Network Security Commands and Technologies

Questions and Answers

What distinguishes the Cisco ASA IOS CLI from the router IOS CLI?

  • ASA requires the `help` command, while routers use `?` for command assistance.
  • ASA uses the `%` symbol to indicate the CLI EXEC mode, while a router uses the `#` symbol.
  • ASA uses the `Ctrl+Tab` key combination for command completion, whereas a router uses the `Tab` key.
  • ASA commands can be executed in any configuration mode, unlike routers that need the `do` command. (correct)

Refer to the exhibit. A network administrator is configuring AAA on an ASA device. What does the option link3 indicate?

  • The specific AAA server name.
  • The network name where the AAA server resides.
  • The interface name.
  • The sequence of servers in the AAA server group. (correct)

In a Secure Data Center solution, what element provides both secure segmentation and threat defense?

  • Adaptive Security Appliance (correct)
  • Intrusion prevention system
  • AAA server
  • Cisco Security Manager software

Which condition must be met to allow traffic sourced from the outside network of an ASA firewall to reach an internal network?

  • A configured ACL. (C)
A network administrator enters the command login block-for 150 attempts 4 within 90 on a router. What is the result of this command?

  • All login attempts will be blocked for 150 seconds if there are 4 failed attempts within 90 seconds. (C)
What threat protection capability is specifically provided by Cisco ESA?

  • Spam protection (A)
After the authentication port-control auto command has been issued, which types of traffic are permitted before client authentication?

  • CDP, STP, EAPOL (D)
What action do IPsec peers perform during the IKE Phase 2 exchange?

  • Negotiation of IPsec policy. (D)
Which command raises the privilege level of the ping command to 7?

  • privilege exec level 7 ping (B)
What is a characteristic of a role-based CLI view of router configuration?

  • A single CLI view can be shared within multiple superviews. (A)
What is a limitation to using OOB management on a large enterprise network?

  • All devices appear to be attached to a single management network. (D)
Which type of packet is not filtered by an outbound ACL?

  • Router-generated packet (A)
Which command activates an IPv6 ACL named ENG_ACL on an interface to filter traffic before accessing the routing table?

  • ipv6 traffic-filter ENG_ACL in (A)
What technology uses trusted third-party protocols to issue credentials accepted as an authoritative identity?

  • PKI certificates (D)
What is the best way to prevent a VLAN hopping attack?

  • Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports. (B)
An IDS allows malicious traffic to pass before it is addressed while an IPS does what?

  • Stops malicious traffic immediately. (B)
What are two features included by both TACACS+ and RADIUS protocols?

  • Utilization of transport layer protocols (B)
  • Password encryption (C)
Which zone-based policy firewall zone applies to traffic destined for or originating from the router?

  • Self zone (E)
How does a firewall typically manage traffic from the private network to the DMZ?

  • Usually permitted with minimal restriction. (A)
Which type of firewall is supported by most routers and is the easiest to implement?

  • Stateless firewall (B)
Flashcards

Extended Access Lists

Used to specify source and destination addresses, protocol, ports, or ICMP type in ASA ACLs.

ASA Help Command

ASA uses this command for help with command descriptions and syntax.

AAA Server Option: link3

The sequence of servers in the AAA server group.

Secure Data Center Solution

Adaptive Security Appliance provides both secure segmentation and threat defense.

Cisco Secure Data Center core components

Secure segmentation, visibility, and threat defense.

ASA transparent mode characteristics

VPNs, QoS, or DHCP Relay are not supported, a “bump in the wire,” and the ASA is invisible to an attacker.

ASA Traffic Flow

An ACL is needed to allow traffic from a lower security level interface to a higher one.

login block-for command

All login attempts blocked for 150 seconds after 4 failed attempts within 90 seconds.

Router Hardening Tasks

Disabling unused ports/interfaces and securing administrative access.

Cisco ESA threat protection

Cisco ESA provides spam protection.

Endpoints in the borderless network

Antimalware Software and DLP prevent sensitive information from being lost or stolen.

802.1X Traffic

CDP and STP traffic allowed before authentication with the command authentication port-control auto.

IKE Phase 2

The purpose of IKE Phase 2 is to negotiate a security association between two IKE peers.

IPsec AH Hashing

SHA and MD5 are used with IPsec AH to guarantee authenticity.

Privilege Level Command

The command ‘privilege exec level 7 ping’ raises the privilege level of the ping command to 7.

