Section 8. Managing Network Device Security

Question 1

Q1-What are five common threats network devices face?

Answer 1

Five common threats network devices face are

Remote access threats: Include unauthorized remote access to network devices.

Local access and physical threats: These threats include physical damage to network device hardware, password recovery by weak physical security, and theft.

Environmental threats: Temperature extremes (heat or cold) or humidity extremes and storms.

Electrical threats: Voltage spikes, brownouts, noise, and power loss.

Maintenance threats: The improper handling of important electronic components, lack of critical spare parts, poor cabling and labeling, and poor change policies.

Question 2

Q2-How do you mitigate remote access threats for network devices?

Answer 2

Mitigation of remote access threats includes configuration of strong authentication and encryption for remote access, configuration of a login banner, the use of ACLs, and VPN access.

Question 3

Q3-What are some techniques used to mitigate local access and physical threats facing network devices?

Answer 3

Techniques used to mitigate local access and physical threats include locking wiring closets, providing physical access control, and blocking physical access through a dropped ceiling, raised floor, window, ductwork, or other points of entries. You can also monitor facilities with security cameras.

Question 4

Q4-What are techniques used to mitigate environmental threats?

Answer 4

Mitigation techniques include creating a proper operating environment through temperature control, humidity control, airflow, remote environmental alarms, environment monitoring and recording, and policies/plans for environmental storms.

Question 5

Q5-What can one do to mitigate electrical threats facing network devices?

Answer 5

Mitigation of electrical threats includes using surge protectors, installing UPS systems and generators, providing redundant power supplies, following a preventive maintenance plan, and using remote monitoring.

Question 6

Q6-What are some ways to mitigate network device maintenance threats?

Answer 6

Ways to mitigate network device maintenance threats include neat cabling runs, proper labeling of components, stocking critical spares, access by only authorized personnel, proper change management procedures, and ensuring that network documentation is accurate and up to date.

Question 7

Q7-On a Cisco router, how do you set a password to restrict access to privileged EXEC mode?

Answer 7

The enable password and enable secret global configuration commands can set passwords to restrict access to privileged EXEC mode.

The enable password command restricts access to privileged EXEC mode but stores the password in the configuration unencrypted. The enable secret command creates an encrypted form of the enable password. The following example configures an encrypted password to privilege mode with ICND as the password:
RouterA(config)# enable secret ICND

Question 8

Q8-When you view the configuration on Cisco routers, only the enable secret password is encrypted. How do you encrypt passwords that protect user mode access and the enable password?

Answer 8

To encrypt passwords that protect user mode access and the enable password, use the service password-encryption global command, as follows:
RouterA(config)# service password-encryption

Question 9

Q9-On a Cisco router, how do you add a password to the console line?

Answer 9

To add a password to the console terminal, use the line console 0 global configuration command, followed by the login and password password line subcommands, as follows:
RouterA(config)# line console 0
RouterA(config-line)# login
RouterA(config-line)# password ICND
The login subcommand forces the router to prompt for authentication. Without this command, the router does not authenticate the line password. The password ICND subcommand sets the console password to ICND. The password set is case sensitive.

Question 10

Q10-How do you add a password to the VTY lines on a Cisco router?

Answer 10

The VTY lines provide access to telnet to a Cisco device. To add a password to the VTY lines, enter the line vty 0 4 global configuration command, the login command, and finally the password line subcommand. The password is case sensitive. In the following example, the Telnet password is set to ciscopress:
RouterA(config)# line vty 0 4
RouterA(config-line)# login
RouterA(config-line)# password ciscopress

Question 11

Q11-What are the four steps to configure SSH on a Cisco router or switch?

Answer 11

The four steps to configure SSH are

1. Use the hostname command to configure a host name of the device.
2. Configure the DNS domain with the ip domain-name command
3. Generate RSA keys with the crypto key generate rsa command.
4. Configure the user credentials to be used for authentication.

Question 12

Q12-As a network administrator, you configure SSH on your Cisco device for remote access. What command will allow you to only permit SSH access and block Telnet access to the vty lines?

Answer 12

The vty line configuration mode command transport input ssh will limit access to the device through SSH while blocking Telnet.

Question 13

Q13-What IOS command can you use to display whether SSH is configured on your Cisco device?

Answer 13

Use the show ip ssh command.

Question 14

Q14-Create an access list that permits only vty access from network 192.168.10.0 255.255.255.0 to connect to the Cisco router.

Answer 14

To create an access list that permits only vty access from network 192.168.10.0 255.255.255.0 to connect to the Cisco router, enter the following:
RouterA(config)# access list 10 permit 192.168.10.0 0.0.0.255
RouterA(config)# line vty 0 15
RouterA(config-if)# access-class 10 in

Question 15

Q15-What are the two most popular external authentication options for connecting to Cisco devices?

Answer 15

The two most popular options are RADIUS and TACACS+.

RADIUS is an open standard with low use of CPU resources and memory.

TACACS+ is a security mechanism that enables modular authentication, authorization, and accounting services. It uses a TACACS+ daemon running on a security server.

