Term
|
Definition
allowed an IOS router to perform stateful inspection of traffic (using Context-based Access Control [CBAC])
basic traffic filtering using access control lists (ACLs) |
|
|
Term
Intrusion Prevention System |
|
Definition
can detect malicious network traffic inline and stop it before it reaches its destination |
|
|
Term
VPN Routing and Forwarding-aware (VRF-aware) Firewall |
|
Definition
maintains a separate routing and forwarding table for each VPN, which helps eliminate issues that arise from more than one VPN using the same address space |
|
|
Term
Virtual Private Networks (VPN) |
|
Definition
a router at a headquarters location and at a branch office location could interconnect via an IPsec-protected VPN
allow traffic to pass securely between those sites, even if the VPN crossed an "untrusted" network, such as the Internet |
|
|
Term
Integrated Service Routers (ISRs) |
|
Definition
integrate various services (voice and security) into the router architecture
last three digits of their model begin with 8 |
|
|
Term
|
Definition
Integrated VPN Acceleration
Dedicated voice hardware
Advanced Integration Modules
USB port
Cisco HWIC-AP
Cisco IDS Network Module
Cisco Content Engine
Cisco Network Analysis Module (NAM) |
|
|
Term
Integrated VPN Acceleration |
|
Definition
uses dedicated hardware for VPN encryption, so ISRs reduce the overhead placed on a router's processor, thereby increasing VPN performance and scalability
support AES and 3DES |
|
|
Term
|
Definition
IP telephony applications often use digital signal processors (DSP) to mix multiple voice streams in a conference, encrypt voice packets and convert between high-bandwidth and low-bandwidth codecs
Voice traffic uses Real-time Transport Protocol (RTP), a Layer 4 protocol, to transport voice in a network. SRTP provides AES encryption
Because of the processor overhead of using encryption, dedicated DSP hardware is required; ISRs can use packet voice DSP modules (PVDM) to take over the processing tasks |
|
|
Term
Advanced Integration Modules |
|
Definition
offload processor-intensive tasks from a router's processor
AIMs can be used for VPN processing, including a variety of standards for encryption, authentication and data integrity
AIM Models
- AIM-VPN/BPII-PLUS - 1800 series ISRs (support 1 module)
- AIM-VPN/EPII-PLUS - 2800 series ISRs, 3825 ISR (support 2 modules)
- AIM-VPN/HPII-PLUS - 3845 ISR (supports 2 AIMs)
|
|
|
Term
|
Definition
All ISRs, except the 850, include one or more USB ports. Ports can be used with a USB flash drive to store IOS images or configuration files
A USB eToken containing a signed digital certificate can be inserted for VPN use |
|
|
Term
|
Definition
IEEE 802.11 wireless module supporting a variety of wireless standards |
|
|
Term
|
Definition
includes hard drive containing multiple signatures of well-known attacks
can be used to detect and subsequently prevent malicious traffic |
|
|
Term
|
Definition
either 40-GB or 80-GB hard drive for caching web content
makes it available for quick retrieval by local clients, as opposed to the clients having to retrieve all the information from the web |
|
|
Term
Cisco Network Analysis Module (NAM) |
|
Definition
provides detailed analysis of traffic flow |
|
|
Term
|
Definition
as soon as an administrator is granted access to the router
only a limited number of commands are available |
|
|
Term
Privileged Mode in Router |
|
Definition
most router administration is performed in this mode
to access privileged mode from user mode, administrator enters enable command
typically then another password needs to be entered - sometimes called the enable password |
|
|
Term
|
Definition
used to permit access to a router's privileged mode
password is stored in the router's configuration as an MD5 hash value, making it difficult for an attacker to guess and impossible to see with the naked eye |
|
|
Term
|
Definition
password is not encrypted (or hashed) by default
enable password is considered weaker than enable secret password
Cisco IOS still supports the enable password for backward compatibility |
|
|
Term
|
Definition
when an administrator connects to a router over a network connection (Telnet, SSH), they might be prompted to enter a vty password to gain access to the virtual vty line to which they are connecting |
|
|
Term
Command for Enable Secret Password |
|
Definition
R1(config)# enable secret [password]
R1(config)# end
|
|
|
Term
Commands for setting Console password |
|
Definition
R1(config)# line con 0
R1(config-line)# password [password]
R1(config-line)# login |
|
|
Term
Commands for setting Auxiliary Port password |
|
Definition
R1(config)# line aux 0
R1(config-line)# password [password]
R1(config-line)# login |
|
|
Term
Commands for setting vty Line password |
|
Definition
R1(config)# line vty 0 4
R1(config-line)# login
R1(config-line)# password [password] |
|
|
Term
Configuring a Local User Database |
|
Definition
R1(config)# username [username] secret [password]
R1(config)# end
|
|
|
Term
|
Definition
ROM monitor mode
during the bootup process, a break sequence can be generated, causing the router to go into ROMMON mode
From there the router's password can be reset |
|
|
Term
Default delay on Number of failed login attempts |
|
Definition
15-second delay after 10 failed login attempts
security authentication failure rate [#] log changes the default to the specified value |
|
|
Term
Configuring Login Inactivity Timer |
|
Definition
exec-timeout [minutes] [seconds]
disable by doing exec-timeout 0 0 |
|
|
Term
Configuring Privilege Level |
|
Definition
R1# config term
R1(config)# privilege exec level [#] debug
