EXAM CRAM CCNA Security Cram Sheet

This Cram Sheet contains key facts about the CCNA Security exam. Review this information as the last thing you do before you enter the testing center, paying special attention to those areas in which you feel that you need the most review. Strategy note: Plan to transfer memorized facts onto a blank sheet of paper immediately before you begin the exam.

Categories of Security Controls (Remember “PAT”):

  • Physical: Mostly mechanical (locks, fences, guards).

  • Administrative: Mostly policies and procedures.

  • Technical: Network elements, hardware, software, and devices.

Types of Security Controls (Hierarchy = Category -> Type; each category contains controls of each type):

  • Preventative: Controls that prevent access.

  • Deterrent: Controls that deter access.

  • Detective: Controls that detect access.

Types of Laws

  • Criminal: Concerned with crimes. Penalties involve fines and/or imprisonment.

  • Civil: Concerned with righting non-criminal wrongs. Penalties may include monetary awards paid to the winner of the lawsuit.

  • Administrative: Typically government agencies enforcing regulations. Monetary penalties are divided between the government and the victim (if any).

Due Care vs. Due Diligence

  • Due Diligence: Concerns itself with the implementation of adequate security controls and the establishment of best practices for ongoing risk assessment and vulnerability testing (static, planning).

  • Due Care: Operating and maintaining the security controls that were implemented through due diligence (dynamic, day-to-day).

Seven Steps for Compromising Targets and Applications

  1. Perform footprint analysis (reconnaissance).

  2. Enumerate applications and operating systems.

  3. Manipulate users to gain access (social engineering).

  4. Escalate privileges.

  5. Gather additional passwords and secrets.

  6. Install back doors.

  7. Leverage the compromised system.

Types of Testing Techniques

  • Network scanning

  • Vulnerability detection

  • Password cracking

  • Log analysis

  • Integrity checkers

  • Virus detection

  • War dialing

  • War driving (802.11 wireless LAN testing)

  • Penetration testing

Types of IP Spoofing

  • Nonblind Spoofing: Requires the attacker to be on the same subnet as the victim (in practice, physical or Layer 2 access to the network). This is called “nonblind” because the attacker isn’t guessing; he or she can sniff your traffic and read the TCP sequence numbers directly.

  • Blind Spoofing: Attacker is guessing at information (sequence numbers, IP addresses, and so on) because the reply traffic is never seen. Does not require physical access.

General Attack Categories

  • Man-in-the-Middle Attacks: The attacker inserts himself or herself between two communicating hosts, typically by assuming the identity of a trusted host, and reads or alters the information that passes through.

  • DoS Attacks: The information gained during reconnaissance leads to a flooding of resources on a targeted system.

  • Distributed DoS Attacks (DDoS): The information learned during reconnaissance leads to a flooding of resources on a targeted system from multiple hosts simultaneously.

Three Key Principles of the Cisco Self-Defending Network

  • Integrated: Every network element is part of both defense and policy enforcement.

  • Collaborative: Devices and services collaborate to prevent attacks.

  • Adaptive: Threats are automatically prevented through proactive security technologies.

The Three Phases of a Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP)

  1. Emergency response.

  2. Recovery.

  3. Return to normal operation.

Overt Versus Covert Channel Attacks

  • Overt Channel: Tunneling a protocol inside another (such as IM within HTTP).

  • Covert Channel: Hiding information (perhaps by encryption) within a network session. Sometimes called back channel attack.

Types of Administrative Access to Cisco Routers

  • Local Access: Direct, physical access to the device through its integral console port. Often referred to as out-of-band access.

  • Remote Access: Indirect access to the device through a TCP/IP network. Often referred to as in-band access.

Cisco Log Severity Levels

  Level  Log String   Name           Description
  -----  -----------  -------------  --------------------------------
  0      LOG_EMERG    Emergencies    Router unusable
  1      LOG_ALERT    Alerts         Immediate action required
  2      LOG_CRIT     Critical       Critical condition
  3      LOG_ERR      Errors         Error condition
  4      LOG_WARNING  Warnings       Warning condition
  5      LOG_NOTICE   Notifications  Normal but significant condition
  6      LOG_INFO     Informational  Informational message
  7      LOG_DEBUG    Debugging      Debug message

Lower numbers are more severe. Setting a logging destination (console, buffer, monitor, or syslog trap) to level N delivers messages at level N and at every more severe (lower-numbered) level, and suppresses the rest.
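
The following is an added example, not part of the cram sheet, showing how the severity table is applied in practice: each logging destination gets its own threshold, so the noisy levels stay local while only actionable levels leave the router. The hostname, the Loopback0 address, and the collector address 10.1.1.50 are assumptions.

```cisco
! Added example (not from the cram sheet). Hostnames/addresses are assumed.
! Timestamps and sequence numbers make correlation across devices possible.
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
! Local RAM buffer: keep levels 0-6 (informational), exclude debugging (7).
logging buffered 64000 informational
!
! Console: only levels 0-2 interrupt the console session.
logging console critical
!
! vty sessions that run "terminal monitor": levels 0-6.
logging monitor informational
!
! Stable source address and an origin tag so the collector can filter by device.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
logging source-interface Loopback0
logging origin-id hostname
!
! Syslog collector (UDP/514 by default). Trap threshold warnings (4) means
! levels 0-4 are forwarded; notifications, informational and debugging stay local.
logging host 10.1.1.50
logging trap warnings
!
! Verify (exec mode):
! show logging | include Trap logging
```

Because `debug` output is level 7, a collector configured this way never receives debugging messages even while a debug is running; raise `logging trap` deliberately and temporarily if you need that during troubleshooting.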

Basic Workflow to Create a Zone-Based Policy Framework (ZPF) Firewall:

[Figure: ZPF workflow diagram, not reproduced]

Alternative to ACLs for Preventing IP Spoofing (Unicast Reverse Path Forwarding, uRPF):

CiscoISR(config-if)#ip verify unicast reverse-path

This is strict-mode uRPF: a packet is dropped unless the interface it arrived on is the interface the router would use to reach the packet’s source address. It requires CEF and is only safe where routing is symmetric; on links where return traffic may take a different path, use loose mode instead.
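
The following is an added example, not from the cram sheet, using the newer `ip verify unicast source reachable-via` form of the command to show strict mode on a LAN interface and loose mode on a WAN interface whose return routing may be asymmetric. The interface numbers, addresses and the null-routed example prefix 192.0.2.0/24 are assumptions.

```cisco
! Added example (not from the cram sheet). Interfaces and addresses are assumed.
!
! uRPF looks the source address up in the FIB, so CEF must be enabled.
ip cef
!
! Strict mode ("rx"): the source must be reachable back out this same
! interface. Appropriate on a LAN where every host is in the connected subnet.
! (Equivalent to the legacy "ip verify unicast reverse-path".)
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Loose mode ("any"): the source only needs some route in the table.
! allow-default lets the default route satisfy the check; without it every
! Internet source would fail on a router that only has a default route.
interface GigabitEthernet0/1
 description WAN - asymmetric return paths possible
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast source reachable-via any allow-default
!
! A source whose best route is Null0 fails even the loose check, so
! blackholing a prefix also discards spoofed packets that claim it as source.
ip route 192.0.2.0 255.255.255.0 Null0
!
! Verification (exec mode):
! show ip interface GigabitEthernet0/0 | include verify
! show ip traffic | include RPF
```

The `show ip traffic` drop counter is the quickest way to tell whether a strict-mode interface is discarding legitimate traffic because of asymmetric routing: if it climbs while users complain, switch that interface to loose mode.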


Encryption Algorithms That Use Asymmetric Keys

  • Diffie-Hellman (DH) (strictly a key-agreement protocol rather than an encryption algorithm, but the exam groups it here)

  • Rivest Shamir Adleman (RSA)

  • Elliptic Curve Cryptography (ECC)

  • ElGamal Encryption System (ElGamal)

Symmetric Algorithms That Are Considered Trusted

(As listed for the exam. In current practice DES and RC4 are broken, 3DES is deprecated, and AES is the one to use.)

  • DES

  • 3DES

  • IDEA

  • RC4

  • AES

Two Basic Criteria for Choosing an Encryption Algorithm

  • The algorithm provides sufficient protection against brute-force attacks. (For more about who defines “sufficient,” see Chapter 2.)

  • The algorithm is trusted by the greater cryptographic community.

Key Management Policies Manage Key:

  • Generation

  • Verification

  • Storage

  • Exchange

  • Revocation

  • Destruction

HAGLE Acronym of IKE Phase I Policy Sets

  Letter  Policy Element       Choices
  ------  -------------------  ------------------------------------------
  H       HMAC (hash)          MD5, SHA-1
  A       Authentication       PSKs, RSA signatures, RSA-encrypted nonces
  G       Group (DH group)     DH1, DH2, DH5, DH7
  L       Lifetime             Time and/or data
  E       Encryption           DES, 3DES, AES (128-, 192-, or 256-bit)

Both peers must have at least one policy set in which all five elements match (lifetime may be negotiated down to the shorter value). MD5 and DH groups 1 and 2 are exam content; in production prefer SHA, DH group 14 or higher, and AES.

Tunnel Mode IPsec Packet Syntax C-I-A Memory Aid:

The order of the fields in the IPsec payload of the IP packet is C-I-A (Confidentiality, Integrity, Authentication):

[Figure: tunnel-mode IPsec packet layout, not reproduced]

Command to Configure a Pre-Shared Key (PSK) for an IKE Peer:

CiscoISR-A(config)#crypto isakmp key Cisc0R0ck5! address 172.16.32.1


Commands for IKE Phase II (Transform Set and Crypto Map):

(Crypto Map name is multipurpose; Transform Set name is CantHackMe; peer IP = 172.16.32.1.)

  1. Create the Transform Set:

    CiscoISR-A(config)#crypto ipsec transform-set CantHackMe esp-sha-hmac esp-aes 128


  2. Define the Traffic to Protect (the crypto ACL) inside the VPN:

    CiscoISR-A(config)#access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.40.0 0.0.0.255


  3. Create the Crypto Map (virtual IPsec interface):

    CiscoISR-A(config)#crypto map multipurpose 999 ipsec-isakmp


  4. Associate the Transform Set with the Crypto Map and the Crypto Map with a Peer:

    CiscoISR-A(config-crypto-map)#set peer 172.16.32.1
    CiscoISR-A(config-crypto-map)#set transform-set CantHackMe
    CiscoISR-A(config-crypto-map)#match address 102
    CiscoISR-A(config-crypto-map)#set security-association lifetime seconds 86400
    CiscoISR-A(config-crypto-map)#set security-association lifetime kilobytes 4000000
    CiscoISR-A(config-crypto-map)#set pfs group2
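
The following is an added example, not from the cram sheet, that serves two passages: it expresses the HAGLE table above as an IOS IKE Phase I policy, and it supplies the step the Phase II list stops short of, binding the crypto map to the interface that faces the peer. The peer address, key, crypto-map name and transform-set name are the ones used on this sheet; the policy number 10, the interface and its address are assumptions.

```cisco
! Added example (not from the cram sheet). Policy number, interface and
! local address are assumed; peer, key and map names match the sheet.
!
! IKE Phase I policy, one line per HAGLE letter. Both peers need at least
! one policy whose H, A, G and E match; lower policy numbers are tried first.
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
 encryption aes 256
!
! The "A" choice above (pre-share) needs a key bound to the peer address.
crypto isakmp key Cisc0R0ck5! address 172.16.32.1
!
! Phase II objects are the ones configured in the numbered steps above:
! transform set CantHackMe, crypto ACL 102, crypto map multipurpose 999.
!
! Final step: apply the crypto map to the interface facing the peer.
! Until this is done nothing is encrypted and no SA is ever negotiated.
interface GigabitEthernet0/1
 description Internet-facing interface toward peer 172.16.32.1
 ip address 172.16.32.2 255.255.255.0
 crypto map multipurpose
!
! Trigger the tunnel with interesting traffic (a ping from 192.168.0.x to
! 10.0.40.x), then verify in exec mode:
! show crypto isakmp sa     -> state QM_IDLE means Phase I is up
! show crypto ipsec sa      -> #pkts encaps/decaps counters should increase
```

One crypto map is applied per interface, but a single map can carry many numbered entries (one per peer), which is why the entry number 999 exists. The Phase II `set pfs group2` on the sheet forces a fresh DH exchange per IPsec SA; using a stronger group there, as in Phase I, costs nothing measurable on modern routers.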


IPsec VPN Troubleshooting Commands

  Command                          Description
  -------------------------------  ----------------------------------------------------------
  show crypto isakmp policy        Displays configured and default IKE policies.
  show crypto map                  Displays configured crypto maps.
  show crypto ipsec transform-set  Displays configured IPsec transform sets.
  show crypto ipsec sa             Displays established IKE Phase II (IPsec) SAs.
  show crypto isakmp sa            Displays established IKE Phase I (ISAKMP) SAs.
  debug crypto isakmp              Debugs IKE Phase I events. (Very verbose; you will not be asked to analyze its output on the exam.)
  debug crypto ipsec               Debugs IKE Phase II (IPsec) events. (Very verbose; you will not be asked to analyze its output on the exam.)
  show access-lists                Displays match counts for packets selected for the VPN by the crypto ACL.

IDS and IPS Sensor Types

  • Signature-based

  • Policy-based

  • Anomaly-based

  • Honey Pot-based

Signature Micro-Engines in IOS 12.4(6)T

  Micro-Engine  Signature Category
  ------------  ---------------------------------------------------------------------------
  Atomic        Signatures that examine single packets; for example, IP, ICMP, and UDP.
  Service       Signatures that examine attacks on “services,” that is, application layer protocols such as HTTP, FTP, and SMTP.
  String        Signatures that use regular-expression (REGEX) patterns to detect intrusive activity.
  Multi-String  Supports flexible packet matching (FPM) and signatures supplied by Trend Labs.
  Other         Internal engine dedicated to miscellaneous signatures.

Common VoIP Threats

  • Reconnaissance

  • SPAM over IP Telephony (SPIT)

  • DoS Attacks

  • Eavesdropping

  • Man-in-the-Middle Attacks

SIP Vulnerabilities

  • Registration Hijacking

  • Message Tampering

  • Session Tear-Down

VLAN Hopping by Double-Tagging Attack Mitigation:

Double tagging works because a frame’s outer tag for the trunk’s native VLAN is stripped, exposing the inner tag. Ensure that the native VLAN of the trunked ports is an otherwise unused VLAN that is different from any of the users’ access VLANs; VLAN 10, for example:

Catalyst1(config-if)#switchport trunk native vlan 10

On platforms that support it, additionally configure the trunk to tag native-VLAN frames so that no untagged frames are carried at all.


Port Security Commands:

Catalyst1(config-if)#switchport mode access
Catalyst1(config-if)#switchport port-security
Catalyst1(config-if)#switchport port-security maximum 32
Catalyst1(config-if)#switchport port-security violation shutdown
Catalyst1(config-if)#switchport port-security mac-address 0013.b638.8567
Catalyst1(config-if)#switchport port-security mac-address sticky
Catalyst1(config-if)#switchport port-security aging time 100
Catalyst1(config-if)#switchport port-security aging type inactivity

The port must be a static access (or trunk) port, and the bare switchport port-security command is what enables the feature; the remaining commands only set its parameters. With the shutdown violation mode, an offending port is err-disabled and stays down until an administrator bounces it or errdisable recovery is configured.


Configuring SPAN (Switch Port Analyzer):

Catalyst1(config)# monitor session 1 source interface gigabitEthernet0/1
Catalyst1(config)# monitor session 1 destination interface gigabitEthernet0/2 encapsulation replicate


Storm Control:

Catalyst1# show running-config interface GigabitEthernet0/1
interface GigabitEthernet0/1
 storm-control broadcast level 62.50
 storm-control multicast level pps 3k 2k
 storm-control unicast level bps 50m 25m
 storm-control action shutdown

A level with no keyword is a percentage of the interface bandwidth; the pps and bps forms take a rising threshold (suppress above it) and an optional falling threshold (resume below it). The default action is simply to drop the excess traffic; shutdown err-disables the port instead.

