Module 5: Securing Network Devices: Authentication, Authorization, and Accounting Flashcards
An edge router security approach in which a series of security mechanisms and controls are thoughtfully layered throughout a computer network to protect the confidentiality, integrity, and availability of the network and the data within it.
Defense in Depth (DiD) approach
An edge router security approach that is a method of providing segregation of networks and services that need to be provided to users, visitors, or partners through the use of firewalls and multiple layers of filtering and control to protect internal systems.
demilitarized zone (DMZ)
An edge router security approach that is used to connect the internal network to the external network (usually the internet). This router is responsible for all the security measures, including firewall, intrusion detection, and prevention systems.
Single Router Approach
What are the areas of router security?
- physical security
- router hardening
- router operating system and configuration file security
An area of router security where the router is secured against attacks as well as possible.
router hardening
A protocol that provides communication over the Internet or a LAN using a virtual terminal connection.
Telnet
It allows a direct, non-network connection to the router from a remote location.
Auxiliary Port (AUX Port)
Login local needs a _______ and _______, while login only needs ______.
username
password
password
A command that allows telnet connections to the device.
transport input telnet ssh
A command that allows only SSH connections.
transport input ssh
A feature that allows users to enhance the security of a router by configuring options to automatically block further login attempts when a possible denial-of-service (DoS) attack is detected.
(Cisco IOS) Login Enhancements Features
A CISCO command where all login requests are denied and the only available connection is through the console.
login block-for
login quiet-mode access-class
login on-success log
login on-failure log
login quiet-mode access-class
A CISCO command that logs the username and IP address of a successful login.
login block-for
login quiet-mode access-class
login on-success log
login on-failure log
login on-success log
A CISCO command used to configure the number of login on-success log.
login block-for
login on-failure log
security authentication failure rate
login quiet-mode access-class
security authentication failure rate
A protocol which allows you to connect securely to a remote computer or a server by using a text-based interface.
Secure Socket Shell (SSH)
A CISCO command used to generate Rivest, Shamir, and Adleman (RSA) key pairs.
crypto key generate rsa
Level of access of User EXEC mode
privilege level 1
Level of access of Privileged EXEC mode
privilege level 15
A feature that allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands.
Role-Based CLI Access feature
A CISCO command under role-based views that enables the root view.
enable root view
secret 5 root
enable view
parser view
enable view
A CISCO command under role-based CLI access that creates a view and enters view configuration mode.
enable root view
secret 5 root
enable view
parser view
parser view
A CISCO command under role-based CLI access that is used to view a superview.
parser view
secret 5
view HOST
enable view
secret 5
or
view HOST
(I don't know)
A CISCO command under role-based that associates a command-line interface (CLI) view or superview with a password.
enable root view
secret 5 root
enable view
parser view
secret 5
It is a feature in CISCO devices that enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
Cisco IOS Resilient Configuration feature
A CISCO command that enables Cisco IOS image resilience.
secure boot-image
A CISCO command under IOS image resilience that stores a secure copy of the primary bootset in persistent storage.
secure boot-config
A CISCO command under IOS image resilience that displays the status of configuration resilience and the primary bootset filename.
show secure bootset
_______ requires that authentication, authorization, and accounting (AAA) be configured so the router can determine whether the user has the correct privilege level.
Secure Copy (SCP)
What is the CISCO command to disable password recovery?
no service password-recovery
A type of management access that applies only to devices that need to be managed or monitored.
in-band management
A type of management access that mitigates the risk of passing management protocols over the production network.
out-of-band management
A type of management access for which it must be decided whether the management channel needs to be open at all times.
in-band management
A type of management access that provides the highest level of security.
out-of-band management
A type of management access that provides a secure dedicated alternate access method into an IT network infrastructure to administer connected devices and IT assets without using the corporate LAN.
out-of-band management
A type of management access that uses the same communications channels that the devices themselves support.
in-band management
A type of management access that uses IPsec, SSH, or SSL when possible.
in-band management
A standard for logging messages.
Syslog (System Logging Protocol)
It logs messages at the configured level and higher when a Cisco message level is set.
Syslog (System Logging Protocol)
What syslog severity level is raised when an interface changes state from up to down or vice versa?
Level 5
What syslog severity level is raised when the device is unable to allocate memory?
Level 2
What syslog severity level is raised when the temperature is too high?
Level 1
What syslog severity level is raised when the device has an invalid memory size?
Level 3
What syslog severity level is raised when a packet is denied by an ACL?
