Module 5: Securing Network Devices: Authentication, Authorization, and Accounting Flashcards by Ayen A

An edge router security approach that refers to an information security approach in which a series of security mechanisms and controls are thoughtfully layered throughout a computer network to protect the confidentiality, integrity, and availability of the network and the data within.

Defense in Depth (DiD) approach

How well did you know this?

Not at all

Perfectly

An edge router security approach that is a method of providing segregation of networks and services that need to be provided to users, visitors, or partners through the use of firewalls and multiple layers of faltering and control to protect internal systems.

demilitarized zone (DMZ)

How well did you know this?

Not at all

Perfectly

An edge router security approach that is used to connect the internal network to the external network (usually the internet). This router is responsible for all the security measures, including firewall, intrusion detection, and prevention systems.

Single Router Approach

How well did you know this?

Not at all

Perfectly

What are the areas of router security?

physical security
router hardening
router operating system and configuration file security

How well did you know this?

Not at all

Perfectly

An area of router security where the router is secured against attacks as best as possible.

router hardening

How well did you know this?

Not at all

Perfectly

A protocol to provide communication over the Internet or a LAN a using a virtual terminal connection.

Telnet

How well did you know this?

Not at all

Perfectly

It allows a direct, non-network connection to the router, from a remote location

Auxiliary Port (AUX Port)

How well did you know this?

Not at all

Perfectly

username
password
password

How well did you know this?

Not at all

Perfectly

A command that allows telnet connections to the device.

transport input telnet ssh

How well did you know this?

Not at all

Perfectly

A command that allow ssh connections.

transport input ssh

How well did you know this?

Not at all

Perfectly

A feature that allows users to enhance the security of a router by configuring options to automatically block further login attempts when a possible denial-of-service (DoS) attack is detected.

(Cisco IOS) Login Enhancements Features

How well did you know this?

Not at all

Perfectly

A CISCO command where all login requests are denied and the only available connection is through the console.

How well did you know this?

Not at all

Perfectly

A CISCO command that logs the username and IP of successful login.

How well did you know this?

Not at all

Perfectly

A CISCO command used to configure the number of login on-success log.

security authentication failure rate

How well did you know this?

Not at all

Perfectly

A protocol which allows you to connect securely to a remote computer or a server by using a text-based interface.

Secure Socket Shell (SSH)

How well did you know this?

Not at all

Perfectly

A CISCO command used to generate Rivest, Shamir, and Adelman (RSA) key pairs

crypto key generate rsa

How well did you know this?

Not at all

Perfectly

Level of access of User EXEC mode

privilege level 1

How well did you know this?

Not at all

Perfectly

Level of access of Privileged EXEC mode

privilege level 15

How well did you know this?

Not at all

Perfectly

A feature that allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands.

Role-Based CLI Access feature

How well did you know this?

Not at all

Perfectly

A CISCO command under role-based views that enables root views.

enable root view

secret 5 root

enable view

parser view

enable view

How well did you know this?

Not at all

Perfectly

A CISCO command under role-based that creates a view and enters view configuration mode.

enable root view

secret 5 root

enable view

parser view

How well did you know this?

Not at all

Perfectly

A CISCO command under role-based that used to view a superview.

parser view

secret 5

view HOST

enable view

secret 5
or
view HOST
(di ko alam)

How well did you know this?

Not at all

Perfectly

A CISCO command under role-based that associates a command-line interface (CLI) view or superview with a password.

enable root view

secret 5 root

enable view

parser view

secret 5

How well did you know this?

Not at all

Perfectly

It is a feature in CISCO devices that enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).

Cisco IOS Resilient Configuration feature

How well did you know this?

Not at all

Perfectly

A CISCO command that enables Cisco IOS image resilience

secure boot-image

A CISCO command under IOS image resilience that stores a secure copy of the primary bootset in persistent storage

secure boot-config

A CISCO command under IOS image resilience that displays the status of configuration resilience and the primary bootset filename.

show secure bootset

_______ requires that authentication, authorization, and accounting (AAA) be configured so the router can determine whether the user has the correct privilege level.

Secure Copy (SCP)

What is the CISCO command to disable password recovery?

no service password-recovery

A type of management access that apply only to devices that need to be managed or monitored.

in-band management

A type of management access that mitigates the risk of passing management protocols over the production network.

out-of-band management

A type of management access that decides whether the management channel need to be open at all time.

in-band management

A type of management access that provides highest level of security.

out-of-band management

A type of management access that provides a secure dedicated alternate access method into an IT network infrastructure to administer connected devices and IT assets without using the corporate LAN.

out-of-band management

A type of management access that uses the same communications channels that the devices themselves support.

in-band management

A type of management access that uses IPsec, SSH, or SSL when possible.

in-band management

A standard for logging messages.

