- •Using Your Sybex Electronic Book
- •Acknowledgments
- •Introduction
- •Assessment Test
- •Answers to Assessment Test
- •Types of Network Security Threats
- •Types of Security Weaknesses
- •Technology Weaknesses
- •Configuration Weaknesses
- •Policy Weaknesses
- •Types of Network Attacks
- •Eavesdropping
- •Denial-of-Service Attacks
- •Unauthorized Access
- •WareZ
- •Masquerade Attack (IP Spoofing)
- •Session Hijacking or Replaying
- •Rerouting
- •Repudiation
- •Smurfing
- •Password Attacks
- •Man-in-the-Middle Attacks
- •Application-Layer Attacks
- •Trojan Horse Programs, Viruses, and Worms
- •HTML Attacks
- •The Corporate Security Policy
- •Summary
- •Exam Essentials
- •Key Terms
- •Written Lab
- •Review Questions
- •Answers to Written Lab
- •Answers to Review Questions
- •Authentication Methods
- •Windows Authentication
- •Security Server Authentication
- •PAP and CHAP Authentication
- •PPP Callback
- •Configuring the NAS for AAA
- •Securing Access to the Exec Mode
- •Enable AAA Locally on the NAS
- •Authentication Configuration on the NAS
- •Authorization Configuration on the NAS
- •Accounting Configuration on the NAS
- •Verifying the NAS Configuration
- •Troubleshooting AAA on the Cisco NAS
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 2.1: Setting the Line Passwords
- •Lab 2.2: Setting the Enable Passwords
- •Lab 2.3: Encrypting your Passwords
- •Lab 2.4: Creating Usernames and Logging In
- •Lab 2.5: Configuring AAA Authentication on the NAS
- •Answers to Written Lab
- •Answers to Review Questions
- •Introduction to the CiscoSecure ACS
- •Using User Databases for Authentication
- •Populating the User Database Population
- •New ACS Features
- •Installing CiscoSecure ACS 3.0
- •Administering CiscoSecure ACS
- •TACACS+ Overview
- •Configuring TACACS+
- •Using RADIUS
- •CiscoSecure User Database NAS Configuration for RADIUS
- •Verifying TACACS+
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Answers to Written Lab
- •Answers to Review Questions
- •Solving Eavesdropping and Session Replay Problems
- •Fighting Rerouting Attacks
- •Fighting Denial-of-Service Attacks
- •Turning Off and Configuring Network Services
- •Blocking SNMP Packets
- •Disabling Echo
- •Turning Off BOOTP and Auto-Config
- •Disabling the HTTP Interface
- •Disabling IP Source Routing
- •Disabling Proxy ARP
- •Disabling Redirect Messages
- •Disabling the Generation of ICMP Unreachable Messages
- •Disabling Multicast Route Caching
- •Disabling the Maintenance Operation Protocol (MOP)
- •Turning Off the X.25 PAD Service
- •Enabling the Nagle TCP Congestion Algorithm
- •Logging Every Event
- •Disabling Cisco Discovery Protocol
- •Disabling the Default Forwarded UDP Protocols
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Lab
- •Lab 4.1: Controlling TCP/IP Services
- •Answers to Written Lab
- •Answers to Review Questions
- •Understanding the Cisco IOS Firewall
- •Authentication Proxy and IDS
- •Context-Based Access Control
- •CBAC Compared to ACLs
- •CBAC-Supported Protocols
- •Introduction to CBAC Configuration
- •Using Audit Trails and Alerts
- •Configuring Global Timeouts and Thresholds
- •Configuring PAM
- •Defining Inspection Rules
- •Applying Inspection Rules and ACLs to Router Interfaces
- •Configuring IP ACLs at the Interface
- •Testing and Verifying CBAC
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 5.1: Configure Logging and Audit Trails
- •Lab 5.2: Define and Apply Inspection Rules and ACLs
- •Lab 5.3: Test and Verify CBAC
- •Answers to Written Lab
- •Answers to Review Questions
- •Introduction to the Cisco IOS Firewall Authentication Proxy
- •Configuring the AAA Server
- •Configuring AAA
- •Configuring the Authentication Proxy
- •Testing and Verifying Your Configuration
- •show Commands
- •Clearing the Cache
- •Introduction to the Cisco IOS Firewall IDS
- •Initializing Cisco IOS Firewall IDS
- •Configuring, Disabling, and Excluding Signatures
- •Creating and Applying Audit Rules
- •Setting Default Actions
- •Creating an Audit Rule
- •Applying the Audit Rule
- •Verifying the Configuration
- •Stopping the IOS Firewall IDS
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- •Lab 6.2: Enabling the IOS Firewall IDS
- •Answers to Written Lab
- •Answers to Review Questions
- •What is a Virtual Private Network?
