Implementing Network Security (Version 2.0) – CCNAS Final Exam Online

The implementation of an access list may provide extra security by permitting denying a flow of traffic, but it will not provide a direct response to limit the success of the attack. The implementation of a firewall on the network edge may prevent reconnaissance attacks from the Internet, but attacks within the local network are not prevented. By implementing restrictions on the sending of ICMP echo-reply messages within a local network, devices may not respond to ping messages, but port scans are not prevented and clear-text data sent on the network are still vulnerable. The best security measure is to encrypt as much network traffic as possible, both user data and network management traffic.

Control plane traffic such as ARP messages or routing protocol advertisements are generated by a network device in order to support network operations. Routing protocol authentication provides an extra measure of security to authenticate the source of routing updates. Encrypting remote access connections, utilizing the NTP protocol, and using AAA, are all measures implemented to secure management plane traffic.

Configuring a router with maximum available memory allows support for the widest range of security services and can help to protect against certain DoS attacks. Secure copies of router operating system images and configuration files provide backups needed for device recovery. Installing a UPS device provides physical security for networking devices but does not affect the security of their operating systems. Disabling unnecessary ports and services is part of the process of router hardening, and does not specifically involve the router operating system.

A CLI view has no command hierarchy, and therefore, no higher or lower views. Deleting a superview does not delete the associated CLI views. Only a root view user can configure a new view and add or remove commands from the existing views.​

When using the Cisco IOS Resilient Configuration feature, a secure copy of the IOS image is stored in flash and is hidden from view and and not included in any directory listings.

A Cisco router log message consists for three parts:

1) the timestamp
2) the log message and severity level
3) the message text

Local AAA authentication works very similar to the login local command, except that it allows you to specify backup authentication methods as well. Both methods require that local usernames and passwords be manually configured on the router.

The authentication for Telnet connections is defined by AAA method list AUTHEN. The AUTHEN list defines that the first authentication method is through an ACS server using the RADIUS protocol (or RADIUS server), the second authentication method is to use the local user database, and the third method is to use the enable password. In this scenario, however, because the administrator fails to pass the authentication by the first method, the authentication process stops and no other authentication methods are allowed.

TACACS+ has the following features:separates authentication and authorization
encrypts all communication
uses TCP port 49

Authentication must ensure that devices or end users are legitimate. Authorization is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network. The configure terminal command is rejected because the user is not authorized to execute the command.

By default, TACACS+ establishes a new TCP session for every authorization request. This can lead to delays.To improve performance, Cisco Secure ACS supports persistent TCP sessions configured with the single-connection command.

There are several advantages of using a packet filtering firewall:
– ​allows for implementing simple permit or deny rule sets.
– has a low impact on network performance
– is easy to implement, and is supported by most routers
– provides an initial degree of security at the network layer
– performs almost all the tasks of a high-end firewall at a much lower cost

Stateful and next-generation firewalls provide better log information than packet filtering firewalls​. Both stateful and next-generation firewalls defend against spoofing by filtering unwanted traffic. However, next-generation firewalls provide the following benefits over stateful firewalls:

• Granularity control within applications
• Website and application traffic filtering based on site reputation
• Proactive rather than reactive protection from Internet threat
• Enforcement of security policies based on multiple criteria
• Improved performance with NAT, VPN, and stateful inspections
• Integrated IPS

Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer. It also analyzes traffic at OSI Layers 4 and 5.​ Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of an HTTP connection.

There are several benefits of a ZPF:
· It is not dependent on ACLs.
· The router security posture is to block unless explicitly allowed.
· Policies are easy to read and troubleshoot with C3PL.
· One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

​In addition, an interface cannot be simultaneously configured as a security zone member and for IP inspection.​

The pass action allows traffic in only one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to a zone in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. An interface can belong to only one zone at a time.

