CCNA2 - Module 11 -13 Flashcards

(94 cards)

1
Q

– easiest for hackers to deploy

A

Layer 2 attacks

2
Q

prevents MAC address table overflow attacks
- Port security (PS) limits the number of valid MAC addresses allowed on a port (MAC addresses are either manually configured by the admin or dynamically learned)
- Only permitted MAC addresses are allowed on the port; PS thereby controls unauthorized access to the network

A

Enabling port security

3
Q

command to enable port security

A

S1(config-if)# sw port-security
  o If the port is set to dynamic auto (trunk negotiation on), the command above is rejected; the port must be an access port first

4
Q

4 types of port security

A
  • aging
  • mac-address
  • maximum
  • violation
5
Q

Limit and learn MAC addresses

A
  • default = 1
  • max = depends on the switch model and IOS version
6
Q

3 ways to learn MAC addresses

A
  1. Manually configured
    S1(config-if)# sw port-security mac-address mac-address
  2. Dynamically learned: the current source MAC address connected to the port is automatically secured (not added to the running config). After a reboot, the port must re-learn the device's MAC address
  3. Dynamically learned – sticky: the admin enables the switch to learn MAC addresses dynamically (as in 2) and stick them to the running config
    S1(config-if)# sw port-security mac-address sticky
    * Save the running config so the sticky addresses survive a reboot

sh port-security interface and sh port-security address – verify configurations

7
Q

2 types of aging

A
  1. Absolute – secure addresses on the port are deleted after the specified aging time
  2. Inactivity – secure addresses on the port are deleted if they are inactive for the specified time

S1(config-if)# sw port-security aging {static | time time | type {absolute | inactivity}}

8
Q

Port security violation modes

A
  1. Shutdown (default) – port goes to the error-disabled state immediately, the port LED turns off, and a syslog message is sent
  2. Restrict – port drops packets with unknown source addresses (the violation counter increments and a syslog message is generated)
  3. Protect – least secure (packets are dropped but no syslog message is sent)
9
Q

ports in error-disabled state

A

sh interface – identifies the port status as err-disabled
sh port-security interface – shows the port status as secure-shutdown

10
Q

Verify port security

A

sh port-security – display port-security settings for all ports on the switch
sh port-security interface – view port-security settings for one interface
sh run | begin int f0/19 – verify that MAC addresses are 'sticking' to the configuration
sh port-security address – display all secure MAC addresses

11
Q

is launched in one of three ways:
- Spoofing DTP messages from the attacking host (switch port goes into trunking mode)
  o Attacker then sends traffic tagged with the target VLAN
- Introducing a rogue switch and enabling trunking
  o Attacker can access ALL VLANs on the victim switch
- Double-tagging (double-encapsulated) attack
  o Takes advantage of the way the hardware on most switches operates

A

VLAN hopping attack

12
Q

Steps to Mitigate VLAN Hopping Attacks

A
  1. Disable DTP (auto trunking) negotiation on non-trunking ports (sw mode access)
  2. Disable unused ports and put them in an unused VLAN
  3. Manually enable the trunk link on trunking ports (sw mode trunk)
  4. Disable DTP negotiation on trunking ports (sw nonegotiate)
  5. Set the native VLAN to a VLAN other than VLAN 1 (sw trunk native vlan vlan_no)
13
Q

– uses attack tools such as Gobbler to create a Denial of Service (DoS) for connecting clients
- Can be effectively mitigated using port security, because Gobbler uses a unique source MAC address for each DHCP request sent
- Gobbler can, however, be configured to use the actual interface MAC address as the source Ethernet address

A

DHCP starvation attack

14
Q

– requires more protection
- Can be mitigated using DHCP snooping on trusted ports

A

DHCP spoofing attacks

15
Q

filters DHCP messages and rate-limits DHCP traffic on untrusted ports
* Trusted sources
  o Devices under admin control (switches, routers, servers)
  o Trusted interfaces (trunk links, server ports)
* Untrusted sources
  o Devices outside the network and all access ports

