Professional Documents
Culture Documents
Cisco Public
BRKCRT-1104
BRKCRT-1104 14381_04_2008_c1
Cisco Public
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Disclaimer
Do not repeat the exercises demonstrated during this presentation on any network for which you do not have complete authorization to do so. The demonstrations are carried out on an isolated network within the Global Knowledge remote labs environment. Practicing similar exercises outside of this environment requires many considerations including, but not limited to:
1. Many organizations have security policies explicitly forbidding the use of these types of tools on the their networks. Job termination and/or criminal prosecution may be the penalty. Often these types of tools are distributed with hidden malware. By installing such tools you may unknowingly also be installing keystroke loggers, back doors, or other types of malware. Use of these types of tools with targets that are owned by other entities may violate local, state and/or federal laws.
2.
3.
BRKCRT-1104 14381_04_2008_c1
Cisco Public
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Attack
Attack
Anywhere
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Everywhere
8
BRKCRT-1104 14381_04_2008_c1
Cisco Public
10
fingerd
Buffer overflowfingerd expected a max of 512 bytes of input, but didnt verify Vulnerability in both target OS, but exploit was only written to BSD on the DEC VAX
rsh/rexec
Checked the local .rhosts and /etc/hosts.equiv files for trust relationships Needed to crack username/password Tried common combinations for the password, such as username, first name, last name and last name + firstname. If those attempts failed, it used /usr/dict/words and tried every word in the dictionary
BRKCRT-1104 14381_04_2008_c1
Cisco Public
11
BRKCRT-1104 14381_04_2008_c1
Cisco Public
12
BRKCRT-1104 14381_04_2008_c1
Cisco Public
13
Smurf Attack
Attacker
ICMP ECHO Replies 200.1.1.1
Target
171.1.0.0/16
Intermediaries
Cisco Public
14
BRKCRT-1104 14381_04_2008_c1
Cisco Public
15
Zombie
OR
Target
Target
2)
Zombie
Zombie
3)
Attacker
IPID Probe TCP SYN ACK Packet Response: IPID = n+1 TCP RST Packet
Zombie
Attacker
IPID Probe TCP SYN ACK Packet Response: IPID = n+2 TCP RST Packet
Zombie
BRKCRT-1104 14381_04_2008_c1
Cisco Public
16
Demonstration Topology
Perimeter Router
150.150.1.0/24
Outside-PC 150.150.1.20 pc.outside.net
.2
.1 (10) 100.100.1.0/30
time.nist.gov 192.43.244.18
.1
2K
.1
DMZ Subnet 172.16.1.0/24
(2)
Outside Perimeter 200.200.1.0/24
(11)
INTERNET
200.200.20.2 200.200.30.2
2K .1
DMZ-Srv 172.16.1.15 NAT: 200.200.1.15 www.gkl.com
.2
(3) .1
IOS-FW
.1
10.10.0.0/24 Inside Perimeter
.1 10.20.20.0/24 (13) XP
(4) 2K3
Security-Srv 10.10.2.10
.2
L3-Switch
.1 .1
Management Subnet(6) 10.10.2.0/24 10.10.1.0/24 Data Center Subnet (5)
.1
10.10.10.0/24 End User Subnet
Site1-PC 10.20.20.10
(7) XP
Admin-PC 10.10.10.10
XP
User-PC 10.10.10.20
XP
Site2-PC 10.30.30.10
2K3
Data-Srv 10.10.1.10
BRKCRT-1104 14381_04_2008_c1
17
BRKCRT-1104 14381_04_2008_c1
Cisco Public
18
A
A C B IP 10.1.1.1 MAC B.B.B.B
19
BRKCRT-1104 14381_04_2008_c1
Cisco Public
20
10
BRKCRT-1104 14381_04_2008_c1
Cisco Public
21
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
22
11
BRKCRT-1104 14381_04_2008_c1
Cisco Public
23
Disposition
Security Policy
Implementation
BRKCRT-1104 14381_04_2008_c1
Cisco Public
24
12
Security Policy
Business Needs Risk Analysis
Security Policy
Policies, Guidelines, Standards
Security System
Security Operations
Incident Response, Monitor and maintenance, Compliance Audit
BRKCRT-1104 14381_04_2008_c1
Cisco Public
25
Reading List
SANS Security Policy Project:
http://www.sans.org/resources/policies/
26
13
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
27
Why:
Confidentiality, privacy, encryption, Origin Authentication Data Integrity
BRKCRT-1104 14381_04_2008_c1
Cisco Public
28
14
Examples:
MD5128 bit output SHA1160 bit output
BRKCRT-1104 14381_04_2008_c1
Cisco Public
29
Receiver
Received message Shared secret key
Hash function
Hash function
2
4ehIDx67NMop9
Message + hash
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
30
15
enable secret password Hashes the password in the router configuration file Uses a strong hashing algorithm based on MD5 Boston(config)# enable secret Curium2006
Boston# show running-config ! Salt Hash hostname Boston Phrase Value ! no logging console enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ !
