Section 8. Managing Network Device Security Flashcards

1
Q

Q1-What are five common threats network devices face?

A

Five common threats network devices face are

Remote access threats: Include unauthorized remote access to network devices.

Local access and physical threats: These threats include physical damage to network device hardware, password recovery by weak physical security, and theft.

Environmental threats: Temperature extremes (heat or cold) or humidity extremes and storms.

Electrical threats: Voltage spikes, brownouts, noise, and power loss.

Maintenance threats: The improper handling of important electronic components, lack of critical spare parts, poor cabling and labeling, and poor change policies.

2
Q

Q2-How do you mitigate remote access threats for network devices?

A

Mitigation of remote access threats includes configuration of strong authentication and encryption for remote access, configuration of a login banner, the use of ACLs, and VPN access.

3
Q

Q3-What are some techniques used to mitigate local access and physical threats facing network devices?

A

Techniques used to mitigate local access and physical threats include locking wiring closets, providing physical access control, and blocking physical access through a dropped ceiling, raised floor, window, ductwork, or other points of entry. You can also monitor facilities with security cameras.

4
Q

Q4-What are techniques used to mitigate environmental threats?

A

Mitigation techniques include creating a proper operating environment through temperature control, humidity control, airflow, remote environmental alarms, environment monitoring and recording, and policies/plans for environmental storms.

5
Q

Q5-What can one do to mitigate electrical threats facing network devices?

A

Mitigation of electrical threats includes using surge protectors, installing UPS systems and generators, providing redundant power supplies, following a preventive maintenance plan, and using remote monitoring.

6
Q

Q6-What are some ways to mitigate network device maintenance threats?

A

Ways to mitigate network device maintenance threats include neat cabling runs, proper labeling of components, stocking critical spares, access by only authorized personnel, proper change management procedures, and ensuring that network documentation is accurate and up to date.

7
Q

Q7-On a Cisco router, how do you set a password to restrict access to privileged EXEC mode?

A

The enable password and enable secret global configuration commands can set passwords to restrict access to privileged EXEC mode.

The enable password command restricts access to privileged EXEC mode but stores the password in the configuration unencrypted. The enable secret command creates an encrypted form of the enable password. The following example configures an encrypted password for privileged EXEC mode with ICND as the password:
RouterA(config)# enable secret ICND

8
Q

Q8-When you view the configuration on Cisco routers, only the enable secret password is encrypted. How do you encrypt passwords that protect user mode access and the enable password?

A

To encrypt passwords that protect user mode access and the enable password, use the service password-encryption global command, as follows:
RouterA(config)# service password-encryption

9
Q

Q9-On a Cisco router, how do you add a password to the console line?

A

To add a password to the console terminal, use the line console 0 global configuration command, followed by the login and password password line subcommands, as follows:
RouterA(config)# line console 0
RouterA(config-line)# login
RouterA(config-line)# password ICND
The login subcommand forces the router to prompt for authentication. Without this command, the router does not authenticate the line password. The password ICND subcommand sets the console password to ICND. The password set is case sensitive.

10
Q

Q10-How do you add a password to the VTY lines on a Cisco router?

A

The VTY lines provide Telnet access to a Cisco device. To add a password to the VTY lines, enter the line vty 0 4 global configuration command, the login command, and finally the password line subcommand. The password is case sensitive. In the following example, the Telnet password is set to ciscopress:
RouterA(config)# line vty 0 4
RouterA(config-line)# login
RouterA(config-line)# password ciscopress

11
Q

Q11-What are the four steps to configure SSH on a Cisco router or switch?

A

The four steps to configure SSH are

  1. Use the hostname command to configure a host name for the device.
  2. Configure the DNS domain with the ip domain-name command.
  3. Generate RSA keys with the crypto key generate rsa command.
  4. Configure the user credentials to be used for authentication.
12
Q

Q12-As a network administrator, you configure SSH on your Cisco device for remote access. What command will allow you to only permit SSH access and block Telnet access to the vty lines?

A

The vty line configuration mode command transport input ssh will limit access to the device through SSH while blocking Telnet.

13
Q

Q13-What IOS command can you use to display whether SSH is configured on your Cisco device?

A

Use the show ip ssh command.

14
Q

Q14-Create an access list that permits only vty access from network 192.168.10.0 255.255.255.0 to connect to the Cisco router.

A

To create an access list that permits only vty access from network 192.168.10.0 255.255.255.0 to connect to the Cisco router, enter the following:
RouterA(config)# access-list 10 permit 192.168.10.0 0.0.0.255
RouterA(config)# line vty 0 15
RouterA(config-line)# access-class 10 in
The access-class line subcommand (not ip access-group, which applies to an interface) binds the standard ACL to incoming vty sessions, so only connections sourced from the permitted network reach the login prompt.

15
Q

Q15-What are the two most popular external authentication options for connecting to Cisco devices?

A

The two most popular options are RADIUS and TACACS+.

