CCNA Security 640-554

Contents
Security Concepts...................................................................................................................................... 1
AAA............................................................................................................................................................ 3
Layer 2 Security ......................................................................................................................................... 6
Cisco Configuration Professional .............................................................................................................. 8
IPS/IDS ..................................................................................................................................................... 10
Cisco Firewall/ASA .................................................................................................................................. 11
IPSec ........................................................................................................................................................ 14
VPNs ........................................................................................................................................................ 15
IPv6.......................................................................................................................................................... 17

Security Concepts

1. What are we protecting?
2. How is the potential target vulnerable currently?
3. Who wants to damage it, and what is the threat?
4. How can we prevent the damage?

1 + 2 + 3 + 4 = Risk

 Network security objectives
o Confidentiality
 Only authorized individuals/systems should see the information
o Integrity
 Make sure the information transmitted is not modified during transmission
o Availability
 Ensure the data is always available to the authorized users
 Countermeasures
o Physical
 Lock up your server room/network rack
 Password recovery
 If an attacker gains physical access to a Cisco device on your network,
they could password crack and break into it through ROMMON. There
is a command that disables entry into it if this happens
 #no service password-recovery
o Administrative
 Update security policies/enforce change control
o Logical

A Wathen ©2014 Page 1

 Change your passwords, fine tune the IPS and firewall
 Set minimum password requirements to prevent methods of password cracking
 #security passwords min-length *8*
 Autosecure (#auto secure): a one-step lockdown process that can be run from the CLI
o Cryptographic
 Encrypt info when possible
 To encrypt all passwords in your cisco configuration:
 #service password-encryption
o Legal
 Don't forget to include the legal warning (i.e. banners)
o Least privilege
 A network user should only have the level of access they need to do their job
 Defense in depth
o Layer your security
 Disable unused ports, utilize 802.1x authentication
 Refer to methods in countermeasures.
 Security Network Lifecycle
o Initiation
o Acquisition and development
o Implementation
o Maintenance
o Disposition (Safely)
 Risk analysis and management
o Asset cost
o Quantitative vs qualitative
 Quantitative: How much will it cost you?
 Qualitative: How bad will it be if this asset is lost?
o Assess vulnerability through measures
 Password Attacks
 Pentesting
 NFP (Network Foundation Protection)
o Management Plane ("Ability to manage", protocols used to connect, authenticate, and
manage routers/switches)
 Parser views
 Configure views that allow admins to provide other users necessary
privileges while preventing them from using certain commands
 #aaa new-model
 #enable view
 #parser view *Name*
 #secret *password*
 #commands exec [include | exclude] {all} *command* (i.e. show
running-config)
 #enable view *View Name*
 Cisco IOS resilient configuration
 Prevents your startup-config/flash from getting remotely/locally erased
 #secure boot-image (flash)
 #secure boot-config (startup-config)
 #show secure-bootset
 Recovery
 #secure boot-config restore
 ROMMON- boot *file*
 Disabling IOS resiliency can only happen by console
 #no secure boot-[config | image]
 Can be activated remotely
o Control Plane ("Ability to Route", routing protocols)
o Data Plane ("Ability to forward data", data being forwarded)
 ACLs
 Standard ACL filters only on the source address (placed closest to the destination)
 Extended ACL filters on source and destination (placed closest to the source)
 #access-list [1-99 | 100-199] permit [tcp | udp | *other protocol] X.X.X.X *wildcard mask* X.X.X.X *wildcard mask* {option}
 #ip access-list [standard | extended] [number | *Name]
 Primarily used for named access lists
 #access-class *#* [in | out] (line vty command)
 Used for vty lines
 Protocol-specific ACLs
 #ip access-list extended [Number | Name]
 #deny icmp host x.x.x.x any echo log
 #deny icmp host x.x.x.x any echo-reply log (denies ping)
 #permit icmp any any log
 Sequence numbers
 Can put an ACL line in between a line in the ACL
 Can’t use on dynamic, reflexive, firewall, or numbered ACLs
 #ip access-list extended *Name*
 *sequence number* [permit | deny] tcp any any
 Time-based ACLs
 Steps
1. Define the time range (absolute or periodic)
2. Call the time range in the ACL
3. Apply the ACL
 Configure your ACL first
 #time-range *Name*
 #[absolute | periodic] start [time/date] end [time/date]
 Add time-range *Name* to the ACL line (after the permit/deny command)
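The ACL notes above describe three rules that are easy to get wrong in practice: wildcard-mask matching (a 1 bit means "don't care"), first-match evaluation in sequence-number order, and the implicit deny at the end of every list. The following Python model, added here as an example and not part of the original notes or any Cisco code, implements those rules so the behaviour of a standard or extended ACL can be checked against sample packets. Protocol names, the "any" shorthand (0.0.0.0 with wildcard 255.255.255.255) and the sample entries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of IOS ACL matching (not a parser for real IOS syntax).
# Assumptions: protocol names are lowercase strings, ports are integers,
# and "any" is written as 0.0.0.0 with wildcard 255.255.255.255.

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care';
    a 0 bit means that bit of addr must equal the same bit of base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits we must compare
    return (a ^ b) & care == 0


@dataclass
class Ace:
    """One access-control entry (one line of an ACL)."""
    seq: int
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every protocol
    src: str = ANY[0]
    src_wc: str = ANY[1]
    dst: str = ANY[0]                # ignored by standard ACLs
    dst_wc: str = ANY[1]
    dst_port: Optional[int] = None   # "eq <port>" on tcp/udp lines
    log: bool = False


@dataclass
class Acl:
    name: str
    kind: str                        # "standard" or "extended"
    entries: list = field(default_factory=list)

    def add(self, ace: Ace) -> None:
        # Sequence numbers let a line be inserted between existing lines;
        # the ACL is always evaluated in ascending sequence order.
        self.entries.append(ace)
        self.entries.sort(key=lambda e: e.seq)

    def evaluate(self, proto: str, src: str, dst: str, dst_port: Optional[int] = None):
        """First-match evaluation. Returns (action, matching sequence number);
        a packet that matches no line hits the implicit deny (seq None)."""
        for e in self.entries:
            if not wildcard_match(src, e.src, e.src_wc):
                continue
            if self.kind == "extended":
                if e.proto not in ("ip", proto):
                    continue
                if not wildcard_match(dst, e.dst, e.dst_wc):
                    continue
                if e.dst_port is not None and e.dst_port != dst_port:
                    continue
            return e.action, e.seq
        return "deny", None


def build_example_acl() -> Acl:
    """Constructed extended ACL 101 in the spirit of the protocol-specific ACL above."""
    acl = Acl("101", "extended")
    acl.add(Ace(10, "deny", "icmp", "10.0.0.5", "0.0.0.0", log=True))            # deny icmp host 10.0.0.5 any log
    acl.add(Ace(30, "permit", "tcp", "10.0.0.0", "0.0.0.255", dst_port=80))     # permit tcp 10.0.0.0/24 any eq 80
    # A line inserted afterwards with a lower sequence number goes in front of the deny.
    acl.add(Ace(5, "permit", "icmp", "10.0.0.5", "0.0.0.0", "192.168.1.1", "0.0.0.0"))
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    print(acl.evaluate("icmp", "10.0.0.5", "192.168.1.1"))      # ('permit', 5)
    print(acl.evaluate("icmp", "10.0.0.5", "198.51.100.9"))     # ('deny', 10)
    print(acl.evaluate("tcp", "10.0.0.7", "198.51.100.9", 443))  # ('deny', None): implicit deny
```

Running the last three calls shows why line order matters: the same ICMP source is permitted or denied depending only on which line it reaches first, and any packet no line covers is silently dropped.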

AAA

 Authentication- Who can come in?
o Four responses when authenticating
 Accept
 Reject
 Continue (Need additional info)
 Error (Potential packet loss, frame errors)
 Authorization- What can an authenticated user do once they're in?
o ISE (Identity Service Engine)
o ACS (Access Control Server)
 Protocols used between ACS and the router
 TACACS+
 Cisco proprietary
 TCP-based
 Encrypts entire packet
 Considers each "A" a separate process
 TCP port 49
 RADIUS
 Open standard
 UDP-based
 Encrypts only password in initial packet
 Combines authentication and authorization
 Can't control authorization of users and router commands
 UDP port 1812
 Different vendors of RADIUS don't work well together
 Accounting- What is the user doing with this access? Who's paying for network resources
the user uses?
o Syslog server
 Severity Levels (In IOS)
 0- Emergencies
 1- Alerts
 2- Critical
 3- Errors
 4- Warnings
 5- Notifications
 6- Informational
 7- Debugging
o SNMP server
 SNMP Manager
 Runs management application
 SNMP agent
 Software that runs on a managed device
 Management Information Base
 Information about a managed device stored here
 Message types
 GET
 Used to retrieve info from managed device
 SET
 Sets a variable in a managed device
 Trap
 A message the Manager didn't ask for, i.e. if a significant event occurred
 Versions
 V1 and 2 security is weak. V3 fixes what the first two did wrong
 Security Levels
 noAuthNoPriv
 Uses community strings
 No authentication
 No encryption
 authNoPriv
 Uses hashing with HMAC and MD5 (Or SHA1)
 Not encrypted
 authPriv
 Provides hashing
 Encryption with CBC (Cipher Block Chaining) DES
 CCP config
 Configure -> Router -> SNMP (Define Community string, rights,
and IP/password of the trap receiver)
o NTP server
 Provides timing throughout the network for multiple purposes. One being
to ensure accurate timestamps when logging
 Current version is 4 (Provides cryptography. 1 and 2 don't)
 The lower the stratum level, the more reliable for timing the device is
(Stratum goes from 0 (Which is GPS clock) to 3)
 Three modes: Server (provides timing), client (receives updates from the server but can't send them), and peer (can send messages to each other)
 (Server configuration): #ntp master *stratum number*
 (Client configuration): #ntp server X.X.X.X
 #ntp update-calendar
 Verification: #show ntp associations
 Setting up timestamps
 #service timestamps log datetime
 Configuring AAA in IOS
o #aaa new-model
o #tacacs-server host *IP Address* key *key*
o #radius-server host 172.0.0.2 key ccnas
o #username *username* privilege 15 (Takes you directly to privileged
mode) secret *password*
o #enable secret *password*
o #aaa authentication login [default | *NAME*] group radius group tacacs+ local enable (First preference is RADIUS, second is TACACS+, third is local login, last is enable password)
o #line vty 0 4
o #login authentication [default | *NAME*]
o Additional options:
o #aaa authentication banner *Insert Banner Here*
o #aaa authentication [fail-message] [password-prompt] [username-prompt]
 CCP Config (Please refer to the CCP section first)
o Router -> AAA -> AAA summary (This is where you can enable AAA, and set
your AAA policies)
o Authentication policies (This is where you set your default login methods)
 Logging configuration within CCP
o Router -> Performance routing -> Logging (You can set your syslog server, buffer
size and logging level here)
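The accounting notes list the eight IOS severity levels, and the logging level you configure decides which of them reach the syslog server. The Python below is an added example (not from the notes or from Cisco) that parses IOS messages in the "%FACILITY-SEVERITY-MNEMONIC: text" format, applies a severity threshold the way a logging level does, and picks out the mnemonics a defender usually alerts on. The sample log lines and the watch list of mnemonics are constructed for the example.

```python
import re
from collections import Counter

# Cisco IOS severity numbers, as listed in the notes.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample lines in the IOS "%FACILITY-SEVERITY-MNEMONIC: text" format
# (timestamps in the style produced by "service timestamps log datetime").
SAMPLE_LOG = """\
*Mar  1 00:01:10: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
*Mar  1 00:01:12: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.2)
*Mar  1 00:02:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4411) -> 192.168.1.1(23), 1 packet
*Mar  1 00:03:02: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
*Mar  1 00:03:40: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test message
this line is not an IOS system message and is ignored
"""

MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")


def parse_line(line: str):
    """Return facility, severity (int), mnemonic and text, or None for non-IOS lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"facility": m["facility"], "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"], "text": m["text"]}


def filter_by_level(log_text: str, level: int) -> list:
    """Mimic a configured logging level: only messages whose severity number is
    <= level are forwarded (a lower number is more severe)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["severity"] <= level:
            out.append(rec)
    return out


def severity_histogram(log_text: str) -> dict:
    """Count messages per severity name; a quick sanity check of a log feed."""
    counts = Counter(rec["severity"] for rec in filter_by_level(log_text, 7))
    return {SEVERITY_NAMES[s]: n for s, n in sorted(counts.items())}


def security_events(log_text: str, watch=("ERR_DISABLE", "IPACCESSLOGP", "CONFIG_I")) -> list:
    """Pull out mnemonics a network defender typically alerts on: err-disabled ports,
    ACL log hits and configuration changes (the watch list is a constructed choice)."""
    return [rec for rec in filter_by_level(log_text, 7) if rec["mnemonic"] in watch]


if __name__ == "__main__":
    for rec in filter_by_level(SAMPLE_LOG, 4):      # level 4: warnings and worse
        print(rec["severity"], rec["facility"], rec["mnemonic"])
    print(severity_histogram(SAMPLE_LOG))
```

With the threshold at 4 only the link-down and err-disable messages pass; the configuration change (severity 5) and the ACL hit (severity 6) would never reach the collector, which is why a logging level chosen for noise reduction can also hide the events you most want to see.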

Layer 2 Security

 Dynamic Trunking Protocol
o Switchports will negotiate trunking (DTP) by default
o #switchport nonegotiate (Disables trunk negotiations)
 Native vlan
o Not tagged
 Double tagging
o Two separate VLAN IDs used (Uses native vlan to pose as multiple VLANs)
o Attacker must be on an access port whose VLAN is the trunk's native VLAN, and dot1q must be the trunking protocol in use
 Switch spoofing
o Allows rogue device to pretend to be a member of all VLANs on network
 BPDUguard
o If any BPDU is received on a port with this command on it, the port is shut down and err-disabled
o #spanning-tree bpduguard enable (Interface command)
o #spanning-tree portfast bpduguard default (Global command; applies to all PortFast ports)
 Rootguard
o Prevents a rogue switch from becoming the root bridge for STP
o #spanning-tree guard root (Interface command)
o Doesn't err-disable the port, but logs a syslog message when the rogue switch is blocked.
 Port security
o Used to only allow a certain number of MAC addresses (Default 1) to prevent
CAM overflow attacks
o #switchport port-security
o Setting a port to allow more than one mac address
 #switchport port-security maximum *5*
o Three violation types
 Protect (Unauthorized user cannot connect)
 Restrict (Unauthorized user cannot connect and log message is sent when
they attempt to connect)
 Shutdown (The port is err-disabled (Default))
 #switchport port-security violation [protect | restrict | shutdown]
o MAC address can be statically or dynamically configured
 #switchport port-security mac-address [*mac address* | sticky]
o Port security aging
 MAC address expires after a certain period of time
 #switchport port-security aging time *minutes*
 #switchport port-security aging type [absolute | inactivity]
 DHCP snooping
o If host sends discovery packet for DHCP address, a rogue server can trick the
computer into thinking it’s the server (Can also pose as a DNS server)
o Starvation attack: Rogue server exhausts real DHCP server of IP addresses
o DHCP snooping allows switch to serve as a firewall between hosts and untrusted
DHCP servers
 Trusted and Untrusted
 Trusted: Operates normally
 Untrusted: Rejects DHCP addresses and err-disables interface
 #ip dhcp snooping vlan *#*
 #ip dhcp snooping trust (Interface command; ports are untrusted by default, and no ip dhcp snooping trust returns a port to untrusted)
 Dynamic ARP inspection
o ARP cache poisoning/spoofing
 Rogue host gets in the middle of a connection and claims to be an arp
receiver. Uses identical IP
o DAI
 Prevents spoofing by creating a database of trusted MAC-IP mappings
 Performed as ARP messages are received
 Trusted/untrusted interfaces are used as they are in DHCP snooping
 #ip arp inspection vlan *number range*
 #ip arp inspection trust (Interface command)
 TCP intercept
o Syn Flooding
 Sends syn tcp packets without a legitimate IP and connection can’t finish
as there is no legitimate sender (AKA DoS attack)
 TCP Intercept (Watch mode)
 Router intercepts and watches user and sends syn-ack if syn is sent
by that port
 If ack is followed up by that user, the router accepts the syn and
the three way handshake between intended receiver and sender is
established.
 (Passive mode)
 Passes traffic but monitors incomplete TCP connections and closes
it after a period of time.
 #ip tcp intercept mode [intercept | watch]
 #ip tcp intercept watch-timeout *seconds* (For watch mode)
 Applying ACLs to define subnets/addresses that will be watched
 #access-list 101 permit ip x.x.x.x *wildcard* x.x.x.x *wildcard*
 #ip tcp intercept list 101
 PVLANs (Private VLANs)
o L2 feature that allows you to restrict/allow communication between hosts on the same VLAN
o Three types
 Promiscuous
 Can communicate with anyone on the same VLAN
 Community
 Can communicate with anyone in the community or to
promiscuous ports
 Isolated
 Can ONLY communicate with promiscuous ports (Not each other)
 SPAN (Switched Port Analyzer)
o Copies traffic from specified port/s (Ingress traffic on one port and egress traffic
on the other) and sends it to a destination SPAN port that can contain a sniffer or
traffic analyser.
o Types
 Local SPAN
 Remote SPAN
 Port-based SPAN
 VLAN-based SPAN
 ESPAN
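The port security notes describe a maximum MAC count and three violation modes, and the difference between them only shows up when an unexpected address arrives on a full port. The Python below is an added example, not from the notes or from Cisco, that models one access port with port security enabled and runs a constructed frame sequence through it in each mode; the MAC addresses and the log tuples it records are made up for the example.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Constructed model of 'switchport port-security' on one access port."""
    maximum: int = 1                 # switchport port-security maximum <n> (IOS default 1)
    violation: str = "shutdown"      # protect | restrict | shutdown (IOS default)
    allowed: set = field(default_factory=set)   # statically configured MACs
    learned: set = field(default_factory=set)   # dynamically learned (or sticky) MACs
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def frame(self, src_mac: str) -> str:
        """Process one ingress frame; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                       # port stays down until it is recovered
        mac = src_mac.lower()
        if mac in self.allowed or mac in self.learned:
            return "forward"
        if len(self.allowed) + len(self.learned) < self.maximum:
            self.learned.add(mac)               # room left in the table: learn it
            return "forward"
        # Table full and this MAC is unknown: a security violation.
        self.violation_count += 1
        if self.violation == "protect":
            return "drop"                       # silently dropped, nothing logged
        if self.violation == "restrict":
            self.log.append(("violation", mac))  # dropped, counted and logged
            return "drop"
        self.err_disabled = True                # shutdown: the whole port goes err-disabled
        self.log.append(("err-disable", mac))
        return "drop"


# Constructed frame sequence: the legitimate host, then a second MAC of the kind a
# CAM-overflow attempt would produce, then the legitimate host again.
FRAMES = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01"]


def simulate(violation_mode: str, maximum: int = 1) -> dict:
    """Run FRAMES through a port in the given mode and report what happened."""
    port = PortSecurity(maximum=maximum, violation=violation_mode)
    results = [port.frame(m) for m in FRAMES]
    return {"results": results, "err_disabled": port.err_disabled,
            "violations": port.violation_count, "log": port.log}


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, simulate(mode))
```

The three runs differ only in the last frame and the log: protect and restrict keep the legitimate host working after the unknown MAC is dropped (restrict also records it), while shutdown err-disables the port, so the legitimate host loses connectivity too until the port is recovered.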

Cisco Configuration Professional

To use CCP, there are certain prerequisites to get it working. I will show you how to get
it working (Windows only) so you can play with it managing a router on GNS3

 In GNS3, the router you have must be configured to support http and/or https (We’ll just use
http). If you plan to manage multiple routers, make sure you have your routes setup properly
o #ip http server
o #ip http authentication local
o #username *username* privilege 15 secret *password*
o #ip http timeout-policy idle 60 life 86400 requests 10000
 Next, you’ll need to configure a Microsoft Loopback adapter on your PC. To do this:
o Go to Start menu, right click on Computer, and when it opens, on the top left, you’ll
see “Device Manager”. Click on it.
o Select “Action” and click on “Add legacy hardware”
o Click next and on the next screen, select “Install the hardware that I manually select
from a list”
o Select Network adapters
o Go down to Microsoft and select the “Microsoft Loopback Adapter”
 Go back to GNS3. Drag the cloud icon (It should be in the category with the computer icon)
and double click to configure it.
o In the “NIO Ethernet” tab, you can select your adapter. Select the loopback adapter.
 Now that you have that done, you’ll attach the cloud to your router. Next, you’ll have to
configure the router interface, add the routing statement in the router, and configure the
loopback adapter for the same subnet as the IP address on that router interface
o Example: R1- #int f0/0 -> #ip address 192.168.1.1 255.255.255.0 -> no shutdown
o #router eigrp 1
o #network 192.168.0.0
o #no auto-summary
o Loopback adapter IPv4 address: 192.168.1.2 Mask: 255.255.255.0 Gateway:
192.168.1.1
 Now that you have that done, make sure you turn your internet off if your internet is using
the same subnet as this can cause conflict when trying to discover.
 A few extra things to prevent errors and other small issues. Make sure you run CCP as
administrator (ALWAYS).
o In Control Panel, look for Java. Open it and go to the Security tab. Go to edit site list
and add http://127.0.0.1:8600 as an exception (This is the address for CCP)
o In Internet Explorer, make sure in the option “Compatibility View Settings”, you
have 127.0.0.1 input as well.
o If you have any other issues when running CCP, I probably haven’t had the issue.
This is what I did to make it work.
 Input username and password of local login on your router when logging into CCP along
with the IP of the attached interface.
 Creating user profiles
o Application -> Create User Profile -> New
o Select Devices -> Next -> Select Permissions
 Template Creation
o Template -> Create
o Select a template from your localhost
o Parameterize: Select what you want to parameterize (i.e. hostname) and click the button
 Security Audit
o Under Security, select Security Audit
o Perform security audit vs One-step lockdown
 One-step lockdown implements all security features without giving you the
option to pick and choose
 Common threats observed by the Security Audit Feature
 Finger Service
 TCP/UDP small servers
 CDP
 Password encryption
 Enabling ip CEF
 Disabling IP gratuitous ARPs
 Minimum password length
 Enabling SSH
 Cisco security management tools
o Security Device Manager
 Used to configure and manage standalone routers
o Cisco Security Manager
 Manage a Cisco based network where you can manage and maintain up to
thousands of devices to include ASA and VPN technologies.

IPS/IDS

 IDS (Intrusion Detection System)
o Detects problematic traffic by mirroring copies of incoming packets
o Not in the line of traffic (No delay) AKA out-of-band
o Can’t handle the traffic by itself. Only analyzes and sounds the alarm
 IPS (Intrusion Prevention System)
o Detects and takes action
o No mirroring, but in the line of traffic directly
o Slight delay in packet forwarding (Due to analysis directly)
o If IPS goes bad, you need another entry point
o Actions that can be taken
 denyAttackerInline
 Denies all IP packets of source
 denyFlowInline
 Denies flow of traffic but doesn’t block user
 Alarm
 Sounds an alarm
 Reset
 Resets TCP connection
 Drop
 Drops the threatening packet
 Ironport
o C Series
 Email security. Provides anti-x capabilities and mail routing
o S Series
 Uses web reputation to provide signature-based anti-spyware
o M-series
 Spam quarantine management and reporting
 Sensor detection types
o Signature based
 Similar to antivirus definitions
 String of unique characters (Configured by Cisco)
 Types
 Atomic
o Match on a single packet
 Service
o Examine application layer services
 String or Multistring
o Pattern matching in one or multiple packets
 Other
o Policy based
 Manually configured by admin
o Anomaly based
 Looks for abnormal behavior on the network
o Reputation based
 One network tells another about a restriction/blocking of a host
 Risk Rating (RR)
o The higher the rating, the greater the risk in a particular event occurring
o Valued between 0-100
o Signature Fidelity Rating (SFR)
 Value of 0-100
 Reflects a signature's accuracy
o Alert Severity Rating
 Value assigned to the damage that would be caused by a successful attack
 25- Information
 50- Low
 75- Medium
 100- High
o Target Value Rating
 Rates relative importance of a target
 75- Low Asset
 100- Medium Asset
 150- High Asset
 200- Mission Critical Asset

Cisco Firewall/ASA

 Traffic should have to go through it
 Default settings are not recommended
 Consider a “Defense-in-Depth” Approach (See Defense-in-Depth)
 Belongs at logical attack points (i.e. Border Router)
 Should log the traffic not permitted
 Written policy should be dynamic
 PAT: Port Address Translation
o Used to translate multiple private IP addresses into one public IP address
 Types of Firewalls
o Stateless
 Packet Filtering
 Source/Destination IP
 Protocol Number
 Easier to Implement
 Can cause issues with legitimate connections by denying certain apps
appropriate protocols
 Open to IP spoofing
o Stateful
 Monitors the connection state
 Operates at L3-5 of the OSI model
 Monitors sequence numbers
 Allows a conversation to be initiated from inside to out, but not from the outside to in
 Maintains a session table
 Source/Destination IP with port numbers
 TCP/UDP flag settings
 TCP sequencing info
 Doesn't defend against application-layer attacks
o Application gateway
 Another device connects to the outside destination for you
 Inside user attempts to connect to an outside destination
 Proxy receives attempt, holds it, and attempts to connect to the
destination (If allowed)
 Proxy connects, gets information, then presents the inside user
(Which all of this is transparent to that user)
 Works up to the application layer
 Requires strong/expensive hardware
 Works well against denial of service attacks
 Cisco IOS Zone-based Firewall
o Zones are logical zones of multiple interfaces
o Interfaces can only be assigned to one zone
o Traffic in one zone can’t be allowed into another by default
o Self-zone
 Traffic destined for an IP address on the same router which is generated
by the router
o Zone pair
 Allows/inspects traffic destined between zones
 Unidirectional (Needs a zone pair on each side to be bidirectional)
 Action based on policy maps configured
o DMZ
 Most exposed to outside networks
o Class Maps
 Identify specific traffic and classify it
 #class-map type inspect match-any *NAME*
 #match protocol [http | https | other]
o Policy maps
 Take action on the traffic specified by the Class Map
 Actions taken:
 Inspect
o Permits and inspects traffic
o Used for users who expect a reply from devices on the other side
 Pass
o Permits traffic but doesn’t create entry in the database
o Traffic will get to destination but sender will not get a reply
 Drop
o Denies the packet
 Log
o Logs the traffic
 #policy-map type inspect *NAME*
 #class type inspect *Class map name*
 #[drop | inspect | pass | log]
o Zone security
 #zone security *INSIDE*
 #zone security *OUTSIDE*
 #zone-pair security *IN_TO_OUT* source *INSIDE* destination
*OUTSIDE*
 #service-policy type inspect *Policy Map Name*
 #int f0/0
 #zone-member security *INSIDE*
 #show zone-pair security
 #show zone security
o CCP Configuration
 Security -> Firewall -> Basic/Advanced Firewall
 Define inside/outside (And DMZ if you have one)
 Verifying zone pairs: Security -> Firewall Status
 NAT Configuration: Router -> NAT -> Basic/Advanced NAT -> Define
inside and outside interfaces
 Cisco ASA
o Features
 Packet filtering (Both standard and extended ACLs)
 Stateful Filtering
 Application inspection
 NAT support (with NAT exemption for VPN traffic)
 Can act as DHCP server
 Routing
 VPN support
 IPSec support for remote-access and site-to-site
 SSL support for clientless and AnyConnect
 Object Groups
 Refers to one or more items (i.e. subnet)
 Botnet traffic filtering
 AAA support
 Supports Active/Active and Active/Standby failover
o Security levels
 0-100
 The greater the number, the more trusted the interface
 Defaults
 Inside: 100
 DMZ: 50
 Outside: 0
 Traffic initiating from a lower to a higher security level will not go through by default. If it's a tie, traffic is also not allowed (refer to the ASDM section below for the workaround)
 Base license only allows three interfaces (Which includes the DMZ)
o ASDM config
 Configuration -> Startup wizard -> Assign IP to management interface ->
Next -> Host name, domain name (Can also change enable password) ->
Choose outside/inside/DMZ vlans -> Allocate ports to inside, outside and
DMZ -> Define inside/outside/DMZ IPs -> Define two interfaces in which
the traffic can be restricted -> (Optional) Define DHCP scope -> Setup
NAT/PAT interfaces
 Interface -> In this window, you can enable traffic between two or more
interfaces which are configured with the same security level
 Make sure to apply changes afterwards
 Configuration -> Firewall -> Access rules (This is where you can change default rules/security. You can add additional rules for more specific security)
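The zone-based firewall notes state several rules that are worth seeing together: an interface belongs to one zone, traffic between zones is dropped unless a zone pair permits it, a zone pair is one direction only, and inspect (unlike pass) records state so return traffic is allowed. The ASA notes add the security-level rule, including the same-level case. The Python below is an added example, not the notes' or Cisco's code, that models both decisions; the zone names, interfaces, policy and IP addresses are constructed for the example.

```python
class ZoneFirewall:
    """Constructed model of IOS zone-based firewall decisions (not Cisco code)."""

    def __init__(self):
        self.zone_of = {}      # interface -> zone (an interface belongs to at most one zone)
        self.policies = {}     # (source zone, destination zone) -> {protocol: action}
        self.sessions = set()  # state created by 'inspect', keyed on protocol and the two hosts

    def zone_member(self, interface: str, zone: str) -> None:
        self.zone_of[interface] = zone

    def zone_pair(self, src_zone: str, dst_zone: str, policy: dict) -> None:
        """policy maps a class (protocol name) to inspect | pass | drop; anything unmatched
        falls into class-default, which drops. A pair covers one direction only."""
        self.policies[(src_zone, dst_zone)] = policy

    def decide(self, in_if: str, out_if: str, proto: str, src_ip: str, dst_ip: str) -> str:
        src_zone, dst_zone = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src_zone is None and dst_zone is None:
            return "pass"                      # neither interface is zoned: firewall not involved
        if src_zone is None or dst_zone is None:
            return "drop"                      # zoned <-> unzoned traffic is always dropped
        if src_zone == dst_zone:
            return "pass"                      # intra-zone traffic is allowed by default
        flow = (proto, frozenset((src_ip, dst_ip)))
        if flow in self.sessions:
            return "pass"                      # return traffic of an inspected session
        action = self.policies.get((src_zone, dst_zone), {}).get(proto, "drop")
        if action == "inspect":
            self.sessions.add(flow)            # inspect permits and records the session
            return "pass"
        return action                          # "pass" creates no state; "drop" denies


def asa_allowed(src_level: int, dst_level: int, same_security_permitted: bool = False) -> bool:
    """ASA default interface behaviour: higher -> lower is allowed, lower -> higher is not,
    and equal levels need 'same-security-traffic permit inter-interface'."""
    if src_level > dst_level:
        return True
    if src_level == dst_level:
        return same_security_permitted
    return False


def build_example() -> ZoneFirewall:
    """INSIDE on f0/0, OUTSIDE on f0/1, one zone pair IN_TO_OUT (constructed)."""
    fw = ZoneFirewall()
    fw.zone_member("f0/0", "INSIDE")
    fw.zone_member("f0/1", "OUTSIDE")
    # Only INSIDE -> OUTSIDE is defined; there is deliberately no OUTSIDE -> INSIDE pair.
    fw.zone_pair("INSIDE", "OUTSIDE", {"http": "inspect", "icmp": "pass"})
    return fw


if __name__ == "__main__":
    fw = build_example()
    print(fw.decide("f0/0", "f0/1", "http", "10.1.1.5", "203.0.113.9"))   # pass (inspected)
    print(fw.decide("f0/1", "f0/0", "http", "203.0.113.9", "10.1.1.5"))   # pass (reply)
    print(fw.decide("f0/0", "f0/1", "icmp", "10.1.1.5", "203.0.113.9"))   # pass (no state)
    print(fw.decide("f0/1", "f0/0", "icmp", "203.0.113.9", "10.1.1.5"))   # drop (no reply allowed)
    print(asa_allowed(100, 0), asa_allowed(0, 100), asa_allowed(50, 50))  # True False False
```

The ICMP case is the one the notes warn about under "Pass": the echo request leaves, but the reply is dropped because pass keeps no session and no zone pair exists in the return direction.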

IPSec

 Runs at layer 3 (While SSL/SSH run at layers 4-7)
 Applications don't need to be designed to use IPSec
 Uses checksums and hashing (MD5, SHA1)
 Members of the IPSec suite
o Authentication Header (AH)
 Defines a method for authentication and security
 The IP header is not complete
 Optional anti-replay protection
o Encapsulating Security Payload (ESP)
 Defines a method for authentication, security, and encryption.
 More process intensive
 Anti-replay protection
o Internet Key Exchange (IKE)
 Negotiates security parameters and authentication
 Authenticates, provides key exchange and manages keys
 Three IKE Protocols
 SKEME- Enables public key encryption for authentication
 ISAKMP- Defines how messages will be exchanged
 Oakley- Defines mechanism for key exchange
 IKE Process
 Phase 1
o IPSec devices come to an agreement on what methods
should be used to exchange data for the Security
Association
 Hash
 MD5
 SHA1
 HMAC
o Hashing with an additional secret
key both parties have to know
 Authentication method
 PSK or RSA digital signature
 Diffie-Hellman Group (random number)
 Lifetime
 The time until the tunnel should be torn
down (In minutes)
 Encryption Algorithm (AES, 3DES, DES)
 Phase 1.5
o Optional
o Can use extended authentication (xauth) for additional
security
 Phase 2
o SA will be used
o Unidirectional SA in this phase
 Tunnel Termination (After specified lifetime)
 Tunnel vs Transport Mode
o Tunnel
 IPSec process is transparent to end hosts
 Entire IP packet is encrypted and placed in an additional IP packet
 Specialized IPSec gateway handles workload
o Transport
 Encrypts the payload
 No protection for the original IP
 IPSec header inserted directly after IP header
 L4-7 is protected only

VPNs

 Tunnel between two endpoints, exclusive only to two persons/parties
 Point-to-point WAN
 Categories
o Remote-access
 Used to connect to work network from home
o Site-to-site
 Used to connect from work to another company building i.e. HQ or other
site
 Benefits
o Scalability
o Cost
o Security
 Four things VPNs provide
o Authentication
 Combo of ciphers and keys (Pre-shared keys)
o Data Integrity
 Ensures data that arrives originated with the source authenticated devices
(Hashing)
o Confidentiality
 Only two of the endpoints should read the data (Cryptography)
o Anti-Replay
 Prevents MITM attacks
 Cryptography
o Symmetric
 DES
1. 56 bits
 3DES
1. 168 bits, effective 112
 AES
1. Runs on Cisco router that has IPSec 3DES/DES capability
 RC4, Blowfish, IDEA
 Faster than asymmetric but less secure
o Asymmetric
 Private and Public key used
 Diffie-Hellman, RSA, DSS
1. Diffie-Hellman
o Makes secure key exchange over a non-secure channel possible
o Endpoints must agree on a non-secure, non-secret numeric value before it works. Numbers, not keys
o Does not include authentication
 PKI (Public Key Infrastructure)
o User’s info to Certificate Authority
 Public key
 IP address
 Name (hostname.domainname.com)
o CA issues digital certificate
 Signed by CA with public key
o Digital signature
1. Computer 1 (Sender) runs a hash and encrypts data with their private key
2. Computer 2 (Receiver) decrypts the message with Computer 1's public key
3. Computer 2 runs the hash algorithm
4. If the results are identical, the signature is authentic
5. If it's not, the person could be a fake or the transmission was corrupted
o Methods of verifying revoked certificates
 CRL (Certificate Revocation List)
 Database of revoked certificates recognized by the CA
 OCSP (Online Certificate Status Protocol)
1. Alternative to CRLs
2. Computer 1 transmits request of Computer 2’s digital certificate
status
3. The responder lets Computer 1 know that Computer 2 is:
o Good
o Revoked
o Unknown
4. Susceptible to MITM attacks
 SCEP
 Scalable
 Usually requires intensive input
 SSL VPNs
o Anyone can attempt to connect via port 443 (Also known as a clientless VPN)
o Can also use SSL by using Cisco's AnyConnect client (client-based)
 Site-to-Site VPN process (IPSec)
o Process initialized by "Interesting Traffic"
 Defined by a crypto access-list
 Traffic that comes in without IPSec in the tunnel is discarded
 If traffic is not defined in the ACL, it is forwarded normally.
 #access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
o IKE Phase 1
 #crypto isakmp policy 5
 #authentication pre-share
 #encryption aes 128
 #hash md5
 #group 5
 #lifetime 1000
 #crypto isakmp key *Key* address *peer address*
o IKE Phase 2
o Data Transfer
o Tunnel Termination
 CCP Config
o Security -> VPN -> Site-to-Site VPN
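The IPSec and VPN notes together cover the pieces of an IKE Phase 1 exchange: a Diffie-Hellman key agreement (which by itself includes no authentication), a pre-shared key for authentication, and HMAC (hashing with a secret both parties know) for integrity. The Python below is an added example, not from the notes or from any Cisco implementation, that carries those pieces through end to end with the standard library. The group (the prime 2^127 - 1 with generator 2), the SHA-256 key derivation and the sample payload are constructed stand-ins for a real IKE group and PRF; it uses HMAC-SHA1, one of the two hash choices listed in the notes.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy group for illustration only: 2^127 - 1 is prime, generator 2.
# A real IKE policy negotiates a standard group (e.g. "group 5" in the notes).
P = (1 << 127) - 1
G = 2


def dh_keypair(private: Optional[int] = None) -> tuple:
    """Return (private, public) with public = G^private mod P."""
    priv = private if private is not None else secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(private: int, peer_public: int) -> int:
    """Both sides compute G^(a*b) mod P from their own private and the peer's public value."""
    return pow(peer_public, private, P)


def derive_key(shared: int) -> bytes:
    """Stand-in for IKE's PRF-based key derivation: hash the shared secret to 32 bytes."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1: a hash that only holders of the key can produce or verify."""
    return hmac.new(key, data, hashlib.sha1).digest()


def psk_authenticate(psk: bytes, pub_a: int, pub_b: int) -> bytes:
    """Bind the exchanged public values to the pre-shared key, so a value altered in
    transit fails verification (this is what bare Diffie-Hellman lacks)."""
    return hmac_tag(psk, pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big"))


def exchange(psk: bytes, a_priv: Optional[int] = None, b_priv: Optional[int] = None,
             tamper: bool = False) -> dict:
    """Run one key agreement between A and B; with tamper=True, B receives a modified
    public value for A, as it would if the values were altered on the path."""
    a_priv, a_pub = dh_keypair(a_priv)
    b_priv, b_pub = dh_keypair(b_priv)
    seen_a_pub = a_pub + 1 if tamper else a_pub
    auth_a = psk_authenticate(psk, a_pub, b_pub)          # computed by A over what A sent/received
    auth_b = psk_authenticate(psk, seen_a_pub, b_pub)     # computed by B over what B received
    k_a = derive_key(dh_shared(a_priv, b_pub))
    k_b = derive_key(dh_shared(b_priv, seen_a_pub))
    payload = b"constructed ESP payload"
    tag = hmac_tag(k_a, payload)                          # A protects a payload with its key
    return {
        "auth_ok": hmac.compare_digest(auth_a, auth_b),
        "keys_match": k_a == k_b,
        "tag_ok": hmac.compare_digest(hmac_tag(k_b, payload), tag),
        "tampered_payload_ok": hmac.compare_digest(hmac_tag(k_b, payload + b"!"), tag),
    }


if __name__ == "__main__":
    print(exchange(b"ccnas"))                 # auth_ok, keys_match, tag_ok True; tampered False
    print(exchange(b"ccnas", tamper=True))    # auth_ok and keys_match False
```

The untampered run shows both peers arriving at the same key and the HMAC rejecting a modified payload; the tampered run shows that the Diffie-Hellman values alone give no hint anything went wrong (the peers simply end up with different keys), and that it is the PSK-keyed check that detects it.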

IPv6

 128-bit IP address represented in hexadecimal
 Nodes can assign themselves an address with autoconfiguration
o Stateless
 Host configures its own link-local address
 First 64 bits: the FE80::/10 prefix followed by 54 zero bits
 Last 64 bits is the interface identifier
o Stateful
 Host obtains a v6 address and other info from a server
 Anycasts
o Address that represents multiple interfaces
 Identification
o 001 (Global Address)
o 1111 1111 (Multicast)
o 1111 1110 11 (Link local)
o ::1 (Loopback)
 Common link local addresses
o FF02::1 (All nodes)
o FF02::2 (All routers)
o FF02::9 (All RIP routers)
o FF02::A (All EIGRP routers)
 DAD (Duplicate Address Detection)
o Host sends a neighbor solicitation message to see if any other host is using the
same link local address
o If a neighbor advertisement is received, the host will disable its link local address
o Next, the host sends a router solicitation message to the router on the link to
retrieve info. The router responds with a RA (Router advertisement) containing:
 Whether the host should use DHCP
 If DHCP is in use, it tells the host where the server is
 If not, it provides needed network prefix and lifetime information
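The IPv6 notes describe how a host builds its link-local address (FE80::/10 plus an interface identifier), how addresses are identified by their leading bits, and how Duplicate Address Detection makes the host disable a link-local address that another node already answers for. The Python below, added here as an example and not part of the notes, carries those steps through with the standard library. It derives the interface identifier with modified EUI-64, the standard MAC-based method (the notes only say "interface identifier"); the MAC address and the list of neighbor replies are constructed for the example.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE in the middle and invert
    the universal/local bit (bit 7 of the first byte)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/10 prefix, 54 zero bits, then the 64-bit interface identifier."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def classify(addr: str) -> str:
    """Identify an address by its leading bits, as listed in the notes."""
    a = int(ipaddress.IPv6Address(addr))
    if a == 1:
        return "loopback"                # ::1
    if a >> 120 == 0b11111111:
        return "multicast"               # FF00::/8
    if a >> 118 == 0b1111111010:
        return "link-local"              # FE80::/10
    if a >> 125 == 0b001:
        return "global unicast"          # 2000::/3
    return "other"


def dad_conflict(tentative: str, neighbor_replies: list) -> bool:
    """Duplicate Address Detection: true if a neighbor advertisement for the tentative
    address came back. neighbor_replies is a constructed list of addresses seen in
    neighbor advertisements on the link."""
    t = ipaddress.IPv6Address(tentative)
    return any(ipaddress.IPv6Address(n) == t for n in neighbor_replies)


def build_link_local(mac: str, neighbor_replies: list) -> Optional[str]:
    """Stateless autoconfiguration step: derive the link-local address, run DAD and
    return None (address disabled) when a duplicate is detected."""
    candidate = link_local_from_mac(mac)
    if dad_conflict(str(candidate), neighbor_replies):
        return None
    return str(candidate)


if __name__ == "__main__":
    print(build_link_local("00:1a:2b:3c:4d:5e", []))           # fe80::21a:2bff:fe3c:4d5e
    for a in ("FF02::1", "fe80::1", "2001:db8::1", "::1"):
        print(a, classify(a))
```

Note that a host whose link-local address is disabled by DAD never gets to the router solicitation step, which is why a node answering neighbor solicitations for addresses it does not own is a denial-of-service condition worth watching for on the link.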