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
31
BRKCRT-1104 14381_04_2008_c1
Cisco Public
32
16
What Is Encryption?
Encryption is the conversion of plain text into cipher text using a pre-determined algorithm Generally the cipher text is the same length as the plain text Often a key is used to generate a cipher text from an algorithm for a particular plain text
cisco
plaintext Encrypt
!@$!&
ciphertext
!@$!&
ciphertext
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved.
Decrypt
cisco
plaintext
Cisco Public
33
BRKCRT-1104 14381_04_2008_c1
Cisco Public
34
17
Sender and receiver must share a secret key Usual key length of 40-256 bits DES, 3DES, AES, RC2/4/5/6, IDEA
BRKCRT-1104 14381_04_2008_c1
Cisco Public
35
BRKCRT-1104 14381_04_2008_c1
Cisco Public
36
18
Cisco Public
37
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
38
19
What Is AAA ?
AAA provides a method to control and configure these three independent security functions:
AuthenticationProvides the method of identifying users and who are allowed for access. It includes traditional username and password dialog and more secure methods (like CHAP and OTP)
AuthorizationProvides a method for controlling which services or devices the authenticated user has access to.
AccountingProvides the method for collecting and sending security server information used for billing, auditing, and reporting.
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
39
Implementing AAA
Using the Local Database:
Usernames defined in the configuration Privilege levels defined in the configuration Role-Based CLI defined in the configuration
BRKCRT-1104 14381_04_2008_c1
Cisco Public
40
20
TACACS+
TACACS+ uses TCP TACACS+ encrypts the entire body of the packet; more secure TACACS+ uses the AAA architecture, which separates authentication, authorization and accounting Cisco developed; submitted to IETF, but declined TACACS+ offers multiprotocol support. TACACS+ provides authorization control of router commands
TACACS+ is recommended as the protocol suitable for controlling administrative access by IT staff to Cisco devices themselves.
