Network Security Fundamentals

Questions and Answers

Which of the following is a common vector for data loss?

  • Restricted user permissions
  • On-site paper shredding
  • Email (correct)
  • Encrypted external hard drive

What is the primary purpose of a worm in the context of network security?

  • To act as a non-self-replicating malware that imitates a legitimate application.
  • To encrypt sensitive data to prevent unauthorized access.
  • To automatically replicate itself and spread across the network. (correct)
  • To execute a specific, unwanted, and often harmful function on a computer, requiring user interaction to spread.

Which of the following is NOT considered a 'modern hacking title'?

  • Cyber Criminal
  • Vulnerability Broker
  • Script Kiddie
  • End User (correct)

Which security measure primarily focuses on ensuring data remains unaltered during operation?

Integrity (B)

What is the first step a hacker typically performs in a DDoS attack?

Building a botnet of infected machines (A)

In network security, what is the term for a weakness that could be exploited to cause harm?

Vulnerability (C)

Which of the following security measures is part of the OUTSIDE perimeter security for data centers?

On-premise security officers (C)

Which type of malware is designed to appear as a legitimate application or file?

Trojan horse (D)

Which of the following BEST describes the purpose of 'Control Plane Policing (CoPP)'?

Filtering all unnecessary traffic from entering the control plane of a network device. (B)

Which of the following roles is primarily responsible for overseeing security operations and managing incident response?

Security Operations (SecOps) Manager (B)

What technique is employed to render packet sniffer attacks useless?

Encryption (B)

Within the context of network security, deploying an Intrusion Prevention System (IPS) or firewall primarily aids in:

Mitigating reconnaissance attacks. (B)

How does 'tailgating' relate to social engineering attacks?

It refers to attackers impersonating legitimate employees to gain unauthorized physical access to restricted areas. (C)

You are a network administrator tasked with securing the data plane on your organization's routers. Given the options, which of the following configurations would be MOST effective in achieving this?

Implementing strict ingress and egress ACLs, enabling DHCP snooping, and configuring dynamic ARP inspection (DAI). (B)

A network security engineer discovers a series of unusual DNS queries originating from an internal host, followed by encrypted communication to a known command-and-control server. The engineer isolates the host and begins analysis. Which type of malware is MOST likely present, based solely on these observations?

Botnet Agent (D)

A threat is defined as a weakness in a system that can be exploited.

False (B)

A worm requires user interaction to replicate itself.

False (B)

A key component of data center perimeter security is the use of biometric access and exit sensors.

True (A)

Compromised-key attacks involve attackers gaining unauthorized access to the network through the use of stolen or cracked cryptographic keys.

True (A)

Defending the network involves shutting down all unnecessary services and ports.

True (A)

The primary goal of a Trojan horse is to replicate itself and spread to other systems.

False (B)

Security Operations Managers are typically responsible for setting the strategic direction of an organization's security posture.

False (B)

The Network Foundation Protection (NFP) framework includes the Control Plane, Data Plane and Presentation Plane.

False (B)

Fuzzers, unlike other penetration testing tools, are specifically designed for exploiting known vulnerabilities rather than discovering new ones.

False (B)

The Diffie-Hellman-Merkle key exchange is a quantum-resistant cryptographic protocol used in modern networks.

False (B)

Defense in depth involves using a single router approach to secure a network.

False (B)

Restricting physical access to network devices is not considered a part of router security.

False (B)

A strong password should consist of at least 10 characters and include numerals but not special characters or spaces.

False (B)

The command service password-encryption encrypts all passwords in the running configuration.

True (A)

Secret passwords configured using type 8 or type 9 encryption are less secure than those using type 7 encryption.

False (B)

Setting login delay 0 on a router disables login delay.

True (A)

The Cisco IOS resilient configuration feature uses FTP servers for securing files to avoid scalability maintenance challenges.

False (B)

Syslog messages with a severity level of 0 indicate debugging information.

