Edge Router Security

Questions and Answers

Which security approach involves creating zones with varying levels of security, allowing for the placement of resources based on their need for protection?

• Defense in Depth Approach
• Single Router Approach
• Routing Hardening Approach
• DMZ Approach (correct)

Which of the following areas is NOT a primary focus of router security?

• End-user application monitoring (correct)
• Physical security
• Security configuration file maintenance
• Router operating system hardening

Which aspect is NOT considered a task for securing administrative access?

• Monitoring employee internet usage (correct)
• Restricting device accessibility
• Presenting legal notification
• Logging and accounting all access

What is a key recommendation for creating strong passwords?

Using at least 10 characters with mixed types (A)

Which password would be considered the strongest based on the guidelines?

b67n42d39c (C)

Which command is used to enter an unencrypted password when configuring a secret password algorithm?

enable algorithm-type (B)

What privilege level is reserved for enable mode privileges?

Level 15 (A)

Which mode does privilege level 1 grant access to?

User EXEC mode (C)

What is a major limitation of privilege levels on a router?

No access control to specific interfaces, ports, logical interfaces, and slots. (B)

What is the primary function of a syslog server?

To provide centralized system logging (C)

Which syslog severity level indicates that the system is unusable?

Level 0 (D)

In a syslog message format, what does the facility field denote?

The source or cause of the system message (D)

What is the primary purpose of the Simple Network Management Protocol (SNMP)?

To manage and monitor network devices (D)

In SNMP, what is the role of an 'agent'?

To monitor and report the status of a device (D)

Which of the following is a critical step in implementing SNMP?

Setting traps rules on the agents. (A)

Which SNMP version provides the most robust security features?

SNMPv3 (A)

What security feature is unique to SNMPv3?

Encryption of messages to ensure privacy. (A)

In the context of SNMP, what is the purpose of configuring an Access Control List (ACL)?

To permit the protected management network. (B)

Which command is used to configure an SNMP view that restricts access to certain parts of the device's MIB tree?

snmp-server view (D)

Imagine you need to configure a highly secure SNMPv3 setup, but the legacy system you're integrating with only supports SHA1 for authentication and DES for privacy. Which configuration, while suboptimal, would represent the BEST compromise given these strict limitations?

snmp-server user username group-name v3 auth sha1 auth-password priv des privpassword (C)

A single router approach to network security includes multiple firewalls and intrusion detection systems for comprehensive defense.

False (B)

Demilitarized Zone (DMZ) is synonymous with a high-security area where sensitive military operations are conducted.

False (B)

Physical security, router operating system, and routing hardening are the four key areas of router security.

False (B)

Restricting device accessibility is not considered a task of secure administrative access.

False (B)

A strong password should be based on easily identifiable information, such as your pet's name or birthday.

False (B)

It is recommended to write passwords down and keep them in a safe place.

False (B)

Using enable algorithm-type command, it's impossible to use an encrypted password.

False (B)

Privilege level 15 on a router is the default level for login with the router prompt.

False (B)

You can completely disable a command on a router using the reset command within the privilege level configuration.

False (B)

Privileged EXEC mode (privilege level 15) is more restricted compared to User EXEC mode (privilege level 1).

False (B)

Commands set at lower privilege levels cannot be executed at higher privilege levels.

False (B)

A syslog server's primary function is to actively control network traffic by filtering packets based on defined rules.

False (B)

In a syslog message, the 'facility' field indicates the severity of the message.

False (B)

The sequence number appears in a syslog message only if service timestamps global configuration command is configured.

False (B)

SNMP is an internet standard protocol mainly for modifying information to change device behavior.

False (B)

A network can have multiple SNMP Managers to oversee different segments of the network.

False (B)

Setting 'Traps rules' in SNMP determines when a message will be sent to the agent.

False (B)

SNMPv1 includes secure access to network devices by authenticating and encrypting packets.

False (B)

In SNMP, the 'set' action, used by the manager, can change the configuration of an agent and does not present any security vulnerabilities.

False (B)

In configuring SNMPv3, the ip access-list standard command is used to define SNMP views, specifying which parts of the MIB can be accessed by the SNMP group.

False (B)

Flashcards

Defense in Depth

A security strategy that uses multiple layers of security controls to protect resources.

DMZ (Demilitarized Zone)

An isolated network segment that acts as a buffer zone between the internal network and the Internet, often hosting publicly accessible servers.

Three Areas of Router Security

Physical, router OS/config, and routing hardening.

Secure Admin. Access Tasks

Restrict access, log access, authenticate, authorize, present legal notification; ensure confidentiality.

Strong Password Guidelines

Passwords that are 10+ characters with mixed case, numbers, symbols, not easily identifiable, and changed often.

Enable algorithm-type Command

Router(config)# enable algorithm-type {md5 | scrypt | sha256 } secret unencrpyted-password

Username Algorithm-type Command

Router(config)# username name algorithm-type (md5 | scrypt | sha256} secret unencrpyted-password

Router Privilege Levels

Level 0, Level 1, Level 2-14, and Level 15.

Privilege Level Limitations

Commands available at lower levels executable at higher, higher levels commands not available at lower.

Syslog Server

A system that provides one location to collect errors and system logs in one location.

Syslog severity

The severity to which the message refers.

SNMP

An Internet Standard protocol for collecting and organizing information about devices on IP networks.

SNMP Commands

Traps (agent to manager) and Get/Set (manager to agent).

SNMP Version 3 (v3)

SNMPv3 (More secured, authenticating and encrypting packets over the network).

Advantages of SNMPv3

Message integrity & Authentication, Encryption and Access Control.

Single Router Approach

Security approach using a single router to provide basic network protection.

Demilitarized Zone

Network segment isolated by firewalls for hosting external-facing services.

Privilege Levels

Level 0 is predefined, Level 1 is default for login, 2-14 customize user privileges, Level 15 enable mode.

Privilege Reset Command

Command is the argument used to reset the privilege level.

User EXEC Mode

Lowest level with limited commands.

Privileged EXEC Mode

Highest level with all commands available.

Configuring SNMPv3

Configure SNMP with acl, view, and group.

Setup Management Console

Sets up a management console on the management server.

SNMP Traps

SNMP command sent from agent to manager

Study Notes

Configuring and Assigning Privilege Levels

• This section goes on to show an example of how this is performed

Configuring SNMPv3 Security

• The content references this section, but does not give anymore information. The content is included for completeness