Level 6
What syslog severity level is raised when a crypto operation fails?
Level 4
What syslog severity level is raised when the Cisco IOS software could not load?
Level 0
What syslog severity level is raised when a packet type is invalid?
Level 7
In configuring system logging, it is used to log messages to a syslog server host.
logging source-interface
logging host
logging trap
logging on
logging host
In configuring system logging, it is used to limit messages logged to the syslog servers.
logging source-interface
logging host
logging trap
logging on
logging trap
In configuring system logging, it is used to specify a particular IP address for syslog messages.
logging source-interface
logging host
logging trap
logging on
logging source-interface
In configuring system logging, it is used to enable message logging.
logging source-interface
logging host
logging trap
logging on
logging on
An Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.
Simple Network Management Protocol (SNMP)
An SNMP version that uses DES and AES for encryption.
SNMPv3
An SNMP version that uses username match for authentication.
SNMPv3
An SNMP version that provides authentication based on HMAC-MD5 or HMAC-SHA algorithms.
SNMPv3
An SNMP version that uses community string match for authentication.
SNMPv1
SNMPv2c
What is the CISCO command to configure an SNMP view?
snmp-server user
parser view
snmp-server group
ip access-list standard permit
snmp-server view
snmp-server view
What is the CISCO command to configure an SNMP group?
snmp-server user
parser view
snmp-server group
ip access-list standard permit
snmp-server view
snmp-server group
What is the CISCO command to add a user to SNMP group?
snmp-server user
parser view
snmp-server group
ip access-list standard permit
snmp-server view
snmp-server user
A networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
Network Time Protocol (NTP)
A feature that examines your existing router configurations and then updates your router in order to make your router and network more secure.
Security Audit
It is a Cisco IOS feature that is based on the Cisco IOS AutoSecure feature and performs checks on, and assists in the configuration of, almost all of the AutoSecure functions.
Security Audit
A discovery protocol that facilitates the management of Cisco devices by discovering these devices, determining how they are configured, and allowing systems using different network-layer protocols to learn about each other.
Cisco Discovery Protocol (CDP)
A Layer 2, media-independent, and network-independent protocol that runs on Cisco devices and enables networking applications to learn about directly connected devices nearby.
Cisco Discovery Protocol (CDP)
A discovery protocol used by network devices to advertise information about themselves to other devices on the network.
Link Layer Discovery Protocol (LLDP)
This protocol runs over the data-link layer, which allows two systems running different network layer protocols to learn about each other.
Link Layer Discovery Protocol (LLDP)
A feature that secures a router by using a single CLI command to disable common IP services that can be exploited for network attacks, enable IP services and features that can aid in the defense of a network when under attack, and simplify and harden the security configuration of the router.
AutoSecure
A routing protocol for Internet Protocol (IP) networks.
Open Shortest Path First (OSPF)
A Cisco IOS feature that allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks.
control plane policing
SHA
Secure Hash Algorithm
CEF
Cisco Express Forwarding
Control Plane Policing (CoPP)
Support for Distributed or Hardware Switching Platforms
Yes or No
Yes
Control Plane Policing (CoPP)
CEF required
Yes or No
No
Control Plane Policing (CoPP)
Provides a mechanism for dropping packets that are directed to closed or nonlistening TCP/UDP ports
Yes or No
No
Control Plane Policing (CoPP)
Ability to enforce limits on the number of packets for a specified protocol that are allowed in the control plane IP input queue
Yes or No
No
AAA
Authentication, Authorization, Accounting
Give types of accounting information.
- network
- connection
- system
- command
- resource
- EXEC
What is the CISCO command used to enable AAA parameters on the router?
aaa authentication login default local-case
username authentication ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
aaa new-model
aaa new-model
What is the CISCO command used to configure AAA parameters on the router?
aaa authentication login default local-case
username authentication ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
aaa new-model
aaa authentication login default local-case
What is the CISCO command used to add usernames and passwords to the local router for users that need administrative access to the router?
aaa authentication login default local-case
username authentication ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
aaa new-model
username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
What is the CISCO command used to enable AAA globally on the router?
aaa authentication login default local-case
username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
aaa new-model
username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
A type of server-based AAA that separates authentication from authorization.
TACACS+
A type of server-based AAA that does not separate authentication from authorization.
RADIUS
A term in AAA that ensures a device or end-user is legitimate.
authentication
A term in AAA that allows or disallows authenticated users access to certain areas and programs on the network.
Authorization