CCNA Security Chapter 6 Securing the Local Area Network

6.1.1.2

Describe the three elements on which the Cisco strategy for addressing endpoint security is based:

Cisco Network Admission Control (NAC) Makes sure end devices are granted access according to the security policies. Endpoint Protection- Protects endpoint against viruses, Trojans, worms. Technology is available with Cisco Security agent (CSA) Network infection containment- To address the newest attack methods that can compromise the network, containment focuses on automating key elements of the infection response proces

6.1.1.3

What basic security services do operating systems provide to applications?

6.1.1.4

Describe privilege switching:

Trusted code and trusted path Privileged context of execution Process memory protection and isolation Access control to resources Privileged switching changes the applications privildge, which gives it more or less access. Attackers take advantage of application privildges do run them. Least privilege concept - a process should never be given more privilege than is necessary to perform a job. Isolation between processes - Isolation between processes can be virtual or physical. A reference monitor is an access control concept that refers to a mechanism or process that mediates all access to objects. It provides a central point for all policy decisions

6.1.1.4

Describe the techniques that help protect an endpoint from operating system vulnerabilities:

6.1.1.5

Describe three Cisco components used to ensure a robust endpoint security solution.

Small, verifiable pieces of code - idea is to have small, easily verifiable pieces of code that are managed and monitored by a reference monitor IronPort - Cisco IronPort perimeter security appliances protect enterprises against Internet threats, with a focus on email and web security, two of the main endpoint security considerations Cisco NAC - NAC uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. CSA provides a fully integrated endpoint security solution that combines policy-driven, data-loss prevention with zeroupdate attack prevention and anti-virus detection in a single agent and management console. CSA defends endpoints against data loss from both malware and user actions and enforces acceptable-use and compliance policies within a simple management infrastructure.

Page 1 of 8

CCNA Security Chapter 6 Securing the Local Area Network

6.1.2.2

Describe IronPort SenderBase:

SenderBase, the world's largest threat detection database, to help provide preventive and reactive security measures. *SenderBase collects data from more than 100,000 ISPs, universities, and corporations. It measures more than 120 different parameters for any email server on the Internet. This massive database receives more than five billion queries per day, with real-time data streaming in from every continent and both small and large network providers.

6.1.3.1

Describe the purpose of Cisco Network Admission Control (NAC): Describe the four important features of NAC:

Cisco NACs purpose is to allow only authorized systems to access the network ANDDDDDDD to enforce the security policy Authentication and authorization, posture assessment (evaluating an incoming device against the policies of the network), quarantining of noncompliant systems, Remediation of noncompliant systems. File system interceptor - All file read or write requests are intercepted and allowed or denied based on the security policy. Network interceptor - Network driver interface specification (NDIS) changes are controlled and network connections are cleared through the security policy. The number of network connections that are allowed within a specified time can also be limited to prevent DoS attacks. Configuration interceptor - CSA tightly controls read/write requests to the registry. Execution space interceptor - preserving the integrity of dynamic resources, such as the file system, configuration of web services, memory, and network I/O by blocking to write to memory.

6.1.3.1

6.1.4.2

Describe the four interceptors which CSA employs to provide protection:

6.1.4.4

List the phases in the logical progression of almost every attack that intends to gain control of core mechanisms in a target system. Describe some of the attack mechanisms in the persist and later phases: List some of the possible Layer 2 attacks: Describe MAC address spoofing attacks:

6.1.4.4

Probe Phase Penetrate phase Persist Phase Propagate Phase Paralyze Phase An attempt to modify the operating system, modify files, create or alter network connections, or violate the memory space of active processes. MAC address spoofing, STP manipulation, MAC address table overflows, LAN storms, and VLAN attacks. Spoofing attacks occur when one host masquerades or

6.2.1.1 6.2.2.1

Page 2 of 8

CCNA Security Chapter 6 Securing the Local Area Network

6.2.3.1

Describe MAC address table overflow attacks:

6.2.5.2

Describe Storm Control:

poses as another to receive otherwise inaccessible data or to circumvent security configurations. The table fills up to the point that no new entries can be accepted. When this occurs, the switch begins to flood all incoming traffic to all ports because there is no room in the table to learn any legitimate MAC addresses. Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. VLAN hopping enables traffic from one VLAN to be seen by another VLAN with the aid of a router. Under certain circumstances, attackers can sniff data and extract passwords and other sensitive information. To prevent a basic VLAN hopping attack is to turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking.

