Chapter 1 Introduction to Network Security
Review Questions
1. Which of the following is an example of a policy weakness? (Choose all that apply.)
A. Absence of a proxy server
B. No trusted networks
C. Misconfigured network equipment
D. No disaster recovery plan
E. Technical support personnel continually changing
2. What are the three typical weaknesses in any network implementation? (Choose all that apply.)
A. Policy weakness
B. Technology weakness
C. Hardware weakness
D. Configuration weakness
E. Software weakness
3. Which of the following are examples of TCP/IP weaknesses? (Choose all that apply.)
A. Trojan horse
B. HTML attack
C. Session replaying
D. Application-layer attack
E. SNMP
F. SMTP
4. Which Cisco IOS feature would you use to protect a TCP server from TCP SYN-flooding attacks?
A. Rerouting
B. TCP Intercept
C. Access control lists
D. Encryption
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
5. Which of the following can be used to counter an unauthorized access attempt? (Choose all that apply.)
A. Encrypted data
B. Cisco Lock-and-Key
C. Access control lists
D. PAP
E. CHAP
F. IKE
G. TACACS+
6. What security issues face organizations today? (Choose all that apply.)
A. Security is not just a technology problem.
B. Too many employees need remote access.
C. Service providers don’t provide the support and security they promise.
D. Vast quantities of security technologies exist.
E. Adopting the latest security methods can be costly.
F. Many organizations lack a single network-wide security policy.
7. Which of the following threats is an example of snooping and network sniffing?
A. Repudiation
B. Masquerade threats
C. Eavesdropping
D. DoS
8. You are creating your security policy. Which of the following would you consider policy weaknesses? (Choose all that apply.)
A. Improper change control
B. IP spoofing
C. Masquerade attack
D. Misconfigured network equipment
E. Consistent security policy
F. Absence of a disaster recovery plan
9. In a masquerade attack, what does an attacker steal when pretending to come from a trusted host?
A. Account identification
B. User group
C. IP address
D. CHAP password
10. Which statements about the creation of a security policy are true? (Choose all that apply.)
A. It helps you determine the return on your investment in the network.
B. It provides a process with which to audit existing network security.
C. It defines how to track down and prosecute policy offenders.
D. It defines which behavior is and is not allowed.
E. It helps determine which vendor security equipment or software is better than others.
F. It allows your network to be completely secure and safe from all attacks.
11. Which of the following would be considered configuration weaknesses? (Choose all that apply.)
A. Old software
B. Unsecured user accounts
C. Misconfigured Internet services
D. No monitoring or auditing
12. Which of the following are examples of policy weaknesses? (Choose all that apply.)
A. Organization politics
B. Misconfigured Internet services
C. Improper change control
D. No monitoring or auditing of logs
E. System accounts with easily guessed passwords
13. What are the technology weaknesses that can affect an organization? (Choose all that apply.)
A. Software weakness
B. TCP/IP weakness
C. Operating system weakness
D. Network equipment weakness
14. What policies should be in place before any network equipment is configured and installed? (Choose all that apply.)
A. Passwords
B. Politics
C. Firewalls
D. Authentication
15. Using the default settings when installing network equipment is listed as what type of weakness?
A. Technology weakness
B. Configuration weakness
C. Policy weakness
D. Software weakness
16. Lack of business continuity is listed as what type of weakness?
A. Technology weakness
B. Configuration weakness
C. Policy weakness
D. Software weakness
17. Operating system security problems are listed as what type of weakness?
A. Technology weakness
B. Configuration weakness
C. Policy weakness
D. Software weakness
18. Lax security administration is listed as what type of weakness?
A. Technology weakness
B. Configuration weakness
C. Policy weakness
D. Software weakness
19. Software and hardware installation and changes are listed as what type of weakness?
A. Technology weakness
B. Configuration weakness
C. Policy weakness
D. Software weakness
20. Not having a disaster recovery plan is listed as what type of weakness?
A. Technology weakness
B. Configuration weakness
C. Policy weakness
D. Software weakness