Reconnaissance attacks
Access Attacks
Denial of Service Attacks
What are the 3 primary network attacks
an unauthorized familiarization session. Mapping the network, its resources, systems and vulnerabilities for future attacks.
Reconnaissance attacks
are against networks or systems to retrieve data, gain accesses or escalate privileges.
Access attacks
an attack that denies users access to network resources. Its sole purpose is to disable or corrupt network services. The result is either a crashed system or one slowed down to the point where it is useless.
The basic idea is to keep open all the connections supported by a key server.
DoS attacks are often run with common internet protocols like TCP and ICMP
Denial of Service Attacks
a type of attack also called network snooping and packet sniffing. Used for stealing info and identities.
To counteract eavesdropping, create a policy forbidding the use of protocols with known eavesdropping susceptibilities and make sure all sensitive, important network traffic is encrypted.
eavesdropping
Chargen - massive amounts of UDP packets causing congestion
SYN flood - randomly opening TCP ports
Packet fragmentation and reassembly
accidental
email bombs
Land.c - uses a TCP SYN packet with the source and destination set to the same address, causing the system to crash
Types of DoS attacks
CBAC - Context Based Access Control provides advanced traffic filtering services and can be used as an integral part of your network firewall
Java blocking
DoS detection and monitoring
Audit trails
Real time alerts log
Cisco firewall features to help combat DoS attacks
The Cisco TCP Intercept feature implements software to protect TCP servers from a type of DoS attack called TCP SYN-flooding
Terminal Access Controller Access Control System is a Cisco remote authentication server that uses TCP. It was later released as an open standard. It has multiprotocol support.
Authorization enables explicit control over user capabilities
Accounting supplies detailed information about user activities.
Authorization and accounting are separate.
Authentication includes messaging support in addition to login and password function
TACACS+
is when someone outside the network pretends to be a trusted computer by using an IP address within the range of your network's IPs
another name would be Masquerade Attack
Combated by ACLs on internet facing interfaces
IP Spoofing
a program that repeatedly attempts to guess a user account and password.
brute force attack
a challenge-response authentication method used in Point-to-Point Protocol (PPP) to verify the identity of a remote user accessing a network, without exposing the password
Challenge and Handshake Protocol
CHAP
Repudiation
a denial of a transaction so that no communication can be traced; logs are erased or altered to hide the trail and provide deniability.
This type of attack can be guarded against by setting your browser's security settings to high and blocking corporate access to public email sites. In addition, add access control and authentication on your network.
is an attack where a hacker changes the routing table of the targeted router to alter the course of IP packets so they go to the attacker's unauthorized destination instead.
Rerouting can be stopped with a Cisco ASA or Cisco Firepower Device
Rerouting
a Cisco security device that combines firewall, antivirus, intrusion prevention, and VPN capabilities
Adaptive Security Appliances
Cisco ASA
session hijacking/replaying can be defended against by using strong authentication and encrypted management protocols.
non-repudiation
a security principle that ensures a party cannot deny having sent or received a message or performed an action, crucial for maintaining trust and accountability in digital interactions and transactions.
a type of denial-of-service (DoS) attack where an attacker floods a target with ICMP (Internet Control Message Protocol) echo reply packets by spoofing the source address to appear as the victim's IP address.
Can be guarded against with filtering either at the edge of the network where customers connect or at the edge with connections to upstream providers
Smurfing
a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router's broadcast address within a network. It is very similar to a Smurf Attack, which uses spoofed ICMP traffic rather than UDP traffic to achieve the same goal.
Fraggle
a type of attack where the attacker must have access to network packets traveling across the network. This means your middleman could be an internal user, someone who spoofed an address, or even someone within the ISP.
Man in the Middle
An attack that involves an application with a well-known weakness that can be easily exploited. Sendmail, PostScript and FTP are a few examples. The idea is to gain access to a computer with the permissions of the account running the application, which is usually a privileged, system-level account.
Application layer attack
any malware that disguises itself as a needed application while carrying out malicious actions
trojan horse
an attack that is run through a browser, often using Java applets or ActiveX controls. The attacker modifies a setting or program that then starts the attack when the user initiates the program/setting
HTML attacks
Pharming is similar to phishing, only pharming pollutes the contents of a computer's DNS cache so that requests to a legitimate site are actually routed to an alternate one.