CLI View Router config

Only a root view user can configure a new view and add or remove commands from the existing views.

OOB Management

OOB management provides a dedicated management network without production traffic.

NTP Stratum Level

Router03 time is synchronized to a stratum 2 time server.

Syslog message level 5

A level 5 notification message indicating that service timestamps have been configured.

Grey Hat Hackers

Vulnerability brokers and hacktivists.

Study Notes

  • These study notes cover various aspects of network security, commands, and technologies.

ASA ACLs

  • Extended ACLs specify source and destination addresses, protocols, ports, and ICMP types.
  • Webtype ACLs support filtering for clientless SSL VPN.
  • Standard ACLs identify destination IP addresses only.
  • EtherType ACLs are used only in transparent mode.

Cisco ASA IOS CLI vs. Router IOS CLI

  • ASA can execute commands regardless of the current configuration mode prompt while routers require the 'do' command.
  • ASA provides a 'help' command for command descriptions and syntax.
  • Both ASA and router CLIs use '#' for EXEC mode.
  • Both use the Tab key to complete partially typed commands.

AAA Implementation on ASA

  • The "link3" option indicates the sequence of servers in the AAA server group.

Secure Data Center Solution

  • Adaptive Security Appliance (ASA) provides secure segmentation and threat defense.
  • Core components include secure segmentation, visibility, and threat defense.

ASA Transparent Mode

  • Transparent mode doesn't support VPNs, QoS, or DHCP Relay.
  • It's referred to as a "bump in the wire."
  • The ASA is invisible to an attacker in this mode.

Allowing Traffic Through ASA Firewall

  • An ACL is needed to allow traffic from a lower security level interface to a higher one.

Router Login Blocking

  • login block-for 150 attempts 4 within 90 blocks login attempts for 150 seconds after 4 failed attempts within 90 seconds.

Router Hardening Tasks

  • Disabling unused ports and interfaces enhances security.
  • Securing administrative access improves router security.

Cisco ESA Threat Protection

  • Cisco ESA provides spam protection for email security.

Endpoint Security Measures in Borderless Network

  • Denylisting (blocklisting) prevents connections to websites with bad reputations.
  • Data Loss Prevention (DLP) prevents sensitive information loss or theft.

Traffic Allowed Before 802.1X Authentication

  • CDP, STP, and EAPOL traffic are allowed before authentication.

IKE Protocol

  • IKE uses UDP port 500 for exchanging information between security gateways.
  • IKE Phase 2 negotiates a security association between peers.

IKE Phase 2 Exchange

  • Negotiation of IPsec policy takes place during the IKE Phase 2 exchange.

IPsec AH Hashing Algorithms

  • SHA and MD5 are hashing algorithms used with IPsec AH for authenticity.

Raising Privilege Level of Ping Command

  • privilege exec level 7 ping raises the privilege level of the ping command to 7.

Role-Based CLI View Limitation

  • Only a root view user can configure a new view and add or remove commands from existing views.

OOB Management

  • OOB management provides a dedicated network without production traffic.

NTP Configuration Output

  • The output shows Router03 as a stratum 2 device synchronized with the NTP server.

Syslog Message Analysis

  • The message indicates a level 5 notification and that service timestamps are configured.

Grey Hat Hackers

  • Vulnerability brokers and hacktivists are typically classified as grey hat hackers.

Virus vs. Worm

  • A virus replicates by attaching to another file, while a worm replicates independently.

Unfilterable Packet Type by Outbound ACL

  • Router-generated packets cannot be filtered by an outbound ACL.

Access List Command Effect

  • access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply denies echo-replies sourced from the 192.168.10.0/24 network.

Activating IPv6 ACL

  • ipv6 traffic-filter ENG_ACL in activates the IPv6 ACL named ENG_ACL on an interface and filters traffic prior to accessing the routing table.

Trusted Third-Party Protocols

  • PKI certificates use trusted third-party protocols to issue credentials.

Certificate Revocation Methods

  • CRL and OCSP are methods to maintain certificate revocation status.

PKI Digital Certificate Format Standard

  • X.509 defines the PKI digital certificate format.

Dynamic ARP Inspection Trusted Interface

  • ip arp inspection trust should be used on the uplink interface that connects to a router.

Preventing VLAN Hopping Attack

  • Disable trunk negotiation and set nontrunk ports as access ports.

MAC Address Overflow Attack

  • Launched so that the attacker can see frames that are destined for other hosts.

