Chapter 34 - Securing Network Devices

Question 1

What command can you use to encrypt passwords that are currently stored in the router as plain text?

Answer 1

‘service password-encryption’

• This only encrypts passwords and not secrets as secrets are already encrypted

Question 2

When using the ‘enable secret <secret>' command, what is the encryption level set to by default?</secret>

Answer 2

5

Question 3

When using the ‘service password-encryption’ command, what is the encryption level set to?

Answer 3

7

Question 4

True or False. Entering ‘enable secret <secret>' and 'enable secret 5 <secret>' will do the same thing.</secret></secret>

Answer 4

False.

• When using ‘enable secret <secret>' you can enter the clear-text version of a password and login with the clear-text version</secret>
• When using ‘enable secret 5 <secret>' you must enter the MD5 encrypted version of your password and then to login you can use the unencrypted version. The password you enter after the 5 is the encrypted version of your actual password.</secret>

For example, entering ‘$1$mERr$YlCkLMcTYWwkF1Ccndtll.’ as the secret will allow you to login with secret ‘Cisco’.

Question 5

What is the encryption level for clear-text passwords and secrets?

Answer 5

0

Question 6

True or False. After using the ‘no service password-encryption’ command on an encrypted password it will automatically decrypt the password into its clear-text state.

Answer 6

False. You need to enter a new password which will be created as clear-text.

Question 7

True or False. ‘enable secret’ overrides ‘enable password’

Answer 7

True. If both are enabled use the secret.

Question 8

True or False. It is best practice to use ‘enable secret’ rather than ‘enable password’.

Answer 8

True. Secret is encrypted by default and therefore much more secure.

Question 9

What are the 2 more secure algorithm types on newer Cisco IOS versions?

Answer 9

• Type 8 - SHA-256 - ‘enable algorithm-type sha256 secret <secret>'</secret>
• Type 9 - Scrypt (uses SHA-256) - ‘enable algorithm-type scrypt secret <secret>'</secret>

These can also be used with the username command to create a more secure user login. Just swap ‘enable…’ for ‘username name…’

Question 10

What command could you use to deny certain addresses from accessing a Cisco device?

Answer 10

Create an access-list for the specific addresses and then enable it per vty or console line using the below command from line configuration mode:
- ‘access-class <ACL> in'
- You can also add 'out' at the end to stop users from using the 'telnet' or 'ssh' commands to access other devices from the console of this router. However it bases this decision on the destination address rather than the source.</ACL>

Question 11

What are some of the benefits of dedicated firewalls over router ACLs?

Answer 11

• Firewalls can inspect application layer data and connections to know what additional TCP and UDP ports are used by said connections and filter based on those.
• Firewalls can inspect traffic so thoroughly that it can filter based on the URI of a HTTP request.
• Firewalls (stateful) can keep state information by storing information about each packet and make decisions about filtering future packets in the same connection based on the historical state information. Cisco router ACLs are generally speaking stateless.

Question 12

What is an example of a stateful firewall being a security benefit over a stateless firewall?

Answer 12

• Stateful firewalls could assist when it comes to DOS attacks.
• They would have historical state information so they could see that a large amount of TCP connections have come from a particular address or small number of devices (characteristic of a DOS attack)
• However, in a stateless firewall it would not have this historical information so could not filter in this way.

Question 13

What is a Security Zone?

Answer 13

• Allows to define security rules based on where the connection comes from and add interfaces to define which rules apply to them.
• For example, you may have a security zone for the internal network and one for the internet. Your internet facing interfaces would be put in the internet security zone and have different rules applied compared to those on internal interfaces.
• You may allow new connections from internal to internet but not from internet to internal.

Question 14

What is a DMZ?

Answer 14

• De-Militarised Zone
• Used for devices that need to be accessible from outside your network (e.g. Web servers)

Question 15

What is an IPS?

Answer 15

• Intrusion Prevention System
• Has a database of known potential exploits and characteristics of them
• Monitors traffic for these characteristics to stop exploits (e.g. DoS, DDoS, Worms, Viruses)
• Generally uses rules defined by the IPS vendor rather than the company or its engineers

Question 16

What is NGIPS and NGFW?

Answer 16

• Next Generation Intrusion Prevention System
• Next Generation Firewall

Question 17

What is Cisco AVC?

Answer 17

• Application Visibility and Control
• Used by Next Generation Firewalls
• Instead of relying on port numbers to match data being set to or from certain applications, it can inspect application layer data.
• Useful in the event that attackers use non-standard ports to attempt to exploit a device.

Question 18

Benefits of an NGFW over a traditional firewall

Answer 18

• Uses AVC which can inspect packets based on application layer data rather than just transport layer
• Uses Advanced Malware Protection by looking out for things such as file transfers that could bring malware into the network and running analysis on the file
• Can use URL Filtering which categorises URLs and can filter and rate limit them based on their category. An example of a service that offers this is The Cisco Talos security group which keeps a database with a categorisation of each domain on the internet.
• Uses NGIPs

Question 19

Benefits of an NGIPS system over a traditional IPS

Answer 19

• Uses AVC which can inspect packets based on application layer data rather than just transport layer
• Allows for contextual awareness by gathering information from hosts (e.g. OS, software version, patches applied, applications running and sending/receiving data, open ports, etc.) and then using this to decide which vulnerabilities are less likely exist in which portion of the network so it can uses its resources for more likely vulnerabilities and reduce the number of logged events
• Uses Reputation-Based Filtering in the same way that an NGFW uses URL Filtering.
• Provides logs based on Event Impact Level so that technicians can easily interrogate the logs and decide where to focus efforts.