Any malware that replicates itself but doesn’t need another application or human interaction to propagate.
Worm
any malware that attaches itself to another application to replicate or distribute itself
Virus
Any malware that collects private user data, including browsing history or keyboard input.
Spyware
a type of physical access control where the person who wants in is physically authenticated at the first door and enters a room. The door closes and additional verification is performed before a second door is opened.
mantrap
a type of physical access control method where an RFID badge or card must be in the possession of the user, who swipes it in order to gain access to a resource.
Badge
a badge that often also needs a password or PIN to gain access
Smart Card
Think of the 3 barriers this way: Outer barrier = fence, Middle barrier = guards, locks and mantraps, and Inner barrier = key/fob or smart card.
Continued use of ACL and policies from the distribution layer
Creation of separate collision domains and micro segmentation
Workgroup connectivity into the distribution layer
Device connectivity
Resiliency and security services
advanced technological capabilities (voice/videos, PoE, port-security, QoS, etc)
Gigabit Switching
The access layer is where user devices connect to the network; it is the connection point between the network and client devices.
Access Layer functions
Note: ISE (Identity Services Engine) and DNA (Digital Network Architecture) Center are Identity Based Networking products from Cisco
Port Security - restricts a port to a specific set of MAC addresses
DHCP Snooping
Dynamic ARP inspection
Identity Based Networking
What are some ways to protect the access layer
Layer 2 security feature that validates DHCP messages by acting like a firewall between trusted hosts and untrusted DHCP servers. When enabled, switch interfaces are configured as trusted or untrusted. Trusted interfaces allow all types of DHCP messages, but untrusted interfaces only permit requests. Trusted interfaces connect to a legitimate DHCP server or an uplink toward one.
With DHCP Snooping enabled, a switch builds a DHCP Snooping Binding database containing the host's MAC and IP addresses, DHCP lease time, binding type, VLAN and interface. Dynamic ARP Inspection also uses the DHCP Snooping Binding database.
DHCP Snooping
a concept that ties together several authentication, access control and user policy components to provide users with only the network services you want them to access.
Identity Based Networking
Cisco's next-generation firewall. The Firewall Threat Defense can be used to send authentication to the server
Cisco FTD
RADIUS
TACACS+
Kerberos
What are the 3 types of security server protocols supported by Cisco routers?
developed by the IETF and uses only UDP. It is an open standard that combines authentication and authorization into a single process; in other words, it cannot separate the services.
Remote Authentication Dial in User Service
RADIUS
Accept - UN/PW are valid
Reject - UN/PW not valid
Challenge -The RADIUS server requests additional info
Change password - user should select new PW
What are the different RADIUS responses and their meaning
Remember: RADIUS encrypts only the PW in the access-request packet, from the client to the server; the remainder of the packet is unencrypted.
router(config)# aaa new-model
what command will enable AAA services
the aaa new-model command immediately applies local authentication to all lines and interfaces except con 0. So to avoid being locked out of the router you should define a local username and password before AAA configuration
user awareness
training
physical security
what are the 3 elements to a security program
router(config)# aaa new-model
router(config)# username Mike password Password
router(config)# radius server SecureLogin
router(config-radius-server)# address ipv4 10.10.10.254
router(config-radius-server)# key MyRadiusPW
router(config)# aaa group server radius MyRadiusGroup
router(config-sg-radius)# server name SecureLogin
router(config)# aaa authentication login default group MyRadiusGroup local
Configure a RADIUS server named SecureLogin with an address of 10.10.10.254 and a key of MyRadiusPW. Set it up so that if the RADIUS server fails, the fallback is local authentication.
Understand that authentication and authorization are treated as separate processes in TACACS+.
router(config)# aaa new-model
router(config)# username Mike password Password
router(config)# tacacs server SecureLoginTACACS+
router(config-server-tacacs)# address ipv4 10.10.10.254
router(config-server-tacacs)# key MyTACACS+PW
router(config)# aaa group server tacacs+ MyTACACS+Group
router(config-sg-tacacs+)# server name SecureLoginTACACS+
router(config)# aaa authentication login default group MyTACACS+Group local
Configure a TACACS+ server named SecureLoginTACACS+ with an address of 10.10.10.254 and a key of TACACS+PW. Set it up so that if the TACACS+ server fails, the fallback is local authentication.