Syslog (System Logging Protocol)

It is used to logged messages from the set level and higher when CISCO message level are set.

Syslog (System Logging Protocol)

What syslog security level will be logged/raised when interface changed state from up to down or vice-versa?

Level 5

What syslog security level will be logged/raised when it is unable to allocate memory?

Level 2

What syslog security level will be logged/raised when the temperature is too high?

Level 1

What syslog security level will be logged/raised when it has invalid memory size?

Level 3

What syslog security level will be logged/raised when a packet is denied by ACL?

Level 6

What syslog security level will be logged/raised when crypto operation failed?

Level 4

What syslog security level will be logged/raised when CISCO IOS software could not load?

Level 0

What syslog security level will be logged/raised when a packet type is invalid?

Level 7

In configuring system logging, it is used to log messages to syslog server host. logging source-interface logging host logging trap logging on

logging host

In configuring system logging, it is used to limit messages logged to the syslog servers. logging source-interface logging host logging trap logging on

logging trap

In configuring system logging, it is used to specify a particular IP address for syslog messages. logging source-interface logging host logging trap logging on

logging source-interface

In configuring system logging, it is used to enable message logging. logging source-interface logging host logging trap logging on

logging on

An Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.

Simple Network Management Protocol (SNMP)

An SNMP version that uses DEA and AES for encryption.

SNMPv3

An SNMP version that uses username match for authentication.

SNMPv3

An SNMP version that provides authentication based on HMAC-MD5 or HMAC-SHA algorithms.

SNMPv3

An SNMP version that uses community string match for authentication.

SNMPv1 SNMPv2c

What is the CISCO command to configure an SNMP view? snmp-server user parser view snmp-server group ip access-list standard permit snmp-server view

snmp-server view

What is the CISCO command to configure an SNMP group? snmp-server user parser view snmp-server group ip access-list standard permit snmp-server view

snmp-server group

What is the CISCO command to add a user to SNMP group? snmp-server user parser view snmp-server group ip access-list standard permit snmp-server view

snmp-server user

A networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

Network Time Protocol (NTP)

A feature that examines your existing router configurations and then updates your router in order to make your router and network more secure.

Security Audit

It is a Cisco ISO feature that is based on the Cisco IOS AutoSecure feature and performs checks on and assists in configuration of almost all of the AutoSecure functions.

Security Audit

It discovery protocol that facilitates the management of Cisco devices by discovering these devices, determining how they are configured, and allowing systems using different network-layer protocols to learn about each other.

Cisco Discovery Protocol (CDP)

A Layer 2, media-independent, and network-independent protocol that runs on Cisco devices and enables networking applications to learn about directly connected devices nearby.

Cisco Discovery Protocol (CDP)

It discovery protocol that is used for network devices to advertise information about themselves to other devices on the network.

Link Layer Discovery Protocol (LLDP)

This protocol runs over the data-link layer, which allows two systems running different network layer protocols to learn about each other.

Link Layer Discovery Protocol (LLDP)

A feature that secures a router by using a single CLI command to disable common IP services that can be exploited for network attacks, enable IP services and features that can aid in the defense of a network when under attack, and simplify and harden the security configuration of the router

AutoSecure

A routing protocol for Internet Protocol (IP) networks.

Open Shortest Path First (OSPF)

A Cisco IOS feature allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks.

control plane policing

SHA

Secure Hash Algorithm

CEF

Cisco Express Forwarding

Control Plane Policing (CoPP) Support for Distributed or Hardware Switching Platforms Yes or No

Yes

Control Plane Policing (CoPP) CEF required Yes or No

Control Plane Policing (CoPP) Provides a mechanism for dropping packets that are directed to closed or nonlistening TCP/UDP ports Yes or No

Control Plane Policing (CoPP) Ability to enforce limits on the number of packets for a specified protocol that are allowed in the control plane IP input queue Yes or No

AAA

Authentication, Authorization, Accounting

Give types of accounting information.

* network * connection * system * command * resource * EXEC

What is the CISCO command used to enable AAA parameters on the router? aaa authentication login default local-case username authentication ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd aaa new-model

aaa new-model

What is the CISCO command used to configure AAA parameters on the router? aaa authentication login default local-case username authentication ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd aaa new-model

aaa authentication login default local-case

What is the CISCO command used to add usernames and passwords to the local router for users that need administrative access to the router? aaa authentication login default local-case username authentication ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd aaa new-model

username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

What is the CISCO command used to enable AAA globally on the router? aaa authentication login default local-case username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd aaa new-model

username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

A type of server-based AAA that separates authentication from authorization.

tacacs+

A type of server-based AAA that does not separate authentication from authorization.

radius

A term in AAA that ensures a device or end-user is legitimate.

authentication

A term in AAA that allows or disallows authenticated users access to certain areas and programs on the network.

Authorization