6.2.6.2

Describe a VLAN hopping attack and how to prevent it:

6.2.6.3

Describe the double-tagging VLAN hopping attack:

6.3.1.1 6.3.1.4

Explain switch port security: Describe the two types of Port security aging:

6.3.3.1

Describe spanning-tree PortFast and list the commands to activate it:

This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q decapsulation; this can allow an attacker in specific situations to embed a hidden 802.1Q tag inside the frame. Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses Absolute - The secure addresses on the port are deleted after the specified aging time. Inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging time. PortFast feature causes an interface configured as a Layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states Switch(config)# spanning-tree portfast default (all non trunkingports at once) . Switch(config-if)# spanning-tree portfast (on interface)

6.3.3.2

Describe spanning-tree BPDU guard and list the command to activate it:

Switch# show running-config interface FastEthernet 0/8 BPDU guard is used to protect the switched network from the problems caused by receiving BPDUs on ports that should not be receiving them. Switch(config)# spanning-tree portfast bpduguard default

6.3.3.4

Explain the difference between BPDU guard

BPDU guard disables the port upon BPDU reception if

Page 3 of 8

CCNA Security Chapter 6 Securing the Local Area Network

and Root guard: 6.3.4.1 6.3.5.2 Explain storm control operation on Cisco switches: Describe how to control trunking for switch ports:

PortFast is enabled on the port. Root guard allows BPDUs as long as it doesnt try to become root. To monitor predefined suppression-level thresholds. When enabling storm control, both a rising threshold and a falling threshold can be set. Step 1. Use the switchport mode trunk interface configuration command to cause the interface to become a trunk link. Step 2. Use the switchport nonegotiate interface configuration command to prevent the generation of DTP frames.

6.3.6.1

Explain the operation of switched port analyzer (SPAN): Explain the operation of remote switched port analyzer (RSPAN):

6.3.7.1

Step 3. Use the switchport trunk native vlan vlan_number interface configuration command to set the native VLAN on the trunk to an unused VLAN. The default native VLAN is VLAN 1. A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network. An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected. This allows more switches to be monitored with a single probe or IDS. Manage switches in a secure manner (SSH, out-ofband management, ACLs, etc.). Set all user ports to non-trunking ports (unless you are using Cisco VoIP). Use port security where possible for access ports. Enable STP attack mitigation (BPDU guard, root guard). Use Cisco Discovery Protocol only where necessary with phones it is useful. Configure PortFast on all non-trunking ports. Configure root guard on STP root ports. Configure BPDU guard on all non-trunking ports. Proactive threat and intrusion detection capabilities detect wireless attacks and prevent them. Comprehensive protection safeguards confidential data and communications. A single user identity and policy simplifies user management and protects against unauthorized access. Collaboration with wired security systems enables a superset of wireless security functionality and protection. Security policies, intrusion prevention, RF management, QoS, and mobility.

6.3.8.1

List layer 2 guidelines for managing security on switches:

6.4.1.2

Describe the benefits of an infrastructureintegrated approach to comprehensive wireless security:

6.4.2.1

List the system-wide wireless LAN functions provided by Cisco Wireless LAN Controllers (WLCs):

Page 4 of 8

CCNA Security Chapter 6 Securing the Local Area Network

6.4.2.3

Describe some of the tools that wireless hackers have at their disposal:

6.4.3.2

Describe some of the precautions network administrators can take to decrease the risk for wireless users:

6.4.4.1

Describe some of the business advantages VOIP can provide:

6.4.4.2

Describe the components of a packet voice network:

6.4.4.2

Describe the specialized protocols used by VoIP:

Kismet software displays wireless networks that do not broadcast their SSIDs. AirSnort software sniffs and cracks WEP keys. CoWPAtty cracks WPA-PSK (WPA1). ASLEAP gathers authentication data. Wireshark can scan wireless Ethernet data and 802.11 SSIDs. Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks. Wireless networks using WPA2/AES should have a pass phrase of at least 21 characters. If an IPsec VPN is available, use it on any public wireless LAN. If wireless access is not needed, disable the wireless radio or wireless NIC. Lower telecom call costs are significant. VoIP service providers charge up to 50 percent less for phone connectivity service. Productivity increases with VoIP phone service can be substantial. Move, add, and change costs are much lower. VoIP flexibility enables easily moving a phone between workstations. Ongoing service and maintenance costs can be lower. Many VoIP systems require little or no training for users. IP phones - Provide IP voice to the desktop. Gatekeeper - Provides Call Admission Control (CAC), bandwidth control and management, and address translation. Gateway - Provides translation between VoIP and non-VoIP networks, such as the PSTN Multipoint control unit (MCU) - Provides real-time connectivity for participants in multiple locations to attend the same videoconference or meeting. Call agent - Provides call control for IP phones, CAC, bandwidth control and management, and address translation. Application servers - Provide services such as voice mail and unified messaging, such as Cisco Unity. Videoconference station - Provides access for enduser participation in videoconferencing. ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex Emerging IETF standard for PSTN gateway control; thin device control Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved

Page 5 of 8

CCNA Security Chapter 6 Securing the Local Area Network

6.4.4.3

Describe the threats specific to VoIP networks.

