Infrastructure Security

Question 1

a command-line facility that implements security measures across all three of the planes

Answer 1

auto secure

Question 2

• Specific sub-interfaces classification

- handles traffic to one of the physical or logical interface of the router

Answer 2

host sub-interface

Question 3

Specific sub-interfaces classification

-handles certain data plane traffic that requires CPU intervention before forwarding(such as IP Options)

Answer 3

transit sub-interface

Question 4

Specific sub-interfaces classification

Exception traffic such as keep-alives or packets with time to live

Answer 4

CEF-Exception sub-interface

Question 5

Syslog Levels

Answer 5

0 - Emergencies - System is unsuable
1 - Alerts - Immediate Action is needed
2 - Critical 
3 - Error
4 - Warnings
5 - Notifications
6 - Informational
7 - Debugging

Question 6

commands to secure boot image

Answer 6

secure boot-image

Question 7

Threats to Both Ipv4 and ipv6
-an attacker is using a network service in an unexpected or malicious way. To protect againts this, you can place filters to allow only the required protocols through network

Answer 7

Application layer attacks

Question 8

Threats to Both Ipv4 and ipv6
Individuals not authorized for access are gaining access to network resources. To protect against this, use AAA service to challenge the user.

Answer 8

Unauthorized Access

Question 9

Threats to Both Ipv4 and ipv6
Someone or something is between the two devices who believe they are communicating directly with each other. You can prevent this by implement dynamic arp inspectiong (DAI) and spanning tree protocol guards (STP)

Answer 9

Man-in-the-middle

Question 10

Threats to Both Ipv4 and ipv6
An attacker is listening in on the network traffic of others. This could be done where the attacker has implemented a content-addressable memory (CAM) table overflow. To protect against this you can use port-security.

Answer 10

Snipping or eavesdropping

Question 11

Threats to Both Ipv4 and ipv6
Making services that should be available to user unavailable. Performing packet inspection and rate limiting can help mitigate

Answer 11

Denial of Service (DOS)

Question 12

Threats to Both Ipv4 and ipv6
Forge addressing or packet content. Filtering traffic that is attempting to enter the network is one of the best first steps to mitigate this type of traffic.

Answer 12

Spoofed packets

Question 13

New potential risk with Ipv6

Answer 13

Network Discovery protocol (NDP)
Neighbour cache resource starvation
DHCPv6
Hop-by-hop extension headers
Packet amplification attacks
ICMPv6
Tunneling options
Autoconfigurations
Dual Stacks
Bugs in code

Question 14

IPV6 Best practices

Answer 14

Filter bogus addresses
Filter nonlocal multicast addresses
Filter ICMPv6 that is not needed
Drop routing header type 0 packets
use manual tunnels rather than automatic tunnels
Protect IPV6 rouge devices
Secure Neighbor Discovery (SeND) in IPV6

Question 15

Mechanism to prevent spoofing of IPV6 addresses

Answer 15

IPv6 first-hop security binding table
IPv6 device tracking
IPv6 port-based access list support
IPv6 RA guard
IPV6 ND inspection

Question 16

Process-switched traffic category

Answer 16

Receive adjacency traffic

Data plane traffic requiring special processing by CPU

Question 17

command that can be used for Control Plane Policing (CoPP)

Answer 17

show policy-map control plane

Question 18

Is a Cisco-IOS wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices

Answer 18

Control Plane Policing (CoPP)

Question 19

Is another feature like CoPP, that can help mitigate the effects on the CPU of traffic the requires processing by the CPU

Answer 19

Control Plane Protection (CPPr)

Question 20

CPPr can restrict traffic with finer granuality by diving the aggregate control plane into three seperate control plane categories known as sub interfaces. The three sub interfaces are

Answer 20

Host sub-interface
Transit sub-interface
CEF-Exception sub-interface

Other features are;

• Port-filtering feature
• Queue-thresholding feature

Question 21

Ways to secure routing protocols

Answer 21

by using passsword authentication with routing protocols

MD5

Question 22

Layer 2 best practices

Answer 22

• select unused vlan except for vlan 1 and use that for native vlan. Do not use this vlan for any other thing
• avoid vlan 1
• administratively configure access port as access ports and turn off negotiate
• limit the number of mac learned on given port
• control spanning tree by using bpdu guard and root guard
• turn off CDP
• assign ununsed ports to unused vlan and shut down

Question 23

Layer 2 toolkit

Answer 23

• BPDU guard
• Root guard
• Port security
• DHCP snooping
• Dynamic Arp inspection
• IP source guard
• 802.1x
• storm control
• access control list

Question 24

Introduce by Cisco in 1994 to provide mechanism for the management system to automatically learn about devices connected to the the network

Answer 24

Cisco Discovery Protocol (CDP)

Question 25

Is a security feature that acts like a firewall between untrusted host and truseted DHCP servers.

Answer 25

DHCP Snooping

Question 26

Is a security feature that validates ARP packets in a network. Intercept logs, and discards ARP packets with invalid IP-to-MAC address bindings

Answer 26

Dynamic ARP inspection

Question 27

For Cisco IOS router and switches, the Network Foundation Protection (NFP) framework is broken down in three basic planes.

Answer 27

- Management plane - Data Plane - Control Plane

Question 28

Best practices to securing management plane

Answer 28

- Enforce password policy - Implement Role base access control (RBAC) - Use AAA services - Keep accurate time using NTP - Use encrypted version of SNMP (v2 and v3) - Control which IP address is allow to initiate management connection - lock down syslog - disable unnessary services (tcp and udp small services, finger, bootp, dhcp, maintenance operation protocol (mop), DNS, packet assembler/disassembler (pad), http and https server, cdp, lldp)

Question 29

Best practices for deploying control plane

Answer 29

deplyoing CoPP and CPPr

Question 30

best practices for protecting data plane

Answer 30

- block unwanted traffic at the router - reduce the chance of DOS attacks such as TCP Intercept and firewall services - reduce spoofing attack ( blocking traffic from outside with source of internal IP) - provide bandwidth management (rate-limiting on certain types like icmp) - when possible use IPS

Question 31

Best practices common to IPv4 and IPv6

Answer 31

- physical security - device hardening - control access between zones - routing protocol security - AAA - NTP - Mitigating DOS attacks - have an update a security policy

Question 32

command to enable timestamps in syslog messages

Answer 32

service timestamps log datetime

Question 33

is a feature thats intended to improve recovery time by making a secure working copy of a router or image and the startup configuration files so they cannot be deleted by user

Answer 33

Cisco Resilient Configuration

Question 34

cdp operates in layer?

Answer 34

layer 2

Question 35

A custom privileged level. Associate with a subset of commands

Answer 35

Parser Views