Cisco CCNA Security-Summary (PDF)

Title: Cisco CCNA Security-Summary
Tags: Denial Of Service Attack, Transmission Control Protocol, Radius, Network Switch, Port (Computer Networking)
File Size: 1.3 MB
Total Pages: 56

Table of Contents
Introduction
	Cisco Security Management Tools
	Control of Data
	Security Policy
	Risk
	System Development Life Cycle (SDLC)
Understanding the Risks
	Layer 2 risks
	Layer 3 risks
	Upper Layer risks
	Physical
Configuring Devices
	Basic device Configuration
		Creating a Banner
		Configure SSH access
		Enable SDM
		IOS Resilient Configuration
		Password Recovery
	AAA
		RADIUS
		TACACS
		Configuring
	User Privileges
		Privilege Level Access
		Role Based Access
	Logon Security
		Securing VTY Lines
	AutoSecure and One Step Lock Down
		AutoSecure
		SDM One-Step Lockdown & Security Audit
	Logging
	NTP
Layer 2 security
	Port Security
		Configure SNMP Traps for MAC Table Event Notification
	802.1x Port Security / Network Admission Control (NAC)
		Dot1x port control modes
		EAP
		Example
	Storm Control
	Span ports (Switchport Analyser)
	Securing VLANs
		Filtering Intra-VLAN Traffic
		Private VLANs
	Securing IP at Layer 2
		DHCP Snooping
		Dynamic ARP Inspection (DAI)
		IP Source Guard
	Useful Commands
	Best Practices
IOS Firewall
	Firewall Introduction
		Firewall Types
		Layered Defence Strategy
		Cisco IOS Firewall feature set
	Static Packet Filtering
		Examples
		Named access lists
		Apply a list to an interface / line
		Show commands
		Turbo ACLs
		NOTES
	CBAC/Classic Firewall
	Zone based Firewall (ZFW)
		ZFW Actions
		Creation of a ZFW using Cisco Common Classification Policy (C3PL)
		C3PL/MQC (Modular QoS CLI) – Parameter maps
		C3PL/MQC (Modular QoS CLI) – Class maps
		C3PL/MQC (Modular QoS CLI) – Policy-map
IPS
	IPS Introduction
		Types of IPS/IDS solutions
		Intrusion Detection Methods
		Alerts
		Signatures
		Cisco IDS / IPS Range
	Configuring IPS on a Cisco Router using SDM
		Edit IPS Tab
		Security Dashboard Tab
	Logging & Monitoring
		Reporting / Logging
		CLI Monitoring
		Monitoring using SDM
	Notes
VPN / Cryptography
	Hashing & Digital signatures
		Hashing algorithms
		HMAC – Hashed Message Authentication Codes
		Digital Signatures
	Symmetric Encryption
		Caesar / Substitution Cipher
		Vigenere Cipher
		One Time Pad / Vernam Cipher
		Transposition Cipher
		DES (56bit) & 3DES – EDE (112 & 156bit)
		AES (128, 192 & 256bit)
		IDEA (128bit) International Data Encryption Algorithm
		SEAL – Software Encryption Algorithm
		RC
		Blowfish (32 to 448bit)
	Asymmetric Encryption
		RSA
		Diffie Hellman Key exchange
	Choosing an encryption method
	Key Management
	PKI
		Certificates
		Certificate Authority
	IPSec
		Components
		IPSec Benefits
		Operation methods
		Negotiation
		Phase one
		Phase two
		IPSec Authentication
	Configuring Site to Site VPNs
		Configuring Site to Site VPNs using SDM
		Configuring Site to Site VPNs using CLI
Endpoint Security
	Endpoint Security Introduction
		Operating Systems
		Applications
		Phases of an attack
		Example of some previous attacks and their phases
	Cisco NAC
		NAC Components
		The NAC Process
	Cisco Security Agent (CSA)
	IronPort
San and Voice Security
	SAN Security
		Securing SANs
		Port Authentication
		Data Confidentiality
	Voice Security
		Voice Attacks
		Approaches to secure VoIP
		IP Phone vulnerabilities
Notes

Document Text Contents
Page 1

Cisco CCNA Security Notes (640-553)

M Morgan ©2010 Page 1 of 56

Contents (page numbers refer to the PDF)

Contents (p. 1)
Introduction (p. 3)
	Cisco Security Management Tools (p. 4)
	Control of Data (p. 4)
	Security Policy (p. 5)
	Risk (p. 6)
	System Development Life Cycle (SDLC) (p. 6)
Understanding the Risks (p. 7)
	Layer 2 risks (p. 8)
	Layer 3 risks (p. 9)
	Upper Layer risks (p. 11)
	Physical (p. 12)
Configuring Devices (p. 13)
	Basic device Configuration (p. 13)
	AAA (p. 15)
	User Privileges (p. 17)
	Logon Security (p. 18)
	AutoSecure and One Step Lock Down (p. 19)
	Logging (p. 21)
	NTP (p. 22)
Layer 2 security (p. 23)
	Port Security (p. 23)
	802.1x Port Security / Network Admission Control (NAC) (p. 24)
	Storm Control (p. 24)
	Span ports (Switchport Analyser) (p. 25)
	Securing VLANs (p. 25)
	Securing IP at Layer 2 (p. 27)
	Useful Commands (p. 28)
	Best Practices (p. 28)
IOS Firewall (p. 29)
	Firewall Introduction (p. 29)
	Static Packet Filtering (p. 29)
	CBAC/Classic Firewall (p. 32)
	Zone based Firewall (ZFW) (p. 32)
IPS (p. 35)
	IPS Introduction (p. 35)
	Configuring IPS on a Cisco Router using SDM (p. 37)
	Logging & Monitoring (p. 38)
	Notes (p. 40)
VPN / Cryptography (p. 41)
	Hashing & Digital signatures (p. 41)
	Symmetric Encryption (p. 42)
	Asymmetric Encryption (p. 43)
	Choosing an encryption method (p. 44)
	Key Management (p. 44)
	PKI (p. 45)
	IPSec (p. 46)
	Configuring Site to Site VPNs (p. 48)
Endpoint Security (p. 51)
	Endpoint Security Introduction (p. 51)
	Cisco NAC (p. 52)
	Cisco Security Agent (CSA) (p. 53)
	IronPort (p. 53)
San and Voice Security (p. 54)
	SAN Security (p. 54)
	Voice Security (p. 55)
Notes (p. 56)

Page 28

The recommendation is to set all ports connected to hosts as untrusted and all ports connected to other switches as trusted. Because ARP packets are inspected on ingress, each ARP packet is inspected only once, on the switch where it enters the network.



IP Source Guard

This prevents a host from using another host's IP address and, like Dynamic ARP Inspection, requires DHCP Snooping to be enabled. An untrusted port accepts only DHCP packets until the host receives an IP address. That address is recorded in the DHCP snooping binding table, and the port then accepts traffic only from that source IP address. This reduces the risk of IP spoofing.
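The two preceding sections (DAI trust placement and IP Source Guard) in one configuration, as an added example that is not part of M Morgan's notes. VLAN 10, host ports Fa0/1-10 and uplink Gi0/1 are assumed for illustration.

```cisco
! Added example, not from the notes: DHCP snooping, DAI and IP Source Guard
! on one hypothetical access switch (VLAN 10, Fa0/1-10 hosts, Gi0/1 uplink).
!
! Global: DHCP snooping is the prerequisite for both DAI and IP Source Guard.
ip dhcp snooping
ip dhcp snooping vlan 10
! Catalyst switches insert DHCP option 82 once snooping is on; turn it off
! unless the DHCP server or relay is configured to accept it.
no ip dhcp snooping information option
! DAI validates ARP packets against the snooping binding table.
ip arp inspection vlan 10
!
! Uplink to another switch: trusted, so its DHCP and ARP traffic is not
! inspected again (the switch the host sits on already inspected it on ingress).
interface GigabitEthernet0/1
 description Uplink to distribution switch (trusted)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host ports: untrusted by default for both DHCP snooping and DAI.
! "ip verify source" drops IP traffic whose source address does not match
! the port's snooping binding; until a lease is recorded only DHCP passes.
interface range FastEthernet0/1 - 10
 description Host ports (untrusted)
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Verification (privileged EXEC):
!   show ip dhcp snooping binding      - leases the switch has learnt
!   show ip arp inspection vlan 10     - DAI status for the VLAN
!   show ip verify source              - per-port IP Source Guard bindings
```

A host with a static address on an untrusted port will have no binding and its traffic is dropped; either add a static entry with ip source binding or exempt that port deliberately.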



Useful Commands

Mode	Description	Command Syntax
#	Show all MAC addresses	show mac address-table
#	Show only dynamically learnt addresses	show mac address-table dynamic
#	Show addresses for a particular VLAN	show mac address-table dynamic vlan vlanid
(config)	Select a range of interfaces	interface range f0/6 - 10


Best Practices

- Use secure management (SSH, OOB, access-class on VTY lines).
- Make an audit sheet (portfast, bpduguard etc.).
- Try to reduce the use of VLAN 1 and don't use it as the native VLAN.
- Disable dynamic trunking (set all non-trunking ports as access ports).
- Lock down SNMP (set ACLs, keep community strings secret, avoid RW access).
- Unused port recommendation:
	- Disable the port (shutdown)
	- Set the port to an access port (switchport mode access)
	- Assign the port to another VLAN (switchport access vlan 99)
