Chapter 5 Flashcards
What AAA function verifies identity?
Authentication
What AAA function determines user permissions?
Authorization
What AAA function monitors resources being used and logs session statistics?
Accounting
What does an AAA server typically do when it receives an authentication request?
Challenges the user’s credentials by asking for username and password
What does the AAA server do after a user’s credentials are authenticated?
Authorizes them and decides which user profile to apply to the specific user
Describe the last process in the AAA framework
Accounts for everything the user is doing within the network and monitors resource usage and session statistics
What are two protocols used in IPsec?
ESP (encapsulating security payload)
AH (authentication header)
Which protocol transports data in a site-to-site VPN?
IPsec
How is encrypted multicast traffic carried between remote sites?
GRE (multicast) over IPsec (encryption)
What category of traffic is sent with IPsec?
Unicast traffic between two endpoints
What IPsec mode and protocol encapsulate and encrypt the entire original packet?
Tunnel mode (encapsulates the whole original IP packet behind a new outer IP header) with ESP (encrypts it and optionally authenticates it)
What does Internet Key Exchange (IKE) do?
Handles negotiation of protocols and algorithms. Generates the encryption and authentication keys
What's the difference between ESP tunnel and transport mode?
Tunnel mode protects the original routing information by encrypting the whole original packet, IP header included, behind a new outer header; transport mode keeps the original IP header in the clear and encrypts only the payload and ESP trailer. Tunnel mode is used for site-to-site (and most remote-access) VPNs; transport mode is used end to end between two hosts or to protect a GRE tunnel between routers.
Which security program describes badge authentication for building access?
Physical access control
Which security program describes purposely sending staff simulated phishing emails?
User awareness
What formats are available to select when configuring a WLAN with a WPA2 PSK in the GUI?
ASCII, hexadecimal
What type of encryption is used for WPA2-PSK?
AES-CCMP (AES with a 128-bit key)
What enhancements were introduced with WPA3?
Forward secrecy
SAE (Simultaneous Authentication of Equals) for authentication, which resists offline brute-force and dictionary attacks on the passphrase
An optional 192-bit security suite (WPA3-Enterprise)
What encryption does WPA1 use?
TKIP
Which WPA mode uses PSK for authentication?
Personal or WPA-PSK
Which wireless security protocols use a block cipher (AES)?
WPA2 (AES-CCMP) and WPA3 (AES-CCMP, or AES-GCMP in the 192-bit mode)
What does WPA3 replace PSK with?
SAE
How many ASCII characters can a WPA pre-shared key contain?
8-63 printable ASCII characters (the passphrase is stretched into the 256-bit PMK)
How many hexadecimal characters can a WPA pre-shared key contain?
Exactly 64 hexadecimal characters (256 bits), which is the PMK itself
What is a CRL?
Certificate Revocation List
Informs devices when a certificate is revoked/withdrawn
What is a CA?
Certificate Authority
A trusted entity that grants digital certificates to individuals/organizations to establish secure connections
What is 802.1X?
The IEEE standard for port-based network access control: a supplicant authenticates with EAP through the switch or AP (the authenticator) to a RADIUS authentication server before the port is allowed to pass normal traffic
What is a mitigation technique for ARP spoofing?
Dynamic ARP inspection
What is a mitigation technique for 802.1Q double tagging?
Keep the native VLAN of every trunk unused by any access port (or tag the native VLAN with vlan dot1q tag native); a VLAN access control list (VACL) can additionally filter traffic inside a VLAN
What is a mitigation technique for unwanted BPDUs on PortFast ports?
BPDU guard
What is a mitigation technique for MAC flooding attacks?
Port security
Which standard provides port-based authentication against an AAA (RADIUS) server?
802.1X
What does DHCP snooping do?
Classifies switch ports as trusted (facing the DHCP server) or untrusted (facing clients)
Drops DHCP server messages (OFFER/ACK) arriving on untrusted ports, validates client messages, rate-limits DHCP traffic from untrusted ports, and builds the binding table (MAC, IP, VLAN, port) that DAI uses
What threats can DHCP snooping mitigate?
Rogue DHCP server
Rogue clients on the network
Man-in-the-middle attacks
What can be done in response to ARP poisoning?
Dynamic ARP inspection (DAI)
What is a zero-day exploit?
An attack that uses a vulnerability for which no patch or fix is yet available (the vendor has had zero days to respond)
How can you control which devices can talk to a CPU?
CPU ACL
What is access-class used for?
To tie an ACL to vty lines
What is access-group used for?
To tie an ACL to an interface
Where do you want to configure extended access lists?
As close to the source as possible
What does implicit deny refer to?
Every ACL ends with an invisible "deny any" entry, so traffic that matches no explicit entry is dropped (an ACL containing only deny statements therefore blocks everything)
What is the standard ACL number range and its expanded range?
1-99
1300-1999
Where do you want to configure standard access lists?
Closest to the destination
How do you configure a standard access list?
access-list n {permit | deny} source-address [wildcard-mask] (a bare address with no wildcard matches that single host)
How do you configure an ACL to block or forward data?
ip access-group [acl#] [in/out]
How can you verify if an access-group is configured?
show ip interface
How do you configure an extended access list?
access-list n {permit | deny} protocol source source-wildcard destination destination-wildcard [eq port]
What is the extended ACL number range and its expanded range?
100-199
2000-2699
What additional things can you configure extended ACLs for over standard ACLs?
Destination IP
Port numbers
What command enters ACL configuration mode so existing entries can be edited by sequence number?
ip access-list {standard | extended} {name | number}
What command can you use to verify ACL configuration?
show ip access-lists
show access-lists
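Worked example for the ACL cards above, added here and not part of the original flashcards: a small evaluator that parses numbered standard and extended access-list statements in the syntax shown, applies wildcard masks (a 1 bit means "don't care"), picks the first matching entry, and falls through to the implicit deny. The two sample ACLs and the packets are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
ANY = ("0.0.0.0", "255.255.255.255")  # "any": every bit is don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask bits set to 1 are ignored; 0 bits must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str
    proto: str            # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    port: Optional[int]   # destination port from "eq N", if present


def _take_addr(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; a bare address
    (standard ACL shorthand) gets the 0.0.0.0 wildcard, i.e. an exact host."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and IPV4.fullmatch(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny ...' statement."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
        (src, wc), _ = _take_addr(rest)
        return Ace(action, "ip", src, wc, *ANY, None)
    if 100 <= number <= 199 or 2000 <= number <= 2699:     # extended
        proto, rest = rest[0], rest[1:]
        (src, swc), rest = _take_addr(rest)
        (dst, dwc), rest = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        return Ace(action, proto, src, swc, dst, dwc, port)
    raise ValueError(f"unsupported ACL number {number}")


def evaluate(acl: List[Ace], src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action
    return "deny"  # the invisible "deny any" at the end of every ACL


# Constructed sample ACLs (not from the original page): block Telnet from the
# 192.168.10.0/24 LAN to one server but allow everything else from that LAN;
# the standard list permits a single host and denies the rest of its subnet.
EXTENDED_ACL = [parse_ace(line) for line in (
    "access-list 100 deny tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 23",
    "access-list 100 permit ip 192.168.10.0 0.0.0.255 any",
)]
STANDARD_ACL = [parse_ace(line) for line in (
    "access-list 10 permit 192.168.1.1",
    "access-list 10 deny 192.168.1.0 0.0.0.255",
)]

if __name__ == "__main__":
    print(evaluate(EXTENDED_ACL, "192.168.10.7", "10.0.0.5", "tcp", 23))   # deny
    print(evaluate(EXTENDED_ACL, "192.168.10.7", "10.0.0.5", "tcp", 22))   # permit
    print(evaluate(EXTENDED_ACL, "172.16.0.1", "10.0.0.5", "tcp", 80))     # deny (implicit)
```

Note that the order of entries matters: swapping the two lines of access-list 100 would let the permit match Telnet first and the deny would never be reached. That is also why `ip access-list` sequence numbers, rather than re-typing the whole list, are the safer way to edit.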
For DHCP snooping, what interface should be configured as trusted on a switch?
The one connected to the DHCP server
What can be done to mitigate VLAN hopping?
Put access ports in use into a VLAN that isn’t the native VLAN
Manually configure trunks and disable DTP
How do you configure port security to save dynamically learned MAC addresses to the running configuration?
switchport port-security mac-address sticky
How should port security be configured if you want logs generated?
switchport port-security violation restrict
What does protect do in port security configuration?
Drops packets from unknown sources but does not increase the counter
Which two modes of port security drop packets when receiving packets from an unknown source?
Restrict
Protect
What is the difference between the shutdown and restrict commands in port security?
Both increment the violation counter and generate a syslog message/SNMP trap, but restrict only drops the offending frames (the port stays up) while shutdown puts the interface into the err-disabled state on the first frame from an unknown source
What is the default behavior of port-security?
Only one MAC address can be learned and the default violation action is shutdown
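Worked example for the port-security cards above, added here and not part of the original flashcards: a simulation of one secured interface with the IOS defaults (maximum 1, violation shutdown), sticky learning, and the three violation modes, run over constructed source MAC addresses. The syslog text is approximated and is not copied from a real switch.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    violation: str = "shutdown"   # IOS default violation mode
    maximum: int = 1              # IOS default maximum secure addresses
    sticky: bool = False
    secure_macs: Set[str] = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    running_config: List[str] = field(default_factory=list)  # sticky MACs appear here
    syslog: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame; return "forward" or "drop"."""
        if self.err_disabled:
            return "drop"  # port stays down until shut/no shut or errdisable recovery
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)  # dynamically learned secure address
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Unknown source beyond the maximum: a security violation.
        if self.violation == "protect":
            return "drop"  # silent: no counter increment, no log, no trap
        self.violation_count += 1
        # Approximated message; the real IOS text differs in detail.
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac} on secured port")
        if self.violation == "shutdown":
            self.err_disabled = True
        return "drop"


def demo() -> dict:
    """Constructed frames: legitimate host aa..aa then an intruder bb..bb."""
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        p = SecurePort(violation=mode)
        p.receive("aa:aa:aa:aa:aa:aa")
        intruder = p.receive("bb:bb:bb:bb:bb:bb")
        legit_after = p.receive("aa:aa:aa:aa:aa:aa")
        results[mode] = (intruder, legit_after, p.violation_count, p.err_disabled)
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

The dictionary returned by `demo()` makes the card's distinction concrete: in protect and restrict mode the legitimate host keeps working after the intruder's frame, but only restrict leaves a counter and a log line behind; in shutdown mode the whole port, legitimate host included, goes err-disabled.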
What hashing is applied to enable secret by default?
MD5 (a type 5 secret); it is a one-way hash, not reversible encryption
How do you configure a Telnet password?
line vty 0 15
password [password]
login
How do you configure a password for console login?
line console 0
password [password]
login
What happens if enable password and enable secret are configured?
The enable password is ignored; the enable secret takes precedence
What configuration can you apply to encrypt a password?
service password-encryption
How would you configure an enable secret hashed with SHA-256 (a type 8, PBKDF2-SHA256 secret)?
enable algorithm-type sha256 secret [password]
What kind of attacks can be mitigated with user awareness or training?
Brute-force attacks
Pharming
Social engineering
What kind of attacks can be mitigated with physical access control?
Burglary
Tailgating
What does DAI filter?
ARP messages received on untrusted ports
What kind of encryption does WEP use?
RC4
What is CCMP?
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
Part of the 802.11i standard (WPA2): AES-128 in counter mode for confidentiality and CBC-MAC for integrity
Which wireless security protocol has an optional 192-bit encryption?
WPA3 Enterprise
What is the configuration needed for DAI?
DHCP snooping enabled (DAI validates ARP messages against the snooping binding table)
(config) ip arp inspection vlan n
(config-if) ip arp inspection trust on uplinks and the port facing the DHCP server; all other ports stay untrusted
What is the configuration needed for DHCP snooping?
(config) ip dhcp snooping
(config) ip dhcp snooping vlan n
(config-if) ip dhcp snooping trust on the port facing the DHCP server; ports are untrusted by default (there is no "untrust" keyword, use no ip dhcp snooping trust to revert)
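Worked example for the DHCP snooping and DAI cards above (trusted vs untrusted ports, the binding table, and ARP inspection), added here and not part of the original flashcards: a small switch model that drops DHCP server messages on untrusted ports, builds a binding from a completed DISCOVER/ACK exchange, and then lets DAI forward only ARP whose sender MAC/IP/port matches that binding. Port names, MAC addresses, and the traffic sequence are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK"}  # only a real DHCP server should send these


@dataclass
class SnoopingSwitch:
    trusted: Set[str]                                                   # ports facing the DHCP server
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # mac -> (ip, port)
    pending: Dict[str, str] = field(default_factory=dict)               # mac -> port of last client msg
    log: List[str] = field(default_factory=list)

    def dhcp(self, port: str, msg: str, src_mac: str, chaddr: str,
             yiaddr: Optional[str] = None) -> str:
        """DHCP snooping for one message: src_mac is the Ethernet source,
        chaddr the client hardware address inside the DHCP payload."""
        if msg in SERVER_MSGS and port not in self.trusted:
            self.log.append(f"DHCP {msg} dropped on untrusted {port}: rogue server {src_mac}")
            return "drop"
        if port not in self.trusted and src_mac != chaddr:
            self.log.append(f"DHCP {msg} dropped on {port}: src {src_mac} != chaddr {chaddr}")
            return "drop"
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[chaddr] = port            # remember which port asked
        elif msg == "ACK" and chaddr in self.pending:
            # Lease granted: record MAC, IP and client port in the binding table.
            self.bindings[chaddr] = (yiaddr, self.pending.pop(chaddr))
        return "forward"

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> str:
        """Dynamic ARP Inspection: ARP from untrusted ports must match a binding."""
        if port in self.trusted:
            return "forward"
        if self.bindings.get(sender_mac) == (sender_ip, port):
            return "forward"
        self.log.append(f"ARP dropped on {port}: {sender_mac}/{sender_ip} has no binding")
        return "drop"


def run_scenario() -> SnoopingSwitch:
    """Constructed traffic: DHCP server on trusted Gi0/1, legitimate client
    aa..aa on Gi0/2, rogue server and ARP spoofer cc..cc on Gi0/3."""
    sw = SnoopingSwitch(trusted={"Gi0/1"})
    client, server, rogue = "aa:aa:aa:aa:aa:aa", "00:11:22:33:44:55", "cc:cc:cc:cc:cc:cc"
    sw.dhcp("Gi0/2", "DISCOVER", client, client)
    sw.dhcp("Gi0/1", "OFFER", server, client, "10.0.0.10")
    sw.dhcp("Gi0/2", "REQUEST", client, client)
    sw.dhcp("Gi0/1", "ACK", server, client, "10.0.0.10")        # binding created
    sw.dhcp("Gi0/3", "OFFER", rogue, client, "10.0.0.99")        # rogue server: dropped
    return sw


if __name__ == "__main__":
    sw = run_scenario()
    print(sw.bindings)
    print(sw.arp("Gi0/3", "cc:cc:cc:cc:cc:cc", "10.0.0.1"))      # gateway spoof: drop
    print(*sw.log, sep="\n")
```

The third ARP check in the test is the one worth remembering: a spoofer who knows a victim's real MAC and IP still fails DAI, because the binding also records the port the lease was issued on. Statically addressed hosts never appear in the binding table, which is why they need ARP ACLs or trusted ports in a real deployment.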
What types of WLC deployments are there?
Unified/Centralized
Cloud-Based
Embedded
Mobility Express
What is backdoor malware?
A type of Trojan that allows attackers to gain remote access to a system by negating normal authentication procedures
What is a feature of RSA?
Asymmetric encryption algorithm
Public-key cryptosystem
What privilege level grants the user access to privilege-exec mode?
15
What privilege level grants the user access to user-exec mode?
1