Section 8. Managing Network Device Security Flashcards
Q1-What are five common threats network devices face?
Five common threats network devices face are
Remote access threats: Include unauthorized remote access to network devices.
Local access and physical threats: These threats include physical damage to network device hardware, password recovery made possible by weak physical security, and theft.
Environmental threats: Temperature extremes (heat or cold) or humidity extremes and storms.
Electrical threats: Voltage spikes, brownouts, noise, and power loss.
Maintenance threats: The improper handling of important electronic components, lack of critical spare parts, poor cabling and labeling, and poor change policies.
Q2-How do you mitigate remote access threats for network devices?
Mitigation of remote access threats includes configuration of strong authentication and encryption for remote access, configuration of a login banner, the use of ACLs, and VPN access.
Q3-What are some techniques used to mitigate local access and physical threats facing network devices?
Techniques used to mitigate local access and physical threats include locking wiring closets, providing physical access control, and blocking physical access through a dropped ceiling, raised floor, window, ductwork, or other points of entry. You can also monitor facilities with security cameras.
Q4-What are techniques used to mitigate environmental threats?
Mitigation techniques include creating a proper operating environment through temperature control, humidity control, airflow, remote environmental alarms, environment monitoring and recording, and policies and plans for responding to storms.
Q5-What can one do to mitigate electrical threats facing network devices?
Mitigation of electrical threats includes using surge protectors, installing UPS systems and generators, providing redundant power supplies, following a preventive maintenance plan, and using remote monitoring.
Q6-What are some ways to mitigate network device maintenance threats?
Ways to mitigate network device maintenance threats include neat cabling runs, proper labeling of components, stocking critical spares, access by only authorized personnel, proper change management procedures, and ensuring that network documentation is accurate and up to date.
Q7-On a Cisco router, how do you set a password to restrict access to privileged EXEC mode?
The enable password and enable secret global configuration commands can set passwords to restrict access to privileged EXEC mode.
The enable password command restricts access to privileged EXEC mode but stores the password in the configuration unencrypted. The enable secret command stores the enable password as a hash instead. The following example configures a hashed password for privileged EXEC mode with ICND as the password:
RouterA(config)# enable secret ICND
Q8-When you view the configuration on Cisco routers, only the enable secret password is encrypted. How do you encrypt passwords that protect user mode access and the enable password?
To encrypt passwords that protect user mode access and the enable password, use the service password-encryption global command, as follows:
RouterA(config)# service password-encryption
Q9-On a Cisco router, how do you add a password to the console line?
To add a password to the console terminal, use the line console 0 global configuration command, followed by the login and password line subcommands, as follows:
RouterA(config)# line console 0
RouterA(config-line)# login
RouterA(config-line)# password ICND
The login subcommand forces the router to prompt for authentication. Without this command, the router does not authenticate the line password. The password ICND subcommand sets the console password to ICND. The password set is case sensitive.
Q10-How do you add a password to the VTY lines on a Cisco router?
The VTY lines provide Telnet access to a Cisco device. To add a password to the VTY lines, enter the line vty 0 4 global configuration command, the login command, and finally the password line subcommand. The password is case sensitive. In the following example, the Telnet password is set to ciscopress:
RouterA(config)# line vty 0 4
RouterA(config-line)# login
RouterA(config-line)# password ciscopress
Q11-What are the four steps to configure SSH on a Cisco router or switch?
The four steps to configure SSH are
- Use the hostname command to configure a host name of the device.
- Configure the DNS domain with the ip domain-name command.
- Generate RSA keys with the crypto key generate rsa command.
- Configure the user credentials to be used for authentication.
Q12-As a network administrator, you configure SSH on your Cisco device for remote access. What command will allow you to only permit SSH access and block Telnet access to the vty lines?
The vty line configuration mode command transport input ssh will limit access to the device through SSH while blocking Telnet.
Q13-What IOS command can you use to display whether SSH is configured on your Cisco device?
Use the show ip ssh command.
Q14-Create an access list that permits only vty access from network 192.168.10.0 255.255.255.0 to connect to the Cisco router.
To create an access list that permits only vty access from network 192.168.10.0 255.255.255.0 to connect to the Cisco router, enter the following:
RouterA(config)# access-list 10 permit 192.168.10.0 0.0.0.255
RouterA(config)# line vty 0 15
RouterA(config-line)# access-class 10 in
Q15-What are the two most popular external authentication options for connecting to Cisco devices?
The two most popular options are RADIUS and TACACS+.
RADIUS is an open standard that consumes little CPU and memory.
TACACS+ is a security mechanism that enables modular authentication, authorization, and accounting services. It uses a TACACS+ daemon running on a security server.
Q16-What is AAA?
Authentication, authorization, and accounting (AAA) is a security architecture for distributed systems that enables control over access to systems and determines which users are allowed access to particular services. AAA allows access to a device based on entering correct credentials, and any actions are accounted for (logged).
Q17-What are some of the reasons a network administrator would want to secure unused device interfaces?
Unused interfaces on a network device, such as a switch, can be a security risk. For example, an unauthorized user can plug into an unused port on a switch and gain access to the network.