Day 20 - LAN Security & Device Hardening

Question 1

What are the two content security appliance products Cisco offers?

Answer 1

Cisco Email Security Appliance (ESA)
Cisco Web Security Appliance (WSA)

Question 1

Endpoints are best protected by what host based Cisco product?

Answer 1

Cisco Advanced Malware Protection (AMP)

Question 2

This is a Cisco proprietary special device designed to monitor email’s primary protocol, SMTP

Answer 2

ESA (Email Security Appliance)

Question 3

This Cisco proprietary device can block known threats, remediate against stealth malware that evades initial detection, discard emails with bad links, block access to newly infected sites and encrypt content in outgoing email to prevent data loss

Answer 3

ESA (Email Security Appliance)

Question 4

This Cisco proprietary device combines advanced malware protection, application visibility and control, acceptable use policy controls, and reporting

Answer 4

WSA (Web Security Appliance)

Question 5

What can the Cisco WSA perform?

Answer 5

Blacklisting of URLs
URL filtering
Malware scanning
URL categorization
Web app filtering
Encryption and decryption of traffic

Question 6

What is the issue with this bit of command?

R1(config)#line vty 0 4
R1(config-line)#password ci5c0
R1(config-line)#login

Answer 6

The password will be in plaintext and there is no accountability to who has logged in

Question 7

This command requires the use of a username/password pair on vty, console and aux ports

Answer 7

login local

Question 8

What are the correct commands to set up a username/password secret and have it be required to login and have access to the console and vty lines?

Answer 8

username {username} secret {secret}

line con 0
login local
no password

line vty 0 15
login local
no password

Question 9

This protocol uses plaintext, insecure transmission of both the login and data across the connection

Answer 9

Telnet (port 23)

Question 10

This protocol is more secure over Telnet

Answer 10

SSH (port 22)

Question 11

Why is SSH more secure over Telnet?

Answer 11

Required username and password, both of which are encrypted during transmission

Username and password can be auth’d using the local database method

Username is recorded when a user logs in leading to accountability

Question 12

What command would you use to verify SSH?

Answer 12

show ip ssh

Question 13

What commands would you use to set up SSH for the domain cisco.com with a username/secret pair for lines VTY 0 15?

Answer 13

ip domain cisco.com
crypto key generate rsa
1024 (bits in the modulus)

line vty 0 15
login local
transport input ssh
username hmolinar secret cisco

Question 14

How would you remove the RSA key pair?

Answer 14

crypto key zeroize rsa

Question 15

What is the minimum modulus size that Cisco recommends?

Answer 15

1024

Question 16

Router interfaces must be activated with what command?

Answer 16

no shutdown

Question 17

True or False:

With Cisco switches, an interface is activated when a device is connected to the port

Answer 17

True

Question 18

What are some security best practices for unused interface on Cisco devices?

Perform the commands on int fa0/1

Answer 18

Administratively disable unused ports

Prevent VLAN trunking by putting the port into switchport mode access

Assign the port to an unused VLAN

Change the native VLAN from VLAN 1 to an unused custom VLAN

int fa0/1
shut
sw acc mode
sw acc vlan 999
sw trunk native vlan 999

Question 19

What commands would you use to create a black hole VLAN and apply it to a range of interfaces fa0/20 to fa0/24?

Answer 19

vlan 999
name BlackHole

int range fa0/20 - 24
shut
switchport mode acc
switchport acc vlan 999

Question 20

What Cisco framework helps secure device access?

Answer 20

AAA

Authentication, authorization and accounting

Question 21

What two AAA authentication methods does Cisco support?

Answer 21

TACACS+
RADIUS

Question 22

What transport protocol and port does TACACS+ use?

Answer 22

TCP 49

Question 23

What transport protocol and port(s) does RADIUS use?

Answer 23

UDP 1645, 1812

Question 24

True or False:

Both RADIUS and TACACS+ encrypt passwords

Answer 24

True

Question 25

True or False:

Both RADIUS and TACACS+ encrypt the entire packet

Answer 25

False. Only TACACS+ encrypts the entire packet

Question 26

This protocol is a standard port based access control and authentication protocol

Answer 26

802.1X

Question 27

This standard port based access control and auth protocol is ideal for restricting unauthorized access through publicly available LAN devices, such as switches and wireless APs

Answer 27

802.1X

Question 28

802.1X defines three roles for devices in the network. What are they?

Answer 28

Client (Supplicant)
Switch (Authenticator)
Authentication Server

Question 29

For port security, one of the steps is to make the port an access port which means the port is not doing any what?

Answer 29

VLAN trunking

Question 30

What are the basic commands to throw port security onto an interface?

Answer 30

int {int}
switchport mode access
switchport port-security

Question 31

What command overrides the maximum number of allowed MAC addresses associated with the interface?

Answer 31

switchport port-security maximum {number}

Question 32

What command predefines any allowed source MAC address(es) for an interface?

Answer 32

int {int}
switchport port-security mac-address {mac-address}

Question 33

What command will allow an interface to dynamically learn and configure the MAC addresses of currently connected hosts?

Answer 33

int {int}
switchport port-security mac-address sticky

Question 34

True or False:

In regards to port security violations – protect, restrict and shutdown all discard offending traffic

Answer 34

True

Question 35

True or False:

In regards to port security violations – protect, restrict and shutdown all send log and SNMP messages?

Answer 35

False. Only restrict and shutdown do this

Question 36

True or False:

In regards to port security violations – protect, restrict and shutdown all disable the interface discarding all traffic

Answer 36

False. Only shutdown does this.

Question 37

What is a general command to show port security configuration?

Answer 37

show port-security

Question 38

What is a more granular command to show port security of an interface?

Answer 38

show port-security interface {int}

Question 39

This protocol can be used to set the aging time for static and dynamic secure addresses on a port

Answer 39

Port Security Aging

Question 40

What two types of aging are supported per port?

Answer 40

Absolute and Inactivity

Question 41

This port aging type deletes secure addresses on the port after the specified aging time

Answer 41

Absolute

Question 42

This port aging type deletes secure addresses only if they are inactive for the specified aging time

Answer 42

Inactivty

Question 43

What two ways can a port security violation occur?

Answer 43

Max number of secure MAC addresses has been added to the MAC address table for that interface

An address learned is seen on another secure interface in the same VLAN

Question 44

What three ways can VLAN attacks be launched?

Answer 44

Spoofing DTP messages
Introducing a rogue switch and enabling trunking
Mounting a double tagging attack

Question 45

What are some ways to avoid VLAN hopping attacks?

Give the commands to achieve this on Fa0/1

Answer 45

Disable DTP

Disable unused ports and put them in an unused VLAN

Manually enable the trunk link on a trunk port instead of having DTP do it

Set the native vlan to another VLAN other than 1

vlan 1000
name Native

int fa0/1
sw nonegotiate
shut
sw trunk native vlan 1000

Question 46

What are the two types of DHCP attacks?

Answer 46

Starvation and spoofing

Question 47

This type of DHCP attack aims to create a DOS condition for connecting clients

Answer 47

Starvation attack

Question 48

This type of DHCP attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients

Answer 48

Spoofing attack

Question 49

To protect against DHCP attacks, __________ ___________ uses the concept of Trusted and __________ ports

Answer 49

DHCP snooping
Trusted
Untrusted

Question 50

What are 4 critical features of DHCP snooping configuration?

Answer 50

Trusted ports
Untrusted ports, server messages
Untrusted ports, client messages
Rate limiting

Question 51

What would be the commands to:

Enable DHCP snooping
Trust DHCP messages on Fa0/1
Limit the rate of DHCP messages to 6 on ports fa0/5 - 24
Enable DHCP snooping on VLAN 5,10,50,51,52

Answer 51

ip dhcp snooping

int fa0/1
ip dhcp snooping trust
exit

int range fa0/5 - 24
ip dhcp snooping limit rate 6
exit

ip dhcp snooping vlan 5,10,50-52

Question 52

On Ethernet LANs, hosts are allowed to send unsolicited ARP replies known as what?

Answer 52

Gratuitous ARP message

Question 53

Dynamic ARP inspection (DAI) requires what other feature to be enabled to work?

Answer 53

DHCP snooping

Question 54

What 3 ways could you mitigate the chances of ARP spoofing and ARP poisoning?

Answer 54

Enable DHCP snooping
Enable DAI on selected VLANs
Configure trusted interfaces for DHCP snooping and ARP inspection

Question 55

What commands would you use to enable DAI configuration for VLAN 10 while trusting int fa0/24?

Answer 55

ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10

int fa0/24
ip dhcp snooping trust
ip arp inspection trust