CCNA Security Chapter 2 Quiz

Questions and Answers

What are the three main areas of router security?

  • Network Security, User Authentication, Data Confidentiality
  • Network Security, Data Confidentiality, User Authentication
  • Physical Security, Network Security, User Authentication
  • Physical Security, User Authentication, Data Confidentiality (correct)

Which of these are NOT types of router security approaches?

  • DMZ Approach
  • Single Router Approach
  • Intrusion Detection System (IDS) Approach (correct)
  • Defense in Depth Approach

Which one of these is NOT a secure administrative access task?

  • Ensure the confidentiality of data (correct)
  • Authenticate access
  • Restrict device accessibility
  • Log and account for all access

What types of remote access to a router are mentioned in the text?

  • Telnet/SSH connection and modem/aux port (A)

What is a recommendation for creating a strong password?

  • Use a password length of 10 or more characters, including uppercase and lowercase letters, numbers, symbols, and spaces. (D)

What is the name of the command used to configure privilege levels?

  • privilege level (D)

What is the default privilege level for login with the router prompt?

  • 1 (B)

Which privilege level is reserved for the enable mode privileges?

  • 15 (A)

What is the name of the mode accessed at the router# prompt?

  • Privileged EXEC mode (C)

What is the purpose of configuring privilege levels?

  • To control the availability of commands based on user privileges. (B)

What are the two ways to connect to an SSH-enabled router? (Select all that apply)

  • Using an SSH server like a Cisco router (A)
  • Using an SSH client like PuTTY (D)

Which of these is NOT a common SSH client?

  • Hyper-V (D)

Which of these options are NOT limitations of privilege levels?

  • No access control to device hardware, such as chassis, fans and power supplies. (D)

What is the primary purpose of role-based CLI access?

  • To simplify network management by grouping similar tasks under specific roles. (B)

Which of the following is NOT a typical task associated with the "Security operator" role in a role-based CLI configuration?

  • Configure routing protocols. (B)

The Cisco IOS Resilient Configuration feature is primarily designed to:

  • Ensure that the router can recover from a major hardware failure. (B)

What is the main function of the syslog feature?

  • To log system events and security alerts. (D)

What is the primary advantage of using SNMPv3 over previous versions of SNMP?

  • SNMPv3 provides enhanced security features. (C)

Which of the following is a method of managing a Cisco device remotely, not using in-band management?

  • Console port (C)

What is one characteristic of a weak password?

  • Based on easily identifiable information (C)

Which option best describes a strong password?

  • 12^h u4@1p7 (A)

Which command syntax is used to configure an unencrypted password?

  • enable algorithm-type (D)

What is one of the virtual login security enhancements mentioned?

  • Implement delays between successive login attempts (C)

How can system logging assist in login management?

  • It generates syslog messages for login detection (B)

Deliberately misspelling a password can enhance its strength.

  • True (A)

Passwords should be written down and stored in obvious places.

  • False (B)

A password consisting only of simple dictionary words is considered weak.

  • True (A)

Generating system-logging messages is not beneficial for login detection.

  • False (B)

It is advisable to change passwords often for better security.

  • True (A)

A strong password should be at least 10 characters long.

  • True (A)

The single router approach is the only method for securing an edge router.

  • False (B)

SSH is used for secure remote management of devices.

  • True (A)

The task of presenting legal notification is part of securing device access.

  • True (A)

Using a mix of symbols and spaces is not recommended for strong passwords.

  • False (B)

Level 0 is predefined for administrative access privileges.

  • False (B)

Privilege level 15 is reserved for enable mode privileges.

  • True (A)

A Cisco router can only function as an SSH client.

  • False (B)

Level 1 offers the highest command availability at the router prompt.

  • False (B)

SSH clients like PuTTY and OpenSSH can be used to connect to SSH-enabled routers.

  • True (A)

Privilege levels range from 0 to 15.

  • True (A)

User EXEC mode corresponds to privilege level 0.

