day 8 Flashcards
Cisco’s 3 layer hierarchical model
a three-layer logical (not necessarily physical) model; the layers may or may not reside in separate devices
Core layer
The only purpose of the core layer is to switch traffic as fast as possible throughout the internet.
distribution layer
The communication layer between the Core and Access layers, where network security is generally provided.
ACLs, firewalls, address translation, and DMZs are implemented at this layer.
access layer
Controls user and workgroup access to network resources, most of which will be available locally.
The organization's trusted network.
Switch port and VLAN security should be implemented at this layer.
layered security
physical integrity, core configuration, dynamic configuration, network traffic
physical integrity
routers are vulnerable to attackers with full physical access
core configuration
the stored software and configuration state of the router itself.
Some items stored in core configurations are interface addresses, static routes, usernames, passwords, and privileges
dynamic configuration
routing tables, ARP tables, and audit logs
network traffic
the information that routers manage, forward, and filter, such as permitted protocols and services
physical security
physical security not only covers unauthorized access, but also environmental protection and catastrophic events
rooms containing routers should:
- be free of electrostatic or magnetic interference
- have temperature and humidity controls
- have an uninterruptible power supply
- contain spare components/parts to speed repairs
more on security
- Devices should have the maximum amount of memory possible; this helps protect against DoS attacks.
IOS updates
New versions of IOS are important to have because they fix bugs and vulnerabilities, but don't deploy the newest version until it has been vetted and checked out by other users.
Switch security best practices:
- Control STP by using BPDU guard and root guard
- Turn off all unused ports and assign them to an unused VLAN
- Do not use VLAN 1 (avoid all defaults)
- Designate an unused VLAN (other than VLAN 1) for the trunk native VLAN
- Manually configure access ports and disable trunk negotiation
- Enable port security to limit MAC addresses
- Disable CDP on ports facing unknown networks and on links without Cisco neighbors
Spanning Tree protocol security
BPDU Guard is a way of preserving the STP topology by preventing the processing of any BPDUs received on a port.
Root Guard provides a way to enforce root bridge placement in the network by not allowing a port to become a root port.