Cisco IDS and IPS sensors can use four types of signature alarms or triggers:

• Pattern-based detection – also known as signature-based detection, searches for a specific and pre-defined pattern. In most cases, the pattern is matched to the signature only if the suspect packet is associated with a particular service or destined to or from particular ports.
• Anomaly-based detection – also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host. After defining normal activity, the signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.
• Policy-based detection – also known as behavior-based detection, is similar to pattern-based detection, but instead of trying to define specific patterns, the administrator defines behaviors that are suspicious based on historical analysis.
• Honey pot-based detection – uses a dummy server to attract attacks.

In IPS implementation, when a signature detects a matching activity, the signature triggers one or more of these actions:Generates an alert
Logs the activity
Drops or prevent the activity
Resets a TCP connection
Blocks future activity
Allows the activity

Atomic alerts are generated every time a signature triggers. A summary alert is a single alert that indicates multiple occurrences of the same signature from the same source address or port. Deny packet and deny flow actions do not automatically cause TCP reset actions to occur. Atomic alerts do not shut down interfaces.

Because the security violation count is at 0, no violation has occurred. The system shows that 3 MAC addresses are allowed on port fa0/2, but only one has been configured and no sticky MAC addresses have been learned. The port is up because of the port status of secure-up. The violation mode is what happens when an unauthorized device is attached to the port. A port must be in access mode in order to activate and use port security.

Community ports can send and receive information with ports within the same community, or with a promiscuous port. Isolated ports can only communicate with promiscuous ports. Promiscuous ports can talk to all interfaces. PVLAN edge protected ports only forward traffic through a Layer 3 device to other protected ports.​

Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to VLANs not in use.

DHCP snooping must be enabled on a port where DAI is configured, because DAI requires the DHCP snooping table to operate. Only a trusted interface, such as an uplink port between switches, is configured to implement DAI. All access ports are untrusted.

To protect against MAC and IP address spoofing, apply the IP Source Guard security feature, using the ip verify source command, on untrusted ports.​

When assuring integrity with CRC values, it is easy to generate data with the same CRC. With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output. Hashing can use many bit values depending on the algorithm. ​These characteristics make hashing much stronger cryptographically.​

Weak keys, whether part of an existing encryption algorithm or manually generated, reveal regularities in encryption. This creates a shortcut by which a hacker can break the encryption. DES has four keys for which encryption is identical to decryption.

Symmetric algorithms use the same key, a secret key, to encrypt and decrypt data. This key must be pre-shared before communication can occur. Asymmetric algorithms require more processing power and overhead on the communicating devices because these keys can be long in order to avoid being hacked.

Digitally signing code provides several assurances about the code:
The code is authentic and is actually sourced by the publisher.
The code has not been modified since it left the software publisher.
The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.

The higher the certificate number, the more trustworthy the certificate. Class 1 certificates are for individuals, with a focus on email verification. An enterprise can act as its own CA and implement PKI for internal use. In that situation, the vendor can issue certificates as needed for various purposes.​

The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two algorithms that can be used within an IPsec policy to protect interesting traffic are AES, which is an encryption protocol, and SHA, which is a hashing algorithm.

The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. To ensure that data is not intercepted and modified (data integrity), Hashed Message Authentication Code (HMAC) is used. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm that is used for authentication.

Establishing an IPsec tunnel involves five steps:Detection of interesting traffic defined by an ACL
IKE Phase 1 in which peers negotiate ISAKMP SA policy
IKE Phase 2 in which peers negotiate IPsec SA policy
Creation of the IPsec tunnel
Termination of the IPsec tunnel

When an ASA 5505 device is being utilized, traffic is denied as it travels from a lower security zone to a higher security zone. The highest security zone is the internal network, the DMZ is usually the next highest, and the outside network is the lowest. Traffic is only allowed to move from a lower security level to a higher if it is in response to originating traffic within the higher security zone.

Stateful packet inspection allows return traffic that is sourced on the outside network to be received by the originating sender on the internal network.

Filtering only applies to traffic traveling in the direction from a higher security level to a lower security level.

When traffic moves from an interface with a higher security level to an interface with a lower security level, it is considered outbound traffic. Conversely, traffic that moves from an interface with a lower security level to an interface with a higher security level is considered inbound traffic.