- •Introduction to Cisco IOS IPSec
- •IPSec Transforms
- •IPSec Operation
- •The Components of IPSec
- •IPSec Encapsulation
- •Internet Key Exchange (IKE)
- •Summary
- •Exam Essentials
- •Key Terms
- •Written Lab
- •Review Questions
- •Answers to Written Lab
- •Answers to Review Questions
- •Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- •Preparing for IKE and IPSec
- •Configuring IKE
- •Configuring IPSec
- •Testing and Verifying IPSec
- •Configuring IPSec Manually
- •Configuring IPSec for RSA-Encrypted Nonces
- •Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- •Configuring CA Support Tasks
- •Preparing for IKE and IPSec
- •Configuring CA Support
- •Configuring IKE Using CA
- •Configuring IPSec for CA
- •Testing and Verifying IPSec for CA
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 8.1: Configure IKE on Lab_A and Lab_B
- •Lab 8.2: Configure IPSec on Lab_A and Lab_B
- •Answers to Written Lab
- •Answers to Review Questions
- •Answers to Hands-On Labs
- •Answer to Lab 8.1
- •Answer to Lab 8.2
- •Introduction to Cisco Easy VPN
- •The Easy VPN Server
- •Introduction to the Cisco VPN 3.5 Client
- •Easy VPN Server Configuration Tasks
- •Pre-Configuring the Cisco VPN 3.5 Client
- •Summary
- •Exam Essentials
- •Key Terms
- •Written Lab
- •Review Questions
- •Hands-On Lab
- •Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- •Answers to Written Lab
- •Answers to Review Questions
- •Network Separation
- •Three Ways through a PIX Firewall
- •PIX Firewall Configuration Basics
- •Configuring Interfaces
- •Saving Your Configuration
- •Configuring Access through the PIX Firewall
- •Configuring Outbound Access
- •Configuring Inbound Access
- •Configuring Multiple Interfaces and AAA on the PIX Firewall
- •Configuring Multiple Interfaces
- •Implementing AAA on the PIX Firewall
- •Configuring Advanced PIX Firewall Features
- •Failover
- •Outbound Access Control
- •Logging
- •SNMP Support
- •Java Applet Blocking
- •URL Filtering
- •Password Recovery
- •Glossary
Assessment Test
1.Which of the following commands trace AAA packets and monitor their activities? (Choose all that apply.)
A.debug aaa authentication
B.debug aaa authorization
C.debug aaa all
D.debug aaa accounting
2.What is the last header you can read in clear text when a packet has been encrypted using IPSec?
A.Physical
B.Data Link
C.Network
D.Transport
3.Which of the following is an example of a configuration weakness?
A.Old software
B.No written security policy
C.Unsecured user accounts
D.No monitoring of the security
4.Which IOS feature best prevents DoS SYN flood attacks?
A.IPSec
B.TCP Intercept
C.MD5 authentication
D.ACLs
5.RSA digital signatures and ___________ are IPSec authentication types supported by the Cisco Easy VPN Server.
A.Pre-shared keys
B.LSA analog signatures
C.DSS
D.DES
E.3DES
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Assessment Test |
xxxi |
6.Which of the following commands do you use to change the maximum number of half-open TCP connections per minute to 100?
