CCNA Security Quick Reference
Completely updated to reflect the new CCNA Security (IINS) exam, this quick reference is for people preparing for the CCNA Security (IINS) exam, for anyone studying for Cisco certifications, or for use as a handy quick reference. The text is also available in eBook versions: a PDF version and an EPUB version for reading on your tablet.

About the Author
Anthony Sequeira, CCIE, is a Cisco Certified Systems Instructor and author.
Anthony formally began his career in the information technology industry with IBM in Tampa, Florida. He quickly formed his own computer consultancy, Computer Solutions, and then discovered his true passion: teaching and writing about Microsoft and Cisco technologies. Anthony joined Mastering Computers and lectured to massive audiences around the world about the latest in computer technologies. Mastering Computers became the revolutionary online training company KnowledgeNet, and Anthony trained there for many years. He also has a master of science degree in Information Technology with a focus in Network Architecture and Design, a master of science degree in Organizational Management, a master's certificate in Network Security, a bachelor of science degree in Computer Networking, and an associate degree in Applied Science in Computer Information Systems.
Symmetric Encryption Algorithms
DES best practices include the following:
- Use a secure channel to communicate the DES key from the sender to the receiver.
AES is more suitable for high-throughput environments. Both block length and key length can be extended easily in multiples of 32 bits. This provides nine different combinations of key length and block length.
SEAL encryption uses a bit encryption key and has less impact on the CPU compared to other software-based algorithms. Restrictions for SEAL include the following:
- This feature is available only on Cisco equipment.
- The Cisco router and the other peer must support the k9 subsystem.

Rivest Ciphers
Widely used RC algorithms include the following:
- A fast block cipher that has variable block size and variable key size.
- RC6: A block cipher designed by Rivest.

Hashing
Cisco IOS routers use hashing with secret keys to add authentication information to routing protocol updates. Hashing can also be used in a feedback-like mode to encrypt data: the input is a data block plus a feedback of previous blocks. Best practices include the following:
- Consider using MD5 only if speed is an issue.
- Protect HMAC secret keys.

MD5
MD5 is a one-way function that makes it easy to compute a hash from the given input data but makes it unfeasible to compute input data given only a hash. The message length is also encoded into the digest. The output of the algorithm is a set of four bit blocks. The bit blocks are divided into 16 bit sub-blocks. These blocks are then rearranged with simple operations in a main loop.
The algorithm is slightly slower than MD5. There are also

Digital Signatures
A user wants to sign some data. The user uses a signature algorithm with a personal signature key. Based on the input data and a signature key. The sending device attaches the digital signature to the message and sends the message to the receiver. The receiving device inputs the message. If the check is successful. Cisco products use digital signatures for entity authentication. Some of the service-provider-oriented voice management protocols use digital signatures to authenticate the involved parties.

RSA
The RSA algorithm is based on the fact that each entity has two keys. The public key can be published. RSA is mainly used for two services: User A transmits the encrypted message. User B uses his private key to decrypt.

PKI
This binds the name of the security entity with its public key. It provides the following in the network: The standard has been widely used with many Internet applications. Two important PKI terms follow:
- The trusted third party that signs the public keys of entities in a PKI-based system.
- A document that has been signed by the CA.
The CA may be a single entity.

IPsec Overview
IPsec has many advantages. IPsec is extremely scalable. Security is provided at the network layer. IPsec features two main framework protocols.
- Tunnel mode: Encapsulates the original IP header and creates a new IP header that is sent unencrypted across the untrusted network.
- Transport mode: Protects the payload of the packet but leaves the original IP address in the clear. Security is provided only for the transport layer and above.

IKE
An IKE session begins with one computer sending a proposal to another computer. The negotiation of the shared policy determines how the IPsec tunnel is established. Additional service negotiations occur in IKE Phase 1.
- Aggressive mode: Two IPsec peers perform the initial negotiation of SAs.
- IKE Phase 2 (quick mode): Similar to aggressive mode IKE negotiation.

Site-to-Site VPNs
Operations: VPN negotiation occurs as follows:
- After the peers are authenticated.
- The IPsec tunnel is created.
Configuration steps include the following:
- Ensure that existing access lists are compatible with IPsec.
- Create a crypto ACL.
- Apply the crypto map to the outgoing interface of the VPN device.
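The following Cisco IOS configuration is an added example, not taken from the book, that carries the site-to-site steps above through on a hypothetical router R1. The ISAKMP policy and transform set are assumed because the page does not list those steps; the addresses, names and the pre-shared key placeholder are constructed.

```cisco
! Hypothetical router R1 (constructed example). Outside address 192.0.2.1,
! protected LAN 10.1.1.0/24; peer R2 at 198.51.100.1 protects 10.2.2.0/24.
!
! Global hardening: drop source-routed packets (see the IP spoofing notes on this page)
no ip source-route
!
! Step 1: make sure the existing inbound ACL on the outside interface
! permits IKE (UDP 500), NAT-T (UDP 4500), ESP and AH from the peer.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
 permit udp host 198.51.100.1 host 192.0.2.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 192.0.2.1
 permit ahp host 198.51.100.1 host 192.0.2.1
 ! (other existing permit entries go here)
 deny   ip any any log
!
! IKE Phase 1 policy (assumed; the page does not show this step)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
! IKE Phase 2 transform set, tunnel mode (assumed; not shown on the page)
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 2: the crypto ACL selects the interesting traffic to encrypt
ip access-list extended CRYPTO-ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 3: the crypto map ties peer, transform set and crypto ACL together ...
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256
 match address CRYPTO-ACL
!
! ... and is applied to the outgoing (outside) interface
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map CMAP
```

After interesting traffic is sent, show crypto isakmp sa and show crypto ipsec sa confirm that the Phase 1 and Phase 2 SAs came up.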
The final configuration step is to create and apply a crypto map.

Intrusion Prevention Versus Intrusion Detection
Intrusion detection is powerful in that you can be notified when potential problems or attacks are introduced into your network. This action might be to alert the network administrator via an automated notification. Detection cannot prevent these attacks from occurring, because it operates on copies of packets. Sensors operating using intrusion detection run in promiscuous mode.
Intrusion prevention is more powerful in that potential threats and attacks can be stopped from entering your network. Prevention is possible because the sensor operates inline with packet flows.
You might add this powerful tool to your network via a dedicated hardware appliance known as a sensor. However you decide to implement the technology.

IPS Terminology
There are two types of false alarms:
- False positive: An alert has been triggered. This type of traffic is often referred to as benign traffic.
- False negative: Attack traffic does not trigger an alert on the IPS device. This is often viewed as the worst type of false alarm.
Both are unwanted.
- True positive: An attack was recognized and responded to by the IPS device.
- True negative: Nonoffending or benign traffic did not trigger an alarm.
Both true positives and true negatives are wanted.
- Vulnerability: A weakness that compromises the security or functionality of a particular system in your network. An example of a vulnerability is a web form on your public website that does not adequately filter inputs and guard against improper data entry. An attacker might enter invalid characters in an attempt to corrupt the underlying database.
- Exploit: A mechanism designed to take advantage of vulnerabilities that exist in your systems.

Promiscuous Mode Versus Inline Mode
In promiscuous mode, a device (often a switch) captures traffic for the sensor and forwards a copy for analysis to the sensor. Because the device works with a copy of the traffic. Figure shows an example of a promiscuous mode IDS implementation.
If a Cisco IPS device operates in inline mode. This is because the IPS device is in the actual traffic path. This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet). It can detect an attack and send an alert and take other actions. This pair of interfaces acts as a transparent Layer 2 structure that can drop an attack that fires a signature. Figure shows an example of inline mode IPS.
This is an example of an inline configuration in which only intrusion detection is performed. This enables one segment to be monitored for intrusion detection only.
IPS Detection Approaches
Although Cisco uses a blend of detection and prevention technologies. This section describes these various approaches.
- Signature-based: This type of approach is also known as pattern matching. Signature-based focuses on stopping common attacks. Cisco releases signatures that are added to the device that identify a pattern that the most common attacks present. As different types of attacks are created.
- Anomaly-based: Because it can be so difficult to define what is normal activity for a given network. The two common types of anomaly-based IPS are statistical anomaly detection and nonstatistical. The statistical approach learns about the traffic patterns on the network.
- Policy-based: With this type of technology. Alarms are triggered if activities are detected that violate the security policy coded by the organization. This is much less prone to false positives and ensures that IPS devices are stopping common threats.

IPS Evasion Techniques
- String match: In this type of attack. Obfuscation is one way in which control characters. Another string match type of evasive technique is to just change the case of the string. Most signatures examine rather common settings.
- Session: In this type of attack. You can use TCP segment reassembly to combat this evasive measure.
- Fragmentation: With this evasive measure. Fragmentation adds a layer of complexity for the sensor. Because this method of foiling the IPS device exists.
- Encryption-based: This is an effective means to have attacks enter the network. The attacker sends the attack via an encrypted session. The encrypted attack cannot be detected by the IPS device.
- Evasion: With this type of evasive technique. Unlike the insertion attack. With this evasive procedure. The end system ignores the harmless data and processes only the attack data. The IPS sensor does not fire an alert based on the harmless data.
- Resource exhaustion: Another evasive approach is to just overwhelm the sensor.

Cisco IPS Version 6 Features
- Anomaly detection: Designed to detect worm-infested hosts.
- New and improved GUI for management.
- Enhanced password recovery: Password recovery no longer requires reimaging.
- Improved risk rating: The risk rating helps with alerts and is now based on many different components to improve the performance and operation of the sensor.
- Allowing different policies for different segments monitored by a single sensor.
- New signature engines.
- External product interface: Enables sensors to subscribe for events from other devices.
IPS Design Considerations
Important issues in an IPS design include the following:
- Size and complexity.
- Virtualization: Will multiple virtual sensors be created in the sensor?
- Your management and monitoring options: The number of sensors often dictates the level of management you need.
- Sensor placement: Locations that generally need to be protected include the following:
  - Sensor between your perimeter gateway and the Internet
  - Extranet: Between your network and extranet connection
  - Internal: Between internal data centers
  - Remote access: Hardens perimeter control
  - Server farm:
This solution does not require additional hardware sensors. It complements network IPS by protecting the integrity of applications and operating systems. Because the sensor is analyzing network traffic. The components include the following:

Endpoint Security Overview
The Cisco strategy for addressing host security is based on three broad elements:
- Cisco Security Agent: Protects endpoints against threats posed by viruses.
- Cisco NAC: Ensures that every endpoint complies with network security policies before being granted access to the network.
- Network infection containment: Containment focuses on automating key elements of the infection response process.
This section details the Cisco approach to this important security area.
The following techniques help protect an endpoint from operating system vulnerabilities:
- A process should never be given more privilege than is necessary to perform a job.
- Isolation between processes: An operating system should provide isolation between processes.
- An access control concept that refers to a mechanism that mediates all access to operating system and application objects.

Worm Attacks
A worm attack consists of the following:
- Penetrate phase: Exploit code is transferred to the vulnerable target.
- Persist phase: The code tries to persist on the target system.
- Propagate phase: Extends the attack to other targets.
- Paralyze phase: Actual damage is done to the system.
Buffer overflows are used to root a system or to cause a DoS attack. Rooting a system is hacking a system so that the attacker has root privileges.
IronPort
The following are the security appliance products that IronPort offers:
- E-mail security appliances
- IronPort S-Series: Web security appliance
- IronPort M-Series: Security management appliance

Cisco NAC
Cisco NAC products are designed to allow only authorized and compliant systems to access the network and to enforce network security policy.
- Client software that facilitates network admission
- Rule-set updates: Automatic updates

Cisco Security Agent
This product consists of the following:

SAN Security
Overview: A storage-area network (SAN) is a specialized network that enables fast. Cisco solutions for intelligent SANs provide a better way to access. Gigabit Ethernet. This topic is explored in this section.
Logical Unit Number Masking: In computer storage. LUN masking is an authorization process that makes a LUN available to some hosts and unavailable to others. If a SAN contains several storage devices.
VSANs and Zoning: You can partition ports within a single switch into multiple VSANs. Zoning can use WWNs to assign security permissions. Zoning can also use name servers in the switches to either allow or block access to particular WWNs in the fabric.

Voice Security
Overview: You can find the following components in the VoIP network:
- Call agents: Replace many of the features previously provided by PBXs
- Gateways: Can forward calls between different types of networks
- Gatekeepers: Useful for conference calling
- Application servers: Offer additional services such as voice mail
- Videoconference stations:
Originally developed by Cisco.
- Media Gateway Control Protocol enables a client (for example.
- Session Initiation Protocol is a popular protocol to use in mixed-vendor environments.
- Skinny Client Control Protocol is a Cisco-proprietary signaling protocol.
- Real-time Transport Protocol carries the voice payload.
This section details this technology and lists important related security topics.
Common Voice Security Issues: Common attacks include the following: Security appliances.

Mitigating Layer 2 Attacks
Layer 2 is often omitted from security practices. This section details many important security practices you must follow:
- Set user ports to nontrunking.
- Use port security. Figure shows an example of port security configurations. To enable the feature and configure options. Please see page 89 for more details.
- Use a dedicated VLAN for trunks.
- Do not use VLAN 1.
- Disable unused ports.
- Disable unneeded services.
- Disable gratuitous ARP.
- Copy frames to a destination port for analysis.
- Storm control: Prevents an excess of unicast.

STP Protections
Consider the following protection mechanisms:
- Ensures that bridges plugged into PortFast ports do not cause a temporary Layer 2 loop.
- Root Guard: Denies a new root switch from being elected in the topology from an unauthorized port.
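The following Cisco IOS switch configuration is an added example, not from the book, that applies the Layer 2 and STP protections listed above on a hypothetical access switch; interface numbers, VLAN IDs and storm-control thresholds are assumptions. The PortFast protection described above is BPDU Guard on Cisco IOS, and the "copy frames to a destination port" item is shown as a SPAN session feeding a promiscuous-mode sensor.

```cisco
! Hypothetical Cisco IOS access switch (constructed example).
!
! Do not use VLAN 1 for users; keep dedicated VLANs for the trunk native
! VLAN and for parking unused ports.
vlan 10
 name USERS
vlan 998
 name BLACKHOLE
vlan 999
 name NATIVE-UNUSED
!
! Disable gratuitous ARP processing; enable BPDU Guard on every PortFast port
no ip gratuitous-arps
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! User port: nontrunking, port security with sticky MACs, PortFast,
! storm control, and CDP (a service users do not need) switched off
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 storm-control unicast level 80.00
 storm-control action trap
 no cdp enable
!
! Uplink trunk: dedicated native VLAN, no DTP negotiation, only needed VLANs
! (some platforms also require "switchport trunk encapsulation dot1q" first)
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,999
 switchport nonegotiate
!
! Port toward a downstream switch that must never become root: Root Guard
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,999
 switchport nonegotiate
 spanning-tree guard root
!
! Unused ports: parked in the blackhole VLAN and shut down
interface range GigabitEthernet0/10 - 22
 switchport mode access
 switchport access vlan 998
 shutdown
!
! SPAN: copy user-VLAN frames to the port where a promiscuous-mode IDS sensor listens
monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet0/2
```

show port-security interface GigabitEthernet0/1 and show spanning-tree inconsistentports confirm that violations and root-guard blocks are being caught.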
This section also examines the different types of attacks that modern networks can experience. Network threats include internal and external threats. Internal threats are the most serious. These threats often occur because best practices are not followed; for example, blank or default passwords are used, or in-house developers use insecure programming practices. External threats typically rely on technical methods to attack the network. Firewalls, routers with access control lists (ACLs), intrusion prevention systems (IPSs), and other methods are the focus.
Powerful methods to ensure confidentiality are encryption and access controls. Integrity ensures that data has not been changed by an unauthorized individual. Availability ensures that access to the data is uninterrupted. Denial-of-service (DoS) attacks attempt to compromise data availability. These attacks typically try to fail a system using an unexpected condition or input, or to fail an entire network with a large quantity of information.
Assets, Vulnerabilities, and Threats
Assets are anything of value to the organization. Not all assets have the same value. An organization must classify its assets. A vulnerability is a weakness in a system or a design that might be exploited. Common categories include policy flaws, protocol weaknesses, and software vulnerabilities. A threat is a potential danger to information or systems. A countermeasure is a safeguard that mitigates potential risks.
Countermeasures are typically administrative, technical, and physical controls. Information security risk is the measure of the impact of threat vectors exploiting the vulnerabilities of the assets you must protect.

Data Classification
- Age: With time, the sensitivity of data typically decreases.
- Useful life: Information can be made obsolete with newer information.
- Personal association: The data is associated with sensitive issues or individuals.
Classification roles include the following:
- Owner
- Custodian: Responsible for the day-to-day management of the data
- User
Pearson Education, Inc.

Technical controls involve electronics, hardware, and software. Physical controls are mostly mechanical. Controls are categorized as preventative, deterrent, or detective.

Responses
Investigators must prove motive, opportunity, and means. The system should not be shut down or rebooted before the investigation begins.
Laws and Ethics
Security policy must attempt to follow criminal, civil, and administrative law. Ethics refer to values that are even higher than the law.

Network Attack Methodologies
You must understand the common types of attacks that a network can experience. Studying these attacks is the first step in defending against them. A risk is the likelihood that a specific attack will exploit a particular vulnerability of a system. An exploit happens when computer code is developed to take advantage of a vulnerability.
The main vulnerabilities of systems are categorized as follows:
- Design errors
- Protocol weaknesses
- Software vulnerabilities
- Misconfiguration
- Hostile code
- Human factor
Potential adversaries can include the following:
- Nations or states
- Terrorists
- Criminals
- Hackers
- Corporate competitors
- Disgruntled employees
- Government agencies
- Crackers (criminal hackers): Hackers with a criminal intent to harm information systems.
- Phreakers (phone breakers): Individuals who compromise telephone systems.
- Script kiddies: Individuals with a low skill level. They do not write their own code. Instead, they run scripts written by other, more skilled attackers.
- Hacktivists: Individuals who have a political agenda in doing their work.
- Academic hackers: People who enjoy designing software and building programs with a sense for aesthetics and playful cleverness.
- Hobby hackers: Focus mainly on computer and video games, software cracking, and the modification of computer hardware and other electronic devices.

How Does a Hacker Usually Think?
1. Perform footprint analysis (reconnaissance).
2. Enumerate applications and operating systems.
3. Manipulate users to gain access.
4. Escalate privileges.
5. Gather additional passwords and secrets.
6. Install back doors.
7. Leverage the compromised system.

Recommended defensive practices include the following:
- Defend the enclave boundaries.
- Defend the computing environment.
- Build layered defenses.
- Use robust components.
- Use robust key management.

Enumeration and Fingerprinting
Ping sweeps and port scans are common practices to identify all devices and services on the network. These reconnaissance attacks are typically the first steps in a much larger, more damaging attack.

IP Spoofing
IP spoofing refers to forging the source address information of a packet so that the packet appears to come from some other host in the network.
IP spoofing is often the first step in the abuse of a network service or in a DoS type of attack. In IP spoofing, the attacker sends messages to a computer with an IP address that indicates the message is coming from a trusted host. Hackers can guess or predict the TCP sequence numbers that are used to construct a TCP packet without receiving any responses from the server. Their prediction allows them to spoof a trusted host on a local network.
- Blind spoofing: The attacker sends several packets to the target machine to sample sequence numbers and then predicts them for the attack.
Spoof attacks are often combined with IP source-routing options set in packets. Source routing is the capability of the source to specify within the IP header a full routing path between endpoints. Cisco IOS routers drop all source-routed packets if the no ip source-route global command is configured.

Man-in-the-Middle Attacks
Figure shows a man-in-the-middle attack. An attacker sniffs to identify the client and server IP addresses and relative port numbers. The attacker waits to receive an ACK packet from the client communicating with the server. The ACK packet contains the sequence number of the next packet that the client expects.