Security is an important topic in the new CCNA exam. Because Cisco routers and switches form the backbone of
today's network infrastructures, it is especially important to keep security in mind. Should your backbone be
breached, the entire network could be crippled, sensitive information could be eavesdropped on, and data could be
corrupted or altered in a way that could have drastic effects on your operations. For this reason, Cisco expects you to
have a general understanding of network security.
This section covers the following topics:
Describing the increase in security threats and the need for a security policy
Explaining general methods to mitigate threats
Describing the functions of common security appliances/applications
Describing the recommended practices of securing network devices
Network Characteristics
The following characteristics should be considered in network design and ongoing maintenance:
Availability
Availability is typically measured as a percentage based on the number of minutes in a year: uptime is the number
of minutes the network is available divided by the number of minutes in a year.
Cost
includes the cost of the network components, their installation, and their ongoing maintenance.
Reliability
defines the reliability of the network components and the connectivity between them. Mean time between
failures (MTBF) is commonly used to measure reliability.
Security
includes the protection of the network components and the data they contain and/or the data transmitted
between them.
Speed
includes how fast data is transmitted between network end points (the data rate).
Scalability
defines how well the network can adapt to new growth, including new users, applications, and network
components.
Topology
describes the physical cabling layout and the logical way data moves between components.
Many different types and locations of networks exist. You might use a network in your home or home office to
communicate via the Internet, to locate information, to place orders for merchandise, and to send messages
to friends. You might work in a small office that is set up with a network that connects the other computers
and printers in the office. You might work in a large enterprise in which many computers, printers, storage
devices, and servers communicate and store information from many departments over large geographic
areas.
Networks carry data in many types of environments, including homes, small businesses, and large
enterprises. In a large enterprise, a number of locations might need to communicate with each other, and you
can describe those locations as follows:
Corporate office:
A Corporate or main office is a site where everyone is connected via a network and where the bulk of corporate
information is located. A Corporate office can have hundreds or even thousands of people who depend on network
access to do their jobs. A main office might use several connected networks, which can span many floors in an office
building or cover a campus that contains several buildings.
Remote locations:
A variety of remote access locations use networks to connect to the main office or to each other.
Branch offices:
In branch offices, smaller groups of people work and communicate with each other via a network. Although some
corporate information might be stored at a branch office, it is more likely that branch offices have local network
resources, such as printers, but must access information directly from the main office.
Home offices:
When individuals work from home, the location is called a home office. Home office workers often require on-demand
connections to the main or branch offices to access information or to use network resources such as file servers.
Mobile users:
Mobile users connect to the main office network while at the main office, at the branch office, or traveling. The network
access needs of mobile users are based on where the mobile users are located.
Network Components
All of these networks share many common components. As described in the definition of a network, a network is
basically the sharing of information via network components, so the components play a major role in designing and
maintaining a network. The most essential network components are listed here.
Networking devices: hubs, bridges, switches, routers, firewalls, wireless access points, modems
Types of Networks
Organizations of different structures, sizes, and budgets need different types of networks. Networks can be divided
into one of two categories:
peer-to-peer
server-based networks
Peer-to-Peer Network
A peer-to-peer network has no dedicated servers; instead, a number of workstations are connected together for the
purpose of sharing information or devices. Peer-to-peer networks are designed to satisfy the networking needs of
home networks or of small companies that do not want to spend a lot of money on a dedicated server but still want to
have the capability to share information or devices, as in a school, college, or cyber cafe.
Server-Based Networks
In a server-based network, the data files used by all of the users are stored on one server. With a server-based
network, the network server stores a list of users who may use network resources and usually holds the resources
as well.
This will help by giving you a central point to set up permissions on the data files, and it will give you a central point
from which to back up all of the data in case data loss should occur.
Network Communications
Computer networks use signals to transmit data, and protocols are the languages computers use to
communicate.
Protocols provide a variety of communications services to the computers on the network.
Local area networks connect computers using a shared, half-duplex, baseband medium, and wide area
networks link distant networks.
Enterprise networks often consist of clients and servers on horizontal segments connected by a common
backbone, while peer-to-peer networks consist of a small number of computers on a single LAN.
Network Security
A security policy defines what people can and can't do with network components and resources.
Need for Network Security
In the past, hackers were highly skilled programmers who understood the details of computer communications and
how to exploit vulnerabilities. Today almost anyone can become a hacker by downloading tools from the Internet.
These complicated attack tools and generally open networks have generated an increased need for network security
and dynamic security policies.
The easiest way to protect a network from an outside attack is to close it off completely from the outside world. A
closed network provides connectivity only to trusted known parties and sites; a closed network does not allow a
connection to public networks.
Because they have no Internet connectivity, networks designed in this way can be considered safe from Internet
attacks. However, internal threats still exist.
Estimates are that 60 to 80 percent of network misuse comes from inside the enterprise where the misuse takes
place.
With the development of large open networks, security threats have increased significantly in the past 20 years.
Hackers have discovered more network vulnerabilities, and because you can now download applications that require
little or no hacking knowledge to implement, applications intended for troubleshooting and maintaining and optimizing
networks can, in the wrong hands, be used maliciously and pose severe threats.
An adversary
A person who is interested in attacking your network; the motivation can range from gathering or stealing information,
to creating a DoS, to simply the challenge of it.
Types of attack:
Classes of attack might include passive monitoring of communications, active network attacks, close-in attacks,
exploitation by insiders, and attacks through the service provider. Information systems and networks offer attractive
targets and should be resistant to attack from the full range of threat agents, from hackers to nation-states. A system
must be able to limit damage and recover rapidly when attacks occur.
There are five types of attack:
Passive Attack
A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can
be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications,
decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception
of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of
information or data files to an attacker without the consent or knowledge of the user.
Active Attack
In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth,
viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to
introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone,
exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an
attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, DoS, or
modification of data.
Distributed Attack
A distributed attack requires that the adversary introduce code, such as a Trojan horse or back-door program, to a
trusted component or software that will later be distributed to many other companies and users. Distribution attacks
focus on the malicious modification of hardware or software at the factory or during distribution. These attacks
introduce malicious code such as a back door to a product to gain unauthorized access to information or to a system
function at a later date.
Insider Attack
An insider attack involves someone from the inside, such as a disgruntled employee, attacking the network. Insider
attacks can be malicious or non-malicious. Malicious insiders intentionally eavesdrop, steal, or damage information;
use information in a fraudulent manner; or deny access to other authorized users. Non-malicious attacks typically result
from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as performing a task
Close-in Attack
A close-in attack involves someone attempting to get physically close to network components, data, and systems in
order to learn more about a network. Close-in attacks consist of regular individuals attaining close physical proximity to
networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close
physical proximity is achieved through surreptitious entry into the network, open access, or both.
One popular form of close-in attack is social engineering. In a social engineering attack, the attacker compromises
the network or system through social interaction with a person, through an e-mail message or a phone call. Various
tricks can be used to get the individual to reveal information about the security of the company. The information that
the victim reveals to the hacker would most likely be used in a subsequent attack to gain unauthorized access to a
system or network.
Phishing Attack
In a phishing attack, the hacker creates a fake web site that looks exactly like a popular site such as SBI bank or
PayPal. The phishing part of the attack is that the hacker then sends an e-mail message trying to trick the user into
clicking a link that leads to the fake site. When the user attempts to log on with their account information, the hacker
records the username and password and then tries that information on the real site.
Hijack attack
In a hijack attack, a hacker takes over a session between you and another individual and disconnects
the other individual from the communication. You still believe that you are talking to the original party and may send
private information to the hacker by accident.
Spoof attack
In a spoof attack, the hacker modifies the source address of the packets he or she is sending so that
they appear to be coming from someone else. This may be an attempt to bypass your firewall rules.
Buffer overflow
A buffer overflow attack is when the attacker sends more data to an application than is expected. A
buffer overflow attack usually results in the attacker gaining administrative access to the system in a command prompt
or shell.
Exploit attack
In this type of attack, the attacker knows of a security problem within an operating system or a piece of
software and leverages that knowledge by exploiting the vulnerability.
Password attack
An attacker tries to crack the passwords stored in a network account database or a password-
protected file. There are three major types of password attacks: a dictionary attack, a brute-force attack, and a hybrid
attack. A dictionary attack uses a word list file, which is a list of potential passwords. A brute-force attack is when the
attacker tries every possible combination of characters.
Hardware threats
Hardware threats involve physical damage to network components, such as servers, routers, and switches. To limit
hardware threats, follow these guidelines:
The room must be locked with only authorized personnel allowed access.
The room should not be accessible via a dropped ceiling, raised floor, window, ductwork, or point of entry
other than the secured access point.
If possible, use electronic access control with all entry attempts logged by security systems and monitored by
security personnel.
If possible, security personnel should monitor activity via security cameras with automatic recording.
Electrical threats
Electrical threats include irregular fluctuations in voltage, such as brownouts and voltage spikes. Electrical threats
such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
can be limited by adhering to these guidelines:
Install uninterruptible power supply (UPS) systems for mission-critical Cisco network devices.
Plan for and initiate regular UPS or generator testing and maintenance procedures based on the manufacturer-
suggested preventative maintenance schedule.
Monitor and alarm power-related parameters at the power supply and device levels.
Environmental threats
Environmental threats include very low or high temperatures, moisture, and electrostatic and magnetic interference.
Environmental threats, such as temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry),
also require mitigation. Take these actions to limit environmental damage to Cisco network devices:
Supply the room with dependable temperature and humidity control systems. Always verify the recommended
environmental parameters of the Cisco network equipment with the supplied product documentation.
If possible, remotely monitor and alarm the environmental parameters of the room.
Maintenance threats
Maintenance threats include not having backup parts or components for critical network components and not
labeling components and their cabling correctly. They also include poor handling of key electronic components,
electrostatic discharge (ESD), lack of critical spares, poor cabling, poor labeling, and so on. Maintenance-related
threats are a broad category that includes many items. Follow the general rules listed here to prevent maintenance-
related threats:
Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage,
disconnection, or incorrect termination.
Always follow ESD procedures when replacing or working with internal router and switch device components.
Do not leave a console connected to and logged into any console port. Always log off administrative interfaces
when leaving a station.
Do not rely upon a locked room as the only necessary protection for a device. Always remember that no room is
ever totally secure. After intruders are inside a secure room, nothing is left to stop them from connecting a
terminal to the console port of a Cisco router or switch.
An ACL should have at least one permit statement; otherwise, all traffic will be dropped because of the hidden
implicit deny statement at the end of every ACL.
No matter what type of ACL you use, though, you can have only one ACL per protocol, per interface, per direction. For
example, you can have one IP ACL inbound on an interface and another IP ACL outbound on an interface, but you
cannot have two inbound IP ACLs on the same interface.
Access List Ranges
Type: Range
IP Standard: 1-99
IP Extended: 100-199
Standard ACLs
A standard IP ACL is simple; it filters based on source address only. You can filter a source network or a source host,
but you cannot filter based on the destination of a packet, the particular protocol being used such as the Transmission
Control Protocol (TCP) or the User Datagram Protocol (UDP), or on the port number. You can permit or deny only
source traffic.
Extended ACLs
An extended ACL gives you much more power than just a standard ACL. Extended IP ACLs check both the source
and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters,
which allow administrators more flexibility and control.
Named ACLs
One of the disadvantages of using IP standard and IP extended ACLs is that you reference them by number, which is
not too descriptive of its use. With a named ACL, this is not the case because you can name your ACL with a
descriptive name. The ACL named DenyMike is a lot more meaningful than an ACL simply numbered 1. There are
both IP standard and IP extended named ACLs.
Another advantage to named ACLs is that they allow you to remove individual lines out of an ACL. With numbered
ACLs, you cannot delete individual statements. Instead, you will need to delete your existing access list and re-create
the entire list.
Configuration Guidelines
Order of statements is important: put the most restrictive statements at the top of the list and the least restrictive
at the bottom.
ACL statements are processed top-down until a match is found, and then no more statements in the list are
processed.
If no match is found in the ACL, the packet is dropped (implicit deny).
Each ACL needs either a unique number or a unique name.
The router cannot filter traffic that it, itself, originates.
You can have only one IP ACL applied to an interface in each direction (inbound and outbound); you can't have
two or more inbound or outbound ACLs applied to the same interface. (Actually, you can have one ACL for each
protocol, like IP and IPX, applied to an interface in each direction.)
Applying an empty ACL to an interface permits all traffic by default: in order for an ACL to have an implicit deny
statement, you need at least one actual permit or deny statement.
Remember the numbers you can use for IP ACLs: standard ACLs can use numbers ranging from 1 to 99 and from
1300 to 1999, and extended ACLs can use 100 to 199 and 2000 to 2699.
A wildcard mask is not a subnet mask. Like an IP address or a subnet mask, a wildcard mask is composed of 32
bits. To convert a subnet mask to a wildcard mask, subtract each byte of the subnet mask from 255.
There are two special types of wildcard masks:
0.0.0.0 and 255.255.255.255
A 0.0.0.0 wildcard mask is called a host mask.
The other is 255.255.255.255. If you enter this, the router will convert the address and mask to the keyword any.
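The wildcard rules above (byte-wise subtraction from 255, 0 bits that must match, 0.0.0.0 as a host mask and 255.255.255.255 as any), worked through in code. This is an added example, not part of the original document; all sample addresses are constructed.

```python
"""Cisco-style wildcard masks: conversion and matching (added example).

Implements exactly the rules the text states: a wildcard mask is the subnet
mask with each byte subtracted from 255, a 0 bit in the wildcard must match
the corresponding address bit, a 1 bit is ignored, 0.0.0.0 is the host mask
and 255.255.255.255 covers every address ("any").
"""
import ipaddress

def subnet_to_wildcard(subnet_mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255 : subtract each byte of the subnet mask from 255."""
    return ".".join(str(255 - int(byte)) for byte in subnet_mask.split("."))

def prefix_to_acl_entry(cidr: str) -> str:
    """'20.0.0.0/8' -> '20.0.0.0 0.255.255.255', the address/wildcard pair an ACL line uses."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {subnet_to_wildcard(str(net.netmask))}"

def wildcard_matches(entry_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True if packet_addr matches entry_addr under the wildcard.

    care = bits the router checks (wildcard 0 bits); everything else is ignored.
    """
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    entry = int(ipaddress.IPv4Address(entry_addr))
    packet = int(ipaddress.IPv4Address(packet_addr))
    return (entry & care) == (packet & care)

def matching_hosts(entry_addr: str, wildcard: str, candidates: list[str]) -> list[str]:
    """Filter a list of constructed host addresses through one address/wildcard pair."""
    return [h for h in candidates if wildcard_matches(entry_addr, wildcard, h)]

if __name__ == "__main__":
    # Constructed hosts from the three /8 networks used in the lab output in this document.
    hosts = ["10.0.0.2", "20.0.0.2", "20.0.0.3", "30.0.0.3"]
    print(prefix_to_acl_entry("20.0.0.0/8"))                      # 20.0.0.0 0.255.255.255
    print(matching_hosts("20.0.0.0", "0.255.255.255", hosts))      # the two 20.x hosts
    print(matching_hosts("20.0.0.2", "0.0.0.0", hosts))            # host mask: one address
    print(matching_hosts("0.0.0.0", "255.255.255.255", hosts))     # any: everything
```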
Placement of ACLs
Standard ACLs should be placed as close to the destination devices as possible.
Extended ACLs should be placed as close to the source devices as possible.
Access Attacks
An access attack occurs when someone tries to gain unauthorized access to a component, tries to gain unauthorized access to
information on a component, or increases their privileges on a network component. Access attacks exploit known vulnerabilities in
authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive
information.
DoS Attacks
DoS attacks involve an adversary reducing the level of operation or service, preventing access to, or completely crashing a
network component or service.
Password Attacks
A password attack usually refers to repeated attempts to identify a user account, password, or both. These repeated attempts are
called brute-force attacks. Password attacks are implemented using other methods, too, including Trojan horse programs, IP
spoofing, and packet sniffers.
MS-CHAPv2
With MS-CHAP version 2, the authentication method has been extended to authenticate both the client and the server.
MS-CHAPv2 also uses stronger encryption keys than CHAP and MS-CHAP.
Match an IP range, or
PC>ping 30.0.0.3
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 40.0.0.3
IP Address......................: 20.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...
Password:
R2>
Now telnet to it from any PC other than 20.0.0.2; the connection must be filtered and denied.
PC>ipconfig
IP Address......................: 20.0.0.3
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...
Use the interface configuration command to select an interface to which to apply the ACL.
Use the ip access-group interface configuration command to activate the existing ACL on an interface.
The extended IP ACL command has the following syntax:
access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Command parameter descriptions
Parameter: Description
permit | deny: Indicates whether this entry allows or blocks the specified address.
source and destination: Identifies source and destination IP addresses.
source-wildcard and destination-wildcard: Wildcard masks applied to the source and destination addresses (a 0 bit must match, a 1 bit is ignored).
operator port: The operator can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to). The port number referenced can be either the source port or the destination port, depending on where in the ACL the port number is configured. As an alternative to the port number, well-known application names can be used, such as Telnet, FTP, and SMTP.
established: For inbound TCP only. Allows TCP traffic to pass if the packet is a response to an outbound-initiated session. This type of traffic has the acknowledgement (ACK) bits set. (See the
Common well-known ports:
23 (TCP) Telnet
69 (UDP) TFTP
80 (TCP) HTTP
With access lists you will have a variety of uses for wildcard masks, but from the CCNA exam perspective you
should typically be able to do the following:
Block host to host
Block host to network
Block network to network
Block telnet access to critical resources of the company
Limit FTP access for users
Stop exploration of the private network by ping
Limit web access
Configure the established keyword
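The tasks above and the telnet lab earlier, modelled as one extended ACL evaluated the way the configuration guidelines describe: top-down, first match wins, implicit deny at the end. This is an added example and not the document's own configuration; the ACL number 101, the entries, and the packets are assumptions built around the lab's addresses (telnet to the router 50.0.0.2 only from 20.0.0.2, FTP only from 20.0.0.0/8, return TCP traffic into 10.0.0.0/8 via established, no ping into 10.0.0.0/8, web anywhere). The renderer also prints each entry in the access-list syntax shown above.

```python
"""Extended IP ACL evaluator (added example; entries and packets are constructed)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0         # destination port for tcp/udp
    ack: bool = False      # TCP ACK bit set: reply in an already established session
    icmp_type: str = ""    # e.g. "echo" for a ping request

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None   # None = no port condition (only "eq" is modelled here)
    established: bool = False
    icmp_type: str = ""

def wild_match(entry_addr: str, wildcard: str, addr: str) -> bool:
    """Wildcard 0 bits must match, 1 bits are ignored (same rule as for any ACL)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(entry_addr)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wild_match(e.src, e.src_wild, p.src) and wild_match(e.dst, e.dst_wild, p.dst)):
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.established and not p.ack:        # established only passes packets with ACK set
        return False
    return not e.icmp_type or p.icmp_type == e.icmp_type

def evaluate(acl: list, p: Packet):
    """Return (action, line) of the first matching entry; the hidden deny if none matches."""
    for line, e in enumerate(acl, start=1):
        if entry_matches(e, p):
            return e.action, line
    return "deny", "implicit deny"

def addr_part(addr: str, wild: str) -> str:
    """IOS shorthand: 0.0.0.0 wildcard -> 'host A', 255.255.255.255 -> 'any'."""
    return f"host {addr}" if wild == "0.0.0.0" else "any" if wild == "255.255.255.255" else f"{addr} {wild}"

def to_ios(number: int, e: Entry) -> str:
    """Render an entry as an access-list command line."""
    parts = [f"access-list {number}", e.action, e.proto, addr_part(e.src, e.src_wild), addr_part(e.dst, e.dst_wild)]
    if e.dport is not None:
        parts.append(f"eq {e.dport}")
    if e.icmp_type:
        parts.append(e.icmp_type)
    if e.established:
        parts.append("established")
    return " ".join(parts)

ANY = ("0.0.0.0", "255.255.255.255")
ACL_101 = [  # order matters: the most specific (restrictive) lines come first
    Entry("permit", "tcp", "20.0.0.2", "0.0.0.0", "50.0.0.2", "0.0.0.0", dport=23),   # admin host may telnet
    Entry("deny", "tcp", *ANY, "50.0.0.2", "0.0.0.0", dport=23),                      # nobody else may
    Entry("permit", "tcp", "20.0.0.0", "0.255.255.255", *ANY, dport=21),              # FTP only from 20/8
    Entry("deny", "icmp", *ANY, "10.0.0.0", "0.255.255.255", icmp_type="echo"),       # no ping into 10/8
    Entry("permit", "tcp", *ANY, "10.0.0.0", "0.255.255.255", established=True),      # replies to 10/8 sessions
    Entry("permit", "tcp", *ANY, *ANY, dport=80),                                      # web anywhere
]

if __name__ == "__main__":
    for e in ACL_101:
        print(to_ios(101, e))
    print(evaluate(ACL_101, Packet("tcp", "20.0.0.3", "50.0.0.2", dport=23)))   # ('deny', 2)
```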