  • False (B)

Command availability can be customized between levels 2 and 14.

  • True (A)

Commands available at lower privilege levels are always executable at higher privilege levels.

  • True (A)

The role of a WAN engineer includes configuring firewall settings.

  • False (B)

Assigning a command with multiple keywords restricts access to specific commands that utilize those keywords.

  • False (B)

The Cisco IOS resilient configuration feature is designed to secure the Cisco IOS image and configuration files.

  • True (A)

In-band management refers to management access that occurs through a separate channel, like a dedicated console port.

  • False (B)

Secure SNMPv3 access can be configured using Access Control Lists (ACL).

  • True (A)

Configuring NetFlow is part of the responsibilities of a security operator.

  • True (A)

Flashcards

Weak Password

A weak password like 'secret' uses easily identifiable information and is easy to guess.

Strong Password

A strong password like '12^h u4@1p7' includes alphanumeric characters, symbols, and spaces, making it hard to guess.

Password Change Frequency

Change passwords often to enhance security and reduce risks of compromise.

Secret Password Algorithms

Use type 8 or type 9 passwords for secure configurations and specify encryption with commands.

Login Security Enhancements

Implement login delays and shutdowns on suspicious activity to improve security.

Edge Router Security Approaches

Methods to secure routers at the network edge, including single router, defense in depth, and DMZ.

Secure Administrative Access

Methods to restrict, log, authenticate, and authorize access to network devices.

Secure Local and Remote Access

Techniques ensuring secure access to network devices directly and remotely using protocols like SSH.

Strong Password Guidelines

Recommendations for creating passwords that are at least 10 characters long and use varied characters.

SSH Daemon Configuration

Setting up SSH for secure remote management of network devices to prevent unauthorized access.

SSH Connection Types

Connect via a Cisco router as server or client, or use SSH client software.

SSH Clients

Software like PuTTY, OpenSSH, or TeraTerm used to connect via SSH.

Privilege Level 0

Predefined for user-level access privileges; lowest access.

Privilege Level 1

Default level for login, allowing only user-level commands at router prompt.

Privilege Levels 2-14

Customizable levels for user privileges between Level 1 and Level 15.

Privilege Level 15

Reserved for enable mode privileges, access to all commands.

Role-Based CLI Access

Configuring command availability based on user roles.

User EXEC Mode

Lowest EXEC mode user privileges, usually at privilege level 1.

Limitations of Privilege Levels

Certain commands accessible only at higher privilege levels and not at lower ones.

Security Operator Privileges

Permissions allowing configuration of security-related functions like AAA and firewall.

WAN Engineer Privileges

Access to configure routing and interfaces specific to WAN management.

Cisco IOS Resilient Configuration

Feature that secures the Cisco IOS image and configuration files against unauthorized changes.

Syslog

Logging system events for network devices to assist in monitoring and security.

Secure SNMPv3 Access

Configuration of SNMP version 3 with access control lists for enhanced security.

Password Complexity

A strong password combines various characters, making it hard to guess.

Password Change Best Practices

Change passwords regularly and avoid storing them in obvious places.

Secret Password Types

Use type 8 or type 9 configurations for secure password settings.

Login Delay Implementation

Add delays between login attempts to prevent brute-force attacks.

Login Failure Logging

Generate login syslog messages to track failed login attempts.

Defense in Depth Approach

A security strategy that layers multiple defenses to protect networks.

Three Areas of Router Security

Includes securing physical, logical, and administrative aspects of routers.

Remote Access Using SSH

Secure method for accessing devices remotely over the internet.

Legal Notification

Informing users about the monitoring and legal aspects of device usage.

SSH Server

A router configured to accept SSH client connections.

Level 0 Privileges

Predefined for user access; lowest privilege level.

Level 1 Privileges

Default login level allowing user-level commands only.

Level 15 Privileges

Highest privilege level with access to all commands.

Configuring Privilege Levels

Assigning specific privilege levels to control access.

