Securing Local Area Networks


Questions and Answers

Which of the following is NOT a component of traditional endpoint security?

  • Antivirus/Antimalware Software
  • Network Access Control (NAC) (correct)
  • Host-Based Intrusion Prevention System (IPS)
  • Host-Based Firewall

In the context of modern endpoint security, what is the purpose of Cisco AMP?

  • To provide intrusion detection services
  • To ensure endpoint security through advanced malware protection (correct)
  • To manage network device configurations
  • To block SPAM

Which of the following is a primary function of Cisco NAC?

  • Authenticating users and enforcing network security policies (correct)
  • Providing VPN access
  • Filtering URL requests
  • Managing firewall rules

What is the primary goal of securing LAN elements?

  • To protect network devices and data from unauthorized access and threats (A)

In a borderless network, what is a key consideration when securing endpoints after a malware attack?

  • Determining the source of the malware and how to prevent future infections (A)

Which of the following is a method of Host-Based Protection?

  • Antivirus/Antimalware (C)

Which of the following is NOT a modern endpoint security solution?

  • VLAN (Virtual LAN) (B)

What is the primary function of a Cisco Email Security Appliance (ESA)?

  • To block spam and protect against email-borne malware (A)

What is the primary function of a Cisco Web Security Appliance (WSA)?

  • To manage and secure web traffic (B)

Which of the following best describes a CAM table overflow attack?

  • An attempt to fill the switch's CAM table with bogus MAC addresses. (C)

What type of Layer 2 attack involves manipulating the Spanning Tree Protocol (STP) to become the root bridge?

  • STP Manipulation (D)

Which of the following Layer 2 attack mitigation techniques involves limiting the number of MAC addresses that can be learned on a port?

  • Port Security (C)

What is the purpose of DHCP snooping?

  • To prevent rogue DHCP servers from providing IP addresses to clients (D)

Which command enables port security on an interface?

  • switchport port-security (B)

Which port security violation mode drops traffic from unknown MAC addresses and increments the violation counter?

  • Restrict (A)

What is the effect of setting a port security violation mode to 'Shutdown'?

  • The port is disabled immediately upon detecting a security violation. (A)

What type of attack attempts to consume all available IP addresses on a DHCP server?

  • DHCP Starvation (A)

What is the purpose of the command ip dhcp snooping trust when configuring DHCP snooping?

  • It configures a port to forward all DHCP messages without inspection. (D)

An attacker is flooding a switch with packets containing different source MAC addresses. What type of attack is this, and what is its likely outcome?

  • CAM Table Overflow; switch behaving like a hub and broadcasting all traffic (C)

What are the key phases within the "Advanced Malware Protection" (AMP) framework that illustrate its continuous security approach?

  • Before, during, and after an attack (B)

If a network administrator configures port security with the violation mode set to 'protect', what will the switch do when a MAC address that exceeds the maximum limit attempts to access the port?

  • The switch will drop traffic from the violating MAC address but continue to forward traffic from known, secure MAC addresses. (C)

A network technician is tasked with implementing port security on a switch. They configure the maximum number of allowed MAC addresses to 1 and set the violation mode to 'shutdown.' A user connects a hub to this port, and then connects two computers to the hub. What will happen?

  • The port will immediately shut down once the second computer attempts to communicate, due to a violation of the MAC address limit. (D)

What are the implications of a successful DHCP starvation attack on a network?

  • Legitimate clients are unable to obtain IP addresses, leading to network connectivity issues. (B)

A disgruntled employee wants to disrupt the company's network. They decide to launch a CAM table overflow attack. What tool could the employee use?

  • macof (D)

An administrator needs to configure a Cisco switch interface connected to an IP phone and a computer. They want to ensure that the phone and computer can both connect, but also limit the number of MAC addresses allowed on the port for security. What is the most appropriate configuration approach?