41
Cisco Secure ACS for Windows (IINS class uses ACS v4.1)
BRKCRT-1104 14381_04_2008_c1
Cisco Public
42
21
! tacacs-server host 10.0.1.11 key Secretf0rAcs ! line vty 0 4 login authentication TACACS_ONLY
BRKCRT-1104 14381_04_2008_c1
Cisco Public
43
AAA
Adding TACACS+ Server Using SDM
BRKCRT-1104 14381_04_2008_c1
Cisco Public
44
22
AAA
Login Authentication Method List
BRKCRT-1104 14381_04_2008_c1
Cisco Public
45
AAA
BRKCRT-1104 14381_04_2008_c1
Cisco Public
46
23
AAA
BRKCRT-1104 14381_04_2008_c1
Cisco Public
47
Group Setup
48
24
BRKCRT-1104 14381_04_2008_c1
Cisco Public
49
50
25
Demo: SSH
IOS-FW#debug ip ssh Incoming SSH debugging is on IOS-FW# *Apr 4 02:45:30.991: SSH3: starting SSH control process *Apr 4 02:45:30.991: SSH3: sent protocol version id SSH-1.99-Cisco-1.25 *Apr 4 02:45:31.011: SSH3: protocol version id is - SSH-1.5-PuTTY_Release_0.58 *Apr 4 02:45:31.015: SSH3: SSH_SMSG_PUBLIC_KEY msg *Apr 4 02:45:31.019: SSH3: SSH_CMSG_SESSION_KEY msg - length 144, type 0x03 *Apr 4 02:45:31.019: SSH: RSA decrypt started *Apr 4 02:45:31.143: SSH: RSA decrypt finished *Apr 4 02:45:31.143: SSH: RSA decrypt started *Apr 4 02:45:31.207: SSH: RSA decrypt finished *Apr 4 02:45:31.211: SSH3: sending encryption confirmation *Apr 4 02:45:31.211: SSH3: keys exchanged and encryption on *Apr 4 02:45:35.119: SSH3: SSH_CMSG_USER message received *Apr 4 02:45:35.119: SSH3: authentication request for userid admin *Apr 4 02:45:35.127: SSH3: SSH_SMSG_FAILURE message sent *Apr 4 02:45:47.695: SSH3: SSH_CMSG_AUTH_PASSWORD message received *Apr 4 02:45:52.703: SSH3: authentication successful for admin *Apr 4 02:45:52.703: SSH3: requesting TTY *Apr 4 02:45:52.703: SSH3: setting TTY - requested: length 24, width 80; set: length 24, width 80 *Apr 4 02:45:52.707: SSH3: SSH_CMSG_EXEC_SHELL message received *Apr 4 02:45:52.707: SSH3: starting shell for vty
BRKCRT-1104 14381_04_2008_c1
Cisco Public
51
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
52
26
What Is a Firewall?
A firewall is a system or group of systems that enforce an access control policy between two networks Three basic classes of firewalls include:
Packet Filters Proxy Servers Stateful Firewalls
BRKCRT-1104 14381_04_2008_c1
Cisco Public
53
Packet Filtering
Packet filtering limits packets into a network based on the destination and source addresses, ports, and other flags compiled in an ACL
BRKCRT-1104 14381_04_2008_c1
Cisco Public
54
27
Checks for ACK or RST, with no knowledge of previous flow Is the reply really in response to an echo? Was this really requested in a valid FTP control channel? Might someone spoof time.nist.govs IP address?
55
BRKCRT-1104 14381_04_2008_c1
Cisco Public
56
28
internet
inside
10.0.1.12/24
Fa0/0
outside
Attacker
BRKCRT-1104 14381_04_2008_c1
Cisco Public
57
58
29
Zone-Based Policy introduces a new firewall configuration model Policies are applied to traffic moving between zones, not interfaces A zone is a collection of interfaces
BRKCRT-1104 14381_04_2008_c1
Cisco Public
59
E2
S4
E0
E1
BRKCRT-1104 14381_04_2008_c1
Cisco Public
60
30
61
BRKCRT-1104 14381_04_2008_c1
Cisco Public
62
31
BRKCRT-1104 14381_04_2008_c1
Cisco Public
63
Drop
Analogous to deny
Pass
Analogous to permit No stateful capability
BRKCRT-1104 14381_04_2008_c1
Cisco Public
64
32
BRKCRT-1104 14381_04_2008_c1
Cisco Public
65
Define the list of services in the firewall policy Apply action (inspect = stateful inspection) Configure Zones Assign Interfaces to Zones Apply inspection from private to public zones
BRKCRT-1104 14381_04_2008_c1
Cisco Public
66
33
BRKCRT-1104 14381_04_2008_c1
Cisco Public
67
BRKCRT-1104 14381_04_2008_c1
Cisco Public
68
34
BRKCRT-1104 14381_04_2008_c1
Cisco Public
69
BRKCRT-1104 14381_04_2008_c1
Cisco Public
70
35
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
71
The Problem
Site A Internet Site B
The hosts on the Site A and Site B networks use legacy, insecure protocols such as SMTP, POP, HTTP and Telnet This is OK for intra-site communications on the protected internal networks It is not acceptable across the Internet Changing the protocols used by the hosts is not an option, so you need the routers to use VPN technology to protect data transmitted between the sites
