Chap 26 - Network Device Access Control and Infrastructure Security

Question 1

What are 5 types of ACLs?

Answer 1

• Numbered Standard
• Numbered Extended
• Named ACLs
• Port ACLs (PACLs)
• VLAN ACLs (VACLs)

Question 2

What is the range for Standard Numbered ACLs?

Answer 2

• 1 - 99
• 1300 - 1999

Question 3

What is the range for Numbered Extended ACLs?

Answer 3

• 100 - 199
• 2000 - 2699

Question 4

What is the only thing a Numbered Standard ACL can filter on?

Answer 4

Source IP address

Question 5

What is the command to enter ACL command mode?

Answer 5

ip access-list extended NAME_OF_ACL

Question 6

What are the 4 restrictions for PACLs?

Answer 6

• They only filter inbound traffic
• They cannot filter L2 control packets (CDP, VTP, DTP, PAgP, UDLD, STP)
• They are only supported in hardware
• They do not support filtering IPv6, ARP, and MPLS

Question 7

What does the Port ACL feature provide?

Answer 7

It provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs are applied only on the ingress traffic. The port ACL feature is supported only in hardware (port ACLs are not applied to any packets routed in software).

Question 8

What are the 2 modes supported by PACLs?

Answer 8

• Prefer port mode
• Merge mode (default)

Question 9

What is Prefer Port mode?

Answer 9

If a PACL is configured on a Layer 2 interface, the PACL takes effect and overwrites the effect of other ACLs (Cisco IOS ACL and VACL)

Question 10

What is Merge mode?

Answer 10

The PACL, VACL, and Cisco IOS ACLs are merged in the ingress direction following the logical serial model shown in Figure 51-2. This is the default access group mode.

Question 11

If a PACL, VACL, and RACL are applied on the same VLAN and incoming traffic is bridged what order are they processed?

Answer 11

1. Inbound PACL on the switchport
2. Inbound VACL on the VLAN 3
3. Outbound VACL on the VLAN

Question 12

If a PACL, VACL, and RACL are applied on the same VLAN and incoming traffic is routed what order are they processed?

Answer 12

1. Inbound PACL on the switchport
2. Inbound VACL on the VLAN
3. Inbound ACL on the SVI 4) Outbound ACL on the SVI 5) Outbound VACL on the VLAN

Question 13

What are the 3 methods of gaining access to the CLI on an IOS device?

Answer 13

• Console (cty) port - line con 0
• Aux (aux) port - line aux 0
• Virtual Terminal (vty) lines - line vty 0 4

Question 14

What are the 3 ways to password-protect the lines?

Answer 14

• password configured directly on the line
• username-based authentication
• Using a AAA server

Question 15

What is a Type 0 password?

Answer 15

• configured with ‘enable password’
• clear text

Question 16

What is a Type 5 password?

Answer 16

These passwords use an improved Cisco proprietary encryption algorithm that makes use of the MD5 hashing algorithm. Only crackable by brute force attacks.

Question 17

What is a Type 7 password?

Answer 17

These passwords use a Cisco proprietary Vigenere cypher encryption algorithm and are known to be weak. There are multiple online password utilities available that can decipher type 7 encrypted passwords in less than a second. Enabled with service password-encryption

Question 18

What is a Type 8 password?

Answer 18

Type 8 passwords specify a Password-Based Key Derivation Function 2 (PBKDF2) with a SHA-256 hashed secret and are considered to be uncrackable.

Question 19

What is a Type 9 password?

Answer 19

These use the SCRYPT hashing algorithm. Just like type 8 passwords, they are considered to be uncrackable.

Question 20

To enable a password on line con, aux, or vty what 2 commands are required?

Answer 20

• password MYPASS
• login

Question 21

What are 3 ways to enable username password authentication?

Answer 21

• username password
• username secret
• username algorithm type secret

Question 22

What 2 commands will enable username password authentication on line con, aux, vty?

Answer 22

• global config username password
• under line configuration ‘login local’

Question 23

What are 3 privilege levels?

Answer 23

• privilege level 0
• privilege level 1
• privilege level 15

Question 24

What can you do with privilege level 0?

Answer 24

• disable
• enable
• exit
• help
• logout

Question 25

What can you do with privilege level 1?

Answer 25

• User exec level
• Everything except configuration changes.

Question 26

What can you do with privilege level 15?

Answer 26

• Privileged EXEC mode
• Highest privilege level
• You can do everything

Question 27

What are the 2 versions of SSH?

Answer 27

• SSHv1
• SSHv2

Question 28

What are the 3 steps required to enable SSHv2?

Answer 28

• Configure a hostname
• Configure a domain name (ip domain-name yum.tgr.net)
• Generate crypto keys (crypto key generate 768)

Question 29

What determines the version of SSH in use?

Answer 29

A modulus of 768 or greater enables SSHv2

Question 30

What is SSH 1.99?

Answer 30

Means that both SSHv1 and SSHv2 are enabled.

Question 31

How do you make sure only SSHv2 is used?

Answer 31

Use the command ‘ip ssh version 2’

Question 32

What is the command to disable the AUX port?

Answer 32

• line aux 0
• no exec

Question 33

What does the command ‘exec timeout’ by itself do?

Answer 33

Times out the session after 10 minutes

Question 34

What is the command to kick someone out after a certain amount of time whether the line is in use or not?

Answer 34

absolute-timeout (minutes) The command ‘logout warning (seconds)’ should be used in conjunction with absolute-timeout

Question 35

Why is TACACS+ the protocol of choice for network device administration?

Answer 35

After authenticating a user it can authorize every command the user types in. RADIUS can’t do that.

