This Cram Sheet contains key facts about the CCNA Security exam. Review this information as the last thing you do before you enter the testing center, paying special attention to those areas in which you feel that you need the most review. Strategy note: Plan to transfer memorized facts onto a blank sheet of paper immediately before you begin the exam.
Categories of Security Controls (remember “PAT”):
Types of Security Controls (hierarchy = Category -> Type):
Types of Laws
Due Care vs. Due Diligence
Seven Steps for Compromising Targets and Applications
Types of Testing Techniques
Types of IP Spoofing
General Attack Categories
Three Key Principles of the Cisco Self-Defending Network
The Three Phases of Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP)
Overt Versus Covert Channel Attacks
Types of Administrative Access to Cisco Routers
Cisco Log Severity Levels

| Level | Log String | Name | Description |
|---|---|---|---|
| 0 | LOG_EMERG | Emergencies | Router unusable |
| 1 | LOG_ALERT | Alerts | Immediate action required |
| 2 | LOG_CRIT | Critical | Condition critical |
| 3 | LOG_ERR | Errors | Error condition |
| 4 | LOG_WARNING | Warnings | Warning condition |
| 5 | LOG_NOTICE | Notifications | Normal but important event |
| 6 | LOG_INFO | Informational | Informational message |
| 7 | LOG_DEBUG | Debugging | Debug message |
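The severity levels above are what a collector keys on when it triages IOS syslog: every message carries its level in the `%FACILITY-SEVERITY-MNEMONIC:` tag. The following is an added example (not part of the cram sheet) that parses that tag, maps the number to the name in the table, and keeps only events at Errors or worse; the sample lines are constructed, and the `IosLogEvent`/`triage` names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity table from the cram sheet (level -> name).
SEVERITY = {
    0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
    4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging",
}
# IOS carries the level inside the %FACILITY-SEVERITY-MNEMONIC: tag before the message text.
TAG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)")

@dataclass
class IosLogEvent:
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def name(self) -> str:
        return SEVERITY[self.severity]

def parse_ios_log(line: str) -> Optional[IosLogEvent]:
    """Extract facility, severity and mnemonic; None if the line has no IOS tag."""
    m = TAG_RE.search(line)
    if not m:
        return None
    return IosLogEvent(m.group(1), int(m.group(2)), m.group(3), m.group(4))

def triage(lines: List[str], threshold: int = 3) -> List[IosLogEvent]:
    """Keep events at severity <= threshold (a lower number is more urgent)."""
    hits = []
    for line in lines:
        ev = parse_ios_log(line)
        if ev is not None and ev.severity <= threshold:
            hits.append(ev)
    return hits

# Constructed sample lines (hypothetical device output, not captured from a real router).
SAMPLE = [
    "*Mar  1 00:01:02.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "*Mar  1 00:01:05.456: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0013.b638.8567 on port GigabitEthernet0/1.",
    "*Mar  1 00:01:07.789: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:09.000: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON",
]
```

Running `triage(SAMPLE)` returns the port-security violation (level 2) and the link-down event (level 3) and drops the level 5 and 6 lines.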
Basic Workflow to Create a Zone-Based Policy Framework (ZPF) Firewall:
Alternative to ACLs for Preventing IP Spoofing:
CiscoISR(config-if)#ip verify unicast reverse-path
Encryption Algorithms That Use Asymmetric Keys
Symmetric Algorithms That Are Considered Trusted
Two Basic Criteria for Choosing an Encryption Algorithm
Key Management Policies Manage Key
| Letter | Policy Element | Choices |
|---|---|---|
| H | HMAC | MD5, SHA-1 |
| A | Authentication | PSKs, RSA signatures, RSA-encrypted nonces |
| G | Group | DH1, DH2, DH5, DH7 |
| L | Lifetime | Time and/or Data |
| E | Encryption | DES, 3DES, AES (128-, 192-, or 256-bit) |
Tunnel Mode IPsec Packet Syntax C-I-A Memory Aid:
The order of the fields in the IPsec payload of the IP packet is C-I-A:
Command to Create a Pre-Shared Key (PSK) to an IKE Peer:
CiscoISR-A(config)#crypto isakmp key Cisc0R0ck5! address 172.16.32.1
Commands for IKE Phase II (Transform Set and Crypto Map):
(Crypto Map name is multipurpose; Transform Set name is CantHackMe; peer IP = 172.16.32.1.)
Create Transform Set:
CiscoISR-A(config)#crypto ipsec transform-set CantHackMe esp-sha-hmac esp-aes 128
Define Traffic to Protect (Transform) inside VPN:
CiscoISR-A(config)#access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.40.0 0.0.0.255
Create the Crypto Map (virtual IPsec Interface):
CiscoISR-A(config)#crypto map multipurpose 999 ipsec-isakmp
Associate Transform Set to Crypto Map and Crypto Map to a Peer:
CiscoISR-A(config-crypto-map)#set peer 172.16.32.1
CiscoISR-A(config-crypto-map)#set transform-set CantHackMe
CiscoISR-A(config-crypto-map)#match address 102
CiscoISR-A(config-crypto-map)#set security-association lifetime seconds 86400
CiscoISR-A(config-crypto-map)#set security-association lifetime kilobytes 4000000
CiscoISR-A(config-crypto-map)#set pfs group2
IPsec VPN Troubleshooting Commands

| Command | Description |
|---|---|
| show crypto isakmp policy | Displays configured and default IKE policies. |
| show crypto map | Displays configured crypto maps. |
| show crypto ipsec transform-set | Displays configured IPsec transform sets. |
| show crypto ipsec sa | Displays established IKE Phase II (IPsec) SAs (tunnels). |
| show crypto isakmp sa | Displays established IKE Phase I (ISAKMP) SAs (tunnels). |
| debug crypto isakmp | Debugs IKE Phase I events. (This command creates a lot of output, and you will not be responsible for analyzing the output on the exam, so this command will not be explained further.) |
| debug crypto ipsec | Debugs IKE Phase II (IPsec) events. (This command creates a lot of output, and you will not be responsible for analyzing the output on the exam, so this command will not be explained further.) |
| show access-lists | Displays matches for packets that have been assigned to the VPN by the crypto ACL. |
IDS and IPS Sensor Types
- Signature-based
- Policy-based
- Anomaly-based
- Honey Pot-based
Signature Micro-Engines in IOS 12.4(6)T

| Signature Micro-Engine | Signature Categories |
|---|---|
| Atomic | Signatures that examine simple packets; for example, IP, ICMP, and UDP (see the following note). |
| Service | Signatures that examine attacks on “services,” such as application layer protocols like HTTP, FTP, and SMTP. |
| String | Signatures that use regex-based patterns to detect intrusive activity. |
| Multi-String | Supports flexible packet matching (FPM) and signatures by Trend Labs. |
| Other | Internal engine dedicated to miscellaneous signatures. |
Common VoIP Threats
SIP Vulnerabilities
VLAN Hopping by Double-Tagging Attack Mitigation:
Ensure that the native VLAN of the trunked ports is different from the VLAN of any user port (VLAN 10, for example):
Catalyst1(config-if)#switchport trunk native vlan 10
Port Security Commands:
Catalyst1(config-if)#switchport port-security maximum 32
Catalyst1(config-if)#switchport port-security violation shutdown
Catalyst1(config-if)#switchport port-security mac-address 0013.b638.8567
Catalyst1(config-if)#switchport port-security mac-address sticky
Catalyst1(config-if)#switchport port-security aging time 100
Catalyst1(config-if)#switchport port-security aging type inactivity
Configuring SPAN (Switch Port Analyzer):
Catalyst1(config)# monitor session 1 source interface gigabitEthernet0/1
Catalyst1(config)# monitor session 1 destination interface gigabitEthernet0/2 encapsulation replicate
Storm Control:
Catalyst1# show running-config interface GigabitEthernet0/1
interface GigabitEthernet0/1
storm-control broadcast level 62.50
storm-control multicast level pps 3k 2k
storm-control unicast level bps 50m 25m
storm-control action shutdown
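The port-security and storm-control commands above only protect a port if they are actually present in its running configuration, so a quick audit over `show running-config` output catches access ports that were missed. This is an added example, not part of the cram sheet: it parses interface blocks in the format shown above and reports which hardening lines each access port lacks. The sample configuration is constructed (GigabitEthernet0/2 is deliberately incomplete), and `REQUIRED`, `parse_interfaces` and `audit_access_ports` are the example's own names.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the Storm Control output above; not real device output.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 32
 switchport port-security violation shutdown
 storm-control broadcast level 62.50
 storm-control action shutdown
!
interface GigabitEthernet0/2
 switchport mode access
 storm-control broadcast level 62.50
!
"""

# Hardening lines every access port should carry, keyed by a short finding label.
REQUIRED = {
    "port-security enabled": re.compile(r"^switchport port-security$"),
    "port-security violation mode": re.compile(r"^switchport port-security violation "),
    "broadcast storm-control": re.compile(r"^storm-control broadcast level "),
    "storm-control action": re.compile(r"^storm-control action "),
}

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented configuration lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or any unindented line ends the block
    return blocks

def audit_access_ports(config: str) -> Dict[str, List[str]]:
    """Return, per access port, the hardening items that are missing (empty list = compliant)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope for this check
        findings[name] = [k for k, p in REQUIRED.items() if not any(p.match(l) for l in lines)]
    return findings
```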