
Evaluating Network Security Threats


mircea

Presentation Transcript


  1. Evaluating Network Security Threats

  2. Objectives • Upon completion of this chapter you will be able to perform the following tasks: • Identify the need for network security • Identify the causes of network security problems • Identify the most pervasive and significant security threats for campus, dialup, and Internet environments based on a case study network scenario

  3. Review Questions • 1. What are the three primary reasons for network security issues? A. Technology weaknesses B. Configuration weaknesses C. Policy weaknesses • 2. Which of the general network threats pose a risk to Internet connections? A. All of the general categories B. More threats are being created over time

  4. Review Questions (cont.) • 3. What resources are available to learn network attack types and methods to thwart them? A. Publications such as Maximum Security, Internet Security for Business B. Web sites such as CERT, COAST, Cisco CCO C. Newsgroups such as alt.2600 D. Each of the resources points to still more resources

  5. Chapter 3 Configuring the NAS for AAA Security

  6. Objectives • Upon completion of this chapter, you will be able to perform the following tasks: • Describe network access server port types and access control methods • Configure the network access server to enable AAA processes to use a local database with a CiscoSecure NAS • Test the network access server AAA configuration using applicable debugging and testing commands

  7. Review Questions • 1. What are the two network access server modes that can be secured by AAA commands? • A. Character (line mode) with tty, vty, aux, and cty ports • B. Packet (interface mode) with async, group-async, BRI, and serial (PRI) ports

  8. Review Questions (cont.) • 2. What is being configured in each of the fields of the following command? • aaa authentication ppp sales if-needed local • A. aaa authen ppp–Specifies the PPP operation for this authentication process • B. sales–Assigns the profile name sales to this process • C. if-needed–Specifies the if-needed authentication method for the PPP authentication operation, which requires no authentication if the user is already authenticated • D. local–If the if-needed method fails, uses the local database method for PPP authentication

  9. Chapter 4 Configuring CiscoSecure ACS and TACACS+

  10. Objectives • Upon completion of this chapter, you will be able to perform the following tasks: • Describe the features and architecture of CiscoSecure ACS 2.4 for Windows NT • Configure CiscoSecure ACS for NT to perform AAA functions • Describe the features and architecture of CiscoSecure ACS 2.3 for UNIX • Configure the network access server to enable AAA processes to use a TACACS remote service

  11. Review Questions • 1. Describe the pros and cons of using the NT User Database. PROS: A. Single database simplifies administration B. Can reuse existing username and password entries in the database C. Enables single login for users CONS: A. Cannot repopulate another database with usernames and passwords located in NT SAM hive B. Cannot store third-party passwords such as CHAP passwords C. Cannot run token card algorithm in NT SAM hive

  12. Review Questions (cont.) • 2. What do you need to configure in the NT User Manager? A. Username and password pairs in NT User Database. B. User group must include the policy "Log on Locally." C. User profile must not have "change password at next login" or "disable account" selected. D. Enable "Grant dialin permissions" from the dial-up menu if you want to optionally control user login privileges from within NT. E. The callback number should not be configured.

  13. Review Questions (cont.) • 3. What is configured using the CiscoSecure ACS Web interface? A. User profiles B. Group profiles C. Network access server information, including authorization parameters D. CiscoSecure ACS services E. Token server configuration F. Remote administrators G. Reports and activities H. Can also view online documentation

  14. Review Questions (cont.) • 4. How is AAA accounting information reported in CiscoSecure ACS? A. Accounting information can be viewed under "Reports and Activity" via the Web browser interface B. Report files in .csv format can be imported into other database and spreadsheet applications for evaluation • 5. Where should you start in troubleshooting CiscoSecure ACS problems? • A. The “Failed Attempts Report” under “Reports and Activity” via the Web browser interface

  15. Chapter 5 Configuring PIX Firewall Basics

  16. Objectives • Upon completion of this chapter, you will be able to perform the following tasks: • Identify PIX™ Firewall features and components • Configure a PIX Firewall to work with a Cisco router • Configure basic PIX Firewall features to protect Internet access to an enterprise based on a case study network design • Test and verify basic PIX Firewall operation