False (B)

SNMPv1 offers robust security features, including encryption and strong authentication, making it suitable for sensitive network environments.

False (B)

AAA is a key component of the CEF (Cisco Express Forwarding) plane.

False (B)

Which of the following is considered a 'defense in depth' approach to edge router security?

Implementing a firewall and multiple routers to protect the internal network. (B)

What is the primary goal of securing the router operating system and configuration files?

To prevent unauthorized modification or access to the router's settings. (D)

Which of the following administrative tasks helps ensure accountability?

Logging and accounting for all access attempts. (B)

When configuring local authentication, which command is used to enforce local username database authentication on a console line?

login local (B)

Which of the following is a strong password guideline?

Using a mix of uppercase and lowercase letters, numbers, symbols, and spaces. (C)

What is the danger of using the service password-encryption command without also using strong passwords?

It prevents the passwords from being seen in plain text but is easily reversible. (D)

When configuring a secret password, which algorithm type provides the strongest encryption?

SHA256 (C)

After setting up SSH on a router, which command is used to ensure that only SSH connections are accepted on the VTY lines?

line vty 0 4 transport input ssh (B)

Which of the following is a virtual login security enhancement that can help mitigate brute-force attacks?

Implementing delays between successive login attempts. (C)

What is the initial step required to enable SSH on a Cisco router?

Configuring a hostname and domain name. (C)

Privilege levels from 2 to 14 on a Cisco router are primarily used for what purpose?

Customizing user-level privileges. (D)

What is a key limitation of using privilege levels to restrict command availability?

Commands available at lower levels are executable at higher levels. (B)

What is the purpose of role-based CLI access (views) on Cisco devices?

To provide customized command sets for different administrative roles. (C)

A security administrator configures login on-failure log on a router. What is the effect of this command?

It logs syslog messages for each failed login attempt. (B)

Which of the following steps is crucial in securing OSPF routing protocol authentication using a SHA key chain, and if omitted, will cause authentication to fail?

Assigning the authentication keychain to the desired interfaces. (C)

Flashcards

What is a Virus?

Malicious software that executes an unwanted, often harmful, function on a computer.

What is a Worm?

Malware that executes arbitrary code and installs copies of itself in computer memory, automatically replicating and spreading across networks.

Network security terms

Threat is a potential danger, Vulnerability is a weakness, Mitigation reduces risk, and Risk is the potential for loss.

What is a Trojan horse?

A non-self-replicating type of malware that disguises itself as a legitimate application or file but contains malicious code.

What is Reconnaissance?

Attackers perform reconnaissance to gather information about a target network before launching an attack.

What are Campus Area Networks?

Networks that support devices and infrastructure within a geographical area.

What are Wide Area Networks?

Networks that provide connectivity to branch sites and remote workers over a large geographical area.

Purpose of Access Attacks

To retrieve data, to gain access, and to escalate access privileges.

What are Botnets and Zombies?

A network of infected hosts a hacker builds is called a botnet and the infected computers are called zombies.

Types of network hacking attacks include…

Eavesdropping, data modification, IP address spoofing, denial-of-service, man-in-the-middle, compromised-key, and sniffer.

Modern hacking titles

Script kiddies, vulnerability brokers, hacktivists, cyber criminals, state-sponsored hackers.

Securing the Control Plane

AutoSecure, Routing protocol authentication, Control Plane Policing (CoPP)

Securing the Management Plane

Enabling login and password policy, Presenting legal notification, Ensuring the confidentiality of data using SSH and HTTPS, Enabling role-based access control, Authorizing actions, Enabling management access reporting

Securing the Data Plane

ACLs, Antispoofing, Layer 2 security including port security, DHCP snooping, dynamic ARP inspection (DAI)

Reconnaissance Attacks

Initial query of a target, Ping sweep of the target network, Port scan of active IP addresses, Vulnerability scanners, Exploitation tools

What is a Threat?

A potential danger to assets or data within a network.

What is a Vulnerability?