2008 Cisco Systems, Inc. All rights reserved. Cisco Public
BRKCRT-1104 14381_04_2008_c1
72
36
BRKCRT-1104 14381_04_2008_c1
Cisco Public
73
BRKCRT-1104 14381_04_2008_c1
Cisco Public
74
37
Site A
Internet
IPSec SA IPSec SA
Site B
Two-Phase protocol:
Phase 1 exchange: two peers establish a secure, authenticated channel for IKE communications
Main mode or aggressive mode accomplishes a phase 1 exchange
Phase 2 exchange: security associations are negotiated on behalf of IPSec services. Quick mode accomplishes a phase II exchange
Each phase has its SAs: ISAKMP SA (Phase 1) and IPSec SA (Phase 2)
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
75
76
38
DH Exchange
Alice
Private Value, XA Public Value, YA Private Value, XB Public Value, YB
Bob
YA =g
XA
mod p
YA YB
YB = g
XB
mod p
YB mod p = zz
(Alice calculated)
XA XB
XA
YA
XB
mod p = zz
(Bob calculated)
zz = shared secret = g
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
mod p
77
HMAC-MD5 HMAC-SHA Only the IKE authenticated peer can use the negotiated keys Sequence no. & Sliding window
BRKCRT-1104 14381_04_2008_c1
78
39
ESP header
Original IP header
IP payload encrypted
Integrity checked
ESP header
BRKCRT-1104 14381_04_2008_c1
Cisco Public
79
10.1.1.3
10.2.2.3
1. 2.
Host A sends interesting traffic to Host B. Routers A and B negotiate an IKE Phase 1 session.
IKE SA
3.
IKE Phase 1
IKE SA
IPSec SA
4.
IKE Phase 2
IPSec SA
5.
BRKCRT-1104 14381_04_2008_c1
Cisco Public
80
40
BRKCRT-1104 14381_04_2008_c1
Cisco Public
81
1. 2. 3. 4. 5.
BRKCRT-1104 14381_04_2008_c1
Enter the configuration page. Choose the VPN page. Choose the desired VPN wizard (VPN type). Choose the VPN implementation subtype. Start the wizard.
Cisco Public
82
41
Quick Setup
BRKCRT-1104 14381_04_2008_c1
Cisco Public
83
R6
10.0.6.0
Site 2
Internet
10.0.1.12
R1# show running -config
172.30.1.2
172.30.6.2
10.0.6.12
crypto isakmp policy 110 encr 3des hash md5 authentication pre -share group 2 lifetime 36000 crypto isakmp key cisco1234 address 172.30.6.2 ! crypto ipsec transform -set SNRS esp -des ! crypto map SNRS -MAP 10 ipsec -isakmp set peer 172.30.6.2 set transform -set SNRS match address 101 ! interface Ethernet 0/1 ip address 172.30.1.2 255.255.255.0 crypto map SNRS -MAP ! access-list 102 permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
BRKCRT-1104 14381_04_2008_c1
Cisco Public
84
42
BRKCRT-1104 14381_04_2008_c1
Cisco Public
85
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
86
43
Agent
Agent
Agent
Untrusted Network
Inline Sensor
Agent Agent Agent Agent
SMTP Server
Agent
Agent
Web Server
DNS Server
BRKCRT-1104 14381_04_2008_c1
Cisco Public
87
BRKCRT-1104 14381_04_2008_c1
Cisco Public
88
44
BRKCRT-1104 14381_04_2008_c1
Cisco Public
89
Alarm
Syslog
Syslog Server
BRKCRT-1104 14381_04_2008_c1
Cisco Public
90
45
Signature Micro-Engines
Cisco IPS relies on signature micro-engines to support IPS signatures
All the signatures in a signature micro-engine are scanned in parallel
BRKCRT-1104 14381_04_2008_c1
Cisco Public
91
Step 2: Select one of the two recommended signature categories (list of signatures): IOS-Basic or IOS-Advanced Step 3: Use IOS CLI or SDM 2.4 to customize your signature list:
Select additional signatures as desired Delete signatures not relevant to the applications youre running Tune actions of individual signatures (e.g., add drop action) as desired Test your custom signature set in a lab setting before actual deployment
BRKCRT-1104 14381_04_2008_c1
Cisco Public
92
46
BRKCRT-1104 14381_04_2008_c1
Cisco Public
93
BRKCRT-1104 14381_04_2008_c1
Cisco Public
94
47
BRKCRT-1104 14381_04_2008_c1
Cisco Public
95
48
BRKCRT-1104 14381_04_2008_c1
Cisco Public
97
BRKCRT-1104 14381_04_2008_c1
Cisco Public
98
49
BRKCRT-1104 14381_04_2008_c1
Cisco Public
99
With IOS IPS enabled, the router detects a suspiciously long user name field in the FTP control stream. The shell connection is not successful, and the event is logged.
