CCNA Security Portable Command Guide. At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. CCNA Security (IINSv2) Exam Updates. eBook versions of the text: a PDF version and an EPUB version for reading on your
Develop a written security policy for the company. Technical controls involve electronics. A user wants to sign some data. Crackers (criminal hackers): A cipher-text-only attack: Jon Ne Win.
The network can intelligently evolve and adapt to the threats. Collaboration occurs among the services and devices throughout the network. Every element is a point of defense.
Models include the Series. Router Security Principles Following are three areas of router security: This section details exactly how you must do this. To create username and password entries in the local accounts database. To configure idle timeouts for router lines. These commands can be used: You must password-protect your router. To encrypt the passwords that are clear text. You can also configure minimum password lengths with the security passwords min-length length command.
STEP 6. These views contain the specific commands available for different administrators. These protected files do not appear in a dir listing of flash. Perimeter Security Setting Multiple Privilege Levels You can configure multiple privilege levels on the router for different levels of your administrators. Use the enable view command to enable the feature. STEP 2. Using this approach. Use the parser view view-name command to create a new view.
To assign privileges to levels 2 through Use the secret command to assign a password to the view. STEP 5. STEP 7. Enable AAA. STEP 1. Level 0 is reserved for user-level access privileges. There are 16 privilege levels. The secure boot-image command protects the IOS image. Verify using the enable view command. STEP 3. To configure role-based CLI. To see these protected files.
STEP 4. Perimeter Security Enhanced Security for Virtual Logins The following commands have been added to enhance security for virtual logins: Banner Messages Banner messages are important. With these messages. The devices that match a permit statement in the ACL are exempt from the quiet period. This command is mandatory.
If the router is an existing router and is not configured with the CCP default configuration. To launch CCP from the router flash memory. These features include Communities.
Many of these options lead to a wizard that aids in the configuration. Building Blocks for Ease of Management There are some new additions to the Cisco Configuration Professional that directly address the ease of management for larger environments.
This section details the use of these services with a local database on the router or switch. These appear on the top button bar. When you click either Configure or Monitor. Groups of devices that share common components Templates: Navigating in CCP Home. Accounting tracks what users do. Use the clear aaa local user lockout command in privileged EXEC mode to unlock a locked-out user. The two modes are character mode when the user tries to connect to the router for admin.
To display the attributes collected for a AAA session. Authorization dictates what these users can do after they are authenticated.
To display a list of all locked-out users. You can make additional settings at the command line. To configure in CCP. Perimeter Security Authentication. Cisco provides four methods to implement AAA: CCP uses the following commands on the router: Perimeter Security mode. The username command adds a username and password to the local security database. Of the two. You can use the show aaa sessions command to show the unique ID of a session. To display information about AAA authentication.
New in ACS 5. Rule-based policies provide a more flexible approach that can match on a variety of access conditions found in current networks. Add router as AAA client. Implementing Secure Management and Reporting Management traffic is often a necessity in the network infrastructure. Create an identity policy.
This section details how to ensure that this traffic does not represent a security breach. Create an authorization policy. This would include access. Rule-Based Policies You can use this system to grant permissions on conditions other than the identity alone. To configure this rule-based approach in ACS. The Architecture for Secure Management and Reporting The information flow between management hosts and the managed devices can take two paths: Out-of-band (OOB): OOB Management Guidelines Help ensure that management traffic is not intercepted on the production network.
Apply only to those devices that truly need to be managed in this manner. Decide whether monitoring needs to be constant or periodic.
Syslog
Syslog is the current standard for logging system events in a Cisco infrastructure. It is the most popular option for storing Cisco router log messages. Figure shows the various Cisco log severity levels. Cisco router log messages contain three main parts:
Severity-level descriptions, as listed in the figure:
A panic condition normally broadcast to all users
A condition that should be corrected immediately, such as a corrupted system database
Critical conditions; for example, hard device errors
Warning messages
Conditions that are not error conditions, but should possibly be handled specially
Informational messages
Messages that contain information normally of use only when debugging a program
This offers little to no security. SNMP 3 uses a combination of authenticating and encrypting packets over the network to provide secure access to devices.
SNMP 3 provides message integrity, authentication, and encryption. SNMP 3 supports all three of the following security levels: Community string auth: When actually implemented on a router, these levels can be combined. For example, authPriv enables the use of authentication and encryption.