A weakness or gap in security defenses that can be exploited by threats.

What is Mitigation?

Actions and processes to reduce the severity or likelihood of a threat exploiting a vulnerability.

What is Risk?

The potential for loss, damage, or destruction when a threat exploits a vulnerability.

Vectors of data loss

Email/Webmail, Unencrypted Devices, Cloud Storage Devices, Removable Media, Hard Copy and Improper Access Control

Data Center Security

Outside perimeter security and inside perimeter security

Trojan Horse Classifications

Security software disabler, Remote-access, Data-sending, Destructive, Proxy, FTP, DoS

Network Security Policy

Formal document outlining rules of conduct, security measures, and access control for network and system resources.

Code Red Worm

Initial Code Red Worm, Code Red Worm Infection 19 Hours Later

Worm components

  1. Propagate for 19 days
  2. Launch DoS attack for next 7 days
  3. Stop and go dormant for a few days
  4. Repeat the cycle

Single Router Approach

A security approach using a single router to protect a network.

Defense in Depth Approach

A security approach using multiple layers of security, including routers and firewalls.

DMZ Approach

A security approach that uses a demilitarized zone to isolate public-facing servers from the internal network.

Areas of Router Security

Physical security, Router Operating System and Configuration File Security, and Router Hardening.

Secure Admin Access Tasks

Restrict access, log all access attempts, authenticate and authorize users, present legal notifications and ensure data confidentiality.

Strong Password Guidelines

Use a length of 10+ chars and include mixed case, numbers, symbols, and spaces.

Virtual Login Security

Delays between login attempts, login shutdown for DoS attacks, and logging messages.

SSH Configuration

Enables a secure, encrypted connection for remote management.

IOS Resilient Config Feature

Configuration file is a copy of the running config, detects version mismatch automatically.

Syslog

Used for network security to log system events.

Secure Administrative Access

Restricting who can access the device, logging all access attempts, authentication requirements, authorization levels, legal notifications, and data confidentiality using SSH

Router Security Areas

Physical security, Router Operating System and Configuration File Security, and Router Hardening.

Defense in Depth

A security strategy that implements multiple firewalls to protect internal resources.

Single Router

A simple approach which is using a single router for basic network security.

Access Security

To enable strong passwords, use service password-encryption, and set exec-timeout.

Privilege Levels

To implement role-based access and grant fewer privileges, lowering risk.

Configuring SSH

Enables secure access with encryption and authentication.

Using AutoSecure

AutoSecure automates security tasks such as disabling services, setting banners, and securing interfaces.

IOS Resilient Config

Automated feature that secures the Cisco image and configuration files.

Using NTP

Used to maintain accurate time across network devices.

Routing Protocol Spoofing

Traffic is redirected, creating routing loops, monitored on insecure lines, or discarded.

Control Plane Policing

Used to protect the control plane from traffic attacks and implements priority policies.

Study Notes

Securing Networks

  • This section aims to describe the current network security landscape and explain the need to protect all types of networks.

Current State of Affairs

  • Networks are targets of various attacks.

Drivers for Network Security

  • Threat refers to a potential danger to a network.
  • Vulnerability refers to a weakness in a system that can be exploited.
  • Mitigation involves actions taken to reduce impact or likelihood of a threat.
  • Risk indicates the potential for loss or damage when a vulnerability is exploited.

Vectors of Network Attacks

  • Network attacks can originate from external threats, internal threats or compromised hosts.

Data Loss

  • Data can be lost through Email/Webmail, unencrypted devices, cloud storage, removable media, hard copies, or improper access controls.

Network Topology Overview

  • Networks can be divided into Campus Area Networks, Small Office and Home Office Networks, Wide Area Networks, and Data Center Networks

Data Center Network security

  • Outside perimeter security for data centers includes on-premise security, fences and gates, continuous video surveillance and security breach alarms
  • Inside perimeter security includes electronic motion detectors, security traps, continuous video surveillance and biometric access and exit sensors

Network Threats

  • This section aims to enable students to describe the evolution of network security
  • To describe the various types of attack tools used by hackers
  • To describe malware and explain common network attacks

Who is Hacking Our Networks?

