Module 11 Flashcards

Learning Unit 6 (45 cards)

1
Q

Zero Trust & Defense in Depth

A

• Zero Trust Model
  o Nothing inside or outside the network is trusted by default
  o Every device, user, and connection must be verified before access is granted
  o Internal threats are treated as seriously as external threats
• Defense in Depth Strategy
  o Multiple, redundant security layers, so that a single failure does not expose everything
  o Protects against malware, intrusions, and misconfigurations
  o Security implemented across all devices: routers, switches, servers, etc.

2
Q

Access Control Lists (ACLs)

A

• Purpose
  o Filter traffic at routers, switches, and firewalls
  o Permit or deny packets based on defined criteria
• Match Criteria
  o Network layer protocol (IP, ICMP)
  o Transport layer protocol (TCP, UDP)
  o Source/destination IP address
  o TCP/UDP port number
• ACL Structure
  o Consists of sequential "permit" or "deny" statements (access control entries)
  o Evaluated top to bottom; the first matching entry decides and evaluation stops
  o Implicit deny: a packet that matches no entry is dropped by default
  o One ACL per interface, per direction, per protocol (an interface can carry one inbound and one outbound IPv4 ACL)
  o Can be applied to inbound or outbound traffic
• Wildcard Masks (inverse of subnet masks)
  o 0 bit = that bit of the address must match
  o 1 bit = that bit may be any value
  o Example: 10.1.1.0 0.0.0.255 lets the last octet vary (matches 10.1.1.X, i.e., 10.1.1.0/24)

3
Q

ACL Configuration (Cisco-style)

A

• Basic Syntax
  o access-list <number> permit|deny <protocol> <src> <src-wildcard> <dest> <dest-wildcard> [eq <port>]
  o Examples:
     - Allow all ICMP: access-list acl_2 permit icmp any any
     - Deny all ICMP: access-list acl_2 deny icmp any any
     - Allow TCP from host 2.2.2.2 to host 5.5.5.5: access-list acl_2 permit tcp host 2.2.2.2 host 5.5.5.5
     - Allow TCP from host 2.2.2.2 to host 3.3.3.3 on port 80: access-list acl_2 permit tcp host 2.2.2.2 host 3.3.3.3 eq www
     - Allow TCP from network 10.1.1.0/24 to any destination: access-list acl_2 permit tcp 10.1.1.0 0.0.0.255 any
  o Note: on real Cisco IOS the access-list command takes a number (100-199 or 2000-2699 for extended IPv4 ACLs); named ACLs are built with ip access-list extended <name>. The acl_2 name above follows the course's simplified syntax.
• Key Notes
  o ACLs must be applied to an interface (ip access-group <acl> in|out) to take effect
  o If no ACL is applied to an interface, all traffic through it is allowed
  o Long ACLs may slow router performance; place the most frequently matched entries first
  o Common misconfigurations:
     - Incorrect rule order (a broad permit or deny placed above a more specific entry shadows it, so the specific entry is never reached)
     - Wrong match criteria (e.g., writing a subnet mask where a wildcard mask is expected)
     - Syntax errors
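The matching rules on these two cards (wildcard masks, top-to-bottom first-match evaluation, the implicit deny, and how a misordered entry gets shadowed) are easiest to see in code. The following is an added example written for this page, not code from the course or from Cisco: a small Python model of extended-ACL evaluation. The ACL lines are the course's examples plus one constructed misordered ACL; the packets fed to it are constructed for the demonstration, and the named-port table covers only a handful of well-known names.

```python
"""Added example (not from the original flashcards): a model of Cisco-style extended
ACL evaluation showing wildcard-mask matching, first-match top-to-bottom processing,
the implicit deny, and rule-order shadowing. Packets and ACLs are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "domain": 53, "ssh": 22}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'.
    It is the inverse of a subnet mask (0.0.0.255 corresponds to /24)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF   # bits that must match
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "icmp", "tcp", "udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None      # "eq <port>" on the destination


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'access-list 100 permit tcp host 2.2.2.2 10.1.1.0 0.0.0.255 eq www'.
    'host X' expands to X 0.0.0.0; 'any' expands to 0.0.0.0 255.255.255.255."""
    tok = line.split()
    assert tok[0] == "access-list", "not an access-list line"
    action, proto, rest = tok[2], tok[3], tok[4:]

    def take_addr(r):
        if r[0] == "any":
            return "0.0.0.0", "255.255.255.255", r[1:]
        if r[0] == "host":
            return r[1], "0.0.0.0", r[2:]
        return r[0], r[1], r[2:]

    src, src_wc, rest = take_addr(rest)
    dst, dst_wc, rest = take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry). The first matching entry wins;
    if nothing matches, the implicit deny applies and the index is None."""
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):          # 'ip' matches every IP protocol
            continue
        if not (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None                              # implicit deny at the end


def load(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines()]


# The course's example entries, as one numbered extended ACL (constructed ordering)
ACL = load("""
access-list 100 permit tcp host 2.2.2.2 host 3.3.3.3 eq www
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any
access-list 100 deny icmp any any
""")

# Misordered ACL (constructed): the broad permit shadows the host-specific deny,
# so the second entry can never match.
ACL_SHADOWED = load("""
access-list 101 permit icmp any any
access-list 101 deny icmp host 192.168.2.2 any
""")

if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "2.2.2.2", "3.3.3.3", 80))        # ('permit', 0)
    print(evaluate(ACL, "udp", "10.1.1.5", "8.8.8.8", 53))       # ('deny', None) implicit
    print(evaluate(ACL_SHADOWED, "icmp", "192.168.2.2", "1.1.1.1"))  # ('permit', 0): deny never reached
```

The index returned alongside the action is what you want when auditing an ACL: an entry that never shows up as a match for any realistic packet is either shadowed by an earlier entry or has the wrong mask.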

4
Q

Control Plane Policing (CoPP)

A

• Purpose
  o Protects the control plane (routing decisions, protocol management, i.e., the router's CPU) rather than transit traffic
  o Prevents overload during high traffic or attacks (e.g., ICMP floods aimed at the router itself)
  o Uses QoS-style class maps and policy maps to rate-limit traffic destined to the device
• General Steps
  1. Create an ACL that identifies the traffic to police
     - In a CoPP class, packets the ACL permits are placed in the class and policed; packets the ACL denies are not classified, and so are not limited
     - Order matters: exempt trusted sources first, then match the rest
     - Example (police all ICMP except from the trusted host 192.168.2.2):
        access-list 100 deny icmp host 192.168.2.2 any
        access-list 100 permit icmp any any
     - If the permit icmp any any line came first it would match all ICMP, the deny line would never be reached, and the trusted host would be limited too
  2. Create a Class Map
     - class-map <name>
     - Match the ACL: match access-group 100
  3. Create a Policy Map
     - policy-map <name>
     - Pair with the class: class <class-name>
     - Apply policing: police <bps> conform-action transmit exceed-action drop
     - Example: police 8000 conform-action transmit exceed-action drop
  4. Apply to the Control Plane
     - Enter control-plane mode: control-plane
     - Apply the policy: service-policy input <policy-name>
• Test CoPP
  o Send large or rapid pings from a trusted (exempt) source and from an untrusted (policed) source
  o Pings from the untrusted source are dropped once they exceed the configured rate; the trusted source is unaffected
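To make the "police 8000 conform-action transmit exceed-action drop" behaviour concrete, here is an added example (written for this page; not course or Cisco code) that simulates the policer as a single-rate token bucket and exempts the trusted host the way the ACL ordering above does. The bucket depth of 1500 bytes is an assumption, since the card gives only the rate; the packet trace is constructed.

```python
"""Added example (not from the original flashcards): CoPP policing simulated as a
single-rate token bucket. Rate 8000 bps follows the card; the 1500-byte burst depth
is assumed. The packet trace is constructed for the demonstration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Policer:
    rate_bps: int            # committed rate, e.g. 'police 8000'
    burst_bytes: int         # bucket depth (Cisco 'bc'); assumed here
    tokens: float = 0.0
    last_t: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)     # bucket starts full

    def offer(self, t: float, size: int) -> str:
        """Return 'transmit' (conform) or 'drop' (exceed) for a packet of size bytes at time t."""
        # refill at rate_bps/8 bytes per second since the last packet, capped at the depth
        self.tokens = min(self.burst_bytes, self.tokens + (t - self.last_t) * self.rate_bps / 8)
        self.last_t = t
        if self.tokens >= size:
            self.tokens -= size
            return "transmit"
        return "drop"


TRUSTED = {"192.168.2.2"}   # the host the ACL 'deny' line keeps out of the policed class


def run_copp(packets: List[Tuple[float, str, int]], rate_bps: int = 8000,
             burst_bytes: int = 1500) -> List[str]:
    """packets: (time_s, src_ip, size_bytes) in time order. Returns the action per packet."""
    policer = Policer(rate_bps, burst_bytes)
    actions = []
    for t, src, size in packets:
        if src in TRUSTED:
            actions.append("transmit")             # not classified -> not policed
        else:
            actions.append(policer.offer(t, size))
    return actions


# Constructed trace: ten 1000-byte pings 10 ms apart from an untrusted host,
# then ten from the trusted host.
PACKETS = [(0.01 * i, "10.0.0.99", 1000) for i in range(10)] + \
          [(0.01 * i, "192.168.2.2", 1000) for i in range(10, 20)]

if __name__ == "__main__":
    for (t, src, size), act in zip(PACKETS, run_copp(PACKETS)):
        print(f"t={t:.2f}s {src:12} {size}B -> {act}")
```

At 8000 bps the bucket refills at 1000 bytes per second, so the untrusted burst gets one packet through and the rest are dropped, while the same host sending one ping per second is never limited; that is exactly the "ping from trusted and untrusted sources" test the card describes.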

5
Q

Switch Security Features

A

• Certain features are common to both routers and switches (e.g., CoPP)
• Others are switch-specific because switches handle Layer 2 traffic
• Key switch-specific features:
  o RA Guard
  o DHCP Snooping
  o Dynamic ARP Inspection (DAI)

6
Q

RA Guard

A

• Protects IPv6 clients from malicious or rogue Router Advertisements (RAs)
• Mitigates two major problems:
  o Hijacking or misdirecting traffic via fake RAs (the attacker becomes the default gateway or injects bogus prefixes)
  o DoS via RA flooding
• Works by filtering RAs so that only those from trusted sources are forwarded:
  o Specific switch interfaces (router-facing ports)
  o Specified source MAC/IPv6 addresses, router priority, advertised prefixes, etc.
• Configured on Cisco switches with the ipv6 nd raguard commands:
  o ipv6 nd raguard policy <name> creates a policy; device-role host or device-role router sets the port type
  o ipv6 nd raguard attach-policy <name> applies the policy to an interface
  o Typical policies (e.g., HOSTS and ROUTERS):
     - HOSTS: applied to client-facing ports, blocks all RAs
     - ROUTERS: applied to router-facing ports, forwards only RAs that pass the trust criteria

7
Q

DHCP Snooping

A

• Prevents rogue DHCP servers from issuing malicious IP configurations
• A rogue DHCP server can cause:
  o On-path (man-in-the-middle) attacks (the attacker hands out itself as gateway and/or DNS server)
  o Website spoofing or traffic redirection
• When enabled:
  o Only trusted ports (e.g., uplinks toward the real DHCP server) may send DHCP server messages (OFFER/ACK); server messages arriving on untrusted ports are dropped
  o The switch inspects DHCP traffic and builds a DHCP snooping binding database of IP-MAC-VLAN-port pairings from completed leases
• Cisco configuration:
  o ip dhcp snooping (global)
  o ip dhcp snooping vlan <id> (enable per VLAN)
  o ip dhcp snooping trust (on the uplink interface)
• The binding table is used by other security features (e.g., DAI, IP Source Guard)

8
Q

Dynamic ARP Inspection (DAI)

A

• Protects against ARP spoofing / ARP cache poisoning
• ARP spoofing enables:
  o Redirection of traffic (similar in effect to DNS spoofing)
  o On-path attacks
  o DoS (victims are pointed at a non-existent MAC)
• Why hosts and switches are vulnerable:
  o ARP has no authentication; hosts accept any ARP reply, even unsolicited ones
• DAI operation:
  o Intercepts ARP packets on untrusted ports and checks them against the DHCP snooping binding table
  o Verifies that the sender IP ↔ sender MAC pair matches a DHCP lease (or a static ARP ACL entry)
  o Drops ARP packets whose IP/MAC pairing does not match; trusted ports (uplinks) are not inspected
• Cisco configuration: ip arp inspection vlan <id>; ip arp inspection trust on uplink interfaces
• Requires DHCP snooping (or static entries) to be effective
• MAC flooding (filling the switch CAM table with bogus MACs so the switch floods frames like a hub) is a separate Layer 2 attack; it is addressed by port security (limiting MACs per port), not by DAI
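The two cards above describe one mechanism in two stages: DHCP snooping builds the binding table, and DAI consults it. The following added example (written for this page; not course or Cisco code) models both on a toy switch: DHCP server messages are honoured only on the trusted uplink, completed leases create bindings, and ARP packets on untrusted ports are dropped unless their sender IP/MAC pair matches a binding. All ports, MACs, addresses and messages are constructed.

```python
"""Added example (not from the original flashcards): DHCP snooping plus Dynamic ARP
Inspection on a toy switch. Ports, MAC addresses, leases and ARP messages are
constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Switch:
    trusted_ports: Set[str]
    bindings: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # MAC -> (IP, VLAN)

    def dhcp_snoop(self, port: str, msg: str, client_mac: str, ip: str, vlan: int) -> str:
        """DHCP snooping: server messages (OFFER/ACK) are honoured only from trusted
        ports; an ACK seen on a trusted port records the lease as a binding."""
        if msg in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                return "drop: DHCP server message on untrusted port (rogue server)"
            if msg == "ACK":
                self.bindings[client_mac] = (ip, vlan)
        return "forward"      # client DISCOVER/REQUEST, and legitimate server replies

    def arp_inspect(self, port: str, sender_mac: str, sender_ip: str, vlan: int) -> str:
        """DAI: trusted ports are not inspected; on untrusted ports the sender
        IP/MAC pair must match a DHCP snooping binding in that VLAN."""
        if port in self.trusted_ports:
            return "forward"
        bound = self.bindings.get(sender_mac)
        if bound is None or bound != (sender_ip, vlan):
            return f"drop: ARP '{sender_ip} is-at {sender_mac}' has no matching binding"
        return "forward"


def demo() -> List[str]:
    """Constructed sequence: two real leases, a rogue DHCP offer, then ARP traffic."""
    sw = Switch(trusted_ports={"Gi0/1"})        # Gi0/1 = uplink to the real DHCP server
    out = [
        sw.dhcp_snoop("Gi0/1", "ACK", "aa:aa:aa:aa:aa:01", "10.0.0.10", 10),   # victim's lease
        sw.dhcp_snoop("Gi0/1", "ACK", "aa:aa:aa:aa:aa:66", "10.0.0.66", 10),   # attacker's lease
        sw.dhcp_snoop("Fa0/5", "OFFER", "aa:aa:aa:aa:aa:01", "10.0.0.10", 10), # rogue DHCP on access port
        sw.arp_inspect("Gi0/1", "00:00:5e:00:01:01", "10.0.0.1", 10),   # real gateway via trusted uplink
        sw.arp_inspect("Fa0/5", "aa:aa:aa:aa:aa:66", "10.0.0.66", 10),  # attacker's own address: fine
        sw.arp_inspect("Fa0/5", "aa:aa:aa:aa:aa:66", "10.0.0.1", 10),   # attacker claims to be the gateway
        sw.arp_inspect("Fa0/5", "aa:aa:aa:aa:aa:66", "10.0.0.66", 20),  # right pair, wrong VLAN
    ]
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note the dependency the cards point out: a host with a static address and no DHCP lease has no binding, so DAI would drop its ARP traffic; on a real switch such hosts need a static entry (an ARP ACL) or DAI disabled for their VLAN.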

9
Q

Proxy Servers

A

• Acts as an intermediary between internal and external networks
• Works at the Application Layer (OSI Layer 7)
• Main Functions:
  o Screens all incoming/outgoing traffic
  o Hides internal IP addresses (identity protection)
  o Performs content filtering
  o Caches frequently accessed content
  o Repackages data with its own IP address before sending
• Does not encrypt traffic (unlike a VPN)
• NOT the same as NAT
  o NAT: IP address management
  o Proxy: traffic mediation and security
• Example Use Case (outbound email):
  1. Workstation sends data to the proxy
  2. Proxy replaces the source IP with its own
  3. Sends to the firewall
  4. Firewall verifies and forwards to the Internet
• Software Examples:
  o Smartproxy
  o Luminati
  o Squid
  o WinGate (includes firewall features)
• Reverse Proxy:
  o Protects internal servers from external clients
  o Provides application-layer firewall protection
  o Useful when multiple web servers share the same public IP

10
Q

Firewalls – General

A

• Filters/blocks traffic between networks
• Can be:
  o Network-based (protects a whole network)
  o Host-based (protects an individual device)
• Can be hardware or software
• Located at the network edge or internally
• Often ships with default security settings
• Common filtering criteria:
  o Source/destination IP
  o Source/destination TCP or UDP port (e.g., FTP control on port 21); ICMP has no ports and is filtered by type/code
  o TCP flags (SYN, ACK)
  o Protocol used (TCP, UDP, ICMP)
  o Packet position (first or subsequent packet of a connection)
  o Direction (inbound or outbound)
• Port Blocking Example:
  o Block NetBIOS ports (137, 138, 139) at the edge for added security

11
Q

Firewalls – Types and Features

A

• Packet-Filtering Firewall:
  o Examines packet headers
  o Uses an ACL to allow/deny traffic
  o Stateless (evaluates each packet individually)
• Stateful Firewall:
  o Tracks connections (stateful inspection)
  o Evaluates packets in the context of their connection
• Application Layer Firewall:
  o Inspects application data/payloads
  o Can block based on:
     - Website content
     - Keywords
     - Suspicious code
  o Supports zero trust (inspects even internal traffic)
• Host-based vs. Network Firewall:
  o Host-based: device-specific, e.g., disallow port 22 on a local server
  o Network: covers multiple devices; more complex rules
• Common Software:
  o iptables (Linux)
  o ZoneAlarm
  o Comodo Firewall
  o Windows Firewall (built-in)
• Security Appliances (Enterprise):
  o Vendors: Cisco, Fortinet
  o Functions:
     - Packet filtering
     - Encryption
     - Load balancing
     - Intrusion Prevention (IPS)

12
Q

Firewall Rule Considerations

A

• More granular than ACLs
• Rules are evaluated when a message enters, exits, or traverses the firewall
• Key features to look for in a firewall:
  o Encryption support
  o User authentication
  o Centralized management
  o Easy rule creation/modification
  o Logging/auditing (e.g., IDS/IPS support)
  o Internal IP masking
  o Stateful inspection
  o High-layer filtering (application inspection)

13
Q

Intrusion Detection System (IDS)

A

• Definition: monitors network traffic and generates alerts for suspicious activity (it does not block)
• Deployment:
  o Stand-alone device, application, or feature on a host/server/switch/router/firewall
  o Installed inside the network
• Detection Methods:
  o Statistical anomaly detection: compares traffic to a learned baseline (can catch unknown attacks, but tends to produce more false positives)
  o Signature-based detection: matches known attack patterns (requires signature management; cannot see attacks without a signature)
• Signature Management:
  o Regular updates
  o Retire irrelevant signatures
  o Select the relevant ones to optimize performance

14
Q

IDS Types (HIDS vs NIDS)

A

• HIDS (Host-based IDS):
  o Monitors a single host
  o Detects logon attempts, insecure application usage
  o Includes FIM (File Integrity Monitoring)
     - Uses checksums to detect unauthorized file changes
• NIDS (Network-based IDS):
  o Monitors network segments
  o Typically placed at the edge or in the DMZ
  o Detects suspicious traffic such as DoS
  o Traffic Duplication Techniques:
     - Port mirroring / SPAN
        One switch port copies traffic to another port for analysis
        Configured with Cisco's monitor session command (e.g., monitor session 1 source interface ... / monitor session 1 destination interface ...)
     - TAP (Test Access Point)
        Inline hardware between two devices
        Captures all traffic, including what a switch would not mirror
        Can feed multiple monitoring devices

15
Q

IDS Alerts & Issues

A

• Alert Classifications:
  o True Positive: real problem, correctly alerted
  o True Negative: no problem, no alert
  o False Positive: alert for a non-issue (e.g., a user forgets their password)
  o False Negative: missed alert for a real issue
• Drawbacks:
  o Too many false positives = alert fatigue
• Best Practices:
  o Customize rules
  o Update signatures
  o Reevaluate rules regularly
• Examples of IDS Software:
  o Snort (popular)
  o Suricata
• Vendors with IDS Products:
  o Cisco, Juniper, Palo Alto
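The three IDS cards above (detection methods, signatures, and alert classification) come together in the following added example, written for this page rather than taken from Snort, Suricata or the course. It runs signature-based detection (regexes for known attack strings, applied after URL-decoding) and a simple statistical-anomaly check (requests per source per second against a baseline) over constructed web-server log lines, then scores the alerts against constructed analyst labels as true/false positives and negatives. The signatures, baseline, log lines and labels are all constructed.

```python
"""Added example (not from the original flashcards): a miniature IDS combining
signature-based and statistical-anomaly detection, scored against labelled ground
truth. Signatures, baseline, log lines and labels are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed signatures for known attack strings (a real ruleset is far larger)
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1|sleep\(\d+\))"),
    "traversal": re.compile(r"\.\./\.\./"),
    "webshell": re.compile(r"/(c99|r57)\.php"),
}
BASELINE_RPS = 5        # constructed baseline: > 5 requests/s from one source is anomalous

LINE_RE = re.compile(r"^(\S+) \[(\d\d:\d\d:\d\d)\] (\S+) (\S+) (\d{3})$")


def parse(line: str) -> Dict[str, object]:
    """Parse 'src [hh:mm:ss] METHOD path status'; URL-decode the path so that
    encoded payloads (%27 for a quote) cannot slip past the signatures."""
    src, ts, method, path, status = LINE_RE.match(line).groups()
    return {"src": src, "ts": ts, "method": method, "path": unquote(path), "status": int(status)}


def detect(lines: List[str]) -> List[Optional[str]]:
    """Return one alert label per log line, or None where nothing fired.
    Signatures run first; the rate anomaly catches floods with no known pattern."""
    recs = [parse(l) for l in lines]
    per_src_sec = Counter((r["src"], r["ts"]) for r in recs)
    alerts = []
    for r in recs:
        hit = next((name for name, rx in SIGNATURES.items() if rx.search(r["path"])), None)
        if hit is None and per_src_sec[(r["src"], r["ts"])] > BASELINE_RPS:
            hit = "rate-anomaly"
        alerts.append(hit)
    return alerts


def score(alerts: List[Optional[str]], labels: List[bool]) -> Counter:
    """labels[i] is True when the analyst says line i really was an attack."""
    c = Counter()
    for a, real in zip(alerts, labels):
        c["TP" if a and real else "FP" if a else "FN" if real else "TN"] += 1
    return c


# Constructed log: two normal requests, an SQLi probe, a traversal attempt, a benign
# search that happens to contain 'union select', a seven-request burst, an SQLi
# variant no signature covers, and one more normal request.
LOG = [
    "10.0.0.5 [12:00:01] GET /index.html 200",
    "10.0.0.5 [12:00:02] GET /products?id=1 200",
    "203.0.113.9 [12:00:03] GET /products?id=1'%20OR%201=1-- 200",
    "203.0.113.9 [12:00:03] GET /../../etc/passwd 404",
    "10.0.0.7 [12:00:04] GET /search?q=union%20select 200",
] + [f"198.51.100.4 [12:00:05] GET /page{i} 200" for i in range(7)] + [
    "203.0.113.9 [12:00:09] GET /products?id=1%27%20||%201%3D1 200",
    "10.0.0.5 [12:00:10] GET /about 200",
]
LABELS = [False, False, True, True, False] + [True] * 7 + [True, False]

if __name__ == "__main__":
    for line, alert in zip(LOG, detect(LOG)):
        print(f"{alert or '-':13} {line}")
    print(dict(score(detect(LOG), LABELS)))   # {'TN': 3, 'TP': 9, 'FP': 1, 'FN': 1}
```

The false positive (a legitimate search containing "union select") and the false negative (an injection written with "||" instead of "OR") are the two cases the card's best practices address: tune the rule so the search endpoint is excluded or the pattern is tighter, and update signatures so the variant is covered.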

16
Q

Intrusion Prevention System (IPS)

A

• Definition: sits inline; actively blocks suspicious traffic
• Function:
  o Detects and prevents threats from reaching the host/network
  o Example: blocks a flood attack and quarantines the sender IP
  o Still allows valid traffic
• IPS vs IDS:
  o IDS = detect only
  o IPS = detect + block
  o Firewalls now overlap with IPS functionality
• Types:
  o NIPS (Network-based IPS): protects entire networks
  o HIPS (Host-based IPS): protects individual hosts

17
Q

IPS Deployment & Strategy

A

• Placement Options:
  o Network perimeter
  o Inside the private network
  o Within the DMZ
• Combined Use Example:
  o NIPS blocks the attacker before traffic reaches the server
  o HIPS on the server protects against direct host exploitation
• Configuration:
  o Needs fine-tuning to reduce false alarms (an inline false positive blocks legitimate traffic)
• Best Practice:
  o Use NIPS + HIPS for layered defense

18
Q

Cloud Security Technologies – Overview

A

• Traditional network security tools can be virtualized for cloud use
• Cloud platforms embed their own security features
• The defense-in-depth strategy applies across the cloud layers:
  o Platform
  o Network
  o Instances
  o Applications
  o Data

19
Q

Cloud Security – Granularity

A

• Granular security appliances secure individual resources
  o Similar to a host-based firewall
• AWS Security Group:
  o Filters traffic into/out of an instance's network interface (instance level); one group can be attached to many instances
• AWS NACL (Network ACL):
  o Filters traffic entering/leaving a subnet within a VPC (subnet level, not the whole VPC)
  o Similar to a network-based firewall

20
Q

Cloud Security – Awareness (Stateful vs Stateless)

A

• Stateless tools:
  o Do not track traffic session state; return traffic needs its own rule
• Stateful tools:
  o Maintain connection state awareness
  o Map related inbound/outbound traffic automatically
• Examples:
  o Google Cloud virtual firewall rules = stateful
     - Allowing traffic in one direction allows the return traffic
  o AWS Security Groups = stateful
  o AWS NACLs = stateless (an inbound allow needs a matching outbound allow for the ephemeral port range)

21
Q

Cloud Security – Default Configuration

A

• Each tool has a default allow or deny behavior
• Admins must understand the defaults to configure securely
• Examples:
  o AWS Security Groups:
     - The EC2 launch wizard's suggested group allows SSH (port 22) inbound from anywhere (0.0.0.0/0) for Linux instances unless restricted; a VPC's default security group allows inbound only from members of the same group
  o Azure NSG (Network Security Group):
     - Has 6 default rules (3 inbound, 3 outbound)
     - They cannot be deleted or changed, but custom rules with a higher priority (lower number) override them

22
Q

Built-in Cloud Security Features

A

• Many cloud defaults are secure by default
• Example: AWS S3 buckets:
  o Block Public Access is enabled on new buckets, so all internet access is denied by default
  o Allowing public access requires several configuration and confirmation steps (disabling Block Public Access and acknowledging the change)

23
Q

Cloud Security – Shared Responsibility Model

A

• Cloud security is shared between:
  o Cloud provider (security of the infrastructure)
  o Cloud customer (configuration and access control within it)
• The split varies by deployment model (IaaS, PaaS, SaaS): the more the provider manages, the less the customer is responsible for

24
Q

AAA Framework – Overview

A

• AAA = Authentication, Authorization, Accounting (sometimes AAAA, adding Auditing)
• Access control manages who can enter a network and what they can do on it
• Physical access control = badges, locks
• Information access control = limits what users/devices can do with data and resources

25
Q

AAA Components – Definitions

A

• Authentication: verifies user/device identity ("Who are you?")
• Authorization: determines permissions ("What are you allowed to do?")
• Accounting: logs user activity ("What did you do?")
• Auditing: reviews logs and configurations for compliance and misuse (usually treated as part of accounting)

26
Q

Authentication – Purpose & Scope

A

• Verifies identity before access is granted
• Can authenticate to:
  o A local device and its resources (local authentication)
  o The network and distributed resources (network authentication)

27
Q

Local Authentication

A

• Credentials are stored on the local device
• Advantages:
  o Simple for a few devices (fewer than a dozen)
  o Backup access during a network/server failure
• Disadvantages:
  o Lower security (vulnerable to brute force)
  o No remote account lockdown
  o Difficult to manage with many devices

28
Q

Local Authentication – Example

A

• Windows local user accounts for sign-in
• Each device secures its own resources
• Multiple local accounts are needed if users access multiple devices
• Administrative overhead increases with network size

29
Q

Switching to Network Authentication

A

• Network authentication uses a central database (e.g., Active Directory)
• Windows domain authentication stores credentials in Active Directory
• A single network username signs in across multiple devices/resources
• Centralized control of resource access

30
Q

Network Authentication – Logon Restrictions

A

• Time of day: restrict account usage to specific hours
• Total time logged on: limit total daily usage hours
• Source address: limit login to specific workstations or network segments
• Unsuccessful login attempts: lock the user ID after a set number of failed attempts
• Geographic location (geofencing): restrict login to defined physical areas using GPS or RFID data

31
Q

Authorization: Purpose & Scope

A

• Controls what a user may do after network access is granted
• Prevents unauthorized access to sensitive data and critical configurations
• Controls:
  o Software rights (run, install, uninstall)
  o Data permissions (read, modify, create, delete)

32
Q

Role-Based Access Control (RBAC)

A

• Most popular authorization method
• Roles are defined by the user's supervisor (job description)
• The network admin assigns permissions based on roles only, never to individuals directly
• Public rights are usually limited and available to all users

33
Q

RBAC User Groups & Permissions

A

• User groups are created per role/job function
• Users are assigned to the matching groups (a user can belong to multiple groups)
• Role separation (where enforced):
  o A user may belong to only one role group at a time
  o Placing a user in more than one group locks down all privileges until membership is corrected
• Example: an IT Department group manages credentials centrally

34
Q

Windows Authorization Tools

A

• Local groups on individual workstations
• Active Directory domain local groups (centrally managed)
• Easier management: add/remove users in groups instead of editing individual rights

35
Q

Accounting: Separation of Duties (SoD)

A

• Prevents one person from having full control and the opportunity for fraud
• Divides sensitive privileges among multiple people
• Example: one person writes checks, another balances the records
• Prevents conflicts of interest (nobody monitors themselves)
• Spreads auditing roles to reduce fraud and error risks

36
Q

Accounting: Logging & Auditing

A

• Actions on data/resources are logged continuously
• Logs help troubleshoot and audit system activity
• Linux logs are mostly text files (need rotation, e.g., logrotate, to avoid storage bloat)
• Windows Event Viewer shows log entries such as Audit Failures
• Audit logging is enabled via Group Policy in Windows

37
Q

SIEM (Security Information and Event Management)

A

• Aggregates and analyzes log data from multiple devices (routers, servers, switches)
• Detects significant security events based on predefined rules
• Generates alerts and notifications to IT staff (email, text, etc.)
• Balance needed:
  o Too few alerts = missed threats
  o Too many alerts = alert fatigue and ignored warnings
• Storage and processing capacity are important for SIEM effectiveness
• Rules must be fine-tuned and regularly reviewed by admins

38
Q

Examples of SIEM Software

A

• AlienVault OSSIM (open source)
• IBM Security QRadar
• SolarWinds Security Event Manager
• Splunk Enterprise Security

39
Q

Directory Services & LDAP

A

• Directory services manage databases of account credentials (usernames, passwords, etc.)
• Used for network-wide authentication (not individual devices)
• Common directory service software:
  o Active Directory (AD): Windows-based
  o OpenLDAP, 389 Directory Server: Linux-based
• All of these are LDAP-compliant
• LDAP (Lightweight Directory Access Protocol):
  o Standard protocol for accessing directory data
  o Supports querying, editing, and adding data
  o Transmits data in plaintext by default, which is insecure (credentials in a simple bind are exposed)
  o Uses port 389
• LDAPS (LDAP over SSL/TLS):
  o Encrypted version of LDAP
  o Secure communication over port 636
• AD + Kerberos + LDAP:
  o Kerberos = authentication
  o LDAP = directory lookups used for authorization (e.g., group membership)

40
Q

Kerberos Overview

A

• Default authentication protocol used by Active Directory
• Cross-platform authentication protocol
• Uses symmetric (shared secret) key encryption; each principal shares a long-term key with the KDC
• Requires a trusted third party for validation (the KDC)
• Provides secure identity verification for clients without sending passwords over the network
• Encrypts the authentication exchange (tickets and authenticators); application traffic is not encrypted unless the application does so
• Components:
  o Principal = client/user or service
  o KDC (Key Distribution Center) = main Kerberos server
     - Runs two services:
        AS (Authentication Service): validates users
        TGS (Ticket Granting Service): issues service tickets
  o Ticket = temporary proof of authenticated identity

41
Q

Kerberos Authentication Process

A

• Purpose: connect a user (e.g., Jamal) to a network service (email, file storage, etc.)
• Precondition: both the user and the service must have registered keys with the KDC
Step-by-step:
1. User login: the computer sends the username plus a timestamp encrypted with a key derived from the user's password to the AS
2. AS actions:
  o Looks up the user in its database
  o Decrypts the timestamp with the stored user key (a wrong password fails here)
  o Generates:
     - A session key (encrypted with the user's key)
     - A TGT (Ticket Granting Ticket), valid for about 10 hours and encrypted with the KDC's own key
3. The user decrypts the session key with the password-derived key
  o Sends a ticket request to the TGS
  o Includes:
     - Username + timestamp encrypted with the session key (the authenticator)
     - The encrypted TGT (the user cannot decrypt it and passes it along as-is)
4. TGS actions:
  o Validates the TGT and the authenticator
  o Issues a service ticket:
     - Includes the service name, a timestamp, and a service session key
     - One part is encrypted with the user's session key (for the user)
     - One part is encrypted with the service's secret key (for the service)
5. The user builds the service request:
  o Includes the encrypted service ticket plus a new authenticator (timestamp encrypted with the service session key)
6. The service decrypts the ticket with its own secret key:
  o Retrieves the service session key
  o Decrypts the authenticator to validate the request
  o Verifies the identity and grants access

42
Q

SSO & MFA Concepts

A

• Single Sign-On (SSO):
  o Authenticates the user once for access to multiple systems
  o Example: Kerberos
  o Advantage: convenience, fewer passwords, reduced admin overhead
  o Disadvantage: if the credentials are compromised, many resources are exposed at once
• Two-Factor Authentication (2FA):
  o Requires two types of credentials, e.g., something you know + something you have
• Multifactor Authentication (MFA):
  o Requires credentials from at least two different categories:
     - Something you know: password, PIN, personal information
     - Something you have: ATM card, smart card, key
     - Something you are: fingerprint, facial recognition, iris scan
     - Somewhere you are: physical location
     - Something you do: typing rhythm, gait, speech pattern

43
Q

Tokens for MFA

A

• Security Token:
  o A device or app that stores or generates secure, user-specific codes
  o Used in 2FA/MFA setups
• Software Token Example:
  o The app scans a QR code offered by the site (e.g., Facebook)
  o The app then generates time-based codes (e.g., a new one every 30 seconds) to enter alongside the password
  o Example: Google Authenticator
• Hardware Token Example:
  o RSA SecurID: a keychain fob that generates a new passcode every 60 seconds
  o The authentication server checks the code's validity during login

44
Q

RADIUS (Remote Authentication Dial-In User Service)

A

• General Info:
  o Developed by Livingston Enterprises (1991), later standardized by the IETF
  o Cross-platform AAA protocol; it can use its own user database or a backend such as Active Directory, so it complements rather than replaces a directory
  o Supports clients not directly wired to the network (e.g., Wi-Fi or VPN users)
  o Runs at the application layer
  o Uses UDP, with TCP transport also defined (since 2012)
• Functionality:
  o Combines authentication and authorization into a single exchange
  o Accounting is handled separately
• Deployment:
  o Runs as an application on a remote access server or on a dedicated RADIUS server
  o Highly scalable; used by many ISPs
  o Can be combined with other services (e.g., DHCP + RADIUS on one machine)
  o Compatible with most modern operating systems
  o Often used alongside Active Directory as the credential store
• Security:
  o Encrypts only the password attribute, not the rest of the AAA data
  o Less secure than TACACS+ for that reason

45
Q

TACACS+ (Terminal Access Controller Access Control System Plus)

A

• General Info:
  o Developed by Cisco Systems
  o AAA protocol (Authentication, Authorization, Accounting)
  o Allows the AAA functions to be separated
     - e.g., use TACACS+ for authorization and accounting and Kerberos for authentication
• Differences from RADIUS:
  o Uses TCP, not UDP
  o Encrypts the entire AAA conversation, not just the password
  o Typically used to authenticate to network devices (routers, switches)
  o Used for device administration access (technicians) more than for end users
  o Can still be used for user network access control