· 6 years ago · Aug 22, 2019, 11:10 PM
CCNA Security
https://learningnetwork.cisco.com/community/certifications/security_ccna/iins-v3/exam-topics


Security is a "precise" look; answers need to be precise.
If it is not a standard default, or mentioned in the question, it does not exist.
I am used to collapsed core designs; Cisco refers to a distributed core, where the inter-VLAN routing happens on the distribution layer.


Primary Network Security Objectives
- Confidentiality, Integrity, Availability


CIA = confidentiality, integrity, availability
- confidentiality
  - encryption provides confidentiality
  - only authorized persons have seen the data
  - hash only is most appropriate for data at rest
- integrity
  - hashing provides integrity
  - the data has not been modified by unauthorized personnel
- availability
  - the data is available when and where they need it
- ESP / AH provide integrity



Information assurance
- risk minimization and assurance


Asset
- refers to a person, property, or data of value to a company


Defense in Depth
- provides great security on day 1 of implementation


Least Privilege
- provides great security on day 1 of implementation


Viable options to risk
- transfer risk
- mitigate risk
- remove risk


SIEM = Security Information and Event Management
- real-time analysis of security alerts generated by network hardware and applications
- security information and event management software products combine security information management and security event management
- provides correlation between logs and events from multiple systems
- provides proactive malware analysis to block malicious traffic


SEM = Security Event Manager
- focuses on real-time analysis and detection
- typically analyzes log data from multiple sources
- some systems also implement incident handling


SIM = Security Information Management
- focuses on non-real-time log collection and analysis
- can flag potentially threatening events


Data Aggregation
- collect data/logs


Data Correlation
- job is to identify malicious behaviour
- key is to get a baseline of normal operations and alert on non-normal activity


Data Retention
- data archival according to policy


TPM = Trusted Platform Module
- independent crypto processor in computers
- hardware-based authentication and full-disk encryption services

MTM = Mobile Trusted Module
- same functions as TPM, but on a mobile device


Common Network Attack Types:

Vulnerability
- asset characteristic that refers to a risk that results from a threat and a lack of countermeasures
- a weakness in an IT system that an attacker can leverage to gain unauthorized access to the system or its data

Attacks:
- Operation Aurora - advanced persistent attack
  - a months-long attack in 2009 - used phishing, IE exploits, compromised PCs
- Heartbleed - vulnerability
  - OpenSSL memory handling bug
- POODLE - man in the middle
  - exploited security fallback mechanisms
- Back Orifice
  - exploits Microsoft Windows hosts
  - uses a magic cookie
- Snowshoe Spam
  - establishes false company names and identities to manipulate reputation
- phishing
  - social engineering carried out electronically
  - spear phishing is a targeted phishing attack
  - whaling is spear phishing against high-value targets
- privilege escalation attack
  - giving yourself more privileges than you are supposed to have
- trust exploitation attack
  - when a trusted relationship in our network is exploited (firewall zones)
- brute force attack
  - keep trying until successful
- social engineering attack
  - focuses on humans
  - plays on fear and joy
- recon attack
  - gathering information
  - searching for vulnerabilities
  - lacks damage/impact
- DoS attack
  - attack by overloading device resources
- DDoS attack
  - DoS attack from multiple hosts
  - often carried out by botnets
  - UDP is the protocol of choice
- SYN flood attack
  - (denial of service) -- attacker sends a lot of SYN packets to a target with the purpose of overwhelming the device with half-open connections
  - a rate-based prevention preprocessor can detect a SYN flood attack
- advanced persistent threat
  - long-term approach to gathering intel on a target
- Stuxnet
  - exploited a remote code execution vulnerability in the processing of .lnk files
  - exploited a remote code execution vulnerability in the printer spooler service
  - cyber warfare
  - malicious worm attack
  - targeted PLCs in SCADA networks
  - damaged Iran's nuclear program
- pharming
  - phishing technique that can occur as a result of DNS poisoning
  - tries to point users to fake sites by modifying the result of a DNS lookup
- Blaster worm
  - exploited a buffer overflow vulnerability in the DCOM RPC service
  - carried a destructive payload that engaged in a DoS attack -- blasting the MS update servers
- SQL Slammer
  - exploited a buffer overflow vulnerability in Microsoft SQL Server software
- Code Red
  - exploited a buffer overflow vulnerability in Microsoft IIS software


OWASP
- Open Web Application Security Project
- multi-national not-for-profit organization that publishes frameworks, documentation, tools, etc. in relation to application security


SAMM = Software Assurance Maturity Model
- open framework used to guide an organization in making software security decisions that are in alignment with the organization's risk profile
- SAMM is published by OWASP (Open Web Application Security Project)


OWTF = Offensive Web Testing Framework
- penetration testing tool designed to automate some of the lower-level/tedious tasks associated with penetration testing
- the goal of OWTF is to provide the tester with more time for investigation and analysis


ZAP = Zed Attack Proxy
- integrated penetration testing tool for web applications
- provides automated scanning tools
- provides a tool suite to manually probe for vulnerabilities



All firewalls are multihomed (attached to multiple network segments).


CSM:
- Cisco Security Manager
- rule-based policies can contain hundreds of rules containing values for the same set of parameters
- settings-based policies can contain only one set of parameters for each settings-based policy defined on a device
- centralizes policy administration
- can use settings-based or rule-based policies
- Cisco FlexConfig
- built using Java


APT Lifecycle: (advanced persistent threat)
- define target
- find and organize accomplices
- build or acquire tools
- research target infrastructure/employees
- test for detections
- deployment
- initial intrusion
- outbound connection initiated
- expand access and obtain credentials
- strengthen foothold
- exfiltrate data
- cover tracks and remain undetected


Tamper detection examines data and timestamps to detect man-in-the-middle attacks.


MAC spoofing vs ARP spoofing:
ARP Spoofing: (ARP cache poisoning or ARP poisoning)
- the attacker advertises its MAC address with the target's IP address (gratuitous ARP - unsolicited)
- Dynamic ARP Inspection protects against ARP spoofing (identifies trusted and untrusted ports)
- Dynamic ARP Inspection is implemented using DHCP snooping
- Cisco best practice is to mark host ports as untrusted and non-host ports as trusted


Proxy ARP:
- when a gateway responds to an ARP request with its own MAC address if it knows how to get to the destination IP


MAC Spoofing:
- misrepresenting your MAC address


CAM Table Overflows:
- floods the MAC address table with spoofed MACs
- can be overcome with port security


Port Security Modes:
- shutdown = port goes to err-disabled - SNMP trap is generated - syslog generated
- restrict = unsecure frames are dropped - SNMP trap is generated - syslog generated
- protect = unsecure frame is dropped - no other action
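The three violation modes differ only in what happens beyond dropping the frame. The following model is an added example, not from these notes or from Cisco: it runs a constructed burst of spoofed source MACs (the kind of traffic a CAM-table overflow produces) through a port in each mode and shows what the port counts afterwards. The maximum-MAC count, the addresses and the counters are assumptions made for the illustration.

```python
# Added example (not from the notes): a model of the three port-security
# violation modes, driven by a constructed burst of spoofed source MACs.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    mode: str                        # "shutdown", "restrict" or "protect"
    max_macs: int = 1                # assumed 'switchport port-security maximum 1'
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    snmp_traps: int = 0
    syslog_msgs: int = 0
    forwarded: int = 0
    dropped: int = 0

    def receive(self, src_mac):
        """Process one ingress frame and report what happened to it."""
        if self.err_disabled:
            self.dropped += 1
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            self.forwarded += 1
            return "forwarded"
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(src_mac)      # dynamically learned secure MAC
            self.forwarded += 1
            return "forwarded (learned)"
        return self._violation()

    def _violation(self):
        self.dropped += 1                      # every mode drops the offending frame
        if self.mode == "shutdown":
            self.err_disabled = True           # port stays down until recovered
            self.snmp_traps += 1
            self.syslog_msgs += 1
            return "dropped, port err-disabled, SNMP trap + syslog"
        if self.mode == "restrict":
            self.snmp_traps += 1
            self.syslog_msgs += 1
            return "dropped, SNMP trap + syslog"
        if self.mode == "protect":
            return "dropped silently"
        raise ValueError(f"unknown violation mode: {self.mode}")


def simulate(mode, frames):
    """Run a sequence of source MACs through a port configured with the given mode."""
    port = SecurePort(mode=mode, max_macs=1)
    for mac in frames:
        port.receive(mac)
    return port


# Constructed traffic: the legitimate host, a burst of five spoofed sources,
# then the legitimate host again (does it still get through?).
SAMPLE = ["0011.2233.4455"] + [f"dead.beef.{i:04x}" for i in range(5)] + ["0011.2233.4455"]

if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        p = simulate(mode, SAMPLE)
        print(f"{mode:9} forwarded={p.forwarded} dropped={p.dropped} "
              f"traps={p.snmp_traps} err-disabled={p.err_disabled}")
```

Note what the run shows about the trade-off: in shutdown mode the legitimate host's last frame is dropped too, because the whole port is err-disabled; restrict keeps the host working but raises one trap per offending frame; protect keeps the host working and tells nobody.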


Private VLANs
Port Types -
- Promiscuous - talks to everyone on any VLAN type
- Community - talks to other community members and promiscuous ports
- Isolated - talks to promiscuous ports and no one else


Private VLAN Types -
- Primary (parent) - can be mapped to multiple secondary VLANs
- Secondary (child) - can only be mapped to one primary VLAN


Secondary VLAN Types -
- Community - can talk to others in the same (secondary VLAN) community and promiscuous ports in the parent primary VLAN
- Isolated - can only talk to promiscuous ports in the parent primary VLAN


Routing protocol authentication
- send lifetime is in seconds


OSPF Authentication:
- authentication can be done by area or by link
- Null - Type 0 = no authentication (disables authentication)
- Clear Text - Type 1 = clear text authentication
- MD5 - Type 2 = MD5 hashed password


Root Guard
- guards the switch to protect its status as root
- ports receiving a superior BPDU will drop the bid and put the port in root-inconsistent state
- the port-level command is: spanning-tree guard root


ACLs
- extended ACLs can use source, destination, and destination port
  - most effective near the source on the inbound interface
- standard ACLs use source IP/network
  - most effective near the ?source?


ACL Design Guidelines:
- Branch Location BYOD
  - Default ACL
    - should deny HTTP or HTTPS
    - should permit tftp, bootp, domain (dns)
  - after passing authentication the downloadable ACL (dACL) should allow those protocols



Reflexive ACL
- used to filter IP packets based on upper-layer session information
- uses extended, named access-lists only
- security against spoofing and certain DoS attacks
- reflexive ACLs only contain temporary entries
- temporary entries are removed when the session ends or times out
- these ACLs do not work with applications that change ports mid-session


Class Maps
- can match traffic based on application protocols
- QoS traffic shaping is not available for all class maps
- class maps can match on things other than ACLs
- MPF = Modular Policy Framework


VLAN ACLs (VACL)
- create matching ACL
- create vlan access-map
  - match (match-type) (acl)
  - action [action]
- vlan filter [vlan access-map] vlan-list [vlans]


VLAN Hopping:
- dot1q - double-tagging
  - must be an access port on the native VLAN
  - as it crosses a trunk, the native-VLAN tag is removed, and the second tag remains
  - changing the default native VLAN will protect you
  - not using the default native VLAN on access ports will protect you
  - vlan dot1q tag native prevents the first tag from being removed as it crosses a trunk
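To see exactly where the first tag disappears, it helps to push real 802.1Q bytes through each hop. The following is an added example, not code from these notes or from Cisco: it builds a double-tagged frame, runs it through an access port, a trunk egress and the downstream switch's trunk ingress, and reports which VLAN the frame ends up in under the default configuration and under each of the three mitigations listed above. MAC addresses, VLAN numbers and the single-switch-hop model are assumptions for the illustration.

```python
# Added example (not from the notes): 802.1Q frames as bytes, pushed through
# access port -> trunk -> downstream switch to locate where the native tag is lost.
import struct

TPID = 0x8100   # 802.1Q tag protocol identifier


def build_frame(dst_mac, src_mac, vids, ethertype, payload):
    """dst, src, one 802.1Q tag per VID (outermost first), then type + payload."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vids:
        frame += struct.pack("!HH", TPID, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VID of the outermost tag, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if tpid == TPID else None


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """An access port accepts untagged frames, or frames tagged with its own
    VLAN (the tag is removed); a tag for any other VLAN is dropped."""
    vid = outer_vid(frame)
    if vid is None:
        return access_vlan, frame
    if vid != access_vlan:
        return None, None
    return access_vlan, pop_tag(frame)


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """The native VLAN leaves the trunk untagged unless 'vlan dot1q tag native' is set."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """The receiving switch trusts the first tag it sees; untagged means native."""
    vid = outer_vid(frame)
    return native_vlan if vid is None else vid


def delivered_vlan(frame, access_vlan, native_vlan, tag_native=False):
    """VLAN the downstream switch places the frame in, or None if it was dropped."""
    vlan, inner = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(vlan, inner, native_vlan, tag_native), native_vlan)


# Constructed double-tagged frame: outer tag 1 (default native VLAN), inner tag 20.
DOUBLE_TAGGED = build_frame("ffffffffffff", "0200deadbeef", [1, 20], 0x0800, b"payload")


def demo():
    return {
        "default_config": delivered_vlan(DOUBLE_TAGGED, access_vlan=1, native_vlan=1),
        "tag_native": delivered_vlan(DOUBLE_TAGGED, 1, 1, tag_native=True),
        "changed_native": delivered_vlan(DOUBLE_TAGGED, access_vlan=1, native_vlan=999),
        "access_not_native": delivered_vlan(DOUBLE_TAGGED, access_vlan=10, native_vlan=1),
    }


if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case:18} -> {'dropped' if vlan is None else f'VLAN {vlan}'}")
```

Under the default configuration the frame lands in VLAN 20; with `vlan dot1q tag native` or a changed native VLAN the outer tag survives the trunk and the frame stays in VLAN 1; with the access port in a non-native VLAN the foreign outer tag never gets past the access port at all.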


Switch Spoofing:
- when a host is connected to a port that is running switchport mode dynamic desirable


DHCP Snooping
- classifies ports as trusted or untrusted for DHCP traffic
- DHCP requests on untrusted ports are dropped
- DHCP offers on untrusted ports are dropped
- show ip dhcp snooping database
  - displays binding database location (url/local)
  - displays status of the binding table


IP Source Guard:
- prevents a host on the network from using another host's IP address
- uses the DHCP snooping database
- creates a VLAN ACL to permit/deny traffic based on the DHCP snooping database
- port-level command "ip verify source"
- static entries use "ip source binding h.h.h vlan [x] [ip address] interface [interface id]"
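Both Dynamic ARP Inspection (in the ARP spoofing section above) and IP Source Guard are consumers of the same DHCP snooping binding table. The following model is an added example, not code from these notes or from Cisco: it holds a constructed binding table (two entries "learned" from DHCP and one static `ip source binding`), then checks an ARP reply the way DAI would on an untrusted port and an IP packet the way `ip verify source` would. Interface names, MACs, addresses and the gateway IP are all constructed.

```python
# Added example (not from the notes): the DHCP snooping binding table as
# consumed by Dynamic ARP Inspection and IP Source Guard.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


class SnoopingDatabase:
    """Binding table: entries learned from DHCP on untrusted ports, or added
    statically with 'ip source binding <mac> vlan <n> <ip> interface <if>'."""

    def __init__(self):
        self.bindings = set()

    def learn(self, binding):
        self.bindings.add(binding)

    def lookup(self, **fields):
        return [b for b in self.bindings
                if all(getattr(b, k) == v for k, v in fields.items())]


def dai_check(db, port_trusted, vlan, sender_mac, sender_ip):
    """Dynamic ARP Inspection: on untrusted ports the ARP sender MAC/IP pair must
    appear in the binding table for that VLAN; trusted ports are not inspected."""
    if port_trusted:
        return "forwarded (trusted port, not inspected)"
    if db.lookup(mac=sender_mac, ip=sender_ip, vlan=vlan):
        return "forwarded (binding matches)"
    return "dropped (ARP sender does not match a binding)"


def ipsg_check(db, interface, vlan, src_ip, src_mac=None):
    """IP Source Guard ('ip verify source'): the source IP (and the MAC when port
    security is also enabled) must be bound to the ingress port."""
    fields = {"interface": interface, "vlan": vlan, "ip": src_ip}
    if src_mac is not None:
        fields["mac"] = src_mac
    return "forwarded" if db.lookup(**fields) else "dropped (source not bound to this port)"


def build_sample_db():
    db = SnoopingDatabase()
    db.learn(Binding("0011.2233.4455", "10.0.10.10", 10, "Gi0/1"))  # learned from DHCP (constructed)
    db.learn(Binding("0011.2233.4466", "10.0.10.11", 10, "Gi0/2"))  # learned from DHCP (constructed)
    db.learn(Binding("00aa.bbcc.dd01", "10.0.10.50", 10, "Gi0/5"))  # static ip source binding (constructed)
    return db


def demo():
    db = build_sample_db()
    gateway = "10.0.10.1"   # constructed gateway address
    return {
        # host on Gi0/2 answers ARP for its own address: fine
        "legit_arp": dai_check(db, False, 10, "0011.2233.4466", "10.0.10.11"),
        # the same host claims the gateway's IP (gratuitous ARP): poisoning attempt, dropped
        "spoofed_gateway_arp": dai_check(db, False, 10, "0011.2233.4466", gateway),
        # the real gateway answers on the trusted uplink: not inspected
        "uplink_arp": dai_check(db, True, 10, "00de.ad00.0001", gateway),
        "legit_ip": ipsg_check(db, "Gi0/2", 10, "10.0.10.11", "0011.2233.4466"),
        # the Gi0/2 host borrowing Gi0/1's address
        "spoofed_ip": ipsg_check(db, "Gi0/2", 10, "10.0.10.10"),
        "static_entry": ipsg_check(db, "Gi0/5", 10, "10.0.10.50"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} {verdict}")
```

The uplink case is why the "host ports untrusted, non-host ports trusted" best practice matters: the gateway's own ARP replies never have a DHCP binding, so they only get through because the uplink is trusted.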


Privilege Levels:
- privilege level 0 -- user is not able to issue the login command
- privilege level 1 ("user exec")
- privilege level 15 ("privileged exec" or "enable mode")
- enable secret takes precedence over enable password


Managing Exec Level Privileges:
- privilege exec level [0-15] [command]
- privilege interface [0-15] [command]
- a user account can be created with autocommand (the command is executed and exits the console)
- autocommand must be the last piece of a username configuration
- when the show run privilege level is changed, the only config items they can see are the ones they have the privilege to change


Role-Based CLI Access (views)
- routers can run up to 15 views
- consists of views and superviews
- AAA must be enabled
- enable password must exist
- privileged exec mode - enable view
- parser view [view-name] {option - superview}
  - secret [password]
  - commands exec [include|exclude] [commands]
- to add a superview:
  - parser view [view-name] superview
  - secret [password]
  - view [view to be added to superview]
- users can be applied to a view


Lawful Intercept (eavesdropping / wiretapping) Views:
- 3-step process
  - Collection -- collect desired data
    - make sure all necessary data is collected without impacting the network
    - observe that all parameters in the warrants are met
    - configure lawful intercept device captures and store the data
    - get data from source to mediation device without data loss/manipulation
  - Mediation -- data is formatted to highly specific standards
  - Delivery -- formatted data is delivered to the Law Enforcement Agency
- configure lawful-intercept view
  - li-view [password] user [username] password [password]


IOS Resilient Configuration
- a copy of the IOS image and the running config are saved on the local router
- secure files = primary bootset
- config file is the running config when the feature was enabled - does not dynamically update
- feature can be enabled remotely, but can only be disabled via console
- show secure bootset
- conf ter
  - secure boot-image (archives image and hides it)
  - secure boot-config
- restore operations
  - secure boot-config restore [file_name]
  - configure replace [path:file]
  - write mem (copy run start)


CoPP (Control Plane Policing)
https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html
- CPPr = improved version of CoPP
- control plane traffic is either originated by or destined to the local router
- can be used to mitigate DoS attacks
- control plane packets can create and perform network operations on a network device
- management plane is considered to be a subset of the control plane
- management plane protocols include telnet, ssh, http, https, and snmp
- data plane traffic is just passing through, neither originated locally nor destined locally
- CoPP considers the control plane to be totally separate from anything else on the router
- CoPP is configured with the Cisco IOS Modular QoS CLI (MQC)
- ACLs in CoPP policies are identification only (deny = exclude from match)
- Cisco recommends CoPP ACLs not be logged - unexpected things may happen
  - ACLs match IP addresses
  - class-maps match traffic and conditions based on ACLs
  - policy-maps define actions based on class-maps


- Configure Class-Map
  - create ACLs to match traffic
  - class-map match rules
    - match-all = match all ACL conditions
    - match-any = match any single ACL condition
  - class-map [name]
    - defaults to match-all
    - match access-group [ACL_ID]
  - show class-map

- Configure Policy-Map
  - policy-map [name]
    - class [class-map-name]
      - [action] [options] {example: police 25000 conform-action transmit exceed-action drop}
  - show policy-map

- Apply Policy-Map to Control Plane
  - control-plane
    - service-policy [input | output] [policy-map-name]
  - show policy-map control-plane

- Control Plane Protection (CPPr)
  - uses a combination of QoS, traffic classification, and traffic policing
  - CoPP protects as a whole - CPPr divides the control plane into host, transit, and CEF-exception
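The ACL / class-map / policy-map chain above is easiest to understand as three small functions. The following is an added example, not code from these notes or from Cisco IOS: an ACL lookup in which `deny` only excludes traffic from the class, a class-map with `match-all` / `match-any` semantics, and a single-rate token-bucket policer standing in for `police <bps> conform-action transmit exceed-action drop`, run over a constructed sequence of control-plane packets. ACL entries use CIDR prefixes rather than IOS wildcard masks, and the class names, rates and packets are all constructed.

```python
# Added example (not from the notes): how a CoPP policy classifies and polices
# packets punted to the control plane.
import ipaddress


def acl_lookup(acl, pkt):
    """Evaluate an ACL top-down. Returns 'permit', 'deny', or None when no entry
    matched. In a CoPP class-map the ACL only identifies traffic: 'deny' means
    "not part of this class"; it never drops anything by itself."""
    for action, proto, src_prefix in acl:
        if proto in ("ip", pkt["proto"]) and \
                ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src_prefix):
            return action
    return None


def class_matches(class_map, acls, pkt):
    """match-all: every referenced ACL must permit; match-any: at least one must."""
    hits = [acl_lookup(acls[name], pkt) == "permit" for name in class_map["acls"]]
    return all(hits) if class_map["match"] == "match-all" else any(hits)


class TokenBucket:
    """Single-rate policer: 'police <bps> conform-action transmit exceed-action drop'."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0       # bytes replenished per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def conform(self, size_bytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def apply_policy(policy, class_maps, acls, packets):
    """policy: ordered list of (class-map name, TokenBucket). The first matching
    class wins; packets matching no class fall into class-default and are sent."""
    verdicts = []
    for pkt in packets:
        verdict = "transmit (class-default)"
        for cname, bucket in policy:
            if class_matches(class_maps[cname], acls, pkt):
                ok = bucket.conform(pkt["len"], pkt["t"])
                verdict = f"{cname}: " + ("transmit" if ok else "drop (exceed)")
                break
        verdicts.append(verdict)
    return verdicts


# Constructed configuration: police ICMP to the router except from the management
# block 10.0.0.0/8, which the deny entry excludes from the policed class.
ACLS = {"ICMP-IN": [("deny", "icmp", "10.0.0.0/8"), ("permit", "icmp", "0.0.0.0/0")]}
CLASS_MAPS = {"COPP-ICMP": {"match": "match-all", "acls": ["ICMP-IN"]}}

# Constructed control-plane packets: arrival time (s), protocol, source, size (bytes).
PACKETS = [
    {"t": 0.0, "proto": "icmp", "src": "10.1.1.1",    "len": 100},
    {"t": 0.0, "proto": "icmp", "src": "203.0.113.5", "len": 500},
    {"t": 0.0, "proto": "icmp", "src": "203.0.113.5", "len": 500},
    {"t": 0.0, "proto": "icmp", "src": "203.0.113.5", "len": 500},
    {"t": 1.0, "proto": "icmp", "src": "203.0.113.5", "len": 500},
    {"t": 1.0, "proto": "tcp",  "src": "203.0.113.5", "len": 60},
]


def demo():
    # 8000 bps = 1000 bytes/s with a 1000-byte burst (constructed values).
    policy = [("COPP-ICMP", TokenBucket(rate_bps=8000, burst_bytes=1000))]
    return apply_policy(policy, CLASS_MAPS, ACLS, PACKETS)


if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, demo()):
        print(f"t={pkt['t']:.1f} {pkt['proto']:4} {pkt['src']:13} -> {verdict}")
```

The first packet is ICMP from the management block: the ACL returns `deny`, so it is simply not in the class and goes to class-default untouched. The third 500-byte packet from the outside host exceeds the 1000-byte bucket and is dropped; a second later the bucket has refilled and the next one conforms again.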


VPN
- Site-to-Site VPN
  - IPsec only supports unicast traffic
  - GRE is needed for multicast
- hairpinning allows traffic to exit the same interface it came in on


IPsec
- offers encryption and authentication
- made up of the following 3:
  - Authentication Header (AH) defines a method for authentication and securing data
  - Encapsulating Security Payload (ESP) defines a method for authentication, securing and encrypting data
  - Internet Key Exchange (IKE) negotiates the security parameters and authentication keys
- transport mode encrypts traffic between a VPN endpoint and a host
- provides confidentiality, integrity, and authentication
- transform sets: you can set up to 4 transforms
  - Authentication Header
  - ESP Encryption
  - ESP Authentication
  - Compression


Anatomy of an ESP Packet:
- ESP Header
  - SPI
  - Sequence number
- ESP Body
  - payload
- ESP Trailer
  - Padding
  - Pad Length
  - Next Header
- ESP Transport Mode
  - payload data and trailer are encrypted
  - original IP header and ESP header are unencrypted
- ESP Tunnel Mode
  - original IP header, payload, and trailer are encrypted
  - a new IP header is applied
  - the new IP header and ESP header are unencrypted


Authentication Header (AH)
- data origin authentication
- data integrity
- optional anti-replay protection
- LACKS data confidentiality
- incomplete IP header protection (some fields may change during transmission)
- less processor intensive than ESP
- can be run in tunnel mode and transport mode


Encapsulating Security Payload (ESP)
- encapsulates data payload
- origin authentication
- anti-replay protection
- data confidentiality
- more processor intensive than AH
- requires strong cryptography (processor overhead)
- can be run in tunnel mode and transport mode
- Header Fields
  - contains "Security Parameters Index" (SPI)
    - identifies the correct security association for the communication
  - Sequence Number (for anti-replay protection)
- Trailer Fields
  - Padding for encryption alignment
  - Padding Length - self explanatory
  - Next Header - identifies the protocol number of the next header in the diagram
- Fields that can be encrypted
  - Padding
  - Pad Length
  - Next Header


ESP w/ HMAC
- ESP encrypted with AH for authentication
- provides confidentiality, anti-replay protection, integrity
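The field lists in the three ESP sections above (header, body, trailer, ICV, and the sequence number that drives anti-replay) become concrete when you build and parse a packet. The following is an added example, not code from these notes or from any IPsec implementation: it encapsulates a constructed TCP segment in transport mode, pads the trailer to a block boundary, appends an HMAC-SHA-256 ICV over the header and ciphertext, and on the receive side checks the SPI, the ICV and a 64-entry anti-replay window before decrypting. The keys are constructed, and the "cipher" is a SHA-256 keystream stand-in so the block runs with the standard library only; it is not a cipher IKE would negotiate.

```python
# Added example (not from the notes): ESP packet layout, ICV check and the
# anti-replay window fed by the sequence number. Standard library only.
import hashlib
import hmac
import struct

BLOCK = 16        # pad payload + trailer to a 16-byte boundary (AES block size)
ICV_LEN = 16      # truncated ICV, as HMAC-SHA-256-128 would produce


def keystream(key, spi, seq, length):
    """Stand-in keystream so the example runs offline (NOT a real IPsec cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, counter)).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(enc_key, auth_key, spi, seq, inner, next_header):
    """ESP header (SPI, seq) + encrypted payload and trailer + ICV."""
    pad_len = (-(len(inner) + 2)) % BLOCK                  # room for Pad Length + Next Header
    padding = bytes(range(1, pad_len + 1))                  # RFC 4303 default pad bytes 1,2,3,...
    plaintext = inner + padding + bytes([pad_len, next_header])   # payload + trailer
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, spi, seq, len(plaintext))))
    header = struct.pack("!II", spi, seq)                   # SPI and sequence number stay in the clear
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


class InboundSA:
    """Receive side of one security association, selected by SPI."""

    def __init__(self, spi, enc_key, auth_key, window=64):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.window, self.highest, self.bitmap = window, 0, 0   # bit i set = (highest - i) already seen

    def _fresh(self, seq):
        if seq == 0:
            return False
        if seq > self.highest:
            return True
        behind = self.highest - seq
        return behind < self.window and not (self.bitmap >> behind) & 1

    def _mark(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, packet):
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("no SA for this SPI")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):          # integrity before anything else
            raise ValueError("ICV mismatch: packet modified in transit")
        if not self._fresh(seq):
            raise ValueError(f"sequence {seq} replayed or outside the window")
        ciphertext = body[8:]
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(self.enc_key, spi, seq, len(ciphertext))))
        pad_len, next_header = plaintext[-2], plaintext[-1]  # trailer
        self._mark(seq)
        return next_header, plaintext[:len(plaintext) - 2 - pad_len]


def demo():
    """Transport mode: the inner TCP segment (next header 6) is the protected data;
    in tunnel mode the whole original IP packet would be inner data with next header 4."""
    enc_key, auth_key = b"\x11" * 32, b"\x22" * 32   # constructed keys (IKE phase 2 derives real ones)
    spi = 0x1000ABCD
    sa = InboundSA(spi, enc_key, auth_key)
    segment = b"TCP segment bytes (constructed)"
    p1 = esp_encapsulate(enc_key, auth_key, spi, 1, segment, 6)
    p2 = esp_encapsulate(enc_key, auth_key, spi, 2, segment, 6)
    results = {"packet_len": len(p1)}
    nh2, inner2 = sa.decapsulate(p2)            # reordering inside the window is accepted
    nh1, inner1 = sa.decapsulate(p1)
    results["next_header"] = nh1
    results["inner_ok"] = inner1 == segment and inner2 == segment and nh2 == 6
    try:
        sa.decapsulate(p2)                      # same sequence number again
        results["replay_blocked"] = False
    except ValueError:
        results["replay_blocked"] = True
    tampered = p1[:12] + bytes([p1[12] ^ 0x01]) + p1[13:]   # flip one ciphertext bit
    try:
        sa.decapsulate(tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks on receive is deliberate: SPI selects the SA, the ICV is verified before the sequence number is trusted, and the window is only updated after a packet passes everything, so a forged packet can never advance the window.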


Tunnel Mode
- used for gateway-to-gateway VPN (site-to-site, B2B)
- the entire packet is encrypted
- the encrypted IP packet is placed inside of another IP packet
- the encapsulated packet will use the IP addresses configured on the tunnel endpoints for routing


Transport Mode
- used for client-server communications (AnyConnect)
- this only encrypts the payload and the ESP trailer contents
- there is no protection for the original IP address that is used for routing the packet


Transparent Mode Firewall
- layer 2 bridging mode that is transparent ... acts as a bump in the wire
- enables a VPN tunnel to form through a firewall or NAT device
- when enabled on a VPN client, encrypted packets are encapsulated in TCP or UDP packets prior to transmission


Smart Tunnels
- can be used by clients without admin access
- better performance than port forwarding


Internet Key Exchange (IKE)
- used to build Security Associations (SA)
- is a hybrid of ISAKMP, SKEME, and OAKLEY
- Phase 1
  - Phase 1 tunnel is bidirectional
  - Phase 1 tunnel is used for the management of phase 2
  - DH algorithm used to allow secure key exchange across a non-secure tunnel
  - ISAKMP is an SA built using a one-way association
  - IKE Main Mode - encryption protects the identities and the key hash
  - IKE Aggressive Mode - does not protect identities and key hash
- Phase 2 (quick mode only)
  - IPsec SAs are also unidirectional
- show crypto isakmp sa
  - MM = main mode and AG = aggressive mode
  - MM_NO_STATE = the peers have created the SA
  - MM_SA_SETUP = the peers have negotiated SA parameters
  - MM_KEY_EXCH = the peers have exchanged DH keys and have generated a shared secret
  - MM_KEY_AUTH = the peers have authenticated the SA
  - AG_NO_STATE = the peers have created the SA
  - AG_INIT_EXCH = the peers have negotiated SA parameters and have exchanged keys
  - AG_AUTH = the peers have authenticated the SA


IKE Phase 2 (IPsec)
- uses quick mode (QM)
- IPsec uses unidirectional tunnels
- Phase 2 tunnels use Phase 1 tunnels to negotiate over an encrypted tunnel


VPN Build - 5-step process
- Process initialization via interesting traffic (ACL)
  - matching extended crypto ACL
  - the matching ACL is read forward for outbound and backwards for inbound
  - crypto ACL outbound rules
    - traffic permitted by the crypto ACL is protected by IPsec
    - traffic denied by a crypto ACL is denied IPsec, but not denied transmission
  - ACL inbound rules
    - permitted traffic should be protected by IPsec; if it is not, it is dropped
  - crypto map
    - crypto map [map-name] [sequence] ipsec-isakmp
    - match address [acl_ID]
    - set peer [peer-ip]
    - set transform-set [trans-set-id]
  - apply crypto map
    - conf ter
    - int x/x
    - crypto map [map-name]
- IKE Phase 1 - IKE SA is negotiated - tunnel created (UDP port 500)
  - show crypto isakmp policy
  - crypto isakmp policy [priority_number]
    - authentication [auth_method]
    - encryption [encryption algorithm]
    - hash [hashing algorithm]
    - group [group_number]
    - lifetime [time in seconds] **in cases of mismatch, the lower value is applied
  - crypto isakmp key [key] [peer {address|hostname}]
- IKE Phase 2 - IPsec SA is negotiated (protocol 50 - ESP // protocol 51 - AH)
  - show crypto ipsec transform-set
  - crypto ipsec transform-set [name] [esp_option] [authentication_option]
    - mode [transport/tunnel]
  - crypto ipsec security-association lifetime [seconds/kilobytes] [duration]
- Secure Data Transfer
- Tunnel Termination (teardown)


- IKE Defaults
  - DH group 2, 1024-bit
  - 3DES 168-bit encryption
  - SHA-1 hash
  - 86400 seconds lifetime
  - PSK


ISAKMP Policies used to negotiate IKE phase 1 tunnels
- have one of each of the following (HAGLE)
  - H - Hash
  - A - Authentication method
  - G - Group - DH Group
  - L - Lifetime
  - E - Encryption
- 8 default policies
- non-default policies can be numbered 1 - 10,000 (1 is the best priority)
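The priority numbering and the "lower lifetime wins" rule above decide which HAGLE set a tun…nel actually ends up with. The following model is an added example, not code from these notes or from Cisco IOS: the responder walks its own policies from priority 1 upward and, for each, looks for an initiator proposal with identical hash, authentication, DH group and encryption; the agreed lifetime is the lower of the two. It then audits the agreed policy against the parameters the notes flag as no longer recommended (DH groups 1, 2 and 5; DES/3DES; MD5). The policy sets, priorities and the placeholder priority on the default policy are constructed.

```python
# Added example (not from the notes): IKE phase 1 policy matching with the
# priority and lifetime rules described in the notes, plus a weak-parameter audit.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int           # 1 is the best priority; 10000 the worst
    hash: str               # H
    authentication: str     # A
    group: int              # G (DH group)
    lifetime: int           # L (seconds)
    encryption: str         # E


# The defaults listed in the notes (DH group 2, 3DES, SHA-1, 86400 s, PSK).
# The priority value is a placeholder meaning "lowest priority", not a real IOS number.
DEFAULT_POLICY = IsakmpPolicy(99999, "sha", "pre-share", 2, 86400, "3des")


def negotiate(responder, initiator):
    """Return the agreed policy (as the responder sees it), or None if nothing matches.
    The responder's ordering decides: its best-priority policy is compared against
    every initiator proposal before its next policy is considered."""
    for rp in sorted(responder, key=lambda p: p.priority):
        for ip in sorted(initiator, key=lambda p: p.priority):
            if (rp.hash, rp.authentication, rp.group, rp.encryption) == \
               (ip.hash, ip.authentication, ip.group, ip.encryption):
                return replace(rp, lifetime=min(rp.lifetime, ip.lifetime))
    return None


WEAK_GROUPS = {1, 2, 5}            # no longer recommended per the notes (2048-bit minimum = group 14)
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}


def audit(policy):
    """List the parameters of an agreed policy that the notes flag as weak."""
    findings = []
    if policy.group in WEAK_GROUPS:
        findings.append(f"DH group {policy.group}")
    if policy.encryption in WEAK_ENCRYPTION:
        findings.append(policy.encryption)
    if policy.hash in WEAK_HASH:
        findings.append(policy.hash)
    return findings


# Constructed policy sets for two peers.
RESPONDER = [IsakmpPolicy(10, "sha256", "pre-share", 14, 3600, "aes"), DEFAULT_POLICY]
INITIATOR = [IsakmpPolicy(5, "sha", "pre-share", 2, 28800, "3des"),
             IsakmpPolicy(10, "sha256", "pre-share", 14, 86400, "aes")]


def demo():
    agreed = negotiate(RESPONDER, INITIATOR)
    fallback = negotiate([DEFAULT_POLICY], INITIATOR)      # responder left at defaults
    nothing = negotiate(RESPONDER, [IsakmpPolicy(1, "md5", "rsa-sig", 5, 86400, "aes")])
    return {"agreed": agreed, "agreed_findings": audit(agreed),
            "fallback": fallback, "fallback_findings": audit(fallback),
            "no_match": nothing}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Note that the initiator's own preference (its priority-5 3DES policy) does not win: the responder's priority-10 AES policy is examined first and finds a match. Leaving the responder on the default policy alone is what drops the tunnel back to DH group 2 and 3DES, which the audit then flags.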

Encryption
- AES
  - key space (1-256 in bits) total number of all possible permutations
  - default key space is 128 bits
  - good protection against brute force attack - 2^256 is a lot of keys
  - symmetric key
- DES
  - susceptible to brute force, insecure
  - symmetric key
- 3DES
  - runs the DES algorithm against a block of data 3 times
  - not as strong as AES
  - symmetric key
- RC4
  - symmetric key


Symmetric Encryption
- DES / 3DES
- AES
- IDEA
- RC2, RC4, RC5, RC6
- Blowfish


Asymmetric Encryption
- RSA
- DH
- ElGamal
- DSA
- ECC (Elliptic Curve)


NGE (Next-Gen Encryption)
- ECC
- AES-GCM (Galois/Counter Mode)
- ECC Digital Signature Algorithm
- SHA-256, SHA-384, SHA-512


CA - Certificate Authority
- issues identity certificates
- tracks status of certificates
- identity certificates
  - include CRL location
  - include validity date
  - include public key of certificate owner
  - include serial number
  - include issuer
  - include subject (O, OU, C)
- CRL
  - Certificate Revocation List
  - contains a full list, by serial number, of revoked certificates
- OCSP
  - Online Certificate Status Protocol
  - client sends a query for a certificate


Certificate Standards
- PKCS#1
  - RSA crypto standard
- PKCS#3
  - DH key exchange
- PKCS#7
  - used by a CA as a response to PKCS#10
- PKCS#10
  - used to request an identity certificate
- PKCS#12
  - used to store public and private key using a symmetric password to unlock when needed


Hash
- md5 (not the default hash in ASA v8.4+)
- sha
- sha256
- sha384
- sha512

DH Groups - Cisco DH minimum recommended modulus size is 2048 when NGE is not available
- 1 (default), 2, 5, 14, 15, 16, 19, 20
- 1, 2, and 5 are no longer recommended


NAT-T
- enabling isakmp nat-traversal opens UDP port 4500 on all IPsec-enabled interfaces
- encapsulates the ESP packet in UDP
- the original source and destination port will always be port 4500 prior to PAT
- after PAT the source port is changed to a random high number, and the destination port remains 4500


NAT - precedence
- static NAT with shortest prefix


PAT
- round robin configured in PAT allows the device to use the next address instead of the next port
- prevents misinterpretation as a DoS attack


Identity NAT
- effectively exempts one or more addresses from NAT
- no-nat


Firewall
- should be a part of a defense-in-depth network security strategy (layered defense strategy)
- security policies should be in writing


Stateless Firewall
- static filtering, static packet filtering, packet filtering
- ACLs are a common method of static filtering
- 5-tuple
  - source IP
  - destination IP
  - source port
  - destination port
  - protocol number
- not connection oriented, therefore susceptible to IP spoofing


Stateful Firewall
- connection oriented (therefore efficient at preventing DoS attacks)
- can operate at layers 3, 4, and 5
- uses a state table (connection table)
  - tracks TCP state
  - tracks TCP sequence numbers
- a connection initiated by an inside host is more likely to be a legitimate conversation
- does not protect against application layer attacks
- session management path
  - responsible for ACL checks, route lookups, NAT, establishing sessions in the fast path
- state tables update when a connection is created or when the connection timer expires
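A stateless filter is nothing more than the 5-tuple evaluated against an ordered list of entries, and the crypto ACL from the VPN build section is the same evaluation with a different meaning attached to the verdict. The following is an added example, not code from these notes or from Cisco IOS, serving both passages: an extended-ACL evaluator with IOS wildcard masks, top-down first match and the implicit deny, reused as a crypto ACL that is read forward for outbound (permit = protect, deny = send in the clear) and mirrored for inbound (permitted traffic that arrives unprotected is dropped). The ACLs and packets are constructed.

```python
# Added example (not from the notes): a 5-tuple ACL evaluator, reused for
# crypto-ACL semantics (forward for outbound, mirrored for inbound).
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp"
    src: str                     # "any" or "<network> <wildcard>"
    dst: str
    dport: Optional[int] = None  # extended ACLs may also match the destination port


def wildcard_match(address, spec):
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    if spec == "any":
        return True
    network, wildcard = spec.split()
    a = int(ipaddress.ip_address(address))
    n = int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care


def evaluate(acl, pkt):
    """Top-down; the first matching entry decides; nothing matched = implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], ace.src) and wildcard_match(pkt["dst"], ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        return ace.action
    return "deny"


def crypto_outbound(crypto_acl, pkt):
    """permit = protect with IPsec; deny = not protected, but still sent in the clear."""
    return "ipsec" if evaluate(crypto_acl, pkt) == "permit" else "clear"


def crypto_inbound(crypto_acl, pkt, arrived_protected):
    """The crypto ACL is read backwards for inbound: swap source and destination.
    Traffic the mirrored ACL permits must have arrived inside IPsec, or it is dropped."""
    mirrored = dict(pkt, src=pkt["dst"], dst=pkt["src"])
    must_be_protected = evaluate(crypto_acl, mirrored) == "permit"
    if must_be_protected and not arrived_protected:
        return "drop (clear text where IPsec is required)"
    return "accept"


# Constructed ACLs: a stateless filter and a site-to-site crypto ACL.
FIREWALL_ACL = [
    Ace("permit", "tcp", "any", "192.0.2.0 0.0.0.255", 443),
    Ace("permit", "udp", "10.0.0.0 0.0.0.255", "any", 53),
    Ace("deny", "ip", "any", "any"),
]
CRYPTO_ACL = [Ace("permit", "ip", "10.0.0.0 0.0.0.255", "10.1.0.0 0.0.0.255")]


def demo():
    return {
        "https_to_dmz": evaluate(FIREWALL_ACL, {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.10", "dport": 443}),
        "ssh_to_dmz": evaluate(FIREWALL_ACL, {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.10", "dport": 22}),
        "dns_from_lan": evaluate(FIREWALL_ACL, {"proto": "udp", "src": "10.0.0.9", "dst": "8.8.8.8", "dport": 53}),
        "dns_from_other": evaluate(FIREWALL_ACL, {"proto": "udp", "src": "10.1.0.9", "dst": "8.8.8.8", "dport": 53}),
        "vpn_out": crypto_outbound(CRYPTO_ACL, {"proto": "tcp", "src": "10.0.0.5", "dst": "10.1.0.7"}),
        "internet_out": crypto_outbound(CRYPTO_ACL, {"proto": "tcp", "src": "10.0.0.5", "dst": "8.8.8.8"}),
        "vpn_in_protected": crypto_inbound(CRYPTO_ACL, {"proto": "tcp", "src": "10.1.0.7", "dst": "10.0.0.5"}, True),
        "vpn_in_clear": crypto_inbound(CRYPTO_ACL, {"proto": "tcp", "src": "10.1.0.7", "dst": "10.0.0.5"}, False),
        "internet_in_clear": crypto_inbound(CRYPTO_ACL, {"proto": "tcp", "src": "8.8.8.8", "dst": "10.0.0.5"}, False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

The stateless evaluator has no memory: a spoofed packet that fits a permit entry is accepted regardless of whether anyone inside ever started that conversation, which is the IP-spoofing weakness the notes mention. The `vpn_in_clear` case is the inbound crypto-ACL rule in action: the mirrored ACL says this flow must be IPsec, so a clear-text copy is discarded.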


Application Layer Firewall (NextGen)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd8058ec85.html
- can authenticate individuals
- offers some protection against DoS attacks
- combines firewall and IPS
- scans for known malicious attacks
- provides protection for some applications
- provides reverse proxy services
- application blocking blocks specific applications


CBAC:
- Context-Based Access Control
- Cisco IOS Firewall feature set
- temporary dynamic rules that are implemented in stateful firewalls to allow return traffic
- CBAC rules are granular down to protocol, source/destination IP addresses and ports
- requires inspection to be present
- inspection rules are applied after access rules
- these rules operate at layer 3 and/or 4
- these rules are removed at the end of the session
- prevents tampering/spoofing


CCP (Cisco Configuration Professional) - GUI for IOS-based firewalls
- http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html
- IP unicast reverse-path forwarding check
  - ensures loop-free forwarding (unicast and multicast) and helps prevent IP spoofing
- ip http server and ip http secure-server generate the crypto pki trustpoint used to manage the router via CCP
- HTTP/HTTPS is required - ip http server or ip http secure-server


Cisco IOS IPS
- uses underlying routing infrastructure to provide an extra layer of protection
- inline deep-packet-inspection-based, used to mitigate network attacks
- risk-rating-based signature event action processor
- string-tcp signature micro-engine (SME)
  - can have the greatest impact on Cisco IOS IPS performance
- SDEE is required - ip ips notify SDEE
  - message types are All, Error, Status, Alerts
  - filtering can be configured based on message types


Proxy Firewall
- a proxy firewall is the middleman for a connection
- protects against cross-site scripting attacks (XSS - injects malicious scripts into webpages)


Cisco IOS Zone-Based Firewall
- ZFW = zone-based policy firewall
- Cisco's latest deployment of stateful zone-based firewalls
- does not support the inspection of IGMP (Internet Group Management Protocol)
  - IGMP is a multicast protocol; ZFW does not support the stateful inspection of multicast traffic
- can operate in transparent mode
- Trend Micro TRSP (Trend Router Provisioning Service)
  - cloud-based subscription for URL filtering
- Websense / Secure Computing SmartFilter
  - local server-based method of URL filtering
- only CoPP can protect the control plane against multicast traffic
- zones are logical groups of interfaces
  - a zone must be configured before it can be assigned
  - an interface does not need to be in a zone
  - an interface can only belong to 1 zone
  - traffic flows freely between interfaces in the same zone
  - by default traffic does not flow at all between interfaces in different zones
  - traffic generated on the local router is "exiting the self-zone"
  - traffic destined to the local router is "entering the self-zone"
- Zone Pairs
  - zone pairs are a unidirectional set of rules that will be applied to inter-zone traffic
  - zone pairs only point one way
  - bidirectional traffic requires 2 zone pairs, one for each direction
  - inter-zone traffic is not allowed by default
  - traffic can be allowed via "permission" or "inspection"
    - "permit" does not generate a state table entry, so return traffic is not allowed (unless another zone pair exists)
    - "inspect" generates an entry in the state table so a reply is allowed
- Self Zone
  - it can be the source or destination zone
  - it supports stateful inspection of multicast traffic

Zone-Based Firewall
- can only either drop or broadcast traffic
838 - can only either drop or broadcast traffic
839
840ASA Firewalls
841 - uses numeric security levels 0 - 100 (least secure is 0)
842 - by default, telnet is disabled on interfaces with the lowest security interface with the exception of security level 100
843 - by default - traffic sourced from a higher rated interface is allowed to pass to a lower rated interface
844 - by default a security level tie needs a rule to permit traffic
845 - interface rules take precedent over global rules
846 - global rules take precedent over implicit rules
847 - Multiple Context mode
848 - Does not support RIP, OSPFv3, Multicast routing, UC, Threat Detection, QoS
849 - you can only delete a context by editing the system configuration
850 - attribute maps
851 - there are no limits to the number of ldap-attribute-maps
852 - no limits to the number of attributtes that can be configured per ldap-attribute-map
853 - ldap-attribute map has a limitation with multi-valued attributes such as AD group memberof attribute lists
854 - Tunnel-group password management command
855 - expired password rejection messages are sent as MSCHAPv2 error 648
856 - allows users with expired passwords to update their password
857 - forces the authentication protocol to MSCHAPv2 (default is PAP)
858 - the client is presented with a "new password" and "confirm password" dialog box
859 - show conn command
860 - Flags
861https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html
862 - The flags used by an ASA's connection state database are dependent on the direction of the connection
863 - a = awaiting ack response to the syn that was initiated from inside
864 - A = awaiting inside ack to syn (initiated from outside)
865 - s = awaiting syn segment - initiated from outside
866 - S = awaiting syn segment - initiated from inside
867 - U = indicates the 3-way handshake is complete
868 - B = first tcp connection after handshake for connections initiated from the outside
869 - I = data has been passed from the outside to the inside
870 - O = data has been passed from the inside to the outside
871 - NAT on ASA
872 - NAT can be implemented 2 ways on an ASA, network object NAT or twice NAT
873 - Twice NAT can specify source and destination NAT addresses in a single rule
874 - Twice NAT is more scalable
875 - Network object NAT is easier to configure
876 - Network Object NAT requires 2 rules to translate source and destination addresses
877 - NAT order of operations
878 - Twice NAT - first match, manual order
879 - Network Object NAT = 1. static rules, 2. Dynamic rules
880 - 8.2- code
881 -
882 - 8.4+ code
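A parser for "show conn" output that decodes the flags listed under the show conn notes above and pulls out the connections an analyst would look at first (outside-initiated sessions that have already passed data inward, and half-open sessions). This is an added example, not Cisco code or the original notes; the flag table is limited to the flags the notes list, the sample output is constructed, and treating a connection without the B flag as inside-initiated is an assumption.

```python
"""Parser for ASA 'show conn' lines that decodes the state flags (added example,
not Cisco code; the sample output is constructed)."""
import re

# Flag meanings as given in the notes (the ASA has more flags than these)
FLAG_MEANINGS = {
    "a": "awaiting ACK to SYN (connection initiated from inside)",
    "A": "awaiting inside ACK to SYN (connection initiated from outside)",
    "s": "awaiting SYN segment (connection initiated from outside)",
    "S": "awaiting SYN segment (connection initiated from inside)",
    "U": "3-way handshake complete (up)",
    "B": "connection initiated from the outside",
    "I": "data passed from outside to inside",
    "O": "data passed from inside to outside",
}

# e.g. "TCP outside 203.0.113.5:443 inside 10.1.1.10:51234, idle 0:00:05, bytes 18342, flags UIO"
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<if_a>[^\s,]+)\s+(?P<addr_a>[^\s,]+)\s+(?P<if_b>[^\s,]+)\s+(?P<addr_b>[^\s,]+),?"
    r"\s+idle\s+(?P<idle>[^\s,]+),?\s+bytes\s+(?P<bytes>\d+)(?:,?\s+flags\s+(?P<flags>\S+))?"
)


def decode_flags(flags):
    """Human-readable meaning for each known flag character ('-' means no flags)."""
    return [FLAG_MEANINGS.get(f, f"unknown flag {f}") for f in flags if f != "-"]


def parse_show_conn(text):
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags") or "-"
        conns.append({
            "proto": m.group("proto"),
            "if_a": m.group("if_a"), "addr_a": m.group("addr_a"),
            "if_b": m.group("if_b"), "addr_b": m.group("addr_b"),
            "idle": m.group("idle"),
            "bytes": int(m.group("bytes")),
            "flags": flags,
            # UDP/ICMP have no handshake; for TCP only 'U' means the session is established
            "established": m.group("proto") != "TCP" or "U" in flags,
            # 'B' marks an outside-initiated connection; without it the connection is treated as inside-initiated (assumption)
            "initiated_from": "outside" if "B" in flags else "inside",
        })
    return conns


def outside_initiated_with_inbound_data(conns):
    """Triage helper: established TCP sessions opened from the outside that already carried data inward."""
    return [c for c in conns
            if c["proto"] == "TCP" and c["initiated_from"] == "outside" and c["established"] and "I" in c["flags"]]


def embryonic(conns):
    """TCP sessions still in the handshake; a large number of these is what a SYN flood looks like in this table."""
    return [c for c in conns if c["proto"] == "TCP" and not c["established"]]


# Constructed sample in the 'show conn' layout (not captured from a real device)
SAMPLE_OUTPUT = """\
TCP outside 203.0.113.5:443 inside 10.1.1.10:51234, idle 0:00:05, bytes 18342, flags UIO
TCP outside 198.51.100.7:443 inside 10.1.1.20:51000, idle 0:00:01, bytes 0, flags saA
TCP outside 198.51.100.9:52000 dmz 192.0.2.80:22, idle 0:02:10, bytes 9120, flags UIOB
UDP outside 192.0.2.53:53 inside 10.1.1.10:40000, idle 0:00:00, bytes 140, flags -
"""

if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_OUTPUT)
    for c in conns:
        print(c["proto"], c["addr_a"], "<->", c["addr_b"], c["flags"], decode_flags(c["flags"]))
    for c in outside_initiated_with_inbound_data(conns):
        print("review:", c["addr_a"], "->", c["addr_b"])
```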
883
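The NAT order of operations from the notes (twice NAT first in manual order, then network object NAT with static rules before dynamic ones) as a first-match rule lookup. This is an added example, not ASA code or the original notes; the rule base is constructed, and the tie-breaks inside the object NAT section (fewer real addresses first, then lower address, then object name) reflect my reading of the ASA NAT documentation and are an assumption here.

```python
"""Model of the ASA NAT lookup order (added example, not ASA code): manual
twice NAT rules (section 1) are checked first in the order the administrator
placed them, then network object NAT (section 2), static before dynamic."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    name: str
    section: str          # "twice" (manual, section 1) or "object" (auto, section 2)
    nat_type: str         # "static" or "dynamic"
    real_src: str         # real (untranslated) source network in CIDR form
    mapped_src: str
    real_dst: Optional[str] = None   # only twice NAT can also match on the destination
    position: int = 0                # line position for twice NAT (section 1 is manually ordered)

    def matches(self, src_ip, dst_ip):
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.real_src):
            return False
        if self.real_dst is not None and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.real_dst):
            return False
        return True


def lookup_order(rule):
    """Sort key reproducing the order in which the rules are evaluated."""
    net = ipaddress.ip_network(rule.real_src)
    if rule.section == "twice":
        return (0, rule.position, 0, 0, "")
    # section 2: static before dynamic, then fewer real addresses, then lower address, then name (assumption)
    return (1, 0 if rule.nat_type == "static" else 1, net.num_addresses, int(net.network_address), rule.name)


def find_nat_rule(rules, src_ip, dst_ip):
    """First-match lookup over the rules sorted into evaluation order."""
    for rule in sorted(rules, key=lookup_order):
        if rule.matches(src_ip, dst_ip):
            return rule
    return None


# Constructed rule base (documentation address ranges, not a real deployment)
RULES = [
    NatRule("inside-pat", "object", "dynamic", "10.1.0.0/16", "203.0.113.1"),
    NatRule("branch-pat", "object", "dynamic", "10.1.2.0/24", "203.0.113.2"),
    NatRule("web-static", "object", "static", "10.1.1.10/32", "203.0.113.10"),
    # identity NAT for traffic heading into the site-to-site VPN, placed first in section 1
    NatRule("vpn-exempt", "twice", "static", "10.1.0.0/16", "10.1.0.0/16", real_dst="172.16.0.0/16", position=1),
]


def explain(src_ip, dst_ip, rules=RULES):
    rule = find_nat_rule(rules, src_ip, dst_ip)
    return rule.name if rule else "no translation"


if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "172.16.5.5"), ("10.1.1.10", "198.51.100.1"),
                     ("10.1.2.20", "198.51.100.1"), ("192.168.9.9", "198.51.100.1")]:
        print(f"{src:>14} -> {dst:<14} {explain(src, dst)}")
```

Note the first case: the web server's own /32 static rule is more specific, but the twice NAT exemption wins because section 1 is always consulted before object NAT. That is the usual reason VPN traffic stops being translated correctly after someone adds a "more specific" object NAT rule and expects it to take effect.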
884
885ASDM:
886 - VPN
887 - Add internal Group Policy
888 - group policy name
889 - banner message
890 - tunneling protocols
891 - Connection profiles, tunnel-groups, and Groups (from client perspective) all refer to the same thing
892 - Client (AnyConnect)
893 - VLAN restrictions are configured in the "General" pane
894 - Secured Routes indicate split-tunneling is enabled.
895 - The secured routes point traffic across the vpn tunnel.
896 - Clientless
897 - Default profile for SSL VPN is DefaultWEBVPNGroup
898 - Default profile for IPSec VPN is DefaultRAGroup
899 - Default profile for L2L VPN is DefaultL2LGroup
900 - Add SSL VPN Connection Profile dialog box
901 - The SSL VPN screen is where you add Group URLs
902 - Group-URL command:
903 - Specifying a group URL or IP address eliminates the need for the user to select a group at login.
904 - When a user logs in, the adaptive security appliance looks for the user's incoming URL/address in the tunnel-group-policy table.
905 - If it finds the URL/address and if group-url is enabled in the tunnel group, then the adaptive security appliance automatically selects the associated tunnel group and presents the user with only the username and password fields in the login window.
906 - This simplifies the user interface and has the added advantage of never exposing the list of groups to the user. The login window that the user sees uses the customizations configured for that tunnel group.
907 - DefaultGrpPolicy
908 - It is the default policy for DefaultRAGroup and DefaultWEBVPNGroup connection profiles
909 - It cannot be deleted
910 - it can be assigned to user profiles
911 - it can be modified to fit your needs
912 - Connection Profiles
913 - does not display tunneling protocols
914 - checkbox to allow users to select/choose their connection profile
915
916
917IDS / IPS
918 - (distributed protection model) can be deployed to branch offices to protect against malicious traffic prior to reaching the core network
919 - IDS - collects mirrored traffic (span/rspan) (promiscuous mode)
920 - IPS - typically inline, inside the router and firewall
921 - deny attacker inline - matches offending host ip and denies for a configured amount of time
922 - deny attacker service pair inline - matches offending host's ip AND destination port and denies packets
923 - deny attacker victim pair inline - matches offending host's ip AND destination ip and denies packets
924 - deny connection inline - communications using a particular tcp flow are blocked
925 - deny packet inline - specific packet from offending host is blocked
926 - modify packet inline - modifies the offensive part of a packet and forwards
927 - Defined rules can be configured to take an action based on a triggered signature (compares network traffic)
928 - false negatives can be discovered using third-party penetration testing
929 - less secure but allows greater throughput
930 - blacklisting by security zone can streamline performance on an IPS device (block what needs to be blocked on a per-zone basis)
931 - IPS in promiscuous mode
932 - can request connection blocking
933 - can reset the tcp connection
934 - can request host blocking
935 - HIPS
936 - host based IPS
937 - Needs to be supported on multiple OSes
938 - Does not protect PC's outside the organization
939 - Success/Failure of an attack can be readily determined
940 - Detection types
941 - Signature (rules) Based
942 - preloaded signatures that detect malicious activity
943 - Policy Based
944 - manually configured policies
945 - Anomaly Based - aka profile-based
946 - detects anomalies in traffic flows
947 - relies on a baseline of what is "expected behaviour/values"
948 - can be used to detect worms that spread through the network
949 - requires the least amount of updates
950 - Reputation Based
951 - learning bad reputation from other sensors (cloud-based) or trusted hosts
952
953
954TACACS:
955 - single-connection = open a single connection to the tacacs server to process requests
956 - http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html
957 - AAA Authentication
958 - Ports 445 and 389 need to be open to authenticate against Active Directory
959 - default response timeout is 5 seconds
960 - tacacs server timeout [value] = seconds it will wait for a response
961 - tacacs-server host timeout value overrides tacacs-server timeout value
962 - Split ACS Deployment
963 - primary and secondary servers can be used for different, specialized operations such as network access and device administration
964 - Typically deployed in a cluster
965
966
967TACACS / RADIUS
968 - TACACS
969 - ASCII
970 - PAP
971 - CHAP
972 - MS-CHAPv1
973 - RADIUS
974 - PAP
975 - CHAP
976 - MS-CHAPv1
977 - MS-CHAPv2
978
979
980Radius
981 - Uses UDP
982 - Only encrypts the password
983 - Combines authentication and authorization
984
985
986ISE
987 - Microsoft Network Device Enrollment Service (NDES)
988 - Uses Simple Certificate Enrollment Protocol (SCEP)
989 - Can act as a SCEP proxy to enable the device to receive a certificate from a central CA server
990
991
992MGMT:
993 - in-band management uses remote access protocols like ssh, http, https, telnet, snmp, etc.
994 - out-of-band management accesses the devices outside of the standard network band (e.g. dial-in)
995
996
997Cisco Email Security Appliance
998 - can mitigate impact of snowshoe spam
999 - can mitigate impact of sophisticated phishing
1000
1001
1002Debugs
1003 - debug crypto isakmp
1004 - can be used to troubleshoot ISAKMP negotiation and psk mismatches
1005
1006
1007FirePower / SourceFire (IPS module)
1008 - FirePOWER has a dedicated preprocessor for back orifice
1009 - Firepower inline normalization
1010 - Cannot detect TCP Syn flood attacks
1011 - Cannot detect TCP session hijacking
1012 - reduces malicious traffic from evading detection
1013 - takes place immediately after the IPS Decoder decodes the packet
1014 - SourceFire IPS
1015 - Policy-Based preprocessor blocks traffic according to IP/Network reputation
1016 - to reduce false positives from a trusted source, you can configure an allow action with an intrusion policy
1017 - to reduce false positives from a trusted source, you can configure a trust action
1018 - Rate-Based prevention preprocessor
1019 - can be used to mitigate syn flood attacks
1020 - DCE/RPC preprocessor
1021 - Distributed Computing Environment / Remote Procedure Call packet inspection
1022 - connection oriented - TCP (port 135), SMB (port 139), NetBIOS (445), RPC over HTTP (80)
1023 - connectionless - UDP (port 135)
1024 - firewalls typically block port 539 by default
1025 - DNS preprocessor
1026 - Inspects DNS responses
1027 - Protects from Overflow attempts on RData text fields
1028 - Protects from Obsolete/Experimental DNS resource record types
1029 - Menu : Policies -> Access Control -> Network Analysis Policy .. or .. Policy -> Access Control -> Intrusion -> Network Analysis Policy
1030 - FTP/Telnet Decoder
1031 - Analyze FTP and Telnet data streams
1032 - permits stateless and stateful inspections
1033 - detects encrypted sessions
1034 - detects telnet subnegotiations
1035 - HTTP Inspect Preprocessor
1036 - decoding/normalizing HTTP requests
1037 - normalize javascript feature
1038 - Sun RPC Preprocessor
1039 - Typical RPC ports are 111 and 32771
1040 - SIP Preprocessor
1041 - The Session Initiation Protocol (SIP) is a communications protocol for signaling and controlling multimedia communication sessions
1042 - Used in applications of Internet telephony voice and video calls, in private IP telephone systems, as well as in instant messaging over Internet Protocol (IP) networks.
1043 - SIP sets up connections for RTP
1044 - GTP Preprocessor (General Packet Radio Service (GPRS) Tunneling Protocol (GTP))
1045 - ESA - Email Security Appliance IMAP, POP3, and SMTP preprocessors
1046 - IMAP, POP3, and SMTP preprocessors are able to extract and decode email attachments
1047 - checks file attachments against a file policy
1048 - TCP port 25 is used for SMTP
1049 - if users are able to access content that should be blocked, the connection to the Cisco Cloud Security proxy has timed out
1050 - CASE
1051 - context adaptive scanning engine
1052 - does not check the reputation of the receiver
1053 - intended to detect email threats as they are received
1054 - SSH Preprocessor
1055 - Detects: Challenge-Response Buffer Overflow exploit
1056 - detects crc-32 exploit
1057 - SecureCRT SSH Client Buffer Overflow exploit
1058 - SSL Preprocessor
1059 - SSL inspection
1060 - detects heartbleed
1061 - AMP = Cisco Advanced Malware Protection for endpoint
1062 - URL filtering subscription services filter traffic that matches predefined categories
1063 - Outbreak Control
1064 - can prevent specific programs from running
1065 - provides granular control over which applications can be blocked or whitelisted
1066
1067
1068Web Security Appliance (WSA):
1069 - Application Visibility and Control (AVC)
1070 - capable of blocking specific features on web pages
1071
1072
1073 - NAT
1074 - rules follow a first match basis
1075
1076
1077FireSIGHT
1078 - Impact Message Levels
1079 - 0 (GRAY) unknown vulnerability
1080 - source/destination host is not on a monitored network
1081 - 1 (RED) vulnerable
1082 - the source or the destination host is in the network map, and a vulnerability is mapped to the host
1083 - the source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software
1084 - 2 (ORANGE) potential vulnerability
1085 - Either the source or the destination host is in the network map and one of the following is true
1086 - for port-oriented traffic, the port is running a server application protocol
1087 - for non-port-oriented traffic, the host uses the protocol
1088 - 3 (YELLOW) currently not vulnerable
1089 - Either the source or the destination host is in the network map and one of the following is true
1090 - for port-oriented traffic (for example, TCP or UDP), the port is not open
1091 - for non-port-oriented traffic (for example, ICMP), the host does not use the protocol
1092 - 4 (BLUE) unknown target
1093 - Either the source or destination host is on a monitored network, but there is no entry for the host in the network map.
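The impact-level decision tree above, written out as code so the conditions can be checked against constructed events. This is an added example, not Cisco code or the original notes; the monitored networks, network-map entries and events are constructed, and combining the source and destination hosts by taking the more severe of their two results is my assumption.

```python
"""Decision logic behind the FireSIGHT impact levels (added example, not Cisco
code). Per-host classification follows the notes; taking the more severe of
the two hosts' results is an assumption."""
import ipaddress
from dataclasses import dataclass, field

IMPACT_LABELS = {0: "GRAY unknown vulnerability", 1: "RED vulnerable", 2: "ORANGE potential vulnerability",
                 3: "YELLOW currently not vulnerable", 4: "BLUE unknown target"}
SEVERITY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}   # rank used to pick the more severe of two per-host results


@dataclass
class HostEntry:
    """Network-map entry for one host (constructed for the example)."""
    vulnerable: bool = False        # a vulnerability the event targets is mapped to the host, or it is flagged compromised
    open_ports: set = field(default_factory=set)   # (proto, port) pairs the host is known to serve
    protocols: set = field(default_factory=set)    # non-port protocols the host is known to use, e.g. "icmp"


@dataclass
class IntrusionEvent:
    src: str
    dst: str
    proto: str          # "tcp" / "udp" (port-oriented) or e.g. "icmp"
    src_port: int = 0
    dst_port: int = 0


def host_impact(ip, port, event, monitored_nets, network_map):
    """Impact level contributed by one host of the event ('port' is the port on that host's side)."""
    if not any(ipaddress.ip_address(ip) in net for net in monitored_nets):
        return 0                         # not on a monitored network
    entry = network_map.get(ip)
    if entry is None:
        return 4                         # monitored, but no network-map entry yet
    if entry.vulnerable:
        return 1
    if event.proto in ("tcp", "udp"):
        return 2 if (event.proto, port) in entry.open_ports else 3
    return 2 if event.proto in entry.protocols else 3


def impact_level(event, monitored_nets, network_map):
    levels = [host_impact(event.src, event.src_port, event, monitored_nets, network_map),
              host_impact(event.dst, event.dst_port, event, monitored_nets, network_map)]
    return min(levels, key=SEVERITY.__getitem__)


# Constructed environment: two monitored networks, two profiled hosts
MONITORED = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.1.0.0/16")]
NETWORK_MAP = {
    "192.0.2.80": HostEntry(open_ports={("tcp", 80), ("tcp", 443)}, protocols={"icmp"}),
    "192.0.2.22": HostEntry(vulnerable=True, open_ports={("tcp", 22)}),
}
EVENTS = [
    IntrusionEvent("198.51.100.7", "192.0.2.80", "tcp", 51000, 80),     # open web port, no mapped vuln -> 2
    IntrusionEvent("198.51.100.7", "192.0.2.80", "tcp", 51001, 8080),   # port not open -> 3
    IntrusionEvent("198.51.100.7", "192.0.2.22", "tcp", 51002, 22),     # vulnerability mapped -> 1
    IntrusionEvent("198.51.100.7", "192.0.2.99", "tcp", 51003, 80),     # monitored, not in the map -> 4
    IntrusionEvent("198.51.100.7", "203.0.113.9", "tcp", 51004, 80),    # neither host monitored -> 0
    IntrusionEvent("198.51.100.7", "192.0.2.80", "icmp"),               # host uses ICMP -> 2
]


def classify(events=EVENTS):
    return [impact_level(e, MONITORED, NETWORK_MAP) for e in events]


if __name__ == "__main__":
    for e, level in zip(EVENTS, classify()):
        print(f"{e.src} -> {e.dst}:{e.dst_port}/{e.proto}  impact {level} {IMPACT_LABELS[level]}")
```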
1094
1095
1096Cloud Web Security Appliance/Service
1097 - Cisco service offered to protect against web based attacks
1098
1099
1100Cloud Computing:
1101 - Software as a Service (SaaS)
1102 - Consumer uses Providers applications running on cloud infrastructure
1103 - Platform as a Service (PaaS)
1104 - capability provided to the consumer to upload consumer-created or acquired applications to cloud infrastructure
1105 - Infrastructure as a Service (IaaS)
1106 - capability provided to the consumer to provision processing, storage, networks, and other computing resources where the consumer manages software on the infrastructure
1107
1108
1109MobileIron with ISE (BYOD infrastructure)
1110 - Selective Wipe
1111 - removes the MDM profile and all of its subprofiles
1112 - does not remove CA certificate for the WiFi profile installed by ISE
1113 - does not quarantine device
1114 - Cisco ESA = Email Security Appliance
1115 - DDOS is not an email based attack
1116 - Bluetooth status is not an available policy
1117 - Supports device restrictions and device compliance
1118 - Ability to push notifications
1119 - content distribution (bookmarks, contacts, etc.)
1120 - BYOD Best Practice
1121 - permit BOOTP, TFTP, and DNS
1122 - ability to report the device as lost/stolen
1123 - ability to initiate a PIN lock
1124
1125https://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/MobileIronISE.pdf
1126
1127
1128What is the primary purpose of the ISR (integrated services router) in the BYOD Solution?
1129 - provide connectivity in the home office back to campus
1130
1131
1132Cisco Unified Access
1133 - MDM = Mobile Device Management
1134 - By default, a Cisco ISE node is preinstalled with a self-signed certificate that is used for EAP authentication, Admin portal, portals, and pxGrid controller.
1135 - does not deploy software updates to BYOD devices
1136 - PIN enforcement
1137 - JailBreak/Root detection
1138 - Data Encryption enforcement
1139 - Remote Data Wipe
1140 - Data Loss Prevention
1141 - Application Tunnels
1142
1143
1144SSC = Cisco Secure Services Client
1145 - uses EAP, WPA, and WPA2
1146
1147
1148802.1x
1149 - PEAP - Protected Extensible Authentication Protocol
1150 - requires digital certificates to be installed on the server but not on the client
1151 - EAP-TLS - Extensible Authentication Protocol over TLS
1152 - requires a certificate on the client and the server
1153 - LEAP
1154 - does not require certificates
1155 - uses RADIUS
1156 - Cisco invented
1157 - EAP-FAST - extensible authentication protocol flexible authentication over secure tunneling
1158 - does not require certificates
1159 - uses Protected Access Credentials. V2 implemented support for TLS 1.2
1160 - Cisco invented
1161 - EAP-FAST with EAP chaining (EAP-FASTv2)
1162 - can authenticate a user and a device in a single EAP transaction
1163 - Auth Fail = when a client fails authentication x-times, the port can be placed in a restricted vlan
1164 - authentication order vs priority
1165 - authentication order dictates in what order authentication occurs
1166 - priority dictates which method's result takes precedence
1167 - when authentication order does not match priority order, authentication order represents the sequence of events and priority represents the required authentications
1168 - example: auth.order = mab dot1x and priority = dot1x mab ... mab happens first, but 802.1x is still required
1169 - if the MAC address is not in the mab database, and there is no response to 802.1x, the no-response method can be triggered
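The order-versus-priority example from the notes as a small port state machine: methods are tried in configured order, and a method that succeeds later can take over the port only if it outranks the method that already authorized it. This is an added example, not Cisco code or the original notes; the RADIUS outcomes are constructed, and the preemption rule is my understanding of the IOS behaviour rather than something the notes state.

```python
"""Model of 802.1X/MAB 'authentication order' versus 'authentication priority'
(added example, not Cisco code). Order is the sequence in which the switch
tries methods; priority decides whether a later success may replace the
authorization already granted by another method (assumption)."""


class AuthPort:
    def __init__(self, order, priority):
        self.order = list(order)          # e.g. ["mab", "dot1x"]
        self.priority = list(priority)    # e.g. ["dot1x", "mab"], highest priority first
        self.authorized_by = None
        self.events = []

    def initial_auth(self, outcomes):
        """Try each method in configured order; 'outcomes' maps method -> 'success' | 'fail' | 'timeout'
        (constructed results). Returns the method that authorized the port, or None."""
        for method in self.order:
            result = outcomes.get(method, "timeout")
            self.events.append((method, result))
            if result == "success":
                self.authorized_by = method
                return method
        # every method failed or timed out: this is where the auth-fail / no-response VLAN handling applies
        return None

    def late_success(self, method):
        """A method succeeding after the port is already authorized, e.g. a supplicant that starts EAPOL
        after MAB has passed. It takes over only if it outranks the current method in the priority list."""
        self.events.append((method, "success"))
        if self.authorized_by is None or self.priority.index(method) < self.priority.index(self.authorized_by):
            self.authorized_by = method
            return True
        return False


def walkthrough():
    """The example from the notes: order = mab dot1x, priority = dot1x mab."""
    port = AuthPort(order=["mab", "dot1x"], priority=["dot1x", "mab"])
    first = port.initial_auth({"mab": "success"})     # MAB runs first and passes
    preempted = port.late_success("dot1x")            # the supplicant then completes 802.1X, which outranks MAB
    # opposite priority: a later 802.1X success may not displace the MAB authorization
    port2 = AuthPort(order=["mab", "dot1x"], priority=["mab", "dot1x"])
    port2.initial_auth({"mab": "success"})
    not_preempted = port2.late_success("dot1x")
    # unknown MAC and a silent host: both methods are exhausted and nothing authorizes the port
    port3 = AuthPort(order=["mab", "dot1x"], priority=["dot1x", "mab"])
    nobody = port3.initial_auth({"mab": "fail", "dot1x": "timeout"})
    return {"first": first, "final": port.authorized_by, "preempted": preempted,
            "not_preempted": not_preempted, "port2_final": port2.authorized_by,
            "nobody": nobody, "port3_events": port3.events}


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:13s} {value}")
```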
1170
1171
1172
1173NTP
1174 - only authenticates the time source
1175 - show clock
1176 - "our_master" indicates ntp server the local device is synchronized to
1177 - " " means authoritative and synchronized
1178 - "." means the time is authoritative but not synchronized
1179 - "*" means not-authoritative
1180 - show ntp associations
1181 - "*" NTP is synchronized and this is the master