  • Modern hacking titles include script kiddies, vulnerability brokers, hacktivists, cyber criminals, and state-sponsored hackers

Hacker Tools

  • Sophistication of attacker tools and technical knowledge needed has increased.

Evolution of Security Tools

  • Penetration testing tools include password crackers, wireless hacking, network scanning/hacking, packet crafting/sniffers, rootkit detectors and fuzzers to search for vulnerabilities
  • Other tools include forensic tools, debuggers, hacking operating systems, encryption tools, vulnerability exploitation tools and vulnerability scanners

Categories of Attack Tools

  • Network hacking attacks include eavesdropping, data modification, IP address spoofing, denial-of-service, man-in-the-middle, compromised-key, and sniffers.

Malware

  • Is malicious software.

Types of Malware

  • Virus is malicious software which executes a specific unwanted, often harmful, function
  • Worm executes arbitrary code; installs copies of itself in infected computer's memory; automatically replicates and spreads across networks
  • Trojan horse is a non-self-replicating malware that contains malicious code, designed to look like a legitimate application or file

Trojan Horse Classifications

  • Can be classified as a: Security software disabler, Remote-access tool, Data-sending tool, Destructive tool, Proxy, FTP, or DoS tool.

Worm Components

  • Worm components include an enabling vulnerability, a propagation mechanism and a payload.
  • The worm will propagate for 19 days, launch DoS attack for the next 7 days, stop and go dormant for a few days, then repeat the cycle.

Other Types of Malware

  • Other types of malware are Ransomware, Scareware, Spyware, Phishing, Adware and Rootkits

Types of Network Attacks

  • Include Reconnaissance, Access, and DoS

Reconnaissance Attacks

  • Initial query of a target
  • Ping sweep of the target network
  • Port scan of active IP addresses
  • Vulnerability scanners
  • Exploitation tools

Access Attacks

  • Some reasons why hackers use access attacks are to retrieve data, to gain access or to escalate access privileges
  • Types of access attacks include password attacks, port redirection attacks, man-in-the-middle attacks, buffer overflows, and IP, MAC and DHCP spoofing

Social Engineering Attacks

  • Social Engineering Attacks include: Pretexting, Phishing, Spearphishing, Spam, Tailgating, and Something for Something

Denial of Service Attacks

  • Designed to disrupt network access

DDoS Attacks

  • The steps of a DDoS attack are: the hacker builds a network of infected machines, uses those zombie computers to scan and infect more targets, then instructs the system to make the botnet of zombies carry out the DDoS attack
  • A network of infected hosts is called a botnet.
  • Compromised computers are called zombies, controlled by handler systems.

Mitigating Threats

  • The goal of the section is to learn about the methods and resources to protect the networks
  • To understand a collection of domains for network security
  • Explain the purpose of the Cisco SecureX Architecture
  • Describe the techniques used to mitigate common network attacks
  • Explain how to secure the three functional areas of Cisco routers and switches

Defending the Network

  • Includes network security professionals and various security organizations.

Network Security Professionals

  • Include Chief Information Officer (CIO), Chief Information Security Officer (CISO), Security Operations (SecOps) Manager, Chief Security Officer (CSO), Security Manager, and Network Security Engineer

Network Security Organizations

  • Include CERT, SANS, MITRE, FIRST, INFOSYSSEC, MS-ISAC

Confidentiality, Integrity, Availability

  • Confidentiality uses encryption to encrypt and hide data
  • Integrity uses hashing algorithms to ensure data is unaltered during operation
  • Availability assures data is accessible, guaranteed by network hardening mechanisms and backup systems

Network Security Domains

  • Include: Risk assessment, security policy, organization of information security, Asset management, human resources security, Physical and environmental security
  • Also includes communications and operations management, information systems acquisition, development, and maintenance, access control
  • Other components are information security incident management, business continuity management, and compliance.

