Chapter 4 - Network Foundation Protection Flashcards

0
Q

What are the three basic planes in the NFP framework?

A

1) Management plane
2) Control plane
3) Data plane

1
Q

What is network foundation protection?

A

Network foundation protection (NFP) is all about breaking the infrastructure down into smaller components and then systematically focusing on how to secure each of those components.

2
Q

Describe the management plane of the NFP framework.

A

This includes the protocols and traffic that an administrator uses between their workstation and the router or switch itself. An example is using a remote management protocol such as Secure Shell (SSH).

3
Q

Describe the control plane in the NFP.

A

This includes protocols and traffic that the network devices use on their own without direct interaction from an admin. An example is a routing protocol.

4
Q

Describe the data plane in the NFP.

A

This includes traffic which is being forwarded through the network (sometimes called transit traffic). An example is a user on one part of the network who is accessing a server; the data plane represents the traffic that is being switched or forwarded by the network devices between the client and server.

5
Q

Describe how you would use Security Measures to protect the Management plane.

A

Authenticate and authorize admins (AAA). Protect time synchronization using NTP. Use only encrypted protocols such as SSH for CLI or SSL/TLS for GUI tools and use secure versions of SNMP. If plaintext tools are used, they should be protected by encryption protocols such as IPsec. A parser view is a way to limit what a specific individual, based on his role, can do on a router.

6
Q

List 7 different security measures for the management plane.

A

1) Authentication, authorization, accounting (AAA)
2) Authenticated network time protocol (NTP)
3) Secure Shell (SSH)
4) SSL/TLS - Secure Sockets Layer/Transport Layer Security
5) Protected syslog
6) Simple Network Management Protocol Version 3 (SNMPv3)
7) Parser Views

7
Q

How can you remove the possibility of an attacker manipulating routing tables?

A

Routing protocol updates should be authenticated.

8
Q

What are 2 Security Methods to use on the control plane?

A

1) Control plane policing (CoPP) & Control plane protection (CPPr)
2) Authenticated routing protocols

10
Q

Access control lists (ACLs) are a security measure for which plane?

A

Data plane

10
Q

Why is it important to protect the infrastructure at Layer 2 in the data plane?

A

You can prevent a rogue switch from becoming the root of your spanning tree.

11
Q

When applied as filters on interfaces, what can control which traffic (transit traffic) is allowed on the data plane?

A

ACLs

12
Q

How can an IOS Zone-Based firewall be a security measure at the data plane?

A

It can control exactly what traffic is flowing through your network based on policy.

13
Q

What is role-based access control (RBAC)?

A

Creating a group that has specific rights, and then placing users in that group.

14
Q

What are some ways to implement RBAC?

A

Using Access Control Server (ACS) and CLI parser views.

15
Q

How does AAA work?

A

The network router or switch can interact with a centralized server before allowing any access, before allowing any command to be entered, and while keeping an audit trail that identifies who has logged in and what commands they executed. Your policies reside on the server, and the routers/switches act as clients.

16
Q

What are some ways of locking down syslog?

A

By using a separate VLAN for management traffic or encrypting the syslog data.

17
Q

What is an example of out-of-band (OOB)?

A

Using a separate VLAN to send management traffic through where the user traffic never goes.

18
Q

What are 3 ways to secure the control plane?

A

1) CoPP
2) CPPr
3) Routing protocol authentication

19
Q

What is CoPP?

A

Control Plane Policing

20
Q

How does CoPP work?

A

You can configure this as a filter for any traffic destined to an IP address on the router itself.

21
Q

What is an example of CoPP?

A

You can specify that management traffic, such as SSH/HTTPS/SSL, be rate-limited (policed) down to a specific level.

22
Q

How is CoPP applied so that the policy can be applied globally to the router?

A

It is applied to the logical control plane interface (not directly to any Layer 3 interface).

23
Q

What is CPPr?

A

Control plane protection.

24
Q

How is CPPr different from CoPP?

A

It allows for more detailed classification of traffic that is going to use the CPU for handling.

25
Q

What are the 3 different sub-categories of traffic that can be classified with CPPr?

A

1) Traffic to one of the physical or logical interfaces of the router
2) Certain data plane traffic that requires CPU intervention before forwarding (such as IP options)
3) Cisco Express Forwarding (CEF) exceptions (traffic related to network operations, such as keepalives or packets with Time-to-Live mechanisms)

26
Q

What is a benefit of CPPr?

A

You can rate-limit and filter traffic with a more fine-toothed comb than CoPP.

