CCNA Security Chapter 2
Securing Network Devices

2.1.1.1 Describe an edge router:
The edge router is the last router between the internal network and an untrusted network such as the Internet. All of an organization's Internet traffic goes through this edge router; therefore, it often functions as the first and last line of defense for a network.

2.1.1.3 Describe three critical areas of router security:
Physical security: Place the router and the physical devices that connect to it in a secure, locked room that is accessible only to authorized personnel, is free of electrostatic or magnetic interference, and has controls for temperature and humidity. Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a DoS condition caused by loss of power to the building.
2.1.1.4 Describe the important tasks involved in securing administrative access:
Restrict device accessibility - Limit the accessible ports, restrict the permitted communicators, and restrict the permitted methods of access.
Log and account for all access - For auditing purposes, record anyone who accesses a device, including what occurs and when.
Authenticate access - Ensure that access is granted only to authenticated users, groups, and services. Limit the
2.1.1.5 When accessing the network remotely, what precautions should be taken?
Encrypt all traffic between the administrator computer and the router. For example, use SSH instead of Telnet, and HTTPS instead of HTTP.
Establish a dedicated management network. The management network should include only identified administration hosts and connections to a dedicated interface on the router.
Configure a packet filter to allow only the identified administration hosts and preferred protocols to access the router. For example, permit only SSH requests from the IP address of the administration host to initiate a connection to the routers in the network.
2.1.2.1 Visit http://sectools.org/crackers.html to see a list of password attack tools.
2.1.2.2 Describe the enable secret password global configuration command:
The enable secret password global configuration command restricts access to privileged EXEC mode. The enable secret password is always stored in the router configuration as a hash; on the IOS releases covered here it is a Message Digest 5 (MD5) hash (type 5). Because an MD5 hash that leaks together with the configuration can be cracked offline, newer IOS releases offer the scrypt-based type 9 hash (enable algorithm-type scrypt secret), which should be preferred where available. If the enable secret password is lost or forgotten, it cannot be recovered from the hash and must be replaced using the Cisco router password recovery procedure.

2.1.2.2 How can you protect console port access?
By default, the console port does not require a password for console administrative access; however, a console line-level password should always be configured. Use the line console
2.1.2.2 How can you protect virtual terminal line (vty) access?
Use the line vty 0 4 command followed by the login and password subcommands to require login and establish a login password on incoming Telnet sessions.

2.1.2.2 How can you protect auxiliary port (aux) access?
To access the auxiliary line, use the line aux 0 command. Use the login and password subcommands to require login and establish a login password on incoming auxiliary port connections.
2.1.3.3 Describe the two login block-for feature modes of operation:
Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time.
Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied for the configured quiet period.

2.1.3.4 What commands can be used to keep track of the number of successful and failed login attempts?
login on-failure log generates log messages for failed login requests.
login on-success log generates log messages for successful login requests.

2.1.3.4 How can you verify that the login block-for command is configured and which mode the router is currently in?
Use the show login command.

2.1.3.4 What command displays more information regarding failed login attempts?
The show login failures command.
2.1.3.5 Why are banners important and how can they be configured?
Banner messages should be used to present legal notification to would-be intruders, informing them that they are not welcome on the network.
Banners are activated with the banner command:
banner {exec | incoming | login | motd | slip-ppp} # message #
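The console, aux and vty protections, the login block-for counters, the login logging commands and the banner from 2.1.2.2 through 2.1.3.5, collected into one working IOS configuration. This is an added example and is not part of the course material; the hostname R1, the management address 10.0.0.10, the timer values and every password are placeholders chosen for the example.

```cisco
! Added example (not from the course): line and password hardening on a
! Cisco IOS router. Every password below is a placeholder; replace it.
hostname R1
!
! Privileged EXEC secret, stored as a type 5 (MD5) hash. Do not also
! configure the plaintext 'enable password'.
enable secret Ch4nge-Me-Enable!
!
! Hide type 7 line passwords in 'show running-config' (obfuscation only,
! not real encryption) and enforce a minimum password length.
service password-encryption
security passwords min-length 10
!
! Watch mode: count failed logins over 60 s. After 3 failures the router
! enters quiet mode for 120 s and refuses Telnet/SSH/HTTP logins, except
! from hosts permitted by the quiet-mode access-class (the admin host).
ip access-list standard MGMT-HOSTS
 permit 10.0.0.10
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login delay 2
login on-failure log
login on-success log
!
! Legal notice shown before the login prompt. Do not use the word
! "welcome" and do not name the organization or the device role.
banner login #
Unauthorized access to this device is prohibited.
All activity is monitored and recorded.
#
!
line console 0
 password Ch4nge-Me-Console!
 login
 exec-timeout 5 0
 logging synchronous
!
! The auxiliary port is unused here, so refuse EXEC sessions on it.
line aux 0
 no exec
 transport input none
 exec-timeout 0 1
!
line vty 0 4
 password Ch4nge-Me-Vty!
 login
 exec-timeout 5 0
 transport input ssh
```

Verify the result with show login (reports watch or quiet mode and the configured thresholds) and show login failures. The transport input ssh line refuses Telnet on the vty lines, so the SSH steps in 2.1.4 must already be in place before this is applied from a remote session, or that session will be the last one.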
2.1.4.1 How can a secure remote access connection be established to manage Cisco IOS devices?
SSH has replaced Telnet as the recommended practice for remote router administration, with connections that provide confidentiality and session integrity. An SSH connection is encrypted and operates on TCP port 22.

2.1.4.1 Describe the four steps to configure routers for the SSH protocol:
1. Target routers must have an IOS image that supports SSH.
2. Target routers must have a unique host name.
3. Target routers must have the correct domain name.
4. Target routers must be configured for authentication.
Verification: R1# show ssh lists the active SSH sessions; show ip ssh shows the SSH version, time-out and authentication-retry settings.
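The four SSH steps together with the packet-filter precaution from 2.1.1.5 as one configuration. This is an added example, not taken from the course; R1, example.com, the admin account and its password, and the management host 10.0.0.10 are assumed values.

```cisco
! Added example (not from the course): SSH version 2 on the router and the
! vty lines restricted to SSH from the management host only.
!
! Step 1 is a prerequisite, not a command: the image must support SSH
! ('show version' shows a k9 crypto image). Steps 2 and 3 (host name and
! domain name) are required because the RSA key pair is named after them.
hostname R1
ip domain-name example.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Step 4: authentication. A local account is used here; the vty lines
! authenticate against it with 'login local' instead of a shared password.
username admin privilege 15 secret Ch4nge-Me-Admin!
!
! Packet filter from 2.1.1.5: only the administration host may open a
! session to the router, and refused attempts are logged.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.10
 deny any log
!
line vty 0 4
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
```

show ip ssh confirms version 2 and the timers; show ssh lists current sessions. Keep the console connection open while testing the new access-class from 10.0.0.10, because a typo in the ACL locks every vty line.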
2.1.4.5 How can Cisco SDM be used to configure an SSH daemon on a router?
To see the current SSH key settings, choose Configure > Additional Tasks > Router Access > SSH.

2.1.4.5 Using Cisco SDM, how are the vty lines configured to support SSH?
Choose Configure > Additional Tasks > Router Access > VTY and click the Edit button to configure the lines.
2.2.1.1 What two levels of access to commands does the Cisco IOS software CLI have?
User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands, available at the router> prompt.
Privileged EXEC mode (privilege level 15) - Includes all enable-level commands, available at the router# prompt.

2.2.1.2 Describe the privilege levels available in the Cisco IOS CLI.
Level 0: Predefined for user-level access privileges. Seldom used, but includes five

2.2.1.2 What is the command to set privilege levels?
Router(config)# privilege mode {level level command | reset} command
2.2.1.3 What are the two methods for assigning passwords to different levels for level authentication?
To the privilege level, using the global configuration command enable secret level level password.
To a user that is granted a specific privilege level, using the global configuration command username name privilege level secret password.

2.2.2.2 Role-based CLI provides which three types of views?
Root view: has the same access privileges as a user who has level 15 privileges. However, only a root view user can configure a new view and add or remove commands from the existing views.
CLI view: must be assigned all
2.2.2.2 Describe the characteristics of superviews:
A single CLI view can be shared within multiple superviews.
Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.
Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
2.2.2.3 Describe the steps to create and manage a specific view:
Step 1. Enable AAA with the aaa new-model global configuration command. Exit and enter the root view with the enable view command.
Step 2. Create a view using the parser view view-name command. This enables view configuration mode. Excluding the root view, there is a maximum of 15 views in total.
Step 3. Assign a secret password to the view using the secret encrypted-password command.
Step 4. Assign commands to the selected view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.
2.2.2.4 Describe the steps to create and manage a superview:
Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode.
Step 2. Assign a secret password to the view using the secret encrypted-password command.
Step 3. Assign an existing view using the view view-name command in view configuration mode.
Step 4. Exit superview configuration mode by typing the exit command.
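A level-5 operator account, two CLI views and a superview that bundles them, following the steps in 2.2.1.3 through 2.2.2.4. This is an added example written for these notes, not configuration from the course; the view names, usernames and all passwords are placeholders.

```cisco
! Added example (not from the course): a custom privilege level and
! role-based CLI views. Names and passwords are placeholders.
!
! 'aaa new-model' is required for views. Note that it also switches the
! lines to local authentication, so create a username before logging out.
aaa new-model
enable secret Ch4nge-Me-Enable!
!
! 2.2.1.2 / 2.2.1.3: privilege level 5 may run 'ping' and one show
! command; a user assigned to level 5 lands there directly after login.
enable secret level 5 Ch4nge-Me-Level5!
privilege exec level 5 ping
privilege exec level 5 show ip interface brief
username helpdesk privilege 5 secret Ch4nge-Me-Helpdesk!
!
! 2.2.2.3: CLI views. They are created from the root view, i.e. after
! 'enable view' (which prompts for the enable secret) in privileged EXEC,
! then 'configure terminal'.
parser view MONITOR
 secret Ch4nge-Me-Monitor!
 commands exec include all show
 commands exec include ping
!
! A quarantine role: may enter interface configuration and shut a port,
! nothing else.
parser view PORTADMIN
 secret Ch4nge-Me-Port!
 commands exec include configure terminal
 commands configure include interface
 commands interface include shutdown
!
! 2.2.2.4: a superview bundling both views. Commands are never added to
! the superview itself, only existing CLI views.
parser view OPS superview
 secret Ch4nge-Me-Ops!
 view MONITOR
 view PORTADMIN
!
! Bind a local user to the superview so that login drops into it.
username ops view OPS secret Ch4nge-Me-OpsUser!
```

From the root view, show parser view all lists every configured view. An operator switches with enable view MONITOR (prompted for the view secret), and show parser view reports the view currently in use; the ops user above enters the OPS superview directly at login.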
configuration.
Step 4. Enter global configuration mode using conf t.
Step 5. Restore the secure configuration to the supplied filename using the secure boot-config restore filename command.
2.3.1.4 Describe the steps necessary to recover a lost router password:
Step 1. Connect to the console port.
Step 2. Use the show version command to view and record the configuration register.
Step 3. Use the power switch to power cycle the router.
Step 4. Press Ctrl-Break within 60 seconds of power up to put the router into ROMmon mode.
Step 5. Type confreg 0x2142 at the rommon 1> prompt.
Step 6. Type reset at the rommon 2> prompt.
Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
Step 8. Type enable at the Router> prompt. This puts the router into privileged EXEC mode and shows the Router# prompt.
Step 9. Type copy startup-config running-config to copy the NVRAM configuration into memory.
Step 10. Type show running-config. An administrator can now see the passwords (enable password, enable secret, vty, and console passwords) in either encrypted or unencrypted form. Unencrypted passwords can be reused, but encrypted passwords need a new password to be created.
Step 11. Enter global configuration and
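The same recovery procedure as an annotated console session, constructed here as an added example (it is not a transcript from the course). Prompts and boot messages are abbreviated, and the device name, the new password values and the interface name are placeholders. It also carries the closing commands a complete recovery needs: re-enabling interfaces, restoring the configuration register and saving.

```cisco
! Added example (constructed console session, not from the course).
! Steps 1-2: on the console, record the current register (normally 0x2102).
Router# show version | include register
Configuration register is 0x2102
!
! Steps 3-6: power-cycle, send Break within 60 s, tell the bootstrap to
! ignore NVRAM on the next boot, then reboot.
rommon 1 > confreg 0x2142
rommon 2 > reset
!
! Step 7: Ctrl-C skips the setup dialogue after the reload.
! Steps 8-9: 'enable' needs no password because the startup-config was
! not loaded; then pull the saved configuration into running memory.
! The prompt changes to the saved hostname once the copy completes.
Router> enable
Router# copy startup-config running-config
!
! Step 10: inspect the secrets. Hashed secrets (type 5) cannot be reused
! and must be replaced; type 7 strings are reversible and should be too.
R1# show running-config | include secret|password
!
! Step 11: set new credentials. 'copy startup-config running-config'
! leaves interfaces administratively down, so bring the in-use ones up,
! restore the register and save, otherwise the router boots without a
! configuration again.
R1# configure terminal
R1(config)# enable secret Ch4nge-Me-NewEnable!
R1(config)# line vty 0 4
R1(config-line)# password Ch4nge-Me-NewVty!
R1(config-line)# exit
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# config-register 0x2102
R1(config)# end
R1# copy running-config startup-config
R1# show version | include register
Configuration register is 0x2142 (will be 0x2102 at next reload)
```

This procedure is exactly why console access is a physical-security matter (2.1.1.3). Where that cannot be guaranteed, no service password-recovery disables the register bypass; anyone breaking in at the console can then only recover the device by letting IOS erase the stored configuration, which protects the secrets but not availability.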
2.3.2.2 Describe the two paths that the flow can take when logging and managing information flow between management hosts and the managed devices:
Out-of-band (OOB) - Information flows on a dedicated management network on which no production traffic resides.
In-band - Information flows across an enterprise production network, the Internet, or both using regular data channels.

6 - informational - Informational messages only. LOG_INFO
7 - debugging - Debugging messages. LOG_DEBUG
2.3.3.2 Describe the two types of systems contained in syslog implementations:
Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients.
Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers.

2.3.3.2 Describe Cisco Security MARS and explain how it uses logging information:
The Cisco Security Monitoring, Analysis, and Response System (MARS) is a Cisco security appliance that can receive and analyze syslog messages from networking devices and hosts from Cisco and other vendors. Cisco Security MARS combines all of this log data into a series of sessions, which it then compares to a database of rules. If the rules indicate that there might be a problem, an incident is triggered.
2.3.3.3 Describe the steps to activate and configure system logging:
Step 1. Set the destination logging host using the logging host [hostname | ip-address] command.
Step 2. (Optional) Set the log severity (trap) level using the logging trap level command. Messages at the configured level and at every lower (more severe) numeric level are sent to the host.
Step 3. Set the source interface using the logging source-interface interface-type interface-number command. This specifies that syslog packets carry the IPv4 or IPv6 address of that interface, regardless of which interface the packet uses to exit the router.
Step 4. Enable logging with the logging on command. You can turn logging on
2.3.3.4 Describe the steps to enable syslog logging using Cisco Security Device Manager:
1. Choose Configure > Additional Tasks > Router Properties > Logging.
2. From the Logging pane, click Edit.
3. In the Logging window, select Enable Logging Level and choose the logging level from the Logging Level list box. Messages will be logged for the level selected and below.
4. Click Add, and enter the IP address of a logging host in the IP Address/Hostname field.
5. Click OK to return to the Logging dialog box.
6. Click OK to accept the changes and return to the Logging pane.
management software
Agents - network devices that need to be managed, such as switches, routers, servers, and workstations
Management Information Bases - a database that reflects the resources and activity of a managed device

2.3.4.1 What are the three actions that a manager node can use to view or alter information in a managed device?
Get - view information about a managed device
Set - change configuration variables in the agent device
Trap (Notification) - enables an agent to notify the management station of significant events
2.3.4.3 How does SNMP version 3 address the vulnerabilities of versions 1 and 2?
SNMPv3 provides three security features that versions 1 and 2c lack (both send their community strings in cleartext, so anyone who can sniff the traffic can read or change device settings):
Message integrity - Ensures that a packet has not been tampered with in transit.
Authentication - Determines that the message is from a valid source.
Encryption - Scrambles the contents of a packet to prevent it from being read by an unauthorized party.
2.3.5.1 Describe two ways to set date and time on a Cisco router.
Manually editing the date and time.
Configuring the Network Time Protocol (NTP).

2.3.5.2 Describe the process of setting date and time on Cisco routers using NTP:
NTP clients either contact the master or listen for messages from the master to synchronize their clocks. To contact the master, use the ntp server ntp-server-address command.
In a LAN environment, NTP can be configured to use IP broadcast messages instead by using the ntp broadcast client command.
Because the timestamps on every log message depend on the clock, the time source should be authenticated (ntp authenticate with a trusted key) so that a spoofed NTP server cannot shift the router's clock and make log correlation unreliable.
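Syslog (2.3.3.3), SNMPv3 (2.3.4.3) and authenticated NTP (2.3.5.2) on one router, as an added example that is not part of the course. The addresses 10.0.0.20 (syslog host and SNMP manager) and 10.0.0.30 (NTP server), the Loopback0 source interface, the ACL, user and view names, and all keys and passwords are assumed values for the example.

```cisco
! Added example (not from the course): syslog, authenticated NTP and
! SNMPv3 on one router. All addresses, names and keys are placeholders.
!
! 2.3.3.3 steps 1-4: send informational (6) and more severe messages to
! the log host, sourced from the loopback so the host sees one stable
! address whatever the exit interface. Timestamps need a correct clock.
service timestamps log datetime msec localtime show-timezone
clock timezone UTC 0
logging buffered 16384 informational
logging host 10.0.0.20
logging trap informational
logging source-interface Loopback0
logging on
!
! 2.3.5.2: NTP with MD5 authentication; time from a server that does not
! hold key 1 is rejected, so a spoofed server cannot move the clock.
ntp authentication-key 1 md5 Ch4nge-Me-NtpKey
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.30 key 1 source Loopback0
!
! 2.3.4.3: SNMPv3 authPriv. Remove any v1/v2c community strings, limit
! the group to the manager's address, give it a read-only view, and send
! traps with the same user so they are authenticated and encrypted too.
ip access-list standard SNMP-MANAGERS
 permit 10.0.0.20
no snmp-server community public
no snmp-server community private
snmp-server view MGMT-RO iso included
snmp-server group NMS-RO v3 priv read MGMT-RO access SNMP-MANAGERS
snmp-server user nmsuser NMS-RO v3 auth sha Ch4nge-Me-AuthPass priv aes 128 Ch4nge-Me-PrivPass
snmp-server host 10.0.0.20 version 3 priv nmsuser
snmp-server enable traps snmp authentication linkdown linkup coldstart
```

Check each piece separately: show logging (trap level, host and message counts), show ntp status and show ntp associations (the server should become synchronized and marked as authenticated), and show snmp user and show snmp group (the user's auth and priv protocols and the group's view and ACL). The snmp-server user line does not appear in show running-config; that is expected, since IOS keeps SNMPv3 credentials outside the configuration text.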
2.4.1.3 What is the best way to determine and fix the vulnerabilities that exist in a current configuration?
Use security audit tools such as:
Security Audit Wizard in Cisco SDM
One-Step Lockdown in Cisco SDM
The Cisco auto secure command in the Cisco IOS CLI

2.4.1.4 What actions does the Security Audit wizard in Cisco Security Device Manager (SDM) perform?
Shuts down unneeded servers.
Disables unneeded services.
Applies the firewall to the outside interfaces.
Disables or hardens SNMP.
Shuts down unused interfaces.
Checks password strength.
Enforces the use of ACLs.

Forwarding plane:
Enables CEF
Enables traffic filtering with ACLs
Implements Cisco IOS firewall inspection for common protocols
2.4.3.2 Describe the features of Cisco AutoSecure that are not implemented, or are implemented differently, in Cisco SDM one-step lockdown:
Disabling NTP - Based on input, Cisco AutoSecure disables NTP if it is not necessary. Otherwise, NTP is configured with MD5 authentication. Cisco SDM does not support disabling NTP.
Configuring AAA - If the AAA service is not configured, Cisco AutoSecure configures local AAA and prompts for the configuration of a local username and password database on the router. Cisco SDM does not support AAA configuration.
Setting Selective Packet Discard (SPD) values - Cisco SDM does not set SPD values.
Enabling TCP intercepts - Cisco SDM does not enable TCP intercepts.
Configuring antispoofing ACLs on