A

DHCP snooping

16
Q

– includes the source MAC address of a device on an untrusted port and the IP address assigned to it
- MAC and IP address are bound together
- Aka _________________________________

A

DHCP table
DHCP snooping binding table

17
Q

Steps to Implement DHCP Snooping

A
  1. Enable DHCP snooping globally (S1(config)# ip dhcp snooping)
  2. Configure trusted ports (S1(config-if)# ip dhcp snooping trust)
  3. Rate-limit untrusted interfaces (S1(config-if)# ip dhcp snooping limit rate packets-per-second)
  4. Enable DHCP snooping by VLAN (S1(config)# ip dhcp snooping vlan vlan-id)

S1# sh ip dhcp snooping – verify DHCP snooping settings
S1# sh ip dhcp snooping binding – view the clients that have received DHCP information

18
Q

– requires DHCP snooping and helps prevent ARP attacks by
- Not relaying invalid ARP replies to other ports
- Verifying each intercepted packet for a valid IP-to-MAC binding
- Dropping and logging invalid ARP replies
- Error-disabling the interface if the configured DAI number of ARP packets is exceeded

A

Dynamic ARP Inspection (DAI)

19
Q

DAI Implementation Guidelines

A
  • Enable DHCP snooping globally
  • Enable DHCP snooping on selected VLANs
  • Enable DAI on selected VLANs
  • Configure trusted interfaces for DHCP snooping and ARP inspection
    o Trusted (uplink ports that connect to other switches)
    o Untrusted (all access ports)
20
Q

Destination MAC, source MAC and IP address checks

A

Destination MAC – checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body
Source MAC – checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body
IP address – checks the ARP body for invalid and unexpected IP addresses, including 0.0.0.0, 255.255.255.255, and all IP multicast addresses

21
Q

PortFast and BPDU Guard

A

PortFast
- Immediately brings a port to the forwarding state from the blocking state, bypassing the listening and learning states
- Apply to all end-user access ports
BPDU Guard
- Immediately error-disables a port that receives a BPDU
- Like PortFast, BPDU Guard should only be configured on interfaces attached to end devices

22
Q

Configure PortFast

A
  • Only enable PortFast on access ports
  • PortFast on an inter-switch link can create a spanning-tree loop

On interface – S1(config-if)# spanning-tree portfast
Globally – S1(config)# spanning-tree portfast default

23
Q

Verify PortFast

A

Verify PortFast is enabled GLOBALLY
- sh run | begin span
- sh spanning-tree summary
Verify PortFast is enabled on an INTERFACE
- sh run int type/number
- sh spanning-tree int type/number detail

24
Q

Configure BPDU Guard

A
  • If a BPDU is received on a BPDU Guard enabled access port, the port is put into the error-disabled state
  • This means the port is shut down and must be manually re-enabled or automatically recovered through the errdisable recovery cause bpduguard global command

On interface – S1(config-if)# spanning-tree bpduguard enable
Globally – S1(config)# spanning-tree portfast bpduguard default