RADIUS is an open standard with low use of CPU resources and memory.

TACACS+ is a security mechanism that enables modular authentication, authorization, and accounting services. It uses a TACACS+ daemon running on a security server.

16
Q

Q16-What is AAA?

A

Authentication, authorization, and accounting (AAA) is a security architecture for distributed systems that enables control over access to systems and determines which users are allowed access to particular services. AAA allows access to a device based on entering correct credentials, and any actions are accounted for (logged).

17
Q

Q17-What are some of the reasons a network administrator would want to secure unused device interfaces?

A

Unused interfaces on a network device, such as a switch, can be a security risk. For example, an unauthorized user can plug into an unused port on a switch and gain access to the network.

18
Q

Q18-How can you secure unused interfaces on a Cisco switch?

A

You secure an unused switch interface by either disabling the port or putting the port in an unused nonroutable VLAN. Also, auto-trunking of ports should be disabled using the switchport nonegotiate interface command.

19
Q

Q19-How do you disable a switch interface?

A

You disable a switch interface by issuing the shutdown interface command. To reenable the interface, issue the no shutdown command.

20
Q

Q20-What is switch port security?

A

Switch port security allows you to restrict input to a port by limiting and/or identifying the MAC addresses of the devices allowed to access the port.

21
Q

Q21-What are the four ways port security related to MAC address associations can be configured on a switch port?

A

The four ways to implement port security related to MAC address associations are

Dynamic: Secures the port by limiting the number of MAC addresses used on a port. Dynamic addresses are dynamically learned and can be configured to age out after a certain period.

Static: Secures the port with a static configuration of specific MAC addresses that are permitted to use the port.

Combination: Uses static MACs plus dynamic MACs.

Sticky learning: Converts dynamically learned addresses to “sticky secure” addresses. In other words, dynamically learned MAC addresses are stored in the running configuration as if they were statically configured.

22
Q

Q22-As a network administrator, you want to restrict the laptops that are allowed to connect to a specific switch port. You want to restrict switch port access to the MAC addresses of these laptops. What are the four steps to limit and identify the MAC addresses of the laptops that are allowed access on the ports?

A

Port security limits the number of valid MAC addresses that are allowed on a port. When MAC addresses are assigned to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

The steps to configure port security are as follows:

  1. Enable port security.
  2. Set the MAC address limit.
  3. Specify the allowable MAC addresses (optional).
  4. Define the violation action.
23
Q

Q23-When enabling port security on a Catalyst switch, what is the default number of MAC addresses allowed and the default violation action?

A

By default, port security is not enabled. When it is enabled, the default number of secure MAC addresses allowed on the interface is one and the default violation action is to shut down the port.

24
Q

Q24-What commands enable port security on interface g0/1? Only allow two MAC addresses on the port, and let the switch dynamically learn the MAC addresses and store them in the running configuration. Restrict the port and drop illegal frames and log them to a server if a third MAC address is detected.

A

Use the following commands to enable port security on interface g0/1:
Cat2960(config)# interface g0/1
Cat2960(config-if)# switchport mode access
Cat2960(config-if)# switchport port-security
Cat2960(config-if)# switchport port-security maximum 2
Cat2960(config-if)# switchport port-security mac-address sticky
Cat2960(config-if)# switchport port-security violation restrict

25
Q

Q25-Can you enable port security on a trunk port?

A

Yes. Port security supports nonnegotiating trunks.

A trunk port is a port configured to trunk multiple VLANs and can be configured with port security as long as the trunk is configured as a nonnegotiating trunk.

26
Q

Q26-When configuring port security violation actions, what are the three modes that can be configured and what do these modes do when a security violation occurs?

A

The three port security violation modes and their operation are as follows:

Protect: Drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed to drop below the maximum value.

Restrict: Drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed to drop below the maximum value and causes the SecurityViolation counter to increment.

Shutdown: Immediately puts the interface into the error-disabled state and sends an SNMP trap notification.

27
Q

Q27-How can you tell whether port security is enabled on a switch?

A

You determine whether port security is enabled on a switch by issuing the show port-security command, as follows:
Cat2960# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1             1            0                 0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8320

28
Q

Q28-How can you display the port security settings that are defined for an interface?

A

The show port-security interface interface-type interface-number privileged EXEC command displays the port security settings configured for an interface. The output from this command displays the following:

Whether port security is enabled

The violation mode

The maximum allowed number of secure MAC addresses for each interface

The number of secure MAC addresses on the interface

The number of security violations that have occurred

SwitchA# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

29
Q

Q29-How do you display the secure MAC address for all ports on a switch that has port security enabled?

