Chapter 6 - Securing the Mgmt Plane on a Cisco IOS Device

Question 1

What are 7 Management Plane Best Practices?

Answer 1

1) Strong Passwords
2) User authentication and AAA
3) Role-based access control (RBAC)
4) Encrypted management protocols
5) Logging
6) Network Time Protocol (NTP)
7) Secure system files

Question 2

Describe AAA.

Answer 2

Authentication, authorization, and accounting - You can control which admins are allowed to connect to which devices and what they can do while they are there, and you can create an audit trail of what they did.

Question 3

How can you control an adminitrator’s access to a device?

Answer 3

Through AAA and custom privilege levels/parser views. You could create a group that has limited permissions and then assign that administrator to that group. This is an example of using RBAC.

Question 4

What does out-of-band management mean?

Answer 4

It implies that there is a completely separate network just for management protocols and a different network for end users and their traffic.

Question 5

What are some examples of encrypted communication to use with management?

Answer 5

Secure Shell (SSH) or Hypertext Transfer Protocol Secure (HTTPS).

Question 6

If a plaintext management protocol must be used, what can be used to encrypt the traffic?

Answer 6

VPN

Question 7

What is the purpose of logging?

Answer 7

It’s a way to create an audit trail. It not only includes what admins have changed or done, but also system events that are generated by the router or switch because of some problem or some threshold that has been reached.

Question 8

If SNMP is used for logging, what version should be used and why?

Answer 8

Version 3 should be used because of its authentication and encryption abilities.

Question 9

What is an SNMP trap?

Answer 9

A message generated by the router or switch to alert the manager or management station of some event.

Question 10

Why is it important to use NTP to synchronize clocks on network devices?

Answer 10

It’s important to correlate clocks among network devices in case there is ever a breach you need to reconstruct (or prove in a court of law) what occurred.

Question 11

What are the 3 functional components of AAA?

Answer 11

1) Authentication
2) Authorization
3) Accounting and auditing

Question 12

What is the function of authentication in AAA?

Answer 12

It’s the process by which individuals prove that they are who they claim to be.

Question 13

What are 2 common methods or choices for authenticating a user?

Answer 13

1) Referring to the local running configuration

2) Going to an external server that holds the username and password

Question 14

In AAA, what happens after the user has been authenticated?

Answer 14

The user or admin is then authorized.

Question 15

What does authorization in AAA do?

Answer 15

It determines which resources the user or admin is allowed access, and which operations may be performed.

Question 16

What is the role of accounting and auditing?

Answer 16

To record what the user or admin actually does with this access, what he accesses, and how long he accesses it.

Question 17

Monitoring all the activity of a user or admin through accounting and auditing is also referred to what?

Answer 17

Creating an audit trail.

Question 18

What are 4 AAA centralized server types?

Answer 18

1) Cisco Secure ACS Solution Engine
2) Cisco Secure ACS for Windows Server
3) Current flavors of ACS functionality
4) Self-contained AAA

Question 19

What is the Cisco Secure ACS Solution Engine?

Answer 19

This is a dedicated server that contains the usernames, their passwords, and other information about what users are allowed to access and when.

Question 20

What is the protocol used between the router and the ACS server if you are authenticating an admin who is seeking command-line access?

Answer 20

TACACS+

Question 21

What is the protocol used between the router and ACS server if you are authenticating an end user for network access?

Answer 21

RADIUS

Question 22

What is Cisco Secure ACS for Windows Server?

Answer 22

AAA services on a router or network access server contact an external Cisco Secure ACS (running on a Microsoft Windows system).

Question 23

What are current flavors of ACS functionality?

Answer 23

The most common way that ACS services are implemented today is through a virtual machine running on some flavor of VMWare.

Question 24

What is Cisco Identity Services Engine?

Answer 24

It’s another up-and-coming service to support similar services to ACS.

Question 25

What is ACS?

Answer 25

Access Control Server

Question 26

What is self-contained AAA?

Answer 26

AAA services are self-contained on the router itself.

Question 27

What is self-contained AAA also known as?

Answer 27

Local authentication and authorization.

Question 28

In self-contained AAA, what is the local database also referred to?

Answer 28

The running configuration of the router or IOS device.

Question 29

Before we can authorize a user or admin, what must be done first?

Answer 29

We must choose authentication first. We cannot choose authorization for a user without knowing who that user is through authentication first.

Question 30

For remote administrative access, what type of protocol would be used?

Answer 30

Usually TACACS+ between the router and the ACS.

Question 31

For remote network access end users, what type of protocol would be used?

Answer 31

Usually RADIUS between the router and the ACS.

Question 32

For remote admin access, what mode does this normally provide access to?

Answer 32

Character (line or EXEC mode).

Question 33

For remote network access and users, what mode does this normally provide access to?

Answer 33

Packet (interface mode) such as an interface with PPP requiring authentication.

Question 34

For remote admin access, where (lines or interfaces) are these likely to be used?

Answer 34

vty, AUX console, and tty

Question 35

For remote network access and users, where (lines or interfaces) are these likely to be used?

Answer 35

Interfaces: async, group-async, BRI, PRI, Other functionality: VPN user authentication

Question 36

For remote admin access, what are the AAA command elements?

Answer 36

login, enable, exec

Question 37

For remote network access and users, what are the AAA command elements?

Answer 37

ppp, network, vpn groups

Question 38

What is a AAA method list?