25
* is a type of wireless network that is `commonly used in homes, offices, and campus environments.`
* WLANs `make mobility possible` within the home and business environments.
* Wireless infrastructures `adapt to rapidly changing needs` and technologies.
**Wireless LAN (WLAN)**
26
**Types of Wireless Networks**
* Wireless Personal-Area Network (WPAN)
* Wireless LAN (WLAN)
* Wireless MAN (WMAN)
* Wireless WAN (WWAN)
27
* – `Low power and short-range` (20-30ft or 6-9 meters). Based on IEEE 802.15 standard and 2.4 GHz frequency. Bluetooth and Zigbee are WPAN examples.
**Wireless Personal-Area Network (WPAN)**
28
* – `Medium sized networks` up to about 300 feet. Based on IEEE 802.11 standard and 2.4 or 5.0 GHz frequency.
**Wireless LAN (WLAN)**
29
* – `Large geographic area` such as ***city or district***. Uses specific licensed frequencies.
**Wireless MAN (WMAN)**
30
* – `Extensive geographic area` for ***national or global communication***. Uses specific licensed frequencies.
**Wireless WAN (WWAN)**
31
– `IEEE WPAN standard` used for device pairing at up to 300ft (100m) distance.
**Bluetooth**
32
* – Supports `mesh topology` to large scale network devices.
**Bluetooth Low Energy (BLE)**
33
* – Supports `point-to-point topologies` and is optimized for audio streaming.
**Bluetooth Basic Rate/Enhanced Rate (BR/EDR)**
34
– `Alternative to wired broadband internet connections`. IEEE 802.16 WLAN standard for up to 30 miles (50 km).
**WiMAX (Worldwide Interoperability for Microwave Access)**
35
– `Carry both voice and data.` Used by phones, automobiles, tablets, and laptops.
**Cellular Broadband**
36
* – Internationally recognized
**Global System for Mobile Communications (GSM)**
37
* – Primarily used in the US.
**Code Division Multiple Access (CDMA)**
38
– `Uses directional satellite dish aligned with satellite in geostationary orbit`. Needs a clear line of sight. Typically used in ***rural locations*** where cable and DSL are unavailable.
**Satellite Broadband**
39
* – Regulates the allocation of radio spectrum and satellite orbits.
**International Telecommunication Union (ITU)**
40
* – `Specifies how a radio frequency is modulated to carry information`. Maintains the standards for local and metropolitan area networks (MAN) with the IEEE 802 LAN/MAN family of standards.
**Institute of Electrical and Electronics Engineers (IEEE)**
41
* – `Promotes the growth and acceptance of WLANs`. It is an association of vendors whose objective is to improve the interoperability of products that are based on the 802.11 standard
**Wi-Fi Alliance**
42
**Wireless Home Router**
* **Access point** – To provide wireless access
* **Switch** – To interconnect wired devices
* **Router** – To provide a default gateway to other networks and the Internet
43
**Access Point (AP) Categories**
* **Autonomous APs** – `Standalone devices configured through a command line interface or GUI`. Each autonomous AP acts independently of the others and is configured and managed manually by an administrator.
* **Controller-based APs** – Also known as ***lightweight APs (LAPs)***. `Use Lightweight Access Point Protocol (LWAPP) to communicate with a WLAN controller (WLC)`. Each LAP is automatically configured and managed by the WLC.
44
* – `Standalone devices configured through a command line interface or GUI`. Each acts independently of the others and is configured and managed manually by an administrator.
**Autonomous APs**
45
* – Also known as *`lightweight APs (LAPs)`*. `Use Lightweight Access Point Protocol (LWAPP) to communicate with a WLAN controller (WLC)`. Each LAP is automatically configured and managed by the WLC.
**Controller-based APs**
46
**Wireless Antennas**
* **Omnidirectional** – Provide `360-degree coverage`. Ideal in houses and office areas.
* **Directional** – `Focus the radio signal in a specific direction`. Examples are the Yagi and parabolic dish.
* **Multiple Input Multiple Output (MIMO)** – `Uses multiple antennas` (up to eight) to increase bandwidth.
47
**802.11 Wireless Topology Modes**
* **Ad hoc mode** – Used to `connect clients in peer-to-peer manner *without* an AP.`
* **Infrastructure mode** – Used to `connect clients to the network using an AP.`
* **Tethering** – `Variation of the ad hoc topology` is when a smart phone or tablet with cellular data access is enabled to create a personal hotspot.
48
* Uses a `single AP` to interconnect all associated wireless clients.
