Part II: Perimiter Security

The IOS router's privileged mode, accessed by entering the enable command and the correct password, has a privilege level of 15. This level allows the user to access and configure all router commands and features.

It is also a trick question! Cisco recommends that passwords should be at least 10 characters in length, but there is no default rule.Passwords can be blank. That is why this chapter stresses basics such as best practices for passwords.

SDM stands for Security Device Manager, which is a Cisco IOS feature that provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router. It also offers multiple "smart wizards" and configuration tutorials, making it easier for network administrators to set up and manage their routers. This tool simplifies the configuration process and allows administrators to quickly and efficiently configure various network features without the need for extensive command-line knowledge.

A CLI view is different from a privilege level because it only supports the commands that are specifically configured for that view. On the other hand, a privilege level supports not only the commands available at that level but also all the commands available at lower levels. This means that a user with a higher privilege level can access and execute a wider range of commands compared to a user with a specific CLI view.

The correct answer is "Authentication, authorization, accounting." This order represents the steps in a typical security protocol. Authentication verifies the identity of a user, authorization determines what actions they are allowed to perform, and accounting keeps track of their activities for auditing purposes.

Flash drives can be used to store configuration files, which are used to configure network devices. They can also be used to store digital certificates, which are used for authentication and encryption purposes. Additionally, flash drives can be used to store a copy of the IOS image, which is the operating system software that runs on Cisco devices. Storing a username/password database is not a common use for a flash drive in this context.

The correct answer is "aaa new-model" because this command is used in global configuration mode to enable AAA (Authentication, Authorization, and Accounting). AAA provides a framework for controlling access to network resources, authenticating users, and tracking their activities. By enabling AAA with the "aaa new-model" command, the network administrator can implement security measures and manage user access more effectively.

Clicking the Configure button along the top of Cisco SDM's graphical interface allows the user to access additional tasks for configuring features such as SSH, NTP, SNMP, and syslog. These additional tasks are separate from the main tasks and options provided in the interface, and they provide a way to configure specific features that are not included in the default configuration options.

The other choices are made up and don’t appear in any context with Cisco network security.

The correct answer is "Configure > Additional Tasks > AAA". This option is the most appropriate because it specifically mentions "Additional Tasks", indicating that it is an additional configuration option for AAA. The other options do not mention "Additional Tasks" and may not provide the necessary settings for enabling AAA through the SDM.

MIB stands for Management Information Base. It is a database that defines the structure and properties of management objects in a managed device. MIB contains information about the device's resources and activity, allowing network administrators to monitor and manage the device effectively. It provides a standardized way to organize and access information from network devices, enabling network management systems to retrieve and manipulate data from these devices using protocols like SNMP (Simple Network Management Protocol). Therefore, MIB defines the structure of management objects in a managed device.

SNMPv3 is not part of the Cisco SDM Security Audit Wizard.

Cisco recommends using Version 3 of the Simple Network Management Protocol (SNMP) for network management. This version provides enhanced security features, including authentication and encryption, which are crucial for protecting sensitive network information. Version 3 also offers improved performance and scalability compared to previous versions, making it the preferred choice for SNMP implementation in Cisco networks.

This is a bit of a trick question. Yes, there are some known vulnerabilities with synchronizing clocks with external time sources, but these are outweighed by the advantage of having all network devices’ clocks synchronized to a single time source.

The correct answer is "A delimiter indicating the beginning and end of a message of the day." In the banner motd # command, the "#" symbol is used as a delimiter to indicate the start and end of the message of the day. It helps to separate the actual message from the rest of the configuration and makes it easier to identify the MOTD section.

To define the authentication method that will be used with AAA, a method list is used. A method list is a logical grouping of authentication methods that are applied in a specific order. When configuring AAA, the administrator can create a method list and specify the authentication methods to be used, such as local authentication, RADIUS, or TACACS+. This allows for flexibility in defining the authentication process and determining the order in which methods are attempted for user authentication.

The bootset refers to the files that are securely stored by the Cisco IOS Resilient Configuration feature to protect a router's image and configuration against an attacker's attempt to erase them. These files are essential for the proper functioning of the router and are kept secure to ensure the integrity and availability of the device's configuration.