A

The show port-security address privileged EXEC command displays the secure MAC addresses for all ports. Following is an example from the output of the show port-security address command:

SwitchA# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0001.0001.0001    SecureDynamic       Fa5/1        15 (I)
   1    0001.0001.0002    SecureDynamic       Fa5/1        15 (I)
   1    0001.0001.1111    SecureConfigured    Fa5/1        16 (I)
   1    0001.0001.1112    SecureConfigured    Fa5/1         -
   1    0001.0001.1113    SecureConfigured    Fa5/1         -
   1    0005.0005.0001    SecureConfigured    Fa5/5        23
   1    0005.0005.0002    SecureConfigured    Fa5/5        23
   1    0005.0005.0003    SecureConfigured    Fa5/5        23

30
Q

Q30-What is the default mode of a Catalyst 2960 switch interface?

A

The default mode of a Catalyst 2960 switch interface is dynamic auto. Because of this, the interface will try to negotiate trunking if the other end of the link has a compatible setting. This setting can allow an unauthorized user to plug a device into an unused switch interface and gain access to the VLANs on the network. Cisco recommends securing unused switch interfaces.

31
Q

Q31-As a network administrator, you enable port security on your switch ports. After a week, a user complains that he can no longer access the network. You issue the show interface status command and notice that the port the end user is connected to has err-disabled status. What has occurred?

A

In this example, the err-disabled status most likely indicates that a port security violation has occurred and the port was configured to shut down in the event of a violation, thus blocking network access for the end user.

32
Q

Q32-Port security is enabled on a switch with its default settings. When issuing the show interface status command, you notice that interface g0/1 is in the err-disabled state. How do you make the interface operational again?

A

When port security is enabled on a switch and an interface is in the err-disabled state, it means that a security violation has occurred and the interface was shut down. To make the interface operational, it will need to be enabled again with the no shutdown interface command.

In this example, the following commands would make interface g0/1 operational again:

SwitchA(config)# interface g0/1
SwitchA(config-if)# no shutdown

33
Q

Q33-Some services on Cisco devices might not be needed and can be disabled. What are two benefits for disabling these unused services?

A

Two benefits for disabling unused services on Cisco devices are

Helps preserve system resources

Eliminates the potential for security exploits on the unneeded services

34
Q

Q34-What Cisco IOS command displays open ports and services on your Cisco device?

A

The Cisco IOS command is show control-plane host open-ports.

This command shows all UDP and TCP ports the device is listening on to determine what services need to be disabled.

Cisco provides the AutoSecure function to help disable unnecessary services and enable other security features.

35
Q

Q35-What are some general best practices for disabling unused services on a Cisco router?

A

Best practices for disabling unused services on a Cisco router are as follows:

Unless needed, disable finger, identification (identd), and TCP and UDP small services.

Disable CDP on interfaces where the service might represent a risk. Examples include external or Internet edge interfaces.

Disable HTTP.

In IOS 15.0 and later, finger, identd, TCP and UDP small services, and HTTP service are disabled by default.

36
Q

Q36-What is NTP and why is it important to configure on network devices?

A

Network Time Protocol is used to synchronize the clocks of network devices on a network so that all devices keep the same time.

NTP is important to configure on network devices to allow correct tracking of events that transpire on a network, and clock synchronization is critical for digital certificates.

37
Q

Q37-From what sources can an NTP device get the correct time?

A

NTP clients can receive time from

Local master clock

Master clock on the Internet

GPS or atomic clock

A router can act as an NTP server and client.

38
Q

Q38-How do you configure a router to act as an NTP server?

A

The ntp master stratum global command configures a router as an NTP server. The stratum variable is a number from 1 to 15. A lower stratum value indicates higher NTP priority. The following configures a router as an NTP server with a stratum of 1:

RouterA(config)# ntp master 1

39
Q

Q39-How do you configure a router to synchronize its time from an NTP server?

A

The ntp server server-ip-address global command configures a Cisco device to synchronize its time with an NTP server.

40
Q

Q40-What banner is displayed before the username and password login prompts on a Catalyst switch?

A

The login banner is displayed.

The login banner is configured using the banner login global command. For example:

Switch# config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# banner login #
Enter TEXT message. End with the character ‘#’.
Notice! Only Authorized Personnel Are Allowed to Access This Device
#

41
Q

Q41-When is the message of the day (MOTD) banner displayed?

A

The MOTD is displayed upon connection to the router or switch either by Telnet or by the console port.

If a login banner is also configured on the router or switch, the MOTD will display first, followed by the login banner.

42
Q

Q42-Why does Cisco recommend using SSH instead of Telnet for remote access of a Cisco device?

A

Cisco recommends using SSH because it encrypts communication between the Cisco device and the host. Telnet is insecure, and all communication between the Cisco device and host is sent in clear text.

43
Q

Q43-By default, any IP address can connect to vty lines. How do you restrict access to vty lines, allowing only approved IP addresses to connect to the vty lines?

A

You restrict access to vty lines by using standard access lists.

Standard access lists allow you to permit or deny traffic based on the source IP address. To restrict access to vty lines, you would create a standard access list that permits each authorized IP address to connect to vty and apply the access list to the vty lines.