* Clients in `different BSSs cannot communicate.`
**Basic Service Set (BSS)**
49
* A `union of two or more BSSs interconnected` by a wired distribution system.
* Clients in each BSS can communicate through the ESS.
**Extended Service Set (ESS)**
50
are `half-duplex and a client cannot “hear” while it is sending,` making it impossible to detect a collision.
**WLANs**
51
**To achieve successful association, a wireless client and an AP must agree on specific parameters:**
* **SSID** – The `client needs to know the name of the network to connect`.
* **Password** – This is `required for the client to authenticate to the AP`.
* **Network mode** – The `802.11 standard in use.`
* **Security mode** – The `security parameter settings`, i.e. WEP, WPA, or WPA2.
* **Channel settings** – The `frequency bands in use.`
52
* – `AP openly advertises its service by periodically sending broadcast beacon frames` containing the SSID, supported standards, and security settings.
**Passive mode**
53
* – `Wireless clients must know the name of the SSID`. The wireless client `initiates the process` by broadcasting a probe request frame on multiple channels.
**Active mode**
54
* is an `IEEE standard protocol that enables a WLC to manage multiple APs and WLANs.`
* `Based on LWAPP but adds additional security` with Datagram Transport Layer Security (DTLS).
* `Encapsulates and forwards WLAN client traffic` between an AP and a Wireless LAN Controller (WLC) over tunnels using UDP ports 5246 and 5247.
* `Operates over both IPv4 and IPv6.` IPv4 uses IP protocol 17 and IPv6 uses IP protocol 136.
**Control and Provisioning of Wireless Access Points (CAPWAP)**
55
* `provides security between the AP and the WLC.`
* It is `enabled by default to secure the CAPWAP` control channel and encrypt all management and control traffic between AP and WLC.
* `Data encryption is disabled by default` and requires a DTLS license to be installed on the WLC before it can be enabled on the AP.
**Datagram Transport Layer Security (DTLS)**
56
enables the configuration and control of APs over a WAN link.
**FlexConnect**
57
**2 modes of FlexConnect AP**
* **Connected mode** – The *WLC is reachable*. The FlexConnect AP **has** `CAPWAP connectivity with the WLC through the CAPWAP tunnel.` The WLC performs all CAPWAP functions.
* **Standalone mode** – The *WLC is unreachable*. The FlexConnect AP has lost CAPWAP connectivity with the WLC. The FlexConnect AP can assume some of the WLC functions such as `switching client data traffic locally and performing client authentication locally.`
58
* – A `modulation technique designed to spread a signal over a larger frequency band`. Used by `802.11b` devices to avoid interference from other devices using the same 2.4 GHz frequency.
**Direct-Sequence Spread Spectrum (DSSS)**
59
* - `Transmits radio signals by rapidly switching a carrier signal among many frequency channels`. Sender and receiver must be synchronized to “know” which channel to jump to. Used by the original 802.11 standard.
**Frequency-Hopping Spread Spectrum (FHSS)**
60
* – A `subset of frequency division multiplexing in which a single channel uses multiple sub-channels on adjacent frequencies`. OFDM is used by a number of communication systems including 802.11a/g/n/ac.
**Orthogonal Frequency-Division Multiplexing (OFDM)**
61
_______________ can be the result of the following:
* Improperly configured devices
* A malicious user intentionally interfering with the wireless communication
* Accidental interference
**Wireless DoS attacks**
62
* is an `AP or wireless router that has been connected to a corporate network without explicit authorization and against corporate policy.`
* Once connected, the rogue AP `can be used by an attacker to capture MAC addresses`, capture data packets, gain access to network resources, or launch a man-in-the-middle attack.
* A `personal network hotspot` could also be used as a rogue AP. For example, a user with secure network access enables their authorized Windows host to become a Wi-Fi AP.
* To prevent the installation of rogue APs, `organizations must configure WLCs with rogue AP policies and use monitoring software` to actively monitor the radio spectrum for unauthorized APs.
**rogue AP**
63
, the `hacker is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties.` A popular wireless MITM attack is called the “**evil twin AP**” attack, where an `attacker introduces a rogue AP and configures it with the same SSID as a legitimate AP.`
