-macl)#permit host 0000.aaaa.bbbb any
Switch(config-ext-macl)#exit
Switch(config)#int gi0/22
Switch(config-if)#mac access-group simple-mac-acl in
VLAN ACLs
VLAN access lists apply to all traffic in a VLAN and are not configured with a direction. These access lists use maps to define both the traffic in question and the action to be taken. The maps can reference other access lists when specifying these values. From a high level, the steps to set up a VACL are as follows:
1. Create an ACL that defines the specified traffic type.
2. Create a map that references the access list and specifies an action.
3. Apply the access map to the appropriate VLAN.
Here is the creation of an access list defining the traffic as HTTPS (port 443):
Switch(config)#ip access-list extended permit_HTTPS
Switch(config-ext-nacl)#permit tcp any any eq 443
The next step is to create the map referencing the ACL and specifying an action:
Switch(config)#vlan access-map Allow_HTTPS
Switch(config-access-map)#match ip address permit_HTTPS
Switch(config-access-map)#action forward
Finally, here is the command to apply the access map to a VLAN, in this case VLAN 403:
Switch(config)#vlan filter Allow_HTTPS vlan-list 403
Note that you use a VLAN list to specify the VLANs to which the map applies, even when the list consists of only one VLAN.
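The three access lists in this chapter (ACL 101 in the PVLAN proxy mitigation, simple-ip-acl on the port, and permit_HTTPS behind the VACL) all use the same wildcard-mask syntax, and the easiest way to convince yourself which packets each one catches is to evaluate them. The following Python is an added example, not code from the study guide or from Cisco: it parses extended IP ACL entries in that syntax and evaluates constructed packets against them, including the implicit deny at the end of every ACL. The sample addresses (attacker 172.16.1.10, target 172.16.1.20, remote host 10.0.0.5, and the 192.0.2.x/198.51.100.x documentation addresses) are constructed for the example.

```python
"""Evaluator for Cisco-style extended IP access lists.

Added example (not from the study guide or Cisco). Sample packets use
constructed addresses.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"       # "ip", "tcp" or "udp"
    dport: int | None = None


@dataclass(frozen=True)
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol
    src: tuple[int, int]    # (address, wildcard) as 32-bit integers
    dst: tuple[int, int]
    dport: int | None       # from "eq <port>", else None


def _parse_addr(tokens: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(lines: list[str]) -> list[Entry]:
    """Parse entries of the form 'permit|deny <proto> <src> <dst> [eq <port>]'."""
    entries = []
    for line in lines:
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def _matches(addr_wild: tuple[int, int], ip: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    addr, wild = addr_wild
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(acl: list[Entry], pkt: Packet) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_matches(e.src, pkt.src) and _matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# ACL 101 from the PVLAN proxy mitigation (applied inbound on the router).
ACL_101 = parse_acl([
    "deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255",
    "permit ip any any",
])

# simple-ip-acl from the port ACL example.
SIMPLE_IP_ACL = parse_acl(["permit ip host 10.0.0.1 any"])

# permit_HTTPS from the VACL example: only TCP/443 matches.
PERMIT_HTTPS = parse_acl(["permit tcp any any eq 443"])

if __name__ == "__main__":
    print("proxy attempt:", evaluate(ACL_101, Packet("172.16.1.10", "172.16.1.20")))
    print("to remote   :", evaluate(ACL_101, Packet("172.16.1.10", "10.0.0.5")))
```

Two things the evaluation makes visible: ACL 101 blocks the attacker's same-subnet packet at the router while leaving routed traffic alone, and because every ACL ends in an implicit deny, the permit_HTTPS list on its own matches nothing but HTTPS, so a VACL that uses it with action forward and no further entries leaves only HTTPS flowing in VLAN 403.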
Summary
In this chapter, you learned about preventing VLAN hopping attacks that take advantage of the native VLAN. You also looked at how to break up a VLAN into private VLANs. You learned that configuring PVLANs is a matter of setting ports as promiscuous, community, and isolated.
The chapter discussed the PVLAN Edge feature as another way of providing isolation between switch ports. Finally, you learned how to use ACLs to prevent a PVLAN proxy attack.
Exam Essentials
Mitigate native VLAN security issues. Prevent VLAN hopping attacks that use double tagging by setting the native VLAN number to one in which none of the access ports reside.
Describe the benefits of PVLANs. These include the ability to segregate within a primary VLAN, while saving IP address space, decreasing management complexity, and reducing the need for multiple ACLs to maintain security across the VLANs.
Identify the port types used in PVLANs. These include promiscuous, community, and isolated ports. They allow for grouping devices within a VLAN (community), for isolating devices within a VLAN (isolated), and for providing access to all devices back to the router (promiscuous).
Explain the functionality of the PVLAN Edge feature. This feature is used to provide isolation between protected ports located on the same switch.
Mitigate a PVLAN proxy attack. To prevent PVLAN proxy attacks, implement ACLs on the router interface that deny traffic from the local subnet to the local subnet.
Review Questions
1. Which of the following attacks takes advantage of the native VLAN?
A. Double tagging
B. ARP poisoning
C. Buffer overflow
D. PVLAN proxy
2. How should the native VLAN be configured to thwart a double tagging attack?
A. It should be disabled.
B. It should be the same VLAN number where hosts reside.
C. It should be the same as the management VLAN.
D. It should be set to a VLAN number in which none of the access ports reside.
3. Which of the following is not true about service providers providing a separate VLAN per customer?
A. It requires a high number of interfaces on service provider devices to support the subnets.
B. It increases management complexity of dividing the network address space and the potential wasting of address space.
C. Multiple ACLs must be managed to maintain security across the VLANs.
D. It decreases security.
4. What feature allows for providing layer 2 separation within a VLAN?
A. PVLANs
B. Loop Guard
C. DAI
D. Root Guard
5. Which of the following commands changes the native VLAN from 1 to 78?
A. switchport trunk native vlan 78
B. switchport native vlan 78
C. switchport native vlan trunk 78
D. switchport vlan 78
6. Which type of PVLAN port can communicate with a port of any other type?
A. Promiscuous
B. Isolated
C. Community
D. Private
7. Which of the following is not a step in setting up PVLANs?
A. Configuring the primary VLAN, specifying it as a primary PVLAN
B. Specifying each interface as a private VLAN host port and associating it with a private VLAN pair
C. Configuring any required secondary PVLANs, specifying the type
D. Setting the native VLAN number to one in which none of the access ports resides
8. Which of the following commands configures the primary PVLAN?
A. primary-vlan primary
B. private-vlan private
C. private-vlan primary
D. vlan primary
9. To what port state should the default gateway port be set?
A. Promiscuous
B. Isolated
C. Community
D. Private
10. Which command associates two private VLANs with the primary VLAN?
A. vlan association 501-503
B. private-vlan 501-503
C. private-vlan association 501-503
D. private-vlan 501-503 associate
11. Which command sets a port as a PVLAN port?
A. switchport mode private-vlan host
B. switchport private-vlan host-association 10 202
C. switchport host-association 10 202
D. switchport mode host-association 10 202
12. Which of the following commands assigns a PVLAN port to its PVLAN?
A. switchport mode private-vlan host
B. switchport private-vlan host-association 10 202
C. switchport host-association 10 202
D. switchport mode host-association 10 202
13. Which type of attack can be prevented by the PVLAN Edge feature?
A. Double tagging
B. ARP poisoning
C. Buffer overflow
D. PVLAN proxy
14. What is the purpose of the following set of commands?
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan association 501
A. Ties the PVLAN 10 to the primary VLAN 501
B. Ties the PVLAN 501 to the PVLAN 10
C. Ties PVLAN 501 to the primary VLAN 10
D. Ties the PVLAN 10 to the secondary VLAN 501
15. What statement is false about the PVLAN Edge feature?
A. No traffic will be sent from one protected port to another protected port on the same switch.
B. Forwarding behavior between a protected port and unprotected ports proceeds as usual.
C. There is no isolation between protected ports located on different switches.
D. Forwarding between a protected port and unprotected ports is not permitted.
16. What is a port protected by the PVLAN Edge feature called?
A. Isolated
B. Protected
C. Hidden
D. Promiscuous
17. Which command specifies a port as PVLAN Edge?
A. switchport protected
B. switchport edge
C. switchport security edge
D. switchport protected edge
18. Which of the following describes a packet sent by an attacker attempting the PVLAN proxy attack?
A. It contains a source IP and MAC address of the attacker, a destination IP address of the target, and a destination MAC address of the router.
B. It contains a source MAC address of the attacker and source IP address of the target, a destination IP address of the target, and the IP address and MAC address of the router.
C. It contains a source IP address of the attacker and source MAC address of the target, a destination IP address of the target, and the MAC address of the router.
D. It contains a source IP and MAC address of the attacker, a destination IP address of the target, and the MAC address of the router.
19. In a PVLAN proxy attack, which device is acting as the proxy?
A. The target
B. The attacker
C. The router
D. The switch
20. How are VLAN proxy attacks prevented?
A. Implement ACLs on the router interface that allow traffic from the local subnet to the local subnet
B. Implement ACLs on the router interface that deny traffic from remote subnets to the local subnet
C. Implement ACLs on the router interface that deny traffic from the local subnet to remote subnets
D. Implement ACLs on the router interface that deny traffic from the local subnet to the local subnet
Chapter 8
Securing Management Traffic
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
2.1 Secure management
Compare in-band and out-of-band
Configure secure network management
Configure and verify secure access through SNMPv3 using an ACL
Configure and verify security for NTP
Use SCP for file transfer
Controlling access to the management interface of a router or switch is critical to ensuring that there is no unauthorized access that can introduce malicious changes to the configuration of the device. Moreover, when network management and time synchronization protocols such as SNMP and NTP are in use, access to this information must be secured. Finally, as a technician, you should use secure protocols when performing file transfers. This chapter will cover all of these secure management topics.
In this chapter, you will learn the following:
Comparing in-band and out-of-band
Configuring secure network management
Configuring and verifying secure access through SNMPv3 using an ACL
Configuring and verifying security for NTP
Using SCP for file transfer
In-Band and Out-of-Band Management
Many options are available to connect to a Cisco device for managing the device. Methods can be classified as either in-band or out-of-band. An in-band connection is one that uses the network as its transmission medium. In-band connection types include SNMP, virtual terminal (VTY), and HTTPS connections. Out-of-band connections include the console port and the AUX port, both physical connections that do not use the network as the transmission medium. It is good practice to have both in-band and out-of-band methods available for redundancy.
AUX Port
The AUX port comprises a direct serial connection to the device and is considered an out-of-band method of managing the device. One option is to connect a modem to the AUX port and dial into the modem when access to the CLI is required and when network access is not available. To set up the AUX port for this and to also set a password for the AUX port, you need to know the line number used by the AUX port. This can be determined with the show line command, as shown here:
R1#show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      0       0     0/0       -
    65 AUX   9600/9600  -    -      -    -    -      0       1     0/0       -
    66 VTY              -    -      -    -    -      0       0     0/0       -
    67 VTY              -    -      -    -    -      0       0     0/0       -
In the previous output, the AUX port is using line 65, which you will need to reference in the following set of commands, which set the AUX port to use a modem with a speed of 115200. The commands also set the flow control to hardware and set the password to cisco. Don't forget the login command, which is the command that specifies asking for a password at connection time!
R1#conf t
R1(config)#line 65
R1(config-line)#modem inout
R1(config-line)#speed 115200
R1(config-line)#transport input all
R1(config-line)#flowcontrol hardware
R1(config-line)#login
R1(config-line)#password cisco
R1(config-line)#end
VTY Ports
The virtual terminal (VTY) ports are considered an in-band method as these connections use the network as the transmission medium. These ports can use several protocols, among them Telnet and SSH. While you will learn later in the chapter to configure the secure alternative to clear-text Telnet, here I will cover securing the lines with passwords and adding physical redundancy to the connections by setting a loopback address. When a loopback address is configured and used as the management IP address, any physical interface on the device can accept the connection attempt if the loopback address is included in dynamic routing advertisements or advertised via a static route. When management access is tied to a physical IP address, the device will be unreachable when that physical interface is down.
To configure a loopback address for management, use the following commands:
R1(config)#int loopback 0
R1(config-if)#ip address 192.168.5.5 255.255.255.0
R1(config-if)#no shut
To include the IP address in EIGRP or OSPF routing advertisements, use the following commands. This will ensure that you can reach this address from a remote network.
R1(config)#router eigrp 10
R1(config-router)#network 192.168.5.0 0.255.255.255
R1(config)#router ospf 1
R1(config-router)#network 192.168.5.0 0.255.255.255 area 0
Before setting a password on the VTY lines, you should determine how many of these lines exist on the device (which varies) so that you secure them all. Use this command to learn the number of VTY lines:
R1(config)#line vty ?
  <0-15>  First Line number
Now you know there are 16 lines on this device, so refer to 16 lines when you execute any command designed to apply to all VTY lines. To set a password on the VTY lines, use the following set of commands:
R1(config)#line vty 0 15
R1(config-line)#password cisco
R1(config-line)#login
HTTPS Connection
Many Cisco devices offer the option of managing the device from a GUI interface. This would be considered an in-band connection as it uses the network. While the initial configuration must be completed at the CLI, once an interface has been assigned an IP address and is functional and the HTTP or HTTPS server has been enabled, these devices can be managed using this interface. While the HTTP server is certainly functional, when managing the device, you should always use a secure connection as provided with HTTPS.
Later in this chapter, you will learn how to configure HTTPS.
SNMP
Another option for configuration management is SNMP. As with other methods that use the network as a transmission medium, it is also considered an in-band method. SNMP stores the settings in a MIB. This is a repository with a hierarchical structure with standardized locations for each piece of configuration or status information. These locations and their associated data are called OIDs. The OID number describes the path through the tree-like structure where the specific piece of information is located. Figure 8.1 shows a portion of the MIB. An example of an OID would be 1.3.6.1.2.1.1.5 (system name), which would be one of the subsections of sysDescr (1.3.6.2.1.1).
FIGURE 8.1 Partial MIB
Notice also that there is a private branch in the tree where vendors can include settings and status information that might be unique to their products. Therefore, the path to Cisco-specific data is 1.3.6.1.4.1.9. Access to information stored by an individual device is done using get or set commands, while referencing the OID. get commands retrieve information, while set commands make configuration changes to OIDs that can be changed. SNMP also allows for the creation of traps on devices, which can trigger a message to the management station when a threshold is met or an event occurs. In SNMP version 2, these trap messages are called informs.
SNMP has undergone three version changes over the years. Versions 1 and 2 used the knowledge of a community string as the access control mechanism to the MIBs of the devices. As this is quite a flimsy security system, version 3 adopted a user-based security model that provides for authentication, integrity hashing, and encryption of transmissions. These functions can be configured using three modes that represent various combinations of these capabilities.
noAuthNoPriv: No hashing to secure authentication or encryption of data (referenced as noauth in the command)
AuthNoPriv: Hashing to secure authentication but no encryption of data (referenced as auth in the command)
AuthPriv: Hashing to secure authentication and encryption of data (referenced as priv in the command)
Later in this chapter, you will learn how to configure SNMPv3.
Console Port
The console port also comprises a serial connection that is considered an out-of-band connection. Access control can be applied to this interface by using the line console 0 command. For example, here I have applied a password in this single line and by using the login command have specified that the password is required:
R83(config)#line console 0
R83(config-line)#password cisco
R83(config-line)#login
SecuringNetworkManagementRegardlessoftheinterfacewithwhichyoumanageaCiscodevice,youshouldensurethatthemethodusedissecure.Inthissection,you’lllookatsecuringVTYportsandHTTPconnectionsandusingACLsasafurtherlineofdefenseinprotectingthesecriticalmanagementinterfaces.Finally,I’lldiscussbannermessagesandtheroletheycanplayinsecuringmanagementinterfaces.
SSHWhenaccessingadeviceusingtheVTYports,youshouldalwaysconfigureanduseSSHratherthanTelnetfortheconnection.FormoreinformationonconfiguringSSH,seeChapter4.
HTTPSTodisabletheHTTPserverandenabletheHTTPSserver,executethefollowingcommands:
R81(config)#noiphttpserver
R81(config)#iphttpssecure-server
R81(config)#copyrunstart
Oncethesecommandsareexecuted,thedevicewillgenerateanRSAkeyandwillusethekeytoencryptalltransmissions.
ACLs An additional layer of security that can be applied to any management interface is the application of ACLs. After the ACL has been created, it can be applied to the VTY, HTTPS, and SNMPv3 processes. For example, consider the following standard access list, which permits only source addresses in the 192.168.5.0/24 network (presumably one that contains only management stations). Every other source falls through to the implicit deny at the end of the list.
R84(config)# access-list 99 permit 192.168.5.0 0.0.0.255
This ACL can be applied to each of these management interfaces as follows:
SSH
R84(config)# line vty 0 15
R84(config-line)# access-class 99 in
HTTPS
R84(config)# ip http access-class 99
SNMPv3 To apply ACL 99 at the group level, use this command, which refers to the group test-group using the priv security policy with write access to a view called write-view:
R84(config)# snmp-server group test-group v3 priv write write-view access 99
To apply ACL 99 at the user level, use the following command, which creates a user named nms-user who is a member of the group nms-group. The auth keyword introduces the authentication settings (SHA hashing with a shared secret of auth-pass), and the priv keyword introduces the encryption settings (128-bit AES with a shared secret of priv-pass); the security policy actually enforced for this user is the one configured on the group. The access 99 at the end of the command is the reference to controlling access with ACL 99.
R84(config)# snmp-server user nms-user nms-group v3 auth sha auth-pass priv aes 128 priv-pass access 99
Banner Messages While banner messages will never prevent unauthorized access to a device, they should be implemented to provide legal notice to unauthorized individuals that they are breaking the law when attempting to achieve unauthorized access. While the specific wording required for this varies from jurisdiction to jurisdiction, there are some general guidelines regarding this wording.
Use of words such as Welcome may be used later as a defense that access was encouraged.
If you plan to use AAA accounting records in any subsequent legal proceeding, you must inform intruders they are being audited.
You should always state the owner of the system so there will be no later defense that the intruder was unaware of the system owner.
To prevent any future defense that permission was implied, always state "authorized access only."
There are three types of banner message, and they differ in when they are displayed. Let's look at configuring each type and discuss when they will appear. The messages used do not constitute any recommendations as to wording.
Message of the Day (MOTD) A message of the day (MOTD) appears at connection time and before the login banner (if configured). It may be used to communicate scheduled maintenance windows or other general information. To create a message that says "We will be down for 2 hours at 12 p.m.," use the following command. The message can be surrounded with any delimiting character (in this case ') as long as that character does not appear in the message.
R85(config)# banner motd '
Enter TEXT message.  End with the character '''.
We will be down for 2 hours at 12 PM.'
EXEC Banner This banner appears after successful authentication but before the first command prompt appears. To configure the EXEC banner to say "This is your last chance to leave if you are unauthorized," use this command:
R85(config)# banner exec '
Enter TEXT message.  End with the character '''.
This is your last chance to leave if you are unauthorized.'
Login Banner This banner appears after the MOTD banner (if configured), before the login prompt, and therefore before the EXEC banner (if configured). To configure the login banner to say "This is your first chance to leave if you are unauthorized," use this command:
R85(config)# banner login '
Enter TEXT message.  End with the character '''.
This is your first chance to leave if you are unauthorized.'
Verification To check your work, let's connect from R86 using Telnet and see what you get. (Telnet is used here only because it shows the banner sequence on a lab device; on a production device the VTY lines should accept only SSH.)
R86# telnet 10.10.10.10
Trying 10.10.10.10 ... Open
We will be down for 2 hours at 12 PM
This is your first chance to leave if you are unauthorized
Username: Admin
Password: <hidden>
This is your last chance to leave if you are unauthorized
As you can see, you received the messages as configured in the order you expected: MOTD, then login, then EXEC after a successful login.
Securing Access through SNMPv3 Configuring SNMPv3 starts with the SNMP engine ID. Every SNMP engine (the router as well as each management station) has one. It is a string of up to 24 hex characters (12 bytes); a default is derived from Cisco's enterprise number and the device's MAC address, and if you enter fewer than 24 characters IOS pads the value with trailing zeros. The engine ID matters because SNMPv3 user keys are localized to it: the same password produces a different key on every engine, so changing the local engine ID after users have been created invalidates their keys, and the users must be re-created. When inform messages are sent to a station, it is the engine ID of that station that identifies it, and the router must be told that value (snmp-server engineID remote) before it can build the keys used for that station. Setting the router's own engine ID is done as follows:
R82(config)# snmp-server engineID local 000010000203
Once the engine ID has been defined, the high-level steps to control access to SNMP are as follows:
1. Define an SNMP group and specify the cryptographic policy to be used by the group. In this same command, you can assign an MIB view.
2. Define SNMP users and assign them a user group, a view, an authentication hashing algorithm and shared secret, and, when used, an encryption algorithm.
3. Define SNMP views, each of which will control the information that can be accessed by users who have been assigned the view.
4. Define the SNMP host that will be the recipient of traps. You will also specify in the same command the user account (and the algorithms and keys associated with that account) under whose security context the traps will be sent.
First let's define an SNMP group named snmp-group, specify version 3, and set it to use the priv security policy and to have read-only access to the view named read-view (to be created in a later step).
R82(config)# snmp-server group snmp-group v3 priv read read-view
Next let's define an SNMP user named read-user, assign the user to the group snmp-group, set the version as version 3, configure SHA as the authentication algorithm using a shared key of troy-key, and configure 128-bit AES as the encryption algorithm using mac-key as the shared key for AES.
R82(config)# snmp-server user read-user snmp-group v3 auth sha troy-key priv aes 128 mac-key
Now let's define the view that you referenced in the command creating the group. The view includes the OID subtree 1.3.6.1.2.1 (mib-2) and everything below it; it is the read keyword on the group, not the view, that limits access to read-only.
R82(config)# snmp-server view read-view 1.3.6.1.2.1 included
Finally, let's set the IP address of the management station to which any traps should be sent, along with the version number, the priv security policy, and a user account named test-user under whose security context the traps will be sent. This is an account you did not create in this example; on a real device the user named here must exist and belong to a group whose security policy matches, or the traps will not be sent.
R82(config)# snmp-server host 10.10.10.10 version 3 priv test-user
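To see why the engine ID matters (and why changing it invalidates existing SNMPv3 users), here is the RFC 3414 key-localization computation that both the router and the management station perform for a user such as read-user. This is an added example in Python, not code from the study guide or from Cisco IOS; the password and engine ID are the chapter's sample values, and the zero-padding rule for short engine IDs is modeled on the documented IOS behavior rather than taken from IOS itself.

```python
"""SNMPv3 USM key localization (RFC 3414, Appendix A.2).

Added example: the same password yields a different localized key on every
SNMP engine, which is why `snmp-server engineID local` must be set before
users are created and why a manager must learn the agent's engine ID first.
"""
import hashlib

ONE_MIB = 1048576  # RFC 3414 hashes exactly 1,048,576 bytes of the repeated password


def password_to_ku(password: str, hash_name: str = "sha1") -> bytes:
    """Step 1: expand the password cyclically to 1 MiB and hash it, giving Ku."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def ios_engine_id(hex_string: str) -> bytes:
    """Model of the IOS rule that `snmp-server engineID local` takes up to 24 hex
    characters (12 bytes) and pads shorter values with trailing zeros.
    (Assumption: modeled on the documented behavior, not taken from IOS.)"""
    if len(hex_string) > 24:
        raise ValueError("engine ID is at most 24 hex characters")
    return bytes.fromhex(hex_string.ljust(24, "0"))


def localized_key(password: str, engine_hex: str, hash_name: str = "sha1") -> bytes:
    """The key the router actually stores for a user created with `auth sha <password>`."""
    ku = password_to_ku(password, hash_name)
    return localize_key(ku, ios_engine_id(engine_hex), hash_name)


if __name__ == "__main__":
    # The chapter's engine ID, then the same password after a one-digit change.
    before = localized_key("troy-key", "000010000203")
    after = localized_key("troy-key", "000010000204")
    print("engine 000010000203 ->", before.hex())
    print("engine 000010000204 ->", after.hex())
    print("keys differ:", before != after)  # True: the old user's key is now useless
```

The RFC's own test vectors (password maplesyrup, engine ID 00...02) reproduce with these functions, which is a quick way to confirm that a third-party manager localizes keys the same way the router does before you spend time debugging an "authentication failure" that is really an engine ID mismatch.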
Securing NTP Synchronization of time among infrastructure devices has become more and more critical to the proper operation of networks. Digital certificates have explicit validity periods, certain Windows operations (Kerberos authentication, for example) require strict time synchronization, and analysis of integrated log files becomes a nightmare when the devices from which the log files come have not been synchronized. Moreover, some compliance standards call for strict time synchronization.
While the need to use NTP is without question, network attacks leveraging NTP have appeared that now require you to secure its operation. An attacker who can spoof or impersonate your NTP server can shift a device's clock, which can invalidate certificates, break Kerberos, and corrupt the timestamps in your logs. These attacks can be prevented by configuring NTP authentication. This involves setting a shared secret between the NTP clients and the NTP server that is used to compute a keyed hash over the update sent to the client. The client performs the same hash calculation over the update using the same shared key and compares the results. A match serves as assurance that the update came from the legitimate NTP server and was not altered in transit. It is important to note that this does not encrypt the update; it only verifies its origin and integrity. Figure 8.2 shows the process.
FIGURE 8.2 NTP authentication process
To configure NTP authentication, the high-level steps (to be performed on both server and client) are as follows:
1. Configure an NTP authentication key number and MD5 string (shared secret).
2. Specify at least one trusted key number referencing the key number in step 1.
3. Enable NTP authentication.
For the first step, let's configure an NTP key numbered 87 with an associated MD5 string (the shared secret) of mykey on two routers.
R88(config)# ntp authentication-key 87 md5 mykey
R89(config)# ntp authentication-key 87 md5 mykey
Now let's specify that key number 87 and its associated MD5 string are trusted for NTP authentication.
R88(config)# ntp trusted-key 87
R89(config)# ntp trusted-key 87
Finally, all you need do is enable NTP authentication.
R88(config)# ntp authenticate
R89(config)# ntp authenticate
On the client, the ntp server command that points at the time source must also name the key (for example, ntp server 10.10.10.1 key 87); without it the client sends unauthenticated requests, and with ntp authenticate enabled it will not accept the unauthenticated replies. Also note that the key string is a shared secret, so treat it like a password: a word such as mykey is fine for a lab, not for production.
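The three IOS steps above map directly onto the check a receiving router performs, and the following added example models it in Python (it is not code from the study guide or from IOS). It follows the NTP symmetric-key scheme from RFC 5905 Appendix A: the sender appends the key ID and an MD5 digest over the shared secret and the 48-byte NTP header, and the receiver recomputes the digest with the key it holds for that ID. The packets, the secrets and the key IDs are all constructed for the example.

```python
"""NTP symmetric-key (MD5) authentication, as used by `ntp authentication-key ... md5`.

Added example modeled on RFC 5905 Appendix A: MAC = key ID || MD5(secret || header).
The IOS commands map onto the NtpPeer fields below; all values are constructed.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # key identifier + MD5 digest


def build_ntp_header(stratum: int, transmit_ts: int) -> bytes:
    """A 48-byte NTPv4 server reply (mode 4) with constructed field values."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4  # LI=0, version 4, mode 4 (server)
    poll, precision = 6, -20
    root_delay = root_dispersion = 0
    reference_id = b"GPS\x00"
    ref_ts = orig_ts = recv_ts = 0
    return struct.pack("!BBBbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_dispersion, reference_id,
                       ref_ts, orig_ts, recv_ts, transmit_ts)


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """The keyed digest NTP defines: MD5 over secret || header (not an HMAC)."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """What the server sends: header || key ID || MAC."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


class NtpPeer:
    """Authentication state of one router, one field per IOS command."""

    def __init__(self):
        self.keys = {}             # ntp authentication-key <id> md5 <secret>
        self.trusted = set()       # ntp trusted-key <id>
        self.authenticate = False  # ntp authenticate

    def accept(self, packet: bytes) -> bool:
        """What the client does with a received update."""
        header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
        if len(trailer) != MAC_LEN:
            # Unauthenticated update: usable only while authentication is off.
            return not self.authenticate
        key_id = struct.unpack("!I", trailer[:4])[0]
        if key_id not in self.keys or key_id not in self.trusted:
            return False  # unknown key, or known but never marked trusted
        return hmac.compare_digest(ntp_mac(self.keys[key_id], header), trailer[4:])


def scenarios() -> dict:
    """Run the cases a practitioner cares about; True means the update is accepted."""
    secret = b"mykey"
    client = NtpPeer()
    client.keys[87] = secret            # ntp authentication-key 87 md5 mykey
    client.keys[88] = b"otherkey"       # a second key that is configured ...
    client.trusted.add(87)              # ntp trusted-key 87 (... but 88 is never trusted)
    client.authenticate = True          # ntp authenticate

    header = build_ntp_header(stratum=2, transmit_ts=0xE9D2B1A012345678)
    genuine = sign(header, 87, secret)
    tampered = bytearray(genuine)
    tampered[40] ^= 0x01                # flip one bit inside the transmit timestamp
    forged = sign(header, 87, b"guess")  # attacker who does not know the secret
    untrusted = sign(header, 88, b"otherkey")

    no_auth_client = NtpPeer()          # the same router before `ntp authenticate`
    return {
        "genuine": client.accept(genuine),
        "tampered": client.accept(bytes(tampered)),
        "forged_key": client.accept(forged),
        "untrusted_key_id": client.accept(untrusted),
        "plain_update_auth_on": client.accept(header),
        "plain_update_auth_off": no_auth_client.accept(header),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:>22}: {'accepted' if ok else 'rejected'}")
```

The untrusted_key_id case is the one that trips people up: the key is configured and the digest is correct, but without ntp trusted-key the router still rejects the update, which is why step 2 exists. Note also that the digest is a plain MD5 over secret || message rather than an HMAC, so the secret should be a long random string rather than a word.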
Using SCP for File Transfer While FTP and TFTP can be used to transfer configurations and IOS images across the network, these protocols lack the ability to encrypt the transmission (and TFTP has no authentication at all). A better alternative is Secure Copy Protocol (SCP). This is an implementation of the Remote Copy Protocol (RCP) that operates over an SSH connection, so it inherits SSH's authentication and encryption. The server that is used to store images and configurations must be configured as an SCP server with a host key that can be validated by the Cisco devices. That setup is beyond the scope of this book; however, we will cover the commands to be used on the Cisco devices to perform an SCP transfer.
With the server setup in place, you simply reference the SCP server by URL in the copy command. The IOS URL form is scp://username:password@host/path. For example, if the server were named scp-srv and you wanted to copy the running configuration to it under the security context of an account named admin with a password of mypass, while naming the file r88-config.txt, you would use the following command:
R88# copy run scp://admin:mypass@scp-srv/r88-config.txt
To restore that file to the startup configuration, you would use the following command:
R88# copy scp://admin:mypass@scp-srv/r88-config.txt start
Putting the password in the URL leaves it in the command history and in any session logging; if you omit the :mypass portion, IOS prompts for the password instead, which is the better habit. Remember also that a saved configuration contains secrets of its own (SNMP keys, NTP keys, type 7 passwords), so the SCP server's file permissions deserve the same care as the transport.
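The hardening items in this chapter are easy to forget on one device out of a hundred, so here is a small audit script that applies them to a saved running-config such as the one just copied off the router. It is an added example in Python, not code from the study guide: both configurations below are constructed (one with the weaknesses discussed above, one hardened), and the checks are simple matches on the commands the chapter uses rather than a full IOS parser, so a real audit should be extended with the platform's own defaults (for example, VTY lines with no transport input line accept Telnet on many IOS versions).

```python
"""Audit an IOS running-config for the management-plane settings covered in this chapter.

Added example with constructed configurations; the checks match the commands
used in the chapter and are not a complete IOS parser.
"""
import re

WEAK_CONFIG = """\
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server group snmp-group v3 noauth read read-view
ntp authentication-key 87 md5 mykey
ntp trusted-key 87
ntp server 10.10.10.1 key 87
line con 0
 password cisco
 login
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 99 in
 transport input ssh
 login local
"""

HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip http access-class 99
snmp-server group snmp-group v3 priv read read-view access 99
ntp authentication-key 87 md5 mykey
ntp trusted-key 87
ntp authenticate
ntp server 10.10.10.1 key 87
banner login ^Authorized access only. Property of Example Corp. Sessions are logged.^
line con 0
 login local
line vty 0 15
 access-class 99 in
 transport input ssh
 login local
"""


def parse_config(text):
    """Return (global commands, {block header: [indented commands]}) for line/interface blocks."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        global_cmds.append(cmd)
        current = cmd if cmd.startswith(("line ", "interface ")) else None
        if current:
            blocks[current] = []
    return global_cmds, blocks


def audit(text):
    """Return a list of (scope, finding) tuples; an empty list means nothing was flagged."""
    global_cmds, blocks = parse_config(text)
    findings = []

    def has(prefix):
        return any(c.startswith(prefix) for c in global_cmds)

    if has("ip http server"):
        findings.append(("global", "ip http server enabled; use no ip http server"))
    if not has("ip http secure-server"):
        findings.append(("global", "ip http secure-server not enabled"))
    elif not has("ip http access-class"):
        findings.append(("global", "HTTPS server has no ip http access-class"))
    for cmd in global_cmds:
        if cmd.startswith("snmp-server community"):
            findings.append(("global", f"SNMPv1/v2c community string in use: {cmd}"))
        m = re.match(r"snmp-server group \S+ v3 (noauth|auth)\b", cmd)
        if m:
            findings.append(("global", f"SNMPv3 group not using priv ({m.group(1)}): {cmd}"))
    if has("ntp authentication-key") and "ntp authenticate" not in global_cmds:
        findings.append(("global", "NTP keys defined but ntp authenticate is missing"))
    if not has("banner login"):
        findings.append(("global", "no login banner configured"))

    for name, cmds in blocks.items():
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), "")
            if transport != "transport input ssh":
                findings.append((name, f"Telnet not excluded (found '{transport or 'no transport input'}')"))
            if not any(c.startswith("access-class") for c in cmds):
                findings.append((name, "no access-class on VTY lines"))
        if name.startswith("line") and any(c.startswith("password ") for c in cmds):
            findings.append((name, "line password in use; prefer login local with username ... secret"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for scope, msg in result:
            print(f"  [{scope}] {msg}")
```

Run against the weak configuration the script flags the plain HTTP server, the community string, the noauth SNMPv3 group, the missing ntp authenticate, the missing login banner, the console line password, and Telnet plus the missing access-class on line vty 0 4, while the hardened configuration produces no findings.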
Summary In this chapter, you learned about the security differences in managing devices from in-band and out-of-band interfaces. You also learned that in-band interfaces include HTTP, VTY, and the physical interfaces on the device and that out-of-band interfaces include the console and AUX ports. The chapter also discussed methods of securing management interfaces, including enabling the HTTPS server, securing SNMPv3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management. Among the other topics covered in this chapter were the types of banner message that can be configured and the securing of the NTP protocol.
Exam Essentials Identify in-band and out-of-band interfaces. In-band interfaces include HTTP, VTY, and the physical interfaces on the device. Out-of-band interfaces include the console and AUX ports.
Describe methods to secure management interfaces. These include disabling the HTTP server and enabling the HTTPS server, securing SNMPv3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management rather than Telnet. It also includes applying ACLs to all management interfaces.
Identify the types of banner messages and their use. These include the message of the day banner, which appears when a connection is made; the login banner, which appears after the MOTD banner and before the login prompt; and the EXEC banner, which appears only after successful authentication.
List the three security policies that can be applied to SNMPv3. These include noAuthNoPriv, which is no hashing to secure authentication and no encryption of data; AuthNoPriv, which is hashing to secure authentication but no encryption of data; and AuthPriv, which is hashing to secure authentication and encryption of data.
Describe the steps to configure NTP authentication. These steps are configuring an NTP authentication key number and MD5 string (shared secret), specifying at least one trusted key number referencing the key number in the first step, and enabling NTP authentication.
Review Questions 1. Which of the following is an out-of-band connection?
A. HTTP
B. Con 0
C. Gi0/1
D. VTY
2. What information is required to set up a modem on the AUX port?
A. Line number
B. AUX password
C. Transmission rate
D. Modem model
3. Which of the following is a valid reason for configuring a loopback interface as the management interface?
A. It is more secure.
B. It provides better performance.
C. It is always up.
D. It is preconfigured.
4. What command enables you to identify the total number of VTY ports in the device?
A. R1(config)# line ?
B. R1(config)# line vty ?
C. R1# line ?
D. R1# line vty ?
5. How are the locations of information contained in SNMP identified?
A. MIB
B. OID
C. Informs
D. Traps
6. Which SNMP security policy provides hashing to secure authentication but no encryption of data?
A. noAuthNoPriv
B. AuthNoPriv
C. AuthPriv
D. Priv
7. Which interfaces should be protected by passwords?
A. VTY
B. Console
C. HTTPS
D. All of the above
8. Which of the following commands enables encryption of HTTP transfers?
A. R81(config)# ip https secure
B. R81(config)# ip https server
C. R81(config)# ip http secure-server
D. R81(config-line)# ip http secure-server
9. Which command applies ACL 99 at the group level, while referring to the group test-group using the priv security policy with write access to a view called write-view?
A. R84# snmp-server group test-group v3 priv write write-view access 99
B. R84(config)# snmp-server test-group v3 priv write write-view access 99
C. R84(config)# snmp-server group test-group v3 priv write-view access 99
D. R84(config)# snmp-server group test-group v3 priv write write-view access 99
10. Which of the following is not a recommendation for banner message wording?
A. Use of words such as Welcome should be encouraged.
B. If you plan to use AAA accounting records in any subsequent legal proceeding, you must inform intruders they are being audited.
C. You should always state the owner of the system so there will be no later defense that the intruder was unaware of the system owner.
D. To prevent any future defense that permission was implied, always state "authorized access only."
11. Which of the following is not a banner type?
A. MOTD
B. EXEC
C. Login
D. Maintenance
12. Which of the following banner messages appears at connection time?
A. MOTD
B. EXEC
C. Login
D. Maintenance
13. When SNMP inform messages are sent to stations, what value identifies the station?
A. Process ID
B. MAC address
C. Engine ID
D. Router ID
14. Which of the following steps in configuring SNMPv3 security is optional?
A. Define an SNMP group
B. Assign an MIB view
C. Specify the cryptographic policy to be used by the group
D. Define SNMP users and assign them a user group
15. What statement is false with regard to the following command? R82(config)# snmp-server view read-view 1.3.6.1.2.1 included
A. The view is named read-view.
B. read-view is the group name.
C. 1.3.6.1.2.1 is the OID.
D. This command defines a view.
16. How is MD5 used in NTP authentication?
A. Encrypts the data
B. Hashes the update
C. Hashes the password
D. Encrypts the shared secret
17. Which step is not part of configuring NTP authentication?
A. Configure an NTP authentication key number and MD5 string
B. Specify at least one trusted key number referencing the key number
C. Encrypt the key number
D. Enable NTP authentication
18. Which of the following should be used as a secure alternative to TFTP or FTP?
A. SCP
B. RTP
C. VTP
D. STP
19. When using SCP to copy files to an SCP server, how do you reference the SCP server in the copy command?
A. MAC address
B. IP address
C. URL
D. Port number
20. In what repository is SNMP data contained?
A. OID
B. MIB
C. Registry
D. Hardware register
Chapter 9 Understanding 802.1x and AAA CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
2.2 AAA concepts
Describe RADIUS and TACACS+ technologies
Configure administrative access on a Cisco router using TACACS+
Verify connectivity on a Cisco router to a TACACS+ server
Explain the integration of Active Directory with AAA
Describe authentication and authorization using ACS and ISE
2.3 802.1x authentication
Identify the functions of 802.1x components
While access to the network and to network resources can be controlled by performing user authentication at the point of entry into the network, this approach creates a larger and larger management headache as the number of network entry devices grows. In fact, creating and managing user accounts and user passwords across multiple wireless access points, RAS servers, and VPN servers becomes almost unworkable. The 802.1x standard was created to address this issue. In this chapter, you'll explore 802.1x and two closely related technologies that make it possible.
In this chapter, you will learn the following:
Understanding 802.1x and AAA components
Using RADIUS and TACACS+ technologies
Configuring administrative access with TACACS+
Verifying router connectivity to TACACS+
Integrating Active Directory with AAA
Performing authentication and authorization using ACS and ISE
802.1x Components The 802.1x standard defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses three components.
Supplicant: The user or device requesting access to the network
Authenticator: The device through which the supplicant is attempting to access the network
Authentication server: The centralized device that performs authentication
The role of the authenticator can be performed by a wide variety of network access devices, including remote access servers (both dial-up and VPN), switches, and wireless access points. The role of the authentication server is performed by an AAA server, which in Cisco deployments is a Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) server. Note, though, that for 802.1x itself the authentication server is a RADIUS server, because the EAP exchange between supplicant and server is carried inside RADIUS; TACACS+ is used for administrative (device management) AAA, which is the use covered later in this chapter. The authenticator requests credentials from the supplicant and, upon receipt of those credentials, relays them to the authentication server, where they are validated. Upon successful verification, the authenticator is notified to open the port for the supplicant to allow network access.
Figure 9.1 illustrates this process.
FIGURE 9.1 802.1x
RADIUS and TACACS+ Technologies While RADIUS and TACACS+ perform the same roles, they have different characteristics. These differences must be taken into consideration when choosing a method. Keep in mind also that while RADIUS is an open standard, TACACS+ is Cisco proprietary (its protocol was later documented in RFC 8907). Table 9.1 compares them.
TABLE 9.1 RADIUS and TACACS+

| Protocol | Transport Protocol | Confidentiality | Authentication, Authorization, and Accounting | Supported Layer 3 Protocols | Cisco Command Authorization | Traffic |
|---|---|---|---|---|---|---|
| RADIUS | UDP (ports 1812/1813, or legacy 1645/1646) | Password only | Combines the three processes | All but RAS, NetBIOS, or X.25 | No support for securing Cisco commands | Less |
| TACACS+ | TCP (port 49) | Entire body except TACACS+ header | Separates the three processes | All | Support for securing Cisco commands | More |

Many consider enabling 802.1x authentication on all devices to be the best protection you can provide a network.
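Table 9.1's "Confidentiality" row becomes concrete if you implement the two mechanisms side by side. The following is an added Python example, not code from the study guide or from any AAA product: it implements the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5, then checks what an on-path observer could still read. The shared secret, the session ID, the Request Authenticator, the simplified RADIUS attribute encoding and the simplified TACACS+ body layout are all constructed for the example.

```python
"""RADIUS hides only the User-Password attribute; TACACS+ obfuscates the whole body.

Added example after RFC 2865 s5.2 and RFC 8907 s4.5. All keys and packet
fields are constructed, and both packet layouts are simplified.
"""
import hashlib


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = Request Authenticator; 16-byte blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (the NUL padding is stripped)."""
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        clear += bytes(c ^ b for c, b in zip(prev, block))
    return clear.rstrip(b"\x00")


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad = MD5_1 || MD5_2 || ..., MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})."""
    sid = session_id.to_bytes(4, "big")
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire body with the pseudo-pad (only the 12-byte header stays clear); self-inverse."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def compare_exposure(username: bytes = b"admin", password: bytes = b"srpass",
                     secret: bytes = b"mysecretkey") -> dict:
    """What an on-path observer sees in each protocol's authentication request."""
    request_authenticator = bytes(range(16))  # constructed; must be random per request in practice
    hidden_pw = radius_hide_password(password, secret, request_authenticator)
    # Simplified RADIUS attributes: User-Name (type 1) in clear, User-Password (type 2) hidden.
    radius_wire = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden_pw)]) + hidden_pw

    # Simplified TACACS+ START body: a few fixed fields, then the user and password strings.
    session_id = 0x1234ABCD  # constructed
    tacacs_body = bytes([1, 1, 1, 1]) + username + b"\x00" + password
    tacacs_wire = tacacs_obfuscate(tacacs_body, session_id, secret)

    return {
        "radius_username_visible": username in radius_wire,
        "radius_password_visible": password in radius_wire,
        "tacacs_username_visible": username in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
        "radius_roundtrip": radius_reveal_password(hidden_pw, secret, request_authenticator) == password,
        "tacacs_roundtrip": tacacs_obfuscate(tacacs_wire, session_id, secret) == tacacs_body,
    }


if __name__ == "__main__":
    for name, value in compare_exposure().items():
        print(f"{name:>26}: {value}")
```

The RADIUS username (and every other attribute) stays readable on the wire while only the password is hidden, whereas the TACACS+ body is opaque as a whole. Both mechanisms are MD5 keystreams derived from the shared secret, so in either case the secret's strength and the reachability of the AAA port from untrusted networks are what actually matter.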
Configuring Administrative Access with TACACS+ Earlier you learned how to secure administrative access to a Cisco device using SSH over the VTY lines. You also learned how to control the activities of those with administrative access using privilege levels. Both operations can also be done using AAA services. As you now know, the usernames and passwords can be located on an AAA server rather than on the local device. Having said that, it is also possible to take advantage of these services while locating the usernames and passwords on the local device. Regarding controlling the activities of those with administrative access, using user accounts rather than shared privilege-level passwords provides more accountability, because every action can be tied to a named user. In this section, you'll look at how using AAA services changes these configurations.
Local AAA Authentication and Accounting Local AAA authentication is a form of AAA in which the user accounts are located on the device rather than on an AAA server. To use AAA services for any type of authentication, AAA must be enabled on the device. Including this step, the high-level steps to configure local AAA authentication and authorization are as follows:
1. Create user accounts with an assigned privilege level and password.
2. Enable AAA services.
3. Configure an authentication method list that specifies local authentication.
4. Configure an authorization method list for access to the CLI that specifies local authorization.
The order matters: once aaa new-model is entered, the console and VTY lines immediately authenticate against the default login method list, which uses the local database, and if no local account exists you can lock yourself out of the device.
Let's begin by creating a user account named adminsr that has a privilege level of 7 with an encrypted (secret) password of srpass.
R89(config)# username adminsr privilege 7 secret srpass
Now let's enable AAA services on the router.
R89(config)# aaa new-model
To configure an authentication method list that specifies local authentication on all lines (by using the default list name), use this command:
R89(config)# aaa authentication login default local
Finally, let's configure an authorization method list that controls access to the CLI (by including the exec keyword) on all lines (by using the default list name).
R89(config)# aaa authorization exec default local
The authorization configuration applies to all lines except Con 0, because IOS does not apply AAA authorization to the console unless aaa authorization console is configured. This gives you a fallback method to access the CLI if a misconfiguration of authorization locks you out.
SSH Using AAA In Chapter 8, you learned how to configure SSH access on the VTY lines. When you did that, you created local accounts and passwords to authenticate those connecting with SSH. You also learned in Chapter 8 how to assign privilege levels to user accounts. If you use AAA authentication for SSH, then you can use AAA to authorize the assigned privilege level of the same account when authentication occurs. Later in this chapter, you will learn how to use a TACACS+ server as the authentication method. In this example, you will continue to use a local AAA database. To do this, complete the following tasks:
1. Enable AAA services.
2. Configure an authentication method list that specifies local authentication.
3. Configure an authorization method list for access to the CLI that specifies local authorization.
These commands are executed much the same as when you were setting up local AAA authentication and accounting in the previous section.
To enable AAA services on the router, use this command:
R89(config)# aaa new-model
To configure an authentication method list that specifies local authentication on all lines (by using the default list name), use this command:
R89(config)# aaa authentication login default local
To configure an authorization method list that provides access to the CLI (by including the exec keyword) on all lines (by using the default list name), use this command:
R89(config)# aaa authorization exec default local
Again, the authorization configuration applies to all lines except Con 0. This gives you a fallback method to access the CLI if a misconfiguration of authorization locks you out.
Understanding Authentication and Authorization Using ACS and ISE To fully realize the benefits of the 802.1x security solution, user accounts and the security policies surrounding those accounts should be in a centralized database available to all devices operating as authenticators. The device operating as the authentication server in the 802.1x framework is the AAA server.
Cisco offers two AAA servers that can fulfill the role of authentication server. The Cisco Secure Access Control Server (ACS) can operate either as a RADIUS server or as a TACACS+ server. The Cisco Identity Services Engine (ISE) originally supported only RADIUS (ISE 2.0 and later also support TACACS+ for device administration). However, it supports functionality not present in the Cisco ACS. Additional features include the following:
Profiling to determine the type of device from which a network access request originates and to apply a set of access policies specific to the profile attached to that device. This means a user might have multiple profiles, each attached to one of the various devices they use.
Posture assessment to verify the minimum security requirements of a device before allowing access. If issues arise such as missing OS or security updates, the device may be either remediated or denied entry.
Centralized web access for guest access to the network.
Understanding the Integration of Active Directory with AAA Both Cisco AAA offerings support the centralization of user accounts and credentials on the AAA server. However, in most cases, doing so would constitute a duplication of effort since this same information is already contained in a directory services server such as Microsoft Active Directory. Both Cisco ACS and Cisco ISE can consult other databases for information.
The ability of these two offerings to utilize an external enterprise user ID repository is a key feature. While some Cisco devices, such as the Cisco Adaptive Security Appliance (ASA), can communicate directly with LDAP repositories or Active Directory for authentication purposes, most do not. Therefore, the deployment of an AAA server serves as an important link between the authenticators in the 802.1x framework and the external enterprise directory service. In the next section, you'll learn how an authenticator might speak to an external enterprise database through the AAA server, and you'll discover how to set up a Cisco router to use a TACACS+-based AAA server.
TACACS+ on IOS While an AAA server can be populated with usernames and credentials, an AAA server can also utilize the same information that resides in an enterprise directory service such as Active Directory. When this is the case, the process that occurs during a request for network access is as follows. In this case, a TACACS+ server is in use.
1. The supplicant establishes a connection with the authenticator (router, WAP, VPN server).
2. The authenticator challenges the supplicant for credentials.
3. The supplicant responds with credentials.
4. The authenticator passes the credentials to the authentication server (AAA server).
5. The TACACS+ server consults the LDAP server.
6. The LDAP server performs the authentication and returns the result to the TACACS+ server, which returns it to the authenticator.
7. The authenticator passes the result to the supplicant.
Configuring a Router to Use a TACACS+ Server The steps to configure a router to use a TACACS+ server are as follows:
1. Enable AAA services.
2. Specify the TACACS+ server name.
3. Specify the TACACS+ server IP address and type (IPv4 or IPv6).
4. Specify the key string used as a shared secret between the router and the TACACS+ server.
5. Specify the use of TACACS+ in the method list for authentication and authorization, while also specifying a backup method.
6. Create local usernames and credentials for use in case of loss of access to the TACACS+ server.
7. Enable per-command authorization (optional).
8. Enable accounting of administrative sessions and of the use of specific commands (optional).
First, let's enable AAA as you have done before.
R90(config)# aaa new-model
Next, define the server: name it, give it an address, and set the shared key (the key must match the one configured on the server for this router).
R90(config)# tacacs server servertac
R90(config-server-tacacs)# address ipv4 192.168.56.6
R90(config-server-tacacs)# key mysecretkey
R90(config-server-tacacs)# exit
Next, let's specify the use of TACACS+ in the method list for authentication and authorization, while also specifying a backup method. In this case, the backup is local authentication. Note that the local method is consulted only when no TACACS+ server can be reached; if a server answers and rejects the credentials, the login fails and the local database is not tried.
R90(config)# aaa authentication login default group tacacs+ local
R90(config)# aaa authorization exec default group tacacs+ local
As you are using local authentication as a backup, you need to create an account for that process should it be necessary. This process is the same as you learned earlier.
R90(config)# username adminsr privilege 7 secret srpass
Optionally, you can enable per-command authorization. In the following example, the router will consult the TACACS+ server whenever an administrator enters any privilege level 15 command or any configuration command. If the account lacks the authorization, the command will be denied, and an error message will appear. Again, you have specified local as the backup method here; when the local method is used, command authorization is reduced to checking the user's privilege level.
R90(config)# aaa authorization commands 15 default group tacacs+ local
R90(config)# aaa authorization config-commands
Optionally, you can also enable accounting of administrative sessions and of the use of specific commands. In the following example, an accounting record will be sent to the TACACS+ server at the start of an administrative session to the EXEC process, and another will be sent at the end of the session.
R90(config)# aaa accounting exec default start-stop group tacacs+
Finally (again optionally), the following command causes an accounting record to be sent for every privilege level 15 command, which includes the configuration commands entered at that level:
R90(config)# aaa accounting commands 15 default stop-only group tacacs+
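The order in which IOS consults the methods in group tacacs+ local is the point most often misunderstood, so here is a small model of it. This is an added Python example, not IOS code or code from the study guide: the servers, users and passwords are simulated, and the model encodes one rule, that IOS falls through to the next method only when a method returns an error (no server in the group answered), never when a server answers and rejects the credentials.

```python
"""Model of IOS AAA method-list evaluation for `group tacacs+ local`.

Added example with simulated servers and users. Rule modeled: the next
method is tried only on ERROR (no reachable server), not on FAIL (rejected).
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # a server (or the local database) answered and rejected them
    ERROR = "error"  # the method could not produce an answer (no server reachable)


class TacacsGroup:
    """`group tacacs+`: servers are tried in order; the first reachable one decides."""

    def __init__(self, servers):
        self.servers = servers  # list of (reachable, {username: password}); simulated

    def authenticate(self, user, password):
        for reachable, users in self.servers:
            if reachable:
                return Result.PASS if users.get(user) == password else Result.FAIL
        return Result.ERROR


class LocalDatabase:
    """The `local` method: the router's own `username ... secret` entries."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def run_method_list(methods, user, password):
    """Evaluate `aaa authentication login default <methods>`; return (result, trail)."""
    trail = []
    for name, method in methods:
        result = method.authenticate(user, password)
        trail.append((name, result))
        if result is not Result.ERROR:
            return result, trail       # PASS or FAIL ends the evaluation
    return Result.ERROR, trail         # every method errored: the login is denied


def scenarios():
    """The cases an operator meets after `aaa authentication login default group tacacs+ local`."""
    local = LocalDatabase({"adminsr": "srpass"})   # username adminsr privilege 7 secret srpass
    tacacs_users = {"mytest": "mypass"}            # simulated server-side account
    up = TacacsGroup([(True, tacacs_users)])
    down = TacacsGroup([(False, tacacs_users)])
    second_up = TacacsGroup([(False, tacacs_users), (True, tacacs_users)])

    def default(group):
        return [("group tacacs+", group), ("local", local)]

    return {
        # server reachable: it alone decides, even for a user that exists only locally
        "server_up_tacacs_user": run_method_list(default(up), "mytest", "mypass")[0],
        "server_up_local_only_user": run_method_list(default(up), "adminsr", "srpass")[0],
        # no server reachable: fall back to the local database
        "server_down_local_user": run_method_list(default(down), "adminsr", "srpass")[0],
        "server_down_tacacs_only_user": run_method_list(default(down), "mytest", "mypass")[0],
        # the second server in the group answers when the first is dead
        "first_down_second_up": run_method_list(default(second_up), "mytest", "mypass")[0],
        # no local fallback configured and no server reachable
        "server_down_no_fallback": run_method_list([("group tacacs+", down)], "adminsr", "srpass")[0],
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:>30}: {result.value}")
```

The server_up_local_only_user case is why the local account is for outages only: while the TACACS+ server is reachable, adminsr cannot log in with the local secret, and a rejected login is never an invitation to try the next method. The same rule governs the exec and commands authorization lists configured above, which is why a reachable server that lacks a command authorization profile for a user denies that user's commands rather than falling back to privilege levels.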
Verify Router Connectivity to TACACS+ Once you have configured the router with the IP address of the TACACS+ server, you should verify that you have connectivity between the devices. This can be done by using the test aaa command in privileged EXEC mode to test an authentication against the TACACS+ server group. For example, to test the username mytest with a password of mypass, use the following command:
R90# test aaa group tacacs+ mytest mypass new-code
Sending password
User successfully authenticated
USER ATTRIBUTES
username 0 "mytest"
Reply-message 0 "Password:"
As you can see, the authentication succeeded, which indicates that you have connectivity to the TACACS+ server and that the shared key matches. A failed test does not by itself distinguish an unreachable server from a mismatched key or a bad credential, so check reachability separately (for example with ping) before changing the key.
Summary In this chapter, you learned about the AAA service that can be provided by TACACS+ and RADIUS servers. You also looked at configuring administrative access to a router using TACACS+. You learned how AAA can be integrated with Active Directory. You looked at the Cisco implementations of an AAA server, including the Cisco Secure Access Control Server (ACS) and the Cisco Identity Services Engine (ISE). Finally, you learned about the functions of the various 802.1x components.
Exam Essentials Describe the RADIUS and TACACS+ technologies. Understand the benefits of these technologies, which include centralization of authentication and reduction of administrative overhead. Also identify the differences between these technologies, which include the transport protocols and ports used, what each protects on the wire, and the way in which they handle the authentication, authorization, and accounting functions.
Configure and verify administrative access to a router using TACACS+. This includes enabling AAA services, specifying the TACACS+ server name, specifying the TACACS+ server IP address and type (IPv4 or IPv6), specifying the key string used as a shared secret between the router and the TACACS+ server, and specifying the use of TACACS+ in the method list for authentication and authorization, while also specifying a backup method.
Explain the integration of Active Directory with AAA. Describe how an Active Directory server can be used by an AAA server as a repository for usernames and credentials.
Identify Cisco implementations of AAA servers. These include the Cisco Secure Access Control Server (ACS), which can operate either as a RADIUS server or as a TACACS+ server, and the Cisco Identity Services Engine (ISE), which originally supported only RADIUS (later releases add TACACS+) and supports functionality not present in the Cisco ACS.
Identify the functions of 802.1x components. These include the supplicant (the device requesting access), the authenticator (the network access device to which you are connecting), and the authentication server (AAA server).
ReviewQuestions1. Whichofthefollowingisanexampleoftheauthenticatorinthe802.1xstandard?
A. WirelessAP
B. TACACS+server
C. Userlaptop
D. AAAserver
2. WhichofthefollowingistrueaboutTACACs+?
A. Encryptsonlythepassword
B. SeparatesthethreeAAAprocesses
C. UsesUDP
![Page 190: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/190.jpg)
D. CreateslesstrafficthanRADIUS
3. WhichofthefollowingcommandsenablesAAAservicesonarouter?
A. aaaenable
B. aaanew-model
C. enableaaa
D. aaaauthentication
4. Whatcommandconfiguresanauthenticationmethodthatspecifieslocalauthentication?
A. aaaauthenticationdefaultlocal
B. aaaauthenticationloginlocaldefault
C. aaaauthenticationlogindefaultlocal
D. aaalogindefaultlocal
5. WhenconfiguringanauthorizationmethodthatprovidesaccesstotheCLI,towhichlinedoestheconfigurationnotapply?
A. VTY0
B. CON0
C. AUX0
D. VTY1
6. WhichofthefollowingisaCiscoimplementationofanAAAserver?
A. SDM
B. ACS
C. PIX
D. ASA
7. WhichdevicecancommunicatedirectlywithLDAPrepositoriesorActiveDirectoryforauthenticationpurposes?
A. SDM
B. VTP
C. PIX
D. ASA
8. WhichofthefollowingcommandsspecifiestheTACACS+serverforarouter?
A. tacacsserverservername
B. serverservername
![Page 191: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/191.jpg)
C. tacacsserveripaddress
D. serveripaddress
9. WhichcommandteststheauthenticationprocessandverifiesconnectivitytotheTACACS+server?
A. testaaagrouptacacsusernamepasswordnew-code
B. testaaagrouptacacspasswordnew-code
C. testaaagrouptacacsusernamenew-codepassword
D. testaaagrouptacacsusernamepassword
10. WhichofthefollowingcommandsspecifiestheuseofTACACS+inamethodlistforauthorizationwhilealsospecifyingabackupmethod?
A. aaaauthorizationdefaultgrouptacacs+local
B. aaaauthorizationexecdefaultgrouptacacs+local
C. aaaauthorizationexecdefaulttacacs+local
D. aaaauthorizationexecgrouptacacs+local
11. WhichofthefollowingstepsinconfiguringaroutertouseaTACACS+serverisoptional?
A. EnableAAAauthentication
B. SpecifytheTACACs+servername
C. Enableper-commandauthorization
D. SpecifytheTACACs+serverIPaddressandtype
12. WhenAAAservicesmakeuseofanLDAPserver,whichcomponentperformstheauthentication?
A. AAAserver
B. LDAPserver
C. Networkaccessdevice
D. Supplicant
13. Whichofthefollowingistheabilitytoverifyminimumsecurityrequirementsofadevicebeforeallowingaccess?
A. Profiling
B. Postureassessment
C. Supplication
D. Authorization
14. Which of the following commands configures a local authorization method that provides access to the CLI on all lines?
A. aaa authorization default local
B. aaa authorization default exec local
C. aaa authorization exec default local
D. aaa authorization exec default
15. Which command creates a user account named adminsr that has a privilege level of 7 with an encrypted (secret) password of srpass?
A. username adminsr privilege 7 secret srpass
B. username adminsr privilege secret 7 srpass
C. username adminsr privilege srpass 7 secret
D. username privilege 7 adminsr secret srpass
16. Regarding controlling the activities of those with administrative access, why should you use user accounts rather than privilege levels?
A. Better performance
B. More accountability
C. Simpler configuration
D. Encrypted processes
17. Which of the following is false of RADIUS?
A. Industry standard
B. Uses UDP
C. Supports Cisco commands
D. Protects only the password
18. Which standard provides a security framework that includes a supplicant, authenticator, and authentication server?
A. 802.11
B. 802.3
C. 802.1x
D. 802.5
19. In the 802.1x framework, which device can operate as the authentication server?
A. RADIUS
B. Wireless AP
C. User laptop
D. VPN server
20. Which of the following is the ability to determine the type of device from which a network access request is originating?
A. Posture assessment
B. Profiling
C. Classification
D. Contextual awareness
Chapter 10 Securing a BYOD Initiative
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
2.4 BYOD
The BYOD architecture framework
Describe the function of mobile device management (MDM)
Despite the security challenges, users are increasingly demanding the right to use their personal mobile devices in the enterprise. Somewhat like the clamor for wireless access witnessed more than a decade ago, this outcry for a bring your own device (BYOD) initiative has reached the point where it can no longer be ignored. It has given rise to the development of mobile management software to gain control over these personal devices.
In this chapter, you will learn the following:
The BYOD architecture framework
The function of mobile device management (MDM)
The BYOD Architecture Framework
To enable the secure deployment of a BYOD initiative, Cisco has created an architectural framework that provides the components required to allow use of personal devices while ensuring that these devices are secure and free from malware every time they access the network. The framework may include the following functions:
The 802.1x framework
Mobile device management software
The Cisco Integrated Services Engine
The Cisco TrustSec provisioning and management platform
While you already understand the role that the 802.1x framework plays, in the following sections, the role that each of the other features plays in the Cisco BYOD architectural framework will be discussed.
Cisco ISE
The Cisco Integrated Services Engine (ISE) is a centralized identity-based policy platform that provides context-based access control for wired, wireless, and VPN connections. It combines AAA, posture assessment and profiling, and guest access management. The network access devices (NADs) can be wired switches, VPN servers, wireless access points and controllers, and routers.
ISE can take many items into account when assessing a connection request. Moreover, it can take the same context-based items into account when assessing authorization requests. As shown in Figure 10.1, the following can be considered during both the access request and the authorization request:
Who is the individual?
What device are they using?
Where are they connecting from?
When are they connecting?
How are they connecting?
FIGURE 10.1 ISE context-based access
The ISE can make use of several advanced features to provide granular and dynamic access control policies. Among these are the following:
Downloadable ACLs (dACLs): IP-based ACLs that are implemented on devices when the policy calls for it
Automatic VLAN assignment: To an employee, guest, or, in the case of a failed health check, a remediation VLAN
Security Group Access (SGA): Applies a security group tag (SGT) that uniformly enforces the security group policy regardless of topology
Change of authorization (COA) updates: The ability of ISE to change the authorization policy in real time after the administrator makes a change, without requiring a log-off for the change to take effect
Posture assessment: Can check the health of a device before allowing access and, if the check fails, can remediate the device
Finally, the ISE can accept many authentication mechanisms, including the following:
802.1x: The ISE is a fully functional AAA server.
MAC authentication bypass (MAB): This is port-based access control using the MAC address of the endpoint.
Web authentication (WebAuth): This enables network access for end hosts that do not support IEEE 802.1X authentication.
Later in this chapter, you'll see how ISE integrates with mobile device management to make successful and secure BYOD possible.
Cisco TrustSec
Another component in the Cisco BYOD architecture framework is Cisco TrustSec. It works in concert with ISE and other security devices to use security group tags and security group ACLs (SGACLs) to provide improved visibility into an access request. It uses logical policy groupings to define policies that control both access and authorization. The three main functions of TrustSec are to do the following:
Classify each device by assigning a security group tag (SGT) to its IP address.
Transport or communicate this classification information throughout the network using a process called inline tagging (for those networking devices that support inline tagging) or by using the SGT eXchange Protocol (SXP) for those networking devices that do not.
Enforce access rules through the examination of the SGTs.
Let's look at how TrustSec does this.
SGT Classification
Classification of a device is done through SGT classification using SGT tags. These tags, which are 16 bits in length, can be applied dynamically or statically. Dynamic tagging is applied through the Cisco ISE. Dynamic tagging is possible when the authentication method is 802.1x, MAC bypass, or web authentication. In dynamic tagging, the ISE pushes the SGT to the network access device (NAD).
Static tagging can also be performed, and when done, it can be done either on the ISE or directly in the NAD. Examples of this would be to map an entire subnet to an SGT or to map a VLAN to an SGT.
Inline SGT Transport
For those devices that support the feature, inline SGT transport can be used to propagate SGTs throughout the network. The sending device embeds the SGT into the Ethernet frame on egress. This tag is read by the receiving device and propagated to the next device. The SGT is carried in a new section of the Ethernet header called the Cisco Metadata (CMD) header. Its location is shown in Figure 10.2. As you can see, the CMD holds other information besides the SGT. Overall, this adds 20 bytes to the size of the header.
FIGURE 10.2 CMD
One thing to note is that in cases where two networking devices are also using 802.1ae security (MACsec), the addition of the 802.1ae header and ICV field will result in a total addition to the Ethernet header of 40 bytes.
SGT Exchange Protocol
For those devices that do not support inline SGT transport, the SGT eXchange Protocol (SXP) can be used to transport the SGT mappings. The goal is to get the classification information (in the form of SGTs) applied to the traffic to the upstream devices that must enforce the security.
SXP connections are used for this purpose and are point-to-point TCP-based connections created between two endpoints, one of which must be designated as the speaker and the other as the listener (any other combination of the two roles will fail). In Figure 10.3, the 2960 switch on the left is capable of SXP and uses it to send the SGT information to an upstream device (the 3750 switch) that is SGT capable, so when the 3560 sends to the CAT6500 (which is also SGT capable), the traffic is tagged as described in the previous section.
FIGURE 10.3 SXP and SGT
Also notice in Figure 10.3 that at the CAT6500 an enforcement action has occurred, blocking traffic at that point as a result of the SGT information. The four versions of SXP can be described as follows:
Version 1: Supports only IPv4 binding propagation.
Version 2: Supports both IPv4 and IPv6 binding propagation.
Version 3: Adds support for subnet-to-SGT mappings. If speaking to a lower-version listener, the speaker will expand the subnet.
Version 4: Adds loop detection and prevention, capability exchange, and a built-in keep-alive mechanism.
Enforcing SGACLs
TrustSec maintains a permission matrix with source group numbers (SGTs) on one axis and destination group numbers (SGTs) on the other. Each cell, or intersection of a row and column, contains an ordered list of rules (SGACLs) controlling the access between those two entities. The security group access lists (SGACLs) do not contain references to the SGTs. The action listed in each cell is incorporated into the access list for application. This allows a single ACL to be applied to many cells with a potentially different result based on the cell contents. Figure 10.4 shows an example of a permission matrix.
FIGURE 10.4 Permission matrix
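The matrix-and-SGACL structure just described, as an added example (not code from the book or from Cisco): cells are indexed by source and destination SGT and hold only SGACL names, the SGACLs themselves carry no SGT references, and one SGACL is reused by several cells. Tag numbers, group names, and rules are constructed for illustration.

```python
"""TrustSec-style permission matrix lookup (added example, not from the book).

Models what the chapter describes: a matrix keyed by (source SGT, destination
SGT) whose cells hold an ordered list of SGACL names, and SGACLs written without
any SGT references so one SGACL can serve many cells. All values are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", or "ip" (any protocol)
    dport: Optional[int]   # destination port, None = any port


# SGACLs: ordered rule lists, no SGTs inside them (constructed sample).
SGACLS = {
    "web-only": [Rule("permit", "tcp", 443), Rule("permit", "tcp", 80), Rule("deny", "ip", None)],
    "dns-only": [Rule("permit", "udp", 53), Rule("deny", "ip", None)],
    "permit-all": [Rule("permit", "ip", None)],
    "deny-all": [Rule("deny", "ip", None)],
}

# Security group tags (constructed numbering).
SGT = {"Employee": 10, "Guest": 20, "Web_Servers": 30, "DNS_Servers": 40}

# Permission matrix: (source SGT, destination SGT) -> ordered SGACL names.
# "dns-only" is deliberately reused in two cells.
MATRIX = {
    (SGT["Employee"], SGT["Web_Servers"]): ["permit-all"],
    (SGT["Guest"], SGT["Web_Servers"]): ["web-only"],
    (SGT["Guest"], SGT["DNS_Servers"]): ["dns-only"],
    (SGT["Employee"], SGT["DNS_Servers"]): ["dns-only"],
}
DEFAULT_CELL = ["deny-all"]   # assumption: cells not defined in the matrix deny


def _rule_matches(rule, proto, dport):
    """A rule matches when its protocol is 'ip' or equal, and its port is any or equal."""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(src_sgt, dst_sgt, proto, dport):
    """Return the action for a flow: the first matching rule across the cell's SGACLs."""
    for acl_name in MATRIX.get((src_sgt, dst_sgt), DEFAULT_CELL):
        for rule in SGACLS[acl_name]:
            if _rule_matches(rule, proto, dport):
                return rule.action
    return "deny"   # reached only if no SGACL in the cell ends with a catch-all


def cells_using(acl_name):
    """Which matrix cells reuse a given SGACL (shows one ACL applied to many cells)."""
    return sorted(cell for cell, acls in MATRIX.items() if acl_name in acls)


if __name__ == "__main__":
    print("Guest -> Web_Servers tcp/443:", evaluate(20, 30, "tcp", 443))
    print("Guest -> Web_Servers tcp/22: ", evaluate(20, 30, "tcp", 22))
    print("cells using dns-only:", cells_using("dns-only"))
```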
Enforcement Using SGFW
The Cisco Adaptive Security Appliance and several other routing platforms use a different method to enforce TrustSec. While ISE manages SGACLs centrally, these devices are configured individually with ACLs that reference the SGT numbers or security group names. For the ASA to be able to use these SGTs or security group names, the ASA must also be configured with a security group table to map security group names to tags, and an SGT-to-IP-address mapping must exist.
Benefits
In the absence of TrustSec technology, access control lists (ACLs) must be updated whenever the following events occur:
New building on the campus
New branch office
New business partner
Expansion of wireless coverage
Addition of new servers
Since these ACLs are each tied to a device and must be written from the network perspective of that device, keeping these ACLs updated and maintained can be a nightmare. This is all easier to manage with the TrustSec technology.
Using TrustSec, any new devices must simply be classified at the ingress point of the network, and the security for that device is maintained throughout the network by the associated security group ACL (SGACL). In cases where the introduction of a new device might require the creation of a new security group, rather than the addition to an existing group, a new row and column are added to the access matrix. This matrix is updated and maintained by the ISE, and changes are dynamically propagated across the TrustSec domain.
The Function of Mobile Device Management
Mobile device management software is designed to make it possible to exert control over personal mobile devices that users want to use on the enterprise network. When used in conjunction with ISE, the combination can be a powerful and secure identity and authentication solution for both company-owned and non-company-owned devices.
In the context of a BYOD architecture, the ISE, when working in combination with a mobile management policy, ties together the provisioning of mobile devices along with a health check of the device at each connection request, as shown in Figure 10.5.
FIGURE 10.5 MDM with ISE
Integration with ISE Authorization Policies
Beyond the health check that can be performed, as described in the previous section, an MDM solution can integrate with ISE authorization policies. For example, let's consider a scenario where an organization uses EAP-TLS for the authentication of company-owned devices. As EAP-TLS is a mechanism that requires a certificate on both the authentication server and the supplicant, company-owned devices will possess such a certificate while employee-onboarded devices will not.
Using this information, ISE can perform an assessment (as shown in Figure 10.6), identify the device type, and apply a unique authorization profile for each group of devices.
FIGURE 10.6 ISE authorization policy integration
Summary
In this chapter, you learned about the challenges involved in supporting a BYOD initiative. The chapter discussed the components provided by Cisco for this, including the Cisco Integrated Services Engine (ISE) and the Cisco TrustSec provisioning and management platform. You also learned about the advanced features of Cisco ISE, including downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGA), change of authorization (COA), and posture assessment. Further, the chapter discussed the authentication mechanisms ISE can accept, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth). Finally, the chapter ended by covering the three main functions of TrustSec.
Exam Essentials
Identify the possible components of a BYOD architectural framework. The framework may include the following functions: the 802.1x framework, mobile device management software, the Cisco Integrated Services Engine (ISE), and the Cisco TrustSec provisioning and management platform.
Describe the advanced features of Cisco ISE. These services include downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGA), change of authorization (COA), and posture assessment.
Identify the authentication mechanisms ISE can accept. The ISE can accept many authentication mechanisms, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth).
Identify the three main functions of TrustSec. The three main functions of TrustSec are to classify each device by assigning a security group tag (SGT) to its IP address, to transport or communicate this classification information throughout the network using a process called inline tagging (for networking devices that support inline tagging) or using the SGT eXchange Protocol (SXP) for those networking devices that do not, and to enforce access rules through the examination of the SGTs.
Review Questions
1. Which of the following is a centralized identity-based policy platform that provides context-based access control for wired, wireless, and VPN connections?
A. BYOD
B. TACACS+ server
C. ISE
D. TrustSec
2. Using ISE, which of the following cannot be considered during both the access request and the following authorization request?
A. Why are they connecting?
B. What device are they using?
C. Who is the individual?
D. Where are they connecting from?
3. Which of the following are implemented on devices when a policy calls for it?
A. dACLs
B. SGAs
C. COA
D. Posture assessment
4. Which ISE feature applies a security group tag (SGT) that uniformly enforces the security group policy regardless of topology?
A. dACLs
B. SGAs
C. COA
D. Posture assessment
5. Which ISE feature provides the ability of ISE to change the authorization policy in real time?
A. dACLs
B. SGAs
C. COA
D. Posture assessment
6. Which of the following ISE features checks the health of a device before allowing access and, if the check fails, can remediate the device?
A. dACLs
B. SGAs
C. COA
D. Posture assessment
7. Which ISE authentication mechanism enables network access for end hosts that do not support IEEE 802.1X authentication?
A. WebAuth
B. MAC bypass
C. WEP
D. WPA
8. Which of the following is not a main function of TrustSec?
A. Classification of devices
B. Assessment of devices
C. Transport of classification information
D. Enforcement of access rules
9. Which of the following is used to classify a device?
A. SGA
B. SGT
C. SXP
D. NAD
10. Which of the following is used to transport or communicate classification information for those networking devices that do not support inline tagging?
A. SXP
B. SGA
C. SGT
D. SGFW
11. With which of the following authentication methods is dynamic tagging not possible?
A. WEP
B. 802.1x
C. WebAuth
D. MAC bypass
12. Where is the SGT found when using inline transport?
A. CMD header
B. IP header
C. 802.1ae header
D. ICV
13. How much does the CMD add to the size of the Ethernet header?
A. 16 bytes
B. 18 bytes
C. 20 bytes
D. 22 bytes
14. In cases where two networking devices are also using 802.1ae security (MACsec), what will be the total addition to the Ethernet header?
A. 20 bytes
B. 28 bytes
C. 30 bytes
D. 40 bytes
15. Which of the following is the only combination of SXP roles that will result in a successful SXP connection between two devices?
A. Speaker and speaker
B. Listener and speaker
C. Transmitter and receiver
D. Speaker and receiver
16. Which SXP version added support for subnet-to-SGT mappings?
A. 1
B. 2
C. 3
D. 4
17. Which method of enforcement does the ASA use?
A. SGFW
B. Inline
C. SXP
D. 802.1x
18. Which of the following makes it possible to exert control over personal mobile devices that users want to use on the enterprise network?
A. MDM
B. 802.11i
C. VTP
D. DTP
19. What additional functionality does the addition of ISE to MDM provide for devices connecting?
A. Posture assessment
B. IP identification
C. TACACS+
D. NAT
20. Which of the following is examined to enforce access rules?
A. NAT
B. SGT
C. SXP
D. MAC
Chapter 11 Understanding VPNs
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
3.1 VPN concepts
Describe IPsec protocols and delivery modes (IKE, ESP, AH, tunnel mode, transport mode)
Describe hairpinning, split tunneling, always-on, NAT traversal
Virtual private network (VPN) connections are widely used to provide a secure method of remote access to the enterprise network. As the sophistication of these connection types has evolved, many additional uses have been found for this concept. Today we use these connections between offices in the place of WAN connections for which we once paid. In this chapter, we will introduce the underlying concepts that make VPNs functional and secure.
In this chapter, you will learn the following:
The protocols that comprise IPsec and the delivery modes in which IPsec can be configured
Advanced features of VPN connections including hairpinning, split tunneling, always-on VPNs, and NAT traversal
Understanding IPsec
While IPsec is a protocol, it is also a framework that provides many choices to people configuring an IPsec connection. The framework does not lock one into a certain encryption algorithm, hashing algorithm, or authentication mechanism. Depending on the choice of components that are part of the IPsec protocol suite, you can get several different security services. In this section, you'll learn about those services and the protocols and components that make them possible. You'll also learn about the possible delivery modes of IPsec and about IPsec's relationship to the IPv6 protocol.
Security Services
The security services offered by IPsec are impressive, which is why it has become so widely embraced. One of its more frequent implementations is its use in VPN connections. These connections can be of two types: remote access VPNs, in which the traditional dial-up connection is updated to create a secure (and free) pathway through the most untrusted network there is (the Internet), and site-to-site VPNs, which can replace WAN connections that cost money with secure (and free) tunnels for all traffic traversing the sites. Let's look at the security services that have made IPsec so ubiquitous.
Confidentiality
Confidentiality can be provided with IPsec and represents one of the choices that can be made when setting up a connection. As you will learn later in the chapter, when you choose to use ESP, one of the protocols in the suite, at the least the data payload will be encrypted, and, depending on the delivery mode, the entire packet including the header may be encrypted.
Data Integrity
IPsec will always provide data integrity, which means you can be assured that the data has not been changed or corrupted in transit. It does this by using the hashing algorithm you select during implementation, keyed with a shared secret. This is called a hash-based message authentication code (HMAC).
Origin Authentication
IPsec will also always provide this security service. Origin authentication means that you can be assured the data came from whom it appears to come from. IPsec will authenticate the connection by using one of the following:
PSKs
Digital certificates
RSA-encrypted nonces
While these processes authenticate the system connecting, extended authentication provides authentication of the user behind the system and is optional.
Anti-Replay
IPsec supports anti-replay. To prevent the replay of authentication packets, IPsec examines sequence numbers in the packets. If a packet arrives late or is a duplicate of an earlier packet, it will be dropped.
Key Management
The key management process in IPsec provides for the dynamic generation of keys to be used for encryption and for their secure exchange over an untrusted network, such as the Internet. If the Diffie-Hellman key exchange algorithm is used, an asymmetric algorithm is used to create and exchange symmetric keys for this process. This is part of a larger process called the Internet Key Exchange (IKE). Figure 11.1 shows a simplified version of the key generation and exchange process. A formula is used to generate both Bob's and Alice's secret integer base numbers (the first step, which they perform independently of one another). They exchange those values and use them with an algorithm in the second step, which results in them generating keys to be used for encryption.
FIGURE 11.1 Diffie-Hellman
A variant of this process called the Elliptic Curve digital signature algorithm (ECDSA) is also available and is part of the Suite B standard.
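The two-step exchange described above, carried through in code. This is an added example, not from the book: the modulus and generator are toy values chosen so the arithmetic stays readable (a real IKE group uses a modulus of 2048 bits or more), and derive_key is a stand-in for the IKE key derivation, which additionally mixes in nonces.

```python
"""Diffie-Hellman key agreement as the chapter describes it (added example).

Step 1: each side picks a private integer and computes a public value from it.
Step 2: the public values are exchanged; each side combines the peer's public
value with its own private integer and arrives at the same shared secret.
Only the public values ever cross the untrusted network. Toy parameters."""
import hashlib
import secrets

P = 23   # toy prime modulus, constructed for illustration only
G = 5    # generator of the toy group


def public_value(private, p=P, g=G):
    """Step 1: g^private mod p. Safe to send over the untrusted network."""
    return pow(g, private, p)


def shared_secret(peer_public, private, p=P):
    """Step 2: peer_public^private mod p. Both sides get the same value."""
    return pow(peer_public, private, p)


def derive_key(secret, length=16):
    """Symmetric key from the shared secret. Assumption: a plain hash stands in
    for the IKE PRF, which also mixes in both peers' nonces."""
    return hashlib.sha256(str(secret).encode()).digest()[:length]


def fresh_private(p=P):
    """Random private exponent in [2, p-2]; never leaves the host that made it."""
    return 2 + secrets.randbelow(p - 3)


def dh_exchange(a, b, p=P, g=G):
    """Run both sides with private values a (Alice) and b (Bob).
    Returns (A, B, Alice's secret, Bob's secret); the last two must be equal."""
    A = public_value(a, p, g)          # Alice sends A
    B = public_value(b, p, g)          # Bob sends B
    return A, B, shared_secret(B, a, p), shared_secret(A, b, p)


if __name__ == "__main__":
    a, b = fresh_private(), fresh_private()
    A, B, s_alice, s_bob = dh_exchange(a, b)
    assert s_alice == s_bob
    print(f"Alice sends {A}, Bob sends {B}, shared secret {s_alice}, key {derive_key(s_alice).hex()}")
```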
Suite B Cryptographic Standard
In 2005, the NSA identified a set of cryptographic algorithms that are the preferred method for security of information. It called these algorithms Suite B. These algorithms use a minimum key length of at least 128 bits. The use of these algorithms helps to ensure compliance with many standards such as PCI-DSS, HIPAA, and FIPS.
Suite B cryptography uses the following algorithms:
AES encryption with either 128- or 256-bit keys
SHA-2 hashing
Elliptic Curve digital signature algorithm (ECDSA) for digital signatures using 256- and 384-bit prime moduli
Key exchange using ECDH and ECDSA
Protocols
There are four protocols used in the IPsec process. One of them, the Internet Key Exchange, has two versions. In the next sections, we will discuss each of these protocols and the role each plays in the process.
IKEv1
The Internet Key Exchange (IKE) protocol is used for many functions in the IPsec framework, including the following:
Automatic key generation: This happens as discussed earlier with Diffie-Hellman.
Automatic key refresh: This includes the periodic generation of new keys.
Negotiation of the security association (SA): A security association is negotiated successfully if certain configuration selections match on both ends of the connection.
There are two versions of IKE. IKEv2 was designed to overcome limitations inherent in IKEv1. IKEv2 will be covered later in this section. IKE operates in two phases.
Phase 1
In phase 1, IKE negotiates the policy sets (the configuration selections made on either end), authenticates the peer devices to one another, and sets up a secure channel. This phase can be performed in two different modes, Main and Aggressive. A choice must be made between the two, and usually this choice is based on whether the main concern is performance or security. While Main mode requires more messages, it does not expose the identity of the peers. While Aggressive mode requires fewer messages, peer identities are exposed before the secure channel is created.
Main Mode
Main mode consists of three exchanges.
Peers negotiate the encryption and hashing algorithms to be used.
The Diffie-Hellman protocol is used to generate a shared symmetric key.
The SA is built, and then the peers authenticate one another within the SA.
Figure 11.2 shows this process.
FIGURE 11.2 IKE phase 1
Aggressive Mode
In Aggressive mode, there are only two messages. The initiator passes all information required for the SA, and the responder sends the proposal, key material, and ID and performs authentication in the next message. This makes negotiation quicker. While Aggressive mode requires fewer messages, peer identities are exposed before the secure channel is created.
Phase 2
While the purpose of phase 1 is to create a secure channel for the phase 2 operations, in phase 2 the parameters that define the IPsec connection are negotiated. In phase 2, the following functions are performed:
The IPsec transform set is negotiated.
The SA is established.
Periodically the SA is renegotiated.
Optional DH key exchanges that have been configured will be performed.
There will be two SAs created because these are unidirectional.
IKEv2
The enhancements provided with IKEv2 are as follows:
Fewer transactions, which results in increased speed
Incorporates extensions such as NAT traversal and dead peer detection
Stronger security through denial-of-service protection
More reliability using sequence numbers and acknowledgments
Supports mobility through the IKEv2 Mobility and Multihoming Protocol (MOBIKE)
ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) is the framework within which IKE performs the dynamic generation of keys. Using IKE and Diffie-Hellman, the result is a security association. This association is based on the successful negotiation of security parameters. In Figure 11.3, the parameters that must match between two devices, R1 and R2, are shown, and in this case, they match.
FIGURE 11.3 Matching ISAKMP parameters
AH
When confidentiality of an IPsec connection is not required, the Authentication Header (AH) protocol can be used. While it does provide data integrity, origin authentication, and anti-replay protection, the data is sent in cleartext. To provide these features, the following steps are used:
1. The immutable fields of the IP header, the data, and the shared key are sent through a hashing algorithm.
2. The resulting hash value is prepended to the original packet.
3. The packet is transmitted to the peer.
4. The peer calculates a hash value from the received packet and compares this value to the one received. If they match, data integrity and origin authentication are validated.
Figure 11.4 shows this process.
FIGURE 11.4 AH process
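The four AH steps above, together with the anti-replay sequence-number check from the Security Services section, as an added example (not code from the book). It assumes an HMAC-SHA-256 ICV truncated to 128 bits, a constructed packet representation, a constructed shared key, and a sliding replay window of 8 sequence numbers; only the TTL-style mutable fields are left out of the hash, as step 1 requires.

```python
"""AH-style integrity check plus anti-replay window (added example, not from the book).

Step 1: keyed hash over the immutable IP header fields, sequence number and data.
Steps 2-3: the hash (ICV) travels ahead of the original packet.
Step 4: the peer recomputes and compares; a mismatch fails integrity/origin.
Anti-replay: duplicates and packets that arrive too late are dropped."""
import hashlib
import hmac

WINDOW = 8   # assumption: replay window width, in sequence numbers


def immutable_fields(hdr):
    """Only fields that never change in transit are covered. TTL is decremented
    by every router and the header checksum changes with it, so both are excluded."""
    return f"{hdr['src']}|{hdr['dst']}|{hdr['proto']}|{hdr['length']}".encode()


def compute_icv(hdr, seq, data, key):
    """Step 1: HMAC over immutable header fields, sequence number and payload,
    truncated to 128 bits (HMAC-SHA-256-128)."""
    msg = immutable_fields(hdr) + seq.to_bytes(4, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def build_packet(hdr, seq, data, key):
    """Steps 2 and 3: ICV and sequence number are placed ahead of the original data."""
    return {"hdr": dict(hdr), "seq": seq, "icv": compute_icv(hdr, seq, data, key), "data": data}


class Receiver:
    """Step 4 plus anti-replay: verify the ICV, then accept only fresh, in-window sequence numbers."""

    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.highest = 0     # highest sequence number accepted so far
        self.seen = set()    # accepted sequence numbers still inside the window

    def accept(self, pkt):
        """Return (accepted, reason) for one received packet."""
        expected = compute_icv(pkt["hdr"], pkt["seq"], pkt["data"], self.key)
        if not hmac.compare_digest(expected, pkt["icv"]):
            return False, "integrity/origin check failed"
        seq = pkt["seq"]
        if seq in self.seen:
            return False, "duplicate sequence number (replay)"
        if seq + self.window <= self.highest:
            return False, "sequence number too old (arrived late)"
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            # forget sequence numbers that have fallen out of the window
            self.seen = {s for s in self.seen if s + self.window > self.highest}
        return True, "accepted"


def run_demo():
    """Constructed traffic: in-order packets, a replayed packet, a jump ahead,
    a late packet, and a packet altered in transit. Returns the outcome reasons."""
    key = b"constructed-shared-key"
    hdr = {"src": "10.1.1.1", "dst": "10.2.2.2", "proto": 51, "length": 60, "ttl": 64}
    rx = Receiver(key)
    sent = {seq: build_packet(hdr, seq, b"payload-%d" % seq, key)
            for seq in (1, 2, 3, 30, 20, 25, 31)}
    outcomes = []
    for seq in (1, 2, 3, 2, 30, 20, 25):
        pkt = dict(sent[seq])
        pkt["hdr"] = dict(pkt["hdr"], ttl=63)   # a router decremented the TTL on the way
        outcomes.append(rx.accept(pkt)[1])
    tampered = dict(sent[31], data=b"PAYLOAD-31")   # payload altered in transit
    outcomes.append(rx.accept(tampered)[1])
    return outcomes


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```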
ESP
When Encapsulating Security Payload (ESP) is selected, you get all the protections provided by AH plus encryption. The extent of this encryption depends on the delivery mode selected.
Delivery Modes
There are two modes of delivery available with IPsec, and the difference between the two modes lies in which parts of the packet are protected by AH and ESP. Let's look at how these two modes operate in both AH and ESP.
Tunnel Mode
In tunnel mode, the entire original packet is protected by either encryption or authentication. In addition, in both AH and ESP, when tunnel mode is used, a new IP header is created that includes the tunnel source and destination address. First let's see how tunnel mode looks when using AH.
AH
When AH is used in tunnel mode, the entire packet is authenticated, and a new IP header is added, as shown in Figure 11.5.
FIGURE 11.5 AH in tunnel mode
ESP
When ESP is used in tunnel mode, the entire original packet is encrypted, as shown in Figure 11.6. A new ESP header is added in front of the encapsulated original packet, and finally a new IP header is added. Notice that all but the new IP header is also authenticated.
FIGURE 11.6 ESP in tunnel mode
Transport Mode
In transport mode, only the payload is protected by either encryption or authentication. First let's see how transport mode looks when using AH.
AH
When AH is used in transport mode, only the payload is authenticated, as shown in Figure 11.7.
FIGURE 11.7 AH in transport mode
ESP
When ESP is used in transport mode, only the payload is encrypted, as shown in Figure 11.8. Notice again that all but the IP header is also authenticated.
FIGURE 11.8 ESP in transport mode
IPsec with IPv6
While the use of IPsec is not required when using IPv6, the IPv6 packet structure was redesigned to accommodate its use. In IPv4, AH and ESP were implemented as IP protocol headers. In IPv6, extension headers are used instead. These headers, when used, come after the original IPv6 header. The Next Header field in the original IPv6 header is used to indicate whether the extension header is AH or ESP. It uses the protocol value of 50 for ESP and 51 for AH. Figure 11.9 shows the IPv6 header. Note the Next Header field. Also note that the extension header lies between the IPv6 header and the payload.
FIGURE 11.9 IPv6 header with extensions
Understanding Advanced VPN Concepts
When implementing IPsec, some scenarios may present challenges. In this section, you'll learn how to overcome specific issues and learn about some additional advanced configuration topics.
Hairpinning
When using a remote access VPN, two default behaviors can cause issues.
Once a tunnel is operational, all traffic leaving the VPN client must pass through the tunnel.
By default, an ASA will not forward packets back out the same interface on which they were received.
This can cause connectivity issues. In the scenario shown in Figure 11.10, there is a VPN tunnel between R1 and ASA1. Because of these two rules, the Internet PC cannot reach SRV1 (because of rule 2) or resources in site 3 (because of rule 1 forcing the traffic through the end of the tunnel and rule 2 because it cannot reenter that interface).
FIGURE 11.10 The need for hairpinning
To solve this issue, you must enable an option called Enable Traffic Between Two Or More Hosts Connected To The Same Interface. This is commonly referred to as hairpinning. This option is found by navigating in the ASDM to Configuration > Device Setup > Interfaces. This selection must be made on the ASA that terminates the VPN connection. You'll find this selection at the bottom of the Interface page, as shown in Figure 11.11. You should have the interface in question highlighted when you make the selection.
FIGURE 11.11 Hairpin configuration
Split Tunneling
Another advanced option you can enable is called split tunneling. When enabled, it allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel. When this is done, an ACL is used to determine the traffic that goes through the tunnel (all traffic except for Internet traffic) and the traffic that does not go through the tunnel (Internet).
To make this possible, follow these steps:
1. Navigate in the ASDM to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. The policies that have been defined will appear. Select the policy that was created when you set up the remote access VPN connection and select Edit.
2. In the Edit Internal Group Policy window, navigate to Advanced > Split Tunneling. Deselect the Inherit box for the Network List field. This prevents the field from inheriting its value from the default policy. Next click the Manage button to the right of the field. The ACL Manager window will appear.
3. Select the Standard ACL tab and then select Add > Add ACL.
4. In the Add ACL box, give this ACL a name, such as RA-split-tunnel.
5. Click OK, and then highlight the ACL and select Add > Add ACE. Here add the network ID of the destination LAN and select Permit.
That defines the traffic to go through the tunnel. All undefined traffic will not go through the tunnel and will therefore not be impacted by the two rules discussed earlier. From a conceptual view, what will now be allowed is shown in Figure 11.12.
FIGURE 11.12 Split tunneling
Always-On VPN
When the Cisco AnyConnect client is used to create a VPN connection, it is possible to have the connection brought up any time the user logs on to his device. This is called Always-On VPN.
To enable Always-On VPN, you must first enable Trusted Network Detection in a profile that applies to the user. This feature enables the device to know when it is connected to the corporate LAN and when it is not. Then you specify that when not connected to the corporate LAN, the VPN connection should be started.
1. In the ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. In this configuration mode, you can add a new AnyConnect profile. Click the Add button and choose a profile name and profile location. You can also apply this profile to a group policy here, but this can also be done later. Click OK and Apply.
2. Select the new profile, and then on the left select Preferences (Part 2). You will see the screen shown in Figure 11.13.
3. Check Automatic VPN Policy, and select Disconnect for the Trusted Network Policy and Connect for the Untrusted Network Policy. You must also enter the DNS domain name for your trusted network, and you should also add DNS servers.
FIGURE 11.13 Preferences (Part 2) window
NAT Traversal
As ESP does not utilize the concept of source and destination ports, NAT has difficulty operating when IPsec traffic arrives at the NAT device. NAT traversal encapsulates IPsec within UDP, providing the requisite ports for NAT.
Configuring NAT traversal or NAT-T is done with a simple check box found in the Global Parameters section of IKE in the ASDM. Navigate to Configuration > VPN > IKE > Global Parameters in the ASDM.
Select the interface in the Enable IKE box and then select Enable IPsec Over NAT-T, as shown in Figure 11.14.
FIGURE 11.14 NAT traversal
Summary
In this chapter, you learned about IPsec and the security services it provides. The chapter discussed the components of IPsec such as ISAKMP, IKE, AH, and ESP. You also learned how to use hairpinning to allow traffic between two hosts to connect to the same VPN interface. Finally, split tunneling and its benefits were discussed.
Exam Essentials
Identify the security services provided by IPsec. They include confidentiality, integrity, origin authentication, anti-replay, and key management.
List the components and delivery modes of IPsec. These include ISAKMP, IKE, AH, and ESP. Delivery modes include transport and tunnel mode.
Describe the operation of hairpinning. Hairpinning can be used to allow traffic between two hosts to connect to the same VPN interface. It is required because of the default rule that an ASA will not forward packets back out the same interface on which they were received.
Describe the operation of split tunneling. When enabled, it allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel.
Review Questions
1. Which IPsec component provides confidentiality?
A. AH
B. IKE
C. ESP
D. ISAKMP
2. Which IPsec component provides integrity?
A. HMAC
B. IKE
C. ESP
D. ISAKMP
3. Which IPsec component provides only data integrity, origin authentication, and anti-replay protection?
A. HMAC
B. AH
C. ESP
D. ISAKMP
4. Which IPsec component provides key exchange?
A. HMAC
B. AH
C. Diffie-Hellman
D. ISAKMP
5. What is the minimum key length for Suite B algorithms?
A. 64-bit
B. 80-bit
C. 128-bit
D. 160-bit
6. What hashing algorithm is required by the Suite B standard?
A. MD5
B. SHA-1
C. SHA-2
D. AES
7. Which of the following is not a function of IKE?
A. Automatic key generation
B. Automatic key refresh
C. Key exchange
D. Negotiation of the security association (SA)
8. Which of the following does not occur in phase 1 of IKE?
A. Negotiates the policy sets.
B. Sets up a secure channel.
C. Authenticates the peer devices to one another.
D. The IPsec transform set is negotiated.
9. Which of the following is true of the Main and Aggressive IKE modes?
A. Main mode uses two messages, and Aggressive mode uses three.
B. Main mode uses three messages, and Aggressive mode uses two.
C. Both modes use three messages.
D. Both modes use two messages.
10. Which of the following is not performed during IKE phase 2?
A. Periodic renegotiation of the SA.
B. The SA is established.
C. The IPsec transform set is negotiated.
D. The Diffie-Hellman protocol is used to generate a shared symmetric key.
11. Which of the following is not true of IKEv2 when compared with IKEv1?
A. More transactions that result in decreased speed
B. Stronger security through denial-of-service protection
C. Supports EAP as an authentication method
D. Incorporates extensions such as NAT traversal and dead peer detection
12. When using AH in transport mode, which parts of the packet are authenticated?
A. Only the header
B. Only the payload
C. Header and payload
D. None
13. When using ESP in tunnel mode, which parts of the packet are encrypted?
A. Only the header
B. Only the payload
C. Header and payload
D. None
14. Which of the following is not true of IPsec in IPv6 and IPv4?
A. IPsec is required in IPv6.
B. In IPv4, AH and ESP are implemented as IP protocol headers.
C. In IPv6, extension headers are used to implement IPsec.
D. In IPv6, the extension header lies between the IPv6 header and the payload.
15. Which of the following is true?
A. By default, an ASA will not forward packets back out the same interface on which they were received.
B. By default, an ASA will forward packets back out the same interface on which they were received.
C. Once a tunnel is operational, all traffic leaving the VPN client need not pass through the tunnel.
D. In IPv4, AH and ESP are implemented as IP protocol headers.
16. Which of the following features can be used to allow traffic to re-enter the end of an IPsec tunnel?
A. Split horizon
B. Hairpinning
C. Split tunnel
D. Poison reverse
17. Which feature, when enabled, allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel?
A. Split horizon
B. Hairpinning
C. Split tunnel
D. Poison reverse
18. Which additional feature must be enabled to use Always-on VPN?
A. MDM
B. Trusted network detection
C. Hairpinning
D. STP
19. What feature encapsulates IPsec within UDP?
A. NAT-T
B. DNSSec
C. Split tunnel
D. Trusted network detection
20. What protocol number is used for ESP?
A. 48
B. 49
C. 50
D. 51
Chapter 12 Configuring VPNs
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
3.2 Remote access VPN
Implement basic clientless SSL VPN using ASDM
Verify clientless connection
Implement basic AnyConnect SSL VPN using ASDM
Verify AnyConnect connection
Identify endpoint posture assessment
3.3 Site-to-site VPN
Implement an IPsec site-to-site VPN with preshared key authentication on Cisco routers and ASA firewalls
Verify an IPsec site-to-site VPN
Virtual private network (VPN) connections can be configured in two basic forms, as remote access VPNs or as site-to-site VPNs. While one is designed to provide a secure remote access connection for a telecommuter or remote user, the other is designed to provide a secure tunnel to carry all traffic between two locations. In this chapter, you'll learn how to configure and verify both VPN types. Moreover, you'll learn about two different ways to implement the remote access VPN.
In this chapter, you will learn the following:
How to configure and verify a clientless SSL VPN using ASDM
How to implement and verify an AnyConnect SSL VPN using ASDM
How a Cisco endpoint posture assessment can help protect the network from malware and other types of attacks
How to implement and verify an IPsec site-to-site VPN with preshared key authentication on Cisco routers and ASA firewalls
Configuring Remote Access VPNs
Cisco remote access VPNs can be deployed either by installing the AnyConnect client on the user's device or by configuring the clientless SSL VPN solution in which no client is required on the user device. Additionally, you can use a Cisco clientless connection to deploy the AnyConnect client to the user device. Finally, when combined with a Cisco endpoint posture assessment, the security posture of the device can be verified before allowing the remote device to access the network, helping to protect the network from malware and other threats. In this section, you'll learn how to implement these two types of remote access solutions and examine the benefits of utilizing a Cisco endpoint posture assessment.
Basic Clientless SSL VPN Using ASDM
While the clientless SSL VPN can be deployed on the Cisco Adaptive Security Appliance using the command line, it is simpler to do so using the Cisco Adaptive Security Device Manager (ASDM). Before diving into the configuration, it is helpful to look at the protocol that provides confidentiality, integrity, and authentication services for the connection.
SSL/TLS
Transport Layer Security (TLS) is used to provide security services for both the clientless SSL VPN and the AnyConnect VPN. While its predecessor is Secure Sockets Layer (SSL), the term SSL VPN has persisted and is still used to describe the connection even though most modern systems use TLS. These protocols use public key cryptography and digital certificates in their operation. While certificates can be deployed on both the client and the server to enable mutual authentication, in most cases a certificate is deployed only on the server, because a server certificate alone secures the connection as well as certificates on both ends do; the user is then authenticated by other means, such as a username and password.
SSL/TLS has a great deal of flexibility regarding the encryption algorithms, hashing algorithms, authentication mechanisms, and key management protocols that can be used. Figure 12.1 depicts the choices available for each of these components.
FIGURE 12.1 Supported SSL/TLS algorithms
It is also helpful to understand the process that occurs when one of these connections is established between the client and the server. The steps that occur are as follows:
1. The client initiates the process by starting the exchange of hello packets between the client and the VPN gateway (the ASA). This step allows the two to negotiate and agree on the encryption algorithms, hashing algorithms, authentication mechanisms, and key management protocols to be used.
2. The server transmits its certificate to the client (which will include its public key). If the RSA key exchange algorithm is in use, the client sends a premaster key to the server using the public key of the server to protect the transmission.
3. If mutual authentication is required, the client then sends its certificate to the server, a session key is calculated, and the cipher suite is activated. Integrity will be provided by the selected hashing algorithm (MD5 or SHA-1), and encryption will be provided by the selected cipher (RC4, 3DES, AES, or IDEA).
4. Once the session keys are exchanged, the data transfer begins. When the traffic gets beyond the ASA, the information will be in clear text but will be encrypted between the client and the ASA.
Configuration
When using the Cisco clientless SSL VPN, the remote device uses the browser to connect to an SSL-enabled website on the ASA or on a Cisco router. Once the security appliance has authenticated the user, the server certificate is used to establish the SSL tunnel. Then the security appliance presents the user with a web portal that contains links to the internal resources that have been made available.
From a high level, the steps to be completed to configure the Cisco clientless SSL VPN are as follows:
1. Enable clientless SSL VPN traffic termination on an ASA interface.
2. Configure clientless SSL server authentication by provisioning an identity certificate and attaching it to the interface.
3. Configure user authentication, which comprises three subtasks.
a. Create accounts for the VPN users.
b. Configure a group policy for the VPN users, specifying in the policy clientless SSL VPN as the tunneling protocol.
c. Create a connection profile for the VPN users and connect the policy to the profile.
4. Set up bookmarks that will appear when the users connect to the web portal.
Configuring Clientless SSL VPN
In this procedure, you will configure a clientless SSL VPN using the local user database of the ASA.
1. In the ASDM, navigate to Wizards > VPN Wizards > Clientless SSL VPN Wizard.
2. On the Step 1 page of the wizard, provide an informational description for the connection and click Next.
3. When the Step 2 page appears, give the connection profile a name in the Connection Profile Name box. Just below that, select the interface that will host the connection and click Next.
4. In the Step 3 dialog box, select the Authenticate Using The Local User Database radio button. Click the Add button and create a user account for the user, specifying both a username and a password. Then click Next.
5. On the Step 4 page of the wizard, create a group policy for the user by selecting the Create A New Group Policy radio button and give the policy a name. Then click Next.
6. In the Step 5 dialog box, you will create a bookmark list and then add bookmarks to the list. Just to the right of the Bookmarks List field, click the Manage button. The Configure GUI Customization dialog box appears. Click the Add button, and when the Add Bookmark List dialog box appears, give the bookmark list a name. Then click the Add button in this dialog box. When the Select Bookmark Type dialog box appears, accept the URL With The GET Or POST Method option and click OK.
7. Now you will add a bookmark for a web resource you will make available. In the Add Bookmark dialog box, give the bookmark a name, select the HTTP protocol, and enter the IP address of the server providing this resource. When you have added all the bookmarks you need on this page, click OK.
8. On the Configure GUI Customization page, click OK.
9. In the Step 5 window, ensure that your bookmark list is selected and click Next.
10. Review the summary on the Step 6 page and click Finish.
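The ASA CLI equivalent of what the Clientless SSL VPN Wizard produces, added here as an example that is not from the book, so the four high-level steps can be recognized in the running configuration; the interface name outside, the user vpnuser, the trustpoint ASA-ID-CERT, the group policy CLIENTLESS-GP, the connection profile CLIENTLESS-PROFILE and the bookmark list INTRANET are assumptions.

```cisco
! Added example, not from the book. All names below are assumed.
! Step 1: terminate clientless SSL VPN on the outside interface and show the profile list on the portal.
webvpn
 enable outside
 tunnel-group-list enable
! Step 2: present the identity certificate (trustpoint enrolled beforehand) on that interface.
ssl trust-point ASA-ID-CERT outside
! Step 3a: the local user account (Authenticate Using The Local User Database).
username vpnuser password <strong-password-here>
! Step 3b: a group policy that allows only the clientless tunneling protocol.
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value INTRANET
! Step 3c: the connection profile, with the policy attached and an alias for the portal drop-down.
tunnel-group CLIENTLESS-PROFILE type remote-access
tunnel-group CLIENTLESS-PROFILE general-attributes
 default-group-policy CLIENTLESS-GP
tunnel-group CLIENTLESS-PROFILE webvpn-attributes
 group-alias intranet enable
! Bind the user to the policy so the user cannot land in the default group policy.
username vpnuser attributes
 vpn-group-policy CLIENTLESS-GP
! Step 4: the bookmark list INTRANET is an XML object stored in flash by the ASDM Manage
! dialog; it is referenced here by name rather than typed at the CLI.
! Verification (exec mode) once a user has logged in: show vpn-sessiondb webvpn
```

Restricting vpn-tunnel-protocol to ssl-clientless is the control that stops a portal user from also bringing up a full AnyConnect tunnel under this policy.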
Verify a Clientless Connection
Naturally, the most effective way to verify the proper configuration of the clientless SSL VPN is to ensure that a connection can be made. This involves the following:
1. Connecting to the site URL
2. Specifying the group configured for the user
3. Entering the name and the password for the user
4. Verifying that the bookmarks appear when authentication is complete
5. Testing the bookmarks to ensure that they connect to the correct resource
Basic AnyConnect SSL VPN Using ASDM
To utilize a Cisco AnyConnect SSL VPN, a VPN client called the AnyConnect client must be installed on the user device. When configuring the connection, you will make this client available to be downloaded and installed on the user device the first time the user connects, making a manual installation of the client unnecessary.
From a high level, the steps to be completed to configure the Cisco AnyConnect SSL VPN are as follows:
1. Create a connection profile and attach it to the external interface of the ASA.
2. Generate a self-signed certificate for the ASA (or use an existing one if it exists already).
3. Make the AnyConnect client available for download when the user connects.
4. Create an account and password for the user on the ASA.
5. Create a pool of IP addresses that can be issued to AnyConnect clients.
6. Exempt the internal network from the NAT process.
7. Select to allow the web launch of the AnyConnect client.
8. Create a group policy for the remote access connection and assign it to the user.
Configuring AnyConnect SSL VPN
In this procedure, you will configure an AnyConnect SSL VPN using the local user database of the ASA.
1. In the ASDM window, navigate to Wizards > VPN Wizards > AnyConnect VPN Wizard. When the wizard opens, click Next on the first page.
2. Next, on the Connection Profile Identification page, enter a profile name for the connection profile and ensure that VPN Access Interface is set to the Internet interface.
3. On the VPN Protocol page, select SSL. In the Device Certificate With RSA Key drop-down box, select an existing certificate or click Manage and generate a certificate.
4. On the Client Images page, click the Add button. In the Add AnyConnect Client Image window, click the Upload button. Browse to the location of the AnyConnect image file and select the .pkg version. Verify the selection by clicking Select, Upload File, OK, and OK.
5. On the Authentication Methods page, create a username and password for the user.
6. On the Client Address Assignment page, click New and create a scope of IP addresses to be available to the AnyConnect clients.
7. On the Network Resolution page, enter the IP address of a DNS server.
8. On the NAT Exempt page, if the ASA is also performing NAT, select the Exempt VPN Traffic From Network Address Translation check box. Click Next.
9. For the AnyConnect Client Deployment step, select Allow Web Launch.
10. On the Summary page, review your settings and click Finish.
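The ASA CLI equivalent of the AnyConnect VPN Wizard pages above, added here as an example that is not from the book; the interface names inside/outside, the inside LAN 10.0.1.0/24, the client pool 10.0.50.0/24, the DNS server 10.0.1.5, the user vpnuser, the trustpoint ASA-ID-CERT, the policy and profile names, and the package filename placeholder are all assumptions.

```cisco
! Added example, not from the book. Addresses, names and the package filename are assumed.
! Wizard page 6: the pool of addresses handed to connecting clients.
ip local pool ANYCONNECT-POOL 10.0.50.1-10.0.50.254 mask 255.255.255.0
! Wizard pages 2-4 and 9: enable SSL VPN on the Internet-facing interface, publish the
! uploaded client package (replace the placeholder with the real .pkg name) and allow
! web launch from the portal.
ssl trust-point ASA-ID-CERT outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-VERSION-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
! Wizard page 5: the local user.
username vpnuser password <strong-password-here>
! Group policy for the full-tunnel client: protocol, pool and DNS (wizard pages 3, 6 and 7).
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT-POOL
 dns-server value 10.0.1.5
! Wizard page 2: the connection profile on the outside interface, with a portal alias.
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias anyconnect enable
! Wizard page 8: NAT exemption so inside-to-client traffic keeps its real addresses.
object network INSIDE-LAN
 subnet 10.0.1.0 255.255.255.0
object network ANYCONNECT-CLIENTS
 subnet 10.0.50.0 255.255.255.0
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static ANYCONNECT-CLIENTS ANYCONNECT-CLIENTS no-proxy-arp route-lookup
! Verification (exec mode) once the client has connected: show vpn-sessiondb anyconnect
```

If the NAT exemption is omitted, the client can still connect and authenticate, but replies from the inside LAN are translated and never reach the 10.0.50.0/24 pool, which is the usual cause of a tunnel that is up with no traffic flowing.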
Verify an AnyConnect Connection
Again, the most effective way to verify the proper configuration of the AnyConnect SSL VPN is to ensure that a connection can be made and that the client installs and allows full VPN access. This involves the following:
1. Connecting to the site URL
2. Specifying the group configured for the user
3. Entering the name and the password for the user
4. Ensuring that the user is offered the option to install the AnyConnect client
5. Ensuring the client successfully installs
6. Ensuring that the user is given full tunnel VPN access to the network
Endpoint Posture Assessment
The Cisco AnyConnect client also includes modules that can enhance its capabilities. Two of these modules are the ASA Posture module and the ISE Posture module. Both modules offer the ability to assess an endpoint's compliance with requirements regarding operating system version, antivirus updates, and other security-related issues through an endpoint posture assessment. This gives you the ability to verify the security posture before allowing the device access to the network.
While the ASA module performs a server-side assessment, ISE sends the policy requirements to the endpoint, where the assessment then occurs. The ASA module collects the health information in the form of attributes and sends them to the ASA, where the assessment occurs.
Both systems can deny access to the endpoints that fail the assessment, and both offer remediation capabilities as well. Remediation with the ASA module is limited to working with the software present on the endpoint, meaning it can enable, disable, or update that software. ISE quarantines the device and directs it to servers that remediate the issues. Only then is the endpoint allowed full access to the network.
Configuring Site-to-Site VPNs
Site-to-site VPN connections have an endpoint in one location or office and another endpoint in another office. While both SSL and IPsec can be used for these VPNs, this section will focus on the IPsec site-to-site VPN. Also, while the authentication can be done with other means, we will focus on the use of a preshared key.
Implement an IPsec Site-to-Site VPN with Preshared Key Authentication
A Cisco IPsec site-to-site VPN can be configured on an ASA using the ASDM, or it can be set up on a Cisco router. You will learn about both methods in the following sections. Following this, you will learn how to verify the configuration. For both processes, the high-level steps required are as follows:
1. Ensure that all ACLs are compatible with IPsec.
2. Configure an ISAKMP policy that contains the ISAKMP parameters.
3. Define the IPsec transform set, which includes the encryption and integrity algorithms.
4. Create a crypto ACL that defines the traffic types to be sent and protected through the tunnel.
5. Create a crypto map that defines the peers, applies the parameters of the crypto ACL to them, and applies the crypto ACL to the interface.
Cisco Routers
Here you will learn how to do the implementation.
Implement an IPsec Site-to-Site VPN with Preshared Key Authentication with a Cisco Router
In this procedure, you will implement an IPsec site-to-site VPN with preshared key authentication with a Cisco router.
1. Execute the show run command and locate the section for the interface where the connection will be configured. Examine the ACL applied to that interface if one exists. Ensure that the following permit statements are present and, if not present, apply them to the list, taking care to sequence them in the proper location:
permit ahp host <IP address of the peer router> host <IP address of the local router>
permit esp host <IP address of the peer router> host <IP address of the local router>
permit udp host <IP address of the peer router> host <IP address of the local router> eq isakmp
permit udp host <IP address of the peer router> host <IP address of the local router> eq non500-isakmp
2. Now define an ISAKMP policy and number it 111. When you are done, the prompt will change, and the next commands will be part of the policy.
Router70(config)# crypto isakmp policy 111
3. Now complete the policy, specifying the following settings:
Authentication: preshared key
Encryption algorithm: 128-bit AES
1024-bit Diffie-Hellman for key exchange (specify group 5)
SHA algorithm for integrity
Security Association lifetime: 1 day (86400 seconds)
Use the following commands for this:
Router70(config-isakmp)# authentication pre-share
Router70(config-isakmp)# encryption aes 128
Router70(config-isakmp)# group 5
Router70(config-isakmp)# hash sha
Router70(config-isakmp)# lifetime 86400
Ensure that the peer router has at least one ISAKMP policy that includes these settings. Remember that policy names and PSKs are case-sensitive.
4. Specify the ISAKMP key and the IP address of the peer router at the global configuration prompt. In this case, the peer is at 102.168.5.3, and the PSK is MAC321.
Router70(config)# crypto isakmp key MAC321 address 102.168.5.3
5. Configure the IPsec transform set by specifying the following:
Transform set name: AES_SHA
Mechanism for payload authentication: ESP HMAC
Mechanism for payload encryption: ESP
IPsec mode: tunnel (defaults to tunnel)
Use the following commands for this:
Router70(config)# crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
6. Create a crypto ACL (an extended access list) that specifies the inbound and outbound traffic that IPsec should protect. In this case, protect all TCP traffic. It will be specified using the source network ID and the destination network ID using wildcard masks. The source network is 10.0.2.0/24, and the destination is 10.0.1.0/24.
Router70(config)# access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
7. Create a crypto map that specifies the ACL number 110, the transform set name, and the IPsec peer. Use a map name of mymap and set the SA lifetime to 86400 seconds.
Router70(config)# crypto map mymap 10 ipsec-isakmp
Router70(config-crypto-map)# match address 110
Router70(config-crypto-map)# set peer 102.168.5.3
Router70(config-crypto-map)# set transform-set AES_SHA
Router70(config-crypto-map)# set security-association lifetime seconds 86400
8. Apply the crypto map to the interface Serial 0/1.
Router70(config)# int s0/1
Router70(config-if)# crypto map mymap
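The matching configuration for the peer router, added here as an example that is not in the book, showing what "at least one ISAKMP policy that includes these settings" means in practice: identical policy parameters and key, the same transform set, and the crypto ACL with source and destination swapped. The peer's hostname Router71 is assumed, Router70's own WAN address is not given in the book and appears as the placeholder <ROUTER70_IP>, and the show commands at the end go beyond the book's ping test.

```cisco
! Added example, not from the book. Router71 is an assumed name; <ROUTER70_IP> is a placeholder.
! Phase 1 policy: every parameter must match one policy on Router70 (here policy 111).
Router71(config)# crypto isakmp policy 111
Router71(config-isakmp)# authentication pre-share
Router71(config-isakmp)# encryption aes 128
Router71(config-isakmp)# group 5
Router71(config-isakmp)# hash sha
Router71(config-isakmp)# lifetime 86400
Router71(config-isakmp)# exit
! Same case-sensitive PSK, bound to Router70's address instead of the peer's own.
Router71(config)# crypto isakmp key MAC321 address <ROUTER70_IP>
! Same transform set name and transforms.
Router71(config)# crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
Router71(cfg-crypto-trans)# exit
! Mirror image of Router70's access-list 110: local 10.0.1.0/24 to remote 10.0.2.0/24.
! A non-mirrored ACL is the classic cause of a phase 2 proxy identity mismatch.
Router71(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
Router71(config)# crypto map mymap 10 ipsec-isakmp
Router71(config-crypto-map)# match address 110
Router71(config-crypto-map)# set peer <ROUTER70_IP>
Router71(config-crypto-map)# set transform-set AES_SHA
Router71(config-crypto-map)# set security-association lifetime seconds 86400
Router71(config-crypto-map)# exit
Router71(config)# interface Serial0/1
Router71(config-if)# crypto map mymap
Router71(config-if)# end
! Verification after a TCP connection between the two LANs. Note that ICMP ping does not
! match access-list 110, which permits only tcp, so it will not bring this tunnel up.
! Phase 1 SA for the peer should reach state QM_IDLE:
Router71# show crypto isakmp sa
! Phase 2 SAs: the pkts encaps and pkts decaps counters should increase with traffic:
Router71# show crypto ipsec sa
! Confirms the map, peer, ACL and the interface the map is bound to:
Router71# show crypto map
```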
ASA Firewalls
When configuring a site-to-site VPN between two ASA firewalls, you will in most cases make use of the ASDM. Therefore, you will learn the procedure for doing this.
Implement an IPsec Site-to-Site VPN with Preshared Key Authentication on ASA with the ASDM
In this procedure, you will implement an IPsec site-to-site VPN with preshared key authentication on ASA.
1. In the ASDM, navigate to Wizards > VPN Wizards > Site-to-Site VPN Wizard. On the Introduction screen, click Next.
2. On the Peer Device Identification screen, enter the IP address of the peer ASA device and select the external interface leading to the peer. Click Next.
3. On the Traffic To Protect screen, enter the network ID of the local network in the Local Network field and the network ID of the remote network in the Remote Network field. Click Next.
4. In the Security panel, select Simple Configuration and enter the preshared key for the connection.
5. On the NAT Exempt page, if the ASA is also performing NAT, select the Exempt VPN Traffic From Network Address Translation check box. Then click Next.
6. In the Summary window, verify your selections. When satisfied, select Finish.
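The ASA CLI that the Site-to-Site VPN Wizard's Simple Configuration produces, added here as an example that is not from the book; it reuses the peer address 102.168.5.3 and the PSK MAC321 from the router procedure, and assumes the interface names inside/outside, the local LAN 10.0.1.0/24, the remote LAN 10.0.2.0/24 and an IKEv1 policy number of 10.

```cisco
! Added example, not from the book. Interface names, LAN addresses and policy number are assumed.
! Peer Device Identification: IKEv1 on the external interface facing the peer.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
! Security page: on the ASA the preshared key lives in an L2L tunnel group named after the peer.
tunnel-group 102.168.5.3 type ipsec-l2l
tunnel-group 102.168.5.3 ipsec-attributes
 ikev1 pre-shared-key MAC321
! Traffic To Protect: local and remote networks become the crypto ACL.
object network LOCAL-LAN
 subnet 10.0.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.0.2.0 255.255.255.0
access-list L2L-VPN extended permit ip object LOCAL-LAN object REMOTE-LAN
! Transform set and crypto map, bound to the outside interface.
crypto ipsec ikev1 transform-set AES_SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address L2L-VPN
crypto map outside_map 10 set peer 102.168.5.3
crypto map outside_map 10 set ikev1 transform-set AES_SHA
crypto map outside_map interface outside
! NAT Exempt page: keep site-to-site traffic untranslated in both directions.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
! Verification (exec mode) after interesting traffic, such as a ping across the tunnel:
! show crypto ikev1 sa
! show crypto ipsec sa
```

Because this crypto ACL permits ip rather than only tcp, a ping between the two LANs is interesting traffic here and is enough to bring the tunnel up.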
Verify an IPsec Site-to-Site VPN
Regardless of the method used to set up the site-to-site VPN, the verification method is the same. You need to generate interesting traffic from one of the sites to the other and verify that the connection is functional. In these two examples, all traffic is interesting traffic, so all you need do is ping from a device in one location to a device in the other location. If the ping succeeds, the connection is working. If the first ping fails, try again and keep in mind that it takes some time to negotiate the security of the SA.
Summary
In this chapter, you learned the value of the Cisco clientless SSL VPN and the steps required to configure it. The chapter also discussed an alternative to this VPN type, the Cisco AnyConnect SSL VPN, which provides a full-tunnel experience but requires client software on the user's device. You also learned about modules in the Cisco AnyConnect client that can provide endpoint posture assessment. Finally, the chapter covered how to implement an IPsec site-to-site VPN with preshared key authentication.
Exam Essentials
Identify the steps to be completed to configure the Cisco clientless SSL VPN. These steps are first to enable clientless SSL VPN traffic termination on an ASA interface and then to configure clientless SSL server authentication by provisioning an identity certificate and attaching it to the interface. Next configure user authentication and finally create bookmarks for the links to the resources that will appear when the users connect to the web portal.
ListthestepstobecompletedtoconfiguretheCiscoAnyConnectSSLVPN.Thesestepsincludethefollowing:CreateaconnectionprofileandattachittotheexternalinterfaceoftheASA.Generateaself-signedcertificatefortheASA(oruseanexistingoneifitexistsalready).GenerateanidentitycertificatefortheASAandattachittothekeypair.MaketheAnyConnectclientavailablefordownloadwhentheuserconnects.CreateanaccountandpasswordfortheuserontheASA.CreateapoolofIPaddressesthatcanbeissuedtoAnyConnectclients.ExempttheinternalnetworkfromtheNATprocess.SelecttoallowtheweblaunchoftheAnyConnectclient.Createagrouppolicyfortheremoteaccessconnectionandassignittotheuser.
Describethecomponentsthatprovideendpointpostureassessment.TheCiscoAnyConnectclientalsoincludesmodulesthatcanenhanceitscapabilities.TwoofthesemodulesaretheASAPosturemoduleandtheISEPosturemodule.Bothmodulesoffertheabilitytoaccessanendpoint’scompliancewithrequirementsregardingoperatingsystemversion,antivirusupdates,andothersecurity-relatedissues.Thisgivesyoutheabilitytoverifythesecurityposturebeforegivingthedeviceaccesstothenetwork.
ListthestepstoimplementanIPsecsite-to-siteVPNwithpresharedkeyauthentication.Thesestepsincludethefollowing:EnsurethatallACLsarecompatiblewithIPsec.ConfigureanISAKMPpolicythatcontainstheISAKMPparameters.DefinetheIPsectransformset,whichincludestheencryptionandintegrityalgorithms.CreateacryptoACLthatdefinesthetraffictypestobesentandprotectedthroughthetunnel.Createacryptomapthatdefinesthepeers,appliestheparametersofthecryptoACLtothem,andappliesthecryptoACLtotheinterface.
ReviewQuestions1. WhichconfidentialityalgorithmisnotsupportedforanSSL/TLSVPN?
A. DES
B. 3DES
C. AES
D. RC4
2. InanSSL/TLSVPN,whatfunctioncantheDSAalgorithmbeusedfor?
A. Authentication
B. Integrity
C. Confidentiality
D. Key management
3. In the SSL connection process, which step occurs last?
A. Session keys are exchanged.
B. The server transmits its certificate to the client.
C. The client sends hello packets.
D. The client sends its certificate to the server.
4. Which of the following is not a subtask of configuring user authentication for a Cisco clientless SSL VPN connection?
A. Create a connection profile for the VPN users
B. Configure a group policy for the VPN users
C. Create accounts for the VPN users
D. Create bookmarks for the links to the resources
5. Which of the following is false regarding an endpoint posture assessment?
A. The ISE module performs a server-side assessment.
B. Both ISE and ASA posture modules offer the ability to assess an endpoint's compliance.
C. Both systems can deny access to the endpoints that fail the assessment, and both offer remediation capabilities.
D. The ISE quarantines a noncompliant device and directs it to servers that remediate the issues.
6. When implementing an IPsec site-to-site VPN, in which step are the encryption and integrity algorithms defined?
A. Creating a crypto map
B. Creating a crypto ACL
C. Defining the IPsec transform set
D. Specifying the ISAKMP key
7. Which of the following commands specifies the details of the key exchange algorithm?
A. Router70(config-isakmp)# lifetime 86400
B. Router70(config-isakmp)# encryption aes 128
C. Router70(config-isakmp)# group 5
D. Router70(config-isakmp)# authentication pre-share
8. In the following command, what does the number 10 represent?
Router70(config)# crypto map mymap 10 ipsec-isakmp
A. Sequence number
B. ACL number
C. Map name
D. SA lifetime
9. Which of the following is possible when certificates are present on both the client and the server?
A. Hairpinning
B. Mutual authentication
C. Online certificate verification
D. Split tunneling
10. Which of the following is not a possible authentication mechanism available in the SSL VPN?
A. RSA
B. CHAP
C. DSA
D. EC
11. Which of the following will be included in the certificate the server presents to the client?
A. PSK
B. Private key
C. Transform set
D. Public key
12. What step makes secure data exchange possible?
A. Exchange of hellos
B. Exchange of session keys
C. Exchange of certificates
D. Exchange of credentials
13. In which type of VPN does the user use the browser to connect to an SSL-enabled website?
A. AnyConnect
B. Clientless
C. IPsec with preshared key
D. IPsec site-to-site
14. What is the function of the MD5 algorithm in the SSL VPN process?
A. Authentication
B. Integrity
C. Confidentiality
D. Key exchange
15. Which of the following defines the traffic types to be sent and protected through the tunnel?
A. Crypto map
B. Crypto ACL
C. IPsec transform set
D. ISAKMP key
16. What does the following command control? Router70(config-isakmp)# lifetime 86400
A. Authentication timeout
B. SA lifetime
C. PSK lifetime
D. Inactivity timer
17. In the following command, what does AES_SHA define? Router70(config)# crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
A. The name of the transform set
B. The mechanism for the payload authentication
C. The mechanism for the payload encryption
D. The tunnel mode
18. Which of the following is not a supported key management algorithm in an SSL VPN?
A. MD5
B. Quantum
C. DH
D. ECC
19. What VPN method requires software on the user device?
A. IPsec site-to-site
B. AnyConnect
C. Clientless
D. IPsec with PSK
20. What statement is false regarding endpoint posture assessment?
A. The ISE module quarantines a noncompliant device and directs it to servers that remediate the issues.
B. The ISE module is limited to working with the software present on the endpoint.
C. Both systems can deny access to the endpoints that fail the assessment.
D. The ASA module performs a server-side assessment.
Chapter 13 Understanding Firewalls
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
5.1 Describe operational strengths and weaknesses of the different firewall technologies
Proxy firewalls
Application firewall
Personal firewall
5.2 Compare stateful vs. stateless firewalls
Operations
Function of the state table
Firewalls are part of the foundation of security in a network. They protect the network perimeter and control access between security zones within your networks. You will also typically deploy firewalls in layers, meaning you will place firewalls on each device. Firewalls differ in the way they examine the traffic they are designed to control and in the effect they have on network performance.
In this chapter, you will learn the following:
The operational strengths and weaknesses of the different firewall technologies
The functions of stateful and stateless firewalls
Understanding Firewall Technologies
Firewalls come with a range of abilities and go about their jobs in different ways depending on the job for which they were designed. They can differ in the OSI layer on which they operate and in the types of actions they can take and the attack types they can mitigate. In this section, you'll learn about a variety of these devices. In the section following this one, you'll look at one firewall capability that deserves a section all its own.
Packet Filtering
Packet filtering firewalls are the least detrimental to throughput because they only inspect the header of the packet for allowed IP addresses or port numbers. Although even performing this function will slow traffic, it involves only looking at the beginning of the packet and making a quick allow or disallow decision.
Although packet filtering firewalls serve an important function, they cannot prevent many attack types. They cannot prevent IP spoofing, attacks that are specific to an application, attacks that depend on packet fragmentation, or attacks that take advantage of the TCP handshake. More advanced inspection firewall types are required to stop these attacks.
Proxy Firewalls
Proxy firewalls stand between each connection from the outside to the inside and make the connection on behalf of the endpoints. Therefore, there is no direct connection. The proxy firewall acts as a relay between the two endpoints. Proxy firewalls can operate at two different layers of the OSI model. Both are discussed shortly.
Circuit-level proxies operate at the Session layer (layer 5) of the OSI model. They make decisions based on the protocol header and Session layer information. Because they do not do deep packet inspection (at layer 7 or the Application layer), they are considered application-independent and can be used for wide ranges of layer 7 protocol types.
A SOCKS firewall is an example of a circuit-level firewall. This requires a SOCKS client on the computers. Many vendors have integrated their software with SOCKS to make using this type of firewall easier.
A kernel proxy firewall is an example of a fifth-generation firewall. It inspects the packet at every layer of the OSI model but does not introduce the performance hit that an Application layer firewall will because it does this at the kernel layer. It also follows the proxy model in that it stands between the two systems and creates connections on their behalf.
Proxy servers can be appliances, or they can be software that is installed on a server operating system. These servers act like a proxy firewall in that they create the web connection between systems on their behalf, but they can typically allow and disallow traffic on a more granular basis. For example, a proxy server might allow the Sales group to go to certain websites while not allowing the Data Entry group access to these same sites. The functionality extends beyond HTTP to other traffic types, such as FTP and others.
Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.
Application Firewall
Application-level proxies perform deep packet inspection. This type of firewall understands the details of the communication process at layer 7 for the application of interest. An application-level firewall maintains a different proxy function for each protocol. For example, for HTTP the proxy will be able to read and filter traffic based on specific HTTP commands. Operating at this layer requires each packet to be completely opened and closed, making this firewall the most impactful on performance.
Personal Firewall
Personal firewalls may be those that come with an operating system like the Windows Firewall, or they may be third-party host firewalls such as Kaspersky Internet Security or ZoneAlarm Pro Firewall. These firewalls, called either host or personal firewalls, protect only the device on which the software is installed.
While never a replacement for properly positioned network firewalls, they are an excellent complement to the protection provided by the network firewalls, and installing both types of firewalls is an example of exercising the concept of defense in depth. This concept prescribes that you should always deploy multiple barriers to unauthorized access.
One key feature that a personal firewall can provide (although in many cases this is not configured by default) is the ability to control egress traffic. This is traffic leaving the device and can help to prevent malware that "calls home" to a command-and-control server from functioning. These firewalls can also help protect systems from other systems inside the network perimeter.
Stateful vs. Stateless Firewalls
One key type of firewall that we saved for the end of this chapter is a stateful firewall. Stateful firewalls are those that are aware of the proper functioning of the TCP handshake, keep track of the state of all connections with respect to this process, and can recognize when packets are trying to enter the network that don't make sense in the context of the TCP handshake. Just as a review, Figure 13.1 shows the process.
FIGURE 13.1 TCP three-way handshake
In this process, a packet should never arrive at a firewall for delivery that has both the SYN flag and the ACK flag set unless it is part of an existing handshake process, and it should be in response to a packet sent from inside the network with the SYN flag set. This is the type of packet that the stateful firewall would disallow. It also can recognize other attack types that attempt to misuse this process. It does this by maintaining a state table about all current connections and the status of each connection process. This allows it to recognize any traffic that doesn't make sense with the current state of the connection. Of course, maintaining this table and referencing the table causes this firewall type to have more of an effect on performance than a packet filtering firewall.
Operations
Figure 13.2 shows the operation of a stateful firewall.
FIGURE 13.2 Stateful firewall operation
The device C1 on the right is sending a SYN packet to the device H1. The firewall permitted and recorded that operation in its state table and will monitor that table whenever a packet arrives at the firewall to ensure that any packets permitted either are connection requests from the inside (SYN packets only) or are part of an existing connection and that all rules of the handshake are enforced. For example, in the scenario, a packet from the outside destined for C1 from H1 with an ACK flag set would be rejected because the next expected packet type in the handshake would be a packet with the SYN and ACK flags set.
State Table
The state table is used to monitor all allowed connections. The following are the key items that are typically recorded by a stateful firewall with respect to each connection:
Source IP address
Source port number
Destination IP address
Destination port number
IP protocol
Flags
Timeout
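The following is an added example, not code from the study guide, that puts the state-table description above and the packet-filtering discussion earlier in the chapter side by side. It keeps a state table keyed on the connection tuple (addresses, ports, protocol) with a per-entry timeout, walks a connection through the handshake, and shows why an inbound ACK or SYN/ACK with no matching SYN is rejected by the stateful firewall while a header-only filter that permits any inbound packet carrying ACK (the classic "established" rule) lets it through. The addresses, ports and the 60-second idle timeout are constructed values.

```python
"""Stateful vs. stateless handling of the TCP three-way handshake.

Added example, not code from the study guide: a small state table keyed on the
connection 5-tuple that tracks the handshake phase, so an inbound SYN/ACK or ACK
is permitted only when it answers a SYN that an inside host actually sent.
All addresses and ports are constructed sample values.
"""
import time
from dataclasses import dataclass

# TCP header flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int
    proto: str = "tcp"
    inbound: bool = False  # True when the packet arrives on the outside interface


class StatelessFilter:
    """Header-only filter: permits every outbound packet and any inbound packet
    carrying ACK. It cannot tell a forged ACK from a genuine reply."""

    def permit(self, pkt: Packet) -> bool:
        return (not pkt.inbound) or bool(pkt.flags & ACK)


class StatefulFirewall:
    """Tracks each inside-originated connection through the handshake."""

    def __init__(self, timeout: float = 60.0):
        self.timeout = timeout
        self.table: dict = {}  # 5-tuple -> {"state": ..., "expires": ...}

    @staticmethod
    def key(pkt: Packet) -> tuple:
        # Keyed from the inside host's side so both directions share one entry.
        if pkt.inbound:
            return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def permit(self, pkt: Packet, now: float = None) -> bool:
        now = time.time() if now is None else now
        k = self.key(pkt)
        entry = self.table.get(k)
        if entry is not None and entry["expires"] < now:
            del self.table[k]  # idle timeout: the entry is gone
            entry = None
        f = pkt.flags
        if entry is None:
            # Only a bare SYN from the inside may create state; an unsolicited
            # SYN/ACK or ACK from outside has no context and is dropped.
            if not pkt.inbound and f == SYN:
                self.table[k] = {"state": "SYN_SENT", "expires": now + self.timeout}
                return True
            return False
        state = entry["state"]
        if state == "SYN_SENT":
            # The only legitimate next packet is SYN/ACK from the outside peer.
            if pkt.inbound and f == SYN | ACK:
                entry.update(state="SYN_RECEIVED", expires=now + self.timeout)
                return True
            return False
        if state == "SYN_RECEIVED":
            # The handshake completes with the inside host's ACK (no SYN).
            if not pkt.inbound and f & ACK and not f & SYN:
                entry.update(state="ESTABLISHED", expires=now + self.timeout)
                return True
            return False
        # ESTABLISHED: data segments carry ACK; a new SYN never belongs here.
        if f & SYN or not f & ACK:
            return False
        if f & (FIN | RST):
            del self.table[k]  # simplification: a real table tracks the FIN exchange
        else:
            entry["expires"] = now + self.timeout
        return True


def demo() -> dict:
    """Runs the handshake from the text plus packets it says must be rejected."""
    fw, stateless = StatefulFirewall(), StatelessFilter()
    inside, outside = "10.1.1.15", "203.0.113.7"  # constructed addresses
    syn = Packet(inside, 40000, outside, 443, SYN)
    syn_ack = Packet(outside, 443, inside, 40000, SYN | ACK, inbound=True)
    ack = Packet(inside, 40000, outside, 443, ACK)
    forged_ack = Packet(outside, 443, inside, 40001, ACK, inbound=True)
    stray_syn_ack = Packet(outside, 80, inside, 40002, SYN | ACK, inbound=True)
    return {
        "handshake": [fw.permit(syn), fw.permit(syn_ack), fw.permit(ack)],
        "final_state": fw.table[fw.key(syn)]["state"],
        "stateful_forged_ack": fw.permit(forged_ack),
        "stateless_forged_ack": stateless.permit(forged_ack),
        "stray_syn_ack": fw.permit(stray_syn_ack),
    }


if __name__ == "__main__":
    print(demo())
```

The `now` argument exists so the timeout can be exercised deterministically: an entry created at one instant and not refreshed within the timeout is discarded, after which the peer's reply is treated like any other unsolicited packet.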
Summary
In this chapter, you learned about various firewall technologies such as proxy, application, personal, and stateful firewalls. You learned their strengths and weaknesses. You also learned about stateful firewalls in greater detail and described the relationship between the operation of these firewalls and the TCP three-way handshake. Finally, you learned what is contained in the state table of a stateful firewall.
Exam Essentials
Identify the operational strengths and weaknesses of firewall technologies. These include proxy, application, personal, and stateful firewalls. Describe each technology's impact on performance and the features that each provides.
Describe the relationship between the TCP three-way handshake and stateful firewalls. Stateful firewalls understand the three-way handshake and can recognize illegal packets that don't make sense in the TCP connection process.
Identify contents of a state table. Key items that are typically recorded by a stateful firewall with respect to each connection are source port number, destination IP address, destination port number, IP protocol, flags, and timeout.
Review Questions
1. Which firewall technology is the least detrimental to performance?
A. Proxy
B. Stateful
C. Packet filtering
D. SOCKS
2. Which firewall type operates at the session layer?
A. Circuit-level proxy
B. Stateful
C. Packet filtering
D. SOCKS
3. Which statement is true of a kernel-level proxy?
A. Operates at the Transport layer
B. Considered a fifth-generation firewall
C. Maintains a state table
D. Examines only the header
4. Which of the following is not a proxy firewall?
A. Kernel
B. Circuit-level
C. SOCKS
D. Application
5. Which type of firewall is ZoneAlarm Pro Firewall?
A. Personal
B. Stateful
C. Packet filtering
D. SOCKS
6. Which value for each connection is not contained in the state table of a stateful firewall?
A. Destination MAC address
B. Source IP address
C. Destination IP address
D. Flags
7. You have selected a firewall that performs deep packet inspection but also creates a performance hit on throughput. What type did you select?
A. Personal
B. Application level
C. Packet filtering
D. SOCKS
8. Which also offers the benefit of web page caching?
A. Personal firewalls
B. Application-level firewalls
C. Proxy servers
D. SOCKS firewalls
9. At what layer of the OSI model do circuit-level proxies operate?
A. Network
B. Transport
C. Application
D. Session
10. Which of the following is most susceptible to IP spoofing attacks?
A. Packet-filtering firewalls
B. Application-level firewalls
C. Proxy servers
D. SOCKS firewalls
11. Which of the following will be able to read and filter traffic based on specific HTTP commands?
A. Packet-filtering firewalls
B. Application-level firewalls
C. Proxy servers
D. SOCKS firewalls
12. What is the only legitimate response to a packet with the SYN flag set?
A. SYN/FIN
B. ACK
C. SYN/ACK
D. FIN
13. A packet was just received with the SYN/ACK flags set. What data structure will a stateful firewall use to determine whether this packet is allowed?
A. ARP cache
B. Routing table
C. DNS resolver cache
D. State table
14. Installing both personal and network firewalls is an example of exercising what concept?
A. Defense in depth
B. Separation of duties
C. Least privilege
D. Need to know
15. A SOCKS firewall is an example of which firewall technology?
A. Packet-filtering firewalls
B. Circuit-level firewall
C. Proxy servers
D. Stateful firewalls
16. Which traffic type would be accepted by a stateful firewall?
A. A SYN/ACK packet that is not related to a current connection
B. An ACK packet that is in response to a SYN packet in a current connection setup
C. A SYN/ACK packet in response to a SYN packet in a current connection setup
D. An ACK packet that is not related to a current connection
17. Which of the following is not a proxy firewall?
A. SOCKS firewalls
B. Circuit-level firewalls
C. Stateful firewalls
D. Kernel-level firewalls
18. Which statement is not true of personal firewalls?
A. May be those that come with an operating system like the Windows Firewall or may be third-party hosted firewalls
B. Protect only the device on which the software is installed
C. Can control egress traffic
D. Can be a replacement for properly positioned network firewalls
19. Which firewall technology is the most detrimental to performance?
A. Application level
B. Stateful
C. Packet filtering
D. SOCKS
20. Which firewall type operates at the Network and Transport layers?
A. Circuit-level proxy
B. Packet filtering
C. Stateful
D. SOCKS
Chapter 14: Configuring NAT and Zone-Based Firewalls
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
5.3 Implement NAT on Cisco ASA 9.x
Static
Dynamic
PAT
Policy NAT
Verify NAT operations
5.4 Implement zone-based firewall
Zone to zone
Self-zone
Network Address Translation (NAT) is a feature found in firewalls and many router platforms that allows for the translation of private IP addresses to public IP addresses at the network edge. While one of the driving forces behind the development of NAT was the conservation of public IPv4 address space, NAT also has a security component in that the process helps to hide the interior addressing scheme. Zone-based firewalling is an approach that makes traffic filtering decisions between zones rather than by specific IP addresses. In this chapter, you will learn how to implement several types of NAT and configure zone-based firewalling.
In this chapter, you will learn the following:
How to implement NAT on Cisco ASA 9.x platforms
How to implement zone-based firewalls
Implementing NAT on ASA 9.x
There are three types of NAT that can be implemented. This section discusses how these three types operate, and you'll learn how to implement each type on the Adaptive Security Appliance (ASA).
In static NAT, each private IP address is mapped to a public IP address. While this does not save any of the public IPv4 address space, it does have the benefit of hiding your internal network address scheme from the outside world.
In dynamic NAT, a pool of public IP addresses is obtained that is at least equal to the number of private IP addresses that require translation. However, rather than mapping the private IP addresses to the public IP addresses, the NAT device maps the public IP addresses from the pool on a dynamic basis much like a DHCP server does when assigning IP addresses.
Finally, Port Address Translation (PAT) is a form of NAT in which all private IP addresses are mapped to a single public IP address. This provides both benefits of saving the IPv4 address space and hiding the network address scheme. This system is called PAT because the ephemeral port numbers that devices choose as the source port for a connection (which are chosen randomly from the upper ranges of the port numbers) are used to identify each source computer in the network. This is required since all devices are mapped to the same public IP address.
When configuring NAT on the ASA, you need to understand that it uses an object-oriented approach. In other words, an object is created for each host, for each translated address, and for each service that is used in the translation process. Translations are configured as network objects. A network object is defined as a single address or as a network ID.
The resulting host or network defined in a network object is used to represent the private IP address prior to translation. When ACLs are used to define traffic allowed from a lower-security interface to a higher-security interface, these pretranslation objects are referenced.
The ASA uses a NAT table to hold the translations. This table has three sections. When an outgoing packet arrives at the ASA, the sections are read from top to bottom, and the first translation match is applied. The three sections are as follows:
Manual NAT: This contains translations that have been defined to be applied by the appliance before the other sections are consulted. These translations are typically very specific and may indicate a translation on both the source and destination IP addresses.
Auto NAT: In this section, also called object NAT, translations that are defined on the object itself are contained. These translations, one for each object, are typically either static translations for servers that must be reached from the outside world (and require the same public IP address always) or dynamic translations for clients trying to reach the Internet.
Manual NAT after Auto NAT: This contains more general translations not handled by the first two sections. These are used only when no translation matches in the first two sections.
If a packet doesn't match any of the mappings found in any of the three tables, the packets are sent untranslated.
Static
To configure a static NAT translation, follow the steps in the next procedure.
Configuring Static NAT
In this procedure, you will create a static NAT mapping for a device.
1. Connect to the ASA using the Adaptive Security Device Manager (ASDM).
2. Navigate to Configuration > Firewall > Network Objects > Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the static mapping. Ensure that this is the pretranslation IP address.
3. In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules check box and select Static as the type in the drop-down box just below the Add Automatic Address Translation Rules check box.
4. Just below the drop-down box where you select Static is the Translated Addr field. In the Translated Addr field, click the Browse button. You can browse for objects that have been created here, but you will be creating a new object, so click the Add button at the top of the page.
5. When the Add Network Object dialog box appears, enter a name for the translated object and the address type and public IP address to which the device should be translated. Then click OK.
6. Back on the Add Network Object page where you defined the pretranslation information, click the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces on the ASA. You will choose these from a drop-down box.
7. Click OK and then Apply. The configuration is now complete.
Dynamic
To configure dynamic NAT translation, follow the steps in the next procedure.
Configuring Dynamic NAT
1. Connect to the ASA using the ASDM.
2. Navigate to Configuration > Firewall > Network Objects > Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the static mapping. Ensure that this is the pretranslation IP address.
3. In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules check box and select Dynamic as the type in the drop-down box just below the Add Automatic Address Translation Rules check box.
4. Just below the drop-down box where you select Static is the Translated Addr field. In the Translated Addr field, click the Browse button. You can browse for objects that have been created here, but you will be creating a new object, so click the Add button at the top of the page.
5. In this case, the object you will be creating will be a range of public IP addresses, which you will name TranslatedPool. Enter a range of addresses using the Start Address and End Address fields. While you are creating only one mapping to the pool in this exercise, in the real world ensure that you have enough public IP addresses in the pool for the private addresses to be translated.
6. Back on the Add Network Object page where you defined the pretranslation information, choose the new network object by double-clicking it and then click the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces on the ASA. You will choose these from a drop-down box.
7. Click OK and then Apply. The configuration is now complete.
PAT
To configure PAT translation, follow the steps in the next procedure.
Configuring PAT
1. Connect to the ASA using the ASDM.
2. Navigate to Configuration > Firewall > Network Objects > Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the static mapping. Ensure that this is the pretranslation IP address.
3. In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules check box and select Dynamic PAT (Hide) as the type in the drop-down box just below the Add Automatic Address Translation Rules check box.
4. In this case, you are not mapping to an individual IP address or to a pool of IP addresses; you will be mapping to the Internet-facing interface of the ASA. When you do this with PAT (Hide) selected, all mappings will use the public address configured on that Internet interface. Use the Browse button to browse to the Internet-facing interface on the ASA. If an object has not been created for the interface, do so now by specifying its public IP address.
5. Back on the Add Network Object page where you defined the pretranslation information, choose the new network object by double-clicking it and then clicking the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces of the ASA. You will choose these from a drop-down box.
6. Click OK and then Apply. The configuration is now complete.
Policy NAT
In some scenarios, you may need more options than are available with Auto NAT (as you will see in the next procedure), or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you. This section also has the advantage of being checked for a translation match before the other two sections. When you do this, it is also called Policy NAT. It is also sometimes called Twice NAT because the same rule can perform translation in both directions (translating not only the address in the device inside the network outgoing but also the IP address of the exterior device incoming).
In the scenario you will use in the next procedure, you will use Policy NAT to create a mapping for an internal device that is effective only when the internal device is communicating with one specific exterior device and not effective otherwise.
To configure Policy NAT to support this scenario, follow the steps in the next procedure.
Configuring Policy NAT
1. Connect to the ASA using the ASDM.
2. Navigate to Configuration > Firewall > Objects > Network Objects/Groups. Select Add Network Object.
3. Create three network objects: one for the private IP address of the internal device, one for the public IP address to which the internal device will be mapped, and one for the private IP address to which the external device will be mapped incoming. Define the parameters of each object. When you are finished, click Apply.
4. Now you will define the manual translation that will apply only between these two systems. Navigate to Configuration > Firewall > NAT Rules.
5. The NAT Rules table appears. When you configure manual NAT entries, they can be applied either before or after Network Object NAT rules such as those you configured in the earlier procedures. In this case, you want this rule to apply before those rules do, so click Add and then Add NAT Rule before "Network Object" NAT Rules. The Add NAT Rule box appears.
6. The top section of the Add NAT Rule dialog box is where you configure how the packet will be identified for translation using this rule. In the Source Interface field, select Any from the drop-down box, and in the Source Address field use the drop-down box to select the object you created in step 3 representing the private IP address of the internal device.
7. In the Destination Interface field, select Any from the drop-down box, and in the Destination Address field use the drop-down box to select the object you created in step 3 representing the public IP address of the external device.
8. Now that you have defined the match parameters for the translation, you need to configure the translation. In the Action: Translation Packet section in the Source NAT Type drop-down box, select Static. In the Source Address drop-down box, select the object you created in step 3 representing the public IP address to which the internal device should be translated. In the Destination Address field, select Original from the drop-down box.
9. Select OK and then Apply. The configuration is now complete.
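The following added example, which is neither the study guide's nor Cisco's code, ties together the three NAT types described at the start of this section, the three-section lookup order of the ASA NAT table, and the policy NAT scenario of the procedure just above. Rules are kept in the manual, auto and manual-after-auto sections and searched top to bottom with first match winning; a packet that matches nothing is forwarded untranslated. The manual rule is a policy NAT rule that applies only toward one destination network, the auto rules are a static server mapping and a two-address dynamic pool, and the manual-after-auto rule hides everything else behind one address with PAT. All addresses, ports and the port-allocation scheme are constructed simplifications.

```python
"""ASA-style NAT lookup with three rule sections.

Added example, not the study guide's or Cisco's code. Rules sit in the three
sections the text describes (manual NAT, auto/object NAT, manual NAT after
auto NAT), are searched top to bottom, and the first match is applied; a
packet matching nothing is forwarded untranslated. Every address and port
below is a constructed sample value.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional

SECTIONS = ("manual", "auto", "manual_after_auto")  # search order


@dataclass
class NatRule:
    section: str                 # one of SECTIONS
    real: str                    # pre-translation host or network, CIDR
    kind: str                    # "static", "dynamic" or "pat"
    mapped: list                 # static: [ip]; dynamic: pool of ips; pat: [interface ip]
    dest: Optional[str] = None   # policy NAT: rule applies only toward this network
    leases: dict = field(default_factory=dict)  # dynamic NAT: real ip -> pool ip

    def matches(self, src: str, dst: str) -> bool:
        if ip_address(src) not in ip_network(self.real):
            return False
        return self.dest is None or ip_address(dst) in ip_network(self.dest)


class NatTable:
    def __init__(self):
        self.rules = {s: [] for s in SECTIONS}
        self.xlate = {}               # (real ip, real port, proto, rule id) -> (mapped ip, mapped port)
        self._pat_ports = count(1024)  # simplification: the ASA first tries to keep the original port

    def add(self, rule: NatRule) -> None:
        self.rules[rule.section].append(rule)

    def lookup(self, src: str, dst: str) -> Optional[NatRule]:
        # Sections top to bottom; within a section, insertion order (the ASA's
        # own intra-section ordering is not modelled here).
        for section in SECTIONS:
            for rule in self.rules[section]:
                if rule.matches(src, dst):
                    return rule
        return None

    def translate(self, src: str, src_port: int, dst: str, proto: str = "tcp") -> tuple:
        rule = self.lookup(src, dst)
        if rule is None:
            return (src, src_port)     # no match in any section: sent untranslated
        key = (src, src_port, proto, id(rule))
        if key in self.xlate:          # an existing translation is reused
            return self.xlate[key]
        if rule.kind == "static":      # one-to-one, port unchanged
            mapped = (rule.mapped[0], src_port)
        elif rule.kind == "dynamic":   # lease a pool address per real host, DHCP-like
            if src not in rule.leases:
                free = [ip for ip in rule.mapped if ip not in rule.leases.values()]
                if not free:
                    raise RuntimeError(f"dynamic NAT pool exhausted for {src}")
                rule.leases[src] = free[0]
            mapped = (rule.leases[src], src_port)
        else:                          # pat: one public address, a unique port per flow
            mapped = (rule.mapped[0], next(self._pat_ports))
        self.xlate[key] = mapped
        return mapped

    def show_xlate(self) -> list:
        """Lines in the spirit of 'show xlate detail' (format approximated, not Cisco's)."""
        return [f"{proto.upper()} from inside:{src}/{sport} to outside:{mip}/{mport}"
                for (src, sport, proto, _), (mip, mport) in self.xlate.items()]


def build_demo() -> NatTable:
    """The rule set used below; all addresses are constructed."""
    nat = NatTable()
    # Policy (manual) NAT: 10.1.1.20 appears as 203.0.113.20 only toward the partner network.
    nat.add(NatRule("manual", "10.1.1.20/32", "static", ["203.0.113.20"], dest="198.51.100.0/24"))
    # Auto (object) NAT: a web server that must always have the same public address.
    nat.add(NatRule("auto", "10.1.1.80/32", "static", ["203.0.113.80"]))
    # Auto (object) NAT: a two-address dynamic pool for a server subnet.
    nat.add(NatRule("auto", "10.1.2.0/24", "dynamic", ["203.0.113.50", "203.0.113.51"]))
    # Manual NAT after auto NAT: everything else inside hides behind the outside interface.
    nat.add(NatRule("manual_after_auto", "10.1.0.0/16", "pat", ["203.0.113.1"]))
    return nat


if __name__ == "__main__":
    nat = build_demo()
    nat.translate("10.1.1.20", 5000, "198.51.100.9")   # policy NAT applies
    nat.translate("10.1.1.20", 5001, "192.0.2.1")      # falls through to PAT
    print("\n".join(nat.show_xlate()))
```

The same inside host gets two different translations depending on where it is talking to, which is exactly the behaviour the policy NAT procedure configures; the exhausted dynamic pool raises rather than silently falling through, since an undersized pool is the failure mode the dynamic NAT procedure warns about.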
Verifying NAT Operations
There are several ways to verify that NAT is operating correctly. They include viewing the NAT translations in the translation table using the show xlate command, and in cases where you are not getting any NAT translations, you can view the configuration and check for errors using the show nat command.
Viewing Translations
Using the show xlate command on an ASA on which PAT has been configured, you can see in the following output that three translations have occurred. As PAT is in use, all three have received the same public IP address.
hostname# show xlate
3 in use, 3 most used
PAT Global 103.61.3.9(0) Local 10.1.1.15 ICMP id 340
PAT Global 103.61.3.9(1024) Local 10.1.1.15(1028)
PAT Global 103.61.3.9(1024) Local 10.1.1.15(516)
The following is sample output from the show xlate detail command. It shows the translation type and interface information with three active PATs.
The r flag indicates that the translation is PAT. The i flag indicates that the translation applies to the inside address port.
hostname# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
r - portmap, s - static
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri
Viewing the Configuration
Using the show nat command, you can view the configuration. In the following output, there is a single static translation configured on the inside interface that translates the host at 192.168.5.6 to 128.10.6.2. You can also see that there have been no translations (hits) in either direction using this configuration.
hostname(config)# show nat
NAT policies on Interface inside:
match ip inside host 192.168.5.6 outside any
static translation to 128.10.6.2
translate_hits = 0, untranslate_hits = 0
Configuring Zone-Based Firewalls
Zones are collections of networks reachable over a router interface. Zone pairs are used to define a unidirectional firewall policy. The direction is indicated by specifying the source and destination zones. There is one special type of zone that will be covered in the next section.
When zone-based firewalling is used, each interface (including both physical and virtual interfaces) is assigned to a zone, and a policy is applied to traffic moving between zones. These configurations use a syntax known as the Cisco Common Classification Policy Language. When using the Cisco Common Classification Policy Language, class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes. Finally, service policies are used to activate policy maps on zone pairs.
While only a single service policy can be used on a zone pair, the policy maps within can include multiple class maps. These class maps will be checked for a traffic match in the order in which they are configured. If a match is not found in the first map, the second will be consulted. When there are no matches, the default policy will be applied to the traffic. Figure 14.1 shows this logic.
FIGURE 14.1 Multiple class maps
Moreover, these class maps can be used in more than one service policy. In Figure 14.2, two class maps have been created, and they have both been used in two different service policies.
FIGURE 14.2 Reuse of class maps
Class Maps
Class maps have two parts; the first identifies the traffic, and the second specifies an action. A match statement is used to specify the traffic and can match traffic based on the following:
An ACL
A protocol
Another class map
The actions are defined using action statements. The actions can be as follows:
Inspect: Triggers stateful packet inspection
Drop: Denies traffic
Pass: Permits traffic
Default Policies
When no class map matches the traffic type, the default policy is invoked. This policy's actions depend on whether the interface has been assigned to a zone and, if so, what policy is currently in effect for that zone pair if it exists. Sound complicated? It can be. Figure 14.3 shows the rules.
FIGURE 14.3 Default policies
Figure 14.3 applies to traffic that is not coming from or destined to the router (self-zone). When that is the case, the rules are as shown in Figure 14.4.
FIGURE 14.4 Default policies (self-zone)
Understanding the Self-Zone
The self-zone is a special zone that has no interface members. It applies to any traffic destined for the router rather than traffic that the router is routing. An example of this type of traffic would be traffic to manage the device using SSH. It also applies to traffic generated by the router. The traffic going from the router back to the device making the SSH connection to manage the device would be an example of such router-generated traffic.
Configuring Zone-to-Zone Access
The firewall you will use in the following procedure has three interfaces: one connected to the Internet, one connected to the LAN, and another connected to the DMZ. To configure zone-based policies to support this scenario, follow the steps in the next procedure.
Configuring Zone-Based Firewall
In this procedure, you will configure a policy that performs stateful inspection of HTTP and FTP traffic coming to the DMZ from the Internet.
1. Define three security zones: Inside, Outside, and DMZ. Use the following commands to do so:
RTR64(config)# zone security inside
RTR64(config)# zone security outside
RTR64(config)# zone security dmz
2. Assign each interface to its proper zone. The zone-member command takes the security keyword before the zone name.
RTR64(config)# int gi0/1
RTR64(config-if)# zone-member security inside
RTR64(config)# int gi0/2
RTR64(config-if)# zone-member security outside
RTR64(config)# int gi0/3
RTR64(config-if)# zone-member security dmz
3. Create a class map that defines the traffic. In this case, that traffic will be HTTP or FTP. The map will be named HTTP_FTP_filter and will perform stateful inspection of the HTTP traffic.
RTR64(config)# class-map type inspect match-any HTTP_FTP_filter
RTR64(config-cmap)# match protocol http
RTR64(config-cmap)# match protocol ftp
4. Define a policy map named DMZ_inspect that specifies traffic that matches the HTTP_FTP_filter class map.
RTR64(config)# policy-map type inspect DMZ_inspect
RTR64(config-pmap)# class type inspect HTTP_FTP_filter
RTR64(config-pmap-c)# inspect
5. Define a zone pair called outside_to_DMZ with the outside zone being the source and the DMZ zone being the destination.
RTR64(config)# zone-pair security outside_to_DMZ source outside destination dmz
6. Apply the DMZ_inspect policy to the zone pair called outside_to_DMZ.
RTR64(config-sec-zone-pair)# service-policy type inspect DMZ_inspect
The configuration is now complete.
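The following added example, not the study guide's or Cisco's code, models the procedure just completed and the class-map and default-policy discussion before it: the three zones, the three interface memberships, the match-any class map HTTP_FTP_filter, the policy map DMZ_inspect and the outside_to_DMZ zone pair, and it walks constructed packets through the class maps in configuration order. Where the page defers the default behaviour to Figures 14.3 and 14.4, this example assumes the usual IOS zone-based firewall defaults (traffic within one zone passes; traffic between a zone member and a non-member, between zones with no zone pair, or hitting class-default is dropped) and does not model the self-zone. The interface gi0/9 and all addresses are constructed.

```python
"""Zone-based firewall policy evaluation for the configuration above.

Added example, not the study guide's or Cisco's code. Default behaviour for
traffic with no zone pair or no matching class is assumed to follow the usual
IOS zone-based firewall rules; the self-zone is not modelled. Interface and
zone names come from the procedure; packets and addresses are constructed.
"""
from dataclasses import dataclass

INSPECT, DROP, PASS = "inspect", "drop", "pass"


@dataclass
class ClassMap:
    name: str
    protocols: set  # 'match protocol ...' entries, match-any semantics

    def matches(self, pkt: dict) -> bool:
        return pkt["protocol"] in self.protocols


@dataclass
class PolicyMap:
    name: str
    classes: list               # ordered (ClassMap, action) pairs
    default_action: str = DROP  # class-default

    def action_for(self, pkt: dict) -> tuple:
        # Class maps are consulted in configuration order; the first match wins.
        for cmap, action in self.classes:
            if cmap.matches(pkt):
                return cmap.name, action
        return "class-default", self.default_action


class ZoneFirewall:
    def __init__(self):
        self.zones = set()
        self.members = {}    # interface -> zone
        self.pairs = {}      # (source zone, destination zone) -> PolicyMap
        self.sessions = set()  # state created by 'inspect'

    def zone_security(self, name: str) -> None:
        self.zones.add(name)

    def zone_member(self, iface: str, zone: str) -> None:
        if zone not in self.zones:
            raise ValueError(f"zone {zone} is not defined")
        self.members[iface] = zone

    def zone_pair(self, src_zone: str, dst_zone: str, policy: PolicyMap) -> None:
        # zone-pair plus its service-policy; one policy per direction
        self.pairs[(src_zone, dst_zone)] = policy

    def evaluate(self, pkt: dict) -> tuple:
        """Returns (action, reason) for a packet routed from in_iface to out_iface."""
        src_zone = self.members.get(pkt["in_iface"])
        dst_zone = self.members.get(pkt["out_iface"])
        if src_zone is None and dst_zone is None:
            return PASS, "neither interface is a zone member"
        if src_zone is None or dst_zone is None:
            return DROP, "only one interface is a zone member"
        if src_zone == dst_zone:
            return PASS, "intra-zone traffic"
        # Return traffic of an inspected session is allowed back without its own zone pair.
        if (dst_zone, src_zone, pkt["protocol"], pkt["dst"], pkt["src"]) in self.sessions:
            return PASS, "return traffic of an inspected session"
        policy = self.pairs.get((src_zone, dst_zone))
        if policy is None:
            return DROP, "no zone pair for this direction"
        cls, action = policy.action_for(pkt)
        if action == INSPECT:
            self.sessions.add((src_zone, dst_zone, pkt["protocol"], pkt["src"], pkt["dst"]))
        return action, f"class {cls}"


def packet(in_iface, out_iface, protocol, src, dst) -> dict:
    return {"in_iface": in_iface, "out_iface": out_iface,
            "protocol": protocol, "src": src, "dst": dst}


def build_demo() -> ZoneFirewall:
    """Mirrors the procedure's commands: zones, members, class map, policy map, zone pair."""
    fw = ZoneFirewall()
    for z in ("inside", "outside", "dmz"):
        fw.zone_security(z)
    fw.zone_member("gi0/1", "inside")
    fw.zone_member("gi0/2", "outside")
    fw.zone_member("gi0/3", "dmz")
    http_ftp = ClassMap("HTTP_FTP_filter", {"http", "ftp"})
    fw.zone_pair("outside", "dmz", PolicyMap("DMZ_inspect", [(http_ftp, INSPECT)]))
    return fw


if __name__ == "__main__":
    fw = build_demo()
    print(fw.evaluate(packet("gi0/2", "gi0/3", "http", "198.51.100.9", "172.16.1.10")))
    print(fw.evaluate(packet("gi0/2", "gi0/3", "ssh", "198.51.100.9", "172.16.1.10")))
```

Two points the procedure leaves implicit come out in the evaluation: SSH from the outside to the DMZ falls through to class-default and is dropped even though a zone pair exists, and the DMZ's HTTP replies are allowed back only because inspect created a session, not because any dmz-to-outside zone pair was configured.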
Summary
In this chapter, you learned about the three forms of NAT: static NAT, dynamic NAT, and PAT. You also learned about the NAT options available in the ASA. You learned about the benefits of NAT and how to configure it and verify its operation. Class maps, policy maps, and service policies and their respective functions in a zone-based firewall were covered as well. Finally, the steps to configure and verify a zone-based firewall ended the chapter.
Exam Essentials
Identify the forms of Network Address Translation (NAT). These include static NAT, dynamic NAT, and Port Address Translation (PAT).
Describe the three sections of the NAT table in the ASA. The Manual NAT section represents translations that have been defined to be applied by the appliance before the other sections are consulted. The Auto NAT section represents translations that are defined on the object itself. The Manual NAT After Auto NAT section contains more general translations not handled by the first two sections.
Identify benefits of policy NAT. In some scenarios, you may need more options than are available with Auto NAT, or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you. This section also has the advantage of being checked for a translation match before the other two sections.
Verify NAT operations. There are several ways to verify that NAT is operating correctly. They include viewing the NAT translations in the translation table using the show xlate command, and in cases where you are not getting any NAT translations, you can view the configuration and check for errors using the show nat command.
Describe the components of a zone-based firewall configuration. Class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes. Finally, service policies are used to activate policy maps on zone pairs.
List the steps to configure zone-to-zone access. From a high level, to configure zone-to-zone access, the following steps must be performed: 1) define zones, 2) define zone pairs, 3) define class maps that define traffic, 4) define policy maps that apply actions to the class maps, 5) apply policy maps to zone pairs, and 6) assign interfaces to zones.
Review Questions
1. In which type of NAT is each private IP address manually mapped to a public IP address?
A. Dynamic
B. Static
C. PAT
D. SAT
2. Which section of the NAT table in the ASA is read last?
A. Auto NAT
B. Manual NAT
C. Dynamic NAT
D. Manual NAT After Auto NAT
3. You need to create a mapping for an internal device that is effective only when the internal device is communicating with one specific exterior device and not effective otherwise. What type of NAT must you use?
A. Auto NAT
B. Static NAT
C. Dynamic NAT
D. Policy NAT
4. What command generated the following output?
3 in use, 3 most used
PAT Global 103.61.3.9(0) Local 10.1.1.15 ICMP id 340
PAT Global 103.61.3.9(1024) Local 10.1.1.15(1028)
PAT Global 103.61.3.9(1024) Local 10.1.1.15(516)
A. show nat
B. show nat detail
C. show xlate
D. show pat
5. In the following command output, what does the r stand for?
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri
A. Routed
B. Remote
C. Port Address Translation
D. Reverse
6. Which of the following are collections of networks?
A. Zone pairs
B. Zones
![Page 263: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/263.jpg)
C. Policymaps
D. Classmaps
7. Amatchstatementcanbebasedonallofthefollowingexceptwhichone?
A. AnACL
B. Protocol
C. Anotherclassmap
D. Devicename
8. Whichofthefollowingactionstriggersstatefulinspectionofthetraffic?
A. Drop
B. Permit
C. Inspect
D. Pass
9. Whichzonehasnointerfacemembers?
A. DMZ
B. Self
C. Inside
D. Outside
10. InwhichtypeofNATareallprivateIPaddressesmappedtoasinglepublicIPaddress?
A. Dynamic
B. Static
C. PAT
D. SAT
11. Inthefollowingcommandoutput,whatdoesthevalue21505represent?
TCPPATfrominside:10.1.1.15/1026tooutside:103.61.3.9/1024flagsri
UDPPATfrominside:10.1.1.15/1028tooutside:103.61.3.9/1024flagsri
ICMPPATfrominside:10.1.1.15/21505tooutside:103.61.3.9/0flagsri
A. Destinationportnumber
B. Sequencenumber
C. Sourceportnumber
D. Acknowledgmentnumber
12. Whichofthefollowingisusedtodefinetrafficclasses?
![Page 264: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/264.jpg)
A. Servicepolicy
B. Zones
C. Policymaps
D. Classmaps
13. Whatcommanddefinesasecurityzone?
A. Zonemember
B. Zonesecurity
C. Setzone
D. Zone
14. TraffictomanagethedeviceusingSSHwouldbelongtowhatzone?
A. Inside
B. DMZ
C. Self
D. Outside
15. Whatcommandassignsaninterfacetoazone?
A. zone-member
B. zone-security
C. setzone
D. zone
16. Whichofthefollowingisusedtoapplyactionstotrafficclasses?
A. Servicepolicy
B. Zones
C. Policymaps
D. Classmaps
17. Whichofthefollowingisusedtodefineaunidirectionalfirewallpolicy?
A. Zonepairs
B. Zones
C. Policymaps
D. Classmaps
18. Inthefollowingcommandoutput,whatdoestheistandfor?
![Page 265: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/265.jpg)
TCPPATfrominside:10.1.1.15/1026tooutside:103.61.3.9/1024flagsri
UDPPATfrominside:10.1.1.15/1028tooutside:103.61.3.9/1024flagsri
ICMPPATfrominside:10.1.1.15/21505tooutside:103.61.3.9/0flagsri
A. Insideaddressport
B. Interior
C. IGP
D. StaticNAT
19. InwhichsectionsoftheNATtableintheASAaretranslationsdefinedontheobjectitself?
A. AutoNAT
B. ManualNAT
C. DynamicNAT
D. ManualNATAfterAutoNAT
20. InwhichtypeofNATisapoolofpublicIPaddressesobtainedthatisatleastequaltothenumberofprivateIPaddressesthatrequiretranslation?
A. Dynamic
B. Static
C. PAT
D. SAT
Chapter 15 Configuring the Firewall on an ASA
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x
Configure ASA access management
Configure security access policies
Configure Cisco ASA interface security levels
Configure default Cisco Modular Policy Framework (MPF)
Describe modes of deployment (routed firewall, transparent firewall)
Describe methods of implementing high availability
Describe security contexts
Describe firewall services
There are many additional firewall concepts you also should understand beyond configuring zone-based firewalling and network address translation. In this chapter we'll look at some other firewall services as well as discuss the difference between a routed and a transparent firewall. Moreover, we'll cover security contexts and configuring ASA management access. Finally, toward the end of this chapter the Modular Policy Framework approach to configuration will be covered.
In this chapter, you will learn the following:
Configuring ASA access management
Configuring security access policies
Configuring Cisco ASA interface security levels
Configuring the default Cisco Modular Policy Framework (MPF)
Modes of deployment (routed firewall, transparent firewall)
Methods of implementing high availability
Security contexts
Firewall services
Understanding Firewall Services
The Cisco ASA 9.x firewall series (which is the firewall tested in the CCNA Security exam) has a rich set of features to offer. While it certainly can perform the firewall duties we have come to expect from any enterprise-level firewall, such as traffic filtering and control, it also offers many other functions. Among these are:
Application Inspection Control (AIC)—Also called application protocol control, this feature verifies the conformance of major application layer protocol operations to RFC standards. It can help prevent many of the tunneling attempts and application layer attacks that violate protocol specifications.
Network Address Translation (NAT)—As you learned in Chapter 14, the ASA supports many implementations of NAT including policy NAT, inside and outside NAT, one-to-one and one-to-many NAT, and port forwarding (static NAT).
IP Routing—The ASA has routing capabilities including static and dynamic routing with support for all major routing protocols such as EIGRP, RIP, OSPF, and BGP.
IPv6 support—The ASA supports IPv6 networking natively and can control access between IPv6 security domains.
DHCP—The ASA can be integrated as either a DHCP server or a DHCP client.
Multicast support—The ASA natively integrates with multicast networks supporting Internet Group Management Protocol (IGMP) and both Protocol Independent Multicast Sparse Mode (PIM-SM) and bidirectional Protocol Independent Multicast (PIM).
Understanding Modes of Deployment
The ASA can be deployed in one of two modes, routed and transparent. The mode you choose will depend on requirements and needs. In this section, we differentiate these two modes of operation.
Routed Firewall
In routed mode, the ASA is serving as a router and thus each of its interfaces will reside in a separate IP subnet. It can use all major routing protocols including RIP, EIGRP, OSPF, and BGP. In environments where static routing is in use, it can use IP SLA to perform static route tracking to detect when one static route is unavailable and therefore switch to a second static route.
Transparent Firewall
In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does. This makes the ASA transparent to devices on either side (from a layer 3 perspective); thus the name transparent mode. As with a switch, however, it is possible to configure the ASA with a management IP address for connecting to and managing the ASA.
Understanding Methods of Implementing High Availability
Regardless of whether the ASA is operating in routed or transparent mode, it is providing valuable services to the network. Therefore, providing high availability for the ASA and thus for the services it provides is highly desirable. The ASA has several redundancy options available to satisfy this need. In this section we'll cover three ways that multiple ASAs can be deployed to provide this redundancy.
Active/Standby Failover
In Active/Standby failover two security appliances are deployed with only one of the appliances processing traffic while the second one serves as a hot standby. This deployment model is shown in Figure 15.1.
FIGURE 15.1 Active/Standby failover
Active/Active Failover
In Active/Active failover two security appliances are deployed with both appliances processing traffic with the ability to survive a single device failure. This deployment model is shown in Figure 15.2.
FIGURE 15.2 Active/Active failover
Clustering
In Clustering, three or more security appliances are deployed as a single logical device. This allows for the management of the multiple ASAs as a unit. It provides increased throughput and redundancy. This deployment model is shown in Figure 15.3.
FIGURE 15.3 Clustering
Understanding Security Contexts
The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators. This results functionally in multiple virtual firewalls as shown in Figure 15.4, where multiple contexts are being used to support multiple customers.
FIGURE 15.4 Security contexts
Configuring ASA Management Access
While many administrators choose to manage and configure the ASA using the Adaptive Security Device Manager (ASDM), when you deploy a new ASA you will have to begin by setting up the ASA using the CLI. Only after an interface with an IP configuration is enabled will you be able to connect to the device using the ASDM. We will first cover this initial configuration and will then follow with the commands required to allow connections for the ASDM.
Initial Configuration
To perform the initial configuration of the ASA, connect to the device from the console port and perform the operations covered in the next procedure.
Initial Configuration of the ASA
In this procedure, you will configure the interfaces of the ASA with IP addresses, subnet masks, and security levels. Finally, you will enable those interfaces.
1. Connect to the ASA using a console cable.
2. Enter interface configuration mode for the external (Internet facing) interface.
asa70(config)# int Gi0/1
asa70(config-if)#
3. Configure an IP address and subnet mask for the interface.
asa70(config-if)# ip address 201.16.5.5 255.255.255.0
4. Give the interface a name. In this case, name it outside.
asa70(config-if)# nameif outside
5. Enable the interface.
asa70(config-if)# no shutdown
6. Using the same commands, configure and enable two other interfaces, naming the interface leading to the DMZ dmz and the interface leading to the private network (the LAN) inside.
asa70(config)# int gi0/2
asa70(config-if)# ip address 172.168.5.5 255.255.255.0
asa70(config-if)# nameif dmz
asa70(config-if)# no shutdown
asa70(config)# int gi0/3
asa70(config-if)# ip address 192.168.5.5 255.255.255.0
asa70(config-if)# nameif inside
asa70(config-if)# no shutdown
7. Now we need to enable the HTTP server on the ASA, which is required to connect to the device using the ASDM.
asa70(config)# http server enable
8. Now we will define an IP address on the inside network that will be allowed to connect to the ASA using either SSH or HTTP to manage the ASA.
asa70(config)# http 192.168.5.20 255.255.255.255 inside
asa70(config)# ssh 192.168.5.20 255.255.255.255 inside
9. Finally we'll create a local account on the ASA for the technician who will connect using HTTP or SSH and enable local authentication on the ASA. The username will be Bob and the password passbob. Give him level 15 (admin) access.
asa70(config)# username bob password passbob privilege 15
10. Normally at this point one would also configure a security level. We will do that in the next exercise after we discuss security levels.
Configuring Cisco ASA Interface Security Levels
Before we get into interface configuration we need to discuss a concept that may be new to you if you have only configured routers. In the ASA, interfaces have security levels. These security levels are one of the ways the ASA controls access from one interface to another. Security levels define the trustworthiness of the interface. The higher the level, the more trusted the interface.
Security Levels
The most common configuration is to set the exterior interface (Internet) to a level of zero (or something very low in relation to the other interfaces) and the interior interface (LAN) to a very high security level value. Any other interfaces (such as a DMZ) can be set to a level that properly reflects the trust placed in that interface. With this configuration in place the typical traffic flows in your network will be as follows:
Inbound traffic will flow from a low-security interface to a high-security interface. Another way of saying this is that it will flow from a less trusted interface to a more trusted interface.
Outbound traffic will flow from a high-security interface to a low-security interface. Another way of saying this is that it will flow from a more trusted interface to a less trusted interface.
By default, the ASA uses these rules to control traffic between interfaces:
There is an implicit permit for traffic flowing from a high-security interface to a low-security interface.
There is an implicit deny for traffic flowing from a low-security interface to a high-security interface.
There is an implicit deny for traffic flowing between two interfaces with the same security level.
Of course, these defaults can be changed and often are changed. Figure 15.5 shows how this would work using security level values 0, 50, and 100. Green lines represent allowed traffic while the red lines represent denied traffic.
FIGURE 15.5 Security levels in action
Setting Security Levels
In this procedure, you will configure the security levels of the ASA interfaces to reflect the relative trustworthiness of the inside, dmz, and outside interfaces. The interfaces in this procedure align with the last procedure, NOT with Figure 15.5, which is a different example.
1. Enter interface configuration mode for the inside, dmz, and outside interfaces and assign the security levels 100, 50, and 0 respectively.
asa70(config)# int gi0/3
asa70(config-if)# security-level 100
asa70(config)# int gi0/2
asa70(config-if)# security-level 50
asa70(config)# int gi0/1
asa70(config-if)# security-level 0
At this point you should be able to connect to the ASA using the ASDM as Bob from the machine at 192.168.5.20.
Configuring Security Access Policies
In its role as a firewall the ASA uses security access policies to control the traffic types allowed to flow from one interface to another. These access policies can be configured as interface access rules (much like the ACLs you may have experience with on a router) or by creating and linking object groups. In this section, we'll discuss both methods.
Interface Access Rules
If you apply no interface access rules on the ASA the default rules (as covered earlier) are:
There is an implicit permit for traffic flowing from a high-security interface to a low-security interface.
There is an implicit deny for traffic flowing from a low-security interface to a high-security interface.
There is an implicit deny for traffic flowing between two interfaces with the same security level.
This means that you will need to create an access rule to allow traffic in each of the following scenarios:
Between interfaces of the same security level
Traffic from a lower-security interface to a higher-security interface
When Using NAT!
ACLs that permit traffic from a lower-security interface to a higher-security interface must reference the "real" or non-translated IP address of the inside host rather than the translated or mapped IP address.
While interface rules operate like ACLs you may (depending on your CLI experience with the ASA) find it easier to create these rules in the ASDM rather than at the command line. In the next procedure, you will see how this is done in the ASDM.
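The security-level defaults above and the scenarios that require an explicit access rule can be checked against a small model. The following is an added example (not code from the study guide): it encodes the three default rules for the chapter's interfaces (inside 100, dmz 50, outside 0), reports when a flow needs an access rule, and evaluates constructed ACL entries written with real (untranslated) addresses as the NAT note requires. One detail it models that the text does not state explicitly: once an ACL is applied to an interface, the ASA ends it with an implicit deny, so the high-to-low implicit permit no longer covers traffic that matches no entry on that interface.

```python
"""Model of the ASA's default interface-to-interface policy driven by security levels,
and of what changes once an interface access rule (ACL) is applied.

Added example, not from the study guide. Interface names and levels are the ones used
in this chapter's procedures; the ACL entries are constructed to mirror its two ASDM
procedures. The implicit deny at the end of an applied ACL is the ASA's documented
behaviour, added here because it is the usual surprise when a first rule is applied.
"""
import ipaddress

# Security levels from the chapter's procedures.
INTERFACES = {"inside": 100, "dmz": 50, "outside": 0}


def default_action(levels, src_if, dst_if):
    """Implicit decision with no access rule on src_if:
    permit high -> low; deny low -> high; deny between equal levels."""
    return "permit" if levels[src_if] > levels[dst_if] else "deny"


def needs_access_rule(levels, src_if, dst_if):
    """True when traffic can only flow if an explicit access rule permits it."""
    return default_action(levels, src_if, dst_if) == "deny"


def _in_net(ip, spec):
    """spec is 'any' or a CIDR/host string."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(levels, acls, src_if, dst_if, src_ip, dst_ip, proto, dst_port):
    """Decide a flow entering on src_if.

    acls maps an interface name to an ordered list of entries; first match wins.
    Entries must use real (untranslated) addresses, as the chapter's NAT note requires,
    so callers pass real addresses here, never the mapped ones.
    """
    acl = acls.get(src_if)
    if acl is None:
        return default_action(levels, src_if, dst_if)
    for ace in acl:
        if (ace["proto"] in ("ip", proto)
                and _in_net(src_ip, ace["src"])
                and _in_net(dst_ip, ace["dst"])
                and ace.get("port") in (None, dst_port)):
            return ace["action"]
    return "deny"   # implicit deny at the end of an applied ACL


# Constructed rules mirroring the chapter's two ASDM procedures:
# outside: permit HTTP from any to any; inside: permit HTTP from the LAN to the DMZ web server.
SAMPLE_ACLS = {
    "outside": [{"action": "permit", "proto": "tcp", "src": "any", "dst": "any", "port": 80}],
    "inside": [{"action": "permit", "proto": "tcp", "src": "192.168.5.0/24",
                "dst": "201.3.3.3/32", "port": 80}],
}

if __name__ == "__main__":
    for src, dst in [("inside", "outside"), ("outside", "dmz"), ("dmz", "inside")]:
        print(src, "->", dst, default_action(INTERFACES, src, dst),
              "(rule needed)" if needs_access_rule(INTERFACES, src, dst) else "")
    print(evaluate(INTERFACES, SAMPLE_ACLS, "inside", "outside",
                   "192.168.5.10", "203.0.113.5", "tcp", 443))
```

The last call in the usage block returns deny: applying the chapter's LAN-to-DMZ rule on the inside interface means LAN-to-Internet traffic now needs its own permit entry, which is the check worth making before applying a first rule to a high-security interface.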
Creating Interface Access Rules in ASDM
In this procedure, you will configure two interface access rules in the ASDM. The ASA you manage has three interfaces that you have labeled inside (LAN), outside (Internet), and dmz. The security levels you have assigned are 100, 0, and 50 respectively. Currently the only rules in place are the global default rules discussed in the first set of bullet points in the section "Interface Access Rules" earlier in this section.
You need to configure the following rules:
Allow only HTTP access from the outside interface to the dmz.
Allow only HTTP from the inside to the dmz.
1. Connect to the ASA with the ASDM.
2. Navigate to Configuration > Firewall > Access Rules.
3. Click Add, and choose Add Access Rule.
4. We will first create the rule allowing only HTTP access from the outside interface to the dmz. In the Add Access Rule dialog box, select outside as the interface on which to apply the rule. In the Action section, select the Permit radio button. In the drop-down box for source IP address, select ANY. In the drop-down box for destination IP address, select ANY. In the Service box, type or select HTTP. Click OK. On the ASDM main page, click Apply.
5. Click Add, and choose Add Access Rule.
6. We will next create the rule allowing only HTTP access from the inside interface to the dmz. In the Add Access Rule dialog box, select inside as the interface on which to apply the rule. In the Action section, select the Permit radio button. In the drop-down box for source IP address, select ANY. In the drop-down box for destination IP address, select ANY. In the Service box, type or select HTTP. Click OK. On the ASDM main page, click Apply.
The configuration is now complete.
Object Groups
While the previous procedure used the keyword ANY to select source and destination and HTTP for service, not very many configurations are that simple. In many cases we need to allow only a select group of devices rather than all devices, or we need to allow only devices on a specific network to send traffic on an interface when there are multiple networks that might be traversing that interface. To make the creation and application of rules easier, the ASA can also use an object-based model for certain rules.
Objects can be created to represent any of the following:
Networks
Individual hosts
Groups of services
Resources
Once these objects have been created, they can be linked together to create rules as we did in the previous procedure, simply using the browse button next to each of the drop-down boxes in the Add Access Rule dialog box to link them together. In the next procedure, you will create objects and then use them in an access rule.
Creating and Using Objects in an Access Rule
In this procedure, you will create three objects and use them in an access rule. You need to allow HTTP traffic from the 192.168.5.0/24 network inside the LAN to a web server with the IP address of 201.3.3.3 in the DMZ. Therefore, you will
Create a network object to represent the 192.168.5.0/24 network
Create a service object to represent HTTP
Create a host object to represent the server at 201.3.3.3
Link these objects in an access rule and apply it to the inside interface
Note: interface objects have been created and named inside, outside, and dmz with security levels of 100, 0, and 50.
1. Connect to the ASA with the ASDM.
2. Navigate to Configuration > Firewall > Objects > Network Objects/Groups.
3. Select Add, then Network Object.
4. In the Name field, enter HTTP_group_internal.
5. In the IP address and network mask sections, enter 192.168.5.0 and 255.255.255.0. Then select OK.
6. Select Add, then Network Objects/Groups.
7. In the Name field, enter DMZ_web.
8. In the IP address section, enter 201.3.3.3. Then select OK.
9. Select Object, then Service Objects/Groups, and finally Add Service Group.
10. In the Add Service Group dialog box, enter the name DMZ_services.
11. In the Existing service group section, select TCP-HTTP and TCP-HTTPS and select Add. Then click OK.
12. In the main ASDM window, select Apply to create the objects.
13. Navigate to Configuration > Firewall > Access Rules.
14. Click Add, and choose Add Access Rule.
15. In the Add Access Rule dialog box, select inside as the interface on which to apply the rule. In the Action section, select the Permit radio button. In the drop-down box for source IP address, select the object you created called HTTP_group_internal. In the drop-down box for destination IP address, select the object you created called DMZ_web. In the Service box, select the object you created called DMZ_services. Click OK. On the ASDM main page, click Apply.
The configuration is now complete.
Configuring Default Cisco Modular Policy Framework (MPF)
In Chapters 4 and 14 you learned about the Cisco Modular Policy Framework (MPF). As review, there are three components that are used as building blocks to implement policies in this framework:
Class maps are used to categorize traffic types into classes. ACLs are typically used to define the traffic and then the ACL is referenced in the class map.
Policy maps are used to define the action to be taken for a particular class. Actions that can be specified are allow, block, and rate-limit.
Service policies are used to specify where the policy map should be implemented.
In the next procedure, you will use this framework to create a new policy by creating a class map that identifies Telnet as the traffic and a policy map that identifies an action of deny and apply the two to all interfaces with a service policy.
Configuring Default Cisco Modular Policy Framework (MPF)
In this exercise, you will create a new policy by creating a class map that identifies Telnet as the traffic and a policy map that identifies an action of deny and apply the two to all interfaces with a service policy.
1. Connect to the ASA with the ASDM.
2. Navigate to Configuration > Firewall > Service Policy Rules and click Add, then Service Policy Rule.
3. Name the service policy No_telnet and select the Global radio button (which applies it to all interfaces). Click Next.
4. In the Traffic Class Criteria dialog box, select Create A New Traffic Class. Name the class Telnet_deny.
5. In the Traffic Match Criteria section, check the box for TCP Or UDP Destination Port and select Next.
6. In the service field of the next box enter TCP/23 in both the Source and Destination fields. Click Next.
7. Select Finish. The configuration is complete.
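The three MPF building blocks and the way they fit together can be seen in a small model. The following is an added example (not code from the study guide): it builds the No_telnet policy from the procedure above (class Telnet_deny matching TCP destination port 23, action deny, applied globally), adds a constructed per-interface policy with an ACL-style class, and decides which policy and action apply to a packet. The packet dictionaries, the Lan_web class and the Web_limit policy map are constructed for the example; the rule that an interface service policy is consulted before the global one follows the ASA's documented behaviour.

```python
"""Toy model of the ASA Modular Policy Framework: class map -> policy map -> service policy.

Added example, not from the study guide. Reproduces the chapter's No_telnet policy and
adds a constructed interface policy to show how the two are selected for a packet.
"""
import ipaddress


class ClassMap:
    """Categorizes traffic. Matches on protocol/destination port and, optionally, on an
    ACL-style list of (source network, destination network) pairs."""

    def __init__(self, name, proto=None, dst_port=None, acl=None):
        self.name, self.proto, self.dst_port, self.acl = name, proto, dst_port, acl

    def matches(self, pkt):
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dst_port is not None and pkt["dst_port"] != self.dst_port:
            return False
        if self.acl is not None:
            src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
            return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                       for s, d in self.acl)
        return True


class PolicyMap:
    """Binds an action to each class; classes are evaluated in order, first match wins."""

    def __init__(self, name, entries):
        self.name, self.entries = name, entries   # entries: list of (ClassMap, action)

    def action_for(self, pkt):
        for cmap, action in self.entries:
            if cmap.matches(pkt):
                return action
        return None


class ServicePolicy:
    """Activates a policy map globally (interface=None) or on one named interface."""

    def __init__(self, policy_map, interface=None):
        self.policy_map, self.interface = policy_map, interface


def decide(policies, pkt):
    """Return (action, policy map name). The interface policy for the packet's ingress
    interface is consulted before the global one; traffic no class matches is passed."""
    on_if = [p for p in policies if p.interface == pkt["ingress"]]
    glob = [p for p in policies if p.interface is None]
    for sp in on_if + glob:
        action = sp.policy_map.action_for(pkt)
        if action is not None:
            return action, sp.policy_map.name
    return "allow", None


# The chapter's policy: deny Telnet on all interfaces.
TELNET_DENY = ClassMap("Telnet_deny", proto="tcp", dst_port=23)
NO_TELNET = PolicyMap("No_telnet", [(TELNET_DENY, "deny")])

# Constructed extra: rate-limit web traffic from the LAN to the DMZ server, inside interface only.
LAN_WEB = ClassMap("Lan_web", proto="tcp", dst_port=80, acl=[("192.168.5.0/24", "201.3.3.3/32")])
WEB_LIMIT = PolicyMap("Web_limit", [(LAN_WEB, "rate-limit")])

POLICIES = [ServicePolicy(NO_TELNET), ServicePolicy(WEB_LIMIT, interface="inside")]

if __name__ == "__main__":
    pkt = {"ingress": "inside", "proto": "tcp", "src": "192.168.5.10",
           "dst": "201.3.3.3", "dst_port": 23}
    print(decide(POLICIES, pkt))                       # ('deny', 'No_telnet')
    print(decide(POLICIES, dict(pkt, dst_port=80)))    # ('rate-limit', 'Web_limit')
```

Because the interface policy is consulted first, a class on the interface policy that also matched Telnet would decide before No_telnet did; keeping global classes narrow and interface classes specific avoids that kind of shadowing.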
Summary
In this chapter, you learned how to set up the ASA so you can remotely administer it using the ASDM. You also learned the default security policies that are in place and how the default global policy interacts with configured policies. You also learned about interface security levels and the effect they have on traffic flows. The chapter reviewed the Cisco Modular Policy Framework and how it is used to create policies. It also discussed the difference between a transparent and routed firewall. Finally, high-availability solutions were introduced including active-active, active-passive, and clustering approaches.
Exam Essentials
Identify firewall services provided by the ASA. These include Application Inspection Control (AIC), Network Address Translation (NAT), IP Routing, IPv6 support, DHCP, and Multicast support.
Describe the two modes of deploying the ASA. The ASA can be deployed in one of two modes, routed and transparent. In routed mode, the ASA is serving as a router and thus each of its interfaces will reside in a separate IP subnet. In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does.
Identify ASA high-availability methods. These include Active/Standby failover, Active/Active failover, and clustering.
Define security contexts in the ASA. The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators.
Describe the steps required for initial setup of the ASA. These steps include assigning an IP address and mask to interfaces, enabling interfaces, and enabling the HTTP server. They also include permitting the remote management traffic generated when connecting with the ASDM.
List the default traffic rules in the ASA. By default, the ASA uses these rules to control traffic between interfaces: there is an implicit permit for traffic flowing from a high-security interface to a low-security interface, there is an implicit deny for traffic flowing from a low-security interface to a high-security interface, and there is an implicit deny for traffic flowing between two interfaces with the same security level.
Identify examples of items for which objects can be created in the ASA. Objects can be created to represent any of the following: networks, individual hosts, groups of services, or resources.
Describe the components of the Cisco Modular Policy Framework (MPF). There are three components that are used as building blocks to implement policies in this framework: class maps, used to categorize traffic types into classes (ACLs are typically used to define the traffic and then the ACL is referenced in the class map); policy maps, used to define the action to be taken for a particular class (actions that can be specified are allow, block, and rate-limit); and service policies, used to specify where the policy map should be implemented.
Review Questions
1. Which firewall feature can help prevent many tunneling attempts and application layer attacks?
A. AIC
B. NAT
C. DHCP
D. PIM-SM
2. In which mode does the ASA assume a layer 2 identity?
A. Switch
B. Transparent
C. Active/Standby
D. Routed
3. In which high-availability approach are three or more security appliances deployed as a single logical device?
A. Active/Active
B. Stackwise
C. Clustering
D. Active/Standby
4. What is it called when the ASA is partitioned into multiple virtual firewalls?
A. security contexts
B. security domains
C. security realms
D. security areas
5. Which command is used to apply the name outside to an interface on the ASA?
A. asa70(config-if)# name outside
B. asa70(config-if)# nameif outside
C. asa70(config-if)# outside
D. asa70(config)# nameif outside
6. Which command is required to connect to the device using the ASDM?
A. asa70(config)# http server
B. asa70(config)# http enable
C. asa70(config)# http server enable
D. asa70(config)# enable http server
7. Which command defines an IP address on the inside network that will be allowed to connect to the ASA using HTTP to manage the ASA?
A. asa70(config)# http 192.168.5.20 255.255.255.255
B. asa70(config)# http 192.168.5.20/32 inside
C. asa70(config)# http 192.168.5.20 inside
D. asa70(config)# http 192.168.5.20 255.255.255.255 inside
8. What value is used to determine the allowed traffic flows between the interfaces in the ASA?
A. security level
B. IP address
C. MAC address
D. name
9. There is an implicit permit for traffic flowing from a _______ security interface to a _______ security interface.
A. low, low
B. high, low
C. high, high
D. low, high
10. Which command assigns the security level 100 to an interface?
A. asa70(config)# security 100
B. asa70(config)# 100 security-level
C. asa70(config)# security-level 100
D. asa70(config)# level 100
11. In which of the following scenarios will you need to create an access rule to allow traffic?
A. between interfaces of the same security level
B. traffic to the self-zone
C. traffic from a higher-security interface to a lower-security interface
D. in all scenarios
12. Which of the following is used to represent a select group of devices rather than all devices in a network?
A. service policy
B. object group
C. policy map
D. security group
13. Which of the following is used to categorize traffic types in the MPF?
A. zone pairs
B. zones
C. policy maps
D. class maps
14. You would like to apply a service policy to all interfaces of the ASA. What radio button do you choose for this in the ASDM?
A. global
B. composite
C. self
D. all
15. You need to allow HTTP traffic from the 192.168.5.0/24 network inside the LAN to a web server with the IP address of 201.3.3.3 in the DMZ. What type of object do you create to represent the HTTP traffic?
A. network object
B. service object
C. host object
D. resource object
16. Which of the following is used to specify where a policy map should be implemented in the MPF?
A. zone pairs
B. zones
C. service policy
D. class maps
17. The ASA you manage has three interfaces that you have labeled inside (LAN), outside (Internet), and dmz. The security levels you have assigned are 100, 0, and 50 respectively. Currently the only rules in place are the global default rules. Which traffic is allowed?
A. inside to outside
B. outside to dmz
C. dmz to outside
D. inside to dmz
18. In the following command output what does inside represent?
asa70(config)# ssh 192.168.5.20 255.255.255.255 inside
A. ACL name
B. security level
C. interface IP address
D. traffic direction
19. Which of the following is used to define the action to be taken for a traffic type in the MPF?
A. zone pairs
B. zones
C. policy maps
D. class maps
20. There is an implicit deny for traffic flowing from a ________ security interface to a ________ interface.
A. low, low
B. high, low
C. high, high
D. low, high
Chapter 16 Intrusion Prevention
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
6.1 Describe IPS deployment considerations
Network-based IPS vs. host-based IPS
Modes of deployment (inline, promiscuous-SPAN, tap)
Placement (positioning of the IPS within the network)
False positives, false negatives, true positives, true negatives
6.2 Describe IPS technologies
Rules/signatures
Detection/signature engines
Trigger actions/responses (drop, reset, block, alert, monitor/log, shun)
Blacklist (static and dynamic)
It is no longer acceptable to sit and wait for the next attack and react afterward. In today's threat-filled landscape, security professionals must take a proactive approach to preventing intrusions. Intrusion prevention systems are designed to identify and prevent attacks in real time. In this chapter, you will explore the intrusion prevention capabilities of the ASA.
In this chapter, you will learn the following:
Deployment options of an IPS
Advantages and disadvantages of an HIPS and an NIPS
Proper positioning of an IPS
Management of false positives and negatives
Threat identification methods
Methods of implementing high availability
Trigger actions
IPS Terminology
To begin this chapter, you'll learn a number of terms and concepts that apply to the process of intrusion prevention. A clear understanding of these will help support the rest of the chapter.
Threat
A threat is an identified security weakness to which any specific environment may or may not be vulnerable. For example, a threat might exist in the form of a new attack on Oracle database servers, but if you use Microsoft SQL Server, it is a threat to which you are not vulnerable. Risk is present only when a threat and a vulnerability to the threat both exist.
Risk
Risk is created when a threat exists to which a system is vulnerable. Unless these two conditions are both present, no risk exists.
Vulnerability
A vulnerability is any susceptibility to an external threat that a device or system may possess. A threat becomes a vulnerability only when the threat target is present in your environment and is in the state required to take advantage of the vulnerability. For example, if a threat to a file server exists only if the file server is lacking a security patch and your file server has the patch installed, the threat is not a vulnerability. Examples of vulnerabilities include the following:
Weak passwords
Missing security patches
Lack of input validation
Exploit
An exploit occurs when a threat and a vulnerability both exist and a threat actor takes advantage of the situation. The term exploit also refers to the specific tool or attack methodology used. Some examples include the following:
Scripts
Malware
Password crackers
Zero-Day Threat
A zero-day threat is any threat not yet remediated by malware vendors or software vendors. This type of threat cannot be detected through attack signature-based methods and is usually discovered only by malware or IPS/IDS software that uses heuristics. This approach identifies attacks by identifying traffic that is consistent with an attack rather than using a signature.
Actions
Actions refer to the operations that an intrusion prevention system (IPS) can take when an attack is recognized. Some examples of these actions are as follows:
Drop means the IPS quietly drops the packets involved.
Reset sends a packet with the RST flag that ends any TCP connection.
Shun accomplishes the same purpose as a reset for non-TCP connections.
Block is when the IPS directs another device (a router or firewall) to block the traffic.
Network-BasedIPSvs.Host-BasedIPSThemostcommonwaytoclassifyanIPSisbasedonitsinformationsource:networkbasedandhostbased.Ahost-basedintrusiondetectionsystem(HIPS)isinstalledonthedevice(forthepurposesofthisdiscussion,aserver),andthesystemfocusessolelyonidentifyingattacksonthatdeviceonly.Thisisincontrasttoanetwork-basedsystem,whichmonitorsalltrafficthatgoesthroughitlookingforsignsofattackonanymachineinthenetwork.
Host-BasedIPSAnHIPScanbeconfiguredtoalsofocusonattacksthatmayberelevanttotherolethattheserverisperforming(forexample,lookingforDNSpollutionattacksonDNSservers).Buttherearedrawbackstothesesystems.
Ahighnumberoffalsepositivescancausealaxattitudeonthepartofthesecurityteam.
Constantupdatingofsignaturesisneeded.
There’salagtimebetweenthereleaseoftheattackandthereleaseofthesignature.
AnHIPScannotaddressauthenticationissues.
Encryptedpacketscannotbeanalyzed.
Insomecases,IPSsoftwareissusceptibleitselftoattacks.
Despitetheseshortcomings,anHIPScanplayanimportantroleinamultilayerdefensesystem.
Network-BasedIPSAnetwork-basedIPS(NIPS)monitorsnetworktrafficonalocalnetworksegment.Thisisincontrasttoahost-basedIPS(HIPS)thatmonitorsasinglemachine.
OneofthedisadvantagesofanNIPS(whichisanadvantageofanHIPS)isthatitcannotmonitoranyinternalactivitythatoccurswithinasystem,suchasanattackagainstasystemthatiscarriedoutbyloggingontothesystem’slocalterminal.
MostIPSsareprogrammedtoreactincertainwaysinspecificsituations.EventnotificationandalertsarecrucialtoIPSs.Thesenotificationsandalertsinformadministratorsandsecurity
![Page 287: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/287.jpg)
professionalswhenandwhereattacksaredetected.
Promiscuous Mode
To monitor traffic on the network segment, the network interface card (NIC) must be operating in promiscuous mode. Moreover, an NIPS is affected by a switched network because generally an NIPS monitors only a single network segment, and each switch port is a separate collision domain.
Detection Methods
These systems can use several methods of detecting intrusions. The two main methods are as follows:
Signature Based
Analyzes traffic and compares patterns, called signatures, that reside within the IDS database. This means it requires constant updating of the signature database.
Anomaly Based
Analyzes traffic and compares it to normal traffic to determine whether the traffic is a threat. This means any traffic out of the ordinary will set off an alert.
Evasion Techniques
While IPSs can do some amazing things, they are not infallible. Several techniques have been developed over the years by malicious individuals that allow them to get malicious code past the IPS. Some of the more common approaches are covered in this section.
Packet Fragmentation
Packet fragmentation is the process of breaking a packet that is larger than the maximum transmission unit (MTU) into smaller pieces called fragments that abide by the size limits of the MTU. Various networking technologies enforce different MTUs. For example, while the MTU in Ethernet is 1,500 bytes, in an FDDI network the MTU is 4,470 bytes.
Routers on the network enforce the MTU and perform fragmentation of packets as needed to meet the MTU. When the fragments arrive at the destination, they are reassembled. To communicate exactly how the reassembly should occur, several header fields are used in the IP header. Figure 16.1 shows the IP header.
FIGURE 16.1 IP header fragmentation flags
Three fields are of interest.
Identification provides a number that identifies packets that belong to the same transmission that need to be reassembled.
Flag is a field consisting of three bits. As shown in Figure 16.1, the first bit position 0 is reserved and not used in the fragmentation process; the second position when checked means don't fragment this packet, in which case if the packet is oversized, an ICMP message will be sent to the source indicating it cannot be sent without fragmentation. The third position when checked means this packet is part of a series of fragments and there are more to come. If this is the last fragment in a series of fragments, this bit will not be checked.
Fragment Offset values indicate to the reassembling host where this fragment belongs. It does so by indicating how many bytes away from the beginning of the payload the fragment is.
The fragmentation process follows this sequence:
1. A router makes the decision that a packet must be fragmented.
2. The router splits the packet into fragments, each with an identical IP header apart from the flag bits and the offset values.
3. The destination reassembles the fragments. It recognizes the first fragment because it has an offset value of 0. It then uses the offset values of each fragment to properly position the fragments. It recognizes the last fragment because the More Fragments bit is off.
This process is illustrated in Figure 16.2, where an MTU of 3,300 bytes is enforced on a packet that is 11,980 bytes. As you can see, the first fragment is given an Offset of 0 and the More Fragments bit is on, indicating more fragments to the receiver. The second packet has an Offset value of 410 and has the More Fragments bit on. The third and final fragment has an Offset value of 820, and since it is the last fragment, the More Fragments bit is off.
FIGURE 16.2 Fragmentation process
So, how does the fragmentation attack work? The attacker fragments the packet containing the malicious code so that it becomes difficult for the IPS to recognize the code in such a fragmented fashion. This process is shown in Figure 16.3, where a malicious CGI script that, as shown in the original IP packet at the top, would probably be recognized by the IPS is split into fragments that may not be recognized by the IPS. (It is not important to understand the script.) In this case, a tool called fragroute was used to split the packet into fragments.
FIGURE 16.3 Fragmentation attack
The mitigations to this attack are to do the following:
Use an IPS that performs signature analysis against the entire packet rather than individual fragments. This requires the ability to perform stream reassembly.
Use protocol analysis to evaluate the entire packet for violation of protocol standards.
Injection Attacks
In an injection attack, the attacker inserts data that will be accepted by the IPS but will be ignored by the target system. One approach takes advantage of the TTL feature of IP and fragmentation. The time-to-live (TTL) value is used in IP to prevent a packet from looping endlessly. When a packet's TTL value goes to zero (decremented at each hop), it gets dropped by the router.
In the attack (as shown in Figure 16.4), the attacker injects a bogus string into the attack code and then breaks the attack into three fragments. Then he manipulates the TTL value of the fragment containing the bogus string in such a way that the fragment dies (and never gets delivered) before it reaches the destination. If the IPS does not consider the fragment offset values or TTL values, it will detect the bogus string rather than the actual payload. The result is that after inspection by the IPS, the bogus string does not get delivered. The attack payload does.
FIGURE 16.4 Injection attack
Mitigations to this attack are as follows:
Use an IPS that performs stream reassembly, which allows the IPS to recognize the attack.
Use an IPS that performs TTL value assessment, which allows the IPS to recognize the lower TTL for the fragment containing the bogus string.
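The fragmentation process and the two mitigations above (stream reassembly and TTL assessment), as an added example that is not code from the study guide or from Cisco: it fragments a datagram the way a router would, reassembles it the way a receiving host would, and compares per-fragment signature matching with matching on the reassembled stream, with and without honoring TTL. The signature string, the payload contents, the hop counts and the "first fragment seen wins" overlap policy are constructed assumptions. The Fragment Offset field is encoded in 8-byte units (the figure's values 0, 410 and 820 are 3,280-byte fragments divided by 8), so offsets here are payload position divided by 8.

```python
"""Added example for the fragmentation and TTL-injection sections (not code from the
study guide): fragment a datagram, reassemble it as a receiving host would, and show
why an IPS must match signatures on the reassembled stream and assess fragment TTLs."""
from dataclasses import dataclass
from typing import Dict, List, Optional

IP_HEADER_LEN = 20           # assumed: minimal IPv4 header, no options
SIGNATURE = b"EVIL-PATTERN"  # constructed placeholder for an IPS signature


@dataclass
class Fragment:
    ident: int      # Identification: shared by every fragment of one datagram
    offset: int     # Fragment Offset, in 8-byte units as the header encodes it
    more: bool      # More Fragments flag
    ttl: int        # Time to live as observed at the inspection point
    payload: bytes


def fragment(ident: int, payload: bytes, mtu: int, ttl: int = 64) -> List[Fragment]:
    """Split payload so that header plus fragment fits the MTU. Every fragment but the
    last carries a multiple of 8 payload bytes because the offset counts 8-byte units."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for pos in range(0, len(payload), chunk):
        piece = payload[pos:pos + chunk]
        frags.append(Fragment(ident, pos // 8, pos + chunk < len(payload), ttl, piece))
    return frags


def reassemble(frags: List[Fragment], hops_remaining: Optional[int] = None) -> Optional[bytes]:
    """Rebuild a datagram from its fragments.
    If hops_remaining is given, fragments whose TTL would reach zero before the
    destination are discarded first (the TTL assessment the text describes).
    When two fragments claim the same offset the first one seen wins (assumed policy;
    real hosts differ, which is exactly what an IPS has to model).
    Returns None when the pieces are not contiguous or the last piece is missing."""
    if hops_remaining is not None:
        frags = [f for f in frags if f.ttl > hops_remaining]
    by_offset: Dict[int, Fragment] = {}
    for f in frags:
        by_offset.setdefault(f.offset, f)
    ordered = [by_offset[k] for k in sorted(by_offset)]
    expected = 0
    for f in ordered:
        if f.offset != expected:
            return None
        expected = f.offset + len(f.payload) // 8
    if not ordered or ordered[-1].more:
        return None
    return b"".join(f.payload for f in ordered)


def signature_hits(frags: List[Fragment], reassemble_first: bool,
                   hops_remaining: Optional[int] = None) -> bool:
    """Per-fragment matching versus matching on the reassembled datagram."""
    if not reassemble_first:
        return any(SIGNATURE in f.payload for f in frags)
    data = reassemble(frags, hops_remaining)
    return data is not None and SIGNATURE in data


def demo_fragmentation_evasion() -> dict:
    """Constructed 4,000-byte payload, Ethernet MTU of 1,500, signature straddling the
    first fragment boundary (payload byte 1480)."""
    payload = b"A" * 1475 + SIGNATURE + b"B" * (4000 - 1475 - len(SIGNATURE))
    frags = fragment(ident=7, payload=payload, mtu=1500)
    return {
        "offsets": [f.offset for f in frags],          # [0, 185, 370]
        "more_flags": [f.more for f in frags],         # [True, True, False]
        "per_fragment_match": signature_hits(frags, reassemble_first=False),
        "stream_match": signature_hits(frags, reassemble_first=True),
    }


def demo_ttl_injection() -> dict:
    """Constructed scenario: a bogus piece for offset 1 passes the IPS with TTL 1 and
    expires before the destination four routers further on; the real piece for
    offset 1 follows it with a normal TTL."""
    ident, hops_ips_to_target = 9, 4
    head = Fragment(ident, 0, True, 64, b"HEAD----")
    bogus = Fragment(ident, 1, True, 1, b"harmless-string!")
    real = Fragment(ident, 1, True, 64, SIGNATURE + b"----")
    tail = Fragment(ident, 3, False, 64, b"TAIL")
    seen_by_ips = [head, bogus, real, tail]
    delivered = [f for f in seen_by_ips if f.ttl > hops_ips_to_target]  # what the host gets
    return {
        "naive_ips_sees_attack": signature_hits(seen_by_ips, True),
        "ttl_aware_ips_sees_attack": signature_hits(seen_by_ips, True, hops_ips_to_target),
        "destination_receives_attack": signature_hits(delivered, True),
    }
```

Running both demos shows the failure modes side by side: per-fragment matching misses a signature that straddles a fragment boundary, and reassembly that ignores TTL builds the bogus datagram the destination will never see. A sensor that cannot learn the hop count to the protected hosts has to fall back on flagging fragments whose TTL is suspiciously low relative to the rest of the same datagram.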
Alternate String Expressions
In many protocols, information can be communicated or expressed in multiple ways. For example, HTTP can accept strings expressed in hexadecimal, Unicode, or standard text expressions. Attackers can use this to evade an IPS sensor. If the IPS cannot perform protocol normalization (which decodes the payload to discover its significance), this attack may succeed.
Mitigations to this attack are as follows:
Protocol analysis
Protocol normalization
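Protocol normalization in the sense used above, as an added example that is not from the study guide: one routine decodes hexadecimal percent escapes, %u-style Unicode escapes and double encoding until the string stops changing, so that a single signature matches every spelling of the same text. The signature, the request strings and the three-round decode limit are assumptions.

```python
"""Added example (not from the study guide): normalize HTTP request strings so that
hex (%45), %u-style Unicode (%u0045) and double-encoded (%2545) spellings of the
same characters all match one signature."""
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3       # assumed cap; prevents unbounded work on nested encodings
SIGNATURE = "EVIL-PATTERN"  # constructed placeholder signature

_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def normalize_http_string(raw: str) -> str:
    """Decode %u escapes and percent escapes repeatedly until the text is stable."""
    text = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
        decoded = unquote(decoded)       # standard library percent-decoding
        if decoded == text:
            break
        text = decoded
    return text


def matches(raw: str, normalize: bool) -> bool:
    """Signature check on the raw string versus on its normalized form."""
    subject = normalize_http_string(raw) if normalize else raw
    return SIGNATURE in subject


def spellings_of_signature() -> dict:
    """Constructed request strings that all carry the same signature; each is checked
    with and without normalization."""
    hex_form = "/q=%45%56%49%4c-%50%41%54%54%45%52%4e"
    samples = {
        "plain": "/q=EVIL-PATTERN",
        "hex": hex_form,
        "unicode": "/q=%u0045VIL-PATTERN",
        "double": "/q=%2545VIL-PATTERN",
    }
    return {name: (matches(s, False), matches(s, True)) for name, s in samples.items()}
```

The decode limit is the caveat a practitioner wants: a sensor that decodes without bound can be kept busy, while one that decodes once misses the double-encoded form, so the bound should match what the protected web server itself decodes.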
Introducing Cisco FireSIGHT
Cisco FireSIGHT offers threat protection capabilities that go beyond most IPSs. It not only detects and takes action to prevent attacks, it enables a better understanding of the exposures your environment may possess and helps you to take corrective actions to eliminate them. This section surveys the capabilities of FireSIGHT and the role it can play at various stages of an attack.
Capabilities
There are four categories of functions of which FireSIGHT is capable.
Detection: Attack detection technologies include the following:
IPS: Monitors for malicious and suspicious activity.
Discovery: Enables visibility into all hosts, services, and applications running on the network. This includes traffic discovery in which you can identify the ways in which resources are being utilized.
Learning: Reports on the state of the environment and detects when changes occur in real time.
Adapting: When changes are detected, FireSIGHT can adapt its configuration to mitigate new risks.
Acting: Actions that are available include the following:
Block, alert, or modify suspicious traffic
Remediate through custom responses such as blocking a downstream router or scanning a device
Automate response and reporting
FireSIGHT is managed using the FireSIGHT Management Center. This application can be hosted on a FireSIGHT Management Center appliance or hosted on a virtual appliance on a VMware server.
Protections
The operations and features of FireSIGHT are best described in terms of how they would be utilized during an attack. Therefore, you will look at these protections in this way.
Before an Attack
The best way to mitigate attacks is to address them before they occur. FireSIGHT provides the following preventative technologies for this:
Blacklisting: Traffic to and from specific IP addresses can be blacklisted, which means that your traffic will be neither sent to nor received from the IP address. When you identify problematic IP addresses, this is an action you take. Moreover, the FireSIGHT Management Center can dynamically download at configurable intervals a collection of IP addresses that have been identified by a threat intelligence team called Talos (https://www.talosintelligence.com/) as having a bad reputation in this regard. You can choose to add these to this list if desired.
Advanced Malware Protection (AMP): Two AMP products are included. Cisco AMP for Endpoints is composed of connectors installed on endpoints. It uses a cloud-based detection process that offloads the detection burden to the cloud. Cisco AMP for Networks uses FirePOWER (covered in detail later in this chapter) appliances to detect malware in transit. It also can utilize the cloud for the latest malware. The system can also store detected files for submission to the Cisco Collective Security Intelligence Cloud for dynamic analysis.
During an Attack
While FireSIGHT uses the aforementioned methods to prevent attacks, prevention is not always possible. Once an attack is underway, the FireSIGHT IPS primarily takes actions by identifying and blocking malicious traffic. The IPS is a policy-based feature that allows for monitoring and blocking or altering malicious traffic when the IPS is deployed inline (deployment options are covered in the next section of this chapter).
FireSIGHT uses Snort technology (an IDS). This technology makes use of preprocessors, which examine traffic and in some cases modify the traffic in such a way that attacks that cannot be recognized by the signature can be recognized. For example, one preprocessor helps to recognize malicious code hidden by an IP fragmentation attack.
An IPS policy consists of the following:
Rules that inspect the header content, packet size, and payload
Rule state configuration based on FireSIGHT recommendations
Preprocessors and other detection features
FireSIGHT also generates intrusion event information in a log that includes details such as the following:
Date and time
Event priority
Brief description
Name of the device
Source IP address and port for the event
Destination IP address and port for the event
Name of the logged-in user
Impact flag
After an Attack
After the attack, FireSIGHT provides an assessment of the attack, contains the attack, and helps bring the network back into a normal state. To do this, it uses several features:
FireSIGHT discovery and awareness: This collects information about hosts, operating systems, applications, users, files, networks, geolocation information, and vulnerabilities that is used to report indicators of compromise.
Dynamic file analysis: Captured files can be submitted to the Cisco Collective Security Intelligence Cloud for analysis. The cloud runs a test and returns a threat score to the FireSIGHT Management Center.
Connection data and summaries: Connection data is information about detected sessions, including timestamps, IP addresses, geolocation, and applications.
Understanding Modes of Deployment
The FireSIGHT Management Center can also manage other monitoring devices such as appliances, virtual appliances, and ASA firewalls running software release ASA 9.2 and later. It is also commonly deployed in branch offices in the form of the FireSIGHT module in the ASA.
The devices managed by the FireSIGHT Management Center acting in the same role as legacy IPS sensors can be deployed in two modes.
Passive
The sensor receives a copy of the network traffic to analyze while the original traffic flows through the network. Because the sensor only receives a copy, and because by the time the copy is analyzed, the original traffic is long gone, FireSIGHT can only function as an intrusion detection system (IDS) when deployed in this mode. There are two ways to implement passive mode.
SPAN
Figure 16.5 illustrates this mode. The sensor is connected to a port on the switch to which all traffic has been mirrored by making the port a SPAN port. Notice that the traffic flow from the device inside the network to a device on the Internet (black dashed line) and then back (gray dashed line) is not interrupted.
FIGURE 16.5 SPAN
Tap
In this deployment mode, the sensor is implemented as a network tap, as shown in Figure 16.6. The tap is placed between the router and the layer 3 switch. It provides full-duplex connectivity between the devices and splits off two simplex mirrors of the full-duplex traffic. All traffic between the two devices must traverse the sensor.
FIGURE 16.6 Tap
Inline
In this mode, the sensing device is placed in the line of traffic and analyzes the original traffic, not a copy, in real time. Therefore, it can take actions on the traffic that allow it to operate as a true IPS. Figure 16.7 shows this mode's operation.
FIGURE 16.7 Inline mode
Positioning of the IPS within the Network
When making this key decision, consider the following factors:
The features you are utilizing (attack detection, policy enforcement, surveillance, anomaly detection, etc.)
Location of critical assets
Bandwidth utilization
Topology
Outside
One of the options is to place the sensor outside the perimeter firewall (ASA). When placed here, the sensor will generate a very high number of alarms because this is an exposure to the most untrusted network, the Internet. It will also generate many alarms that you will assess to be false positives (more on false positives in the final section of this chapter) because it will be composed of traffic that the ASA would have never allowed into the network. Figure 16.8 shows this option.
FIGURE 16.8 Outside deployment
DMZ
Servers in the DMZ are exposed to the Internet by design. While placing a sensor here will help to identify attacks on these exposed devices, keep in mind that if these servers are being deployed according to best practices, they will contain no sensitive information and will have been significantly hardened. Figure 16.9 shows this option.
FIGURE 16.9 DMZ deployment
Inside
This is a positioning that yields the most benefit. While the perimeter ASA can provide protection, keep in mind that the users of these interior devices have varying levels of security expertise. This is also where all critical data will be located. Therefore, this will be the best place to deploy a single sensor. Figure 16.10 shows this option. In this option, FireSIGHT is deployed as a module in the ASA and is examining traffic destined for the internal network.
FIGURE 16.10 Inside deployment
Understanding False Positives, False Negatives, True Positives, and True Negatives
All IPSs and IDSs, including FireSIGHT, make incorrect assessments. In some cases, they fail to identify attacks or malicious traffic. In other cases, they alert you that an attack is underway when that is not the case. They also make correct assessments, alerting you to a real attack or ignoring traffic that is not an attack. There are terms used to describe all four of these scenarios. Table 16.1 identifies these terms. Keep in mind that true means the IPS was correct in its assessment and false means it was incorrect in its assessment.
TABLE 16.1 Assessment terms
Term: Meaning
True positive: The IPS alerted you to an attack that is real.
True negative: The IPS did not alert you to a nonexistent attack.
False positive: The IPS alerted you to an attack that is nonexistent.
False negative: The IPS did not alert you to a real attack.
Summary
In this chapter, you learned about some general IPS concepts, such as network-based and host-based deployments; modes of deployment such as inline, SPAN, and tap; and the positioning options available. You also were introduced to false positives and false negatives and the interpretation of these. The chapter covered how both rules and signatures are used in the process of identifying potential attacks. Finally, assessment terms (false positive, false negative, etc.) were discussed.
Exam Essentials
Define IPS terminology. These terms include threat, risk, vulnerability, exploit, and zero-day threat.
Describe the actions of which an IPS is capable. Some examples of these actions are drops, which means the IPS quietly drops the packets involved; reset, which sends a packet with the RST flag, which ends any TCP connection; shun, which accomplishes the same purpose as a reset for non-TCP connections; and block, where the IPS directs another device (a router or firewall) to block the traffic.
Differentiate network-based and host-based IPS. A host-based intrusion prevention system (HIPS) is installed on the device (for the purposes of this discussion, a server), and the system focuses solely on identifying attacks on that device only. This is in contrast to a network-based system, which monitors all traffic that goes through it looking for signs of attack on any machine in the network.
Identify evasion techniques employed to defeat an IPS. These include packet fragmentation, injection attacks, and alternate string expressions.
List four categories of functions of which FireSIGHT is capable. These functions include detection, learning, adapting, and acting.
Describe the deployment modes of an IPS. These include passive modes, such as SPAN and tap, where the device can only operate as an IDS. It also includes inline mode, in which the device can take actions on traffic as a true IPS.
Review Questions
1. Which of the following is an identified security weakness to which any specific environment may or may not be vulnerable?
A. Threat
B. Risk
C. Vulnerability
D. Exploit
2. Using which action does the IPS quietly drop the packets involved?
A. Drop
B. Reset
C. Shun
D. Block
3. Which of the following is not a drawback of a host-based IPS?
A. A high number of false positives can cause a lax attitude on the part of the security team.
B. Encrypted packets cannot be analyzed.
C. It cannot monitor any internal activity that occurs within a system.
D. It cannot address authentication issues.
4. Which evasion technique divides the packet into smaller pieces containing the malicious code so that it becomes difficult for the IPS to recognize the code?
A. Packet fragmentation
B. Injection attacks
C. Injection attacks
D. Cross-site scripting
5. Which of the following is not one of the four categories of functions of which FireSIGHT is capable?
A. Detection
B. Learning
C. Adapting
D. Block
6. Which of the following is any threat not yet remediated by malware vendors or software vendors?
A. Zero-day attack
B. Risk
C. Vulnerability
D. Exploit
7. Which capability of FireSIGHT is aimed at malware?
A. Blacklisting
B. AMP
C. SNORT technology
D. Discovery and awareness
8. Which deployment mode has the sensor connected to a port on the switch to which all traffic has been mirrored?
A. SPAN
B. Tap
C. Inline
D. Promiscuous
9. Which evasion technique relies on the fact that many protocols' information can be communicated or expressed in multiple ways?
A. Packet fragmentation
B. Buffer overflows
C. Injection attacks
D. Cross-site scripting
10. Which of the following is susceptible to an external threat that a device or system may possess?
A. Zero-day attack
B. Risk
C. Vulnerability
D. Exploit
11. Using which action does the IPS accomplish the same purpose as a reset for non-TCP connections?
A. Drop
B. Reset
C. Shun
D. Block
12. In which deployment mode is the sensor placed in the line of traffic to analyze the original traffic, not a copy, in real time?
A. SPAN
B. Tap
C. Inline
D. Promiscuous
13. In which positioning option will the IPS sensor generate a very high number of alarms?
A. Outside
B. DMZ
C. Inside
D. Remote
14. Which of the following occurs when a threat and a vulnerability both exist and a threat actor takes advantage of the situation?
A. Zero-day attack
B. Risk
C. Vulnerability
D. Exploit
15. Using which action does the IPS direct another device (a router or firewall) to block the traffic?
A. Drop
B. Reset
C. Shun
D. Block
16. In which deployment mode is the sensor placed between two layer 3 devices providing full-duplex connectivity between the devices and splitting off two simplex mirrors of the full-duplex traffic?
A. SPAN
B. Tap
C. Inline
D. Promiscuous
17. Which evasion technique inserts data that will be accepted by the IPS but will be ignored by the target system?
A. Packet fragmentation
B. Buffer overflow
C. Injection attacks
D. Cross-site scripting
18. Which of the following is a drawback of network-based IPS?
A. A high number of false positives can cause a lax attitude on the part of the security team.
B. Encrypted packets cannot be analyzed.
C. It cannot monitor any internal activity that occurs within a system.
D. It cannot address authentication issues.
19. Using which action does the IPS end any TCP connection?
A. Drop
B. Reset
C. Shun
D. Block
20. Which of the following is created when a threat exists to which a system is vulnerable?
A. Zero-day attack
B. Risk
C. Mitigation
D. Exploit
Chapter 17 Content and Endpoint Security
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
7.1 Describe mitigation technology for email-based threats
Spam filtering, anti-malware filtering, DLP, blacklisting, email encryption
7.2 Describe mitigation technology for web-based threats
Local and cloud-based web proxies
Blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, TLS/SSL decryption
7.3 Describe mitigation technology for endpoint threats
Anti-virus/anti-malware
Personal firewall/HIPS
Hardware/software encryption of local data
Endpoint devices in the network such as laptops, printers, workstations, scanners, cameras, and other such devices represent one of our biggest challenges in securing the environment. First, there are so many more of these than there are infrastructure devices. Moreover, these devices are most likely in the hands of users who either lack security knowledge or just don't care about it. In this chapter, you'll learn how to overcome these challenges and secure the endpoints in the environment.
In this chapter, you will learn the following:
Mitigation technology for email-based threats, including SPAM filtering, anti-malware filtering, data loss prevention (DLP), blacklisting, and email encryption
Mitigation technology for web-based threats, including local and cloud-based web proxies, blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS/SSL decryption
Mitigation technology for endpoint threats, including antivirus/anti-malware, personal firewall/HIPS, and hardware/software encryption of local data
Mitigating Email Threats
Threats to email strike at the very heart of your enterprise communication system. It has become evident that even tech-savvy users can fall prey to these threats. In this section, you'll learn about a few methods you can use to mitigate these threats. These methods are not mutually exclusive, and when deployed together, they stand as a good example of exercising the principle of a layered defense or defense in depth. Following that, you'll learn about the ways the Cisco Email Security Appliance (ESA) can address these threats.
Spam Filtering
Spam is both an annoyance to users and an aggravation to email administrators who must deal with the extra space the spam takes up on the servers. Spam filters are designed to prevent spam from being delivered to mailboxes. The issue with spam filters is that often legitimate email is marked as spam. Finding the right setting can be challenging. Users should be advised that no filter is perfect and that they should regularly check quarantined email for legitimate emails.
Reputation-based filtering relies on the identification of email servers that have become known for sending spam. When a system can do this, it must rely on some service for developing these "reputations." As you will see later, an example is the Cisco SenderBase. This is the system the Cisco Email Security Appliance (ESA) uses. This repository manages reputation "scores" for servers based on any malicious activity in which the server is reported to have been involved.
Context-Based Filtering
Context-based filtering filters the message and attachments for sender identities, message content, embedded URLs, and email formatting. These systems use algorithms to examine these items to identify spam.
Anti-malware Filtering
Email can also introduce malware into the environment through both malicious attachments and deceptive links in emails. While user training is the best approach to preventing email-based malware, we know that it doesn't always work. Even security professionals have inadvertently clicked malicious links and attachments by mistake. To augment training, the examination of all email for malware and the filtering of such malicious mail should be parts of providing secure email.
DLP
Data leakage occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently. Data loss prevention (DLP) software attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. For example, it might allow printing of a document but only at the company office. It might also disallow sending the document through email. DLP software uses ingress and egress filters to identify sensitive data that is leaving the organization and can prevent such leakage. Another scenario might be the release of product plans that should be available only to the sales group. The policy you could set for that document is as follows:
It cannot be emailed to anyone other than sales group members.
It cannot be printed.
It cannot be copied.
There are two locations at which DLP can be implemented.
Network DLP
Installed at network egress points near the perimeter, network DLP analyzes network traffic.
Endpoint DLP
Endpoint DLP runs on end-user workstations or servers in the organization.
You can use both precise and imprecise methods to determine what is sensitive.
Precise methods
These methods involve content registration and trigger almost zero false-positive incidents.
Imprecise methods
These can include keywords, lexicons, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, and statistical analysis.
The value of a DLP system resides in the level of precision with which it can locate and prevent the leakage of sensitive data.
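An egress DLP check that combines a precise and an imprecise method, as an added example that is not from the study guide or from Cisco: a registered pattern for payment card numbers validated with the Luhn checksum sits beside a keyword lexicon, and a constructed policy decides what may leave. The messages, the lexicon and the decision rules are assumptions; 4111 1111 1111 1111 is the widely published Visa test number, and the number ending in 1112 is a constructed near-miss that fails the checksum.

```python
"""Added example (not from the study guide): an egress DLP check that combines a
precise method (a registered card-number pattern validated with the Luhn checksum)
with an imprecise one (a keyword lexicon), applied to constructed outbound messages."""
import re
from typing import Dict, List

# Imprecise method: a lexicon of phrases that merely suggest sensitive content.
LEXICON = ("confidential", "internal only", "do not distribute")

# Precise method: 16-digit payment card numbers, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text: str) -> Dict[str, List[str]]:
    """Return findings grouped by method. Card candidates that fail Luhn are dropped,
    which is what keeps the precise method's false-positive rate near zero."""
    findings: Dict[str, List[str]] = {"precise": [], "imprecise": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            # Log only the last four digits; the DLP log must not become a leak itself.
            findings["precise"].append(digits[-4:].rjust(len(digits), "*"))
    lowered = text.lower()
    findings["imprecise"] = [phrase for phrase in LEXICON if phrase in lowered]
    return findings


def egress_decision(findings: Dict[str, List[str]]) -> str:
    """Assumed policy: block on a precise hit; hold for review on a lexicon hit only."""
    if findings["precise"]:
        return "block"
    if findings["imprecise"]:
        return "quarantine"
    return "allow"


# Constructed outbound messages (4111 1111 1111 1111 is the standard Visa test number).
MESSAGES = {
    "order": "Customer paid with card 4111 1111 1111 1111, ship today.",
    "typo": "Ref 4111 1111 1111 1112 is an order id, not a card.",   # fails Luhn
    "memo": "This roadmap is CONFIDENTIAL until the launch.",
    "lunch": "Sandwiches at noon in room 4.",
}


def decisions() -> Dict[str, str]:
    """Run every constructed message through the scanner and the policy."""
    return {name: egress_decision(scan_message(text)) for name, text in MESSAGES.items()}
```

The "typo" message is the point of the checksum: a plain regular expression would block it and generate the kind of false positive that makes users route around the control, whereas the precise method lets it through and reserves the block for a number that validates.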
BlacklistingBlacklistingidentifiesbadsenders.Whitelistingoccurswhenalistofacceptablee-mailaddresses,Internetaddresses,websites,applications,orotheridentifiersareconfiguredasgoodsendersorasallowed.Graylistingissomewhereinbetweenthetwowhenanentitycannotbeidentifiedasawhitelistorblacklistitem.Inthecaseofgraylisting,thenewentitymustpassthroughaseriesofteststodeterminewhetheritwillbewhitelistedorblacklisted.Whitelisting,blacklisting,andgraylistingarecommonlyusedwithspamfilteringtools.
EmailEncryptionEmailtraffic,likeanyothertraffictype,canbecapturedinitsrawformwithaprotocolanalyzer.Iftheemailiscleartext,itcanberead.Forthisreason,encryptionshouldbeusedforallemailsofasensitivenature.Whilethiscanbedoneusingthedigitalcertificateoftheintendedrecipient,thisistypicallypossibleonlyiftherecipientispartofyourorganizationandyourcompanyhasapublickeyinfrastructure(PKI).Manyemailproductsincludenativesupportfordigitalsigningandencryptionofmessagesusingdigitalcertificates.
WhileitispossibletouseemailencryptionprogramslikePrettyGoodPrivacy(PGP),itisconfusingformanyuserstousetheseproductscorrectlywithouttraining.Anotheroptionistouseanencryptionapplianceorservicethatautomatestheencryptionofemail.Regardlessof
![Page 308: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/308.jpg)
thespecificapproach,encryptionofmessagesistheonlymitigationforinformationdisclosurefromcapturedpackets.
CiscoEmailSecurityApplianceTheCiscoEmailSecurityAppliancecanaddresseachoftheseconcerns.ThefeaturesthataddressemailissuesintheESAarecoveredinthissection.AttheendofthesectionisadiscussionofthemessageflowwhenusingESA.
ReputationandContext-BasedFilteringESAperformsbothtypesoffiltering.WhenutilizingtheCiscoSenderBase,theactionstakenbyESAdependonthereputationscoreofthesource.Ifthesenderscoreisbetween–1and+10,theemailisaccepted.Ifitis–1and–3,theemailisacceptedbutadditionalemailsarethrottled.Ifitisbetween–10and–3,itisblocked.
VirusesandAnti-malwareESAusesamultilayerapproachtothisissue.Thethreelayersofdefenseareasfollows:
OutbreakFiltersDownloadedfromtheCiscoSenderBase.Thesefiltersaregeneratedbywatchingglobalemailtrafficpatternsandlookingforsignsofanoutbreak.Whenanemailisreceivedfromaserveronthelist,itisquarantineduntilantivirussignaturesareupdatedthataddresstherisk.
AntivirusSignaturesUsedinthesamewayanyanti-malwareproductusesthem:toidentifythepresenceofmalwareintheemail.
OutboundScanningScansemailthatisleavingforthepresenceofmalware.
EmailDataLossPreventionandEncryptionESA’sDLPfeaturesuserulesforidentifyingclassesofsensitiveinformationsuchaspersonallyidentifiableinformation(PII),paymentcardnumbers,bankroutingnumbers,financialaccountinformation,governmentIDnumbers,personalnames,addressesandphonenumbers,andhealthcarerecords.Moreover,youcandesignyourownclassesthatincludedatanotinthesecategories.Encryptionisalsopossibletoprotectanysensitiveinformationthatmustbesent.
AdvancedMalwareProtectionAdvancedMalwareProtection(AMP)isthemalwarecomponentinESAthatusesacombinationofseveraltechnologiestoprotectyoufromemail-basedmalware.
FileReputationAfingerprintofeveryfilethattraversestheCiscoemailsecuritygatewayissenttoAMP’scloud-basedintelligencenetworkforareputationverdict.Basedontheseresults,youcanblockmaliciousfilesidentifiedashavingabadreputation.
FileRetrospectionSometimesfilesenterthenetworkandarelateridentifiedasbeingathreat.
![Page 309: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/309.jpg)
Thisallowsfortheidentificationandremovalofthesefileslater.Ifmaliciousbehaviorisspottedlater,AMPsendsaretrospectivealertsothatyoucancontainandremediatethemalware.ThisprocessisdepictedinFigure17.1.
FIGURE17.1Fileretrospection
FileSandboxingThisprovidestheabilitytoanalyzefilesthattraversethegateway.Theninthesafesandboxedenvironment,AMPcanobtaindetailsaboutthethreatlevelofthemalwareandcommunicatethatinformationtotheCiscoTalosintelligencenetworktoupdatetheAMPclouddataforall.
ESAMessageFlowESAperformsitsjobbyactingasamessagetransferagent(MTA)intheemailsystem.Anothernameforthisfunctionisemailrelay.Figure17.2showsanormalinboundmessageflow.
![Page 310: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/310.jpg)
FIGURE17.2ESAinbound
Figure17.3showsanormaloutboundmessageflow.
![Page 311: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/311.jpg)
FIGURE17.3ESAoutbound
PuttingthePiecesTogetherThevariouscomponentsthatESAbringstobearinitsroleasanemailsecurityutilityworktogetherinanintegratedfashion,asshowninFigure17.4,whichishowESAoperatesagainstincomingemail.
![Page 312: CCNA security study guide: exam 210-260](https://reader035.fdocuments.us/reader035/viewer/2022070222/613c16b522e01a42d40e8b6e/html5/thumbnails/312.jpg)
FIGURE 17.4 Incoming mail processing
Regarding email that is leaving the organization, the operations of these components are depicted in Figure 17.5.
FIGURE 17.5 Outgoing mail processing
Mitigating Web-Based Threats
Another threat that presents itself to most enterprises is aimed at their web services. While not every organization has the need for an e-commerce server, almost every organization has a website or some type of web presence. Even a defacing of a public website, while not costly from a monetary standpoint, hurts the reputation and image of an organization.
One of the common ways of addressing threats against web applications and the web server software upon which they operate is a web proxy. Proxy servers in general stand between internal users or internal applications and potentially malicious requests coming from the Internet. Web proxies are a type of proxy that stands between a web application and web requests coming from the Internet. This section discusses web proxies and the functions they perform.
Understanding Web Proxies
Proxy servers can be appliances, or they can be installed on a server operating system. These servers act like a proxy firewall in that they create the web connection between systems on their behalf, but they can typically allow and disallow traffic on a more granular basis. For example, a proxy server may allow the sales group to go to certain websites while not allowing the data entry group access to those same sites. The functionality extends beyond HTTP to other traffic types, such as FTP traffic.
Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.
From a deployment perspective, web proxies can be implemented in two ways.
Local
A local proxy is one that is installed on the premises, in which all of the processing occurs on the local web proxy.
Cloud-Based
A cloud-based web proxy is one that transmits the traffic to a cloud location where all the operations that would occur on a local web proxy occur in the cloud. In some cases, this offers the advantage of additional intelligence services that can aggregate and analyze telemetry data from billions of web requests, malware samples, and emerging attack methods.
Cisco Web Security Appliance
The Cisco Web Security Appliance (WSA) is a web proxy that integrates with other network components to monitor and control outbound requests for web content. Traffic can be directed to the WSA explicitly on the end host or by using Web Cache Control Protocol on an inline device like the perimeter router. The features it provides are covered in this section and will be followed by a description of traffic flow when using a WSA.
Blacklisting
Blacklisting and whitelisting can be used to create and support the acceptable use policy (AUP) of the organization. Moreover, it helps to prevent malware from malicious sites from entering the network.
URL Filtering
The WSA reputation filters operate much like the reputation filters used in ESA, with the difference being that they operate against web domains rather than email sources. By leveraging Cisco Security Intelligence Operations (SIO), Cisco IronPort reputation filters analyze more than 50 web and network parameters to evaluate a website's trustworthiness.
Malware Scanning
The WSA anti-malware system uses multiple scanning engines in a single appliance. It uses the Dynamic Vectoring and Streaming Engine and verdict engines from both Webroot and McAfee.
URL Categorization
The Cisco URL filters can also be managed using access policies based on 52 predefined categories and an unlimited number of custom categories of sites. These can be used along with time-based policies to add additional flexibility.
Web Application Filtering
WSA uses Application Visibility and Control (AVC) to allow for the control of the use of web applications. Granular policy control allows administrators to permit the use of applications such as Dropbox or Facebook while blocking users from activities such as uploading documents or clicking the Like button.
TLS/SSL Decryption
In Cisco AsyncOS 9.0.0-485, the operating system in WSA, you can now enable and disable SSLv3 and various versions of TLS for several services. Disabling SSLv3 for all services is recommended for best security. You also can enable a protocol fallback option.
Mitigating Endpoint Threats
This section discusses the protection of endpoints. Many of the items discussed in this section can be managed manually or with third-party tools, but many of the items can be managed automatically using the Identity Services Engine (ISE). Before we discuss the security measures in this section and their potential relationship with ISE, let's take a brief look at ISE.
Cisco Identity Services Engine (ISE)
Finally, if the organization is implementing a BYOD policy, it can streamline this with self-service onboarding and management. While many of these features are beyond the scope of this book, we are going to discuss how it can handle the settings in this section.
Antivirus/Anti-malware
The Cisco ISE posture service interrogates a device requesting access for information regarding the presence of and proper configuration of antivirus and/or anti-malware software. It also checks for the presence of the latest available updates. Only when the machine is fully compliant is it allowed full access to the network.
Personal Firewall
While the Cisco ISE posture service verifies the presence of and proper configuration of antivirus and/or anti-malware software, it doesn't stop there. It can also verify the function and settings of the personal firewall. It can compare this with a baseline for compliance in the same way it verifies the antivirus and/or anti-malware software.
Hardware/Software Encryption of Local Data
Finally, sensitive data located in endpoints should be secured with either hardware or software encryption. Cisco ISE can be used to implement a mobile management solution that can require encryption of the storage in both easily stolen mobile devices and other devices that may contain sensitive information.
HIPS
While not a function that can be controlled through ISE or TrustSec, a host-based IPS (HIPS) monitors traffic on a single system. Its primary responsibility is to protect the system on which it is installed. A HIPS typically works closely with anti-malware products and host firewall products. They generally monitor the interaction of sites and applications with the operating system and stop any malicious activity or, in some cases, ask the user to approve changes that the application or site would like to make to the system.
These systems can use several methods of detecting intrusions. The two main methods are as follows:
Signature based: Analyzes traffic and compares patterns, called signatures, that reside within the IDS database. This requires constant updating of the signature database.
Anomaly based: Analyzes traffic and compares it to normal traffic to determine whether the traffic is a threat. This means any traffic out of the ordinary will set off an alert.
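The two detection methods side by side, as an added example that is not from the study guide: a signature pass that matches host events against a small pattern database, and an anomaly pass that compares each process's connection count with a learned baseline. The events, signatures and baseline are all constructed; note how the anomaly pass also flags a legitimate but never-seen updater, which is the false-positive cost the text alludes to.

```python
"""Signature-based versus anomaly-based detection, as a HIPS might run them.

Added example, not from the study guide: the host events, the signature
database and the per-process baseline are all constructed for illustration.
"""
import re
import statistics
from collections import Counter

# Constructed host events: which process did what, as a HIPS would observe them.
EVENTS = [
    {"process": "outlook.exe", "action": "connect", "dst_port": 443},
    {"process": "outlook.exe", "action": "connect", "dst_port": 443},
    {"process": "winword.exe", "action": "write", "path": r"C:\Users\alice\Documents\q1.docx"},
    {"process": "winword.exe", "action": "spawn", "child": "powershell.exe"},
    {"process": "backup.exe", "action": "write", "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"process": "chrome.exe", "action": "connect", "dst_port": 443},
    # A legitimate updater the baseline has never seen: anomaly detection will flag it.
    {"process": "updater.exe", "action": "connect", "dst_port": 443},
] + [{"process": "svc.exe", "action": "connect", "dst_port": 8443}] * 40

# Constructed signature database: (name, action it applies to, regex on the event detail).
# A vendor refreshes this constantly, which is the maintenance cost of the method.
SIGNATURES = [
    ("SIG-001 office application spawning a script host", "spawn", r"(?i)^(powershell|cmd|wscript)\.exe"),
    ("SIG-002 write to the hosts file", "write", r"(?i)\\system32\\drivers\\etc\\hosts$"),
]

# Which event field carries the detail a signature inspects, per action.
DETAIL_FIELD = {"spawn": "child", "write": "path"}

# Constructed baseline: outbound connections per process in each of ten earlier
# windows observed while the host was known to be clean.
BASELINE = {
    "outlook.exe": [3, 2, 4, 3, 2, 3, 4, 3, 2, 3],
    "chrome.exe": [10, 12, 9, 11, 10, 13, 9, 12, 11, 10],
    "svc.exe": [1, 0, 1, 1, 0, 1, 1, 0, 1, 1],
}


def signature_detect(events, signatures=SIGNATURES):
    """Return (signature_name, event) for every event that matches a known pattern.

    Only events whose action has a signature can fire; anything not in the
    database, however suspicious, is invisible to this method."""
    hits = []
    for ev in events:
        field = DETAIL_FIELD.get(ev["action"])
        if field is None:
            continue
        for name, action, pattern in signatures:
            if ev["action"] == action and re.search(pattern, ev[field]):
                hits.append((name, ev))
    return hits


def anomaly_detect(events, baseline=BASELINE, sigma=3.0):
    """Flag processes whose connection count departs from their own baseline.

    Returns {process: reason}. A process with no baseline at all is flagged
    too: that is the "anything out of the ordinary sets off an alert"
    behaviour, and the reason this method produces false positives."""
    counts = Counter(ev["process"] for ev in events if ev["action"] == "connect")
    alerts = {}
    for proc, n in sorted(counts.items()):
        history = baseline.get(proc)
        if history is None:
            alerts[proc] = f"no baseline for {proc} ({n} connections)"
            continue
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0  # flat history: avoid a zero-width threshold
        if n > mean + sigma * sd:
            alerts[proc] = f"{n} connections vs baseline {mean:.1f} +/- {sd:.1f}"
    return alerts


if __name__ == "__main__":
    for name, ev in signature_detect(EVENTS):
        print("SIGNATURE", name, "->", ev["process"])
    for proc, reason in anomaly_detect(EVENTS).items():
        print("ANOMALY", proc, "->", reason)
```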
Summary
In this chapter, you learned mitigation techniques available when using the Cisco Email Security Appliance. This included reputation and context-based filtering. You also were introduced to the Cisco Web Security Appliance, which can use blacklisting, URL filtering, and malware scanning to secure web traffic and web applications. Finally, the chapter discussed endpoint protection provided by the Cisco Identity Services Engine and Cisco TrustSec technology.
Exam Essentials
Identify the processes used by Cisco ESA to protect email. These processes include spam filtering, reputation-based filtering, context-based filtering, anti-malware filtering, data loss prevention, blacklisting, and email encryption.
Describe the actions of which the Cisco Web Security Appliance is capable. Some examples of these actions are blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS/SSL decryption.
Differentiate endpoint threats. These threats include viruses and malware, data disclosure, peer-to-peer attacks, and unauthorized access.
Identify techniques employed by the Cisco Identity Services Engine. These include access management, 802.1x, health and patch assessment, and verification of settings in the personal firewall.
Review Questions
1. Which of the following relies on the identification of email servers that have become known for sending spam?
A. Context-based filtering
B. Reputation-based filtering
C. Data-based filtering
D. Domain-based filtering
2. Which of the following occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently?
A. Data leakage
B. Data egress
C. Information corruption
D. Unintended release
3. Which of the following is installed at network egress points near the perimeter?
A. Client DLP
B. Network DLP
C. Endpoint DLP
D. Composite DLP
4. Which of the following trigger almost zero false-positive incidents?
A. Precise methods
B. Complete methods
C. Imprecise methods
D. Sparse methods
5. With which sender score does ESA accept an email?
A. Between –1 and +10
B. Between –1 and –3
C. Between –10 and –3
D. Between +10 and +20
6. Which of the following is the malware component in ESA?
A. AMP
B. MAP
C. CMP
D. EMP
7. Which capability of AMP sends a fingerprint of every file that traverses the Cisco email security gateway to AMP's cloud-based intelligence network?
A. File reputation
B. File retrospection
C. File sandboxing
D. File examination
8. Which of the following uses real-time analysis on a vast, diverse, and global dataset to detect URLs that contain some form of malware?
A. SPAN
B. WBRS
C. WCCP
D. SIO
9. Which of the following is a web proxy that integrates with other network components to monitor and control outbound requests for web content?
A. ESA
B. AMP
C. WSA
D. ISE
10. Which component analyzes more than 50 web and network parameters to evaluate a website's trustworthiness?
A. Cisco IronPort
B. Dynamic Vectoring and Streaming Engine
C. Web Cache Control Protocol
D. Message Transfer Agent (MTA)
11. With which sender score does ESA block the email?
A. Between –1 and +10
B. Between –1 and –3
C. Between –10 and –3
D. Between +10 and +20
12. Which capability of AMP provides the ability to analyze files that traverse the gateway?
A. File reputation
B. File retrospection
C. File sandboxing
D. File examination
13. Which of the following uses the Dynamic Vectoring and Streaming Engine?
A. ESA
B. AMP
C. WSA
D. ISE
14. Which of the following allows administrators to permit the use of applications such as Dropbox or Facebook?
A. ESA
B. AMP
C. WSA
D. AVC
15. Which of the following can provide AAA services so that you can deploy 802.1x security?
A. ESA
B. ISE
C. WSA
D. AVC
16. Which capability of AMP allows for the identification and removal of these files after they are accepted?
A. File reputation
B. File retrospection
C. File sandboxing
D. File examination
17. With which sender score does ESA accept the email but additional emails are throttled?
A. Between –1 and +10
B. Between –1 and –3
C. Between –10 and –3
D. Between +10 and +20
18. Which of the following can include keywords, lexicons, and regular expressions?
A. Precise methods
B. Complete methods
C. Imprecise methods
D. Sparse methods
19. Which of the following is installed on end-user workstations?
A. Client DLP
B. Network DLP
C. Endpoint DLP
D. Composite DLP
20. Which of the following filters the message and attachments for sender identities, message content, embedded URLs, and email formatting?
A. Context-based filtering
B. Reputation-based filtering
C. Data-based filtering
D. Domain-based filtering
Appendix: Answers to Review Questions
Chapter 1: Understanding Security Fundamentals
1. D. Accountability, although important, is not part of the CIA triad. The CIA triad includes confidentiality, integrity, and availability.
2. A. The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task. Its main purpose is to ensure that users have access only to the resources they need and are authorized to perform only the tasks they need to perform.
3. B. A threat occurs when a vulnerability is identified or exploited. A threat would occur when an attacker identified the folder on the computer that has an inappropriate or absent access control list.
4. D. NIST SP 800-30 identifies the following steps in the risk management process:
   1. Identify the assets and their value.
   2. Identify threats.
   3. Identify vulnerabilities.
   4. Determine likelihood.
   5. Identify impact.
5. B. Sensitivity is a measure of how freely the data can be handled. Some data requires special care and handling, especially when inappropriate handling could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals.
6. C. These are typical commercial classifications:
   1. Confidential
   2. Private
   3. Sensitive
   4. Public
7. C. The Traffic Light Protocol classifications are:
   Color   Meaning
   Red     Shared only within a meeting
   Amber   Shared only with those in the organization with a need to know
   Green   Shared only within a community
   White   No restriction but still subject to copyright rules
8. C. Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardizes the nomenclature and formats used.
9. B. These metric groups are described as follows:
   Base: Characteristics of a vulnerability that are constant over time and user environments
   Temporal: Characteristics of a vulnerability that change over time but not among user environments
   Environmental: Characteristics of a vulnerability that are relevant and unique to a particular user's environment
10. D. The SLE is the monetary impact of each threat occurrence. To determine the SLE, you must know the asset value (AV) and the exposure factor (EF). The EF is the percent value or functionality of an asset that will be lost when a threat event occurs. The calculation for obtaining the SLE is as follows:
   SLE = AV × EF
11. B. Mitigation is the process of selecting a control that will reduce the risk to an acceptable level.
12. B. The enterprise campus includes the end devices and provides them with access to the outside world and to the Intranet data center through the enterprise core.
13. B. A demilitarized zone (DMZ) is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network.
14. A. Network security zones can also be created at layer 2. Virtual local area networks (VLANs) are logical subdivisions of a switch that segregate ports from one another as if they were in different LANs.
15. B. Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.
16. B. A defense-in-depth strategy refers to the practice of using multiple layers of security between data and the resources on which it resides and possible attackers. The first layer of a good defense-in-depth strategy is appropriate access control strategies.
17. A. A risk is the probability that a threat agent will exploit a vulnerability and the impact if the threat is carried out. The risk in the vulnerability example would be fairly high if the data residing in the folder is confidential. However, if the folder contains only public data, then the risk would be low.
18. C. This classification system created by the United Kingdom's National Infrastructure Security Coordination Centre (NISCC, now Centre for Protection of National Infrastructure) and since adopted by the ISO/IEC as part of the Standard on Information security management for intersector and interorganizational communications and by CERT is the Traffic Light Protocol (TLP). This system uses traffic light colors to classify information assets.
19. B. Common Vulnerabilities and Exposures (CVE) is a compilation of common vulnerabilities found in operating systems and applications.
20. C. The exposure factor (EF) is the percent value or functionality of an asset that will be lost when a threat event occurs.
Chapter 2: Understanding Security Threats
1. C. Hacktivists include those who hack not for personal gain but to further a cause. An example is the Anonymous group that hacks from time to time for various political reasons.
2. A. IP address spoofing is one of the techniques used by hackers to hide their trail or to masquerade as another computer. The hacker alters the IP address as it appears in the packet. This can sometimes allow the packet to get through an ACL that is based on IP addresses.
3. C. Port scanning is not a password attack. By determining the services that are running on a system, the attacker also discovers potential vulnerabilities of the service of which the attacker may attempt to take advantage. This is typically done with a port scan in which all "open" or "listening" ports are identified.
4. C. When this packet is sent, these responses are possible:
   No response: The port is open on the target.
   RST: The port is closed on the target.
5. A. With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten. The key to preventing many buffer overflow attacks is input validation, in which any input is checked for format and length before it is used.
6. D. A man-in-the-middle attack is launched from a single malicious individual, while DDoS attacks come from multiple devices.
7. A. One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this poisoning by answering ARP requests for another computer's IP address with the attacker's own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker's MAC address listed as the MAC address that maps to the other computer's IP address. As a result, both are sending to the attacker, placing the attacker "in the middle."
8. B. Dynamic ARP inspection (DAI) is a security feature that intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table. This table is built by also monitoring all DHCP requests for IP addresses and maintaining the mapping of each resulting IP address to a MAC address (which is part of DHCP snooping). If an incorrect mapping is attempted, the switch rejects the packet.
9. C. The main purpose of DHCP snooping is to prevent a poisoning attack on the DHCP database. This is not a switch attack per se, but one of its features can support DAI. It creates a mapping of IP addresses to MAC addresses from a trusted DHCP server that can be used in the validation process of DAI.
10. D. A virus is any malware that attaches itself to another application to replicate or distribute itself.
11. B. Intellectual property is property that is considered to be a unique creation of the mind and includes books, music, logos, inventions, and slogans.
12. C. The best mitigation for credit data theft is to adopt all recommendations of the Payment Card Industry Data Security Standard (PCI-DSS).
13. B. MAC addresses can also be spoofed and used to get through MAC address filters. These filters are typically applied to control access to wireless access points at layer 2.
14. A. A possible mitigation technique is to implement the Sender Policy Framework (SPF). SPF is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain's administrator. If it can't be validated, it is not delivered to the recipient's box.
15. B. Nmap is one of the most popular port scanning tools used today. By performing scans with certain flags set in the scan packets, security analysts (and hackers) can make certain assumptions based on the responses received.
16. C. An XMAS scan sets the FIN, PSH, and URG flags. When this packet is sent, these responses are possible:
   No response: The port is open on the target.
   RST: The port is closed on the target.
17. A. The ping-of-death attack is one in which an oversized ICMP packet is sent to the target. The maximum allowable IP packet size is 65,535 bytes, including the packet header, which is typically 20 bytes. An ICMP echo request is an IP packet with a pseudo header, which is 8 bytes. Therefore, the maximum allowable size of the data area of an ICMP echo request is 65,507 bytes (65,535 – 20 – 8 = 65,507).
18. B. In a reflected DDoS attack, the attack is bounced off a large number of devices without actually recruiting the devices as zombies. A good example of this type of DDoS is the smurf attack.
19. C. The dynamic ARP inspection security feature intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table. This prevents ARP poisoning attacks.
20. B. Pharming is similar to phishing, but pharming actually pollutes the contents of a computer's DNS cache so that requests to a legitimate site are actually routed to an alternate site.
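The DHCP snooping and DAI behaviour described in answers 8, 9 and 19 above, as an added example in Python that is not Cisco code: a switch model that learns IP-to-MAC bindings from DHCP ACKs seen on trusted ports, drops DHCP server replies arriving on untrusted ports, and forwards an ARP from an untrusted port only when its sender pair matches the binding table. It goes slightly beyond those answers by also consulting a static ARP ACL entry for a host that does not use DHCP; every port name, address and frame is constructed.

```python
"""DHCP snooping binding table feeding Dynamic ARP Inspection (DAI).

Added example modelling Chapter 2 answers 8, 9 and 19 in Python. It is not
Cisco code; port names, addresses and the frames fed in are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    # Ports facing the legitimate DHCP server or uplinks; everything else is untrusted.
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # ip -> (mac, client_port), learned from DHCP
    arp_acl: dict = field(default_factory=dict)    # ip -> mac, static entries for hosts without DHCP
    log: list = field(default_factory=list)

    def dhcp_snoop(self, port, msg):
        """DHCP snooping: server replies are honoured only on trusted ports, and
        each ACK on a trusted port adds the client's IP-to-MAC binding.
        Returns True if the message is forwarded, False if it is dropped."""
        if msg["type"] in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted_ports:
                self.log.append(f"DROP DHCP {msg['type']} from untrusted port {port}")
                return False
            if msg["type"] == "ACK":
                # yiaddr is the leased address, chaddr the client's MAC; the client
                # port was noted when its DISCOVER came in (supplied directly here).
                self.bindings[msg["yiaddr"]] = (msg["chaddr"], msg["client_port"])
                self.log.append(f"BIND {msg['yiaddr']} -> {msg['chaddr']} on {msg['client_port']}")
        return True

    def dai_check(self, port, arp):
        """DAI: an ARP arriving on an untrusted port is forwarded only if its
        sender IP/MAC pair matches the snooping database or the ARP ACL."""
        if port in self.trusted_ports:
            return True
        expected = self.arp_acl.get(arp["sender_ip"])
        if expected is None and arp["sender_ip"] in self.bindings:
            expected = self.bindings[arp["sender_ip"]][0]
        if expected is None or expected.lower() != arp["sender_mac"].lower():
            self.log.append(
                f"DAI DROP on {port}: {arp['sender_ip']} claimed by {arp['sender_mac']}, "
                f"expected {expected or 'no binding'}")
            return False
        return True


def run_scenario():
    """Constructed sequence of frames; returns [(description, forwarded?)]."""
    sw = Switch(trusted_ports={"Gi0/1"})
    sw.arp_acl["10.0.0.200"] = "cc:cc:cc:cc:cc:cc"   # printer with a static address
    ack = {"type": "ACK", "yiaddr": "10.0.0.20", "chaddr": "aa:aa:aa:aa:aa:aa", "client_port": "Gi0/5"}
    rogue_offer = {"type": "OFFER", "yiaddr": "10.0.0.21", "chaddr": "dd:dd:dd:dd:dd:dd", "client_port": "Gi0/8"}
    return [
        ("legitimate DHCP ACK on the trusted server port", sw.dhcp_snoop("Gi0/1", ack)),
        ("DHCP OFFER from a server on an untrusted port", sw.dhcp_snoop("Gi0/7", rogue_offer)),
        ("host answering ARP with its own binding",
         sw.dai_check("Gi0/5", {"sender_ip": "10.0.0.20", "sender_mac": "aa:aa:aa:aa:aa:aa"})),
        ("gratuitous ARP claiming 10.0.0.20 with a different MAC",
         sw.dai_check("Gi0/7", {"sender_ip": "10.0.0.20", "sender_mac": "bb:bb:bb:bb:bb:bb"})),
        ("printer ARP matching its ARP ACL entry",
         sw.dai_check("Gi0/9", {"sender_ip": "10.0.0.200", "sender_mac": "cc:cc:cc:cc:cc:cc"})),
        ("ARP for an address with no binding at all",
         sw.dai_check("Gi0/7", {"sender_ip": "10.0.0.99", "sender_mac": "bb:bb:bb:bb:bb:bb"})),
    ]


if __name__ == "__main__":
    for description, forwarded in run_scenario():
        print("FORWARD" if forwarded else "DROP   ", description)
```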
Chapter 3: Understanding Cryptography
1. A. A symmetric key algorithm does not use a public key. It uses a matching or private key for both encryption and decryption.
2. B. Asymmetric algorithms are not typically used for data at rest because they are very slow in relation to symmetric algorithms at this task. Asymmetric algorithms are used for data in transit.
3. D. Block ciphers employ both substitution and transposition.
4. B. Stream-based ciphers perform encryption on a bit-by-bit basis and use keystream generators. The keystream generators create a bit stream that is XORed with the plaintext bits. The result of this XOR operation is the ciphertext.
5. A. Some modes of symmetric key algorithms use initialization vectors (IVs) to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms.
6. B. Although Electronic Codebook (ECB) is the easiest and fastest mode to use, it has security issues because every 64-bit block is encrypted with the same key. If an attacker discovers the key, all the blocks of data can be read.
7. B. AES is the replacement algorithm for 3DES and DES. Although AES is considered the standard, the algorithm that is used in the AES standard is the Rijndael algorithm. The AES and Rijndael terms are often used interchangeably.
8. A. RSA is the most popular asymmetric algorithm and was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA can provide key exchange, encryption, and digital signatures. The strength of the RSA algorithm is the difficulty of finding the prime factors of very large numbers.
9. C. A collision occurs when a hash function produces the same hash value on different messages.
10. D. The U.S. government requires the usage of SHA-2 instead of MD5.
11. B. A hash MAC (HMAC) is a keyed-hash MAC that involves a hash function with a symmetric key. HMAC can help reduce the collision rate of the hash function.
12. C. A digital signature is a hash value encrypted with the sender's private key. A digital signature provides authentication, nonrepudiation, and integrity.
13. A. To use symmetric key algorithms for encrypting data, the two parties must share an identical symmetric key. This means we need some secure way to get identical symmetric keys on the two endpoints. This is done by using asymmetric algorithms for the key exchange and, once the keys are generated and exchanged, using the symmetric keys and a symmetric key algorithm for the encryption of the data. This is often called a hybrid cryptosystem.
14. A. Users and devices are issued public/private key pairs that are bound to a digital document called a digital certificate. This certificate (more specifically the keys to which it is bound) can be used for a variety of things including:
   Encrypting data
   As a form of authentication
   Encrypting email
   Digitally signing software
15. B. An X.509 certificate complies with the X.509 standard.
16. B. A CRL is a list of digital certificates that a CA has revoked. To find out whether a digital certificate has been revoked, the browser must either check the CRL or push out the CRL values to clients.
17. A. VeriSign first introduced the following digital certificate classes:
   Class 1: For individuals intended for e-mail. These certificates get saved by web browsers.
   Class 2: For organizations that must provide proof of identity.
   Class 3: For servers and software signing in which independent verification and identity and authority checking is done by the issuing CA.
   Class 4: For online business transactions between companies.
   Class 5: For private organizations or governmental security.
18. B. Any participant that requests a certificate must first go through the registration authority (RA), which verifies the requestor's identity and registers the requestor. After the identity is verified, the RA passes the request to the CA. In many cases, the CA and the RA are the same server.
19. B. In some cases, two organizations may have a need to trust one another's certificates. This can be done by configuring cross certification. In cross certification, a trust is created between the two root CAs, which enables both systems to trust all certificates.
20. B. The ASA has a self-signed default certificate that can be used, although in most cases it will be desirable to install a certificate from your PKI.
Chapter 4: Securing the Routing Process
1. D. While configuring a loopback IP address to be used for management access is certainly advisable, it is not required when configuring a router for SSH access.
2. C. The syslog message indicates that SSH version 1.99 has been enabled. This indicates that it is a version 2 server that can accept connections from SSH version 1 devices.
3. D. The line in the configuration that says login local specifies that the user accounts will be local to this router.
4. A. Privilege levels allow you to assign a technician sets of activities that coincide with the level the technician has been assigned. There are 16 levels, from 0 to 15. When you are in user mode (router>), you are at privilege level 0. When you are in privileged mode (router#), you are at level 15.
5. C. If the intent is to allow this technician to change IP addresses on interfaces, assign him that command. Since the ip command (along with the parameter address) is executed after entering interface configuration mode, you have to reference interface in the command, as shown here:
   router(config)# privilege interface level 12 ip
6. B. The only view that exists by default is called root, which as you would expect allows access to all commands. Access to this view is provided when you submit the enable secret password.
7. B. To enable the protection of the boot image, issue the following command:
   R64(config)# secure boot-image
   *April 2 14:24:50.231: %IOS_Reslience-5-IMAGE_RESIL_ACTIVE: Successfully secured running image
   Notice the system message indicating the boot image is protected.
8. B. A secure configuration can be removed. Once these two items are secured (called the secure bootset), you cannot update the startup configuration without removing the secure configuration long enough to make the change and resecuring it as was done in the first place.
9. B. Commands that remove a secure bootset configuration can be run only from the console connection.
10. B. OSPF routing updates are secured using a hashing algorithm. You can use either MD5 or SHA-256 HMAC. Be aware, however, that some devices may support only MD5.
11. C. While key chain names and the key numbers do not have to match on the two routers on either end of the link, the key strings and the hashing algorithms must match!
12. C. The final step is to apply the key chain to the interface that connects to the neighboring router.
13. A. Key chain configuration mode is the mode in which you will define the key number as follows. The number I am using is 1.
   R64(config-keychain)# key 1
   R64(config-keychain-key)#
14. A. Telling the router the algorithm (MD5) to use for this key is done at the same key prompt as follows:
   R64(config-keychain-key)# cryptographic-algorithm md5
   R64(config-keychain-key)#
15. A. Configuring EIGRP routing update authentication is similar to OSPF. However, OSPF specifies the hashing algorithms in the same mode where you specify the key string, but in EIGRP, that is specified on the interface.
16. B. When you specify the algorithm, you also specify the EIGRP AS number in the same command as follows, where 66 is the AS number:
   R64(config-if)# ip authentication mode eigrp 66 md5
17. A. There are four types of packets that a router may encounter. Data plane packets are end-station, user-generated packets that are always forwarded by network devices to other end-station devices.
18. B. There are four types of packets that a router may encounter. Control plane packets are network device–generated or received packets that are used for the creation and operation of the network. Examples include protocols such as ARP, BGP, and OSPF.
19. C. Packets in the control plane are those that are either destined for the router itself or packets generated by the router.
20. B. In this model, three mechanisms are used. Class maps are used to categorize traffic types into classes. ACLs are typically used to define the traffic, and then the ACL is referenced in the class map. Policy maps are used to define the action to be taken for a particular class. Actions that can be specified are allow, block, and rate-limit. Service policies are used to specify where the policy map should be implemented.
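The keyed-hash authentication behind Chapter 3 answer 11 and Chapter 4 answers 10 through 16, as an added example in Python rather than router configuration: a key chain holds numbered keys, each with a key string and an algorithm (md5 or sha256); the sender appends an HMAC over the update, and the receiver tries each key in its own chain, so only the key string and algorithm need to agree, not the chain name or key number, as answer 11 states. The chains, key strings and update payload are constructed, and the framing is this example's own simplification, not the OSPF or EIGRP packet format.

```python
"""HMAC authentication of routing updates, modelled on the key-chain answers.

Added example, not Cisco code: the key chains, key strings and the update
payload are constructed, and the framing is this example's own, not the OSPF
or EIGRP wire format.
"""
import hashlib
import hmac


class KeyChain:
    """A named key chain: {key_number: (key_string, algorithm)}."""

    def __init__(self, name, keys):
        self.name = name
        self.keys = dict(keys)


def sign_update(chain, key_number, update: bytes) -> bytes:
    """Append the algorithm name and the HMAC of the update under the chosen key."""
    key_string, algo = chain.keys[key_number]
    digest = hmac.new(key_string.encode(), update, getattr(hashlib, algo)).hexdigest()
    return update + b"|" + algo.encode() + b"|" + digest.encode()


def verify_update(chain, frame: bytes):
    """Return the update if some key in the receiver's chain reproduces the digest.

    The chain name and the key numbers play no part: as the answer to question 11
    says, only the key string and the algorithm must agree. Returns None on failure."""
    try:
        update, algo, sent = frame.rsplit(b"|", 2)
        algo = algo.decode()
    except ValueError:
        return None
    for key_string, key_algo in chain.keys.values():
        if key_algo != algo:          # algorithm mismatch: this key cannot verify it
            continue
        expected = hmac.new(key_string.encode(), update, getattr(hashlib, key_algo)).hexdigest().encode()
        if hmac.compare_digest(expected, sent):   # constant-time comparison
            return update
    return None


def demo():
    """Router pairs with matching and mismatching chains; returns {case: passed}."""
    r64 = KeyChain("EIGRP-KEYS", {1: ("s3cr3t-str1ng", "md5")})
    r65 = KeyChain("NEIGHBOR-CHAIN", {7: ("s3cr3t-str1ng", "md5")})   # other name and key number
    r66 = KeyChain("EIGRP-KEYS", {1: ("wr0ng-str1ng", "md5")})       # key string differs
    r67 = KeyChain("EIGRP-KEYS", {1: ("s3cr3t-str1ng", "sha256")})   # algorithm differs
    update = b"EIGRP UPDATE AS 66: 10.1.0.0/24 via 10.0.12.1"
    frame = sign_update(r64, 1, update)
    tampered = frame.replace(b"10.1.0.0/24", b"10.9.0.0/24")
    return {
        "same key string and algorithm, different chain name and key number": verify_update(r65, frame) == update,
        "different key string": verify_update(r66, frame) is None,
        "same key string, different algorithm": verify_update(r67, frame) is None,
        "routes altered in transit": verify_update(r65, tampered) is None,
        "sha256 chains on both ends": verify_update(r67, sign_update(r67, 1, update)) == update,
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print("OK  " if passed else "FAIL", case)
```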
Chapter 5: Understanding Layer 2 Attacks
1. C. When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU to the one held by the current root bridge, the new switch assumes the position of root bridge.
2. B. An ARP poisoning attack is one that takes advantage of the normal process that devices use to learn an unknown MAC address that a device with a known IP address possesses. By using a gratuitous ARP, the ARP cache of other devices can be poisoned.
3. A. In an ARP poisoning attack, the attacker sends a packet type called a gratuitous ARP to the target device with an incorrect IP address to MAC address mapping.
4. C. First an area of memory called the ARP cache is consulted. If the MAC address has been recently resolved, the mapping will be in the cache, and a broadcast is not required. If the record has aged out of the cache, ARP sends a broadcast frame to the local network that all devices will receive.
5. C. MAC spoofing attacks occur when an attacker changes his MAC address so that he appears to be another device, and as is the case with all spoofing attacks, the ultimate aim is to receive something intended for the real device or to get past access controls based on a MAC address.
6. A. A MAC address attack is also considered a switch attack because it leverages the MAC address table in the switch to accomplish the goal of receiving traffic destined for another device.
7. C. The MAC address table is also called the content addressable memory (CAM) table and is populated by the switch as frames are switched through it.
8. B. There is a limited amount of memory space that is available for the CAM table. In a CAM overflow attack, the attacker floods the switch with frames that have invalid source MAC addresses. This is easier than it sounds by using a tool such as macof.
9. B. The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise because in this condition the switch is basically operating as a hub and not a switch.
10. A. Cisco Discovery Protocol (CDP) and its standards-based alternative Link Layer Discovery Protocol (LLDP) are useful tools. They can be used to display information about directly connected devices.
11. C. To disable CDP globally, run the following command in global configuration mode:
   Router67(config)# no cdp run
12. D. To disable LLDP on an interface, run the following command in interface configuration mode:
   Router67(config-if)# no lldp receive
13. B. A VLAN hopping attack's aim is to receive traffic from a VLAN of which the hacker's port is not a member.
14. A. A VLAN hopping attack's aim is to receive traffic from a VLAN of which the hacker's port is not a member. It can be done two ways: switch spoofing and double tagging.
15. C. Switch ports can be set to use a protocol called Dynamic Trunking Protocol (DTP) to negotiate the formation of a trunk link. If an access port is left configured to use DTP, it is possible for hackers to set their interface to spoof a switch and use DTP to create a trunk link. If this occurs, they can capture traffic from all VLANs.
16. B. Double tagging is only an issue on switches that use "native" VLANs. A native VLAN is used for any traffic that is still a member of the default VLAN, or VLAN 1.
17. A. When configured properly, DHCP reduces administrative overload, reduces the human error inherent in manual assignment, and enhances device mobility. But it introduces a vulnerability that when leveraged by a malicious individual can result in an inability of hosts to communicate (constituting a DoS attack) and can result in peer-to-peer attacks.
18. A. After receiving an incorrect IP address, subnet mask, default gateway, and DNS server address from the rogue DHCP server, the DHCP client might use the attacker's DNS server to obtain the IP address of his bank. This leads him to unwittingly connect to the attacker's copy of the bank's website. When the client enters his credentials to log in, the attacker now has his bank credentials and can proceed to empty out his account.
19. A. Trunk ports use an encapsulation protocol called 802.1q to place a VLAN tag around each frame to identify the VLAN to which the frame belongs. When a switch at the end of a trunk link receives an 802.1q frame, it strips this off and forwards the traffic to the destination device. In a double tagging attack, the hacker creates a special frame that has two tags. The inner tag is the VLAN to which the hacker wants to send a frame (perhaps with malicious content), and the outer tag is the real VLAN of which the hacker is a member. If the frame goes through two switches (which is possible since VLANs can span switches), the first tag gets taken off by the first switch, leaving the second, which allows the frame to be forwarded to the target VLAN by the second switch.
20. C. Switch ports can be set to use a protocol called Dynamic Trunking Protocol (DTP) to negotiate the formation of a trunk link. If an access port is left configured to use DTP, it is possible for hackers to set their interface to spoof a switch and use DTP to create a trunk link. If this occurs, they can capture traffic from all VLANs.
Chapter 6: Preventing Layer 2 Attacks
1. C. This feature works by filtering the DHCP messages sent by the rogue DHCP server so that they are never received by the unsuspecting hosts. It also uses the messages sent to and from the legitimate DHCP server to build a binding database that maps the MAC addresses of hosts to the IP addresses they received from the legitimate DHCP server.
2. D. As a matter of fact, any server response packets (DHCPOFFER, DHCPACK, or DHCPNACK) will be dropped by these interfaces.
3. B. The DAI feature requires that DHCP snooping also be enabled because it depends on the DHCP snooping database that is created when DHCP snooping is enabled.
4. A. These interfaces will require that you create a type of ACL on the switch called an ARP ACL. This ACL identifies the correct IP to MAC address mapping for the interface, and the ACL is referenced as a filter in the DAI configuration. This makes the ACL available to the DAI process as an addition to the DHCP snooping database.
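The interplay described in answers 1 through 4 (untrusted ports dropping DHCP server replies, the binding database built from the legitimate server's DHCPACKs, and DAI consulting that database plus an ARP ACL) as a small Python model. This is an added example, not code from the study guide; the port names, MAC addresses and IP addresses are constructed samples.

```python
"""Added example (not from the study guide): a minimal model of DHCP snooping
and Dynamic ARP Inspection (DAI) cooperating on one switch."""
from dataclasses import dataclass, field

# DHCP server-to-client messages; only a trusted port may source these.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}


@dataclass
class Switch:
    trusted_ports: set                                # ports marked trusted
    bindings: dict = field(default_factory=dict)      # client MAC -> leased IP
    arp_acl: dict = field(default_factory=dict)       # static MAC -> IP (ARP ACL)
    log: list = field(default_factory=list)

    def dhcp(self, port: str, msg_type: str, client_mac: str, yiaddr: str = "") -> bool:
        """Return True if the DHCP message is forwarded, False if dropped."""
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted_ports:
                # A server reply on an untrusted port can only be a rogue server.
                self.log.append(f"DROP {msg_type} from untrusted port {port}")
                return False
            if msg_type == "DHCPACK":
                # Lease granted by the legitimate server: record the binding.
                self.bindings[client_mac] = yiaddr
        return True  # client messages, and server replies on trusted ports, pass

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI: on untrusted ports the sender IP/MAC pair must match the ARP ACL
        or the snooping binding database; anything else is dropped."""
        if port in self.trusted_ports:
            return True
        expected = self.arp_acl.get(sender_mac) or self.bindings.get(sender_mac)
        if expected != sender_ip:
            self.log.append(f"DROP ARP {sender_ip}/{sender_mac} on {port}")
            return False
        return True


def run_scenario():
    """Constructed traffic: one rogue offer, one real lease, then three ARPs."""
    sw = Switch(trusted_ports={"Gi0/24"},            # uplink to the real DHCP server
                arp_acl={"00:00:5e:00:53:ff": "10.0.0.5"})  # statically addressed host
    results = {
        # Rogue DHCP server on an access port: its OFFER never reaches clients.
        "rogue_offer": sw.dhcp("Fa0/3", "DHCPOFFER", "00:00:5e:00:53:01", "10.0.0.200"),
        # Client request goes out normally...
        "discover": sw.dhcp("Fa0/1", "DHCPDISCOVER", "00:00:5e:00:53:01"),
        # ...and the legitimate ACK on the trusted port populates the database.
        "ack": sw.dhcp("Gi0/24", "DHCPACK", "00:00:5e:00:53:01", "10.0.0.50"),
        # ARP consistent with the lease is allowed.
        "good_arp": sw.arp("Fa0/1", "00:00:5e:00:53:01", "10.0.0.50"),
        # Same host claiming the gateway's address (ARP poisoning) is dropped.
        "spoofed_arp": sw.arp("Fa0/1", "00:00:5e:00:53:01", "10.0.0.1"),
        # Static host with no DHCP lease is covered by the ARP ACL.
        "static_arp": sw.arp("Fa0/5", "00:00:5e:00:53:ff", "10.0.0.5"),
    }
    return sw, results


if __name__ == "__main__":
    switch, outcome = run_scenario()
    print(outcome)
    print("\n".join(switch.log))
```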
5. D. You can also choose the following actions using alternative keywords to the shutdown keyword:
protect: The offending frame will be dropped.
restrict: The frame is dropped, and an SNMP trap and a syslog message are generated.
6. B. By limiting the number of MAC addresses that can be seen on a port, CAM overflow attacks can be prevented.
7. A. BPDU Guard should be implemented only on access ports because if implemented on trunks, it would interfere with the normal operation of STP, which depends on these frames for its operation.
8. C. Root Guard prevents the reception of superior BPDUs only, not all BPDUs.
9. B. This feature makes additional checks if BPDUs are not received on a nondesignated port. With Loop Guard enabled, that port moves into the STP loop-inconsistent blocking state, instead of the listening/learning/forwarding state.
10. B. To disable DTP on all ports, use the following commands:
SW71(config)#interface range fa0/1 - 24
SW71(config-if-range)#switchport nonegotiate
11. C. With the Restrict setting, if a violation occurs, the fa5/5 interface will not forward the offending traffic, will not send an SNMP trap or syslog message, and will not increment the violation counter, but will still pass legitimate traffic.
12. A. The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on the access port. By doing so, it prevents the introduction of a rogue switch.
13. A. The port where the legitimate DHCP server resides must be marked as trusted so that DHCP server responses are allowed on that port.
14. A. If you configure a file in flash memory for the DHCP snooping database and the switches reload for some reason, they will retain this database.
15. B. The default state is untrusted.
16. C. While the VLAN number is used in the name of the ACL (StaticIP-VLAN3), that is not what ties it to the VLAN. It is the explicit reference to VLAN 3 at the end of the command that does it.
17. A. Before the other commands become effective, you must enable port security with the switchport port-security command.
18. D. While DAI can prevent ARP attacks, it cannot prevent STP attacks.
19. C. When a violation occurs, the port will be placed in an err-disabled state and will not pass traffic until it is enabled again manually.
20. D. DTP should be disabled on all ports, both trunk and access.
Chapter 7: VLAN Security
1. A. In a double tagging attack, the attacker crafts a packet with two 802.1q tags, with the inner tag set to the VLAN to which he would like to send traffic. This attack takes advantage of the native VLAN. If the attacker's access port is set to the same VLAN as the native VLAN, this attack becomes possible.
2. D. The solution is to set the native VLAN number to one in which none of the access ports resides. This is done only on the trunk ports. To change the native VLAN of the trunk port Gi0/1 to 78, use the following commands:
Switch79(config)#int gi0/1
Switch79(config-if)#switchport trunk native vlan 78
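The two-switch path described in Chapter 5 answer 19 and in answers 1 and 2 above, modelled at the byte level so the native VLAN mitigation can be checked: the first switch sends native-VLAN traffic untagged over the trunk (stripping the outer tag), and the second switch forwards by whatever tag is left. This is an added example, not code from the study guide; the frames and MAC addresses are constructed samples, and the switch behaviour is the simplified one the text describes.

```python
"""Added example (not from the study guide): stacked 802.1Q tag handling on a
trunk, used to verify that moving the native VLAN to an unused number (78)
stops a double-tagged frame from reaching the target VLAN."""
import struct

TPID_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vlans, payload: bytes = b"\x00") -> bytes:
    """Constructed sample frame carrying the given tags, outermost first."""
    frame = dst + src
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame: bytes) -> list:
    """Return the VLAN IDs stacked after the MAC addresses, outermost first."""
    tags, off = [], 12
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return tags


def is_double_tagged(frame: bytes) -> bool:
    """Monitoring check: a frame from an access port should never carry two tags."""
    return len(parse_tags(frame)) > 1


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def trunk_egress(frame: bytes, native_vlan: int) -> bytes:
    """First switch puts the frame on the trunk. Traffic in the native VLAN is
    sent untagged, so an outer tag equal to the native VLAN is removed."""
    tags = parse_tags(frame)
    if tags and tags[0] == native_vlan:
        return strip_outer_tag(frame)
    return frame


def trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """Second switch: a tagged frame goes to its tag's VLAN, untagged to native."""
    tags = parse_tags(frame)
    return tags[0] if tags else native_vlan


def forwarded_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN in which the second switch ends up delivering the frame."""
    return trunk_ingress_vlan(trunk_egress(frame, native_vlan), native_vlan)


if __name__ == "__main__":
    bcast, host = b"\xff" * 6, b"\x00\x00\x5e\x00\x53\x01"
    crafted = build_frame(bcast, host, [1, 20])     # outer = host's VLAN 1, inner = 20
    print("native VLAN 1  ->", forwarded_vlan(crafted, native_vlan=1))   # reaches VLAN 20
    print("native VLAN 78 ->", forwarded_vlan(crafted, native_vlan=78))  # stays in VLAN 1
```

With the native VLAN left at 1 the inner tag is exposed and the frame lands in VLAN 20; with the native VLAN set to 78, as in answer 2, the outer tag survives and the frame stays in the sender's own VLAN.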
3. D. There are many challenges to providing a separate VLAN per customer, but a decrease in security is not one of them.
4. A. Private VLANs provide separation within a VLAN at layer 2, while still leaving all members of the original VLAN (called the primary VLAN) in the same subnet.
5. A. To change the native VLAN of the trunk port Gi0/1 to 78, use the following commands:
Switch79(config)#int gi0/1
Switch79(config-if)#switchport trunk native vlan 78
6. A. Promiscuous ports can communicate with a port of any other type. Typical candidates for this port assignment are those ports leading to the router or firewall that act as the default gateway for the primary VLAN.
7. D. While a good idea to prevent double tagging attacks, setting the native VLAN number to one in which none of the access ports resides is not a step in setting up PVLANs.
8. C. To configure the primary VLAN as 10, specifying it as a primary PVLAN, use the following commands:
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
9. A. Typical candidates for this port assignment are those ports leading to the router or firewall that act as the default gateway for the primary VLAN.
10. C. To associate private VLANs 501, 502, and 503 with a primary VLAN 10, use the following commands:
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan association 501-503
11. A. The command switchport mode private-vlan host makes the port a PVLAN port.
12. B. The command switchport private-vlan host-association 10 202 assigns a port to primary VLAN 10 and PVLAN 202.
13. B. In some cases, you may find there is no reason for any communication between ports connected to the same switch. When that is the case, it may be beneficial to take advantage of another feature called the PVLAN Edge feature. Preventing communications between ports when possible can prevent attacks such as ARP poisoning attacks and can impair the ability of a hacker to move from a compromised host to other hosts.
14. C. The command private-vlan association 501 executed under the VLAN 10 configuration is what ties the PVLAN 501 to the primary VLAN 10.
15. D. Forwarding behavior between a protected port and unprotected ports proceeds as usual.
16. B. When a port has been designated as a PVLAN Edge port, it is called a protected port.
17. A. To specify a port as "protected," use the following commands:
Switch(config)#interface fa0/1
Switch(config-if)#switchport protected
18. D. In a PVLAN proxy attack, an attacker sends a packet (using the promiscuous port) with the source IP and MAC address of the attacker, a destination IP address of the target, and the MAC address of the router. When the router receives the packet, the router rewrites the destination MAC address to that of the target and sends the packet to the target. It is the presence of the MAC address of the router in the packet, rather than that of the target, that causes this to be possible.
19. C. Since the router is being used as the source MAC, the router is considered a "proxy."
20. D. To prevent PVLAN proxy attacks, implement ACLs on the router interface that deny traffic from the local subnet to the local subnet.
Chapter 8: Securing Management Traffic
1. B. In-band connection types include SNMP, virtual terminal (VTY), and HTTPS connections. Out-of-band connections include the console port and the AUX port, both physical connections that do not use the network as the transmission medium.
2. A. To set up the AUX port, you need to know the line number used by the AUX port. This can be determined with the show line command.
3. C. When a loopback address is configured and used as the management IP address, any physical interface on the device can accept the connection attempt if the loopback address is included in dynamic routing advertisements or advertised via a static route. When management access is tied to a physical IP address, the device will be unreachable when that physical interface is down.
4. B. Before setting a password on the VTY lines, you should determine how many of these lines exist on the device (which varies) so that you secure them all. Use this command to learn the number of VTY lines:
R1(config)#line vty ?
  <0-15>
5. B. These locations and their associated data are called OIDs. The OID number describes the path through the tree-like structure where the specific piece of information is located.
6. B. These functions can be configured using three modes, which represent various combinations of these capabilities: noAuthNoPriv, which is no hashing to secure authentication or encryption of data (referenced as noauth in the command); AuthNoPriv, which is hashing to secure authentication but no encryption of data (referenced as auth in the command); and AuthPriv, which is hashing to secure authentication and encryption of data (referenced as priv in the command).
7. D. All management interfaces should be protected by passwords.
8. C. To disable the HTTP server and enable the HTTPS server, execute the following commands:
R81(config)#no ip http server
R81(config)#ip http secure-server
9. D. The command syntax is as follows and is executed at the global configuration prompt:
snmp-server group group-name v3 security-policy access-type view-name access-list-number
10. A. Use of words such as Welcome may be used later as a defense that access was encouraged.
11. D. There are three types of banner messages: message of the day, EXEC, and login.
12. A. MOTD messages appear at connection time and before the login banner (if configured).
13. C. Configuring SNMP requires you to set an engine ID for any device used to manage SNMP. This is an ID number composed of 24 hex characters. When inform messages are sent to stations, it is the engine ID that identifies the station.
14. B. Assigning views is optional. In the absence of this, users will be able to view the entire MIB.
15. C. read-view is the name of the view that is created by the command, not the group name.
16. B. MD5 will be used to compute a hash value of the update sent to the client. The client will perform a hash calculation of the update using the same shared key and will compare the results. A match in results serves as assurance that the update came from the legitimate NTP server.
17. A. To configure NTP authentication, the high-level steps (to be performed on both the server and client) are configuring an NTP authentication key number and MD5 string (shared secret), specifying at least one trusted key number referencing the key number in the first step, and enabling NTP authentication.
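The verification in answers 16 and 17 (server appends an MD5 digest computed with the shared key; client recomputes with the same key, but only for a key number it has marked trusted) as a Python model. This is an added example, not code from the study guide; the key numbers, the shared secret and the 48-byte NTP packet are constructed samples, and the method names only mirror the three configuration steps the answer lists.

```python
"""Added example (not from the study guide): NTP MD5 authentication, modelled
on the three steps of answer 17 for both the server and the client."""
import hashlib
import hmac
import struct

PACKET_LEN = 48  # NTP header without the optional authenticator field


class NtpPeer:
    """Authentication state of one router, whether it acts as server or client."""

    def __init__(self):
        self.keys = {}         # step 1: key number -> MD5 string (shared secret)
        self.trusted = set()   # step 2: key numbers this peer will accept
        self.enabled = False   # step 3: NTP authentication on/off

    def authentication_key(self, number: int, secret: str) -> None:
        self.keys[number] = secret.encode()

    def trusted_key(self, number: int) -> None:
        self.trusted.add(number)

    def authenticate(self) -> None:
        self.enabled = True

    def sign_update(self, key_number: int, packet: bytes) -> bytes:
        """Server side: append the key id and MD5(key || packet), the keyed-digest
        form NTP uses (RFC 5905), to the 48-byte header."""
        digest = hashlib.md5(self.keys[key_number] + packet).digest()
        return packet + struct.pack("!I", key_number) + digest

    def verify_update(self, message: bytes) -> bool:
        """Client side: recompute the digest with the same shared key and compare."""
        if not self.enabled:
            return True          # authentication not enabled: any update accepted
        if len(message) != PACKET_LEN + 4 + 16:
            return False         # no authenticator present, or malformed
        packet = message[:PACKET_LEN]
        key_number = struct.unpack("!I", message[PACKET_LEN:PACKET_LEN + 4])[0]
        digest = message[PACKET_LEN + 4:]
        if key_number not in self.trusted or key_number not in self.keys:
            return False         # configured-but-untrusted or unknown key number
        expected = hashlib.md5(self.keys[key_number] + packet).digest()
        return hmac.compare_digest(expected, digest)


def run_scenario() -> dict:
    """Legitimate server, a rogue server guessing the key, a tampered update,
    an update signed with an untrusted key, and an unsigned update."""
    packet = bytes([0x24]) + bytes(PACKET_LEN - 1)  # LI=0, VN=4, mode=4 (server)

    server = NtpPeer()
    server.authentication_key(1, "NtPsEcReT")
    server.authentication_key(2, "NtPsEcReT")
    server.trusted_key(1)
    server.authenticate()

    client = NtpPeer()
    client.authentication_key(1, "NtPsEcReT")
    client.authentication_key(2, "NtPsEcReT")   # configured, but never trusted
    client.trusted_key(1)
    client.authenticate()

    rogue = NtpPeer()
    rogue.authentication_key(1, "guess")        # wrong shared secret

    good = server.sign_update(1, packet)
    tampered = bytearray(good)
    tampered[40] ^= 0x01                        # flip a bit in the transmit timestamp
    return {
        "legitimate": client.verify_update(good),
        "tampered": client.verify_update(bytes(tampered)),
        "rogue_server": client.verify_update(rogue.sign_update(1, packet)),
        "untrusted_key": client.verify_update(server.sign_update(2, packet)),
        "unauthenticated": client.verify_update(packet),
    }


if __name__ == "__main__":
    for case, accepted in run_scenario().items():
        print(f"{case:16s} accepted={accepted}")
```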
18. A. While FTP and TFTP can be used to transfer configurations and IOS images across the network, these protocols lack the ability to encrypt the transmission. A better alternative is the Secure Copy Protocol (SCP). This is an implementation of the Remote Copy Protocol (RCP) that operates over an SSH connection.
19. C. With the server setup in place, you simply reference the SCP server by putting the URL in the copy command. For example, if the server were named scp-srv and you wanted to copy the running configuration to it under the security context of an account named Admin with a password of mypass, while naming the file R88-config.txt, you would use the following command:
R88#copy run scp://admin:mypass@scp-srv/r88-config.txt
20. B. SMTP stores the settings in a MIB. This is a repository with a hierarchical structure, with standardized locations for each piece of configuration or status information.
Chapter 9: Understanding 802.1x and AAA
1. A. The 802.1x standard defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses these three components:
Supplicant: The user or device requesting access to the network
Authenticator: The device through which the supplicant is attempting to access the network
Authentication server: The centralized device that performs authentication
2. B. While TACACS+ does separate the three AAA processes, it uses TCP rather than UDP; it creates more traffic than RADIUS and encrypts the entire body except the TACACS+ header.
3. B. The command aaa new-model enables AAA services.
4. C. To configure an authentication method that specifies local authentication on all lines (by adding the default keyword), use this command:
aaa authentication login default local
5. B. The configuration will apply to all lines except for the Con 0. This gives you a fallback method to access the CLI if a misconfiguration of authorization locks you out.
6. B. The Cisco Secure Access Control Server (ACS) can operate either as a RADIUS server or as a TACACS+ server.
7. D. While some Cisco devices, such as the Cisco Adaptive Security Appliance (ASA), can communicate directly with LDAP repositories or Active Directory for authentication purposes, most do not.
8. C. Specify a name for the TACACS+ server. This name does not need to match the actual name of the server and is only locally significant. When you execute this command, the prompt will change, and at the ensuing prompt you will enter the IP address and type and the shared secret.
9. A. This can be done by using the test command to test an authentication using the TACACS+ server. For example, to test the username mytest with a password of mypass, use the following command:
R99#test aaa group tacacs mytest mypass new-code
Sending password
User successfully authenticated
USER ATTRIBUTES
Username 0 "mytest"
Reply-message 0 "Password:"
10. B. To specify the use of TACACS+ in the method list for authorization while also specifying a backup method, use the following command:
aaa authorization exec default group tacacs+ local
In this case, the backup is local authentication.
11. C. Enabling per-command authorization is optional to the process.
12. B. The TACACS+ server consults the LDAP server, the LDAP server performs authentication, and the AAA server passes the result to the supplicant.
13. B. Posture assessment is the ability to verify the minimum security requirements of a device before allowing access. If issues arise such as missing OS or security updates, the device may be either remediated or denied entry.
14. B. This command provides access to the CLI (by including the exec keyword) on all lines (by adding the default keyword).
15. A. This command creates a user account named adminsr that has a privilege level of 7 with an encrypted (secret) password of srpass.
16. B. Controlling the activities of those with administrative access by using user accounts rather than privilege levels provides more accountability.
17. C. While TACACS+ supports Cisco commands, RADIUS does not.
18. C. 802.1x is a standard that defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses three components.
Supplicant: The user or device requesting access to the network
Authenticator: The device through which the supplicant is attempting to access the network
Authentication server: The centralized device that performs authentication
19. A. The role of the authentication server can be performed by a Remote Authentication Dial-in User Service (RADIUS) or Terminal Access Controller Access Control System+ (TACACS+) server.
20. B. Profiling is the ability to determine the type of device from which a network access request is originating and to apply a set of access policies specific to the profile attached to that device. This means a user might have multiple profiles, each attached to the various devices they use.
Chapter 10: Securing a BYOD Initiative
1. C. The Cisco Integrated Services Engine (ISE) is a centralized identity-based policy platform that provides context-based access control for wired, wireless, and VPN connections. It combines AAA, posture assessment and profiling, and guest access management.
2. A. The following can be considered during both the access request and the following authorization request:
Who is the individual?
What device are they using?
Where are they connecting from?
When are they connecting?
How are they connecting?
3. A. The ISE can make use of several advanced features to provide granular and dynamic access control policies. Among these are downloadable ACLs (dACLs), which are IP-based ACLs that are implemented on devices when the policy calls for it.
4. B. Security group access (SGAs) applies a security group tag (SGT) that uniformly enforces the security group policy regardless of topology.
5. C. Change of authorization (COA) updates provide the ability of ISE to change the authorization policy in real time after the administrator makes a change without requiring a log-off for the change to take effect.
6. D. Posture assessment can check the health of a device before allowing access and, if the check fails, can remediate the device.
7. A. Web authentication (WebAuth) enables network access for end hosts that do not support IEEE 802.1x authentication.
8. C. The three main functions of TrustSec are to classify each device by assigning a security group tag (SGT) to its IP address, to transport or communicate this classification information throughout the network using a process called inline tagging (for those networking devices that support inline tagging) or using the SGT eXchange Protocol (SXP) for those networking devices that do not, and to enforce access rules through the examination of the SGTs.
9. B. Classification of a device is done through the application of an SGT. These tags, 16 bits in length, can be applied dynamically or statically.
10. A. Transportation or communication of this classification information throughout the network uses a process called inline tagging (for networking devices that support inline tagging) or using the SGT eXchange Protocol (SXP) for those networking devices that do not.
11. A. Dynamic tagging is possible when the authentication method is 802.1x, MAC bypass, or through web authentication. In dynamic tagging, the ISE pushes the SGT to the network access device (NAD).
12. A. The SGT will be in a new section of the Ethernet header called the Cisco Metadata (CMD) header.
13. C. The CMD holds other information besides the SGT. Overall, this adds 20 bytes to the size of the header.
14. D. One thing to note is that in cases where two networking devices are also using 802.1ae security (MACSec), the addition of the 802.1ae header and ICV field will result in a total addition to the Ethernet header of 40 bytes.
15. A. SXP connections are point-to-point TCP-based connections created between two endpoints; one must be designated as the speaker and the other as the listener (any other combination of the two roles will fail).
16. C. Version 1 only supports IPv4 binding propagation. Version 2 supports both IPv4 and IPv6 binding propagation. Version 3 added support for subnet to SGT mappings. If speaking to a lower-version listener, the speaker will expand the subnet. Version 4 added loop detection and prevention, capability exchange, and a built-in keep-alive mechanism.
17. A. The Cisco Adaptive Security Appliance and several other routing platforms use a different method to enforce TrustSec. While ISE manages SGACLs centrally, these devices are configured individually with ACLs that reference the SGT numbers or security group names. This is called Security Group Firewall (SGFW).
18. A. Mobile device management software is designed to make it possible to exert control over personal mobile devices that users want to use on the enterprise network. When used in conjunction with ISE, the combination can be a powerful and secure identity and authentication solution for both company-owned and non-company-owned devices.
19. A. In the context of a BYOD architecture, the ISE when working in combination with mobile management ties together the provisioning of mobile devices along with a health check of the device at each connection request.
20. B. One of the three main functions of TrustSec is the enforcement of access rules through the examination of the SGTs.
Chapter 11: Understanding VPNs
1. C. When the choice is made to use ESP, one of the protocols in the suite, at the least the data payload will be encrypted, and depending on the delivery mode, the entire packet including the header may be encrypted.
2. A. It does this by using the hashing algorithm you select during implementation. This is hash-based message authentication (HMAC).
3. B. When confidentiality of an IPsec connection is not required, the Authentication Headers (AH) protocol can be used. While it does provide data integrity and origin authentication and anti-replay protection, the data is sent in clear text.
4. C. The key management process in IPsec provides for the dynamic generation of keys to be used for encryption and for their secure exchange over an untrusted network, such as the Internet. The Diffie-Hellman key exchange algorithm is used, and an asymmetric algorithm is used to create and exchange symmetric keys for this process.
5. C. In 2005, the NSA identified a set of cryptographic algorithms that are the preferred method for securing information. It called these algorithms Suite B. These algorithms use a minimum key length of at least 128 bits.
6. C. Suite B cryptography uses the following algorithms:
AES encryption with either 128- or 256-bit keys
SHA-2 hashing
Elliptical Curve digital signature algorithm (ECDSA) for digital signatures using 256-bit and 384-bit prime moduli
Key exchange using Elliptic Curve Diffie-Hellman Exchange (ECDHE)
7. C. The key exchange is performed by the Diffie-Hellman algorithm.
8. D. The IPsec transform set is negotiated in phase 2 of IKE.
9. B. Main mode consists of three exchanges.
Peers negotiate the encryption and hashing algorithms to be used.
The Diffie-Hellman protocol is used to generate a shared symmetric key.
The SA is built, and then the peers authenticate one another within the SA.
10. D. The Diffie-Hellman protocol is used to generate a shared symmetric key in the Main mode of phase 1.
11. A. IKEv2 has fewer transactions; this results in increased speed.
12. B. When AH is used in transport mode, only the payload is authenticated.
13. C. When ESP is used in tunnel mode, the entire packet is encrypted, and a new IP header is added.
14. A. While the use of IPsec is not required when using IPv6, the IPv6 packet structure was redesigned to accommodate its use.
15. A. When using a remote access VPN, there are two default behaviors that can cause issues. The two behaviors are as follows:
Once a tunnel is operational, all traffic leaving the VPN client must pass through the tunnel.
By default, an ASA will not forward packets back out the same interface on which they were received.
16. B. To solve this issue, you must enable an option called Enable Traffic Between Two Or More Hosts Connected To The Same Interface. This is commonly referred to as hairpinning. This option is found by navigating in the ASDM to Configuration > Device Setup > Interfaces.
17. C. Another advanced option you can enable is called split tunneling, and when enabled, it allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel. When this is done, an ACL is used to determine the traffic that goes through the tunnel (all traffic except for Internet) and the traffic that does not go through the tunnel (Internet).
18. B. To enable Always-On, you must first enable Trusted Network Detection in a profile that applies to the user. This feature enables the device to know when it is connected to the corporate LAN and when it is not.
19. A. As ESP does not utilize the concept of source and destination ports, NAT has difficulty operating when IPsec traffic arrives at the NAT device. NAT traversal encapsulates IPsec within UDP, providing the requisite ports for NAT.
20. C. In IPv6, extension headers are used. These headers, when used, come after the original IPv6 header. The next header field in the original IPv6 header is used to indicate whether the extension header is AH or ESP. It uses the protocol value of 50 for ESP and 51 for AH.
Chapter 12: Configuring VPNs
1. A. The supported algorithms are 3DES, IDEA, RC4, and AES.
2. A. An SSL/TLS VPN can use RSA, DSA, and ECC for authentication.
3. A. The steps are as follows:
   1. The client initiates the process by starting the exchange of hello packets between the client and the VPN gateway (the ASA).
   2. The server transmits its certificate to the client (which will include its public key).
   3. If mutual authentication is required, the client sends its certificate to the server.
   4. Session keys are exchanged, and the data transfer begins.
4. D. Configuring user authentication comprises three subtasks: creating accounts for the VPN users, configuring a group policy for the VPN users specifying in the policy clientless SSL VPN as the tunneling protocol, and creating a connection profile for the VPN users and connecting the policy to the profile.
5. A. The ISE module performs a client-side assessment.
6. C. Defining the IPsec transform set includes specifying the encryption and integrity algorithms.
7. C. The group 5 command specifies 1024-bit Diffie-Hellman for key exchange.
8. A. The number 10 refers to the sequence number of the line in the crypto map. The name of the map is mymap.
9. B. While certificates can be deployed on both the client and the server to enable mutual authentication, in most cases a certificate is deployed only on the server because that can secure the connection as well as when certificates are deployed on both ends.
10. B. The possible authentication mechanisms available are DSA, ECC, and RSA.
11. D. In the second step, the server transmits its certificate to the client (which will include its public key).
12. B. Once the session keys are exchanged, the data transfer begins. When the traffic gets beyond the ASA, the information will be in clear text but will be encrypted between the client and the ASA.
13. B. When using the Cisco clientless SSL VPN, the remote device uses the browser to connect to an SSL-enabled website on the ASA or on a Cisco router.
14. B. MD5 is one of three integrity algorithms that can be used, including SHA1 and SHA2.
15. B. A crypto ACL defines the traffic types to be sent and protected through the tunnel.
16. B. It defines a security association lifetime of 1 day (86400 seconds).
17. A. AES_SHA is the name of the transform set. The mechanism for payload authentication is ESP HMAC. The mechanism for payload encryption is ESP, and the IPsec mode is tunnel (defaults to tunnel).
18. B. The key exchange management algorithms available in an SSL VPN are DH, DSS, and RSA.
19. B. To utilize a Cisco AnyConnect SSL VPN, a VPN client called the AnyConnect client must be installed on the user device.
20. B. Remediation with the ASA module, not the ISE module, is limited to working with the software present on the endpoint, meaning it can enable, disable, or update that software.
Chapter 13: Understanding Firewalls
1. C. Packet filtering firewalls are the least detrimental to throughput because they only inspect the header of the packet for allowed IP addresses or port numbers.
2. A. Circuit-level proxies operate at the Session layer (layer 5) of the OSI model. They make decisions based on the protocol header and Session layer information.
3. B. A kernel proxy firewall is an example of a fifth-generation firewall. It inspects the packet at every layer of the OSI model but does not introduce the performance hit that an Application layer firewall will because it does this at the kernel layer.
4. D. Application firewalls operate at the application layer and are not considered proxy firewalls.
5. A. Personal firewalls either may be those that come with an operating system like the Windows Firewall or may be third-party host firewalls such as Kaspersky Internet Security or ZoneAlarm Pro Firewall. These firewalls are called either host or personal firewalls and protect only the device on which the software is installed.
6. A. The contents of the state table include the following for each connection: source IP address, source port number, destination IP address, destination port number, IP protocol, flags, and timeout.
7. B. Application-level proxies perform deep packet inspection. Operating at this layer requires each packet to be completely opened and closed, making this firewall the most impactful on performance.
8. C. Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.
9. D. Circuit-level proxies operate at the Session layer (layer 5) of the OSI model. They make decisions based on the protocol header and Session layer information.
10. A. Although packet filtering firewalls serve an important function, they cannot prevent many attack types. They cannot prevent IP spoofing, attacks that are specific to an application, attacks that depend on packet fragmentation, or attacks that take advantage of the TCP handshake.
11. B. An application-level firewall maintains a different proxy function for each protocol. For example, for HTTP the proxy will be able to read and filter traffic based on specific HTTP commands.
12. C. A packet should never arrive at a firewall for delivery that has both the SYN flag and the ACK flag set unless it is part of an existing handshake process, and it should be in response to a packet sent from inside the network with the SYN flag set.
13. D. The firewall records all operations in its state table and will monitor that table whenever a packet arrives at the firewall to ensure that any packets permitted either are connection requests from the inside (SYN packets only) or are part of an existing connection and that all rules of the handshake are enforced.
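The handshake rules of answers 12 and 13 (and answer 16 below) as a minimal stateful inspection table: new connections are accepted only as SYNs from the inside, a SYN/ACK is accepted only as the reply to a recorded inside SYN, and everything else must match an existing entry. This is an added example, not code from the study guide; the inside network 10.0.0.0/8 and the addresses and ports are constructed samples, and the table tracks only the state fields answer 6 lists.

```python
"""Added example (not from the study guide): a stateful firewall enforcing the
TCP handshake rules from answers 12, 13 and 16."""
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # assumed protected network


class StatefulFirewall:
    def __init__(self):
        # (src_ip, src_port, dst_ip, dst_port) -> handshake state
        self.table = {}

    def packet(self, src_ip, src_port, dst_ip, dst_port, flags) -> bool:
        """Return True if the packet is permitted, False if dropped."""
        flags = frozenset(flags)
        fwd = (src_ip, src_port, dst_ip, dst_port)
        rev = (dst_ip, dst_port, src_ip, src_port)

        if flags == {"SYN"}:
            # Connection requests are accepted from the inside only.
            if ip_address(src_ip) in INSIDE and fwd not in self.table:
                self.table[fwd] = "SYN_SENT"
                return True
            return False

        if flags == {"SYN", "ACK"}:
            # Valid only as the reply to a SYN the table already holds.
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECEIVED"
                return True
            return False          # unsolicited SYN/ACK: dropped

        if "ACK" in flags:
            if fwd in self.table:
                key, state = fwd, self.table[fwd]
            elif rev in self.table:
                key, state = rev, self.table[rev]
            else:
                return False      # ACK for a connection never set up from inside
            if state == "SYN_RECEIVED" and key == fwd:
                self.table[key] = "ESTABLISHED"   # third packet, from the initiator
                return True
            if state == "ESTABLISHED":
                if flags & {"FIN", "RST"}:
                    del self.table[key]           # teardown removes the entry
                return True
            return False
        return False


def run_scenario():
    """One legitimate connection, then three packets that violate the rules."""
    fw = StatefulFirewall()
    client, server, outsider = "10.1.1.15", "203.0.113.10", "198.51.100.7"
    results = [
        fw.packet(client, 40000, server, 443, {"SYN"}),            # inside opens
        fw.packet(server, 443, client, 40000, {"SYN", "ACK"}),     # expected reply
        fw.packet(client, 40000, server, 443, {"ACK"}),            # handshake done
        fw.packet(server, 443, client, 40000, {"ACK", "PSH"}),     # data on session
        fw.packet(outsider, 443, client, 40001, {"SYN", "ACK"}),   # no inside SYN
        fw.packet(outsider, 5555, client, 22, {"SYN"}),            # inbound request
        fw.packet(outsider, 80, client, 40002, {"ACK"}),           # unknown session
    ]
    return fw, results


if __name__ == "__main__":
    firewall, verdicts = run_scenario()
    print(verdicts)
    print(firewall.table)
```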
14. A. While never a replacement for properly positioned network firewalls, personal firewalls are an excellent complement to the protection provided by the network firewalls, and installing both types of firewalls is an example of exercising the concept of defense in depth. This concept prescribes that you always deploy multiple barriers to unauthorized access.
15. B. A SOCKS firewall is an example of a circuit-level firewall. This requires a SOCKS client on the computers. Many vendors have integrated their software with SOCKS to make using this type of firewall easier.
16. B. A SYN/ACK packet in response to a SYN packet in a current connection setup is normal and would be allowed.
17. C. Proxy firewalls include SOCKS firewalls, circuit-level firewalls, and kernel-level firewalls.
18. D. While never a replacement for properly positioned network firewalls, they are an excellent complement to the protection provided by the network firewalls, and installing both types of firewalls is an example of exercising the concept of defense in depth.
19. A. Operating at the Application layer requires each packet to be completely opened and closed, making this firewall the most impactful on performance.
20. B. Packet filtering firewalls inspect the header of the packet for allowed IP addresses or port numbers. Since these values reside at the Network and Transport layers, respectively, these firewalls operate at those layers.
Chapter 14: Configuring NAT and Zone-Based Firewalls
1. B. In static NAT, each private IP address is mapped to a public IP address. While this does not save any of the public IPv4 address space, it does have the benefit of hiding your internal network address scheme from the outside world.
2. D. The Manual NAT After Auto NAT section is read last and contains more general translations not handled by the first two sections. These are used only when no translation matches in the first two sections.
3. D. In some scenarios, you may need more options than are available with Auto NAT, or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you.
4. C. The show xlate command on an ASA shows the translations that have occurred.
5. C. The r flag indicates that the translation is a PAT. The i flag indicates that the translation applies to the inside address port.
6. B. Zones are collections of networks reachable over a router interface.
7. D. A match statement is used to specify the traffic and can match traffic based on an ACL, protocol, or another class map.
8. C. The actions can be defined using action statements. The actions can be inspect (triggers stateful packet inspection), drop (denies traffic), or pass (permits traffic).
9. B. The self-zone is a special zone that has no interface members. It applies to any traffic destined for the router rather than traffic that the router is routing.
10. C. In PAT, each private IP address is mapped to a public IP address. While this does not save any of the public IPv4 address space, it does have the benefit of hiding your internal network address scheme from the outside world.
11. C. The value 21505 is the source port number selected by the device at 10.1.1.15 for the ICMP session.
12. D. When using the Cisco Common Classification Policy Language, class maps are used to define traffic classes.
13. B. Use the following command to create the zone called inside:
RTR64(config)#zone security inside
14. C. The self-zone is a special zone that has no interface members. It applies to any traffic destined for the router rather than traffic that the router is routing. An example of this type of traffic would be traffic to manage the device using SSH. It also applies to traffic generated by the router. The traffic going from the router back to the device making the SSH connection to manage the device would be an example of such router-generated traffic.
15. A. Applied at the interface configuration prompt, the command to assign an interface to the outside zone is as follows:
RTR64(config-if)#zone-member inside
16. C. When using the Cisco Common Classification Policy Language, class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes.
17. A. Zone pairs are used to define a unidirectional firewall policy. The direction is indicated by specifying the source and destination zone.
18. A. The r flag indicates that the translation is a PAT. The i flag indicates that the translation applies to the inside address port.
19. A. In this section, also called object NAT, translations that are defined on the object itself are contained. These translations, one for each object, are typically either static translations for servers that must be reached from the outside world (and require the same public IP address always) or dynamic translations for clients trying to reach the Internet.
20. A. In dynamic NAT, a pool of public IP addresses is obtained that is at least equal to the number of private IP addresses that require translation. However, rather than mapping the private IP addresses to the public IP addresses, the NAT device maps the public IP addresses from the pool on a dynamic basis, much like a DHCP server does when assigning IP addresses.
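The zone-based firewall building blocks that answers 6 through 17 describe (zones, a class map with match statements, a policy map with inspect/drop actions, a unidirectional zone pair, and interface zone membership) assembled into one complete IOS configuration. This is an added example, not a configuration from the book; the zone names inside and outside, the names INSIDE-TO-OUTSIDE-CLASS, INSIDE-TO-OUTSIDE-POLICY and IN-OUT, and the interface numbers are assumptions chosen for illustration.

```cisco
! Two security zones; interfaces are added to them further down.
zone security inside
zone security outside
!
! Class map: which traffic the policy applies to. match-any means a packet
! matches if it matches ANY of the listed protocols.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
!
! Policy map: the action for each class. "inspect" enables stateful
! inspection so return traffic is allowed back; the default class drops
! (and logs) everything not explicitly classified.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Zone pair: unidirectional, inside -> outside. No zone pair exists for
! outside -> inside, so unsolicited traffic from outside is dropped.
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Interface zone membership (assumed interface numbers). Traffic between
! an interface in a zone and one in no zone is dropped; traffic within
! the same zone is permitted by default.
interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security inside
!
interface GigabitEthernet0/1
 description WAN (assumed)
 zone-member security outside
```

Two points worth checking after applying a policy like this: the self zone (answer 14) is not covered by the IN-OUT pair, so management traffic to and from the router itself (SSH, routing protocols) is still allowed by default until a zone pair involving self is created; and because only an inside-to-outside pair exists, no rule is needed to block inbound connections. Use show zone-pair security and show policy-map type inspect zone-pair sessions to confirm the pair and watch the stateful sessions it creates.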
Chapter 15: Configuring the Firewall on an ASA
1. A. Application Inspection Control (AIC), or application protocol control as it is also called, verifies the conformance of major application-layer protocol operations to RFC standards.
2. B. In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity, much as a switch does. This makes the ASA transparent to devices on either side (from a layer 3 perspective); thus the name transparent mode.
3. C. In clustering, three or more security appliances are deployed as a single logical device. This allows for the management of the multiple ASAs as a unit. It provides increased throughput and redundancy.
4. A. The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators.
5. B. The nameif command is used at the interface configuration prompt.
6. C. The http server enable command is required to start the HTTP service on the ASA.
7. D. The command http ip address mask interface is used to define an IP address on the specified network that will be allowed to connect to the ASA using HTTP to manage the ASA.
8. A. Security levels define the trustworthiness of the interface. The higher the level, the more trusted the interface.
9. B. There is an implicit permit for traffic flowing from a high-security interface to a low-security interface. High and low are defined by the security value assigned.
10. C. The command security-level value is used at the interface configuration prompt.
11. A. You will need to create an access rule to allow traffic in each of the following scenarios: between interfaces of the same security level, and traffic from a lower-security interface to a higher-security interface.
12. B. In many cases we need to allow only a select group of devices rather than all devices, or we need only allow devices on a specific network to send traffic on an interface when there are multiple networks that might be traversing that interface. To make the creation and application of rules easier, the ASA can also use an object-based model for certain rules.
13. D. In the Cisco Modular Policy Framework, class-maps are used to categorize traffic types into classes.
14. A. On the Service Policy rule page, the Global radio button applies the policy to all interfaces.
15. B. You will need to create a network object to represent the 192.168.5.0/24 network, create a service object to represent HTTP, and create a host object to represent the server at 201.3.3.3.
16. C. In the Cisco Modular Policy Framework, service policies are used to specify where the policy map should be implemented.
17. B. Since outside has a security level of 0 and the dmz has a level of 50, traffic from the lower level (0) to the higher level (50) will be disallowed.
18. C. The command defines an IP address on the inside network (defined by the interface name) that will be allowed to connect to the ASA using either SSH or HTTP to manage the ASA.
19. C. In the Cisco Modular Policy Framework, policy maps are used to define the action to be taken for a class. Actions that can be specified are allow, block, and rate-limit.
20. D. There is an implicit deny for traffic flowing from a low-security interface to a high-security interface. High and low are defined by the security value assigned.
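An ASA configuration that ties together the commands and rules these Chapter 15 answers describe (nameif, security-level, http server enable, the http address mask interface form, and the access rule that answers 11, 17 and 20 say is required for lower-to-higher traffic), together with the object NAT form from Chapter 14 answer 19. This is an added example rather than configuration from the book; the interface numbers, the object name DMZ-WEB, the access-list name OUTSIDE-IN, and all addresses (203.0.113.0/24 is a documentation range used here as a stand-in for public space) are assumptions.

```cisco
! Interface naming and trust levels (answers 5, 8, 10). Outside is least
! trusted (0), inside most trusted (100), the dmz sits in between (50).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.5.1 255.255.255.0
!
! HTTPS/ASDM management (answers 6 and 7): start the service, then restrict
! which network, on which interface, may reach it. Only the inside LAN here.
http server enable
http 10.1.1.0 255.255.255.0 inside
!
! Object NAT (Chapter 14, answer 19): the static translation is defined on
! the network object itself, so the DMZ server always has the same public IP.
object network DMZ-WEB
 host 192.168.5.10
 nat (dmz,outside) static 203.0.113.10
!
! inside (100) -> dmz (50) and inside -> outside (0) are implicitly permitted
! (answer 9). outside (0) -> dmz (50) is implicitly denied (answers 17, 20),
! so an explicit access rule is required to let web clients reach the server.
! Only TCP/80 is permitted; everything else from outside still hits the deny.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 80
access-group OUTSIDE-IN in interface outside
```

Note that the access list references the server's real address (through the object) rather than its translated 203.0.113.10 address, which is how ASA 8.3 and later evaluate rules; verify the translation and rule with show xlate (Chapter 14, answer 4) and show access-list OUTSIDE-IN, whose hit counts confirm that only the intended flow is matching the permit entry.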
Chapter 16: Intrusion Prevention
1. A. A threat is an identified security weakness to which any specific environment may or may not be vulnerable. For example, a threat might exist in the form of a new attack on Oracle database servers, but if you use Microsoft SQL Server, it is a threat to which you are not vulnerable.
2. A. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized to block the traffic. Drop means the IPS quietly drops the packets involved.
3. C. The ability to monitor any internal activity that occurs within a system, such as an attack against a system that is carried out by logging on to the system's local terminal, is a strength of host-based IPS and a weakness of network-based IPS.
4. A. The attack fragments the packet containing the malicious code so that it becomes difficult for the IPS to recognize the code in such a fragmented fashion.
5. D. There are four categories of functions of which FireSIGHT is capable. They include detection, learning, adapting, and acting. Blocking is a form of acting.
6. A. A zero-day threat is any threat not yet remediated by malware vendors or software vendors. This type of threat cannot be detected through attack signature-based methods and is usually only discovered by malware or IPS/IDS software that uses heuristics.
7. B. Cisco AMP for Endpoints is composed of connectors installed on endpoints. It uses a cloud-based detection process that offloads the detection burden to the cloud. Cisco AMP for Networks uses FirePOWER appliances to detect malware in transit.
8. A. The sensor is connected to a port on the switch to which all traffic has been mirrored by making the port a SPAN port.
9. C. Many protocols' information can be communicated or expressed in multiple ways. For example, HTTP can accept strings expressed in hexadecimal, Unicode, or standard text expressions. Attackers can use this to evade an IPS sensor. If the IPS cannot perform protocol normalization (decoding the payload to discover its significance), this attack may succeed.
10. C. A vulnerability is any susceptibility to an external threat that a device or system may possess. A threat only becomes a vulnerability when the threat target is present in your environment and is in the state required to take advantage of the vulnerability.
11. C. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized. Shun sends a packet with the RST flag when a non-TCP connection is encountered.
12. C. In this mode, the sensing device is placed in the line of traffic and analyzes the original traffic, not a copy, in real time. Therefore, it can take actions on the traffic, allowing it to operate as a true IPS.
13. A. One of the options is to place the sensor outside the perimeter firewall (ASA). When placed here, the sensor will generate a very high number of alarms because this is an exposure to the most untrusted network, the Internet.
14. D. An exploit occurs when a threat and vulnerability both exist and a threat actor takes advantage of the situation. The term exploit also refers to the specific tool or attack methodology used.
15. D. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized. When blocking, the IPS directs another device (a router or firewall) to block the traffic.
16. B. The tap is placed between the router and the layer 3 switch. It provides full-duplex connectivity between the devices and splits off two simplex mirrors of the full-duplex traffic. All traffic between the two devices must traverse the sensor.
17. A. The attacker injects a bogus string into the attack code and breaks the attack into fragments. Then he manipulates the TTL value of the fragment containing the bogus string in such a way that the fragment dies (and never gets delivered) before it reaches the destination. If the IPS does not consider the fragment offset values or TTL values, it will detect the bogus string rather than the actual payload. The result is that after inspection by the IPS, the bogus string does not get delivered; the attack payload does.
18. C. The inability to monitor any internal activity that occurs within a system, such as an attack against a system that is carried out by logging on to the system's local terminal, is a strength of host-based IPS and a weakness of network-based IPS.
19. B. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized. Reset sends a packet with the RST flag that ends any TCP connection.
20. B. A risk is created when a threat exists to which a system is vulnerable.
Chapter 17: Content and Endpoint Security
1. B. Reputation-based filtering relies on the identification of email servers that have become known for sending spam. When a system can do this, it must rely on some service for developing these "reputations."
2. A. Data leakage occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently. Data loss prevention (DLP) software attempts to prevent data leakage.
3. B. Network DLP is installed at network egress points near the perimeter, where it analyzes network traffic.
4. A. Precise methods involve content registration and trigger almost zero false-positive incidents.
5. A. If the sender score is between −1 and +10, the email is accepted. If it is between −1 and −3, the email is accepted, but additional emails are throttled. If it is between −10 and −3, it is blocked.
6. A. Advanced Malware Protection (AMP) is the malware component in ESA that uses a combination of several technologies to protect you from email-based malware.
7. A. File reputation sends a fingerprint of every file that traverses the Cisco email security gateway to AMP's cloud-based intelligence network for a reputation verdict. Based on these results, you can block malicious files identified as having a bad reputation.
8. B. The Cisco Web Reputation System (WBRS) uses real-time analysis on a vast, diverse, and global data set to detect URLs that contain some form of malware. WBRS is a critical part of the Cisco security database, which protects customers from blended threats from email or web traffic.
9. C. The Cisco Web Security Appliance (WSA) is a web proxy that integrates with other network components to monitor and control outbound requests for web content. Traffic can be directed to the WSA explicitly on the end host or by using the Web Cache Control Protocol on an inline device like the perimeter router.
10. A. By leveraging Cisco Security Intelligence Operations (SIO), Cisco IronPort reputation filters analyze more than 50 web and network parameters to evaluate a website's trustworthiness.
11. C. If the sender score is between −1 and +10, the email is accepted. If it is between −1 and −3, the email is accepted, but additional emails are throttled. If it is between −10 and −3, it is blocked.
12. C. In the safe sandboxed environment, AMP can obtain details about the threat level of the malware and communicate that information to the Cisco Talos intelligence network to update the AMP cloud data for all.
13. C. The WSA anti-malware system uses multiple scanning engines in a single appliance.
It uses the Dynamic Vectoring and Streaming Engine and verdict engines from both Webroot and McAfee.
14. D. WSA uses Application Visibility and Control (AVC) to allow for the control of the use of web applications. Granular policy control allows administrators to permit the use of applications such as Dropbox or Facebook while blocking users from activities such as uploading documents or clicking the Like button.
15. B. The main task of Cisco ISE is to manage access to the network, but its abilities go beyond that. It can provide AAA services so that you can deploy 802.1x security. Using Cisco TrustSec technology, it also can enforce endpoint security policies that ensure that many of the security measures in this section are compliant with the policy.
16. B. File retrospection allows for the identification and removal of these files later. If malicious behavior is spotted later, AMP sends a retrospective alert so that you can contain and remediate the malware.
17. B. If the sender score is between −1 and +10, the email is accepted. If it is between −1 and −3, the email is accepted, but additional emails are throttled. If it is between −10 and −3, it is blocked.
18. C. Imprecise methods can include keywords, lexicons, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, and statistical analysis.
19. C. Endpoint DLP runs on end-user workstations or servers in the organization.
20. A. Context-based filtering filters the message and attachments for sender identities, message content, embedded URLs, and email formatting. These systems use algorithms to examine these items to identify spam.
Comprehensive Online Learning Environment
Register to gain one year of FREE access to the online interactive learning environment and test bank to help you study for your CCNA Security certification exam, included with your purchase of this book!
The online test bank includes the following:
Assessment Test to help you focus your study to specific objectives
Chapter Tests to reinforce what you've learned
Practice Exams to test your knowledge of the material
Digital Flashcards to reinforce your learning and provide last-minute test prep before the exam
Searchable Glossary to define the key terms you'll need to know for the exam
Register and Access the Online Test Bank
To register your book and get access to the online test bank, follow these steps:
1. Go to bit.ly/SybexTest.
2. Select your book from the list.
3. Complete the required registration information, including answering the security verification proving book ownership. You will be emailed a PIN code.
4. Go to http://www.wiley.com/go/sybextestprep, find your book on that page, and click the "Register or Login" link under your book.
5. If you already have an account at testbanks.wiley.com, log in and then click the "Redeem Access Code" button to add your new book with the PIN code you received. If you don't have an account already, create a new account and use the PIN code you received.
WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley's ebook EULA.