Cisco IOS Release The Cisco router acts as the SSH server, and the client must be acquired to connect to the server. A sample client is PuTTY. To use the command line for the configuration, follow these steps: If there are any existing key pairs, overwrite them using the command crypto key zeroize rsa. Enable vty inbound SSH sessions; use the transport input ssh command.
Locking Down the Router Cisco provides two powerful methods for locking down the router. This means disabling or protecting unused services, and making other configuration changes necessary for a secure network infrastructure. This provides a secure end-to-end solution for internetworking.
Following are some distinctions between the two approaches: To access this feature. Secure each protocol in transition approaches. Consider current and future security enhancements. IPv6 has some new vulnerabilities: Header extensions can be exploited. Control the use of tunneling. Tunneling and dual stacking become vulnerabilities. Advantages of these firewalls include the following: Be the only transit point.
Enforce the access control policy of the organization. This section details their evolution and the technologies that have resulted. Application layer firewalls offer advantages: Proxy services are specific to the protocol that they are designed to forward and can provide increased access control. Application Layer Gateways Application layer firewalls (also called proxy firewalls or application gateways) operate at Layers 3. Unlike static packet filtering. Stateful packet filtering maintains a state table and allows modification to the security rules dynamically.
The state table is part of the internal structure of the firewall. It tracks all sessions and inspects all packets passing through the firewall. Does not support user authentication. Not all protocols are stateful. Some applications open multiple connections.
Although this is the primary Cisco Firewall technology. Advantages include the following: Firewalls are the primary security device. Practice change management. Outbound ACLs: Incoming packets are routed to the outbound interface and then are processed through the outbound ACL. If there is no matching permit or deny statement and the entire access list has been processed.
Extended ACLs: Check both the source and destination packet addresses. Cisco Security Monitoring. Check the source addresses of packets that can be routed.
Incoming packets are processed before they are routed to an outbound interface. Every ACL should have at least one permit statement.
You should create the ACL before applying it to an interface. Unless you end your ACL with an explicit permit any statement. Only one ACL per protocol. Your ACL should be organized to allow processing from the top down.
Named ACLs: If you apply an ACL to an interface. Follow these guidelines with ACLs: An administrator wants to match the subnets Instead of Wildcard mask bit 0: Match the corresponding bit value in the address.
Figure shows an example of wildcard masking. The first two octets of the wildcard mask will be 0. For the third octet. Wildcard mask bit 1: Ignore the corresponding bit value in the address. You can match on the extension headers.
The syntax is ipv6 traffic-filter to assign to the interface and ipv6 access-list to create. This new model presented the Cisco IOS zone-based policy. Policies are applied between zones. Application inspection.
This section details this new technology. Combining service lists with network and host address lists is allowed. Default deny-all policy.
DoS mitigation. From the Create Firewall tab.
Policies may be made up of combinations of the following: Analogous to a deny statement in an ACL Pass: Unidirectional policy between zones. Overview Cryptology is the science of making and breaking secret codes. A chosen-plain-text attack: The attacker chooses what data the encryption device encrypts and observes the cipher-text output. The attacker uses a brute-force attack to try keys until decryption with the correct key produces a meaningful result.
A known-plain-text (the usual brute-force) attack: The attacker has access to the cipher text of several messages but also knows something about the plain text underlying that cipher text.
A cipher-text-only attack: The attacker has the cipher text of several messages but no knowledge of the underlying plain text.
You should understand these principles before studying VPN technologies. The attacker must deduce the key or keys used to encrypt the messages to decrypt other messages encrypted with the same keys. Cryptanalysis is the practice of breaking codes to obtain the meaning of encrypted data.
Following are examples of attacks: The attacker tries every possible key with the decryption algorithm. A cipher is an algorithm for performing encryption and decryption. Support variable and long key lengths and scalability.
Symmetric and Asymmetric Encryption Algorithms
Following are two classes of encryption algorithms. Symmetric encryption algorithms: Same key to encrypt and decrypt data. Asymmetric encryption algorithms: Different keys to encrypt and decrypt data. The following are well-known encryption algorithms that use symmetric keys:
The attacker can choose different cipher texts to be decrypted and has access to the decrypted plain text. Create an avalanche effect. Birthday attack: A form of brute-force attack against hash functions.
Following are features that good encryption algorithms provide: Do not have export or import restrictions. Meet-in-the-middle attack: The attacker knows a portion of the plain text and the corresponding cipher text.
