Infrastructure Security Flashcards
a command-line facility that implements security measures across all three of the planes
auto secure
Specific sub-interface classification: handles traffic destined to one of the physical or logical interfaces of the router
host sub-interface
Specific sub-interface classification: handles certain data plane traffic that requires CPU intervention before forwarding (such as IP Options)
transit sub-interface
Specific sub-interface classification: exception traffic such as keep-alives or packets with time to live
CEF-Exception sub-interface
Syslog Levels
- 0 - Emergencies - System is unusable
- 1 - Alerts - Immediate action is needed
- 2 - Critical
- 3 - Errors
- 4 - Warnings
- 5 - Notifications
- 6 - Informational
- 7 - Debugging
commands to secure boot image
secure boot-image
Threats to both IPv4 and IPv6
An attacker is using a network service in an unexpected or malicious way. To protect against this, you can place filters to allow only the required protocols through the network.
Application layer attacks
Threats to both IPv4 and IPv6
Individuals not authorized for access are gaining access to network resources. To protect against this, use AAA services to challenge the user.
Unauthorized Access
Threats to both IPv4 and IPv6
Someone or something is between two devices that believe they are communicating directly with each other. You can prevent this by implementing Dynamic ARP Inspection (DAI) and Spanning Tree Protocol (STP) guards.
Man-in-the-middle
Threats to both IPv4 and IPv6
An attacker is listening in on the network traffic of others. This could be done where the attacker has carried out a content-addressable memory (CAM) table overflow. To protect against this, you can use port security.
Sniffing or eavesdropping
Threats to both IPv4 and IPv6
Making services that should be available to users unavailable. Performing packet inspection and rate limiting can help mitigate this.
Denial of Service (DoS)
Threats to both IPv4 and IPv6
Forged addressing or packet content. Filtering traffic that is attempting to enter the network is one of the best first steps to mitigate this type of traffic.
Spoofed packets
New potential risks with IPv6
- Network Discovery Protocol (NDP)
- Neighbour cache resource starvation
- DHCPv6
- Hop-by-hop extension headers
- Packet amplification attacks
- ICMPv6
- Tunneling options
- Autoconfiguration
- Dual stacks
- Bugs in code
IPv6 best practices
- Filter bogus addresses
- Filter nonlocal multicast addresses
- Filter ICMPv6 that is not needed
- Drop routing header type 0 packets
- Use manual tunnels rather than automatic tunnels
- Protect against IPv6 rogue devices
- Secure Neighbor Discovery (SeND) in IPv6
Mechanisms to prevent spoofing of IPv6 addresses
- IPv6 first-hop security binding table
- IPv6 device tracking
- IPv6 port-based access list support
- IPv6 RA guard
- IPv6 ND inspection
Process-switched traffic categories
- Receive adjacency traffic
- Data plane traffic requiring special processing by the CPU
command that can be used for Control Plane Policing (CoPP)
show policy-map control plane
A Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices
Control Plane Policing (CoPP)
Another feature, like CoPP, that can help mitigate the effects on the CPU of traffic that requires processing by the CPU
Control Plane Protection (CPPr)
CPPr can restrict traffic with finer granularity by dividing the aggregate control plane into three separate control plane categories known as sub-interfaces. The three sub-interfaces are:
Host sub-interface
Transit sub-interface
CEF-Exception sub-interface
Other features are:
- Port-filtering feature
- Queue-thresholding feature
Ways to secure routing protocols
By using password authentication with routing protocols
MD5
Layer 2 best practices
- Select an unused VLAN (other than VLAN 1) and use it as the native VLAN; do not use this VLAN for anything else
- Avoid VLAN 1
- Administratively configure access ports as access ports and turn off trunk negotiation
- Limit the number of MAC addresses learned on a given port
- Control spanning tree by using BPDU guard and root guard
- Turn off CDP
- Assign unused ports to an unused VLAN and shut them down
Layer 2 toolkit
- BPDU guard
- Root guard
- Port security
- DHCP snooping
- Dynamic ARP Inspection
- IP source guard
- 802.1x
- Storm control
- Access control lists
Introduced by Cisco in 1994 to provide a mechanism for management systems to automatically learn about devices connected to the network
Cisco Discovery Protocol (CDP)
A security feature that acts like a firewall between untrusted hosts and trusted DHCP servers.
DHCP Snooping
A security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
Dynamic ARP inspection
For Cisco IOS routers and switches, the Network Foundation Protection (NFP) framework is broken down into three basic planes:
- Management plane
- Data Plane
- Control Plane
Best practices for securing the management plane
- Enforce password policy
- Implement role-based access control (RBAC)
- Use AAA services
- Keep accurate time using NTP
- Use encrypted version of SNMP (v2 and v3)
- Control which IP addresses are allowed to initiate management connections
- Lock down syslog
- Disable unnecessary services (TCP and UDP small services, finger, BOOTP, DHCP, Maintenance Operation Protocol (MOP), DNS, packet assembler/disassembler (PAD), HTTP and HTTPS server, CDP, LLDP)
Best practices for the control plane
Deploying CoPP and CPPr
Best practices for protecting the data plane
- Block unwanted traffic at the router
- Reduce the chance of DoS attacks with features such as TCP Intercept and firewall services
- Reduce spoofing attacks (block traffic from outside that carries an internal source IP)
- Provide bandwidth management (rate limiting on certain traffic types such as ICMP)
- When possible, use IPS
Best practices common to IPv4 and IPv6
- Physical security
- Device hardening
- Control access between zones
- Routing protocol security
- AAA
- NTP
- Mitigating DoS attacks
- Have an up-to-date security policy
command to enable timestamps in syslog messages
service timestamps log datetime
A feature intended to improve recovery time by making a secure working copy of the router image and the startup configuration files so they cannot be deleted by a user
Cisco Resilient Configuration
CDP operates at which layer?
Layer 2
A custom privilege level associated with a subset of commands
Parser Views