Term
What are some of the best practices for configuring security on a new Cisco router?

Definition
Use SSH instead of Telnet
Keep the IOS updated
Configure ACLs
Use strong, encrypted passwords
Disable unneeded services

Term
What are the ACL number ranges for:
IP Standard ACL
IP Extended ACL
IP Standard Expanded Range ACL
IP Extended Expanded Range ACL

Definition
IP Standard ACL: 1-99
IP Extended ACL: 100-199
IP Standard Expanded Range ACL: 1300-1999
IP Extended Expanded Range ACL: 2000-2699

Term
What are the characteristics and syntax of Standard ACLs?

Definition
Can filter only on a source network/host (classful)
Cannot filter on destination, protocol, or port
Global config:
access-list # [permit|deny] x.x.x.x [wildcard mask]

Term
What are the characteristics and general syntax for Extended ACLs?

Definition
Filter based on: source/destination IP/ports, protocol, ICMP message
Global command:
access-list # [permit|deny] [proto] [source] [mask] (operators) [dest] [mask] (operators) (advanced opt)

Term
What are the characteristics/advantages of named ACLs?
What is the syntax for configuring one?

Definition
Meaningful to read, allows removal of individual lines
Supports both standard and extended ACLs
R(config)#ip access-list [standard|extended] [name]
R(config-ext-nacl)#[permit|deny] ...
...etc.

Term
What is the syntax for port operators and ICMP operators in Extended ACL config?

Definition
Port operators:
eq (equal to port number)
gt/lt (match greater/less than the given port number)
range (specify a range)
ICMP operators:
echo, echo-reply, etc.

Term
What are the three advanced options/keywords that can be configured on an ACL line?
What are their functions and what kind of ACLs support them?

Definition
log: logs the source IP to the log buffer when a match is made (5 min intervals); supports standard and extended ACLs
log-input: also logs the L2 source MAC or DLCI number; supported for extended ACLs only
established: allows traffic only if a TCP session is already established; only for extended ACLs filtering TCP

Term
What are the commands to verify (show) the configuration of ACLs?

Definition
"show ACLs" - shows what ACLs are configured
"show access-list" & "show ip ACLs" - show only the IP ACLs
"show ip interface" - shows the direction and placement of ACLs

Term
What is implied at the end/default of an ACL?

Definition
"... deny any any" statement

Term
Where should standard / extended ACLs be placed in the network?

Definition
Standard - close to the destination of the filtered traffic
Extended - close to the source of the filtered traffic

Term
In NAT, what do "inside" and "outside" refer to?

Definition
Inside: Private side of the network, usually the source of the addresses being translated (e.g. "your" company network)
Outside: Public side of the network; the address space to which inside/private hosts are being translated (e.g. "another" company's network)

Term
In NAT, what do "inside local", "inside global", "outside local", and "outside global" refer to?

Definition
Inside local: addresses assigned on your private network
Inside global: public addresses assigned by the ISP to represent your private addresses
Outside global: Internet-routable IP of a host outside your company
Outside local: private IP address of the end host on the other/destination private network

Term
What are the characteristics of the following issues that NAT is used to resolve?
1. Overlapping address space
2. Well-meaning admin error

Definition
1. Overlapping address space: When a network connects with another network that uses the same IP range (e.g. during a merger)
2. Well-meaning admin error: The network designer fails to plan for future growth of the network or makes a mistake (e.g. giving private hosts public IP addresses belonging to someone else)

Term
How does NAT contribute to load distribution?

Definition
Gives a cluster of machines a single IP for clients to use

Term
What are the main advantages and disadvantages of NAT?

Definition
Pros: Conserves the registered IP address space; adds security by hiding the originating IP & preventing inside access
Cons: Application incompatibilities caused by changing the source IP of traffic; introduces additional latency to transmission

Term
What are the characteristics, general use, and config syntax of static NAT?

Definition
One-to-one mapping of an inside local to an inside global IP
Gives hosts such as mail/web servers on the private network access to the public Internet & vice versa
Global command:
ip nat inside source static [in-local ip] [in-global ip]
On interfaces:
ip nat [inside|outside]

Term
What are the characteristics of Dynamic NAT?
(Any cons?)

Definition
Enables an inside host to get to an outside address when/as needed.
Cons: Still doesn't conserve IPs

Term
What is PAT and how is it related to NAT?
What is the config syntax?

Definition
Port Address Translation (aka extended NAT entry)
Uses the source ports of hosts to distinguish translated flows, possibly to a single outside address
Global config:
ip nat inside source [...] interface [intfc] overload

Term
What are the commands to verify (show) NAT configuration/stats?
What is the command to clear dynamic NAT entries?

Definition
"show ip nat translations"
"show ip nat statistics" - snapshot of how many translations were performed, overview of the config, amount of the pool used
"clear ip nat translation *"

Term
What are the characteristics of dynamic access lists, and what benefits do they offer over standard and static extended ACLs?

Definition
AKA Lock and Key
Dynamic user access through the firewall, based on a Telnet connection and authentication
- Challenge mechanism to authenticate users
- Simplified management in large internetworks
- Reduction in router processing
- Reduction of the chance of network break-ins

Term
What are the characteristics of reflexive ACLs, and what are their benefits over normal ACLs?

Definition
AKA IP-Session-Filtering ACLs
Deny traffic from outside sources while allowing traffic for a session initiated from the inside network.
- Can be included in a firewall defense
- Simple to use
- Greater control of packets entering the network
- Additional security against spoofing and DoS

Term
What is commonly used to define the inside and outside IP ranges in dynamic NAT?
What is the config syntax?

Definition
Inside source: access list
Outside IP range: NAT pool
Global config:
ip nat pool [name] [1stIP] [lastIP] netmask [mask]
or
ip nat pool [name] [1stIP] [lastIP] prefix-length [#]
ip nat inside source list [acl#] pool [name]

Term
What is the syntax for applying an ACL on an interface versus for Telnet/SSH?

Definition
Interface config:
ip access-group [acl#] [in|out]
Line vty config:
access-class [acl#] [in|out]

Term
Where are the ACL commands for access-class vs access-group placed?

Definition
access-class on line vty
access-group on the interface

Term
What commands are configured at the interface level for general NAT configuration?

Definition
ip nat inside
ip nat outside

Term
What are the differences between IPS and IDS?

Definition
An Intrusion Detection System sits parallel to the traffic flow and monitors for potential security concerns. It needs to tell a firewall (or IPS) to actually block attacks.
An Intrusion Prevention System sits in the path of the traffic flow in order to potentially block attacks.

Term
What are the differences between IPS and traditional firewalls?

Definition
An IPS uses signatures to inspect packets up to L7, looks for traffic patterns, performs anomaly detection...
Firewalls block or permit traffic based on preset rules based on IP or port (L3 & L4)

Term
What are the characteristics of Next Gen Firewalls?
Give an example of a Next Gen Firewall.

Definition
Firewalls which have gained IPS capability.
- Stateful firewall: tracks a connection table
- Deep packet inspection (L7 analysis)
- User-based permissions
Often also act as endpoints of VPN tunnels.
E.g. Cisco ASA with Firepower