  17. Review Questions • 1. Which PIX Firewall features enable PIX to have high performance? A. Stateful operation: adaptive security algorithm B. Cut-through proxy authentication C. Secure, real-time embedded system • 2. What is the basic PIX Firewall security policy for inbound and outbound connections? A. Inbound: All inbound connections are denied unless specifically authenticated, enabled by a static or conduit, or as a response to a valid user request B. Outbound: All connections are allowed unless specifically denied by access lists

  18. Review Questions (cont.) • 3. What are three of the advantages of the PIX Adaptive Security Algorithm? A. Stateful connection security B. Tracks source and destination ports and addresses, TCP sequences, and additional TCP flags C. Random TCP sequence numbers D. Tracks TCP and UDP session state E. Outbound traffic return session backflow tracking F. Supports authentication, authorization, and syslog accounting

  19. Review Questions (cont.) • 4. List the six commands needed to get the PIX running and providing basic network security. A. nameif ethernetX B. interface ethernetX C. ip address D. global E. nat F. route

  20. Review Questions (cont.) • 5. Does the PIX 515 support FDDI and Token Ring interfaces? No. • 6. What command is used to verify interface function and correct cable connection? show interface

  21. Chapter 6 Configuring Access through the PIX Firewall

  22. Objectives • Upon completion of this chapter, you will be able to complete the following tasks: • Configure outbound and inbound access through the PIX Firewall based on a case study network design • Test and verify correct PIX operation

  23. Review Questions • 1. What function does the nat 0 command serve? It disables address translation so that outside hosts can access inside hosts. • 2. Two commands can be used to enable NAT. What are they? A. global B. static • 3. PAT supports more than 64,000 hosts. What approximate percentage of that number can be connected at the same time? 25%

  24. Review Questions (cont.) • 4. When running multimedia applications through the PIX, does it matter if PAT is enabled? Yes. Some multimedia applications need access to specific ports. This may cause a conflict with the port mappings that PAT provides. • 5. Which command has precedence, static, or nat and global? Why is this important? Static. It is important because a nat 1 0 0 command only grants outbound access to hosts not specified in the static statement. • 6. In V-4.4(1) of the PIX s/w, can the conduit command be used with either the global or static commands? Is either of them required with the conduit command? Yes. No.

  25. Chapter 7 Configuring Multiple Interfaces and AAA on the PIX Firewall

  26. Objectives • Upon completion of this chapter, you will be able to: • Configure multiple interfaces on the PIX Firewall to protect a bastion host based on a case study network • Configure AAA features of the PIX Firewall to work with Cisco CiscoSecure ACS based on a case study network • Test and verify correct PIX operation

  27. Review Questions • 1. What is the advantage of using multiple perimeter interfaces? A. Platform extensibility B. Security Policy enforcement • 2. What command replaced the aaa-tacacs and aaa-radius commands? aaa-server • 3. What quantity of group tags does PIX software allow, and how many servers are allowed in each? A. 16 group tags B. 16 servers in each group tag

  28. Review Questions (cont.) • 4. When adding, changing, or removing a global statement, what is the next command to enter after saving the configuration? clear xlate

  29. Chapter 8 Configuring Advanced PIX Firewall Features

  30. Objectives • Upon completion of this chapter, you will be able to: • Configure PIX Firewall advanced features to protect Internet access to an enterprise network based on a case study network • Test and verify correct PIX operation

  31. Review Questions • 1. List three advanced PIX Firewall features that enhance network security. A. Java Applet blocking B. URL filtering C. Control SNMP access • 2. What two things are needed for Failover to work? A. Two identical PIX Firewalls B. A failover cable • 3. Which commands are used together to enable a permanent connection through PIX? A. link B. linkpath

  32. Review Questions (cont.) • 4. Two conduits are needed to enable PPTP on a PIX. What are they for? A. TCP Port 1723 B. GRE protocol • 5. Can PIX Firewall Manager and Cisco Security Manager run on the same machine at the same time? No. • 6. What advantages does PFM have over the command-line interface for PIX configuration and management? A. GUI-based configuration and management enables point-and-click policy settings B. Can manage multiple PIX Firewalls from a single point C. Provides general reporting capabilities D. Provides URL and FTP logging for audits