  • Enable port security with a maximum of 2 MAC addresses and violation mode set to 'restrict'. (A)

An attacker launches a DHCP spoofing attack by setting up a rogue DHCP server on the network. The rogue server is configured to hand out invalid IP addresses, a default gateway pointing to the attacker's machine, and a DNS server also controlled by the attacker. What are the potential consequences?

  • The attacker will be able to intercept and redirect network traffic, potentially capturing sensitive information or serving malicious content. (C)

A network administrator discovers a series of security violations on a switch port, with the violation mode set to 'restrict.' Upon investigation, it is found that users are frequently moving their devices between different ports, causing new MAC addresses to be learned and triggering the violation alerts. What is the most suitable approach to address this issue while maintaining security?

  • Configure sticky MAC addresses on each port to automatically learn and retain the authorized MAC addresses, and periodically review the sticky MAC address configurations to remove any unauthorized entries. (B)

Which command would you use to dynamically learn and retain MAC addresses on a port, and what are the implications of using this command in a port security configuration?

  • switchport port-security mac-address sticky; the MAC addresses are dynamically learned and retained even after a switch reboot, but require manual removal of unauthorized entries. (A)

If an attacker wanted to perform a DHCP starvation attack, which of the following actions would most likely be taken?

  • Sending a large number of DHCP Release messages with spoofed MAC addresses. (A)

A network administrator is tasked with securing a network against CAM table overflow attacks. They decide to implement port security but are unsure about the best violation mode to use. They need a solution that will prevent unauthorized devices from accessing the network while also minimizing administrative overhead. Which port security violation mode would be the most suitable?

  • protect (B)

You are troubleshooting a network issue where users in VLAN 10 are unable to obtain IP addresses. After some investigation, you discover that a rogue DHCP server is present on the network. Which of the following actions would best mitigate the issue?

  • Implement DHCP snooping and configure the switch ports connected to legitimate DHCP servers as trusted. (D)

What is the purpose of DAI?

  • Detect and prevent man-in-the-middle attacks based on ARP spoofing. (B)

Why is it important to enable DHCP Snooping on all VLANs?

  • Enabling it protects each VLAN from unauthorized DHCP servers. (A)

A Security Engineer performs an analysis of AMP Threat Grid and discovers a zero-day exploit. Given this discovery, what actions MUST be taken by the Security Engineer?

  • The Engineer MUST inform management and other Security Engineers of the discovery; it may be dangerous. (B)

Can Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) analyze encrypted traffic?

  • They can analyze encrypted traffic IF TLS inspection is enabled. (D)

What is the most important countermeasure that should be in place for a large company that experiences a successful CAM attack in the LOCAL AREA NETWORK (LAN)?

  • Segment the LOCAL AREA NETWORK (LAN) into logical groups, and assign unique VLANs to each group. (D)

Why can it be said that network threats are constantly evolving?

  • New attacks are written on a near-daily basis. (B)

Why is Endpoint Detection and Response (EDR) a major improvement to previous endpoint protections (such as Antivirus)?

  • AV simply looks for well-known malware signatures, typically after their exploit has occurred. EDR focuses on detecting activity and processes caused BY exploits, before the damage occurs. (B)

Which of the following is a typical feature of a Cisco Email Security Appliance (ESA)?

  • Spam blocking. (B)

What is the primary purpose of URL filtering in host-based protection?

  • To block access to known malicious websites. (B)

What is the purpose of the switchport port-security mac-address sticky command?

  • To enable dynamic learning of MAC addresses and save them to the running configuration. (D)

In the context of DHCP, what is the purpose of configuring a 'trusted port'?

  • To designate a port that can send DHCP server messages. (A)

An administrator needs to ensure that devices connecting to a switch port are authenticated before gaining network access. Which technology should be implemented?

  • Cisco NAC. (A)

What is the potential impact of insufficient endpoint security in a borderless network?

  • Compromised data and malware propagation across the network. (C)

Which of the following accurately describes the function of a Cisco Web Security Appliance (WSA) in securing a network?