6.4.4.4

Describe Spam over IP telephony (SPIT) and how it can be stopped:

6.4.4.5

Describe the types of fraud in VoIP systems and vulnerabilities with SIP and how they may be mitigated:

from MGCP standard IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323 IETF standard media-streaming protocol IETF protocol that provides out-of-band control information for an RTP flow IETF protocol that encrypts RTP traffic as it leaves the voice device Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones Reconnaissance Directed attacks such as spam over IP telephony (SPIT) and spoofing Eavesdropping and man-in-the-middle attacks DoS attacks such as DHCP starvation, flooding, and fuzzing If SPIT grows like spam, it could result in regular DoS problems for network administrators. Antispam methods do not block SPIT. Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices. Vishing - A voice version of phishing that is used to compromise confidentiality. Theft and toll fraud - The stealing of telephone services Partitions limit what parts of the dial plan certain phones can access. Dial plans filter control access to exploitive phone numbers. FACs prevent unauthorized calls and provide a mechanism for tracking. Registration hijacking Allows a hacker to intercept incoming calls and reroute them. Message tampering Allows a hacker to modify data packets traveling between SIP addresses. Session tear-down Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks. Creates a separate broadcast domain for voice traffic. Protects against eavesdropping and tampering. Renders packet-sniffing tools less effective. Makes it easier to implement VACLs that are specific to voice traffic. Ensure SIP, SCCP, H.323, and MGCP requests conform to standards. Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager. Rate limit SIP requests. Enforce the policy of calls (whitelist, blacklist,

6.4.5.1

Describe the benefits of assigning voice traffic to specific VLANs:

6.4.5.2

Describe how Cisco ASA Adaptive Security Appliances provide VoIP security:

Page 6 of 8

CCNA Security Chapter 6 Securing the Local Area Network

6.4.5.3 6.4.5.3

Describe Service Level Agreements (SLA): Describe recommended security practices for VoIP:

6.4.5.4

Describe how Cisco Unified Communications Manager helps to secure voice application servers: Describe the three primary business requirements that are met by SANs in enterprise infrastructures:

caller/called party, SIP Uniform Resource Identifier). Dynamically open ports for Cisco applications. Enable only "registered phones" to make calls. Enable inspection of encrypted phone calls. An SLA is a document that details the expected QoS parameters for packets that go through the provider network. Use IPsec for authentication Use IPsec to protect all traffic, not just voice Consider SLA with service provider Terminate on a VPN concentrator or large router inside of firewall to gain these benefits: -Performance -Reduced configuration complexity -Managed organizational boundaries Disable unnecessary services, disable default usernames, allow only signed images to be installed, have CSA installed, and support secure management protocols. Reduce capital and operating expenses. Increase agility to support changing business priorities, application requirements, and revenue growth. Improve long-distance replication, backup, and recovery to meet regulatory requirements and industry best practices.

6.4.6.1

6.4.6.2

Describe the three major SAN transport technologies:

6.4.6.2

Define a logical unit number (LUN):

6.4.6.3 6.4.6.4 6.4.6.4

Define World Wide Name (WWN) as it applies to Fibre Channel networks: Describe Fibre Channel zoning: Describe rules for zoning operation:

Fibre Channel - This technology is the primary SAN transport for host-to-SAN connectivity. iSCSI - Maps SCSI over TCP/IP. This is another host-to-SAN connectivity model that is typically used in the LAN FCIP - Popular SAN-to-SAN connectivity model that is often used over the WAN or MAN (metropolitan area network). a logical unit number (LUN) is a 64-bit address for an individual disk drive and, by extension, the disk device itself. The term is used in the SCSI protocol as a way to differentiate individual disk drives within a common SCSI target device such as a disk array. A World Wide Name (WWN) is a 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network. Fibre Channel zoning is the partitioning of a Fibre Channel fabric into smaller subsets. Zone members see only other members of the zone. Zones can be configured dynamically based on WWN. Devices can be members of more than one zone. Switched fabric zoning can take place at the port or device level, based on the physical switch port,

Page 7 of 8

CCNA Security Chapter 6 Securing the Local Area Network

6.4.6.5

Describe virtual storage area networks (VSANs): Describe the critical areas to consider when securing a SAN:

device WWN, or LUN ID. A virtual storage area network (VSAN) is a collection of ports from a set of connected Fibre Channel switches that form a virtual fabric.

6.4.7.1

SAN management - Secure the management services that are used to administer the SAN. Fabric access - Secure access to the fabric. The SAN fabric refers to the hardware that connects servers to storage devices. Target access - Secure access to storage devices (targets) and LUNs. SAN protocols - Secure the protocols that are used in switch-to-switch communication. IP storage access - Secure FCIP and iSCSI. Data integrity and secrecy - Encrypt data as it crosses networks as well as when stored on disks.

6.4.7.2

Describe security concerns to consider when managing a SAN:

Disruption of switch processing - A DoS attack can cause excessive load on the CPU, rendering the CPU unable to react to fabric events. Compromise of fabric - Changed configurations or lost configurations can result in changes to the configured services or ports. Compromise of data integrity and confidentiality Breaching the actual data compromises the integrity and confidentiality of stored information.

Page 8 of 8