  33. Chapter 9 Configuring a Cisco Perimeter Router

  34. Objectives • Upon completion of this chapter, you will be able to perform the following tasks: • Identify perimeter security problems and solutions • Identify Cisco IOS™ software perimeter security features • Configure a Cisco router as a perimeter router to protect Internet access from common security threats based on a case study network design

  35. Review Questions • 1. What are the Cisco IOS software features useful for implementing perimeter security? • A. Cisco IOS Firewall feature set • B. Standard and extended access lists • C. NAT • D. PAT • E. TCP Intercept to control SYN DoS attacks • F. Lock and Key security

  36. Review Questions (cont.) • 2. What features are included in the Cisco IOS Firewall feature set? A. Context-based access lists B. Java blocking C. DoS detection and prevention D. Audit trail E. Real-time alerts F. ConfigMaker support

  37. Review Questions (cont.) • 3. Which Cisco IOS software commands would you use on a perimeter router to block echo and finger inquiries from the Internet? A. no service tcp-small-servers B. no service udp-small-servers C. no service finger commands • 4. Write an access list that will allow traffic to a Web server on the XYZ Company DMZ. A. access-list 110 permit tcp any host 171.16.1.3 eq www

  38. Review Questions (cont.) • 5. What are some limitations of using access lists for network security? A. Cannot detect data attacks such as viruses, worms, or Trojan horses B. Cannot completely protect against denial-of-service attacks C. Access lists are difficult to maintain

  39. Chapter 10 Configuring Cisco Secure Integrated Software

  40. Objectives • Upon completion of this chapter, you will be able to perform the following tasks: • Identify Cisco Secure Integrated Software features • Configure Cisco Secure Integrated Software features to secure a case study network

  41. Review Questions • 1. Define four features of CBAC. A. Secure per-application filtering B. Support for advanced protocols C. Control downloading of Java applets D. DoS detection and prevention E. Real-time alerts F. TCP/UDP Transaction logs G. Administration

  42. Review Questions (cont.) • 2. Place the following configuration steps in the correct order: 1. Pick an interface: Internal or External 2. Configure IP Access Lists at the Interface 3. Configure Global Timeouts and Thresholds 4. Define an inspection rule 5. Apply the Inspection Rule to an Interface 6. Test and verify CBAC

  43. Review Questions (cont.) • 3. What command would you use to verify CBAC inspection of application protocol inspection of packets? A. debug ip inspect protocol

  44. Chapter 11 Understanding Cisco IOS IPSec Support

  45. Objective • Upon completion of this chapter, you will be able to perform the following task: • Identify IPSec encryption protocols implemented in Cisco IOS Software

  46. Review Questions • 1. What is the difference between ESP Transport mode and ESP Tunnel mode? ESP Tunnel mode encapsulates the entire datagram and gives it a new IP Header. • 2. What elements of security does AH provide? A. Data Integrity B. Origin Authentication C. Replay protection (optional) • 3. What element of security does AH not provide? A. Confidentiality

  47. Review Questions (cont.) • 4. Can IPSec be configured without IKE? Yes • 5. What are three of the benefits of IKE? A. Automated IPSec security parameter distribution B. Can specify a lifetime for IPSec security association C. Can change encryption keys during IPSec session D. Allows IPSec to provide anti-replay services E. CA support F. Dynamic authentication of peers • 6. What is the primary purpose of a CA? To verify the identity of an entity in a digital transmission

  48. Chapter 12 Configuring Cisco IOS IPSec

  49. Objectives • Upon completion of this chapter, you will be able to: • Identify Cisco IOS commands used to configure and test IPSec in Cisco routers • Configure IPSec between Cisco routers to create a secure communication environment based on a case study network design

  50. Review Questions • 1. Place the following configuration steps into the order in which they should be performed: 1. Exchange DSS public key 2. Generate router's DSS public/private keys 3. Configure per-session encryption policy 4. Define global encryption policy