**man-in-the-middle (MITM) attack**
64
* `APs and some wireless routers allow the SSID beacon frame to be disabled.` Wireless clients must be manually configured with the SSID to connect to the network.
**SSID Cloaking**
65
* An `administrator can manually permit or deny clients wireless access based on their physical MAC hardware address`. In the figure, the router is configured to permit two MAC addresses. Devices with different MAC addresses will not be able to join the 2.4GHz WLAN.
**MAC Address Filtering**
66
* `No password required`. Typically used to provide `free internet access in public areas `like cafes, airports, and hotels. * Client is responsible for providing security such as through a VPN.
**Open system authentication**
67
* `Provides mechanisms`, such as WEP, WPA, WPA2, and WPA3 to authenticate and encrypt data between a wireless client and AP. However, the `password must be pre-shared between both parties to connect.`
**Shared key authentication**
68
**Shared Key Authentication Methods**
**Wired Equivalent Privacy (WEP)**
- Original 802.11 specification
- Uses Rivest Cipher 4 (RC4) encryption with a static key
- No longer recommended; should never be used
**Wi-Fi Protected Access (WPA)**
- Wi-Fi Alliance standard
- Secures data with the stronger Temporal Key Integrity Protocol (TKIP)
- Changes encryption keys for each packet, increasing security
**WPA2**
- Uses the Advanced Encryption Standard (AES) for encryption
- Currently considered the strongest encryption protocol
**WPA3**
- Next-generation Wi-Fi security
- Implements the latest security methods
- Disallows outdated legacy protocols
- Requires Protected Management Frames (PMF)
69
- Original 802.11 specification
- Uses Rivest Cipher 4 (RC4) encryption with a static key
- No longer recommended; should never be used
**Wired Equivalent Privacy (WEP)**
70
- Wi-Fi Alliance standard
- Secures data with the stronger Temporal Key Integrity Protocol (TKIP)
- Changes encryption keys for each packet, increasing security
**Wi-Fi Protected Access (WPA)**
71
- Uses the Advanced Encryption Standard (AES) for encryption
- Currently considered the strongest encryption protocol
**WPA2**
72
- Next-generation Wi-Fi security
- Implements the latest security methods
- Disallows outdated legacy protocols
- Requires Protected Management Frames (PMF)
**WPA3**
73
* – Intended for `home or small office networks`, users `authenticate using a pre-shared key (PSK)`. Wireless clients authenticate with the wireless router using a pre-shared password. `No special authentication server is required.`
**Personal**
74
* – Intended for `enterprise networks`. Requires a `Remote Authentication Dial-In User Service (RADIUS) authentication server`. The device must be authenticated by the RADIUS server and then users must authenticate using `802.1X standard, which uses the Extensible Authentication Protocol (EAP) for authentication.`
**Enterprise**
75
* – `Used by WPA and provides support for legacy WLAN equipment`. Makes use of WEP but encrypts the Layer 2 payload using it.
**Temporal Key Integrity Protocol (TKIP)**
76
* – `Used by WPA2 and uses the Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP)` that allows destination hosts to recognize if the encrypted and non-encrypted bits have been altered.
**Advanced Encryption Standard (AES)**
77
**Authentication in the Enterprise**
* **RADIUS server IP address** – IP address of the server.
* **UDP port numbers** – UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting, but can also operate using UDP ports 1645 and 1646.
* **Shared key** – Used to authenticate the AP with the RADIUS server.
78
* : Thwarts brute force attacks by using Simultaneous Authentication of Equals (SAE).
**WPA3 – Personal**
79
* : `Uses 802.1X/EAP authentication.` However, it requires the use of a `192-bit cryptographic suite` and eliminates the mixing of security protocols for previous 802.11 standards.
**WPA3 – Enterprise**
80
* : Does not use any authentication. However, uses Opportunistic Wireless Encryption (OWE) to encrypt all wireless traffic.
**Open Networks**
81
* : Uses Device Provisioning Protocol (DPP) to quickly onboard IoT devices.
**IoT Onboarding**
82
**The Wireless Router**
People who work from home, have small offices, or need Wi-Fi at home often use a small router.
* These routers usually have a few ports for wired devices, a port for connecting to the internet (often labeled "WAN"), and built-in Wi-Fi.