IDS vs. IPS

  • An IDS allows malicious traffic to pass before it is addressed, whereas an IPS stops it immediately.

Zero-Day Attack

  • An attempt to exploit software vulnerabilities that are unknown or undisclosed by the vendor.

Network Monitoring Technology

  • IDS passively monitors network traffic.
  • RSPAN uses VLANs to monitor traffic on remote switches.
  • TAP is a passive traffic splitting device implemented inline.
  • IPS can perform a packet drop to stop trigger packets.

Snort IPS Signature Levels on 4000 Series ISR

  • Balanced, security, and connectivity.

IPS Signature Attributes

  • Action, type, and trigger.

IPS Signature Trigger Categories

  • Pattern-based detection searches for predefined patterns.
  • Anomaly-based detection profiles normal activity.
  • Honey pot-based detection uses a decoy server.

TACACS+ and RADIUS Similarities

  • Password encryption and utilization of transport layer protocols.

RADIUS Protocol Function

  • RADIUS provides authentication using UDP ports 1645 or 1812 and accounting using UDP ports 1646 or 1813.

RADIUS Characteristics

  • Uses UDP ports for authentication and accounting.
  • Supports 802.1X and SIP.
  • Is an open RFC standard AAA protocol.

Zone-Based Policy Firewall Zone

  • Self zone is system-defined and applies to traffic destined for or originating from the router.

Benefits of ZPF Over Classic Firewall

  • ZPF allows interfaces to be placed into zones for IP inspection.
  • ZPF policies are easy to read and troubleshoot.

Configuring ZPF Steps

  1. Create zones.
  2. Define traffic classes.
  3. Create policies.
  4. Apply policies.
  5. Assign zones to interfaces.

Traffic from Private Network to DMZ (Firewall)

  • The traffic is usually permitted with little or no restrictions.

Protocols for Stateful Filtering

  • TCP and UDP generate connection information within a state table and are supported for stateful filtering.

Firewall Type Supported by Most Routers

  • Stateless firewall is the easiest to implement.

Network Testing Tool for System Configuration Validation

  • Tripwire is used to assess and validate system configurations against security policies.

Network Security Test to Detect Changes

  • Integrity checking detects and reports changes made to systems.

Network Security Testing Tool

  • SIEM provides details on the source of suspicious network activity.

Defending Against Brute-Force Attacks

  • Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack.

Caesar Cipher Operation

  • Letters are replaced by another letter a set number of places away in the alphabet.

Security of Modern Encryption

  • The secrecy of the keys ensures the security of encryption of modern algorithms.

Next Step After IKE Phase 1

  • Negotiation of the IPsec SA policy is the next step in the establishment of an IPsec VPN tunnel.

Algorithm for Confidentiality

  • AES provides confidentiality.

Purpose of Crypto IPsec Transform-Set

  • Establishes the set of encryption and hashing algorithms used to secure data.

Algorithm for Data Integrity

  • MD5 can ensure data integrity.

Algorithms for File Security

  • 3DES and AES can be used to achieve data confidentiality.

VPN Cryptographic Key Type

  • Symmetric key should be used in this scenario.

Limiting Information Discovered from Port Scanning

  • Intrusion prevention system
  • Firewall

First Action When User Accesses Detrimental Website

  • Create a firewall rule blocking the respective website.

CLI Steps to Configure Router with Specific View

  • Create a view using the parser view command.
  • Assign a secret password to the view.
  • Assign commands to the view.

No Output After Showing ACL

  • The ACL has not been applied to an interface.

Additional Uses of ACLs

  • Identifying traffic for QoS.
  • Specifying internal hosts for NAT.

SNMPv3 Features for Addressing Weaknesses

  • Authentication.
  • Encryption.

Network Testing Tool for Password Auditing

  • L0phtcrack is used for password auditing and recovery.

Firewall Type Using Server to Connect Clients

  • Proxy firewall connects to destination devices on behalf of clients.

Output of Show Running-Config Object Command

  • host 192.168.1.4 and range 192.168.1.10 192.168.1.20

DHCP Options on ASA

  • The dhcpd enable inside command was issued to enable the DHCP server.
  • The dhcpd address [ start-of-pool ]-[ end-of-pool ] inside command was issued to enable the DHCP server.

Characteristics of Symmetric Algorithms

  • They are commonly used with VPN traffic.
  • They are referred to as a pre-shared key or secret key.