A text document that ties a user account to a public and private key pair created by a certificate server or certificate authority.
It provides an entity with the credentials to prove its identity and associates that identity with a public key. At a minimum a digital ______ must provide the serial number, the issuer, the subject (owner) and the public key.
Certificate
by something they know (PW)
by something they are (retina, fingerprint facial recognition)
by something they possess (smart card)
by somewhere they are (location)
by something they do (behavior)
How can user be identified
_____ uses unique biological and behavioral traits to identify and authenticate individuals, offering a more secure and convenient alternative to traditional methods like passwords or PINs
biometric
Public Key Infrastructure is a system that links users to public keys and verifies a user's identity by using a CA (Certificate Authority). _______ encryption operates through asymmetric cryptography, meaning that different keys are used to encrypt and decrypt the message.
PKI
an organization responsible for validating user IDs and issuing unique identifiers (certificates) to confirm that an individual's identity can really be trusted
Certificate Authority
CA
a security system created by MIT that establishes a user's identity when they first log on to a system. It employs strong encryption for all transactions and communications, and it is readily available. _____ uses tickets that expire quickly but automatically refresh as long as the user is logged in. With ______ all users must have synchronized clocks. The secret keys are stored in an encrypted state.
Kerberos
Enable only SSH on the VTY lines
rtr(config)# line vty 0 4
rtr(config-line)# transport input ssh
This disables Telnet and enables only SSH
also called hijacking; takes advantage of TCP when a user believes they are sending packets to a valid host when they are actually sending them to a hijacker.
session hijacking/replaying can be defended against by using strong authentication and encrypted management protocols.
Session replay
strong, complex passwords that expire, screen saver passwords and BIOS passwords
A good organizational password policy would include…
A Port Security
C Dynamic ARP Inspection
which of the following will mitigate access layer threats?
A Port Security
B Access Lists
C Dynamic ARP Inspection
D AAA
B DHCP Snooping is required in order to build the MAC to IP binding for DAI validation
What is true of DAI (Dynamic ARP Inspection)
A It must use TCP, BootP and DHCP snooping in order to work
B DHCP Snooping is required in order to build the MAC to IP binding for DAI validation
C DAI is required in order to build the MAC to IP which protects against man in the middle attacks
D DAI tracks ICMP to MAC binding from DHCP
Client
Authenticator
Authentication Server
What are the 3 roles for 802.1x standard ?
C Session Replay
E SNMP
F SMTP
Which of the following are examples of a TCP/IP weakness? (choose 3)
A Trojan Horse
B HTML attack
C Session Replay
D Application layer attack
E SNMP
F SMTP
B TCP Intercept
Which Cisco IOS feature would you use to protect a TCP server from TCP SYN-flooding attacks?
A Rerouting
B TCP Intercept
C Access Control List
D Encryption
B E G
With Cisco Lock and Key along with CHAP and TACACS+ you can create a more secure network and help stop unauthorized access
Which of the following can be used to counter unauthorized access attempts (choose 3)
A Encrypting data
B Cisco Lock and Key
C Access List
D PAP
E CHAP
F IKE
G TACACS+
Proxy ARP
Proxy ARP is a networking technique where a router or switch responds to Address Resolution Protocol (ARP) requests on behalf of other devices, essentially acting as a proxy for resolving IP addresses to MAC addresses
A category of protocols that provides redundancy for the default gateway, ensuring that hosts always have an available gateway even if the primary router fails
First Hop Redundancy Protocol works by giving you a way to configure more than one physical router to appear as if they were only a single logical one.
FHRP
Fault-tolerant solutions ensure continued operation in the event of a device failure, and load-balancing solutions distribute the workload over multiple devices.
HSRP
Cisco proprietary protocol that provides a redundant gateway for hosts on a local subnet.
HSRP allows you to configure 2 or more routers into a standby group that shares an IP and MAC address and provides a default gateway. Because the IP and MAC are independent from the routers' physical addresses (on a virtual interface), the routers can swap control of the address if the current active router fails.