27
Q

What interface is CPPr applied to?

A

Logical Interface

28
Q

How can routing protocol authentication be used to secure the control plane?

A

A rogue router on the network will not be believed by the authorized network devices. Most routing protocols support authentication.

29
Q

What are 5 features you can use to protect the data plane?

A

1) ACLs used for filtering
2) IOS firewall support
3) IOS IPS
4) TCP Intercept
5) Unicast Reverse Path Forwarding

30
Q

How have the firewall features on an IOS router grown over the years?

A

The older technology was called context-based access control. This has been replaced with the more current Zone-Based firewall on the IOS.

31
Q

What is IOS IPS?

A

A software implementation of an intrusion prevention system (IPS) that is overlaid on top of the existing routing platform.

32
Q

What does an IOS IPS use to look for malicious traffic?

A

Signature matches.

33
Q

What is TCP intercept?

A

This tool allows the router to look at the number of half-formed sessions that are in place and intervene on behalf of the destination device. This can protect against a SYN-flood attack.

34
Q

When uRPF is enabled on a router, what does the router spend some extra time doing?

A

When packets enter the interface, it spends an extra moment considering the source address of the packet. It then considers its own routing table, and if the routing table does not agree that the interface that just received the packet is also the best egress interface to use for forwarding to the source address of the packet, it then denies the packet.

35
Q

What can be used to mitigate spoofed IP packets on the data plane?

A

Unicast Reverse Path Forwarding (uRPF)

36
Q

How do you block unwanted traffic at the router?

A

Using ACLs. If your corporate policy does not allow certain traffic, just implement ACLs inbound or outbound on any Layer 3 interface on the router.

37
Q

How can you reduce the chance of DoS attacks on the data plane layer?

A

Techniques such as TCP Intercept and firewall services can reduce the risk of SYN-flood attacks.

38
Q

How can you provide bandwidth management at the data plane layer?

A

Implementing rate-limiting on certain types of traffic can also reduce the risk of an attack.

39
Q

How can you reduce spoofing attacks at the data plane layer other than uRPF?

A

Filter or deny packets trying to enter your network (from the outside) that claim to have a source IP address that is from your internal network.

40
Q

What are 4 Layer 2 mechanisms that you can use to help protect the data plane?

A

1) Port security
2) Dynamic Host Configuration Protocol (DHCP) snooping
3) Dynamic ARP inspection (DAI)
4) IP source guard

41
Q

How can DHCP snooping protect the data plane?

A

It can prevent a rogue DHCP server from handing out incorrect default gateway information and protect a DHCP server from a starvation attack.

42
Q

What can switch port security protect against at the data plane?

A

It can protect against MAC address flooding and CAM (content-addressable memory) overflow attacks.

43
Q

What is a DHCP starvation attack?

A

Where an attacker requests all the IP addresses available from the DHCP server so that none are available.

44
Q

What can DAI protect against at the data plane?

A

ARP spoofing and ARP poisoning.

45
Q

What is ARP poisoning?

A

Advertising the incorrect IP-to-MAC address mapping information.

46
Q

What does IP source guard do?

A

When implemented on a switch, it verifies that IP spoofing is not being performed by devices on that switch.

47
Q

Layer 2 controls, such as private VLANs and Spanning Tree Protocol (STP) guards, are security measures for which plane?

A

Data plane.

48
Q

IOS IPS and Zone-based firewalls are security measures for which plane?

A

Data plane.

49
Q

Enforcing a password policy is a best practice for securing which plane?

A

Management plane.

50
Q

Blocking unwanted traffic at the router is a best practice for securing which plane?

A

Data plane.

51
Q

Locking down the syslog is a best practice for securing which plane?

A

Management plane.

52
Q

Implementing an IPS is a best practice for securing which plane?

A

Data plane.

53
Q

Controlling which IP addresses are allowed to initiate management sessions with the network device is a best practice for securing which plane?

A

Management plane.

54
Q

Reducing the chance of a DoS attack using TCP Intercept and firewall services is a best practice for protecting which plane?

A

Data plane.

55
Q

Reducing spoofing attacks is a best practice for protecting which plane?

A

Data plane.

56
Q

Using RBAC and AAA services is a best practice for securing which plane?

A

Management plane.

57
Q

Providing bandwidth management is a best practice for securing which plane?

A

Data plane.

58
Q

Keeping accurate time across all network devices using secure NTP is a best practice for protecting which plane?

A

Management plane.

59
Q

Using encrypted and authenticated versions of SNMP is a best practice for securing which plane?

A

Management plane.