  • It proxies web requests, filtering malicious content and enforcing web usage policies. (C)

A network administrator observes a high volume of DHCP requests originating from a single host, rapidly depleting the DHCP scope. Besides enabling DHCP Snooping, what additional mitigation strategy can be deployed on the switch to address this specific issue?

  • Implement rate limiting on the switch port connected to the offending host. (B)

A network security engineer suspects that a CAM table overflow attack is being launched against a critical switch in the network. While port security is configured, the engineer notices that the switch is still flooding traffic. Further investigation reveals that the attacker is rapidly changing the source MAC addresses in the attack packets at a rate exceeding the switch's MAC address learning rate, even with port security enabled with a violation mode of 'restrict'. What is the MOST effective mitigation step the engineer can take immediately to contain the attack?

  • Change the violation mode on the affected ports to 'shutdown' to immediately disable the ports when a violation occurs. (C)

A network administrator is tasked with hardening the network's defenses against Layer 2 attacks. They have already implemented port security and DHCP snooping. To further enhance security, they want to prevent attackers from exploiting ARP to conduct man-in-the-middle attacks, especially in VLANs where sensitive data is transmitted. Given these constraints, which additional security mechanism provides the MOST direct and effective mitigation against ARP spoofing?

  • Configure dynamic ARP inspection (DAI) to validate ARP packets against DHCP snooping bindings. (D)

Endpoint security focuses solely on antivirus software.

  • False (B)

Cisco AMP is designed to only detect malware before it enters the network.

  • False (B)

Cisco NAC authenticates devices but does not enforce network security policies.

  • False (B)

Traditional endpoint security primarily relies on perimeter-based protection.

  • False (B)

In a borderless network, security threats are solely contained within the internal network.

  • False (B)

URL filtering is a component of Host-Based Protection.

  • True (A)

Modern endpoint security solutions do not include web security.

  • False (B)

Email Security Appliances only provide inbound message control.

  • False (B)

NAC uses both credentials and posture assessment to grant network access.

  • True (A)

Layer 2 security vulnerabilities are a concern primarily at the Physical layer of the OSI model.

  • False (B)

A CAM table overflow attack aims to flood the switch with legitimate MAC addresses.

  • False (B)

VLAN hopping attacks exploit vulnerabilities in VLAN trunking protocols.

  • True (A)

DHCP Snooping mitigates ARP poisoning attacks.

  • False (B)

IP Source Guard is used to prevent MAC address spoofing.

  • False (B)

Compromise at the Application Layer always occurs after a compromise at the Data Link Layer.

  • False (B)

STP Attacks target the Spanning Tree Protocol to manipulate the network topology.

  • True (A)

Using the macof tool, it's possible to simulate a DoS attack against a network switch.

  • True (A)

Enabling port security increases the number of dynamic ports on a switch.

  • False (B)

With port security, setting the violation mode to 'protect' shuts down the port immediately upon a violation.

  • False (B)

Enabling DHCP snooping prevents man-in-the-middle attacks by validating DHCP messages.

  • True (A)

The primary goal of securing the local area network (LAN) is to allow any device to freely access network resources.

  • False (B)

Endpoint security solutions are only necessary for devices physically connected to the network.

  • False (B)

Cisco Advanced Malware Protection (AMP) is solely a signature-based antivirus solution.

  • False (B)

Cisco Network Admission Control (NAC) ensures that all devices accessing the network comply with the organization's security policies.

  • True (A)

In a traditional endpoint security model, host-based firewalls primarily protect against network-based attacks.

  • False (B)

In the context of securing a borderless network, preventing malware infections is the only important consideration.

  • False (B)

Modern endpoint security solutions like NAC focus on perimeter security rather than host-based security.

  • False (B)

Cisco Email Security Appliance only filters inbound spam.

  • False (B)

Cisco Web Security Appliance (WSA) is a solution designed to prevent phishing attacks.

  • True (A)

Network Access Control (NAC) functions without any user authentication.

  • False (B)

Layer 2 security vulnerabilities only affect wireless networks.

  • False (B)

A CAM table overflow attack exploits vulnerabilities at Layer 3 of the OSI model.