* They offer features like Wi-Fi security, automatic IP address assignment (DHCP), sharing one internet connection with many devices (NAT), and quality of service (QoS) to manage traffic.
* The features can be different depending on the router brand and model.
Note: Setting up a cable or DSL modem is usually done by a technician from your internet service provider, either in person or remotely.
83
**How to Log In to a Wireless Router**
Most routers are set up to connect to the network right away and start working.
* They come with default settings like IP addresses, usernames, and passwords that are easy to find online.
* Important: Change these defaults right away to keep your network secure.
84
**Steps to Access the Router Settings**
1. Open a web browser on a device connected to the router.
2. Type in the router's default IP address (you can find this in the manual or online).
3. Use the default login info (often admin for both the username and password).
85
**Basic Network Setup**
Basic network setup includes the following steps:
* Log in to the router from a web browser.
* Change the default administrative password.
* Log in with the new administrative password.
* Change the default DHCP IPv4 addresses.
* Renew the IP address.
* Log in to the router with the new IP address.
86
**Basic Wireless Setup**
Basic wireless setup includes the following steps:
* View the WLAN defaults.
* Change the network mode, identifying which 802.11 standard is to be implemented.
* Configure the SSID.
* Configure the channel, ensuring there are no overlapping channels in use.
* Configure the security mode, selecting from Open, WPA, WPA2 Personal, WPA2 Enterprise, etc.
* Configure the passphrase, as required for the selected security mode.
87
**Configure a Wireless Mesh Network**
In a small office or home network, one wireless router may suffice to provide wireless access to all the clients.
* If you want to extend the range beyond approximately 45 meters indoors and 90 meters outdoors, you create a wireless mesh.
* Create the mesh by adding access points with the same settings, except using different channels to prevent interference.
* Extending a WLAN in a small office or home has become increasingly easier.
* Manufacturers have made creating a wireless mesh network (WMN) simple through smartphone apps.
88
**NAT for IPv4**
Typically, the wireless router is assigned a publicly routable address by the ISP and uses a private network address for addressing on the LAN.
* To allow hosts on the LAN to communicate with the outside world, the router will use a process called **Network Address Translation (NAT).**
* NAT translates a private (local) source IPv4 address to a public (global) address (the process is reversed for incoming packets).
* NAT makes sharing one public IPv4 address possible by tracking the source port numbers for every session established by a device.
* If your ISP has IPv6 enabled, you will see a unique IPv6 address for each device.
89
**Quality of Service**
Many wireless routers have an option for configuring Quality of Service (QoS).
* By configuring QoS, you can `guarantee that certain traffic types, such as voice and video`, are prioritized over traffic that is not as time-sensitive, such as email and web browsing.
* On some wireless routers, traffic can also be prioritized on specific ports.
90
* is a rule-based method of directing traffic between devices on separate networks.
**Port forwarding**
91
**Port Forwarding**
Wireless routers typically block TCP and UDP ports to prevent unauthorized access in and out of a LAN.
* However, there are situations when specific ports must be opened so that certain programs and applications can communicate with devices on different networks.
* Port triggering allows the router to temporarily forward data through inbound ports to a specific device.
* You can use port triggering to forward data to a computer only when a designated port range is used to make an outbound request.
92
* is a `controller-based AP as opposed to an autonomous AP`, so it requires no initial configuration and is often called a `lightweight AP (LAP).`
**access point (AP)**
93
use the Lightweight Access Point Protocol (LWAPP) to communicate with a WLAN controller (WLC).
**lightweight APs (LAPs).**
94
* are useful in situations where many APs are required in the network.
**Controller-based AP**