msf [*] [*] [*] msf 3com_3cdaemon_ftp_overflow(win32_reverse) > exploit Starting Reverse Handler. Attempting to exploit Windows 2000 English Exiting Reverse Handler. 3com_3cdaemon_ftp_overflow(win32_reverse) >
BRKCRT-1104 14381_04_2008_c1
Cisco Public
100
50
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
101
Why Be Concerned?
If one layer is hacked, communications are compromised without the other layers being aware of the problem. Security is only as strong as your weakest link. When it comes to networking, Layer 2 can be a very weak link.
Application Presentation Session Transport Network Data Link Physical
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Application Stream
Compromised
Protocols and Ports IP Addresses Initial Compromise MAC Addresses Physical Links
51
Port 0/1 allows MAC A Port 0/2 allows MAC B Port 0/3 allows MAC C
MAC F
Attacker 1
BRKCRT-1104 14381_04_2008_c1
Attacker 2
2008 Cisco Systems, Inc. All rights reserved. Cisco Public
103
switchport mode access switchport port-security switchport port-security maximum value switchport port-security violation {protect | restrict | shutdown} switchport port-security mac-address mac-address switchport port-security mac-address sticky switchport port-security aging {static | time time | type {absolute | inactivity}}
BRKCRT-1104 14381_04_2008_c1
Cisco Public
104
52
STP Manipulation
Root Bridge Priority = 8192 MAC Address= 0000.00C0.1234
F F F
ST Pr P BP ior ity DU =0
BRKCRT-1104 14381_04_2008_c1
BPDU Guard
Root Bridge
Switch(config)#
BRKCRT-1104 14381_04_2008_c1
U PD 0 PB = ST iority Pr
Attacker
Root Bridge
Cisco Public
105
F F
B
BPDU Guard Enabled
Attacker
STP BPDU
Globally enables BPDU guard on all ports which have portfast enabled
2008 Cisco Systems, Inc. All rights reserved. Cisco Public
106
53
Root Guard
F F
F
Root Guard Enabled
Attacker Switch(config-if)#
Cisco Public
107
VLAN 10
k un Tr
Q 2.1 80
Server
Server
BRKCRT-1104 14381_04_2008_c1
Cisco Public
108
54
The first switch strips off the first tag and sends it back out.
Attacker on VLAN 10
20
802.1Q, Frame
3
Fra m e
Note: This attack works only if the trunk has the same native VLAN as the attacker.
The attacker sends double-encapsulated 802.1Q frames. The switch performs only one level of decapsulation. Only unidirectional traffic is passed. The attack works even if the trunk ports are set to off.
Note: There is no way to execute these attacks unless the switch is misconfigured.