R1(config)# enable secret level 5 [password]
R1(config)# end |
|
|
Term
Enable/Privileged mode level |
|
Definition
|
|
Term
|
Definition
using role-based CLI views can control exactly what commands an administrator has access to |
|
|
Term
Steps to enable views on CLI |
|
Definition
- Enable AAA: aaa new-model
- Enable the root view: enable view
- Create a view: parser view [name]
- Set a password for the view: secret 0 [password]
- Add available commands to view: commands [parser mode] {include|include-exclusive|exclude} [all] [interface (int ident) | command]
- Verify the role-based CLI view configuration: enable view [name]
|
|
|
Term
|
Definition
Cisco IOS Resilient Configuration feature
a secure copy of a router's image and configuration |
|
|
Term
Cisco IOS Resilient Configuration Steps |
|
Definition
- Enable image resilience
- Secure the boot configuration
- Verify the security of the bootset
|
|
|
Term
Cisco IOS Resilient Configuration Steps
Enable image resilience |
|
Definition
secure boot-image command
issued in global configuration mode and secures the IOS image
secured image is hidden so that it does not appear in a directory listing of files |
|
|
Term
Cisco IOS Resilient Configuration Steps
Secure the boot configuration |
|
Definition
secure boot-config command
done in global configuration mode
archives the running configuration of a router to persistent storage |
|
|
Term
Cisco IOS Resilient Configuration Steps
Verify the security of the bootset |
|
Definition
show secure bootset command
used to verify that IOS Resilient Configuration is enabled and that the files in the bootset have been secured |
|
|
Term
Cisco IOS Login Enhancements |
|
Definition
Create a delay between repeated login attempts
Suspend the login process if a denial-of-service (DoS) attack is suspected
Create syslog messages upon the success and/or failure of a login attempt |
|
|
Term
Enable Cisco IOS Login Enhancements |
|
Definition
login block-for command in global config mode
default settings -
- delay of 1 second occurs between successive login attempts
- no virtual connection can be made during the quiet period
|
|
|
Term
|
Definition
period of time in which virtual login attempts are blocked, following repeated failed login attempts |
|
|
Term
Router(config)# login block-for [secs#] attempts [attempts#] within [secs#] |
|
Definition
specifies the number of failed login attempts within a specified period of time that trigger a quiet period, during which login attempts would be blocked |
|
|
Term
Router(config)# login quiet-mode access-class {acl-name | acl-number} |
|
Definition
specifies an ACL that identifies exemptions from the previously described quiet period |
|
|
Term
Router(config)# login delay [seconds] |
|
Definition
specifies a minimum period of time that must pass between login attempts
default period of time is 1 second |
|
|
Term
Router(config)# login on-failure log [every (loginattempts)] |
|
Definition
Creates log messages for failed login attempts |
|
|
Term
Router(config)#login on-success log [every (loginattempts)] |
|
Definition
Creates log messages for successful login attempts |
|
|
Term
|
Definition
can be used to verify that enhanced support for virtual logins is configured and to view the login parameters |
|
|
Term
|
Definition
banner motd [delimiter message_body delimiter]
motd stands for message of the day
delimiter is a character you choose to indicate the beginning and end of the banner message - choose a delimiter that will not appear in the body of the message |
|
|
Term
|
Definition
- smart wizards use Cisco TAC best-practice recommendations
- intelligently determines an appropriate security configuration based on what it learns about a router's configuration (router's interfaces, NAT configuration and existing security configuration)
- supports multiple security features such as wizard-based VPN configuration, router security auditing and One-Step Lockdown configuration
- does not affect router's DRAM or CPU
|
|
|
Term
Router(config)# ip http server |
|
Definition
enables HTTP server on a router |
|
|
Term
Router(config)# ip http secure-server |
|
Definition
enables secure HTTP (HTTPS) server on a router |
|
|
Term
Router(config)# ip http authentication local |
|
Definition
configures a local authentication method for accessing the HTTPS server |
|
|
Term
Router(config)# username [name] privilege 15 secret 0 [password] |
|
Definition
configures a username and password to be used for authentication local to the router |
|
|
Term
|
Definition
shows files installed on router |
|
|
Term
Cisco SDM Wizards
Interfaces and Connections |
|
Definition
configure LAN and WAN interfaces |
|
|
Term
Cisco SDM Wizards
Firewall and ACL |
|
Definition
supports the configuration of basic and advanced IOS-based firewalls |
|
|
Term
|
Definition
configure a secure site-to-site VPN, Cisco Easy VPN Server, Cisco Easy VPN Remote and DMVPN |
|
|
Term
Cisco SDM Wizards
Security Audit |
|
Definition
identifies potential security vulnerabilities in a router's current configuration and tweaks the router's configuration to eliminate those weaknesses |
|
|
Term
Cisco SDM Wizards
Routing |
|
Definition
allows an admin to modify and view routing configurations for the RIP, OSPF, or EIGRP routing protocols |
|
|
Term
|
Definition
configure Network Address Translation (NAT) |
|
|
Term
Cisco SDM Wizards
Intrusion Prevention |
|
Definition
walks an admin through the process of configuring an IOS-based IPS |
|
|
Term
Cisco SDM Wizards
Quality of Service |
|
Definition
Provides wizards for configuring Network Admission Control (NAC) features such as Extensible Authentication Protocols (EAP) |
|
|