  • False (B)

Configuring port security on a switch aims to prevent ARP spoofing attacks.

  • False (B)

Implementing DHCP snooping on a network helps prevent VLAN hopping attacks.

  • False (B)

IP Source Guard operates at Layer 3 of the OSI model to protect against IP address spoofing.

  • True (A)

In a CAM table overflow attack, the attacker's intention is to cause the switch to act like a hub, flooding traffic to all ports.

  • True (A)

Disabling unused ports on a switch is an effective mitigation technique against DHCP starvation attacks.

  • False (B)

Setting the port security violation mode to 'restrict' provides the least visibility into security incidents.

  • False (B)

DHCP snooping requires all ports connected to DHCP clients to be configured as trusted ports.

  • False (B)

Denying all outbound internet traffic from your internal LAN is an effective solution for all security concerns.

  • False (B)

Cisco's Advanced Malware Protection (AMP) only functions after a malware attack.

  • False (B)

A host-based firewall is an example of traditional endpoint security.

  • True (A)

Talos teams collect near-time threat intelligence from approximately 16 million deployed security devices.

  • False (B)

URL Filtering is a method of host-based protection.

  • True (A)

In the context of network security, 'blacklisting' refers to a method of blocking network communications from or to specific IP addresses or domains known to be malicious.

  • True (A)

A CAM table overflow attack aims to flood the switch's MAC address table to impair its ability to forward network traffic effectively.

  • True (A)

Implementing VLAN Trunk security is a method to defend against MAC address spoofing attempts on a network.

  • False (B)

In port security, setting the violation mode to 'restrict' will prevent traffic from an unknown MAC address, but will not increment the violation counter.

  • False (B)

Cisco's Web Security Appliance (WSA) is positioned in the network to directly handle client web requests, filtering malicious content.

  • True (A)

DHCP starvation attacks can be entirely prevented by implementing strict MAC address filtering on all network switches, ensuring only known devices can request IP addresses.

  • False (B)

Flashcards

Endpoint Security

Security measures implemented on devices (endpoints) to protect a network.

Traditional Endpoint Security

Traditional security includes Antivirus, Host-Based IPS and Firewalls

Modern Endpoint Security Solutions

A modern security solution including AMP, NAC, ESA, and WSA.

Advanced Malware Protection (AMP)

Advanced Malware Protection provides protection before, during, and after an attack.

Cisco Email Security Appliance

Email Security Appliance blocks spam, protects against advanced malware, and controls outbound messages.

Network Access Control (NAC)

Network Access Control authenticates users and enforces network security policies.

Layer 2 Vulnerabilities

Exploitable weaknesses in Layer 2 protocols that attackers can target.

CAM Table Attacks

Attacks that exploit a switch's MAC address table to flood the network.

macof

Tool used to send bogus MAC addresses to flood a CAM table.

Port Security

Security feature to control MAC addresses learned on a port.

Configuring Port Security

Configuring a switchport to only allow specific MAC addresses.

switchport port-security mac-address

Configuration command used to statically configure a port security MAC address.

Port Security Violation Modes

Security action options when violations occur on a switchport.

DHCP Starvation Attack

Denial-of-service attack that floods the DHCP server with requests.

DHCP Spoofing Attack

Malicious server providing incorrect IP configuration information.

DHCP Snooping

Security feature to filter DHCP messages from untrusted sources.

Configuring DHCP Snooping

Marking specified ports as trusted or untrusted for DHCP messages.

Securing LAN Elements

Element security that provides multiple layers of protection to safeguard networks.

Borderless Network

A network where users can access resources from anywhere, using any device, securely.

Antimalware Protection

Scanning files to detect and block malware before, during, and after execution.

Cisco Web Security Appliance

Security device used as a barrier against web-based threats.

Cisco NAC Functions

Used to create a secure decision point for remediation.

Layer 2 Attack

Occurs when an attacker exploits Data Link layer protocols through a switch.

