preplogic ccna security megaguide

Upload: salma-swaidan

Post on 14-Apr-2018


7/29/2019 PrepLogic CCNA Security MegaGuide 1/78

www.CareerCert.info
Mega Guide • CCNA Security (640-553 IINS) • www.preplogic.com • 1-800-418-678

PrepLogic Practice Exams • Video Training • Mega Guides • Printables • Audio Training

CCNA Security (640-533 IINS) Mega Guide
Copyright 2009 by PrepLogic, LLC.
Product ID: 012203
Production Date: December 10, 2009

All rights reserved. No part of this document shall be stored in a retrieval system or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein.

Warning and Disclaimer
Every effort has been made to make this document as complete and as accurate as possible, but no warranty or fitness is implied. The publisher and authors assume no responsibility for errors or omissions. The information provided is on an "as is" basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this document.

Volume, Corporate, and Educational Sales
PrepLogic offers favorable discounts on all products when ordered in quantity. For more information, please contact PrepLogic directly: [email protected]


Contents

Domain 1 - Describe the security threats facing modern network infrastructures . . . 7
  Basics . . . 7
  Classification . . . 7
    Government and Military Model
    Organizational Model
    Roles
  Security Controls . . . 8
    Control Classification
  Law . . . 8
  Attack Categories . . . 9
  IP Spoofing Attacks . . . 9
    IP Source Routing
    Prevention
  Confidentiality Attacks . . . 10
  Integrity Attacks . . . 10
  Availability Attacks . . . 11
  System Development Life Cycle (SDLC) . . . 11
  Backup Sites . . . 12
  Security Policy . . . 13
    Security Policy Components
    Risk Analysis
    Risk Mitigation
  Security Awareness . . . 14
  Cisco Self-Defending Network . . . 15
    Core Characteristics
  Cisco Integrated Security Products . . . 15

Domain 2 - Secure Cisco routers . . . 15
  Security Device Manager (SDM) . . . 15
    Security Audit
  Securing Passwords . . . 17
    Enable Password
    Enable Secret Password
    Line Passwords
    Local User Passwords
    Password Recovery
    Configuring Cisco Password Encryption
    Configuring Miscellaneous Password Parameters
  Privilege Levels . . . 19
  Role-Based CLI . . . 20
  Securing IOS Images and Configuration Files . . . 20

Domain 3 - Implement AAA on Cisco routers using local router database and external ACS . . . 21
  Authentication, Authorization and Accounting (AAA) . . . 21
  AAA Configuration . . . 21
    Authorization
    Accounting
    AAA Debug
  SDM AAA Configuration . . . 27
  TACACS+ and RADIUS . . . 31
    TACACS+ Responses
    TACACS+ Attributes
    RADIUS Message Types
    RADIUS Attributes
  AAA Server Configuration . . . 32
    TACACS+ Configuration
    RADIUS Configuration
    SDM TACACS+/RADIUS Server Configuration
  Cisco Secure ACS . . . 34
    Cisco Secure ACS Requirements
    Cisco Secure ACS Connections

Domain 4 - Mitigate threats to Cisco routers and networks using ACLs . . . 35
  Access Lists Types . . . 35
  Access List Configuration . . . 35
    SDM Access-list Configuration
  Access List Caveats . . . 40
  Preventing IP Spoofing . . . 40

Domain 5 - Implement secure network management and reporting . . . 41
  Secure Management and Reporting Planning . . . 41
  Secure Management Architecture . . . 41
  Secure Shell . . . 41
    Configuring Secure Shell
    Configuring SSH with SDM
  Syslog . . . 46
    Configuring Syslog
    Configuring Syslog with SDM
  Simple Network Management Protocol (SNMP) . . . 48
    SNMP Components
    SNMP Message Types
    SNMP Security Levels
    Configuring SNMP
    Configuring SNMP with SDM
  Network Time Protocol (NTP) . . . 51
    Configuring NTP
    Configuring NTP with SDM

Domain 6 - Mitigate common Layer 2 attacks . . . 52
  VLAN Hopping . . . 52
  Configuring VLAN Hopping prevention . . . 52
    Switch Spoofing
    Double Tagging
  Root Guard . . . 53
  Configuring Root Guard . . . 53
  Portfast . . . 53
  Configuring Portfast . . . 54
  BPDU Guard . . . 54
  Configuring BPDU Guard . . . 54
  DHCP Snooping . . . 54
  Configuring DHCP Snooping . . . 54
  Dynamic ARP Inspection (DAI) . . . 55
  Configuring DAI . . . 55
  Port Security . . . 55
    Port Violation Behaviors
    Secure MAC Address Types
  Configuring Port Security . . . 56

Domain 7 - Implement the Cisco IOS firewall feature set using SDM . . . 57

Domain 8 - Implement the Cisco IOS IPS feature set using SDM . . . 61

Domain 9 - Implement site-to-site VPNs on Cisco Routers using SDM . . . 64

Practice Questions . . . 67

Answers & Explanations . . . 72


Domain 1 - Describe the security threats facing modern network infrastructures

Basics

The first thing that must be clear when studying for any security exam is the basics of what network security is about. There are three main goals which are defined to achieve network security:

• Confidentiality: In order to achieve confidentiality, the data being held or transferred is kept private.
• Integrity: In order to achieve integrity, the data must be ensured to be unmodified.
• Availability: In order to achieve availability, data must remain accessible to anyone trying to access it.

Classification

Organizations can benefit from structuring their own data classification model after pre-existing models. There are two main classification models which are used to classify data:

• Government and Military Model
• Organizational Model

Government and Military Model

The following classifications are used by both the government and the military. These different classifications include:

• Unclassified: Data which has few or no privacy requirements.
• Sensitive but unclassified: Data which could be embarrassing but is not a security threat.
• Confidential: Data which has a reasonable probability of causing damage if disclosed.
• Secret: Data which has a reasonable probability of causing serious damage if disclosed.
• Top-Secret: Data which has a reasonable probability of causing exceptionally grave damage if disclosed.

Organizational Model

The following classifications are used by private organizations:

• Public: Data which can be made available.
• Sensitive: Data which could be embarrassing but is not a security threat.
• Private: Data which should be kept secret inside the organization.
• Confidential: Data which is sensitive and should be kept secret inside the organization.


Roles

Members of an organization assume a number of different roles as they relate to security, including:

• Owner: The owner initially determines the classification levels of the data and reviews the procedures for classifying data. The owner then passes responsibility for data protection to the custodian.
• Custodian: The custodian takes care of the data, including the backup and restoration of data and the verification of data integrity. The custodian is also responsible for following policy in maintaining data.
• User: The user accesses and uses the data per policy guidelines and takes measures to protect the data according to the security policy established by the owner and maintained by the custodian.

Security Controls

There are a number of controls which can be implemented to maintain a secure solution. These are split into three types, including:

• Administrative Controls: These controls are policy-centric and include clear security policies and good security awareness training.
• Physical Controls: These controls maintain a secure environment and prevent potential physical attacks.
• Technical Controls: These controls include both hardware and software solutions which are implemented to protect data. This is the type of control which is the focus of this exam.

Control Classification

Each of the three different security control types can be further classified into one of three types:

• Preventive: This type attempts to prevent access to data or systems which contain data.
• Deterrent: This type attempts to prevent data access by discouraging a potential attacker from launching the attack.
• Detective: This type attempts to detect when either the data is accessed or when the system containing the data is accessed.

Law

In most countries legal issues are separated into three major categories, including:

• Criminal Law: Criminal law involves crimes which have been committed that may result in fines and/or imprisonment.
• Civil Law: Civil law involves wrongs which have been committed which are not considered crimes but may involve consequences including paying damages or cease and desist of illegal activity.
• Administrative Law: Administrative law involves the enforcement of regulations by the government agencies.


Attack Categories

Attacks can be categorized into five broad categories, including:

• Passive Attacks: This type of attack happens when the attacker passively listens to traffic and/or tries to decrypt captured packets. These are very hard to detect.
• Active Attacks: This type of attack happens when the attacker is actively sending traffic toward the network in an attempt to access unauthorized data. This type of attack is easy to detect.
• Close-In Attacks: This type of attack involves an attacker who is physically close to the target data equipment. The attacker can then take advantage of attack types which require physical access.
• Insider Attacks: This type of attack involves an attacker who is a legitimate user who tries to access unauthorized data.
• Distribution Attacks: This type of attack happens before equipment is distributed and involves the introduction of back doors which are taken advantage of once the equipment is at its destination.

IP Spoofing Attacks

The concept of IP spoofing is simple; it involves the faking of an IP address as being trusted by the target network. Obviously if an attacker is able to make the target system believe that they are coming from a trusted IP then attacks become easier, as external attack prevention is circumvented. There are two different types of IP spoofing attacks, which include:

• Nonblind spoofing: This type is an attack from the same IP subnet as the target, allowing packet capture tools to be used.
• Blind Spoofing: This type is an attack not from the same subnet. Often IP source routing is used when performing a blind spoofing attack.

IP Source Routing

IP source routing allows the attacking machine the ability to specify the exact return path of an IP packet. There are two different types of IP source routing which can be used, including:

• Loose: A source route which is loosely followed, as the routing equipment can change the path used.
• Strict: A source route which is strictly followed by using the exact sequence of hops specified.

Prevention

There are three main ways used to prevent IP spoofing attacks, including:

• Access Control Lists (ACL): ACLs can be used to prevent internal IP addresses from being used from an external interface. Internal traffic destined for external interfaces should be checked to ensure that the address being used is sourced from an internal IP address range.
• Link encryption: The use of link encryption prevents the attacker from capturing and reading packets to obtain useful data.
• Cryptographic authentication: If the parties involved in exchanging data are both authenticated to ensure identity, then an attack is highly unlikely.
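The two router-side checks just described, the anti-spoofing ACL on each interface and the rejection of source-routed packets, modelled in Python as an added example (this is not the guide's or Cisco's code). It parses a raw IPv4 header, flags LSRR (option type 131) and SSRR (option type 137) options, and applies the interface rule from the Prevention list; the internal prefixes, interface names and packet bytes are constructed for the example.

```python
"""Anti-spoofing interface check plus IPv4 source-route option detection.

Added example for this guide, not PrepLogic's or Cisco's own code. It models
in Python what an ingress/egress anti-spoofing ACL enforces: a packet arriving
on the external interface must not carry an internal source address, and a
packet leaving via the internal interface must carry one. It also inspects
the IPv4 options field for loose (LSRR) or strict (SSRR) source routes, which
a hardened router drops instead of honouring. All addresses and packets below
are constructed sample data.
"""
import ipaddress
import struct

IPV4_OPT_EOL = 0
IPV4_OPT_NOP = 1
IPV4_OPT_LSRR = 131  # Loose Source and Record Route
IPV4_OPT_SSRR = 137  # Strict Source and Record Route


def parse_ipv4(packet):
    """Return source, destination and any source-route options in the header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    routes = []
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPV4_OPT_EOL:
            break
        if kind == IPV4_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in (IPV4_OPT_LSRR, IPV4_OPT_SSRR):
            # Option layout: type, length, pointer, then 4-byte hop addresses.
            hops = opts[i + 3:i + length]
            route = [str(ipaddress.ip_address(hops[j:j + 4]))
                     for j in range(0, len(hops) - len(hops) % 4, 4)]
            routes.append(("loose" if kind == IPV4_OPT_LSRR else "strict", route))
        i += length
    return {"src": src, "dst": dst, "source_routes": routes}


class AntiSpoofFilter:
    """Interface-aware source address check, as an ACL pair would enforce it."""

    def __init__(self, internal_prefixes, drop_source_routed=True):
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]
        self.drop_source_routed = drop_source_routed

    def _is_internal(self, addr):
        return any(addr in net for net in self.internal)

    def evaluate(self, interface, packet):
        """interface is 'external' (inbound from outside) or 'internal' (outbound).

        Returns (verdict, reason) where verdict is 'permit' or 'deny'.
        """
        hdr = parse_ipv4(packet)
        src = hdr["src"]
        if self.drop_source_routed and hdr["source_routes"]:
            kind, hops = hdr["source_routes"][0]
            return "deny", "%s source route via %s" % (kind, hops)
        if interface == "external" and self._is_internal(src):
            return "deny", "internal source %s arrived on external interface" % src
        if interface == "internal" and not self._is_internal(src):
            return "deny", "non-internal source %s leaving internal interface" % src
        return "permit", "source address consistent with interface"


def build_ipv4(src, dst, options=b""):
    """Constructed IPv4 header (no payload, checksum left zero) for the example."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad with EOL bytes
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options


def lsrr_option(hops):
    """Constructed LSRR option: type 131, length, pointer=4, then hop addresses."""
    body = b"".join(ipaddress.ip_address(h).packed for h in hops)
    return bytes([IPV4_OPT_LSRR, 3 + len(body), 4]) + body


if __name__ == "__main__":
    acl = AntiSpoofFilter(["10.0.0.0/8", "192.168.0.0/16"])
    samples = [
        ("external", build_ipv4("10.1.2.3", "192.168.1.10")),        # spoofed internal
        ("external", build_ipv4("203.0.113.5", "192.168.1.10")),     # legitimate
        ("internal", build_ipv4("203.0.113.5", "198.51.100.7")),     # egress spoof
        ("external", build_ipv4("203.0.113.5", "192.168.1.10",
                                lsrr_option(["198.51.100.1", "10.0.0.1"]))),
    ]
    for iface, pkt in samples:
        print(iface, parse_ipv4(pkt)["src"], acl.evaluate(iface, pkt))
```

On Cisco IOS the option check corresponds to the global `no ip source-route`, and the address checks to the ingress and egress ACLs the guide covers in Domain 4.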


Confidentiality Attacks

There are a number of different attack strategies which can be used to affect the confidentiality of data. These include:

• Packet Capture: This is a simple strategy: capture target traffic in order to obtain information that could be used to affect the confidentiality of the target data.
• Ping Sweeps and Port Scans: These techniques can be used to map out a target's network and to figure out what services are being run on these machines. Ping sweeps are used to identify devices and port scans are used to verify active TCP/UDP ports.
• Dumpster Diving: This involves the sifting through of the target's trash in order to find confidential data.
• Electromagnetic Interference Interception: This involves the capture of data by utilizing the EMI which is a side effect on wire media.
• Wiretapping: This involves the capture of data through a physical tap of target wiring systems.
• Social Engineering: This involves the use of non-technical social techniques to obtain confidential data from unknowing individuals.
• Sending Information over Overt Channels: This involves the sending of data over a primary channel but obscured in some way; techniques include tunneling of data and steganography.
• Sending Information over Covert Channels: This involves the sending of data over a secondary, non-obvious channel.

Integrity Attacks

Integrity attacks focus on trying to change the data that is being sent in a way that is not noticed. There are a number of different types of integrity attacks, including:

• Salami Attack: A collection of small attacks that result in a larger attack.
• Data Diddling: The process of changing data before it is stored on a computing system.
• Trust Relationship Exploitation: Involves the exploitation of a device which has a trust relationship with the target.
• Password Attacks: Includes a number of different password exploitation attacks including Trojan horse programs, packet capture, keylogger programs, brute force, and dictionary attacks.
• Botnet: Involves the infection of remote machines that become drones or robots which can be used to source an attack. These robots are controlled remotely and focused on the target.
• Hijacking Sessions: Involves the hijacking of an already initiated user session; this way, the target still believes that the attacker is a legitimate user.


Availability Attacks

Availability attacks focus on affecting the availability of the target system. There are a number of different attacks which can be used to affect availability, including:

• Denial of Service (DoS): A Denial of Service attack involves the transmission of a large amount of data (flood) and/or requests which is used to consume the resources of the target system.
• Distributed Denial of Service (DDoS): A Distributed Denial of Service attack involves the same techniques as a normal DoS attack but from multiple sources. These sources are typically compromised systems which are used to direct multiple flows of traffic at the target.
• TCP SYN Flood: A TCP SYN flood involves the attack of a target system by attempting to consume the available TCP sessions on the target device. This is accomplished through beginning but not finalizing a TCP handshake with the target device.
• ICMP Attacks: There are a number of different ways to utilize ICMP in an attack. These attacks are typically DoS in nature.
• Electrical Disturbances: As all computing devices require an electrical source, the effect of many different electrical problems can affect availability. These include spikes, surges, blackouts, and brownouts, among others. These types of attacks can be mitigated through the use of uninterruptable power supplies, power conditioners, and generators.
• Physical Environment Attacks: An environment can also be influenced through the alteration of the physical environment. This includes changes in temperature, humidity and gas. The easiest way to mitigate these types of attack is to control the physical security of the environment.

System Development Life Cycle (SDLC)

A network as a whole is in constant motion; the different network hardware and software components have a specific lifecycle that should be followed, which allows them to have a useful lifetime and a point where they are retired. The SDLC describes this cycle with five phases, including the following:

Initiation

• Security Categorization - Categorizes the severity of a security breach on a specific network component. These devices are typically placed into high, medium and low risk categories.

• Preliminary Risk Assessment - Provides a high-level overview of a system's security requirements.

Acquisition and Development

• Risk Assessment - Specifies the initial protection requirements.

• Security Functional Requirement Analysis - Identifies what is required to properly secure a system so it can function in its intended capacity.

• Security Assurance Requirements Analysis - Provides evidence that the network resource in question will be protected at the desired level.

• Cost Considerations and Reporting - Details the costs of securing a system.

• Security Planning - Details what security controls are to be used.

• Security Control Development - Details how the already determined security controls are to be designed, developed, and implemented.

• Development Security Test and Evaluation - Validates the operation of the implemented security controls.


Implementation

• Inspection and Acceptance - The installation of a system and its functional requirements are verified.

• System Integration - The system is integrated with all required components and operation is verified.

• Security Certification - The operation of security controls is verified.

• Security Accreditation - The system is given administrative privileges to process, store and/or transmit specific data.

Operations and Maintenance

• Configuration Management and Control - Before any configuration change is made, its impact on other parts of the network is analyzed.

• Continuous Monitoring - After a security solution is implemented it should be routinely monitored and tested to validate operation.

Disposition

• Information Preservation - Any information which is required to be stored should be archived to a modern storage technology to ensure data availability.

• Media Sanitization - Storage media that is being disposed of should be sanitized so that the data is not retrievable.

• Hardware and Software Disposal - The disposal of both hardware and software should be done through a formal procedure which provides for protection against malicious activities.

Backup Sites

Backup sites are used to provide redundancy or high availability to critical data. Below are the different types of backup sites used today:

• Hot sites are ready-to-run, dedicated sites that have equipment, software, and real-time data in place. These sites are used to provide highly available data with little to no downtime.

    • These sites are the most expensive type of disaster recovery arrangement.

    • They are generally used by organizations in extremely data-sensitive industries, such as financial services, public safety, and healthcare.

• Warm sites provide all of the equipment and environmental controls necessary to restore operations but do not have applications installed or data restored.

    • These sites take longer to activate than hot sites but are typically much less expensive.

    • They may be shared by multiple organizations.


• Cold sites are buildings with proper infrastructure to support computing operations (i.e., power, environmental controls, etc.) but without any computer equipment, data, or software in place.

    • These sites are the cheapest alternative.

    • They take a very long time to bring to an operational state.

    • They are useful only in disasters that last for an extended period of time.

Hot sites, warm sites, and cold sites may be either owned and operated by the organization that they serve, or by a subscription service that keeps the facilities available for its clients.

Security Policy

The development of a comprehensive security policy is important for the network security of an organization. It is a constantly changing document that sets up guidelines for network use. The main purpose of this policy is to protect corporate assets, but it also should be designed to educate users and describe a baseline for security monitoring.

One major part of the security policy is the establishment of an Acceptable Use Policy (AUP). The AUP identifies what users of a network are and are not allowed to do on and with the network.

Security Policy Components

There are four main components that should be part of the security policy:

• Governing Policy - This is a high-level policy which addresses important security concepts and is primarily targeted at managerial and technical employees.

• Technical Policies - These policies are used to provide a much higher level of detail of the organization's security policy.

• End-User Policies - These policies are intended to address security issues and procedures which are relevant to end users.

• Standards, Guidelines and Procedures:

    • Standards - Define mandatory practices of network use.

    • Guidelines - Define a set of suggested practices of network use.

    • Procedures - Detailed documents which are used to specify step-by-step instructions for the completion of specific tasks.


Risk Analysis

Risk Analysis is defined as a method of analyzing the probability that a specific threat will occur and the severity of the consequences that it brings to the network. There are two different methods for analyzing risk:

• Quantitative analysis - Uses mathematical models to forecast the probability and severity of risk. In the following equations, you are calculating Annualized Loss Expectancy (ALE) and Single Loss Expectancy (SLE) based on the relationships between an asset's value (AV), its exposure factor (EF) and, in the case of the ALE, an Annual Rate of Occurrence (ARO).

    ALE = AV * EF * ARO

    SLE = AV * EF

    AV = Asset Value

    EF = Exposure Factor

    ARO = Annualized Rate of Occurrence

• Qualitative analysis - Uses behavior models to attempt to predict the probability that someone would want to cause a risk and how much they want to achieve it. This analysis method is more useful when analyzing large networks.

Risk Mitigation

• Risk Management - Assumes that not all potential threats can be eliminated and attempts to reduce the anticipated damage from risk.

• Risk Avoidance - Eliminates identified risks by not exposing a system to end users.

Security Awareness

User awareness is a big part of the security of a network. In order to make sure that a good security awareness program is implemented, it is recommended that three different core components be fulfilled:

• Awareness - If the end users of the network are aware of the different security threats which exist, they will be more likely to notice when they are happening.

• Training - A good training program creates end user competence and allows them to perform specific tasks and serve in different security roles.

• Education - A more comprehensive education program allows a larger amount of material to be covered.


Cisco Self-Defending Network

The concept behind a self-defending network is simple: have the network try to recognize threats in real time and have it automatically adjust to deal with the specific threat. A part of this concept requires close integration of individual network security products. Cisco's Self-Defending Network is a marketing term that defines a collection of security best-practice solutions which identify threats and attempt to prevent them, as well as emerging threats.

Core Characteristics

There are three core characteristics of the self-defending network:

• Integrated - Security is built into the network instead of being added to an existing network.

• Collaborative - Both IT personnel and security personnel work together on network operations.

• Adaptive - Security solutions are designed to adapt to evolving threats.

Cisco Integrated Security Products

There are a number of different products that have been introduced by Cisco to provide security solutions. Some of the major products which are currently in use include:

• Cisco Router

• Cisco ASA 5500 Series

• Cisco PIX 500 Series

• Cisco 4200 Series IPS

• Cisco Security Agent

• Cisco Security Access Control Server

• Cisco Catalyst 6500 series switches

• Cisco Router and Security Device Manager (SDM)

• Cisco Security Monitoring, Analysis, and Response System (MARS)

Domain 2 - Secure Cisco routers

Security Device Manager (SDM)

Cisco's Security Device Manager (SDM) provides a way to graphically configure a router through a web interface or through SDM software. This software includes a number of different wizards which can be used to configure the router to perform certain functions without a high level of router knowledge. In order to be able to work with SDM, the router must be installed and configured. There are two ways to use SDM, but both require the same commands to enable its use on the router:


    router(config)#ip http server

    router(config)#ip http secure-server

    router(config)#ip http authentication local

    router(config)#username name privilege 15 secret password


The first two commands are used to enable HTTP access; secure-server enables secure access. A username must be set up on the router for SDM to use for local login authentication.

After this there are two different ways to install SDM: either locally on the router flash, or through an installer on the user's computer. Many of the newer routers come with SDM preinstalled, but older routers can have it installed.

Security Audit

One of SDM's main security features is the Security Audit feature. The Security Audit feature can be run in one of two modes: One-Step Lockdown and Security Audit Wizard. When using One-Step Lockdown, SDM will automatically lock down the router based on a list of common security threats. When using the Security Audit Wizard, SDM will ask which of the identified problems you want to be fixed.

Figure 1 - One-Step Lockdown


Figure 2 - Security Audit Wizard

Securing Passwords

One of the easiest ways to ensure security on a Cisco router is by setting passwords. There are a number of different password types which are configurable on a router:

• Enable Password

• Enable Secret Password

• Line Passwords

    • Console Password

    • Auxiliary Password

    • vty Password

• Local User Passwords

Enable Password

The Enable Password is used when trying to enter the Enable Configuration mode.

    router(config)#enable password password


Enable Secret Password

The Enable Secret Password is also used when trying to enter the Enable Configuration mode. The difference between the Enable Password and the Enable Secret Password is the password's security in the router's configuration. When using the Enable Password, it is stored in the configuration file in one of two ways: clear text, or using Cisco-proprietary encryption. The problem with the Cisco-proprietary encryption is that it is easily reversible and therefore not secure. When using the Enable Secret Password method, the password is entered in the configuration as an MD5 hash and therefore is not reversible and is highly secure.

    router(config)#enable secret password

Line Passwords

Line passwords are used to secure specific entry points into the router. The three main types include console, auxiliary, and vty passwords. The console password is used to secure console access into the router. The auxiliary password is used to secure access through the router's auxiliary port. The vty password is used to secure the telnet and/or ssh virtual entry points coming into the router.

    router(config-line)#login

    router(config-line)#password password

Local User Passwords

A Local User Password is used when individual users are set up on the router. Like the Enable Password, user passwords can be entered using either a clear text password, a Cisco-proprietary encrypted password, or an MD5 hash.

    router(config)#username username password password

    router(config)#username username secret password

Password Recovery

An important part of being familiar with passwords is knowing how to recover them. This can be done on most Cisco equipment once physical access is possible. If routers are going to be put into a location which is not as physically secure as possible, this ability can be disabled through configuration. It should be noted, however, that if password recovery is disabled in the configuration and the password is lost, the configuration will not be recoverable from the router and must be stored elsewhere.

    router(config)#no service password-recovery


Configuring Cisco Password Encryption

As described above, a method of masking the passwords in the configuration is to use the Cisco-proprietary encryption algorithm. By default, this is enabled and masks the password; however, it is easily reversible.

    router(config)#no service password-encryption

Configuring Miscellaneous Password Parameters

There are a number of different parameters which can be configured to affect different password behaviors. The first one shown below is where you can configure the minimum length of the passwords used on the router.

    router(config)#security password min-length length

The second one shown is how you can configure the number of failed login attempts before a 15 second delay is imposed. By default, this parameter is set to 10 login attempts.

    router(config)#security authentication failure rate rate log

The third one shows how to configure the session inactivity timer. When the time is up, the router will automatically log the person out. By default, this timer is set for 10 minutes. It is configured per line, in line configuration mode.

    router(config-line)#exec-timeout minutes seconds
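Putting the password commands from this and the preceding sections together, here is an added example of a baseline IOS password configuration (written for this edition, not taken from the original guide); the username "netadmin", the secrets marked as placeholders and the five vty lines are assumed values.

```cisco
! Added example (not part of the guide): baseline password hardening.
! "netadmin" and every <...> secret are placeholders; choose strong values.
!
! Global password behaviour
security password min-length 10
security authentication failure rate 3 log
!
! Privileged EXEC protected by an MD5 enable secret, not the reversible enable password
enable secret <placeholder-enable-secret>
!
! Local administrator stored as an MD5 secret rather than "username ... password"
username netadmin privilege 15 secret <placeholder-user-secret>
!
! Type 7 masking for any password that is still held in clear text (line passwords)
service password-encryption
!
! Console: line password plus a 5 minute inactivity timer
line console 0
 password <placeholder-console-password>
 login
 exec-timeout 5 0
!
! Auxiliary port: no EXEC session at all while the port is unused
line aux 0
 no exec
 exec-timeout 0 1
!
! Remote access: authenticate against the local user database instead of a shared
! line password; SSH itself must already be configured (not covered on this page)
line vty 0 4
 login local
 exec-timeout 5 0
 transport input ssh
```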

Privilege Levels

By default, users logged in using the enable command have a privilege level of 15 and can use all commands available on the router. If finer granularity is required, it is possible to set up different privilege levels, so that certain commands can be used and other commands are still restricted. The following shows the two commands that are required to assign commands to a specific privilege level and to set a password for that level.

    router(config)#privilege exec level level command

    router(config)#enable secret level level password


Role-Based CLI

Another way of configuring multiple levels of access is through Role-Based CLI, or CLI views. In order to set this up there are a couple of main commands which are required. The initial two shown are used to set up Authentication, Authorization and Accounting (AAA) and to enter the root view, which is used by the senior administrators (enable view is entered from privileged EXEC mode, not from configuration mode).

    router(config)#aaa new-model

    router#enable view

The next commands are used to set up a custom view which is configured with a separate password.

    router(config)#parser view view-name

    router(config-view)#secret password

At this point you are ready to configure the commands which are to be allowed in a specific view.

    router(config-view)#commands parser-mode {include | include-exclusive | exclude} [all] command
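As an added example (not from the original guide), the following IOS configuration combines a restricted privilege level with a parser view, which are the two access-tiering mechanisms described above; the level number, the view name MONITOR, the user names and the placeholder secrets are assumed values.

```cisco
! Added example (not part of the guide): two ways to grant partial access.
! Level number, view name, user names and <...> secrets are placeholders.
!
! --- Privilege level 5: a helpdesk tier limited to a few show commands.
! Note: "show running-config" run at level 5 only displays commands that
! are themselves at or below level 5.
privilege exec level 5 show ip interface brief
privilege exec level 5 show logging
privilege exec level 5 show running-config
enable secret level 5 <placeholder-level5-secret>
!
! --- Role-Based CLI: a MONITOR view for network operations staff.
aaa new-model
! The root view is entered from privileged EXEC with:  router#enable view
parser view MONITOR
 secret <placeholder-view-secret>
 ! "all" pulls in the whole "show ip" command tree
 commands exec include all show ip
 ! include-exclusive reserves this command for the MONITOR view alone
 commands exec include-exclusive show interfaces
 commands exec include ping
!
! Bind a local account to the view so the user lands in MONITOR on login
username monitor view MONITOR secret <placeholder-monitor-secret>
```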

Securing IOS Images and Configuration Files

Cisco calls the router image and configuration the bootset, and the Cisco IOS Resilient Configuration feature can be used to secure a copy of these files. This feature can only be disabled from the CLI on the Cisco router. The following commands are used to enable these features:

    router(config)#secure boot-image

    router(config)#secure boot-config

The boot image can be restored by booting into ROMmon and using the boot command. The secured configuration can be restored using the following command:

    router(config)#secure boot-config restore filename

Login Banner

Implementing a legally worded login banner is recommended for a secured device. This should be crafted by your legal department and warn of the repercussions of attempting a breach of the networking equipment. It should not, however, have any identifying markings for a specific company or piece of networking equipment. This banner is configured using the following command:

    router(config)#banner motd delimiter message delimiter


Domain 3 - Implement AAA on Cisco routers using local router database and external ACS

Authentication, Authorization and Accounting (AAA)

AAA is one of the core concepts to know when implementing security on Cisco devices. Each of these items has its own part of the security picture and each should be configured to secure a device. The three are detailed as follows:

• Authentication - The process where users and administrators prove who they are before being able to access a system.

• Authorization - The process where users and administrators are authorized access to specific resources or commands.

• Accounting - The process where the activities which happen on a device are logged in detail and provide a clear record of what each user and administrator did while logged in. Accounting is commonly used for billing or security logging.

AAA Configuration

There are a number of different commands which are used to configure specific AAA functionality. These will be separated into three different sections in this guide.

The one command which is universal to all sections of AAA is the command to enable AAA:

    router(config)#aaa new-model

Authentication

The main procedure for setting up authentication is as follows:

1. Enable AAA.

2. Set up the security server configuration (if used; see later in this domain).

3. Create an authentication method list.

4. Apply the authentication method list.


There are a number of different commands which can be used to configure authentication depending on how you want the authentication to work. The following is a list of the commonly available authentication commands, which would all be entered in global configuration mode:

• aaa authentication banner - Used to create a personalized login banner.

• aaa authentication enable default - Used to create an authentication list which is used when trying to access privileged command levels.

• aaa authentication fail-message - Used to create a message which will be displayed when a user login fails.

• aaa authentication local-override - Used to enable the check of local user database authentication before using other methods of authentication.

• aaa authentication login - Used to create an authentication list which is used when logging in to a device.

• aaa authentication password-prompt - Used to change the text displayed when being prompted for a password.

• aaa authentication ppp - Used to create an authentication list which is used by PPP on an interface.

• aaa authentication username-prompt - Used to change the text displayed when being prompted for a username.

    When con guring PPP authentication the command can be con gured in a number o di erent ways; thegeneral command syntax is as ollows:

    router(con g)#aaa authentication enable de ault method1method4

    The de ault parameter which is shown in this command is used to set the de ault Enable Authenticationbehavior. There are a number o di erent methods which can be con gured; up to our can be con guredat the same time and are used in order. The methods which can be speci ed are listed below:

    group radius The RADIUS server con guration is used or authentication.

    group tacacs+ The TACACS server con guration is used or authentication.

    enable The Enable Password is used or authentication.

    line The Line Password is used or authentication.

    none Uses no authentication.

    When con guring login authentication the command can be con gured in a number o di erent ways;the general command syntax is as ollows:

    router(con g)#aaa authentication login {de ault | list-name} method1method4


The default parameter which is shown in this command is used to set the default login authentication behavior. The list-name parameter is used to set up a custom login authentication list which is used in conjunction with the line- or interface-specific command, which is explained later. There are a number of different methods which can be configured; up to four can be configured at the same time and are used in order. The methods which can be specified are listed below:

- enable: The enable password is used for authentication.
- group radius: The RADIUS server configuration is used for authentication.
- group tacacs+: The TACACS+ server configuration is used for authentication.
- krb5: Uses Kerberos 5 for authentication.
- krb5-telnet: Uses the Kerberos 5 Telnet authentication protocol when using Telnet to access the device.
- line: The line password is used for authentication.
- local: The local user database is used for authentication.
- local-case: Uses case-sensitive local user authentication.
- none: Uses no authentication.

When configuring PPP authentication the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa authentication ppp {default | list-name} method1 [method2 ... method4]

The default parameter which is shown in this command is used to set the default PPP authentication behavior. The list-name parameter is used to set up a custom PPP authentication list which is used in conjunction with the line- or interface-specific command, which is explained later. There are a number of different methods which can be configured; up to four can be configured at the same time and are used in order. The methods which can be specified are listed below:

- group radius: The RADIUS server configuration is used for authentication.
- group tacacs+: The TACACS+ server configuration is used for authentication.
- krb5: Uses Kerberos 5 for authentication.
- local: The local user database is used for authentication.
- local-case: Uses case-sensitive local user authentication.
- none: Uses no authentication.

In order to apply the configuration as detailed above on specific interfaces or lines, the following commands are used:

router(config-if)#ppp authentication protocol1 [protocol2 ...] {default | list-name}

router(config-line)#login authentication {default | list-name}


It should be noted, however, that if a default method list is created, it is automatically applied to all interfaces and lines which are not specifically configured with a separate method list.

There are several protocols which can be used with PPP; all four can be used in one command and are attempted in the order entered. The protocols which are available for the ppp authentication command are:

- chap: Enables use of the Challenge Handshake Authentication Protocol (CHAP).
- pap: Enables use of the Password Authentication Protocol (PAP).
- ms-chap: Enables use of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
- eap: Enables use of the Extensible Authentication Protocol (EAP).
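A worked configuration that walks through the four authentication steps above. This is an added example, not configuration from the guide; the TACACS+ server address, shared key, usernames and secrets are constructed placeholders. It puts the local database behind the TACACS+ server on the vty lines so that a server outage does not lock administrators out, and keeps the console on the local database only.

```cisco
! Added example (not from the guide). 10.0.0.10, the shared key and
! all usernames/secrets below are constructed placeholders.
!
! Step 1: enable AAA
aaa new-model
!
! Step 2: security server configuration (TACACS+, TCP)
tacacs-server host 10.0.0.10
tacacs-server key EXAMPLE-SHARED-KEY
!
! Fallback credentials, only consulted when a method list reaches
! "local" or "enable" (i.e. the TACACS+ server returned an error)
username admin privilege 15 secret EXAMPLE-LOCAL-SECRET
enable secret EXAMPLE-ENABLE-SECRET
!
! Step 3: authentication method lists (methods are tried in order)
! Default login list: ask TACACS+ first, fall back to the local database.
! Note that "none" is deliberately absent: ending a list with "none"
! would grant access whenever every earlier method errors out.
aaa authentication login default group tacacs+ local
! Named list for the console: local database only, so physical access
! never depends on the network path to the server
aaa authentication login CONSOLE local
! Privileged EXEC (enable) access: TACACS+ first, then the enable secret
aaa authentication enable default group tacacs+ enable
! Login messages (optional commands from the list above)
aaa authentication banner ^Authorized access only^
aaa authentication fail-message ^Login failed^
!
! Step 4: apply the lists. The vty lines could rely on the default
! list being applied automatically; naming it keeps the intent visible.
line console 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
```

Before saving, keep the current session open and test a second login from another session, so a mistake in the method list can still be corrected.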

Authorization

The main procedure for setting up authorization is the same as for authentication and is as follows:

1. Enable AAA.
2. Set up the security server configuration. (If used; see later in the domain.)
3. Create an authorization method list.
4. Apply the authorization method list.

There are a number of different commands which can be used to configure authorization, depending on how you want the authorization to work. The following is a list of the commonly available authorization commands, all of which would be entered in global configuration mode:

- aaa authorization network: Used to create an authorization list which is used when implementing authorization over network-related services.
- aaa authorization exec: Used to create an authorization list which is used when determining a user's ability to run the EXEC shell.
- aaa authorization commands: Used to create an authorization list which is used when implementing authorization of all commands at a specific user privilege level. The levels range from 0 to 15.
- aaa authorization reverse-access: Used to create an authorization list which is used when implementing authorization for reverse access connections (typically reverse Telnet).
- aaa authorization configuration: Used to create an authorization list which is used when downloading a configuration from the AAA server.

When configuring network authorization the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa authorization network {default | list-name} method1 [method2 ... method4]


When configuring exec authorization the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa authorization exec {default | list-name} method1 [method2 ... method4]

When configuring reverse-access authorization the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa authorization reverse-access {default | list-name} method1 [method2 ... method4]

When configuring configuration authorization the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa authorization configuration {default | list-name} method1 [method2 ... method4]

When configuring commands authorization the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa authorization commands level {default | list-name} method1 [method2 ... method4]

The default parameter which is shown in these commands is used to set the default authorization behavior. The list-name parameter is used to set up a custom authorization list which is used in conjunction with the line- or interface-specific command, which is explained later. There are a number of different methods which can be configured; up to four can be configured at the same time and are used in order. The methods which can be specified are listed below:

- group radius: The RADIUS server configuration is used for authorization.
- group tacacs+: The TACACS+ server configuration is used for authorization.
- local: The local user database is used for authorization.
- if-authenticated: Allows the user to run the specific function as long as they are authenticated.
- none: Uses no authorization.

In order to apply the configuration as detailed above on specific lines or interfaces, the following commands are used (authorization for EXEC, commands, ARAP and reverse-access is a line command; PPP authorization is an interface command):

router(config-line)#authorization {arap | commands level | exec | reverse-access} {default | list-name}

router(config-if)#ppp authorization {default | list-name}
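A worked authorization configuration following the four steps above. This is an added example, not configuration from the guide; it assumes aaa new-model, a TACACS+ server and a local user are already configured as in the authentication section, and shows where if-authenticated changes the failure behaviour.

```cisco
! Added example (not from the guide). Assumes aaa new-model, a TACACS+
! server and a local "admin" user are already configured.
!
! Step 3: authorization method lists
! EXEC authorization: the server decides whether a shell may start;
! "local" is consulted only if the server returns an error.
aaa authorization exec default group tacacs+ local
!
! Command authorization at privilege levels 1 and 15. With
! "if-authenticated" an already-authenticated user keeps working when
! the server is unreachable (fail-open). Replace it with "local" or
! leave it out if a server outage must block privileged commands.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Named EXEC list for the console that never consults the server
aaa authorization exec CONSOLE local
!
! Authorization is not enforced on the console unless this is set
aaa authorization console
!
! Step 4: apply. Lines without a named list use the default lists.
line console 0
 authorization exec CONSOLE
line vty 0 4
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
```

Check the result with the debug command from the AAA Debug section while logging in from a second session, so that a list which rejects every EXEC start can still be corrected from the first.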


Accounting

The main procedure for setting up accounting is the same as for authentication and authorization and is as follows:

1. Enable AAA.
2. Set up the security server configuration. (If used; see later in the domain.)
3. Create an accounting method list.
4. Apply the accounting method list.

There are a number of different commands which can be used to configure accounting, depending on how you want the accounting to work. The following is a list of the commonly available accounting commands, all of which would be entered in global configuration mode:

- aaa accounting system: Used to enable AAA accounting on all system-level events not associated with users.
- aaa accounting network: Used to enable AAA accounting on all network-related service requests.
- aaa accounting exec: Used to enable AAA accounting on all EXEC shell sessions.
- aaa accounting connection: Used to enable AAA accounting on all outbound connections made from the Network Access Server (NAS).
- aaa accounting commands: Used to enable AAA accounting on all commands at a specific privilege level.

When configuring system accounting, the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa accounting system {default | list-name} {start-stop | stop-only | none} group group-name

When configuring network accounting, the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa accounting network {default | list-name} {start-stop | stop-only | none} group group-name

When configuring exec accounting, the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa accounting exec {default | list-name} {start-stop | stop-only | none} group group-name

When configuring connection accounting, the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa accounting connection {default | list-name} {start-stop | stop-only | none} group group-name


When configuring commands accounting, the command can be configured in a number of different ways; the general command syntax is as follows:

router(config)#aaa accounting commands level {default | list-name} {start-stop | stop-only | none} group group-name

The group-name parameter can be one of two options:

- group radius: The RADIUS server configuration is used for accounting.
- group tacacs+: The TACACS+ server configuration is used for accounting.

In order to apply the configuration as detailed above on specific lines or interfaces, the following commands are used (accounting for EXEC, commands and connections is a line command; PPP accounting is an interface command):

router(config-line)#accounting {commands level | connection | exec} {default | list-name}

router(config-if)#ppp accounting {default | list-name}
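A worked accounting configuration following the four steps above. This is an added example, not configuration from the guide; it assumes aaa new-model and a TACACS+ server are already configured, and it chooses start-stop or stop-only per record type so that the TACACS+ server receives a complete audit trail of administrative sessions.

```cisco
! Added example (not from the guide). Assumes aaa new-model and a
! TACACS+ server are already configured.
!
! Step 3: accounting method lists
! EXEC sessions: start-stop records both ends, so session duration
! and the source address of every administrative login are logged.
aaa accounting exec default start-stop group tacacs+
!
! Privileged commands: stop-only sends one record per command after it
! has been executed, which is enough to reconstruct what was changed.
aaa accounting commands 15 default stop-only group tacacs+
!
! System events not tied to a user (reloads, AAA being turned on/off)
aaa accounting system default start-stop group tacacs+
!
! Outbound connections opened from the router itself (e.g. telnet to
! another device), useful for spotting pivoting through the NAS
aaa accounting connection default start-stop group tacacs+
!
! Step 4: apply. The default lists would be applied automatically;
! listing them on the vty lines documents that this is intended.
line vty 0 4
 accounting exec default
 accounting commands 15 default
 accounting connection default
```

Confirm records are leaving the router with the debug aaa accounting command from the next section; if the server is unreachable no record is stored locally, so the server's own reachability should be monitored as well.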

AAA Debug

There are also a number of commands which are used to debug the various types of AAA. These commands are as follows:

router#debug aaa authentication

router#debug aaa authorization

router#debug aaa accounting

SDM AAA Configuration

In the newer exams, Cisco appears to be placing more emphasis on the use of SDM for specific configuration processes. The following figures show the SDM configuration screens that would be used to configure the same AAA parameters as shown above.


    Figure 3 - SDM AAA Screen

    Figure 4 - Enabling AAA with SDM


Figure 5 - SDM AAA Enabling Confirmation

Figure 6 - AAA CLI Configuration from SDM


    Figure 7 - AAA SDM Method List Editing

    Figure 8 - AAA SDM Method List Adding


TACACS+ and RADIUS

Two of the most used AAA protocols are Terminal Access Controller Access-Control System (TACACS+) and Remote Authentication Dial In User Service (RADIUS). TACACS+ is a Cisco-proprietary protocol which runs over TCP, and RADIUS is an IETF-maintained protocol which runs over UDP. TACACS+ gives some additional functionality which is not supported by RADIUS, including the ability to separate authentication and authorization, and the ability to control the authorization level of users.

TACACS+ Responses

As the TACACS+ server converses with the user, it uses a number of responses which determine the request outcome:

- ACCEPT: The user has been authenticated; authorization begins at this point if configured.
- REJECT: Authentication has failed for the user.
- ERROR: At some point during the authorization an error has occurred.
- CONTINUE: The user is being prompted for further authorization before acceptance or rejection.

TACACS+ Attributes

There are a number of different attributes which are used for authentication and authorization:

- ACL (EXEC authorization): Lists an access class number that will be applied to a line.
- ADDR (SLIP, PPP authorization): Used to specify the IP address of the remote host when using a SLIP or PPP connection.
- CMD (EXEC): This attribute-value (AV) pair is used to start an authorization request for an EXEC command.
- Priv-lvl (EXEC authorization): Used to specify the current privilege level for command authorization.
- Route (SLIP, PPP authorization): Used to specify a route to be applied to an interface.
- InACL (SLIP, PPP authorization): Used to list an inbound ACL for a SLIP or PPP connection.
- OutACL: Used to list an outbound ACL for a SLIP or PPP Connec