Securing Local Area Network


Questions and Answers

What is the primary goal of endpoint security?

  • To protect individual devices on a network (correct)
  • To manage network traffic
  • To secure the network perimeter
  • To monitor server performance

Which of the following is a traditional component of endpoint security?

  • Antivirus software (correct)
  • Intrusion detection system
  • Content filtering
  • Load balancing

What is a key feature of a borderless network?

  • Secure access from anywhere (correct)
  • Restricted user permissions
  • Limited device connectivity
  • Centralized server location

Which of these is a common method of host-based protection?

  • Antivirus/Antimalware (C) (correct)

What does AMP stand for in the context of network security?

  • Advanced Malware Protection (B) (correct)

What is the purpose of URL filtering?

  • Blocking access to malicious websites (A) (correct)

Which feature of email security blocks unwanted messages?

  • Spam blocking (A) (correct)

What does NAC primarily control?

  • Network Access (A) (correct)

What is a primary function of Cisco's Email Security Appliance?

  • Spam blocking (A) (correct)

What is the purpose of blacklisting?

  • Blocking known malicious entities (B) (correct)

Which security measure can protect against malware?

  • Antimalware protection (C) (correct)

What is a key function of Cisco NAC?

  • Authenticating users (B) (correct)

What does a web security appliance (WSA) primarily protect against?

  • Web-based threats (B) (correct)

What is a CAM table overflow attack?

  • Flooding a switch with MAC addresses (A) (correct)

Which of the following is a Layer 2 security threat?

  • CAM table overflow (A) (correct)

What is a common method to mitigate CAM table overflow attacks?

  • Port security (C) (correct)

What type of attack involves manipulating VLANs?

  • VLAN hopping (C) (correct)

What type of attack does DHCP snooping mitigate?

  • DHCP attacks (C) (correct)

What is the purpose of Dynamic ARP Inspection (DAI)?

  • Mitigating ARP attacks (D) (correct)

What does IP Source Guard protect against?

  • Address spoofing (A) (correct)

What is one key feature of port security?

  • Limiting MAC addresses (D) (correct)

Which of these is a security violation mode in port security?

  • Protect (D) (correct)

What does a DHCP starvation attack do?

  • Requests all available IP addresses (D) (correct)

Which statement about DHCP spoofing is correct?

  • Client receiving address information from malicious server (D) (correct)

What is a MAC address in port security called?

  • Secure MAC address (A) (correct)

Endpoint security involves securing individual devices on a network.

  • True (A) (correct)

A firewall is not an element of LAN security.

  • False (B) (correct)

Traditional endpoint security involves only antivirus software.

  • False (B) (correct)

URL filtering is a host-based protection method.

  • True (A) (correct)

Spam filtering is not a host-based protection.

  • False (B) (correct)

Modern endpoint security solutions only consist of antivirus software.

  • False (B) (correct)

AMP stands for Advanced Malware Prevention.

  • False (B) (correct)

Anti-malware software only protects against viruses.

  • False (B) (correct)

With advanced malware protection, remediation happens before an attack.

  • False (B) (correct)

Talos teams only gather threat intelligence from external sources.

  • False (B) (correct)

Cisco ESA provides spam blocking.

  • True (A) (correct)

Cisco WSA only forwards web requests.

  • False (B) (correct)

Cisco NAC does not remediate network access issues.

  • False (B) (correct)

Layer 2 vulnerabilities are concerned with the physical layer.

  • False (B) (correct)

IP addresses are at Layer 2.

  • False (B) (correct)

An ARP attack is an example of a Layer 2 attack.

  • True (A) (correct)

A CAM table attack exploits vulnerabilities at Layer 3.

  • False (B) (correct)

A MAC address table lists the VLAN mappings.

  • False (B) (correct)

In a CAM table overflow attack the attacker floods the network with valid MAC addresses.

  • False (B) (correct)

Port Security cannot be enabled on a dynamic port.

