Topic 6 - Infrastructure Security Flashcards

1
Q

What port is port security applied to?

A

Access port

2
Q

Can port security be applied to a trunk port?

A

No. It can be applied only to an access port.

3
Q

What happens to the port when a violation occurs?

A

The interface will shut down.

4
Q

What method is used to stop an interface from shutting down when a violation occurs?

A

switchport port-security violation protect

5
Q

Explain what the modes below do:
1 - Port security PROTECT:
2 - Port security RESTRICT:
3 - Port security SHUTDOWN:

A

PROTECT: Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.

RESTRICT: Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.

SHUTDOWN: Shuts down the port if there is a security violation.

6
Q

Explain static port security and dynamic port security

A

Set the MAC addresses that are allowed to use the port. If fewer than the maximum are set, the remaining addresses are learned dynamically.

Switch(config-if)#switchport port-security mac-address

7
Q

Sticky port

A

Enable sticky learning on the interface

Switch(config-if)#switchport port-security mac-address sticky

8
Q

Maximum MAC addresses per port

A

Set the number of MAC addresses allowed to use this port

Switch(config-if)#switchport port-security maximum (1-3072)

9
Q

Port security violation actions

A

Set the action to be taken when port-security is violated

Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

Protect - Least secure. Frames from unsecured MACs are not forwarded.

Restrict - Medium security. Frames from unsecured MACs are not forwarded, plus a syslog message, an SNMP trap (message to the monitoring tool) and a violation counter increment.

Shutdown - The default; the port shuts down.

10
Q

Error-disabled recovery

A

Once port security is violated on an interface, the interface goes into the err-disabled state. To return it to normal, do the following:

Switch#show interface status err-disabled

Switch#config t
Switch(config)#interface f0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown

11
Q

After the port is error-disabled, what command do we use to bring it back automatically?

A

errdisable recovery

Automatically recovers a port that has been placed in the error-disabled state.

12
Q

Explain DHCP snooping.

A

DHCP snooping (a good thing) is a security feature, typically on a switch, that acts like a firewall between untrusted hosts and trusted DHCP servers.

DHCP snooping is enabled on a per-VLAN basis and is inactive by default.

13
Q

Explain 802.1X.

A
  • A client-server-based access control and authentication protocol preventing unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated
  • The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN
  • After authentication is successful, normal traffic can pass through the port
14
Q

Explain nondefault native VLAN.

A
  • The default native VLAN is VLAN 1.
  • A nondefault native VLAN means you changed the native VLAN to be something other than VLAN 1.
  • A lot of things default to VLAN 1, which means a lot of bad things can happen either accidentally or by way of purposeful exploits.
  • VLAN hopping by way of double tagging is one such exploit. It can be easily averted by using a nondefault native VLAN.
15
Q

Types of access lists?

A

Standard, Extended and Named

16
Q

Explain access lists

A

Access-lists are used to permit and deny different traffic based on the filtering criteria specified in the list

Access-lists are evaluated top down from first entry to last entry

Access-lists are applied to interfaces

17
Q

Explain STANDARD ACCESS LIST

A
  • Standard ACLs are numbered from 1 to 99
  • Permit or deny traffic using subnet and wildcard mask
  • Cannot permit or deny based on ports
  • Implicit deny is automatically added to the end of each access-list
  • Place Standard ACLs close to the destination
18
Q

Explain EXTENDED ACCESS LIST

A
  • Extended ACLs are numbered from 100-199
  • Permit or deny traffic from specific source IPs or ranges to specific destination IPs or ranges
  • Can also permit or deny based on specific ports or port ranges
  • Implicit deny is automatically added to the end of each access-list
  • Place extended ACLs close to the source
19
Q

STANDARD ACCESS LIST Configuration

A

Router#config t
Router(config)#access-list 10 permit 192.168.1.0 0.0.0.255

Router(config)#access-list 10 permit 192.168.2.0 0.0.0.255
---
Router#config t
Router(config)#interface f0/1
Router(config-if)#ip access-group 10 in
20
Q

EXTENDED ACCESS LIST Configuration

A

Router#config t
Router(config)#access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq 53

Router(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80

Router#config t
Router(config)#interface f0/1
Router(config-if)#ip access-group 100 in

21
Q

APIC-EM

A

Application Policy Infrastructure Controller - Enterprise Module (APIC-EM)

22
Q

TACACS
AAA
RADIUS

A
  • Terminal Access Controller Access Control System.
  • Authentication, Authorization, and Accounting.
  • Remote Access Dial-In User Service
23
Q

Explain TACACS+

A

• TACACS+: Terminal Access Controller Access Control System Plus
• TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server
• TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation
• You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available
• TACACS+ provides for separate and modular authentication, authorization, and accounting facilities
• TACACS+ allows a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently

24
Q

TACACS+ vs RADIUS

A
  • The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the Authorization functionality, where RADIUS combines both Authentication and Authorization
  • When a RADIUS Authentication request is sent to the AAA server, the AAA client expects to receive a reply containing the Authorization result
25
Q

Explain Local authentication

A
  • Authentication is a way of identifying a user before permitting access to the network and network services.
  • Local authentication on a device references usernames and passwords configured locally on the device
  • Local authentication restricts access to the User Exec command mode to the accounts configured on the device
  • To configure local authentication:

Router(config)#username [username] password [password]
Router(config)#aaa new-model
Router(config)#aaa authentication login default local

26
Q

Explain Secure password ( In terms of device hardening )

A
  • A secure password prevents access to the Privileged Exec command mode
  • The enable password stores the password in plain text in the configuration

Router(config)#enable password [password]

  • The enable secret creates an MD5 hash of the plain-text password that is entered and stores the hash in the configuration
  • It is recommended to use enable secret instead of enable password

Router(config)#enable secret [password]

27
Q

Explain Login Banner

A
  • A login banner appears just before the Username: prompt when user authentication is required to log in to a device, like the warning messages on ACT, etc.
  • A character delimiter is required to specify the beginning and end of the login banner

Router1(config)#banner login ?
LINE c banner-text c, where ‘c’ is a delimiting character
Router1(config)#banner login %this is the login banner%
Router1(config)#exit