AAA stands for Authentication, Authorization, and Accounting. It is a framework used for controlling access to computer resources. The question asks for authentication methods that can be used with AAA. Local authentication refers to the use of credentials stored locally on the device. TACACS+ and RADIUS are both network protocols used for authentication, authorization, and accounting. TACACS+ provides separate authentication, authorization, and accounting services, while RADIUS combines all three functions. Therefore, the correct answers are Local, TACACS+, and RADIUS.

RADIUS (Remote Authentication Dial-In User Service) is a protocol used for authentication and authorization in network services. It operates over UDP (User Datagram Protocol). UDP port 1645 is the standard port used for RADIUS authentication, while UDP port 1812 is used for RADIUS accounting. TCP ports 2000 and 2002 are not commonly associated with RADIUS, and TCP port 49 is used for TACACS (Terminal Access Controller Access-Control System) rather than RADIUS. Therefore, the correct answer is UDP port 1645 and UDP port 1812.

The "quiet period" refers to the period of time in which virtual login attempts are blocked following repeated failed login attempts. This means that if there are multiple unsuccessful login attempts, the system will temporarily block any further login attempts from that source for a certain period of time. This is a security measure to prevent brute-force attacks or unauthorized access to the system. During the quiet period, the system will not accept any login attempts from the source that triggered the block.

SDM (Security Device Manager) can be run from a router's flash memory, allowing users to access and manage the router's security features directly from the device. Additionally, SDM can also be run from a PC, enabling users to access and manage the router's security features through a web-based interface on their computer. Running SDM from a router's flash and from a PC are two options for utilizing the SDM software.

AutoSecure is an automated approach for hardening the security of a Cisco IOS router. It is a feature that automatically applies a set of recommended security configurations to the router, making it more secure against potential vulnerabilities.

Cisco SDM's One-Step Lockdown is another automated approach for hardening the security of a Cisco IOS router. It is a feature of Cisco Security Device Manager (SDM) that provides a simple and guided process to secure the router by enabling security features, configuring access control lists, and implementing other security measures.

Syslog logging level 4 is associated with warnings. The syslog logging levels range from 0 to 7, with level 0 being the most critical and level 7 being the least critical. Level 4 is considered as "Warning" level, which indicates potential issues or conditions that may require attention but are not critical. Therefore, in this case, the correct answer is 4.

The management topology that keeps management traffic isolated from production traffic is Out-of-Band (OOB). Out-of-Band management involves using a separate network or connection for managing devices, separate from the network used for regular data traffic. This ensures that management tasks and traffic do not interfere with or disrupt the production traffic, enhancing security and network performance.

The complete list is as follows:
. Disable unnecessary services and interfaces.
. Disable commonly configured management services.
. Ensure path integrity.
. Disable probes and scans.
. Ensure terminal access security.
. Disable gratuitous and proxy ARP.
. Disable IP directed broadcasts.

The correct answer is "It specifies the login authentication method list named console-in using the local user database on the router." This means that when a user tries to log in to the router via the console port, the router will use the specified authentication method list (console-in) and check the credentials against the local user database on the router.

NTP (Network Time Protocol) can best help administrators correlate events appearing in a log file. NTP is a protocol used to synchronize the time of devices on a network. By ensuring that all devices have the same accurate time, administrators can easily correlate events in log files, as the timestamps will be consistent across all devices. This can be particularly useful when troubleshooting network issues or investigating security incidents.

The Cisco minimum recommended modulus value for SSH configuration is 1024 bits. This refers to the size of the encryption key used in the SSH protocol. A larger modulus value provides stronger encryption and enhances security. However, a modulus value of 1024 bits is considered the minimum recommended by Cisco, indicating that it provides a reasonable level of security while balancing performance.

This is a trick question. The question is not which protocols does Cisco Secure ACS work with to authenticate to an external database. If that was the question, you could choose everything in the list. Answers D and E are correct because only RADIUS and TACACS+ are choices for protocols that work between the AAA client (the Cisco IOS router) and the AAA server (Cisco Secure ACS).

The aaa accounting command should be issued from the Global configuration mode to configure accounting in AAA. Global configuration mode allows the user to make changes to the global configuration of the device, including configuring AAA accounting. This mode provides access to a wide range of configuration commands that affect the entire system. By issuing the aaa accounting command in this mode, the user can configure the necessary accounting settings for AAA.

The command "aaa authentication enable default" should be used to enable AAA authentication to determine if a user can access the privilege command level. This command sets the default authentication method for enabling privileged commands, using the local database as the authentication source.