Study Notes

Chapter 2: Securing Network Devices

  • This chapter focuses on securing network devices, specifically Cisco routers.
  • The CCNA Security v2.0 curriculum is being used.
  • Dr. Nadhir Ben Halima is the instructor.
  • The course follows a structured chapter outline, covering topics from introduction to summary.

Chapter Outline

  • The chapter is organized into subsections, including:
    • Introduction
    • Securing Device Access
    • Assigning Administrative Roles
    • Monitoring and Managing Devices
    • Using Automated Security Features
    • Securing the Control Plane
    • Summary

Section 2.1: Securing Device Access

  • Upon completion of this section, students should be able to explain securing a network perimeter, configure secure administrative access to Cisco routers, configure enhanced security for virtual logins, and configure an SSH daemon for secure remote management.

Topic 2.1.1: Securing the Edge Router

  • This section focuses on edge router security.
  • Approaches outlined include:
    • Single Router Approach
    • Defense in Depth Approach
    • DMZ Approach
  • IP addresses are given for LAN 1 (e.g., 192.168.2.0)

Three Areas of Router Security

  • Physical Security
  • Router Operating System and Configuration File Security
  • Router Hardening

Secure Administrative Access

  • Tasks for securing administrative access include:
    • Restricting device accessibility
    • Logging and accounting for all access
    • Authenticating access
    • Authorizing actions
    • Presenting legal notification
    • Ensuring data confidentiality

Secure Local and Remote Access

  • Diagrams illustrate local access methods (vty, console, aux ports) and remote access using Telnet/SSH and a modem/aux port.

Topic 2.1.2: Configuring Secure Administrative Access

  • This section details techniques for configuring secure administrative access, including strong password guidelines.

Strong Passwords

  • Strong passwords are crucial and include:
    • Length of 10 or more characters
    • Mix of uppercase and lowercase letters, numbers, symbols, and spaces
    • Avoiding passwords based on easily identifiable information
    • Deliberately misspelling words as passwords
    • Changing passwords frequently
    • Avoiding writing down passwords in obvious places
  • Examples of weak and strong passwords are provided.

Increasing Access Security

  • Demonstrates configuring password encryption and setting timeouts for console and vty lines. Specific configuration commands are given (e.g., security passwords min-length 10, service password-encryption).

Secret Password Algorithms

  • Describes configuring different password types (type 8 and type 9). Syntax for enabling unencrypted passwords is provided (e.g., enable algorithm-type {md5|scrypt|sha256}).

Securing Line Access

  • Provides commands for securing console, aux, and vty lines (e.g., disabling passwords, enabling SSH). Specific commands are shown (e.g., username Bob algorithm-type scrypt secret cisco54321).

Topic 2.1.3: Configuring Enhanced Security for Virtual Logins

  • This section discusses enhancements to virtual login security.

Enhancing the Login Process

  • Enhancements for virtual login security include:
    • Implementing delays between successive login attempts
    • Enabling login shutdown if DoS attacks are suspected
    • Generating system-logging messages for login detection

Enable Login Enhancements

  • Includes commands for login delay, preventing excessive login attempts, and setting time limits for login attempts. Example commands are given (e.g., login block-for 120 attempts 5 within 60, login delay 3).

Logging Failed Attempts

  • Shows examples of generating login syslog messages. Example commands are provided (login on-success log [every login], security authentication failure rate threshold-rate log).

Topic 2.1.4: Configuring SSH

  • Describes steps for configuring SSH access. This includes key generation and using the show crypto key command to verify key details.

Steps for Configuring SSH

  • Details the process of creating and using SSH configuration.
  • Includes the 'show crypto key' command and checking if SSH 1.99 is enabled.

Connecting to an SSH-Enabled Router

  • Describes how to connect, either as a server or a client using SSH. Supported client tools are mentioned (e.g., PuTTY, OpenSSH, TeraTerm).

Section 2.2: Assigning Administrative Roles

  • Upon completing this section, students should be able to configure administrative privilege levels and role-based CLI access to control command availability.