Network Security Policy Objectives

  • It's important to consider what data you have that others want.
  • What data or information systems are critical.
  • What would stop the company from doing business.

Mitigating Common Network Threats

  • Requires implementing certain measures for each threat.

Defending the Network

  • Best practices include developing written security policies, educating employees about social engineering risks, controlling physical access to systems, using strong passwords.
  • Further practices include encrypting sensitive data, implementing security hardware/software, performing regular backups, shutting down unnecessary ports/services, keeping patches updated and performing security audits

Mitigating Malware

  • Anti-virus and security software can mitigate malware threats

Mitigating Worms

  • Processes include inoculation, containment, and quarantining and treatment

Mitigating Reconnaissance Attacks

  • Techniques include implementing authentication for access, using encryption to defeat packet sniffers, using anti-sniffer tools, and using firewalls and IPS.

Mitigating Access Attacks

  • This requires strong passwords, the principle of minimum trust, cryptography and applying system patches

Mitigating DoS Attacks

  • IPS and firewalls, antispoofing technologies, and quality of service traffic policing

NFP Framework

  • The Cisco Network Foundation Protection (NFP) Framework is comprised of three planes: control, management and data

Securing the Control Plane

  • The control plane is secured through AutoSecure, routing protocol authentication and control plane policing

Securing the Management Plane

  • Achieved by enabling login and password policy, legal notification, ensuring data confidentiality using SSH and HTTPS, role-based access control, authorizing actions, and enabling management access reporting

Securing the Data Plane

  • Secured using ACLs, antispoofing, and Layer 2 security including port security, DHCP snooping, and DAI

Securing Network Devices

  • This section explains how to secure a network perimeter
  • How to configure secure administrative access to Cisco routers
  • Enhanced security for virtual logins
  • How to configure an SSH daemon for secure remote management.

Securing the Edge Router

  • Edge router security approaches include a single router, defense in depth, or a DMZ.
  • Three areas of Router Security are physical, router operating system and configuration file, and router hardening.

Secure Administrative Access Tasks

  • Restrict device accessibility.
  • Log and account for all access.
  • Authenticate access.
  • Authorize actions.
  • Present legal notification.
  • Ensure the confidentiality of data.

Secure Local and Remote Access

  • Local access can be achieved through a serial connection
  • Remote Access can be done using Telnet/SSH or Modem and Aux Port

Configuring Secure Administrative Access

  • Guidelines for strong passwords include using at least 10 characters, mixing uppercase and lowercase letters, numbers, symbols, and spaces.
  • Avoid dictionary words and easily identifiable information. Misspell words and change passwords. Never write passwords down.
  • Configure all secret passwords using type 8 or type 9 passwords.

Securing Line Access

Configuring Enhanced Security for Virtual Logins

  • Virtual login security enhancements include implementing delays between successive login attempts, enabling login shutdown, and generating system-logging messages for login detection.
  • The login block-for command sets blocking time, attempts, and the time window for attempts.

Configuring SSH

  • SSH can be enabled on a Cisco router as an SSH server or client.
  • An SSH client runs on a host, such as PuTTY, OpenSSH, or TeraTerm.

Assigning Administrative Roles

  • Administrative privilege levels control command availability.
  • Role-based CLI access also controls command availability.

Configuring Privilege Levels

  • Privilege levels range from 0 to 15, with 0 being user-level access, 1 being the default for router login, 2-14 being customizable, and 15 being for enable mode.
  • EXEC mode is privilege level 1, with only user-level commands.
  • Privileged EXEC mode is level 15 with all enable-level commands.
  • The privilege mode {level level | reset} command is used to configure privilege levels.
  • A command with multiple keywords grants access to all commands using those keywords.

