Complete List of Terms and Definitions for CCIE 5
| Terms | Definitions |
|---|---|
| What are the characteristics of AES? What are its advantages over DES/3DES? | Advanced Encryption Standard; symmetric encryption; block cipher; variable block & key length of 128, 192, or 256 bits; faster to run than DES/3DES |
| What are the characteristics/differences between compulsory tunneling and voluntary tunneling for L2TP? What is the packet format sent from the client in each mode? | Compulsory: client unaware of tunnel; packet = [PPP \| data]. Voluntary: client aware of tunnel and also acts as LAC; packet = [PPP \| L2TP \| data], where the [L2TP \| data] part is passed on directly by the LAC without further processing |
| How does NAC operate? | 1. Device attempting a network connection is asked for a security profile of the endpoint device. 2. Profile info is compared to the network security policy. 3. NAC permits, denies, or restricts access by redirecting to a less exposed network segment; can also quarantine non-compliant devices |
| What are the characteristics of RC4? | Symmetric encryption; stream cipher; used in SSL, WEP; generates a pseudo-random keystream to encrypt the message; vulnerable if the keystream is not random |
| Describe the Land (Land.c) attack. | Attacker sends a TCP SYN where srcIP = dstIP = victim's host IP and srcPort = dstPort. Victim tries to open a TCP connection to itself and goes into an infinite loop |
| What are the characteristics of multicast addresses? What are the special addresses used to send messages/updates to subsets of hosts? | Class D addresses 224.0.0.0 to 239.255.255.255; all hosts: 224.0.0.1; all multicast routers on subnet: 224.0.0.2 |
| How is protocol filtering set up? What are the port states and how do they behave? | 1. Define protocol groups. 2. Associate protocol groups with ports. 3. Set ports to on/off/auto. On: only broadcast/multicast for protocols in the group is allowed on the specified ports. Auto: port becomes a member after a host sends packets of a protocol in the group |
| What transform set configuration options are available for ESP and AH in IPSec config? | For ESP encryption: esp-null, esp-des, esp-3des, esp-aes, esp-aes 192, esp-aes 256, esp-aes seal. For ESP authentication: esp-md5-hmac, esp-sha-hmac. For AH: ah-md5-hmac, ah-sha-hmac |
| What are the characteristics of Cat6k IDSM? | Intrusion Detection Services Module; switching module on Cat6k; part of Cisco IDS. Captures network packets on a VACL or SPAN port; reassembles and compares against signatures; generates alarms through the backplane to IDS Director or CSPM |
| What are some of the specific attacks that CSA protects against or monitors on end users (browsers and OS)? | Cookies; Browser Helper Objects; browser plug-ins; keyloggers; NMS tools; remote install tools; Trojans/viruses/worms |
| For IPSec: What encryption algorithms are supported? What hash algorithms are supported? What authentication mechanisms? | Encryption: DES, 3DES, AES, RSA, preshared key/D-H. Hash: HMAC-MD5, HMAC-SHA-1. Authentication: RSA/digital signatures, preshared key, nonces |
| What is the goal of NAC? What prerequisite application does it require? | Network Admission Control (also Cisco Clean Access). Ensure all devices accessing network resources are adequately protected from network security threats; enforce compliance with security policies for devices. Requires ACS |
| What are the characteristics and purpose of: BPDU Guard, BPDU Filter, Root Guard, Loop Guard? | BPDU Guard - prevents devices on portfast ports from hijacking the STP root (DoS); places the port in err-disabled state if it detects BPDUs. BPDU Filter - prevents sending BPDUs to portfast ports (reconnaissance attack). Root Guard - enforces the root; puts a designated port in root-inconsistent state if a superior BPDU is seen. Loop Guard - places root/alternate ports in inconsistent state if no BPDU traffic is seen |
| What is the purpose of protocol filtering? | Limit broadcast and multicast for protocols on ports for flood control |
| What is the "Chain of Evidence" model in Security Forensics? | Methodology for evidence collection across an intranet based on a model consisting of linked audit logs. Plan event configuration such that audit logs provide complementary information (quality of evidence also covered) |
| What is the purpose of: 1. dynamic access lists (aka lock-and-key) 2. time-based access lists 3. reflexive access lists? | 1. Create specific, temporary openings in response to user authentication. 2. Create specific, temporary openings for a certain amount of time. 3. Temporary entries/filters for network traffic based on IP upper-layer protocol session information; nested in an extended named ACL on an interface |
| What are some of the general preventive measures that CSA offers and what attacks do they block? (Hint: 5 P's) | Prevents port scanning & pinging (probing). Prevents mail attachments from running any applications that can compromise the system (penetration). Prevents file creation/modification (persist/paralyze). Prevents hosts from sending malicious traffic to the network (propagate) |
| What criteria are used to determine which route is placed in the routing table given multiple routes to the same destination? | 1. If learned from different routing protocols: use the route with the lowest administrative distance. 2. If learned from the same routing protocol: use the route with the lowest metric/cost. 3. If all of the above are the same, use the route with the longest prefix match |
| What are the basic steps in establishing an L2TP tunnel connection? | 1. End host initiates a connection to the LAC server. 2. LAC initiates a tunnel to the LNS. 3. AAA takes place on the LNS (local DB or AAA server) |
| What are the two categories of network access attacks? (Give examples) | Data access - unauthorized retrieval of data/info, e.g. privilege escalation. System access - unauthorized access to system resources & devices (programs, cameras, etc.), e.g. malware, password attacks |
| What are the characteristics of preconfigured policies on CSA? | Can be used as is. Should NOT be edited (though technically possible); instead they should be cloned & edited, or a new similar policy created |
| What are the steps to establishing a TCP connection? | Three-way handshake: 1. A --> B: SYN with seq(A). 2. A <-- B: SYN with seq(B), ACK with seq(A+1). 3. A --> B: ACK with seq(B+1) |
| What are the two modes of FTP operation? | PORT (active) - client opens a random port >1023, sends it to the server, and waits for a connection; server initiates the data connection with source port 20. PASV (passive) - client opens a random port and sends it to the server on port 21; server opens a random port >1023 and sends it to the client's port; client initiates both the control and data connections |
| What is the format of the AH header in IPSec? | [next header \| payload len \| reserved] [security parameter index (SPI)] [seq #] [auth data...]. SPI - identifies the SA. Auth data - may contain additional padding for the integrity check |
| What are the NAC user roles and their characteristics? | 1. Unauthenticated - default system role for unauthenticated users; web login users are placed here while network scanning is being performed. 2. Normal login - authenticated users. 3. Client posture assessment: 3a. Agent temporary - agent users while requirements are still being checked. 3b. Quarantine - placed here when network scanning detects vulnerabilities |
| What are the steps for the RSA encrypted nonces authentication method? | 1. Each peer generates a nonce (random number). 2. The nonces are encrypted and exchanged. 3. Each peer makes an authentication key from both nonces and some other info. 4. The generated key is run through a hash. 5. The hash values of the peers are compared (should be the same) for authentication |
| What are the two stages of an L2TP tunnel connection? | 1. Control session setup - set up between LAC & LNS; identifies the peers and their L2TP version, etc. 2. Session establishment - actual setup of the tunnel for data transfer |