CAM Table Attack Tools

Utilities that exploit switches by sending bogus MAC addresses.

Countermeasure for CAM Table Attacks

Method for preventing CAM table overflow attacks by limiting MAC addresses.

Study Notes

Securing the Local Area Network

  • Key Topics include Endpoint Security and Layer 2 Security Threats.

Endpoint Security

  • Secures LAN elements, including Internet, VPN, Firewall, ESA/WSA, DNS, IPS, Hosts, and ACS
  • Key completion goals include explaining how Cisco AMP is used to ensure endpoint security
  • Further goals are to explain how Cisco NAC authenticates and enforces network security policy

Traditional Endpoint Security

  • Includes Antivirus/Antimalware Software, Host-Based IPS, and Host-Based Firewall to achieve Host-Based Protection

Securing Endpoints

  • Securing Endpoints in the Borderless Network requires answering questions after a malware attack.
  • Key questions are: where the attack came from, the threat method, the affected systems, what the threat did, whether you can stop the threat and its root cause, how to recover, and how to prevent it from happening again
  • Host-Based protection measures include Antivirus/Antimalware, SPAM Filtering, URL Filtering, and Blacklisting.

Modern Endpoint Security Solutions

  • Modern solutions comprise AMP, NAC, ESA, and WSA

Antimalware Protection

  • Advanced Malware Protection occurs before, during, and after an attack

AMP and Managed Threat Defense

  • Talos teams gather real-time threat intelligence from 1.6 million deployed security devices (firewalls, IPS, web, and email appliances) and 150 million endpoints
  • 100 TB of security intelligence is analyzed daily
  • Analyzed data includes 13 billion web requests per day, and also 35% of the world's enterprise email traffic

Cisco Email Security Appliance

  • Uses spam blocking, advanced malware protection and outbound message control

Cisco Web Security Appliance

  • The Web Security Appliance handles client web requests: the client initiates the request, and the WSA forwards it on the client's behalf
  • The reply is returned to the WSA, which then passes it to the client

Cisco NAC Functions

  • Network Access Control involves hosts attempting network access.
  • This access involves credentials, enforcement, Policy Server Decision Points and Remediation

Layer 2 Security Considerations

  • Focuses on Layer 2 vulnerabilities, CAM table overflow attacks, port security, VLAN trunk security, DHCP snooping, Dynamic ARP Inspection, and IP Source Guard.

Describe Layer 2 Vulnerabilities

  • The data link layer (Layer 2), where Ethernet frames are handled, is the initial compromise point
  • The OSI layers range from physical at Layer 1 to application at Layer 7

Switch Attack Categories

  • Attack types include CAM Table Attacks, STP Attacks, VLAN Attacks, Address Spoofing Attacks, ARP Attacks and DHCP Attacks

Basic Switch Operation

  • The command "show mac-address-table" displays the MAC address table, listing the VLAN, MAC address, type, and port for each entry, along with other switch information

CAM Table Operation

  • The CAM table stores the MAC addresses learned from connected PCs

CAM Table Attack

  • An intruder runs an attack tool that fills the CAM table; the switch then floods all traffic out every port, so the attacker can capture it

Mitigating CAM Table Attacks

  • Security is enforced by allowing only particular MAC addresses on each port

Port Security

  • Port Security is enabled through a command line interface
  • Port security options include aging, mac-address, maximum and violation

Enabling Port Security Options

  • Maximum number of MAC addresses can be set
  • MAC Addresses can be configured manually
  • Dynamic (sticky) learning of connected MAC addresses can be enabled

Port Security Violations

  • Security Violation Modes: Protect, Restrict, Shutdown

DHCP Spoofing Attack

  • Aims to provide a client with a false IP address

DHCP Starvation Attack

  • The attacker initiates DHCP requests, the DHCP server offers parameters, the attacker requests all of the offers, and the DHCP server acknowledges all of the requests, exhausting the address pool

Configuring DHCP Snooping

  • DHCP Snooping can be configured through the command line interface
  • Consists of trusted and untrusted ports