Active router
Standby router
Virtual router
Other routers
HSRP standby groups contain which routers?
What are the HSRP timers?
hello timer - default is 3 seconds; hellos identify the state of each router
hold timer - specifies the interval the standby router uses to determine whether the active router is offline or out of communication. Default is 10 sec
active timer - monitors the state of the active router and resets whenever the standby group receives a Hello from the active router. Timer is based off the hold timer
standby timer - monitors the state of the standby router and resets whenever a router in the standby group receives a Hello from the standby router. Timer is based off the hold timer.
The physical router that receives data sent to the virtual router. The active router processes the data that's being forwarded and will also answer any ARP requests destined for the virtual router.
Active Router
Standby routers
backup to the active router. It monitors the active router and quickly takes over if the active router fails or loses communication
In HSRP it is nothing more than an IP and MAC that packets are sent to. It is not a physical entity.
Virtual Router
Any router in the HSRP standby group that is not active or standby. There can be up to 255 per group. They monitor Hello messages to ensure the active/standby routers exist. They will forward data that is specifically addressed to their own IP. These routers send "speak" messages based on the Hello timer interval that inform other routers of their position in an election
Other Routers
The default priority is 100 for a router with HSRP interface tracking enabled. If a tracked interface goes down, the priority value is decremented, making that router less desirable in an election.
What is the default priority of a router with an HSRP interface? What happens to the priority if a tracked interface goes down?
standby <group#> ip <virtual_ip>
the group # and virtual IP must be the same on both routers configured for HSRP
What's the simple command to configure HSRP?
What command will force an HSRP election in group 1?
rtr(config-if)#standby 1 preempt
show standby
show standby brief
How do you verify HSRP?
Things to look for when troubleshooting HSRP:
different HSRP virtual IPs configured on peers
different HSRP groups configured on the peers
different HSRP versions configured on the peers, or ports are blocked
HSRP and GLBP (Gateway Load Balancing Protocol) are Cisco proprietary.
VRRP (Virtual Router Redundancy Protocol) is not
What are the different FHRPs and which are Cisco proprietary?
The first 24 bits identify the vendor who manufactured the device (OUI). The next 16 bits tell us that the MAC address is a well-known HSRP MAC address. The last 8 bits of the address are a hexadecimal representation of the HSRP group number.
0000.0c07.ac0a
Describe HSRP virtual MAC.
What are the different HSRP states?
INIT
Learn
Listen
Speak
Standby
Active
INIT
An HSRP state where HSRP is not running.
Learn
An HSRP state where the router has not determined the virtual IP and has not seen an authenticated Hello message. The router waits to hear from the active router.
Listen
An HSRP state where the router knows the virtual IP, but the router is not the active or standby router.
Standby
An HSRP state where the router is a candidate to be the next active router. Sends periodic Hello messages.
Speak
An HSRP state where a router sends periodic Hello messages and actively participates in the election of the active/standby routers. A router cannot enter the Speak state unless the router has the virtual IP.
Active
An HSRP state where a router currently forwards packets that are sent to the group virtual MAC address. The router sends periodic Hello messages.
In HSRP ver 1, HSRP messages are sent to multicast address 224.0.0.2 with UDP port 1985. In HSRP ver 2, the HSRP messages are sent to multicast address 224.0.0.102 with UDP port 1985.
These IP addresses and ports need to be permitted in the inbound access list. If the packets are blocked, the peers won't see each other and there will be no HSRP redundancy.
Which of the following are HSRP states (choose 2)?
A INIT
B Active
C Established
D Idle
A INIT
B Active
Which of the following statements is true about HSRP ver 1 hello packets?
A HSRP hello packets are sent to multicast address 224.0.0.5
B HSRP hello packets are sent to multicast address 224.0.0.2 with TCP port 1985
C HSRP hello packets are sent to multicast address 224.0.0.2 with UDP port 1985
D HSRP hello packets are sent to multicast address 224.0.0.10 with TCP port 1986
C HSRP hello packets are sent to multicast address 224.0.0.2 with UDP port 1985
What’s the multicast and port number for HSRP ver 2?
224.0.0.2 UDP port 1985