
Chapter 5 Security Fundamentals

The document discusses several security concepts and programs including asset identification, threat mitigation techniques, device access control, virtual private networks, access control lists, port security, DHCP snooping, dynamic ARP inspection, and authentication, authorization, and accounting. Mitigation techniques include technical/logical approaches like firewalls and intrusion prevention systems as well as administrative policies and physical security of network devices and data centers. Virtual private networks allow for secure site-to-site and client connections through encrypted tunnels. Access control lists and port security provide control over network access while DHCP snooping and dynamic ARP inspection mitigate spoofing attacks. Authentication, authorization, and accounting provide user credential validation and privilege management.

Uploaded by Ziad Abdo

Cisco Certified Network Associate (200-301 CCNA)

CHAPTER 5: SECURITY FUNDAMENTALS

5.1 Security Concepts & Programs

- What do I have, and what should I care about?
- Asset: everything valuable (documents, information, etc.)
- Threat: a danger to an asset (hacker, software bug, environmental disaster)
- Vulnerability: a weakness (old bug, missing patch)

- Then we should consider Mitigation:

- Mitigation has 3 types
- Type 1: Technical/Logical Mitigation:
- Choosing the correct firewall
- Choosing the correct IPS
- Choosing the correct design!


- Type 2: Administrative:
- Things that you (the network admin) decide and consider
- Like policies & procedures
(the company's agreed policies & procedures)
- Written documents
- Background checks for new employees
- Security awareness, periodically
(remind them from time to time)
- And passwords, of course
- Length (characters)
- Complexity (upper/lower case, numbers, symbols)
- Age (minimum/maximum age for changing the password)


- Also, there are some alternatives

- 2-Factor/Multi-Factor Authentication
- Done by using biometrics and certificates
- Besides passwords
- Can be a physical card (identity card)
- One-Time Password (mobile phone app)
- Iris scan, fingerprints, face recognition
- Type 3: Physical:
- This is real-world (physical) protection
- like securing the devices inside racks
- racks should have a locked metal/glass door
- all racks should be installed in a secured DC
- Racks and DCs can be secured using keys, cards, fingerprints


5.2 Device Access Control


- What if the device wasn't locked properly (physically)?
- If someone did connect to the Console/AUX ports!!!!

- Console and Auxiliary ports can be protected

- either by configuring a specific password for each port
- or by using local credentials (username/password) and applying them to the ports

*Even if a user did log in to a device, limit their access by assigning an
"enable secret/password"
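Added IOS example (not from the notes): both protection options from 5.2 on one device, plus the enable secret. Hostname, username and passwords are placeholders.

```cisco
! Added example: protecting console/AUX access on a Cisco IOS device.
! Hostname, usernames and passwords are placeholders, not real values.
hostname R1
!
! Option 1: a dedicated password on the console line.
line console 0
 password ConsolePass123
 login
 exec-timeout 5 0
!
! Option 2: local credentials applied to the AUX port.
! "secret" stores a hashed password; "password" would store it reversibly.
username netadmin privilege 1 secret AuxUserPass123
line aux 0
 login local
 exec-timeout 5 0
!
! Even after a successful login, privileged (enable) mode needs its own secret.
! If both "enable secret" and "enable password" exist, the secret wins.
enable secret EnableSecret456
!
! Verify:
! show running-config | section line
! show running-config | include enable secret
```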


5.3 Virtual Private Networks (VPN)


- How virtual? And how private?
- Tunnels will be established
- Full separation
- End-to-end encryption

- Site-to-Site VPN
- Peer-to-Peer VPN
- needs an IGP for routing and forwarding (underlay)
- the IGP is exchanged with the ISP at the edges
- Overlay VPN
- obtain a circuit from the ISP
- the IGP will be yours all the way


- Client VPN
- for an end user
- requires client software
- established remotely
- credentials are needed
- the tunnel will be "PC – Router"


5.4 Access Control List (ACL)


- specific permissions for users/networks
- allow or deny rules only
- allow or deny some hosts/networks from the Internet

- ACL Types
- Standard:
- uses the source host/network to decide the permissions
- range of 1-99
- NO specific permissions
- Extended:
- uses source & destination hosts/networks/ports/services
- range of 100-199
- specific, detailed permissions
- Named: a combination of the above, configured in a sub-mode (hierarchy) under a name
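Added IOS example (not from the notes): one ACL of each type from 5.4 and how they are applied. Addresses, ACL names and interfaces are placeholders.

```cisco
! Added example: the three ACL types from 5.4 on an IOS router.
! Addresses, names and interfaces are placeholders chosen for illustration.
!
! Standard ACL (1-99): matches on SOURCE only, so place it close to the destination.
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny   any log
! (every ACL ends with an implicit "deny any"; the explicit deny only adds logging)
!
! Extended ACL (100-199): source, destination, protocol and port.
access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 443
access-list 100 permit udp 192.168.10.0 0.0.0.255 host 10.0.0.53 eq 53
access-list 100 deny   ip any any log
!
! Named extended ACL: same matching as 100-199, but entries are editable by sequence number.
ip access-list extended BLOCK-TELNET
 10 deny   tcp any any eq 23 log
 20 permit ip any any
!
! One ACL per interface per direction; entries are checked top-down, first match wins.
interface GigabitEthernet0/0
 ip access-group 100 in
interface GigabitEthernet0/1
 ip access-group BLOCK-TELNET out
!
! Verify hit counters: show access-lists
```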

5.5 Port Security


- Switch ports connect you immediately
- A limitation is needed on the switch ports
- This limitation includes:
- The number of learned MAC addresses
- Only "statically" assigned MAC addresses are allowed to connect
- A combination of the 2 above

*All Cisco switch ports are "dynamic" by default; make them access ports
*Static entries DON'T have timers; assign timers
*Those "statically" assigned MACs are called "sticky"
- What will be the reaction when an unallowed MAC (or MACs) hits?
- Violation behavior:
- Shutdown the port (default)
- Protect (silently)
- Restrict (log it)
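Added IOS example (not from the notes): port security on one access port, covering the three limitation options, the timers and the violation modes from 5.5. Interface, VLAN and MAC values are placeholders.

```cisco
! Added example: port security on a single access port (values are placeholders).
interface GigabitEthernet0/5
 ! Port security is refused on a "dynamic" port: set the mode first.
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Option 1: cap the number of learned MACs (default is 1).
 switchport port-security maximum 2
 ! Option 2: a statically allowed MAC.
 switchport port-security mac-address 0011.2233.4455
 ! Option 3 (combination): learn dynamically, then keep it as a static "sticky" entry.
 switchport port-security mac-address sticky
 ! Static/sticky entries never age out unless timers are assigned:
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport port-security aging static
 ! Violation modes: shutdown (default, err-disables the port),
 ! protect (drops offending frames silently), restrict (drops, logs, counts).
 switchport port-security violation restrict
!
! Let a port err-disabled by a shutdown violation recover by itself after 5 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify: show port-security interface GigabitEthernet0/5
!         show port-security address
```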

5.6 DHCP Snooping


- Rogue DHCP servers will respond to your "Discover" message
- Computers will take/accept the first offer they receive

- Snooping will trust an interface to make it the only interface allowed to receive broadcast messages
- Applied on a specific VLAN

*Rogue servers will act as a "Man in the Middle", which is an attack


5.7 Dynamic ARP Inspection


- First, what is ARP?
Address Resolution Protocol: binds an IP address to its source MAC address
- So, if a binding is missing, an ARP request will handle it
- But ARP is a broadcast; thus everyone will know about you trying to reach your GW for any purpose
- Someone might manipulate you and claim that he is the GW!!!!
*Man in the Middle detected
- DAI will allow only trusted interfaces to receive and forward broadcast
- It will cooperate with the DHCP snooping DB to perform the inspection
- After inspecting, it will either forward the ARP or drop it (and log it)
*Static IPs don't use DHCP, SO!! their ARP gets dropped, unless you:
- Trust the port, or
- Create an ARP ACL
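Added IOS example (not from the notes) covering both 5.6 and 5.7 on one access switch: DHCP snooping with a single trusted uplink, then DAI using the snooping binding table, with an ARP ACL for a static-IP host. VLAN, interface, IP and MAC values are placeholders.

```cisco
! Added example: DHCP snooping (5.6) + Dynamic ARP Inspection (5.7). Values are placeholders.
!
! --- DHCP snooping ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; turn it off unless the relay/server expects it,
! otherwise the next switch may drop the client's Discover.
no ip dhcp snooping information option
! Only the uplink toward the real DHCP server is trusted. Server messages (Offer/Ack)
! arriving on any untrusted port are dropped, which is what stops a rogue server.
interface GigabitEthernet0/1
 description Uplink-to-DHCP-server
 ip dhcp snooping trust
! Access ports stay untrusted (default); rate-limit their DHCP traffic.
interface range GigabitEthernet0/2 - 24
 ip dhcp snooping limit rate 15
!
! --- Dynamic ARP Inspection ---
! Each ARP on an untrusted port is checked against the snooping binding table
! (IP <-> MAC <-> VLAN <-> port); mismatches are dropped and logged.
ip arp inspection vlan 10
ip arp inspection validate src-mac ip
interface GigabitEthernet0/1
 ip arp inspection trust
!
! A static-IP host has no DHCP binding, so its ARPs would be dropped.
! Either trust that port, or whitelist the host through an ARP ACL:
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
! Without the trailing "static" keyword, non-matching ARPs still fall back to the binding table.
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Verify: show ip dhcp snooping binding
!         show ip arp inspection vlan 10
!         show ip arp inspection statistics vlan 10
```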

5.8 Authentication, Authorization, and Accounting


- AAA is the security mechanism for the management plane
- You can control everything about everyone allowed/denied from accessing the network
- Authentication:
- Verifies credentials
- Contacts the AAA server to check the eligibility of those credentials
- Authorization:
- Determines the credentials' powers (privileges)
- Contacts the AAA server to check the privileges of those credentials
- Accounting:
- Determines some limitations
- Calculates statistics
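Added IOS example (not from the notes): the three A's from 5.8 wired to a TACACS+ server for management-plane access, with a local fallback account. Server name, address, shared key and usernames are placeholders.

```cisco
! Added example: AAA for the management plane (5.8). Server, key and users are placeholders.
aaa new-model
!
tacacs server TACACS-1
 address ipv4 10.0.0.10
 key TacacsSharedKey
!
aaa group server tacacs+ MGMT-AAA
 server name TACACS-1
!
! Authentication: verify credentials against the server; "local" is used only
! when the server is unreachable, not when it rejects the user.
aaa authentication login default group MGMT-AAA local
! Authorization: what the authenticated user may do (exec shell, level-15 commands).
aaa authorization exec default group MGMT-AAA local
aaa authorization commands 15 default group MGMT-AAA local
! Accounting: record sessions and commands for audit and statistics.
aaa accounting exec default start-stop group MGMT-AAA
aaa accounting commands 15 default start-stop group MGMT-AAA
!
! Local fallback account so the server being down does not lock you out.
username admin privilege 15 secret LocalFallbackPass
!
! With aaa new-model the VTY lines use the method list instead of "login local".
line vty 0 4
 transport input ssh
 login authentication default
!
! Verify: show aaa servers
!         test aaa group MGMT-AAA admin LocalFallbackPass legacy
```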