  • True (A) (correct)

With port security, the maximum number of MAC addresses cannot be configured per port.

  • False (B) (correct)

With port security, MAC addresses can be learned dynamically.

  • True (A) (correct)

Port Security only has protect violation mode.

  • False (B) (correct)

DHCP starvation attacks exhaust all the IP addresses available.

  • True (A) (correct)

DHCP snooping helps prevent rogue DHCP servers from providing IP addresses to clients.

  • True (A) (correct)

Flashcards

What is endpoint security?

Securing individual devices connected to a network to protect against threats.

What are traditional Endpoint Security Measures?

Antivirus, antimalware, host-based firewalls, and host-based intrusion prevention systems (IPS).

What does Cisco AMP do?

Advanced Malware Protection. Provides continuous monitoring and analysis of files to detect and respond to malware.

What does Cisco NAC do?

Network Admission Control. A security solution that authenticates users and devices before granting network access.

What is a Cisco Email Security Appliance (ESA)?

A security device that blocks spam, malware, and phishing attacks in email traffic.

What is a Cisco Web Security Appliance (WSA)?

A security solution that filters malicious websites and content to protect users from web-based threats.

What are Layer 2 attacks?

Exploits of vulnerabilities in the Data Link Layer (Layer 2) to compromise network security.

Name examples of Layer 2 attacks.

CAM (Content Addressable Memory) table overflow, VLAN hopping, STP manipulation, DHCP spoofing, and ARP poisoning.

What is a CAM table overflow attack?

Caused by attackers flooding the switch with fake MAC addresses, exhausting the CAM table's storage capacity.

What is 'macof'?

A tool used to flood a switch with random MAC addresses to perform a CAM table overflow attack.

What does port security do?

Limits the number of MAC addresses allowed on a port to prevent MAC flooding attacks.

What are the port security violation modes?

Secure-shutdown, restrict, and protect.

What is Secure-Shutdown violation mode?

Disables the port immediately upon a security violation, requiring manual re-enablement.

What is Restrict violation mode?

Drops traffic from unknown MAC addresses, logs the violation, and increments the violation counter.

What is Protect violation mode?

Drops traffic from unknown MAC addresses but doesn't log the violation.

What is DHCP spoofing?

An attack where a rogue server provides incorrect network information to clients, often redirecting traffic.

What is DHCP starvation?

An attack where an attacker floods the DHCP server with requests, exhausting available IP addresses.

What is DHCP snooping?

A security feature that filters DHCP traffic, allowing only trusted DHCP servers to respond to client requests.

Antivirus / Antimalware Software

Host-based antivirus and antimalware software detect and block malicious software, and remove malware if an infection occurs.

Post-Malware Attack Questions

Endpoint security in the borderless network requires asking questions like where the malware came from and how we can prevent it from happening again.

URL Filtering

URL filtering is used to block access to malicious or inappropriate websites.

Blacklisting

Blacklisting blocks known malicious files or websites.

Network Admission Control (NAC)

NAC authenticates users and assesses device compliance before granting network access.

Email Security Appliance (ESA)

Email Security Appliances (ESAs) block spam and malware.

CAM Table

A CAM table stores MAC address to port mappings on a switch.

Data Link Layer

Layer 2 of the OSI model, responsible for data transfer between two directly connected nodes on a point-to-point link.

Study Notes

Securing the Local Area Network

Endpoint Security

  • Endpoint security and enabling technologies are described.
  • Cisco AMP's role in endpoint security is explained.
  • Cisco NAC authenticates and enforces network security policies.

LAN Elements

  • LAN elements to secure include VPNs, firewalls, IPS, DNS, and email/web servers.

Traditional Endpoint Security

  • Consists of antivirus/antimalware software.
  • Host-based IPS and host-based firewall.
  • Host-based protection.

