Topic 6 - Infrastructure Security

Question 1

what port the Port security is applied to?

Answer 1

Access port

Question 2

Can Port security be applied to Trunk port?

Answer 2

No. Can be applied to only Access port

Question 3

What happens to port when the violation occurs?

Answer 3

interface will shutdown

Question 4

What method is used to stop interfaces to shutdown when violation occurs?

Answer 4

Switchport port security Violation protect

Question 5

Explain what the below modes does:
1 - Port Security PROTECT:
2 - Port Security RESTRICT:
3 - Port Security Shutdown

Answer 5

PROTECT - Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count

RESTRICT: Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count

SHUTDOWN: Shuts down the port if there is a security violation.

Question 6

Explain
Static port security
AND
Dynamic port security

Answer 6

Set the MAC addresses that are allowed to use the port. If less than the maximum are set than the remaining are learned dynamically.

Switch(config-if)#switchport port-security mac-address

Question 7

Sticky port

Answer 7

Enable sticky learning on the interface

Switch(config-if)#switchport port-security mac-address sticky

Question 8

Maximum MAC Addresses port

Answer 8

Set the number of MAC addresses allowed to use this port

Switch(config-if)#switchport port-security maximum (1-3072)

Question 9

Violation Actions port security

Answer 9

Set the action to be taken when port-security is violated

Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

Protect - Least secure, Frames from unsecured MAC’s are not forwarded.

Restrict - Medium Secure, Frames from unsecured MAC’s are not forwarded + Syslog + SNMP trap ( message to Monitoring tool ) + Violation counter

Shutdown - Default one and it shuts down

Question 10

Error-disabled recovery

Answer 10

Once port security is violated on an interface, the interface will go to err-disabled. To return it to normal, do the following:

Switch#show interface status err-disabled

Switch#config t
Switch(config)#interface f0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown

Question 11

After the port is disabled and to bring back automatically, what command do we use?

Answer 11

Errdisable recovery

To Automatically, recover once the port is recovered from Error disabled

Question 12

Explain DHCP Snooping ?

Answer 12

DHCP snooping (a good thing) is a security feature, typically on a switch, that acts like a firewall between untrusted hosts and trusted DHCP servers
DHCP snooping is enabled on a per-VLAN basis and is inactive by default

Question 13

Explain 802.1x ?

Answer 13

• A client-server-based access control and authentication protocol preventing unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated
• The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN
• After authentication is successful, normal traffic can pass through the port

Question 14

Explain Nondefault native VLAN?

Answer 14

• The default native VLAN is VLAN1
• The nondefault native VLAN means you changed the native VLAN to be something other than VLAN 1.
• There are a lot of things that are defaulted to VLAN 1 and that means a lot of bad things can happen either accidentally or by way of purposeful exploits.
• VLAN hopping by way of double tagging is one such exploit. It can be easily averted by using a nondefault native vlan

Question 15

Types of access lists?

Answer 15

Standard, Extended and Named

Question 16

Explain Access List

Answer 16

Access-lists are used to permit and deny different traffic based on the filtering criteria specified in the list

Access-lists are evaluated top down from first entry to last entry

Access-lists are applied to interfaces

Question 17

Explain STANDARD ACCESS LIST

Answer 17

• Standard ACLs are numbered from 1 to 99
• Permit or deny traffic using subnet and wildcard mask
• Cannot permit or deny based on ports
• Implicit deny is automatically added to the end of each access-list
• Place Standard ACLs close to the destination

Question 18

Explain EXTENDED ACCESS LIST

Answer 18

• Extended ACLs are numbered from 100-199
• Permit or deny traffic from specific source IPs or ranges to specific destination IPs or ranges
• Can also permit or deny based on specific ports or port ranges
• Implicit deny is automatically added to the end of each access-list
• Place extended ACL’s close to the source

Question 19

STANDARD ACCESS LIST Configuration

Answer 19

Router#config t
Router(config)#access-list 10 permit 192.168.1.0 0.0.0.255

Router(config)#access-list 10 permit 192.168.2.0 0.0.0.255
---
Router#config t
Router(config)#interface f0/1
Router(config-if)#ip access-group 10 in

Question 20

EXTENDED ACCESS LIST Configuration

Answer 20

Router#config t
Router(config)#access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq 53

Router(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80

Router#config t
Router(config)#interface f0/1
Router(config-if)#ip access-group 100 in

Question 21

APIC-EM

Answer 21

Application Policy Infrastructure Controller - Enterprise Module (APIC-EM)

Question 22

TACACS
AAA
RADIUS

Answer 22

• Terminal Access Controller Access control system.
• Authentication, Authorization, and Accounting.
• Remote Access Dial-In User Service

Question 23

Explain TACACS+

Answer 23

• TACACS+ Terminal Access Controller Access Control Service Plus
• TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server
• TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation
• We must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available
• TACACS+ provides for separate and modular authentication, authorization, and accounting facilities
TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently

Question 24

TACACS+ vs RADIUS

Answer 24

• The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the Authorization functionality, where RADIUS combines both Authentication and Authorization
• When a RADIUS Authentication request is sent to the AAA server, the AAA client expects to receive a reply containing the Authorization result

Question 25

Explain Local authentication

Answer 25

• Authentication is a way of identifying a user before permitting access to the network and network services.
• Local authentication on a device references usernames and passwords configured locally on the device
• Local authentication restricts access to the User Exec command mode to the accounts configured on the device
• To configure local authentication

Router(config)#username [username] password [password]
Router(config)#aaa new-model
Router(config)#aaa authentication login default local

Question 26

Explain Secure password ( In terms of device hardening )

Answer 26

• A secure password prevents access to the Privileged Exec command mode
• The enable password stores the password in plain text in the configuration

Router(config)#enable password [password]

• The enable secret creates an MD5 hash of the plain-text password that is entered and stores the hash in the configuration
• It is recommended to use enable secret instead of enable password

Router(config)#enable secret [password]

Question 27

Explain Login Banner

Answer 27

• A login banner appears just before the Username: prompt when user authentication is required to login to a device. Like warning messages on ACT etc
• A character delimiter is required to specify the beginning and end of the login banner

Router1(config)#banner login ?
LINE c banner-text c, where ‘c’ is a delimiting character
Router1(config)#banner login %this is the login banner%
Router1(config)#exit