Answer 38

Lis of available methods for AAA to use in order (local, RADIUS, TACACS, and so on).

Question 39

What method list command element identifies the type of list being created - with relevant options being authentication, authorization, or accounting?

Answer 39

type

Question 40

What method list command element specifies the default list of methods to be used based on the methods that follow this argument?

Answer 40

default

Question 41

What method list command element is used to create a custom method list?

Answer 41

list-name

Question 42

In the case of an authentication method list, what are some example methods?

Answer 42

enable, krb5, krb5-telnet, line, local, local-case, none, group radius, group tacacs+

Question 43

To use the local user database for authentication, what keyword must be used?

Answer 43

local

Question 44

What is a solution to protecting the router against a user connecting with Telnet or SSH since CCP cannot restrict visibility at the CLI?

Answer 44

parser views or simply a view

Question 45

What is a parser view?

Answer 45

Creating a “view” and associating it with a subset of commands. When the user logs in using this view, that same user is restricted to only those commands. You can also associate multiple users with a single view.

Question 46

What is the main problem with telnet?

Answer 46

It uses plain text and anyone who gets a copy of those packets can identify our usernames and passwords used for access and any other information being passed.

Question 47

If Telnet must be used, how should it be used?

Answer 47

It should only be used out of band, or placed within a VPN tunnel for privacy, or both.

Question 48

How is SSH better than Telnet?

Answer 48

SSH encrypts all packets used in the session.

Question 49

Accurate time can be implemented with what protocol?

Answer 49

Network Time Protocol (NTP)

Question 50

Cisco IOS devices can send log output to what different destinations?

Answer 50

1) Console
2) vty lines
3) Buffer
4) SNMP server
5) Syslog server

Question 51

What is the area called where messages are stored in router memory?

Answer 51

Buffer

Question 52

A syslog logging solution consists of what two primary components?

Answer 52

Syslog server and Syslog client

Question 53

What command encrypts most plaintext passwords in the configuration?

Answer 53

service password-encryption

Question 54

What command enables AAA features?

Answer 54

aaa new-model

Question 55

What command creates a default method list for character mode login that will use the local database (running config) on the router or switch?

Answer 55

aaa authentication login default local

Question 56

What command enters the root parser view, from where you can create additional views?

Answer 56

enable view

Question 57

To use the enable view command, what must already be in place?

Answer 57

aaa new-model

Question 58

What command assigns a show startup-config command to a customer privilege level 8?

Answer 58

privilege exec level 8 show startup-config

Question 59

What command creates the public/private key pair required for SSH?

Answer 59

crypto key generate rya

Question 60

What command secures the IOS image on flash?

Answer 60

secure boot-image

Question 61

What command would create an authentication method list called bubba that will use the local database first, and if the username does not exist, will require the enable secret to allow login?

Answer 61

aaa authentication bubba local enable

Question 62

What commands apply the method list named bubba to the console port?

Answer 62

line console 0

login authentication bubba

Question 63

What command displays debugging messages for the authentication functions of AAA?

Answer 63

debug aaa authentication

Question 64

What command displays debugging messages for the authorization functions of AAA?

Answer 64

debug aaa authorization

Question 65

What command displays debugging messages for the accounting functions of AAA?

Answer 65

debug aaa accounting

Question 66

What is SNMP?

Answer 66

Simple Network Management Protocol - The intent is to manage network nodes, such as network servers, routers, switches, and so on.

Question 67

What are 3 components of SNMP?

Answer 67

SNMP manager, SNMP agent, and Management Information Base

Question 68

What is the SNMP Manager?

Answer 68

Runs a network management application. This SNMP manager is sometimes called a Network Management Server (NMS).

Question 69

What is an SNMP Agent?

Answer 69

A piece of software that runs on a managed devices (such as server, router, or switch).

Question 70

What is the Management Information Base?

Answer 70

Information about a managed device’s resources and activity is defined by a series of objects. The structure of these management objects is defined by a a managed device’s Management Information Base (MIB). It’s like a collection of unique numbers associated with each of the individual components of a router.

Question 71

What are the 3 broad categories of SNMP message types?

Answer 71

1) GET
2) SET
3) Trap

Question 72

This type of SNMP message is used to retrieve information from a managed device.

Answer 72

GET

Question 73

This type of SNMP message is used to set a variable in a managed device or to trigger an action on a managed device.

Answer 73

SET

Question 74

This SNMP message is an unsolicited message sent from a managed device to an SNMP manager.

Answer 74

Trap

Question 75

In regards to SNMP, what is a security model?

Answer 75

Defines an approach for user and group authentication.

Question 76

In regards to SNMP, what is a security level?

Answer 76

Defines the type of security algorithm performed on SNMP packets.

Question 77

What are 3 SNMP security levels?

Answer 77

1) noAuthnoPriv
2) authNoPriv
3) authPriv

Question 78

Why is using SNMPv3 better than SNMPv1 or SNMPv2c?

Answer 78

SNMPv3 supports all 3 SNMP security levels, whereas the others only support noAuthNoPriv security levels.

Question 79

What is a custom privilege level?

Answer 79

Level 0 (user) and level 15 (enable) are predefined; anything in between (1-14) would be custom privilege level.

Question 80

What is secure bootset?

Answer 80

Part of the Cisco IOS Resilient Configuration feature, preventing the erasure of IOS files from a storage device, such as flash or NVRAM.