Topic 6 - Infrastructure Security Flashcards
Which type of port is port security applied to?
Access ports: the interface must be statically configured with switchport mode access before switchport port-security is accepted.
Can port security be applied to a trunk port?
Not to a port whose mode is negotiated by DTP (dynamic auto/desirable), and not to SPAN destination or EtherChannel member ports. Cisco IOS does accept it on a statically configured trunk (switchport mode trunk), but in practice it is placed on static access ports.
What happens to the port when a violation occurs?
With the default violation mode (shutdown), the interface is placed in the err-disabled state, the violation counter is incremented and a syslog message and SNMP trap are generated. It stays down until an administrator does shutdown / no shutdown on it or errdisable recovery re-enables it.
Which command stops the interface from shutting down when a violation occurs?
switchport port-security violation protect (or violation restrict, which also counts and logs the violation). Both keep the port up and only drop frames from the offending MAC addresses.
Explain what the modes below do:
1 - Port Security PROTECT:
2 - Port Security RESTRICT:
3 - Port Security SHUTDOWN:
PROTECT - Once the maximum number of secure MAC addresses is reached, frames from any other source MAC are dropped at the port-security process level; the violation counter is not incremented and no syslog message or SNMP trap is sent, so the violation is silent.
RESTRICT - Same drop behaviour, but the violation counter is incremented and a syslog message and SNMP trap are sent; the port stays up.
SHUTDOWN - The port is put into err-disabled on a violation (counter incremented, syslog and trap sent). This is the default mode.
Explain
Static port security
AND
Dynamic port security
Static: the MAC addresses allowed on the port are configured by hand and survive a reload because they are part of the configuration. Dynamic: if fewer addresses are configured than the maximum, the remaining ones are learned from the first frames seen on the port; dynamically learned entries are not saved and are cleared when the link goes down or the switch reloads.
Switch(config-if)#switchport port-security mac-address [mac-address]
Sticky port
Enable sticky learning on the interface: dynamically learned addresses are converted to sticky secure addresses and written to the running configuration, so they survive a link flap; save the configuration to keep them across a reload.
Switch(config-if)#switchport port-security mac-address sticky
Maximum MAC Addresses port
Set the number of MAC addresses allowed to use this port (default 1; a port with an IP phone and a PC behind it needs at least 2)
Switch(config-if)#switchport port-security maximum (1-3072)
Violation Actions port security
Set the action to be taken when port security is violated
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
Protect - Least visible: frames from unsecured MACs are not forwarded, but nothing is counted or logged, so the violation can go unnoticed.
Restrict - Frames from unsecured MACs are not forwarded + syslog + SNMP trap (message to the monitoring tool) + violation counter; the port stays up.
Shutdown - Default: the port goes to err-disabled (all traffic stops, including the legitimate hosts), with syslog + SNMP trap + violation counter.
Error-disabled recovery
Once port security in shutdown mode is violated on an interface, the interface goes to err-disabled and stays there. To return it to normal, confirm the cause and then bounce the interface:
Switch#show interfaces status err-disabled
Switch#config t
Switch(config)#interface f0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
After the port is err-disabled, which command brings it back automatically?
Switch(config)#errdisable recovery cause psecure-violation
The switch re-enables the port after the recovery interval (errdisable recovery interval, default 300 seconds). If the offending host is still attached, the port is err-disabled again on the next violation, so automatic recovery is a convenience, not a fix.
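The cards above give the port-security commands one at a time. Assembled on a single interface, together with the err-disable recovery setting, they look like this; this is an added example, not one of the original flashcards, and the interface name, VLAN numbers and the two-device limit (an IP phone with a PC behind it) are assumptions.

```cisco
! Added example, not from the flashcards. Interface, VLANs and the device
! count (one phone plus one PC) are assumptions.
interface GigabitEthernet1/0/5
 description user-facing port: IP phone with a PC behind it
 ! port security is only accepted on a static access (or static trunk) port,
 ! never on one whose mode is negotiated by DTP
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! this line enables the feature; the options below do nothing without it
 switchport port-security
 ! the phone and the PC each need a secure entry
 switchport port-security maximum 2
 ! learn the first two MACs and write them to the running configuration
 switchport port-security mac-address sticky
 ! a third MAC is dropped, counted and reported, but the port stays up
 switchport port-security violation restrict
!
! For ports left in the default shutdown mode, let the switch re-enable them
! after 5 minutes instead of waiting for an administrator
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Checks, from privileged EXEC:
!   show port-security interface GigabitEthernet1/0/5   (status, mode, counter, max/current)
!   show port-security address                          (the learned sticky MACs)
!   show errdisable recovery                            (psecure-violation listed as Enabled)
! Sticky entries live in the running configuration: copy running-config
! startup-config, or they are gone after a reload.
```

Restrict is chosen over the default shutdown because a violation then reports itself (syslog, trap, counter) without taking the legitimate phone and PC offline; if shutdown is preferred, the two errdisable recovery lines keep a single stray device from turning into a help-desk ticket.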
Explain DHCP Snooping ?
DHCP snooping is a switch security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. It is enabled globally and then per VLAN, and is inactive by default. Ports toward the legitimate DHCP server (uplinks) are configured as trusted; every other port is untrusted, and DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, which stops a rogue DHCP server from handing out a malicious default gateway or DNS server. The switch can also rate-limit client DHCP messages on untrusted ports to blunt address starvation, and it records each completed lease in a binding table (MAC, IP, VLAN, interface, lease time).
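The behaviour described on the card, as an added configuration example that is not part of the original flashcards. The VLAN number, the uplink and access-port names and the rate limit are assumptions.

```cisco
! Added example, not from the flashcards. VLAN, interface names and the
! rate limit are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; a DHCP server or relay that does not
! expect the option may drop the requests, so disable it unless it is wanted
no ip dhcp snooping information option
!
! Uplink toward the real DHCP server: trusted, so OFFER/ACK/NAK are accepted here
interface GigabitEthernet1/0/24
 description uplink to distribution (path to the DHCP server)
 ip dhcp snooping trust
!
! Access ports stay untrusted (the default): server messages from a rogue
! DHCP server are dropped, and clients are limited to 15 DHCP packets/s so a
! starvation tool cannot exhaust the scope
interface range GigabitEthernet1/0/1 - 23
 ip dhcp snooping limit rate 15
!
! Keep the binding table across a reload
ip dhcp snooping database flash:dhcp-snoop.db
!
! Checks:
!   show ip dhcp snooping            (enabled VLANs, trusted ports, rate limits)
!   show ip dhcp snooping binding    (MAC, IP, lease, VLAN, interface per client)
```

The common mistake is forgetting to trust the uplink: the switch then drops the legitimate server's OFFERs as well, and every client on the VLAN loses DHCP.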
Explain 802.1x ?
- IEEE 802.1X is a client/server, port-based access control and authentication protocol: it prevents unauthorized clients from connecting to the LAN through publicly accessible switch ports until they have authenticated
- Three roles: the supplicant (client software), the authenticator (the switch, which only relays EAP messages and opens or closes the port) and the authentication server (normally RADIUS, which checks the credentials)
- The authentication server authenticates each client connected to a switch port before the switch makes any services on the port or the LAN available
- Until then the port passes only EAPOL frames; after authentication succeeds, normal traffic can pass through the port
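The three roles and the port behaviour above, as an added configuration example for the authenticator (the switch); it is not part of the original flashcards, and the RADIUS server address, shared secret, VLAN and interface are assumptions.

```cisco
! Added example, not from the flashcards. Server address, key and interface
! are assumptions.
aaa new-model
!
! The authentication server: RADIUS (1812 authentication, 1813 accounting)
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! 802.1X authentication goes to that server; the network authorization line is
! only needed if the server returns VLAN or ACL attributes for the session
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Turn the authenticator on globally; without this no port authenticates
dot1x system-auth-control
!
! The controlled port: closed (EAPOL only) until the supplicant authenticates
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! Checks:
!   show dot1x all summary
!   show authentication sessions interface GigabitEthernet1/0/2
```

port-control auto is the mode that actually enforces authentication; force-authorized (the default) leaves the port open regardless of the server, which is why the global dot1x system-auth-control and the per-port line both have to be present.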
Explain Nondefault native VLAN?
- The native VLAN is the one VLAN whose frames cross an 802.1Q trunk untagged; the default native VLAN is VLAN 1
- A nondefault native VLAN means you changed the native VLAN on the trunk (on both ends, or the switches log a native VLAN mismatch) to something other than VLAN 1
- VLAN 1 is also the VLAN every unconfigured access port belongs to and the one that carries CDP, VTP, PAgP and DTP, so it mixes user ports, untagged trunk traffic and control-plane protocols; accidents and deliberate exploits in VLAN 1 touch all three
- VLAN hopping by double tagging is one such exploit: an attacker on an access port in the native VLAN sends a frame with two 802.1Q tags, the first switch strips the outer (native) tag and forwards the frame onto the trunk, and the next switch reads the inner tag and delivers the frame into the victim VLAN. It is averted by using a dedicated, otherwise unused native VLAN that no access port belongs to (and, where the platform supports it, tagging the native VLAN as well)
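The default trunk beside the hardened one, as an added example that is not part of the original flashcards. The interface, VLAN IDs and the choice of 999 as the unused native VLAN are assumptions.

```cisco
! Added example, not from the flashcards. Interface and VLAN IDs are assumptions.
!
! Weak (what an unconfigured trunk gives you): native VLAN 1, untagged, and the
! same VLAN every unconfigured access port sits in, so a host on such a port can
! double-tag frames onto the trunk
interface GigabitEthernet1/0/48
 switchport mode trunk
!
! Hardened: a dedicated native VLAN that carries no user traffic, an explicit
! allowed list that excludes both VLAN 1 and the native VLAN, and no DTP
vlan 999
 name NATIVE-UNUSED
interface GigabitEthernet1/0/48
 ! only on platforms that still offer ISL; on others the command does not exist
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Where supported, tag the native VLAN too: untagged frames arriving on the
! trunk are then dropped instead of being mapped to VLAN 999
vlan dot1q tag native
!
! Check (and repeat the native vlan change on the far end of the trunk):
!   show interfaces trunk
```

Changing the native VLAN on one end only produces a native VLAN mismatch (CDP warns and spanning tree blocks the mismatched VLANs), so the command is always applied on both switches of the trunk.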
Types of access lists?
Standard, extended and named (a named ACL is itself either standard or extended; the name replaces the number and entries can be edited by sequence number)
Explain Access List
Access-lists are used to permit and deny traffic based on the filtering criteria specified in the list
Access-lists are evaluated top down, from the first entry to the last; the first matching entry decides and nothing after it is checked, so order matters
Access-lists are applied to interfaces in a direction (in or out), one per protocol per direction; the same lists can also restrict vty access with access-class
Explain STANDARD ACCESS LIST
- Standard ACLs are numbered 1-99 (and the expanded range 1300-1999)
- Permit or deny traffic based on the source address only, using a network address and wildcard mask (0 bits must match, 1 bits are ignored)
- Cannot permit or deny based on protocol, destination or ports
- An implicit deny any is automatically added to the end of every access-list, so a list with no permit entry blocks everything
- Place standard ACLs close to the destination: since they match only on source, placing them near the source would also block traffic to destinations that should stay reachable
Explain EXTENDED ACCESS LIST
- Extended ACLs are numbered 100-199 (and the expanded range 2000-2699)
- Permit or deny traffic from specific source IPs or ranges to specific destination IPs or ranges, per protocol (ip, tcp, udp, icmp)
- Can also permit or deny based on specific ports or port ranges (eq, gt, lt, range) and on TCP flags (established)
- An implicit deny any is automatically added to the end of every access-list
- Place extended ACLs close to the source, so unwanted traffic is dropped before it crosses the network
STANDARD ACCESS LIST Configuration
Router#config t
Router(config)#access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)#access-list 10 permit 192.168.2.0 0.0.0.255
Router(config)#interface f0/1
Router(config-if)#ip access-group 10 in
EXTENDED ACCESS LIST Configuration
Router#config t
Router(config)#access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq 53
Router(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)#interface f0/1
Router(config-if)#ip access-group 100 in
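Two things the cards state but the configurations above do not show: that order decides which entry matches, and that the implicit deny at the end silently drops everything else (ACL 100 above, for instance, also blocks HTTPS from the LAN). The following is an added example, not one of the original flashcards; the list names, the blocked host address and the interface are assumptions.

```cisco
! Added example, not from the flashcards. List names, host address and
! interface are assumptions.
!
! Wrong order: line 10 matches every packet from the subnet first, so the
! deny on line 20 can never be reached and the host is not blocked at all
ip access-list extended LAN-OUT-BAD
 10 permit ip 192.168.1.0 0.0.0.255 any
 20 deny ip host 192.168.1.50 any
!
! Correct order: the specific deny first, then the permits, then an explicit
! deny that duplicates the implicit one but is logged and shows hit counts
ip access-list extended LAN-OUT
 10 deny ip host 192.168.1.50 any log
 20 permit udp 192.168.1.0 0.0.0.255 any eq 53
 30 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 40 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 50 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group LAN-OUT in
!
! Check which line is matching (the per-entry match counters):
!   show access-lists LAN-OUT
! Anything the LAN needs that is not DNS, HTTP or HTTPS will show up as hits
! on line 50 and in the log, which is how the implicit deny is made visible.
```

The logged deny at the end changes nothing about what is dropped, but it turns the invisible implicit deny into a counter and a syslog line, which is what you want when users report that something "stopped working" after the list was applied.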
APIC-EM
Application Policy Infrastructure Controller - Enterprise Module (APIC-EM)
TACACS - Terminal Access Controller Access-Control System
AAA - Authentication, Authorization, and Accounting
RADIUS - Remote Authentication Dial-In User Service
Explain TACACS+
• TACACS+ = Terminal Access Controller Access-Control System Plus (Cisco's successor to TACACS and XTACACS; not backward compatible with them)
• TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server (device administration)
• TACACS+ services are maintained in a database on a TACACS+ daemon, typically running on a UNIX or Windows host; the network device and the daemon talk over TCP port 49 and the body of every packet is encrypted with a shared key
• You must have access to and configure a TACACS+ server before the TACACS+ features configured on the network access server work, and a local fallback should stay configured for when the server is unreachable
• TACACS+ provides separate and modular authentication, authorization and accounting facilities: a single access control server (the TACACS+ daemon) provides each service independently, which is what makes per-command authorization possible
TACACS+ vs RADIUS
- The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the authorization step, whereas RADIUS combines authentication and authorization
- When a RADIUS authentication request is sent to the AAA server, the AAA client expects the reply (Access-Accept) to already contain the authorization result (VLAN, ACL, session attributes); with TACACS+ the client asks for authorization in separate exchanges, which allows per-command authorization on network devices
- Transport: TACACS+ uses TCP port 49 and encrypts the whole packet body; RADIUS uses UDP (1812/1813, or the legacy 1645/1646) and encrypts only the password field of the request
- Typical use: TACACS+ for device administration (who may log in and run which commands), RADIUS for network access (802.1X, VPN, wireless), where its accounting and attribute support fit better
Explain Local authentication
- Authentication is a way of identifying a user before permitting access to the network and network services
- Local authentication on a device references usernames and passwords configured locally on the device itself, with no external AAA server
- Local authentication restricts access to the User Exec command mode to the accounts configured on the device
- To configure local authentication (create the account first: once aaa new-model is entered, the vty lines default to local login, and a device with no local account refuses new remote sessions)
Router(config)#username [username] password [password]
Router(config)#aaa new-model
Router(config)#aaa authentication login default local
- Prefer username [username] secret [password]: secret stores a one-way hash, whereas password stores at best the reversible type 7 encoding
Explain Secure password ( In terms of device hardening )
- The enable password or enable secret protects access to the Privileged Exec command mode
- The enable password stores the password in plain text in the configuration (service password-encryption only wraps it in the reversible type 7 encoding)
Router(config)#enable password [password]
- The enable secret stores a one-way hash of the plain-text password in the configuration: type 5 (MD5) on older IOS; newer releases support type 8 (PBKDF2-SHA-256) and type 9 (scrypt) through enable algorithm-type
- Use enable secret instead of enable password; if both are configured, the secret is the one that applies
Router(config)#enable secret [password]
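The TACACS+, local authentication and secure password cards above describe one procedure: centralized AAA for device administration with a hashed local fallback. The following is an added example assembling it, not one of the original flashcards; the server address, shared secret, account name and passwords are assumptions.

```cisco
! Added example, not from the flashcards. Server address, key, account name
! and passwords are assumptions.
!
! Local fallback account and enable secret, created BEFORE aaa new-model so
! the vty lines never default to local login with no account present.
! "secret" stores a one-way hash; scrypt (type 9) where the image supports it,
! otherwise drop "algorithm-type scrypt" and accept type 5 (MD5)
username admin privilege 15 algorithm-type scrypt secret <strong-password>
enable algorithm-type scrypt secret <strong-enable-password>
!
aaa new-model
!
! The TACACS+ daemon: TCP/49, packet bodies encrypted with the shared key
tacacs server TAC-1
 address ipv4 192.0.2.11
 key <shared-secret>
!
! Authentication: TACACS+ first; "local" is used only when no server answers,
! not when the server rejects the user
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: the step TACACS+ keeps separate, here down to individual
! privileged commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: session start/stop and every level-15 command
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 transport input ssh
 login authentication default
!
! Checks, from a second session so a mistake cannot lock you out of the box:
!   show aaa servers
!   test aaa group tacacs+ admin <strong-password> legacy
!   show running-config | include secret     (hashes, not plain text)
```

The order matters in practice: aaa new-model switches every line to AAA immediately, so the local account and enable secret go in first, and the TACACS+ server is verified with test aaa before the existing console or SSH session is closed.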
Explain Login Banner
- A login banner appears just before the Username: prompt when user authentication is required to log in to a device; it is where the "authorized use only" legal warning belongs, so avoid wording such as "Welcome"
- A character delimiter is required to mark the beginning and end of the banner text; the delimiter must not appear inside the text itself
Router1(config)#banner login ?
LINE c banner-text c, where 'c' is a delimiting character
Router1(config)#banner login %this is the login banner%
Router1(config)#exit