A.ip inspect tcp synwait-time 100
B.ip inspect tcp idle-time 100
C.ip inspect max-incomplete high 100
D.ip inspect one-minute high 100
E.ip inspect tcp max-incomplete host 100
7.IP spoofing, man-in-the-middle, and session replaying are examples of what type of security weakness?
A.Configuration weakness
B.TCP/IP weakness
C.Policy weakness
D.User password weakness
8.Alert is the ___________ for attack signatures in the IOS Firewall IDS.
A.Default action
B.Non-default action
C.Exclusionary rule
D.Inclusionary rule
E.Configured action
9.If you want to make sure you have the most secure authentication method, what should you use?
A.Windows username/password
B.Unix username/password
C.Token cards/soft tokens
D.TACACS+
10.Which of the following are considered typical weaknesses in any network implementation? (Choose all that apply.)
A.Policy weaknesses
B.Technology weaknesses
C.Hardware weaknesses
D.Configuration weaknesses
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
xxxii Assessment Test
11.What are RSA-encrypted nonces?
A.Manually generated/exchanged public keys
B.Automatically generated/exchanged public keys
C.Manually generated/exchanged private keys
D.Automatically generated/exchanged private keys
12.What function does the clear crypto isakmp * command perform?
A.It resets all LDPM SAs configured on a device.
B.It resets all IKE RSAs configured on a device.
C.It resets all IKE SAs configured on a device.
D.It resets the crypto settings for a configured peer.
13.Which component of AAA provides for the login, password, messaging, and encryption of users?
A.Accounting
B.Authorization
C.Authentication
D.Administration
14.Which of the following commands do you use to change the maximum time CBAC waits before closing idle TCP connections to 10 minutes?
A.ip inspect tcp synwait-time 600
B.ip inspect tcp idle-time 600
C.ip inspect max-incomplete high 600
D.ip inspect one-minute high 600
E.ip inspect tcp max-incomplete host 600
15.Which of the following are examples of policy weaknesses? (Choose all that apply.)
A.Absence of a proxy server
B.No trusted networks
C.Misconfigured network equipment
D.No disaster recovery plan
E.Technical support personnel continually changing
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Assessment Test |
xxxiii |
16.The ESP protocol provides which service not provided by the AH protocol?
A.Data confidentiality
B.Authentication services
C.Tamper detection
D.Anti-replay detection
17.Which of the following are valid methods for populating the CiscoSecure User Database? (Choose all that apply.)
A.Manually
B.Novell NDS
C.Windows NT
D.Database Replication utility
E.Database Import utility
18.What does the command aaa new-model do?
A.It creates a new AAA server on the NAS.
B.It deletes the router’s configuration and works the same as erase startup-config.
C.It disables AAA services on the router.
D.It enables AAA services on the router.
19.A connection that has failed to reach an established state is known as ___________?
A.Full-power
B.Half-baked
C.Half-open
D.Chargen
20.Which of the following security database protocols can be used between the NAS and CSNT? (Choose all that apply.)
A.NTLM
B.SNA
C.TACACS+
D.Clear text
E.RADIUS
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
xxxiv Assessment Test
21.Which of the following are examples of a TCP/IP weakness? (Choose all that apply.)
A.Trojan horse
B.HTML attack
C.Session replaying
D.Application layer attack
E.SNMP
F.SMTP
22.You have just configured IPSec encryption. Which problem are you trying to solve?
A.Denial-of-service (DoS) attacks
B.Rerouting
C.Lack of legal IP addresses
D.Eavesdropping
23.You have just configured MD5 authentication for BGP. Which type of attack are you trying to prevent?
A.DoS
B.Rerouting
C.Hijacking of legal IP addresses
D.Eavesdropping
24.Using your web browser, which port do you go to (by default) to access the CSNT web server?
A.80
B.202
C.1577
D.2002
E.8000
25.To help you both set up and configure CBACs, Cisco has defined six steps for configuring CBAC. What is the correct order for the six steps?
A.Define Port-to-Application Mapping (PAM).
B.Set audit trails and alerts.
C.Test and verify CBAC.
D.Set global timeouts and thresholds.
