What does "Asset" mean? | Anything of value to the organization (documents, information, etc.) |
What does "Threat" mean? | A potential danger to an asset (a hacker, a software bug, an environmental disaster) |
What does "Vulnerability" mean? | A weakness that a threat can exploit (an old bug, a missing patch) |
What are the three types of mitigation? | 1- Logical/technical mitigation
2- Physical mitigation
3- Administrative mitigation |
How do we apply logical/technical mitigation? | Type 1: Technical/Logical Mitigation:
- choosing the correct firewall
- choosing the correct IPS
- choosing the correct network design |
How do we apply administrative mitigation? | Things that you (the network admin) decide and enforce:
- policies and procedures
(the policies and procedures the company has agreed on)
- written documents
- background checks for new employees
- periodic security awareness training
- password rules: minimum length, complexity, and maximum age |
What are the alternatives to passwords? | Two-factor / multi-factor authentication (2FA/MFA):
- combines the password with another factor, such as a certificate or a biometric
- besides the password, the extra factor can be:
- a physical card (identity/smart card)
- a one-time password (mobile phone app)
- iris scan, fingerprint, face recognition |
What is physical mitigation? | Real-world, hands-on protection:
- securing the devices inside racks
- racks should have lockable metal/glass doors
- all racks should be installed in a secured data center (DC)
- racks and DCs can be secured using keys, cards, or
fingerprints |
What if the device wasn't locked properly (physically)
and someone connects to the console/AUX port? | Console and auxiliary ports can be protected
- either by configuring a specific password on each line (console 0, aux 0),
- or by defining local credentials and requiring them on those lines (login local). |
How do we protect privileged (enable) mode? | *Even if a user has logged in to the device, limit access to privileged EXEC by setting an
"enable secret" (preferred) or "enable password".
Use the command:
enable secret 1234567
("enable password 1234567" also works, but it stores the password in cleartext or as reversible type 7; "enable secret" stores a salted hash, and if both are set the secret is the one that applies.) |
What commands protect the AUX and console ports with a line password? | line console 0   (or: line aux 0)
 password 2456789
 login
 end |
How do we set local credentials? | Commands:
username afaf privilege 15 password 12356
(better: username afaf privilege 15 secret 12356, which stores a hash instead of a reversible string)
line console 0
 login local
 end |
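Why the cards above prefer "secret" over "password": IOS stores "enable password" and "username ... password" either in cleartext or, with "service password-encryption", as a "type 7" string, which is a fixed-key XOR obfuscation that anyone with the running config can reverse. The following is an added example, not part of the original course material; it implements the type 7 encode/decode so you can see this for yourself. The sample running-config and the "secret 5" line in it are constructed (the hash value is a placeholder, not a real hash).

```python
# Added example (not from the original flashcards): why "enable password" and
# "username ... password" are weak. With "service password-encryption" IOS stores
# them as "type 7": a Vigenere-style XOR against a fixed, public key. It is
# obfuscation, not hashing, so the cleartext is recoverable from the config.
# "enable secret" / "username ... secret" store a salted hash (type 5, or type
# 8/9 on newer IOS), which this script correctly reports as not reversible.
import re

# The fixed key Cisco IOS uses for type 7 encoding.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from a Cisco type 7 string.

    Format: two decimal digits giving the starting offset into TYPE7_KEY, then
    one hex byte per cleartext character, each XORed with the key character at
    the running offset.
    """
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 string must be a 2-digit salt followed by hex byte pairs")
    offset = int(encoded[:2])
    if offset >= len(TYPE7_KEY):
        raise ValueError("salt out of range")
    out = []
    for i in range(2, len(encoded), 2):
        byte = int(encoded[i:i + 2], 16)
        key_char = TYPE7_KEY[(offset + (i - 2) // 2) % len(TYPE7_KEY)]
        out.append(chr(byte ^ ord(key_char)))
    return "".join(out)


def type7_encode(cleartext: str, salt: int = 0) -> str:
    """Produce the type 7 string IOS would store (the inverse of type7_decode)."""
    if not 0 <= salt <= 15:
        raise ValueError("IOS salts are 0-15")
    out = [f"{salt:02d}"]
    for i, ch in enumerate(cleartext):
        key_char = TYPE7_KEY[(salt + i) % len(TYPE7_KEY)]
        out.append(f"{ord(ch) ^ ord(key_char):02X}")
    return "".join(out)


def recover_passwords(running_config: str) -> dict:
    """Scan a running-config for credentials; return {config line: cleartext or None}.

    "password 7 <hex>" lines are decoded. "secret 5/8/9 <hash>" lines map to None:
    those are hashes and cannot be reversed from the config alone.
    """
    found = {}
    for line in running_config.splitlines():
        line = line.strip()
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)$", line)
        if m:
            found[line] = type7_decode(m.group(1))
        elif re.search(r"\bsecret [589] \S+$", line):
            found[line] = None
    return found


# Constructed sample config. "094F471A1A0A" is the well-known type 7 encoding of
# "cisco"; the username line is encoded by this script; the "secret 5" value is a
# placeholder, not a real MD5-crypt hash.
SAMPLE_CONFIG = f"""
enable password 7 094F471A1A0A
username afaf privilege 15 password 7 {type7_encode('12356', salt=3)}
username admin secret 5 $1$salt$placeholder-not-a-real-hash
line console 0
 login local
"""

if __name__ == "__main__":
    for line, clear in recover_passwords(SAMPLE_CONFIG).items():
        shown = clear if clear is not None else "(hashed, not reversible)"
        print(f"{line:60} -> {shown}")
```

Run it against any saved IOS config: every "password 7" line comes back in cleartext in milliseconds, which is the practical reason to use "enable secret" and "username ... secret" everywhere.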
What is a VPN? | Virtual Private Network (VPN)
- How virtual? And how private?
- a tunnel is established across a shared network
- traffic of different customers is fully separated
- the traffic is encrypted end-to-end between the tunnel endpoints |
What are the two types of VPN? | - site-to-site VPN
- client (remote-access) VPN |
What are the two types of site-to-site VPN? | - Peer-to-peer VPN:
- the ISP participates in your routing: an IGP is needed for routing and forwarding in the ISP's network (the underlay)
- routing information is exchanged with the ISP at the edges
- Overlay VPN:
- you obtain a circuit (or tunnel) from the ISP
- the IGP is yours all the way; the ISP does not take part in your routing |
What is a client VPN? | - Client (remote-access) VPN
- for an individual end user
- requires VPN client software on the PC
- established remotely, over the Internet
- credentials are needed to authenticate the user
- the tunnel runs "PC - Router" (client to VPN gateway) |
What is an ACL? | Access Control List (ACL)
- specific permissions for users/networks
- rules are only "permit" or "deny"
- e.g., allow or deny some hosts/networks to or from the Internet
- applied per interface and direction (in/out), not to the router as a whole |
What are the types of ACL? | - Standard: decides on the source host/network only
- numbered 1-99 (expanded range 1300-1999)
- no detailed permissions (no destination, protocol, or port)
- Extended: uses source and destination hosts/networks, protocol, and ports/services
- numbered 100-199 (expanded range 2000-2699)
- specific, detailed permissions
- Named: a standard or extended ACL referenced by a name instead of a number; entries are written in a sub-configuration (hierarchical) mode
Every ACL ends with an implicit "deny any". We apply ACLs at checkpoints (inside/outside interfaces). |
Some important standard ACL commands? | access-list <number> deny 10.10.10.0 0.0.0.3   (wildcard 0.0.0.3 matches 10.10.10.0 to 10.10.10.3)
access-list <number> permit any   (needed: without it the implicit deny blocks everything)
To apply it on an interface:
interface <name>
 ip access-group <number> in|out
To verify:
show access-lists |
Some important extended named ACL commands? | ip access-list extended Afaf
 deny ip 19.10.10.0 0.0.0.15 10.10.1.0 0.0.0.15   --> deny this network from reaching this network (syntax: <src> <src-wildcard> <dst> <dst-wildcard>; the source wildcard here is assumed)
 deny ip host 19.10.10.1 10.10.1.0 0.0.0.15   --> deny this host from reaching this network ("host x" means "x 0.0.0.0")
 permit ip any any
Applying it on an interface:
interface <name>
 ip access-group Afaf in |
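To make the matching rules behind the two ACL cards above concrete, here is an added Python model (not part of the original course material, and not how IOS is implemented) of how an ACL is evaluated: wildcard-mask matching, top-down first-match, and the implicit "deny any" at the end. It encodes the page's standard ACL and the named extended ACL "Afaf"; the source wildcard 0.0.0.15 on the network entry and the extra telnet (tcp/23) entry are assumptions added to show destination-port matching. The packets at the bottom are constructed.

```python
# Added example (not from the original flashcards): a model of how IOS evaluates
# standard and extended ACLs. Entries are checked top-down, the first match wins,
# and every ACL ends with an implicit "deny any". A wildcard mask is the inverse
# of a subnet mask: a 0 bit must match, a 1 bit is "don't care".
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under an IOS wildcard mask (1 bits are ignored)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")   # the keyword "any"


def host(ip: str) -> tuple:
    """The keyword "host x" is shorthand for "x 0.0.0.0" (match exactly one address)."""
    return ip, "0.0.0.0"


@dataclass
class Entry:
    action: str                          # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"                 # standard ACLs have no destination field,
    dst_wc: str = "255.255.255.255"      # so the default matches any destination
    proto: str = "ip"                    # "ip" matches all; else "tcp"/"udp"/"icmp"
    dst_port: Optional[int] = None       # extended ACLs may match a destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dport:
            return False
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def evaluate(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return "permit" or "deny" for one packet: the first matching entry wins."""
    for entry in acl:
        if entry.matches(proto, src, dst, dport):
            return entry.action
    return "deny"  # the implicit "deny any" at the end of every ACL


# The page's standard ACL: block 10.10.10.0-10.10.10.3, permit everything else.
STANDARD_10 = [
    Entry("deny", "10.10.10.0", "0.0.0.3"),
    Entry("permit", *ANY),
]

# The same ACL with "permit any" forgotten: the implicit deny then blocks all traffic.
STANDARD_FORGOT_PERMIT = [Entry("deny", "10.10.10.0", "0.0.0.3")]

# The page's extended named ACL "Afaf". The source wildcard on the network entry
# (0.0.0.15) is an assumption; the telnet entry is added here to show port matching.
EXTENDED_AFAF = [
    Entry("deny", "19.10.10.0", "0.0.0.15", "10.10.1.0", "0.0.0.15"),
    Entry("deny", *host("19.10.10.1"), "10.10.1.0", "0.0.0.15"),
    Entry("deny", *ANY, "10.10.1.0", "0.0.0.15", proto="tcp", dst_port=23),
    Entry("permit", *ANY, *ANY),
]


if __name__ == "__main__":
    # Constructed packets (proto, src, dst, dport) showing first-match and the implicit deny.
    packets = [
        ("ip", "10.10.10.2", "8.8.8.8", None),
        ("ip", "10.10.10.4", "8.8.8.8", None),
        ("tcp", "19.10.10.1", "10.10.1.5", 80),
        ("tcp", "203.0.113.7", "10.10.1.9", 23),
        ("tcp", "203.0.113.7", "10.10.1.9", 22),
    ]
    for name, acl in (("standard 10", STANDARD_10),
                      ("forgot permit", STANDARD_FORGOT_PERMIT),
                      ("extended Afaf", EXTENDED_AFAF)):
        for p in packets:
            print(f"{name:14} {p[0]:4} {p[1]:>12} -> {p[2]:<12} port {str(p[3]):>4}: {evaluate(acl, *p)}")
```

The "forgot permit" list is the classic mistake the "permit any" card warns about: an ACL with only deny entries denies everything, because the implicit deny is always the last entry.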
What is port security? | - A switch port connects whatever is plugged into it immediately
- a limitation is needed on the switch ports
- this limitation can be:
- the number of MAC addresses the port may learn
- only statically assigned MAC addresses are allowed to connect
- a combination of the two above |
Important things to do when applying port security? | *All Cisco switch ports are "dynamic" (DTP) by default; make them access ports first (switchport mode access), otherwise port security cannot be enabled
*Secure MAC addresses don't age out by default; configure aging (switchport port-security aging time ...) if learned addresses should expire
*"Sticky" is a third option besides static and dynamic: MACs learned dynamically on the port are saved into the running config as static secure addresses (switchport port-security mac-address sticky) |
What happens when an unallowed MAC hits the port (port security violation)? | Violation modes:
1- Shutdown (default): the port goes err-disabled and stops forwarding until it is re-enabled
2- Protect: frames from the unknown MAC are dropped silently
3- Restrict: frames are dropped, the violation counter is incremented and the event is logged (syslog/SNMP) |
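The three port security cards above describe a small state machine; the following is an added Python model of it (not part of the original course material, and not switch code) so the maximum, sticky learning and the three violation modes can be exercised side by side. The log strings are modelled on IOS syslog mnemonics, not captured output, and the MAC addresses are constructed.

```python
# Added example (not from the original flashcards): the per-frame decision port
# security makes on a Cisco access port, modelled in Python. It covers the
# maximum number of secure MACs, sticky learning (learned MACs written to the
# running config as static entries) and the three violation modes: shutdown
# (err-disable the port; the default), protect (drop silently) and restrict
# (drop, count and log). Log lines are modelled on IOS mnemonics, not captured.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>   (default 1)
    violation: str = "shutdown"      # shutdown | protect | restrict          (default shutdown)
    sticky: bool = False             # switchport port-security mac-address sticky
    static: set = field(default_factory=set)            # switchport port-security mac-address <mac>
    learned: set = field(default_factory=set)           # dynamically learned secure MACs
    running_config: list = field(default_factory=list)  # lines that sticky learning adds
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.violation not in ("shutdown", "protect", "restrict"):
            raise ValueError("violation must be shutdown, protect or restrict")
        if len(self.static) > self.maximum:
            raise ValueError("more static secure MACs than the configured maximum")

    def secure_macs(self) -> set:
        return self.static | self.learned

    def ios_config(self) -> list:
        """Interface configuration this object corresponds to; the port must be access, not dynamic."""
        lines = ["switchport mode access", "switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        return lines

    def frame(self, src_mac: str) -> str:
        """Decide the fate of a frame with this source MAC: "forward" or "drop"."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                                # port is down until recovered
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)                    # room left: learn it
            if self.sticky:                              # ... and persist it to the config
                self.running_config.append(f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Unknown MAC and the table is full: a violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}")
        elif self.violation == "restrict":
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac} on {self.name}")
        return "drop"                                    # protect: dropped silently, no log


if __name__ == "__main__":
    port = SecurePort("Gi0/1", maximum=2, violation="restrict", sticky=True)
    print("\n".join(" " + line for line in port.ios_config()))
    for mac in ("aaaa.bbbb.0001", "aaaa.bbbb.0002", "aaaa.bbbb.0003", "aaaa.bbbb.0001"):
        print(f"{mac}: {port.frame(mac)}")
    print("violations:", port.violations, "| sticky lines:", port.running_config)
```

Note the operational difference the model makes visible: in shutdown mode one stray device takes the port, and every legitimate host on it, offline; restrict keeps the known hosts working and still leaves evidence in the log.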
What is DHCP snooping? | - A rogue DHCP server will answer your "Discover" message.
- Computers accept the first offer they receive.
- Snooping marks an interface as trusted: only trusted interfaces may deliver DHCP server messages (Offer/Ack); server messages arriving on untrusted ports are dropped.
- It also builds a binding table (MAC, IP, VLAN, port) from the leases it sees.
- Applied per VLAN.
*A rogue server that hands out itself as the gateway acts as a "man in the middle", which is an attack. |
Important DHCP snooping commands? | ip dhcp snooping   (global: enable the feature)
ip dhcp snooping vlan 1   (global: apply it to the VLAN)
- on the interface toward the real DHCP server (or the uplink):
 ip dhcp snooping trust
- then on the router that relays to, or acts as, the trusted DHCP server:
ip dhcp relay information trust-all   (accept the option-82 information the switch inserts) |
What is DAI? | Dynamic ARP Inspection
ARP requests are broadcast, so everyone on the VLAN sees you trying to
reach your gateway (GW) for any purpose.
- Someone might answer with a forged reply and claim to be the GW!!!!
*That is a man in the middle.
- DAI inspects ARP packets arriving on untrusted interfaces and forwards only those whose sender IP/MAC pair is valid; trusted interfaces bypass inspection. |
How does DAI work? | - It uses the DHCP snooping binding database to validate the sender IP/MAC of each ARP packet.
- After inspecting, it either forwards the ARP or drops it (and logs the drop).
*Hosts with static IPs never used DHCP, so they have no binding and their ARPs are dropped!
Solution?
- trust the port, or
- create an ARP ACL listing the static host's IP and MAC |
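The DHCP snooping and DAI cards above describe two features that share one data structure, the binding table. The following is an added Python model of both (not part of the original course material, and not switch firmware) that walks through the scenario the cards describe: a rogue server answering a Discover, a legitimate lease creating a binding, an ARP reply claiming to be the gateway, and a statically addressed host whose ARP is dropped until an ARP ACL is added. Port names, VLAN, MACs and addresses are constructed.

```python
# Added example (not from the original flashcards): DHCP snooping and Dynamic ARP
# Inspection (DAI) modelled as the per-packet decisions a switch makes. Ports are
# trusted or untrusted. Snooping drops DHCP server messages (Offer/Ack/Nak) that
# arrive on untrusted ports and builds a binding table (VLAN, MAC, IP, port) from
# the leases it sees; DAI then validates the sender IP/MAC of ARP packets from
# untrusted ports against that table, or against an ARP ACL for static hosts.
from dataclasses import dataclass, field
from typing import Optional

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a real DHCP server should send these


@dataclass
class Binding:
    vlan: int
    mac: str
    ip: str
    port: str


@dataclass
class Switch:
    trusted_ports: set                               # ip dhcp snooping trust (also trusted for DAI)
    snooping_vlans: set                              # ip dhcp snooping vlan <n>
    bindings: dict = field(default_factory=dict)     # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)      # (vlan, mac) -> port of a client mid-lease
    arp_acl: dict = field(default_factory=dict)      # vlan -> {ip: mac} for static hosts
    log: list = field(default_factory=list)

    def dhcp(self, port: str, vlan: int, msg: str, client_mac: str,
             yiaddr: Optional[str] = None) -> str:
        """DHCP snooping decision for one DHCP message: "forward" or "drop"."""
        if vlan not in self.snooping_vlans:
            return "forward"                         # feature not enabled on this VLAN
        if msg in SERVER_MESSAGES:
            if port not in self.trusted_ports:
                self.log.append(f"drop {msg} from rogue DHCP server on {port} vlan {vlan}")
                return "drop"
            if msg == "ACK" and yiaddr:
                # Lease is final: bind the client MAC to its IP and the port it asked from.
                client_port = self.pending.pop((vlan, client_mac), None)
                if client_port is not None:
                    self.bindings[(vlan, client_mac)] = Binding(vlan, client_mac, yiaddr, client_port)
            return "forward"
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, client_mac)] = port  # remember where the client lives
        elif msg == "RELEASE":
            self.bindings.pop((vlan, client_mac), None)
        return "forward"

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """DAI decision for one ARP packet (request or reply): "forward" or "drop"."""
        if port in self.trusted_ports:
            return "forward"                         # trusted ports bypass inspection
        binding = self.bindings.get((vlan, sender_mac))
        if binding and binding.ip == sender_ip and binding.port == port:
            return "forward"                         # matches the DHCP snooping binding
        if self.arp_acl.get(vlan, {}).get(sender_ip) == sender_mac:
            return "forward"                         # static host permitted by ARP ACL
        self.log.append(f"DAI drop on {port} vlan {vlan}: {sender_mac} claims {sender_ip}")
        return "drop"


def scenario() -> Switch:
    """Constructed walk-through: rogue server, real lease, gateway spoof, static host."""
    sw = Switch(trusted_ports={"Gi0/24"}, snooping_vlans={1})  # Gi0/24 = uplink to the real server
    sw.dhcp("Gi0/1", 1, "DISCOVER", "aa:aa:aa:aa:aa:01")
    sw.dhcp("Gi0/2", 1, "OFFER", "aa:aa:aa:aa:aa:01", "10.0.0.50")   # rogue on an access port: dropped
    sw.dhcp("Gi0/24", 1, "OFFER", "aa:aa:aa:aa:aa:01", "10.0.0.10")  # real server via trusted uplink
    sw.dhcp("Gi0/1", 1, "REQUEST", "aa:aa:aa:aa:aa:01")
    sw.dhcp("Gi0/24", 1, "ACK", "aa:aa:aa:aa:aa:01", "10.0.0.10")    # binding created
    sw.arp("Gi0/1", 1, "aa:aa:aa:aa:aa:01", "10.0.0.10")             # legitimate: forwarded
    sw.arp("Gi0/2", 1, "aa:aa:aa:aa:aa:02", "10.0.0.1")              # claims to be the GW: dropped
    sw.arp("Gi0/3", 1, "aa:aa:aa:aa:aa:03", "10.0.0.20")             # static host, no binding: dropped
    sw.arp_acl[1] = {"10.0.0.20": "aa:aa:aa:aa:aa:03"}               # fix: ARP ACL for the static host
    sw.arp("Gi0/3", 1, "aa:aa:aa:aa:aa:03", "10.0.0.20")             # now forwarded
    return sw


if __name__ == "__main__":
    for line in scenario().log:
        print(line)
```

The scenario ends with three log lines: the rogue Offer, the gateway spoof, and the static host's first ARP. That last one is the operational surprise the DAI card warns about, and the ARP ACL (or trusting the port) is what clears it.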
What is AAA? | Authentication, Authorization, and Accounting
- AAA is the security framework for the management plane
- it controls everything about everyone allowed/denied
access to the network and its devices |
Authentication? | - verifies credentials (who you are)
- contacts the AAA server to check whether
those credentials are valid |
Authorization? | - determines what the authenticated user is allowed to do
- contacts the AAA server to check the privileges of
those credentials |
Accounting? | - records what the user did and for how long (session start/stop, commands executed)
- produces the statistics used for auditing and billing |