The question is asking for a consideration that is not relevant when setting up technical controls for secure logging. The options provided all relate to important considerations when setting up technical controls for secure logging, such as ensuring the confidentiality of logs, centralizing log events from multiple devices, and determining the most critical and important logs to track. Therefore, the correct answer is "None of the above" as all the options provided are considerations for setting up technical controls in support of secure logging.

not-available-via-ai

not-available-via-ai

The correct answer is "exec-timeout 0 0". This command sets the timeout for the line to 0 minutes and 0 seconds, effectively disabling the timeout due to inactivity.

During the authentication process, the TACACS+ daemon may provide the NAS (Network Access Server) with three valid responses: Accept, Reject, and Continue. "Accept" indicates that the authentication is successful and the user is granted access. "Reject" signifies that the authentication failed, and access is denied. "Continue" means that further authentication steps are required before a final decision can be made. The other options, "Approved" and "Failed," are not valid responses that the TACACS+ daemon would provide.

The correct answer is Security Audit, VPN, and NAT. These three options are valid SDM (Security Device Manager) configuration wizards. SDM is a web-based device management tool used to configure and manage Cisco networking devices. The Security Audit wizard helps in auditing the security settings of the device, ensuring that it is properly configured. The VPN wizard assists in setting up Virtual Private Network connections for secure communication. The NAT (Network Address Translation) wizard enables the configuration of NAT, allowing private IP addresses to be translated to public IP addresses for internet access.

Answer B is the command that displays detailed statistics
of all logged in users. Answer C is used to display current sessions of users who have been authenticated, authorized, or accounted by the AAA module. The command in answer D doesn’t exist.

The correct answer includes stateful firewall, IPS, VRF-aware firewall, and VPN as IOS security features. A stateful firewall is a security device that monitors the state of network connections and filters traffic based on context. IPS (Intrusion Prevention System) is a security technology that detects and blocks network threats in real-time. VRF-aware firewall is a feature that allows the creation of separate virtual routing and forwarding instances with their own firewall policies. VPN (Virtual Private Network) is a secure network connection that enables users to access a private network over a public network, providing encryption and authentication. These features help enhance the security of IOS devices.

not-available-via-ai

Answer D is a trick because that command doesn’t exist and
answer A is just plain wrong. Answer C is tricky too because we learn in this chapter that passwords on the router are not encrypted unless we use the service passwordencryption command.

SNTP stands for Simple Network Time Protocol and is considered less secure than NTP. NTPv3, on the other hand, is more secure because it implements cryptography and authentication between NTP peers.

This is a bit of a trick question because answer B enables configuration from not only the terminal but also from other sources. The syntax of the other (but wrong) answers is all mixed up.

After the security authentication failure command has been issued, an IOS router's default response is to suspend the login process for 15 seconds after 10 unsuccessful login attempts. This is a security measure to prevent brute-force attacks and unauthorized access to the router. By suspending the login process, it slows down the attacker's ability to guess passwords and provides a temporary block to protect the router from repeated login attempts.

Cisco Secure ACS 4.0 for Windows provides three features: Cisco NAC support, Network access profiles, and Machine access restrictions. Cisco NAC support allows for Network Access Control, which helps to ensure that only authorized devices can access the network. Network access profiles enable administrators to define different levels of access for different users or groups. Machine access restrictions allow administrators to restrict network access based on specific machine characteristics, such as operating system or hardware.

A design goal for a secure network is to try to separate management traffic from the production networks wherever possible. Answer A is the opposite. The other answers are incorrect because they are not used in this context.

The Access-Request RADIUS message type contains AV (Attribute-Value) pairs for username and password. This message type is used by a RADIUS client to initiate the authentication process with a RADIUS server. The AV pairs within the Access-Request message include the user's credentials, such as the username and password, which are necessary for the server to verify and authorize the user's access.

Answer B is correct because you do not need special software on an IP host in order to enable AAA for the network. Answer E is correct because the Cisco Secure ACS Solution Engine is an appliance that comprises a selfcontained AAA server solution. It is not an add-on module for a router, and the router is the AAA client in this scenario anyway.

When designing an AAA solution, remote administrative access is also known as character mode. Another name for remote network access is packet mode.

Cisco ISRs do not contain integrated Power over Ethernet
(PoE) ports or VoIP ports or Firewire ports. Some of the features are available as option cards on modular ISRs.