Question 16

Q16-What is AAA?

Answer 16

Authentication, authorization, and accounting (AAA) is a security architecture for distributed systems that enables control over access to systems and determines which users are allowed access to particular services. AAA allows access to a device based on entering correct credentials, and any actions are accounted for (logged).

Question 17

Q17-What are some of the reasons a network administrator would want to secure unused device interfaces?

Answer 17

Unused interfaces on a network device, such as a switch, can be a security risk. For example, an unauthorized user can plug into an unused port on a switch and gain access to the network.

Question 18

Q18-How can you secure unused interfaces on a Cisco switch?

Answer 18

You secure an unused switch interface by either disabling the port or putting the port in an unused nonroutable VLAN. Also, auto-trunking of ports should be disabled using the switchport nonegotiate interface command.

Question 19

Q19-How do you disable a switch interface?

Answer 19

You disable a switch interface by issuing the shutdown interface command. To reenable the interface, issue the no shutdown command.

Question 20

Q20-What is switch port security?

Answer 20

Switch port security allows you to restrict input to a port by limiting and/or identifying the MAC addresses of the devices allowed to access the port.

Question 21

Q21-What are the four ways port security related to MAC address associations can be configured on a switch port?

Answer 21

The four ways to implement port security related to MAC address associations are

Dynamic: Secures the port by limiting the number of MAC addresses used on a port. Dynamic addresses are dynamically learned and can be configured to age out after a certain period.

Static: Secures the port with a static configuration of specific MAC addresses that are permitted to use the port.

Combination: Uses static MACs plus dynamic MACs.

Sticky learning: Converts dynamically learned addresses to “sticky secure” addresses. In other words, dynamically learned MAC addresses are stored in the running configuration as if they were statically configured.

Question 22

Q22-As a network administrator, you want to restrict the laptops that are allowed to connect to a specific switch port. You want to restrict switch port access to the MAC addresses of these laptops. What are the four steps to limit and identify the MAC addresses of the laptops that are allowed access on the ports?

Answer 22

Port security limits the number of valid MAC addresses that are allowed on a port. When MAC addresses are assigned to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

The steps to configure port security are as follows:

1. Enable port security.
2. Set the MAC address limit.
3. Specify the allowable MAC addresses (optional).
4. Define the violation action.

Question 23

Q23-When enabling port security on a Catalyst switch, what is the default number of MAC addresses allowed and the default violation action?

Answer 23

By default, port security is not enabled. When it is enabled, the default number of secure MAC addresses allowed on the interface is one and the default violation action is to shut down the port.

Question 24

Q24-What commands enable port security on interface g0/1? Only allow two MAC addresses on the port, and let the switch dynamically learn the MAC addresses and store them in the running configuration. Restrict the port and drop illegal frames and log them to a server if a third MAC address is detected.

Answer 24

Use the following commands to enable port security on interface g0/1:
Cat2960(config)# int g0/1
Cat2960(config-if)# switchport mode access
Cat2960(config-if)# switchport port-security
Cat2960(config-if)# switchport port-security max 2
Cat2960(config-if)# switchport port-security mac-address sticky
Cat2960(config-if)# switchport port-sec violation restrict

Question 25

Q25-Can you enable port security on a trunk port?

Answer 25

Yes. Port security supports nonnegotiating trunks.

A trunk port is a port configured to trunk multiple VLANs and can be configured with port security as long as the trunk is configured as a nonnegotiating trunk.

Question 26

Q26-When configuring port security violation actions, what are the three modes that can be configured and what do these modes do when a security violation occurs?

Answer 26

The three port security violations modes and their operation are as follows:

Protect: Drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed to drop below the maximum value.

Restrict: Drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed to drop below the maximum value and causes the SecurityViolation counter to increment.

Shutdown: Immediately puts the interface into the error-disabled state and sends an SNMP trap notification.

Question 27

Q27-How can you tell whether port security is enabled on a switch?

Answer 27

You determine whether port security is enabled on a switch by issuing the show port-security command, as follows:
Cat2960# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
—————————————————————————
Fa0/1 1 0 0 Restrict
—————————————————————————
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8320

Question 28

Q28-How can you display the port security settings that are defined for an interface?

Answer 28

The show port-security interface interface-type interface-number privileged EXEC command displays the port security settings configured for an interface. The output from this command displays the following:

Whether port security is enabled

The violation mode

The maximum allowed number of secure MAC addresses for each interface

The number of secure MAC addresses on the interface

The number of security violations that have occurred

SwitchA# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

Question 29

Q29-How do you display the secure MAC address for all ports on a switch that has port security enabled?