E.Apply inspection rules and ACLs to interfaces.
F.Define inspection rules.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Assessment Test xxxv
26.What port does ISAKMP use for communications?
A.TCP 50
B.UDP 50
C.TCP 500
D.UDP 500
27.Policy weaknesses, technology weaknesses, and configuration weaknesses are examples of what type of implementation weakness? (Choose all that apply.)
A.Policy implementation
B.Network implementation
C.Hardware implementation
D.Software implementation
28.The ____________________ implement(s) software to protect TCP server from TCP SYN flood attacks.
A.Cisco access control lists (ACL)
B.TCP Intercept feature
C.Cisco queuing methods
D.Cisco CBACS
29.Which of the following do not participate in the Cisco IOS Cryptosystem? (Choose all that apply.)
A.DH
B.MD5
C.ESP
D.DES
E.BPR
30.The ip inspect tcp max-incomplete host 100 command performs what function when invoked?
A.It has no known effect on the router.
B.It sets the total number of TCP connections per host to 1000.
C.It sets the total number of TCP connections per host to 100.
D.It changes the maximum number of half-open TCP connections per host to 1000.
E.It changes the maximum number of half-open TCP connections per host to 100.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
xxxvi Assessment Test
31.What key does Diffie-Hellman (DH) create during IKE phase 1?
A.Xa
B.Bx
C.Xor
D.NorX
32.Which of the following authentication methods is not supported by CiscoSecure ACS 3.0 for Windows NT/2000? (Choose all that apply.)
A.Novell NDS
B.Banyan StreetTalk
C.DNS
D.POP
E.ODBC
F.MS Directory Services
33.The ip inspect max-incomplete high 1000 command changes what setting?
A.It changes the maximum number of half-open TCP connections to 100.
B.It changes the minimum number of half-open TCP connections to 1000.
C.It changes the maximum number of half-open TCP connections to 1000.
D.It changes the IP inspect idle timer to 1000 seconds.
E.It changes the IP inspect idle timer to 100 seconds.
34.Which of the following statements about CS ACS 3.0 token-card server support are true? (Choose all that apply.)
A.Microsoft is supported with service pack 6.0a.
B.AXENT is natively supported.
C.CryptoCard is natively supported.
D.Novell NDS v4.x or higher is supported.
E.ODBC with 6.0.1.1a service pack is supported.
35.IOS version 12.2(8)T is the minimum version required in order to run ___________.
A.LPDM
B.Windows NT Terminal Services
C.IOS Easy VPN Server
D.sRAS (Secure RAS) or sDNS (Secure Domain Name Service)
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Assessment Test |
xxxvii |
36.Memory usage and ___________ are two issues to consider when implementing the IOS Firewall IDS.
A.User knowledge
B.Signature coverage
C.User address space
D.TACACS+ server type
37.What does the aaa authentication login default tacacs+ none command instruct the router to do? (Choose all that apply.)
A.No authentication is required to log in.
B.TACACS+ is the default login method for all authentication.
C.If the TACACS+ process is unavailable, no access is permitted.
D.RADIUS is the default login method for all authentication.
E.If the TACACS+ process is unavailable, no login is required.
F.If the RADIUS process is unavailable, no login is required.
38.___________ and ___________ are both supported by Cisco Easy VPN Server.
A.Authentication using DSS
B.DH1
C.DH2
D.Manual keys
E.Perfect forward secrecy (PFS)
F.DH5
39.What does an atomic signature trigger on?
A.Single packet
B.Duplex packet
C.Atomic packet
D.Two-way packet
40.Which of these statements are true regarding the following debug output? (Choose all that apply.)
01:41:50: AAA/AUTHEN: free_user (0x81420624) user='todd' ruser=''port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN
priv=101:42:12:
AAA/AUTHEN/CONT (864264997): Method=LOCAL
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
xxxviii Assessment Test
A.This debug output shows that the user is using a remote database for authenticating the user todd.
B.This is a debug output from the authorization component of AAA.
C.This is a debug output from the authentication component of AAA.
D.The password will be checked against the local line password.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |