Day 20 - LAN Security & Device Hardening Flashcards
What are the two content security appliance products Cisco offers?
Cisco Email Security Appliance (ESA)
Cisco Web Security Appliance (WSA)
Endpoints are best protected by what host based Cisco product?
Cisco Advanced Malware Protection (AMP)
This is a Cisco proprietary special device designed to monitor email’s primary protocol, SMTP
ESA (Email Security Appliance)
This Cisco proprietary device can block known threats, remediate against stealth malware that evades initial detection, discard emails with bad links, block access to newly infected sites and encrypt content in outgoing email to prevent data loss
ESA (Email Security Appliance)
This Cisco proprietary device combines advanced malware protection, application visibility and control, acceptable use policy controls, and reporting
WSA (Web Security Appliance)
What can the Cisco WSA perform?
Blacklisting of URLs
URL filtering
Malware scanning
URL categorization
Web app filtering
Encryption and decryption of traffic
What is the issue with this configuration?
R1(config)#line vty 0 4
R1(config-line)#password ci5c0
R1(config-line)#login
The password is stored and sent in plaintext, and since there is no username there is no accountability for who has logged in
This command requires the use of a username/password pair on vty, console and aux ports
login local
What are the correct commands to set up a username/password secret and have it be required to login and have access to the console and vty lines?
username {username} secret {secret}
line con 0
login local
no password
line vty 0 15
login local
no password
This protocol uses plaintext, insecure transmission of both the login and data across the connection
Telnet (port 23)
This protocol is more secure than Telnet
SSH (port 22)
Why is SSH more secure than Telnet?
Requires a username and password, both of which are encrypted during transmission
Username and password can be authenticated using the local database method
Username is recorded when a user logs in leading to accountability
What command would you use to verify SSH?
show ip ssh
What commands would you use to set up SSH for the domain cisco.com with a username/secret pair for lines VTY 0 15?
ip domain-name cisco.com
crypto key generate rsa
1024 (bits in the modulus)
line vty 0 15
login local
transport input ssh
username hmolinar secret cisco
How would you remove the RSA key pair?
crypto key zeroize rsa
What is the minimum modulus size that Cisco recommends?
1024
Router interfaces must be activated with what command?
no shutdown
True or False:
With Cisco switches, an interface is activated when a device is connected to the port
True
What are some security best practices for unused interfaces on Cisco devices?
Perform the commands on int fa0/1
Administratively disable unused ports
Prevent VLAN trunking by putting the port into switchport mode access
Assign the port to an unused VLAN
Change the native VLAN from VLAN 1 to an unused custom VLAN
int fa0/1
shut
sw mode acc
sw acc vlan 999
sw trunk native vlan 999
What commands would you use to create a black hole VLAN and apply it to a range of interfaces fa0/20 to fa0/24?
vlan 999
name BlackHole
int range fa0/20 - 24
shut
switchport mode acc
switchport acc vlan 999
What Cisco framework helps secure device access?
AAA
Authentication, authorization and accounting
What two AAA authentication methods does Cisco support?
TACACS+
RADIUS
What transport protocol and port does TACACS+ use?
TCP 49
What transport protocol and port(s) does RADIUS use?
UDP 1645, 1812
True or False:
Both RADIUS and TACACS+ encrypt passwords
True
True or False:
Both RADIUS and TACACS+ encrypt the entire packet
False. Only TACACS+ encrypts the entire packet
This protocol is a standard port based access control and authentication protocol
802.1X
This standard port based access control and auth protocol is ideal for restricting unauthorized access through publicly available LAN devices, such as switches and wireless APs
802.1X
802.1X defines three roles for devices in the network. What are they?
Client (Supplicant)
Switch (Authenticator)
Authentication Server
For port security, one of the steps is to make the port an access port which means the port is not doing any what?
VLAN trunking
What are the basic commands to throw port security onto an interface?
int {int}
switchport mode access
switchport port-security
What command overrides the maximum number of allowed MAC addresses associated with the interface?
switchport port-security maximum {number}
What command predefines any allowed source MAC address(es) for an interface?
int {int}
switchport port-security mac-address {mac-address}
What command will allow an interface to dynamically learn and configure the MAC addresses of currently connected hosts?
int {int}
switchport port-security mac-address sticky
True or False:
Regarding port security violations: protect, restrict and shutdown all discard offending traffic
True
True or False:
Regarding port security violations: protect, restrict and shutdown all send log and SNMP messages
False. Only restrict and shutdown do this
True or False:
Regarding port security violations: protect, restrict and shutdown all disable the interface, discarding all traffic
False. Only shutdown does this.
What is a general command to show port security configuration?
show port-security
What is a more granular command to show port security of an interface?
show port-security interface {int}
This feature can be used to set the aging time for static and dynamic secure addresses on a port
Port Security Aging
What two types of aging are supported per port?
Absolute and Inactivity
This port aging type deletes secure addresses on the port after the specified aging time
Absolute
This port aging type deletes secure addresses only if they are inactive for the specified aging time
Inactivity
What two ways can a port security violation occur?
Max number of secure MAC addresses has been added to the MAC address table for that interface
An address learned is seen on another secure interface in the same VLAN
What three ways can VLAN attacks be launched?
Spoofing DTP messages
Introducing a rogue switch and enabling trunking
Mounting a double tagging attack
What are some ways to avoid VLAN hopping attacks?
Give the commands to achieve this on Fa0/1
Disable DTP
Disable unused ports and put them in an unused VLAN
Manually enable the trunk link on a trunk port instead of having DTP do it
Set the native VLAN to a VLAN other than 1
vlan 1000
name Native
int fa0/1
sw nonegotiate
shut
sw trunk native vlan 1000
What are the two types of DHCP attacks?
Starvation and spoofing
This type of DHCP attack aims to create a DOS condition for connecting clients
Starvation attack
This type of DHCP attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients
Spoofing attack
To protect against DHCP attacks, __________ ___________ uses the concept of Trusted and __________ ports
DHCP snooping
Trusted
Untrusted
What are 4 critical features of DHCP snooping configuration?
Trusted ports
Untrusted ports, server messages
Untrusted ports, client messages
Rate limiting
What would be the commands to:
Enable DHCP snooping
Trust DHCP messages on Fa0/1
Limit the rate of DHCP messages to 6 on ports fa0/5 - 24
Enable DHCP snooping on VLAN 5,10,50,51,52
ip dhcp snooping
int fa0/1
ip dhcp snooping trust
exit
int range fa0/5 - 24
ip dhcp snooping limit rate 6
exit
ip dhcp snooping vlan 5,10,50-52
On Ethernet LANs, hosts are allowed to send unsolicited ARP replies known as what?
Gratuitous ARP message
Dynamic ARP inspection (DAI) requires what other feature to be enabled to work?
DHCP snooping
What 3 ways could you mitigate the chances of ARP spoofing and ARP poisoning?
Enable DHCP snooping
Enable DAI on selected VLANs
Configure trusted interfaces for DHCP snooping and ARP inspection
What commands would you use to enable DAI configuration for VLAN 10 while trusting int fa0/24?
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
int fa0/24
ip dhcp snooping trust
ip arp inspection trust