With a stream cipher. RC4 is a common stream cipher. DES has a block size of 64 bits.
Applying the reverse transformation to the cipher-text block. The best-known asymmetric cryptographic algorithms follow: Unlike block ciphers. Data of arbitrary length is input into the hash function. The user makes an outbound connection to TCP port The router software can easily decrypt the packet using its private key. The key is used to encrypt the SSL session.
Now both participants in the session know the shared secret key. The user computer generates a shared-secret symmetric key that both parties use. Key Management Key management consists of the following components: The shared secret is encrypted with the public key of the router and transmitted to the router. Guidelines for DES usage include the following: Lengths of 80 bits or longer are considered trusted. This section describes this important technology. DES This encryption algorithm typically operates in block mode.
Test a key to see whether it is weak before using it. DES uses two standardized block cipher modes: Serially encrypts each bit plain-text block using the same bit key. Key Lengths Symmetric encryption algorithms typically use keys of length 40 to bits.
Use a secure channel to communicate the DES key from the sender to the receiver. Restrictions for SEAL include the following: This feature is available only on Cisco equipment. The Cisco router and the other peer must support the k9 subsystem. AES is more suitable for high-throughput. Both block length and key length can be extended easily in multiples of 32 bits. Rivest Ciphers Widely used RC algorithms include the following: SEAL encryption uses a bit encryption key and has less impact on the CPU compared to other software-based algorithms.
This provides nine different combinations of key length and block length. Cisco IOS routers use hashing with secret keys to add authentication information to routing protocol updates.
A fast block cipher that has variable block size and variable key size. RC6: A block cipher designed by Rivest. The message length is also encoded into the digest. Hashing can also be used in a feedback-like mode to encrypt data.
MD5 MD5 is a one-way function that makes it easy to compute a hash from the given input data but makes it unfeasible to compute input data given only a hash. Consider using MD5 only if speed is an issue. The output of the algorithm is a set of four bit blocks. The bit blocks are divided into 16 bit sub-blocks.
Protect HMAC secret keys. These blocks are then rearranged with simple operations in a main loop.
Best practices include the following: The input is a data block plus a feedback of previous blocks. The algorithm is slightly slower than MD5. There are also The sending device attaches the digital signature to the message and sends the message to the receiver. Based on the input data and a signature key.
Some of the service-provider-oriented voice management protocols use digital signatures to authenticate the involved parties. The user uses a signature algorithm with a personal signature key. A user wants to sign some data. Cisco products use digital signatures for entity-authentication.
If the check is successful. The receiving device inputs the message. The RSA algorithm is based on the fact that each entity has two keys. RSA is mainly used for two services: User A transmits the encrypted message. User B uses his private key to decrypt. The public key can be published.
This binds the name of the security entity with its public key. It provides the following in the network: The standard has been widely used with many Internet applications.
A document that has been signed by the CA.
Two important PKI terms follow: The trusted third party that signs the public keys of entities in a PKI-based system. The CA may be a single entity. IPsec is extremely scalable. Security is provided at the network layer.
IPsec features two main framework protocols. IPsec Overview IPsec has many advantages. Tunnel mode: Encapsulates the original IP header and creates a new IP header that is sent unencrypted across the untrusted network.
Security is provided only for the transport layer and above. Transport mode protects the payload of the packet but leaves the original IP address in the clear. An IKE session begins with one computer sending a proposal to another computer. Additional service negotiations occur in IKE Phase 1.
Aggressive mode: Two IPsec peers perform the initial negotiation of SAs. IKE Phase 2: Quick mode: Similar to aggressive mode IKE negotiation. The negotiation of the shared policy determines how the IPsec tunnel is established.
In IKE Phase 2. Create a crypto ACL. In IKE Phase 1. Ensure that existing access lists are compatible with IPsec. Operations VPN negotiation occurs as follows: After the peers are authenticated. The IPsec tunnel is created.
Site-to-Site VPNs 5. The crypto map is applied to the outgoing interface of the VPN device. Create and apply a crypto map. Detection cannot prevent these attacks from occurring.
This action might be to alert the network administrator via an automated notification. Sensors operating using intrusion detection run in promiscuous mode. You might add this powerful tool to your network via a dedicated hardware appliance known as a sensor. However you decide to implement the technology. Intrusion prevention is more powerful in that potential threats and attacks can be stopped from entering your network.