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
109
BRKCRT-1104 14381_04_2008_c1
Cisco Public
110
55
A
A C B IP 10.1.1.1 MAC B.B.B.B
111
BRKCRT-1104 14381_04_2008_c1
Cisco Public
112
56
BRKCRT-1104 14381_04_2008_c1
Cisco Public
113
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
114
57
BRKCRT-1104 14381_04_2008_c1
Cisco Public
115
BRKCRT-1104 14381_04_2008_c1
Cisco Public
116
58
BRKCRT-1104 14381_04_2008_c1
Cisco Public
117
BRKCRT-1104 14381_04_2008_c1
Cisco Public
118
59
! aaa new-model ! aaa authentication login name tacacs+ ! tacacs-server host 10.0.1.1 tacacs-server key Secretf0rAcs ! line vty 0 5 login authentication name ! A. B. C. D.
BRKCRT-1104 14381_04_2008_c1
aaa authentication login default tacacs+ local aaa authentication login default local adding the local option after aaa authentication login name tacacs+ adding the default option after login authentication name in the vty config mode
2008 Cisco Systems, Inc. All rights reserved. Cisco Public
119
BRKCRT-1104 14381_04_2008_c1
Cisco Public
120
60
BRKCRT-1104 14381_04_2008_c1
Cisco Public
121
BRKCRT-1104 14381_04_2008_c1
Cisco Public
122
61
Referring to the IPSec transform set configuration shown, which encryption method is used to provide data confidentiality?
A. SHA B. DES C. HMAC D. AES E. ESP
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
123
BRKCRT-1104 14381_04_2008_c1
Cisco Public
124
62
125
aessha
esp-sha-hmac 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255 20 10.0.0.0 0.255.255.255 esp-sha-hmac 10.1.2.0 0.0.0.255
aessha
What is wrong regarding the partial S2S IPSec VPN configuration shown?
A. B. C. D. E.
BRKCRT-1104 14381_04_2008_c1
The transform-set name does not match between the peers The transform-set is missing the AH option The transform-set is missing the mode tunnel option The crypto acl is not a mirror image of the crypto acl on the other peer The crypto acl is not matching the 172.16.172.10 and 172.16.171.20 IP address
Cisco Public
126
63
Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
127
BRKCRT-1104 14381_04_2008_c1
Cisco Public
128
64
Correct Answer: B
BRKCRT-1104 14381_04_2008_c1
Cisco Public
129
Correct Answer: C
A. B. C. D.
aaa authentication login default tacacs+ local aaa authentication login default local adding the local option after aaa authentication login name tacacs+ adding the default option after login authentication name in the vty config mode
2008 Cisco Systems, Inc. All rights reserved. Cisco Public
BRKCRT-1104 14381_04_2008_c1
130
65
BRKCRT-1104 14381_04_2008_c1
Cisco Public
131
Correct Answer: C
BRKCRT-1104 14381_04_2008_c1
Cisco Public
132
66
Correct Answer: C
BRKCRT-1104 14381_04_2008_c1
Cisco Public
133
Referring to the IPSec transform set configuration shown, which encryption method is used to provide data confidentiality?
A. SHA B. DES C. HMAC D. AES E. ESP
BRKCRT-1104 14381_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Correct Answer: D
134
67
Correct Answer: D
BRKCRT-1104 14381_04_2008_c1
Cisco Public
135
Correct Answer: B
136
68
aessha
esp-sha-hmac 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255 20 10.0.0.0 0.255.255.255 esp-sha-hmac 10.1.2.0 0.0.0.255
aessha
What is wrong regarding the partial S2S IPSec VPN configuration shown?
A. B. C. D. E.
BRKCRT-1104 14381_04_2008_c1
The transform-set name does not match between the peers The transform-set is missing the AH option The transform-set is missing the mode tunnel option
Correct Answer: D
The crypto acl is not a mirror image of the crypto acl on the other peer The crypto acl is not matching the 172.16.172.10 and 172.16.171.20 IP address
Cisco Public
137
Q and A
BRKCRT-1104 14381_04_2008_c1
Cisco Public
138
69
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press Check the Recommended Reading flyer for suggested books
139
BRKCRT-1104 14381_04_2008_c1
Cisco Public
140
70
BRKCRT-1104 14381_04_2008_c1
Cisco Public
141
71