Cisco ASDM is a Java-based GUI tool that makes ASA configuration easier. In order to remotely manage multiple ASAs with Cisco ASDM, each ASA must have the same ASDM version. When ASDM is run as a local application, no browser is required and several ASA devices can be managed.

When ASDM is used to configure an ASA, the peer address is the IP address of the other site for the VPN. In this instance R3 has the outside IP address of 209.165.201.1, so that must be the peer IP address for the ASA. Conversely, R3 will have to be configured with a peer IP address of 209.165.200.226.

ASDM supports creating an ASA site-to-site VPN between two ASAs or between an ASA and an ISR router.

When a full tunnel is creating using the Cisco AnyConnect VPN Wizard, the VPN protocols should be selected to protect the traffic inside the tunnel. The VPN protocol choices are SSL and/or IPsec. Otherwise, a third-party certificate can be configured. Initially SSL and IPsec are selected.

An integrity checking system can report login and logout activities. Network scanning can detect user names, groups, and shared resources by scanning listening TCP ports. Password cracking is used to test and detect weak passwords. Vulnerability scanning can detect potential weaknesses in a system, such as misconfigurations, default passwords, or DoS attack targets.

Security Information Event Management (SIEM) is a technology that provides real-time reporting and long-term analysis of security events. SIEM provides the ability to search logs and events from disparate systems or applications to detect threats. SIEM aggregates duplicate events to reduce the volume of event data. SIEM can be implemented as software or as a managed.service. SuperScan is a Microsoft Windows port scanning tool that runs on most versions of Windows.Tools, such as Nmap and SuperScan, can provide effective penetration testing on a network and determine network vulnerabilities while helping to anticipate possible attack mechanisms.

Nmap is a low-level network scanner that is available to the public and which has the ability to perform port scanning, to identify open TCP and UDP ports, and perform system identification. It can also be used to identify Layer 3 protocols that are running on a system.

Once the connector is enabled on the Cisco ASA device, users on the internal network can connect to the Cisco CWS transparently when they access external websites. The Cisco CWS serves as a proxy for the web access to scan traffic for malware and policy enforcement. Users visit external websites by accessing the URLs directly on the web browsers.

Hairpinning allows VPN traffic that is received on a single interface to be routed back out that same interface. Split tunneling allows traffic that originates from a remote-access client to be split according to whether the traffic must cross a VPN or the traffic is destined for the public Internet. MPLS and GRE are two types of Layer 3 VPNs.

Establishing a VPN between two sites has been a challenge when NAT is involved at either end of the tunnel. The enhanced version of original IKE, IKE version 2, now supports NAT Traversal (NAT-T). NAT-T has the ability to encapsulate ESP packets inside UDP. During IKE version 2 Phase 1, the VPN end devices can detect whether the other device is NAT-T capable and whether either device is connecting through a NAT-enabled device in order to establish the tunnel.

The network-based IPS (NIPS) is deployed in a network to monitor traffic in the network. Different from the host-based IPS (HIPS), NIPS does not provides protection to specific individual hosts. The operation of NIPS does not rely on the operating system of individual hosts nor centrally managed software agents.

Standards help IT staff maintain consistency in the operations of the network. Guidelines are a list of suggestions on how to do things more efficiently and securely. They are similar to standards, but are more flexible and are not usually mandatory. Procedure documents are longer and more detailed than standards and guidelines. Procedure documents include implementation details that usually contain step-by-step instructions and graphics.

The Cisco ASA 5500-X series with FirePOWER service merges the ASA 5500 series appliances with some new features such as advanced malware protection as well as application control and URL filtering. The stateful firewall, IPsec VPN, and security level settings are functions common to both ASA 5500 and ASA 5500-X series devices.

Unlike the ASA 5505, the ASA 5506-X does not use switch ports. All Ethernet ports in the backplane are routed and require IP addresses.

Network scanning tools are used to probe network devices, servers and hosts for open TCP or UDP ports. Vulnerability scanning tools are used to discover security weaknesses in a network or computer system. Penetration testing tools are used to determine the possible outcome of a successful attack on a network or computer system.