Detection cannot prevent the attacks because it operates on copies of packets. Prevention is possible by the sensor because it operates inline with packet flows. Intrusion Prevention Versus Intrusion Detection Intrusion detection is powerful in that you can be notified when potential problems or attacks are introduced into your network.
False Positive A false positive means that an alert has been triggered. False Negative A false negative occurs when attack traffic does not trigger an alert on the IPS device. An attacker might enter invalid characters in an attempt to corrupt the underlying database. This is often viewed as the worst type of false alarm. Exploit An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems.
This type of traffic is often referred to as benign traffic.
Both are unwanted. Vulnerability A vulnerability is a weakness that compromises the security or functionality of a particular system in your network. There are two types of these alarms: An example of a vulnerability is a web form on your public website that does not adequately filter inputs and guard against improper data entry. True Negative This means that nonoffending or benign traffic did not trigger an alarm. This means that a device (often a switch) captures traffic for the sensor and forwards a copy for analysis to the sensor.
True Positive A true positive means that an attack was recognized and responded to by the IPS device. Both true positives and true negatives are wanted.
This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet). This is because the IPS device is in the actual traffic path. Figure shows an example of a promiscuous mode IDS implementation. If a Cisco IPS device operates in inline mode. Because the device works with a copy of the traffic.
Figure shows an example of inline mode IPS. It can detect an attack and send an alert and take other actions. This pair of interfaces acts as a transparent Layer 2 structure that can drop an attack that fires a signature.
This is an example of an inline configuration in which only intrusion detection is performed. This enables one segment to be monitored for intrusion detection only. This type of approach is also known as pattern matching. Because it can be so difficult to define what is normal activity for a given network. The two common types of anomaly-based IPS are statistical anomaly detection and nonstatistical. As different types of attacks are created.
Alarms are triggered if activities are detected that violate the security policy coded by the organization. This is much less prone to false positives and ensures that IPS devices are stopping common threats. Signature-Based Although Cisco uses a blend of detection and prevention technologies. This section describes these various approaches.
Cisco releases signatures that are added to the device that identify a pattern that the most common attacks present. Signature-based focuses on stopping common attacks. The statistical approach learns about the traffic patterns on the network. Policy-Based With this type of technology. Obfuscation is one way in which control characters. Another string match type of evasive technique is to just change the case of the string.
Session In this type of attack. String Match In this type of attack. Fragmentation adds a layer of complexity for the sensor. Most signatures examine rather common settings. You can use TCP segment reassembly to combat this evasive measure.
Fragmentation With this evasive measure. Because this method of foiling the IPS device exists. Encryption-Based This is an effective means to have attacks enter the network. The encrypted attack cannot be detected by the IPS device. Unlike the insertion attack. The attacker sends the attack via an encrypted session.
Evasion With this type of evasive technique. The end system ignores the harmless data and processes only the attack data. With this evasive procedure. Resource Exhaustion Another evasive approach is to just overwhelm the sensor.
The IPS sensor does not fire an alert based on the harmless data. Anomaly detection: It works in passive mode so as not to impact traffic flow.
Select the interface s to apply the IPS rule. You have been given the assignment to deploy a Cisco IPS solution. Select the traffic flow direction that should be applied by the IPS rule. Choose four. It supports the complete signature database as a Cisco IPS sensor appliance. Specify the configuration location and select the category of signatures to be applied to the selected interface s. The signature database is tied closely with the Cisco IOS image.
The authentication process uses hashing technologies. Asymmetric algorithms are used for authentication and key exchange. The application programming interface can be used to modify extensively the SSL client software for use in special applications. Tunnel mode is used between a host and a security gateway. Transport mode leaves the original IP header in the clear. Tunnel mode only encrypts and authenticates the data.
The sender encrypts the data using the sender's private key. Transport mode authenticates the IP header. Tunnel mode is used between two security gateways. It is used within the IKE Phase 1 exchange to provide peer authentication. The sender encrypts the data using the sender's public key. The sender encrypts the data using the receiver's private key. It uses asymmetrical encryption to provide authentication over an unsecured communications channel.
The sender encrypts the data using the receiver's public key. It provides a way for two peers to establish a shared-secret key. It uses symmetrical encryption to provide data confidentiality over an unsecured communications channel. When the router boots up. The Cisco IOS image file is not visible in the output from the show flash command.