Question 36

Why is RADIUS the protocol of choice for secure network access?

Answer 36

It supports EAP. TACACS does not.

Question 37

What is a stateful firewall?

Answer 37

A firewall capable of looking into Layers 4 through 7 of a network packet to verify the state of the transmission. A stateful firewall can detect whether a port is being piggybacked and can mitigate DDoS intrusions.

Question 38

What is a Zone-based Firewall (ZBFW)?

Answer 38

Integrated stateful firewall technology included in IOS. It reduces the need for a branch office to have a firewall. Assigns interfaces to zones (Inside, Outside, DMZ)

Question 39

What are the 2 system-built zones in a ZBFW?

Answer 39

• Self
• Default

Question 40

What is the Self zone?

Answer 40

It is a system-level zone and includes all the routers’ IP addresses. By default, traffic to and from this zone is permitted to support management (for example, SSH protocol, SNMP) and control plane (for example, EIGRP, BGP) functions.

Question 41

What happens after a policy is applied to the self zone and another security zone?

Answer 41

All interzone communication must be explicitly defined.

Question 42

What is the Default zone?

Answer 42

The default zone is a system-level zone, and any interface that is not a member of another security zone is placed in this zone automatically.

Question 43

If an interface is in the Default zone can other zones communicate with it?

Answer 43

Yes, when the unassigned interfaces are in the default zone, a policy map can be created between the two security zones.

Question 44

What is the command for creating a class-map for a ZBFW?

Answer 44

class-map type inspect

Question 45

What is an Inspection Policy Map?

Answer 45

A policy-map which applies firewall policy actions to the class maps defined in the policy map.

Question 46

What makes a firewall stateful?

Answer 46

The router maintains connection/ session information and permits return traffic from the destination zone without the need to specify it in a second policy.

Question 47

What is the command to create a security zone?

Answer 47

zone security (zone-name)

Question 48

What is the command to create class-maps for the purpose of inspection?

Answer 48

class-map type inspect [match-all | match-any] (class-name)

Question 49

Under class-map configuration what does ‘match access-group name’ do?

Answer 49

It is used to match against previously created ACLs. (match access-group name MYACL)

Question 50

What is the command to create policy maps for inspection purposes?

Answer 50

policy-map type inspect (policy-name)

Question 51

What is the difference between the policy map actions PASS and INSPECT?

Answer 51

• PASS - forwards traffic in one direction only. Another policy map would be needed for return traffic
• INSPECT - The router maintains connection/ session information and permits return traffic from the destination zone without the need to specify it in a second policy.

Question 52

What is the command to create a zone-pair?

Answer 52

zone-pair security MYZONEPAIR source OUTSIDE destination SELF

Question 53

What is the command to associate a policy-map with a zone-pair?

Answer 53

In zone-pair configuration mode - ‘service-policy type inspect MYPOLICY’

Question 54

What is the command to associate an interface with a security zone?

Answer 54

zone-member security OUTSIDE

Question 55

What is Control Plane Policing (CoPP)?

Answer 55

A control plane policing (CoPP) policy is a QoS policy that is applied to traffic to or sourced by the router’s control plane CPU.

Question 56

What are CoPP policies used for?

Answer 56

CoPP policies are used to limit known traffic to a given rate while protecting the CPU from unexpected extreme rates of traffic that could impact the stability of the router.

Question 57

What is Cisco EPC?

Answer 57

Cisco Embedded Packet Capture

Question 58

How do you tell which protocols need policing on the control plane?

Answer 58

Documentation and Cisco EPC captures

Question 59

What are the 5 steps to follow to do CoPP?

Answer 59

• Determine what traffic to police
• Create ACLs to match the traffic
• Create class-maps to categorize the traffic
• Create a policy-map referencing the class-maps
• Apply the policy-map to the control plane

Question 60

When performing CoPP what should you do at first to ensure that CoPP doesn’t cause problems?

Answer 60

In order to guarantee that CoPP does not introduce issues, in the policy-map the violate action is set to transmit for all the vital classes until a baseline for normal traffic flows is established.

Question 61

In a CoPP policy-map what is the purpose of the class-default?

Answer 61

By allowing a minimal amount of traffic within this class and monitoring the policy permits discovery of new or unknown traffic that would have otherwise been denied.

Question 62

To harden a router what 7 things should be disabled?

Answer 62

• CDP on outside interface
• TCP and UDP small servers
• IP Redirects
• Proxy ARP
• no service config
• MOP
• PAD service

Question 63

What should be done if you disable TCP and UDP small servers?

Answer 63

Add the commands service tcp-keepalive-in and service tcp-keepalive-out ensure that devices send TCP keepalives for inbound/ outbound TCP sessions. This ensures that the device on the remote end of the connection is still accessible and that half-open or orphaned connections are removed from the local device.

Question 64

Why should the ‘no service config’ command be used to harden a router?

Answer 64

It prevents the router from trying to pull a configuration from a TFTP server on bootup.

Question 65

What is MOP?

Answer 65

Maintenance Operation Protocol - part of the DECnet suite, allows access to a device that can only operate at the datalink layer.

Question 66

What is PAD?

Answer 66

Packet Assembler/Disassembler - used for x.25 connections only

Question 67

Determine if a vty line is in use

Answer 67

show line (the line in use has an asterisk)

Question 68

Verify the inspect class-map configuration

Answer 68

show class-map type inspect

Question 69

Verify the inspection policy-map

Answer 69

show policy-map type inspect

Question 70

Verify the zone pair policy-map

Answer 70

show policy-map type inspect zone-pair

Question 71

Verify the policy for CoPP

Answer 71

show policy-map control-plane input