Answer 29

The show port-security address privileged EXEC command displays the secure MAC addresses for all ports. Following is an example from the output of the show port-security address command:

SwitchA# show port-security address
Secure Mac Address Table
——————————————————————
Vlan Mac Address Type Ports Remaining Age
(mins)
—- ———– —- —– ————-
1 0001.0001.0001 SecureDynamic Fa5/1 15 (I)
1 0001.0001.0002 SecureDynamic Fa5/1 15 (I)
1 0001.0001.1111 SecureConfigured Fa5/1 16 (I)
1 0001.0001.1112 SecureConfigured Fa5/1 -
1 0001.0001.1113 SecureConfigured Fa5/1 -
1 0005.0005.0001 SecureConfigured Fa5/5 23
1 0005.0005.0002 SecureConfigured Fa5/5 23
1 0005.0005.0003 SecureConfigured Fa5/5 23

Question 30

Q30-What is the default mode of a Catalyst 2960 switch interface?

Answer 30

The default mode of a Catalyst 2960 switch is dynamic auto. Because the default mode of a Catalyst 2960 switch interface is dynamic auto, the interface will try to negotiate to trunking if the other end of the link has a compatible setting. This setting can allow an unauthorized user to plug a device into an unused switch interface and gain access to the VLANs on the network. Cisco recommends securing unused switch interfaces.

Question 31

Q31-As a network administrator, you enable port security on your switch ports. After a week, a user complains that he can no longer access the network. You issue the show interface status command and notice that the port the end user is connected to has err-disabled status. What has occurred?

Answer 31

In this example, the err-disabled status most likely indicates that a port security violation has occurred and the port was configured to shut down in the event of a violation, thus blocking network access for the end user.

Question 32

Q32-Port security is enabled on a switch with its default settings. When issuing the show interface status command, you notice that interface g0/1 is in the err-disabled state. How do you make the interface operational again?

Answer 32

When port security is enabled on a switch and an interface is in the err-disabled state, it means that a security violation has occurred and the interface was shut down. To make the interface operational, it will need to be enabled again with the no shutdown interface command.

In this example, the following commands would make interface g0/1 operational again:

SwitchA(config)# interface g0/1
SwitchA(config-if)# no shutdown

Question 33

Q33-Some services on Cisco devices might not be needed and can be disabled. What are two benefits for disabling these unused services?

Answer 33

Two benefits for disabling unused services on Cisco devices are

Image Helps preserve system resources

Image Eliminates the potential for security exploits on the unneeded services

Question 34

Q34-What Cisco IOS command displays open ports and services on your Cisco device?

Answer 34

The Cisco IOS command is show control-plan host open-ports.

This command shows all UDP and TCP ports the device is listening on to determine what services need to be disabled.

Cisco provides the AutoSecure function to help disable unnecessary services and enable other security features.

Question 35

Q35-What are some general best practices for disabling unused services on a Cisco router?

Answer 35

Best practices for disabling unused services on a Cisco router are as follows:

Unless needed, disable finger, identification (identd), and TCP and UDP small services.

Disable CDP on interfaces where the service might represent a risk. Examples include external or Internet edge interfaces.

Disable HTTP.

In IOS 15.0 and later, finger, identd, TCP and UDP small services, and HTTP service are disabled by default.

Question 36

Q36-What is NTP and why is it important to configure on network devices?

Answer 36

Network Time Protocol is used to synchronize the clocks of network devices on a network to ensure that all devices are on the same time.

NTP is important to configure on network devices to allow correct tracking of events that transpire on a network, and clock synchronization is critical for digital certificates.

Question 37

Q37-From what sources can an NTP device get the correct time?

Answer 37

NTP clients can receive time from

Local master clock

Master clock on the Internet

GPS or atomic clock

A router can act as an NTP server and client.

Question 38

Q38-How do you configure a router to act as an NTP server?

Answer 38

The ntp master stratum global command configures a router as an NTP server. The stratum variable is a number from 1 to 15. A lower stratum value indicates higher NTP priority. The following configures a router as an NTP server with a stratum of 1:

RouterA(config)# ntp master 1

Question 39

Q39-How do you configure a router to synchronize its time from an NTP server?

Answer 39

The ntp server server-ip-address global command configures a Cisco device to synchronize its time with an NTP server.

Question 40

Q40-What banner is displayed before the username and password login prompts on a Catalyst switch?

Answer 40

The login banner is displayed.

The login banner is configured using the banner login global command. For example:

Switch# config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# banner login #
Enter TEXT message. End with the character ‘#’.
Notice! Only Authorized Personnel Are Allowed to Access This Device
#

Question 41

Q41-When is the message of the day (MOTD) banner displayed?

Answer 41

The MOTD is displayed upon connection to the router or switch either by Telnet or by the console port.

If a login banner is also configured on the router or switch, the MOTD will display first, followed by the login banner.

Question 42

Q42-Why does Cisco recommend using SSH instead of Telnet for remote access of a Cisco device?

Answer 42

Cisco recommends using SSH because it encrypts communication between the Cisco device and the host. Telnet is unsecure, and all communication between the Cisco device and host is sent in clear text.

Question 43

Q43-By default, any IP address can connect to vty lines. How do you restrict access to vty lines, allowing only approved IP addresses to connect to the vty lines?

Answer 43

You restrict access to vty lines by using standard access lists.

Standard access lists allow you to permit or deny traffic based on the source IP address. To restrict access to vty lines, you would create a standard access list that permits each authorized IP address to connect to vty and apply the access list to the vty lines.