Secure Routing and Switching

Question 1

Endpoint Security

Answer 1

Includes securing the network infrastructure devices (LAN) and end systems, such as workstations, servers, ip phones, access points, and storage area networking devices

Also encompasses securing layer 2 of the network infrastructure

• Enabling port security
• BPDU guard
• Root guard
• PVLAN edge

Question 2

2 internal LAN elements that need to be secured

Answer 2

Endpoints - various hosts (laptops, phones, servers etc)

Network Infrastructure

Question 3

3 traditional endpoint securities:

Answer 3

Antivirus/antimalware software

Host-based IPS

Host-based firewall

Question 4

Antivirus/antimalware software

Answer 4

Software installed on a host to detect and mitigate viruses and malware

Question 5

Host-Based Firewall

Answer 5

Software installed on a host that restricts incoming and outgoing connections to those initiated by that host only. Some firewall software can also prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts.

Question 6

Host-Based IPS

Answer 6

Software installed on the local host to monitor and report on the system configuration and application activity, provide log analysis, event correlation,integrity checking, policy enforcement, rootkit detection, and alerting

Question 7

Larger organizations now require protection before, during and after an attack. what 7 questions must IT administrators be able to answer?

Answer 7

1. where did it come from?
2. what was the threat method and the point of entry?
3. what systems were affected?
4. what did the threat do?
5. can i stop the threat and root cause?
6. how do we recover from it?
7. how do we prevent it from happening again?

Question 8

5 methods of securing endpoints in a borderless network

Answer 8

1. Spam filtering
2. data loss prevention (DLP)
3. antivirus/antimalware software
4. URL filtering
5. Blacklisting

Question 9

SPAM filtering

Answer 9

provides filtering of SPAM emails before they reach the endpoint

Question 10

Data Loss Prevention (DLP)

Answer 10

prevents sensitive information from being lost or stolen

Question 11

URL filtering

Answer 11

provides filtering of websites before they reach the endpoint

Question 12

Blacklisting

Answer 12

Identifies websites with bad reputations. Blacklisting immediately blocks connections based on the latest reputation intelligence, removing the need for a more resource-intensive, in depth analysis

Question 13

4 Modern Security solutions for Borderless network enpoints:

Answer 13

1. Antimalware protection (amp)
2. email security appliance (esa)
3. web security appliances (wsa)
4. network admission control (nac)

Question 14

the Purpose of Cisco Network Admission Control (NAC)

Answer 14

Purpose: is to allow only authorized and compliant systems, managed or unmanaged, to access the network
NAC is also designed to enforce network security, provides authentication, authorization, and posture assessment

Question 15

Cisco Network admission control (NAC) uses (6)

Answer 15

1. recognize users, their devices and their roles in the network
2. evaluate whether machines are compliant with security policies
3. enforce security policies by blocking, isolating, and repairing non compliant machines
4. provide easy and secure guest access
5. simplify non-authenticating device access
6. audit and report who is on the network

Question 16

Email security appliance (ESA) examples:

Answer 16

Spam blocking
Advanced malware protection
Outbound message control
Cisco email security appliance

Question 17

steps to mitigate DHCP starvation and dhcp spoofing

Answer 17

enable dhcp snooping

Question 18

Steps to mitigate mac address flooding (CAM table overflow)

Answer 18

port security

mac address vlan access maps

Question 19

steps to mitigate VLAN hopping

Answer 19

1. tighten up trunk configuration and the negotiation state of unsused ports
2. place unused ports into a common VLAN

Question 20

mitigate attacks between devices on a common vlan

Answer 20

Implement private VLANs (PVLAN)

Question 21

mitigate spanning-tree compromises

Answer 21

proactively configure the primary and backup root devices.

and enable root guard.

Question 22

what are spanning-tree compromises?

Answer 22

attacking device spoofs the root bridge in the STP topology. if, successful the network attacker can see a variety of frames

Question 23

mitigate mac spoofing

Answer 23

use DHCP snooping, port security

Question 24

what is MAC spoofing?

Answer 24

attacking device spoofs the mac address of a valid host currently in the CAM table. the switch then forwards frames destined for the valid host to the attacking device

Question 25

Mitigate ARP spoofing

Answer 25

Use dynamic arp inspection
DHCP Snooping
port security

Question 26

What is ARP spoofing

Answer 26

attacking device crafts ARP replies intended for valid hosts. the attacking device’s MAC address then becomes the destination address found in the layer 2 frames sent by the valid network device

Question 27

Mitigate Secure shell protocol (ssh) and telnet attacks

Answer 27

do not use telnet. USE ssh version 2

if you have to use telnet set up acls for those interfaces

Question 28

Setup switchport security and maximum mac addresses to 1 on port 0/4 of a switch

Answer 28

en
config t
int g0/4
switchport mode access (has to be access)
switchport port-security
switchport port-security maximum 1

Question 29

commands to setup dhcp snooping on a switch adn set port 0/1 as a trusted port

Answer 29

ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping clan 10,20
int fa0/1
description uplink
switchport mode trunk
switchport trunk allowed vlan 10,20
ip dhcp snooping trust