Configuring Role-Based CLI

  • Security operator privilege examples include configuring AAA, issuing show commands, and configuring firewall, IDS/IPS, and NetFlow.
  • WAN engineer privilege examples include configuring routing and interfaces and issuing show commands.
  • Superviews contain views but not commands; two superviews can share a CLI view.

Monitoring and Managing Devices

  • Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files.
  • Compare in-band and out-of-band management access.
  • Configure syslog to log system events, secure SNMPv3 access using ACLs, and NTP to accurately timestamp all devices.

Securing Cisco IOS Image and Configuration Files

  • The Cisco IOS Resilient Configuration feature copies the running configuration to the primary bootset.
  • This feature secures the smallest working set of files and detects image or configuration version mismatch automatically.

Using Syslog for Network Security

  • Syslog sends system messages to a Syslog server.
  • Syslog security levels range from 0 (emergencies, system unusable) to 7 (debugging messages).
  • Column 1 of a Syslog includes the sequence number.
  • Column 2 contains a timestamp, facility of message origin and severity.
  • Also includes the mnemonic and description.

Configuring System Logging

  • Configuring steps:
    • logging host [hostname | ip-address]
    • logging trap level (optional)
    • logging source-interface interface-type interface-number
    • logging on

Using SNMP for Network Security

  • A managed node uses an SNMP agent to communicate with an SNMP Manager.

Using NTP

  • NTP authenticates network time.

Using Automated Security Features

  • Use security audit tools to determine IOS-based router vulnerabilities.
  • Use AutoSecure to enable security on IOS-based routers.

Performing a Security Audit

  • Discovery protocols CDP and LLDP can indicate security vulnerabilities
  • Additional recommendations to ensure device security are:
    • Disable unnecessary services and interfaces
    • Disable and restrict commonly configured management services
    • Disable probes and scans and ensure terminal access security
    • Disable gratuitous and proxy ARPs
    • Disable IP-directed broadcasts

Locking Down a Router Using AutoSecure

  • The command auto secure enhances security but does not make the router absolutely secure from all security attacks.
  • The auto secure command guides through configuring various security measures.
    • auto secure [no-interact | full] [forwarding | management] [ntp | login | ssh | firewall | tcp-intercept]
  • Options for the auto secure command include:
    • no-interact, to avoid prompts for interactive configurations.
    • full, to be prompted for all interactive questions (default).
    • forwarding, to secure forwarding plane only.
    • management, to secure management plane only.
    • ntp, to configure NTP feature.
    • login, to configure login feature.
    • ssh, to configure SSH feature.
    • firewall, to configure firewall feature.
    • tcp-intercept, to configure TCP-Intercept feature.
  • Steps for using auto secure: the command is entered, the wizard gathers information about outside interfaces, AutoSecure secures the management plane by disabling unnecessary services, and AutoSecure prompts for a banner as well as passwords and enables password and login features.
  • Next, interfaces are secured and the forwarding plane is secured.

Securing the Control Plane

  • Configure routing protocol authentication.
  • Explain the function of Control Plane Policing.

Routing Protocol Authentication

  • Consequences of protocol spoofing:
    • Redirect traffic to create routing loops.
    • Redirect traffic to be monitored on an insecure link.
    • Redirect traffic to discard it.

OSPF MD5 Routing Protocol Authentication

  • Configured on the router to have neighboring authentication

OSPF SHA Routing Protocol Authentication

  • Specifies an SHA authentication key chain and assigns it to the desired interfaces.

Control Plane Policing

  • Protects the control plane from DoS attacks.

Network Device Operations

  • Include Control and Management Planes, and Data Plane

Control and Management Plane Vulnerabilities

  • Can be secured to add extra layers of security.

CoPP Operation

  • CoPP is used in control and management planes to further secure network device operations

Chapter Objectives:

  • Configure secure administrative access.
  • Configure command authorization using privilege levels and role-based CLI.
  • Implement the secure management and monitoring of network devices.
  • Use automated features to enable security on IOS-based routers.
  • Implement control plane security.