Borderless Network

  • Securing endpoints involves addressing post-malware attack questions.
  • Questions include identifying the source, method, affected systems, and impact.
  • Determining how to stop, recover from, and prevent future threats are also key.
  • Host-based protection includes antivirus/antimalware, spam filtering, URL filtering, and blacklisting.

Modern Endpoint Security Solutions

  • NAC, AMP, ESA, and WSA.

Antimalware Protection

  • Protection is separated into Before, During, and After stages.
  • Before focuses on discovering, enforcing, and hardening.
  • During centers on detecting, blocking, and defending.
  • After involves scoping, containing, and remediating.
  • AMP (Advanced Malware Protection) for Endpoints provides dashboard overviews.
  • Dashboard displays compromised installs, inbox statuses, detections, and vulnerabilities.
  • Statistics include files scanned and network connections logged.

AMP and Managed Threat Defense

  • Talos teams gather threat intelligence from 1.6 million security devices.
  • The devices include firewalls, IPS, web, and email appliances.
  • Intelligence comes from 150 million endpoints.
  • Data analysis involves 100 TB of security intelligence daily.
  • Analysis includes 13 billion web requests per day.
  • Also included is 35% of the world's enterprise email traffic.

Email and Web Security

  • Cisco Email Security solutions offer spam blocking.
  • They include advanced malware protection.
  • Outbound message control is another core feature.
  • The Cisco Web Security Appliance receives the client's web requests.
  • The appliance forwards allowed requests to the internet and returns the responses to the client.

Controlling Network Access

  • Cisco NAC authenticates users and devices before granting network access.

Layer 2 Security Considerations

  • Layer 2 vulnerabilities are described.
  • CAM table overflow attacks are also described.
  • Port security and VLAN Trunk security are configured to mitigate attacks.
  • DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard are implemented.

Layer 2 Security Threats

  • The Data Link Layer is Layer 2; Layer 2 attacks use Ethernet frames for the initial compromise.

Switch Attack Categories

  • Include CAM table attacks, VLAN attacks, DHCP attacks, STP attacks, ARP attacks, and address spoofing attacks.

CAM Table Attacks

  • The attacker fills the CAM table with bogus MAC addresses.
  • Tools such as macof generate the flood of unknown, bogus source MAC addresses.

Mitigating CAM Table Attacks

  • Use port security.

Port Security

  • Port security can be enabled on an interface.
  • Options such as the maximum number of MAC addresses are configurable.
  • Connected MAC addresses can be learned dynamically, or MAC addresses can be set statically.
  • The maximum number of MAC addresses is set with the command: switchport port-security maximum value
  • MAC addresses can be configured manually with the command: switchport port-security mac-address mac-address [vlan {vlan-id | {access | voice}}]
  • MAC addresses can be learned dynamically and retained in the configuration with the command: switchport port-security mac-address sticky

Security Violation Modes

  • Protect drops traffic from unknown MAC addresses but doesn't increment the violation counter or shut down the port.
  • Restrict drops traffic from unknown MAC addresses and sends syslog messages while incrementing the violation counter.
  • Shutdown drops traffic, sends syslog messages, increments the violation counter, and shuts down the port.
  • S1(config-if)# switchport port-security violation shutdown
  • S1(config-if)# switchport port-security aging time 120

DHCP Attacks

  • DHCP spoofing attack: a rogue DHCP server supplies clients with incorrect address information.

DHCP Starvation Attack

  • The attacker initiates a starvation attack by sending a flood of DHCP requests to the DHCP server.
  • The DHCP server acknowledges all of the requests, which exhausts the addresses available to legitimate clients.

DHCP Snooping

  • Ports are classified as trusted or untrusted; DHCP server replies are accepted only on trusted ports.

DHCP Snooping Example

  • Configuring DHCP Snooping requires setting rate limits on untrusted interfaces.
  • Interface configuration example: S1(config-if-range)# ip dhcp snooping limit rate 6
  • DHCP snooping bindings can be viewed.
