Flashcards in Security Deck (35):
authentication, authorization, and accounting
Three core security functions.
Define authentication method
A term referring generically to ways in which a router or switch can determine whether a particular device or user should be allowed access.
A protocol, defined in RFC 2865, that defines how to perform authentication between an authenticator (for example, a router) and an authentication server that holds a list of usernames and passwords.
A Cisco-proprietary protocol that defines how to perform authentication between an authenticator (for example, a router) and an authentication server that holds a list of usernames and passwords.
Define MD5 hash
A term referring to the process of applying the Message Digest 5 (MD5) algorithm to a string, resulting in another value. The original string cannot be easily computed even when the hash is known, making this process a strong method for storing passwords.
Define enable password
The password required by the enable command. Also, this term may specifically refer to the password defined by the enable password command.
Define enable secret
The MD5-encoded password defined by the enable secret command.
A term referring generically to a server that performs many AAA functions. It also refers to the software product Cisco Secure Access Control Server.
Define SAFE blueprint
An architecture and set of documents that defines Cisco’s best recommendations for how to secure a network.
A switch feature with which the switch watches ARP messages, determines if those messages may or may not be part of some attack, and filters those that look suspicious.
Define port security
A switch feature that limits the number of allowed MAC addresses on a port, with optional limits based on the actual values of the MAC addresses.
Define IEEE 802.1X
An IEEE standard that, when used with EAP, provides user authentication before their connected switch port allows the device to fully use the LAN.
Define DHCP snooping
A switch feature in which the switch examines DHCP messages and, for untrusted ports, filters all messages typically sent by servers and inappropriate messages sent by clients. It also builds a DHCP snooping binding table that is used by DAI and IP Source Guard.
Define IP source guard
A switch feature that examines incoming frames, comparing the source IP and MAC addresses to the DHCP snooping binding database, filtering frames whose addresses are not listed in the database for the incoming interface.
Define man-in-the-middle attack
A characterization of a network attack in which packets flow to the attacker, and then out to the true recipient. As a result, the user continues to send data, increasing the chance that the attacker learns more and better information.
Define sticky learning
In switch port security, the process whereby the switch dynamically learns the MAC address(es) of the device(s) connected to a switch port, and then adds those addresses to the running configuration as allowed MAC addresses for port security.
Define Fraggle attack
An attack similar to a smurf attack, but using packets for the UDP Echo application instead of ICMP.
Define DHCP snooping binding database
The list of entries learned by the switch DHCP snooping feature. The entries include the MAC address used as the device’s DHCP client address, the assigned IP address, the VLAN, and the switch port on which the DHCP assignment messages flowed.
Defined in RFC 3748, the protocol used by IEEE 802.1X for exchanging authentication information.
The encapsulation of EAP messages directly inside LAN frames. This encapsulation is used between the supplicant and the authenticator.
Defined in RFC 2289, a mechanism by which a shared key and a secret key together feed into a hash algorithm, creating a password that is transmitted over a network. Because the shared key is not reused, the hash value is only valid for that individual authentication attempt.
The 802.1X driver that supplies a username/password prompt to the user and sends/receives the EAPoL messages.
Define authentication server
In 802.1X, the computer that stores usernames/passwords and verifies that the correct values were submitted before authenticating the user.
Define smurf attack
A style of attack in which an ICMP Echo is sent with a directed broadcast (subnet broadcast) destination IP address, and a source address of the host that is being attacked. The attack can result in the Echo reaching a large number of hosts, all of which reply by sending an Echo Reply to the host being attacked.
Define TCP SYN flood
An attack by which the attacker initiates many TCP connections to a server, but does not complete the TCP connections, by simply not sending the third segment normally used to establish the connection. The server may consume resources and reject new connection attempts as a result.
Define TCP intercept
A Cisco router feature in which the router works to prevent SYN attacks either by monitoring TCP connections flowing through the router, or by actively terminating the client's TCP connection on the router itself until that connection is established, and then knitting the client-side connection together with a server-side TCP connection.
An individual line in an ACL.
Define storm control
A Cisco switch feature that permits limiting traffic arriving at switch ports by percentage or absolute bandwidth. Separate thresholds are available per port for unicast, multicast, and broadcast traffic.
Part of the Cisco IOS Firewall feature set, CBAC inspects traffic using information in the higher-layer protocols being carried to decide whether to open the firewall to specific inbound traffic. CBAC supports both UDP and TCP and multiple higher-layer protocols and can be applied inbound or outbound on an interface.
Define classic IOS firewall
Provides dynamic inspection of traffic as it traverses the router. It uses Context-Based Access Control (CBAC) to look deeper into a packet than an access list can. It tracks outbound traffic and dynamically allows in responses to that traffic.
Define zone-based IOS firewall
Similar to an appliance firewall, in that interfaces are placed into security zones. Traffic is allowed between interfaces in the same zone. You can apply policies to filter and control traffic between zones.
Define IOS IPS
Allows the router to act as an inline IPS, doing deep packet inspection.
Define inspection rule
A set of parameters that CBAC applies in its traffic inspection process.
A method of providing dynamically configured spoke-to-spoke VPN connectivity in a hub-and-spoke network that significantly reduces configuration required on the spoke routers compared to traditional IPsec VPN environments.