Information Security Requirement

  • Confidentiality is addressed through the configuration.

3DES in IPsec Framework Example

  • Confidentiality.

Snort Function in Security Onion

  • To generate network intrusion alerts by the use of rules and signatures.

Drawbacks to Using HIPS

  • HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.
  • With HIPS, the network administrator must verify support for all the different operating systems used in the network.

AAA Function in Configuring Terminal Command

  • Authorization.

Folder Public Read-Only Rights

  • Authorization.

DMZ Zone Characteristic

  • Traffic originating from the outside network going to the DMZ network is selectively permitted.

Monitoring SSL Encrypted Network Traffic

  • Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system (IPS) appliances to identify risks normally hidden by SSL.

Port Security Configuration on Switch

  • Frames from the PC1 MAC address will cause the interface to shut down immediately, and a log entry will be made.

Security Countermeasure for CAM Table Overflow Attacks

  • Port security.

Examples of DoS Attacks

  • Buffer overflow.
  • Ping of death.

Method to Identify Interesting Traffic

  • A permit access list entry

Steps to Enable Crypto Map Policy

  • Valid access list.
  • The peer.

Firewall Handling Traffic from Public Network to DMZ

  • Traffic that is originating from the public network is inspected and selectively permitted when traveling to the DMZ network.

Component Not Examined by Stateful Firewall

  • The actual contents of the HTTP connection.

Network Monitoring Technology Using VLANs to Monitor Traffic

  • RSPAN enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches.

Snort IPS Action

  • Drop - block and log the packet.

Security Trap Creation Typically Used

  • IDs, biometrics, and two access doors

Data Loss Mitigation Technique

  • Shredding.

Career In Cryptanalysis

  • cracking code without access to the shared secret key

Command for Action Type in Authenticator

  • dot1x pae authenticator

Disadvantages in Using an IDS

  • The IDS does not stop malicious traffic.
  • The IDS requires other devices to respond to attacks.

Mitigating Attack Using IP Verify Source

  • MAC and IP address spoofing

Port Forwarding Traffic from Isolated Port

  • Only promiscuous ports

Authentication Access Method

  • Use the login delay command for authentication attempts

Drawbacks of Assigning User Privilege Levels

  • Commands from a lower level are always executable at a higher level.

Conclusion of Show Crypto Map Command

  • The crypto map has not yet been applied to an interface.

OSPF Routing Protocol Authentication Reasons

  • To prevent redirection of data traffic to an insecure link
  • To prevent data traffic from being redirected and then discarded

Functions Provided by Syslog logging

  • Gathering logging information.
  • Specifying where captured information is stored.
  • Distinguishing between information to be captured and information to be ignored.

ICMPv6 Message Types Through IPv6

  • neighbor solicitations
  • neighbor advertisements

Three Services Provided Through Digital Signatures

  • Authenticity
  • Nonrepudiation
  • Integrity

Protocol for Securely Accessing Network

  • SSH

BYOD Security Policy Objectives

  • Safeguards must be put in place for any personal device being compromised.
  • Rights and activities permitted on the corporate network must be defined.
  • The level of access of employees when connecting to the corporate network must be defined.

Function of Pass on Zone Based Policy Firewall

  • forwarding traffic from one zone to another

Allowed Traffic

  • Traffic from the LAN and DMZ can access the Internet.

Network Testing Tool to Identify Network Layer Protocols

  • Nmap

ASA ACLs Differ From Cisco IOS ACLs

  • Cisco IOS ACLs are configured with a wildcard mask and Cisco ASA ACLs are configured with a subnet mask.

Characteristic of Site-to-Site VPN

  • It must be statically set up.

Security Best Practices to BYOD

  • Keep the device OS and software updated
  • Turn off Wi-Fi and Bluetooth connectivity when not in use, and only connect to trusted networks.

Effect of Single-Connection

  • The authentication performance is enhanced by keeping the connection to the TACACS+ server open.

How To Fix ACL Issue

  • Remove the inbound association of the ACL on the interface and reapply it outbound.

Correct Algorithm Used for the Data

  • Algorithm is RSA.

Cyber Analysts Attributes

  • IP addresses of attack servers
  • features of malware files
  • changes made to end system software

Subscriber with Talos

  • Both the subscriber rule set and the community rule set offer threat protection against security threats

Snort OVA File

  • Configure Virtual Port Group interfaces

Initiate Connections To Requirements

  • Established

Additional

  • Levels 5, 6, 7