The show version command does not show the Cisco IOS image file location. They use different keys for encryption and decryption of data. Which statement about asymmetric encryption algorithms is true? They use the same key for decryption but different keys for encryption of data. Which four configurations are required with no defaults? They use the same key for encryption and decryption of data.
They use different keys for decryption but the same key for encryption of data. Perform quantitative risk analysis. Determine device risk scores. Implement a security monitoring system. Perform penetration testing. Standard ACLs are processed first. The best match ACL is matched first. ACLs are matched from top down. Neither switch would assume the role of root bridge because they have the same default priority.
Native VLANs for trunk ports should be tagged with Which switch is designated as the root bridge in this topology? It depends on which switch came on line first. Native VLANs for trunk ports should never be used anywhere else on the switch. Cisco AIM C. Cisco iSDM B. The port is shut down. If an access list is applied but it is not configured.
The violation mode of the port is set to restrict. ACLs always search for the most specific entry before taking any filtering action. The port remains enabled. Router-generated packets cannot be filtered by ACLs on the router.
The Cisco ASA appliance supports user-based access control using Which four TCP packets sourced from Which state must a signature be in before any actions can be taken when an attack matches that signature? Which three statements about these three show outputs are true? Traffic matched by ACL is encrypted. The sender encrypts the message using the sender's public key.
The sender encrypts the message using the sender's private key. The sender encrypts the message using the receiver's public key. The sender encrypts the message using the receiver's private key. The initiating connection request was being spoofed by a different source address. Which statement about this debug output is true? A VLAN provides individual port security. Build ACLs based upon your security policy. Synchronize clocks on hosts and devices. Place deny statements near the top of the ACL to prevent unwanted traffic from passing through the router.
Always put the ACL closest to the source of origination. Implement telnet for encrypted device management access. Implement in-band management whenever possible. Always test ACLs in a small. Ports in a VLAN will not share broadcasts amongst physically separate switches. Implement management plane protection using routing protocol authentication. HSRP D. STP Correct Answer: They are not scanned or processed. They do not take any actions.
They still consume router resources. They are considered to be "retired" signatures. You are the security admin for a small company. Using CCP. Choose four A. Network Then click the Add button. Enter the Server IP address and source interface and key information as specified. ACL Editor. Hit OK. Also be sure to click the Prefer button.
For the access rule portion: Click on Router. Then ensure that permit is selected and that source and destination boxes both say Any IP Address They should already. Then click add button again. Then enter Inbound for the name and make sure rule is extended. Select the outside interface and select the inbound direction. Then click Add at the rule entry. For the NTP portion: Click Add button. All vty ports are automatically enabled for SSH to provide secure management.
You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command. The SSH protocol is automatically enabled. You must then zeroize the keys to reset secure shell before configuring other parameters. The show version command will not show the Cisco IOS image file location.
Based on the Syslog message shown. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers. Host-based IPS can work in promiscuous mode or inline mode. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers. This is a normal system-generated information message and does not require further investigation. Service timestamps have been globally enabled.
This message is a level 5 notification message. The Cisco IOS image file will not be visible in the output from the show flash command. This message is unimportant and can be ignored. You are looking at your Syslog server reports. You are a network manager for your organization. The login block-for command is configured to block login hosts for 93 seconds.
All logins from any sources are blocked for another seconds. Three or more login requests have failed within the last seconds. Which statement is correct based on the show login command output shown?
Configure the Cisco ACS server to forward authentication of users to an external user database. When the router goes into quiet mode. A zone-pair is bidirectional because it specifies traffic flowing among the interfaces within the zone-pair in both directions.
A router interface can belong to multiple zones. The pass action works in only one direction. Router management interfaces must be manually assigned to the self zone. Service policies are applied in the interface configuration mode.
Policy maps are used to classify traffic into different traffic classes. Based on the show policy-map type inspect zone-pair session command output shown. This is an outbound policy applied to traffic sourced from the more secured zone destined to the less secured zone.
TCP sequencing information. All non-HTTP traffic will be inspected. All packets will be dropped since the class-default traffic class is matching all traffic. This is an inbound policy applied to traffic sourced from the less secured zone destined to the more secured zone. The ACL must be applied to each vty line individually. Create a parser view called "root view." The ACL is applied to the Telnet port with the ip access-group command. Create a root local user in the local database. Which statement about the aaa configurations is true?
Enable AAA authentication and authorization using the local database. Enable the root view on the router. Log in to the router as the root user.