Basic Network Security
- Betty Merritt
- 5 years ago
1 Basic Network Security
2 Basic Network Security. Split up the attack surfaces: management plane, control plane, data plane.
3 Management Plane. Protecting your access.
4 Physical Security. Talking about your equipment. This includes routers and switches, network and power cables, UPSs and racks.
5 Physical Security. Can people steal your equipment? Can they get physical access to it? Can they get to your cables? If people can steal your equipment, that's going to cause an outage. (Happened at Citylink.)
6 Verizon
7 O2
8 Physical Security. Physical access? So maybe they can't take off with the equipment. If people can steal your equipment, that's going to cause an outage. (Happened at Citylink.)
9 Cabling. Running tidy cabling is a network stability issue. Using cable bars to run cables helps to prevent accidental pulls of copper cables or macro bends of optical cables.
10 Cabling. Don't use zip ties or staple guns to attach cables. Use Velcro cable ties: easier, less likely to damage the cable, and they don't require cable snips to remove. Make tidy cabling easy, then it will be easier to keep tidy.
11 Cabling. Label the cable! It prevents accidental unplugging of cables, and also makes it easier to detect cabling that isn't yours.
12 What are the attack vectors? Console cable: connect to the console. Flash card: could cause problems during a reboot. What are the dangers?
13 What are the attack vectors? Attacked from within: messy cables, unplug the wrong one. Unsecured: you could bump one. Are they all supposed to be there? What are the dangers?
14 Attacking cables? Yup, even the cables are an attack vector. But how? Which is more difficult to pull a passive signal off: fibre or copper?
15 Passive fibre tap? It's possible to detect this type of cable tapping, but it requires very strict monitoring.
16 Even the equipment
17 Even the equipment Note the MON ports in the above diagram. You can only detect this by auditing the ports.
18 Physical Security. No one expects you to secure all of it. It's just not feasible. I just want you to think about it. Perhaps think about where your management cables run, and about locking your cabinets.
19 Management Plane Protection. What is the management plane? A step back: let's look at router architecture.
20 Management Plane. The CEF table provides all the adjacency data for the forwarding hardware.
21 Management Plane. The CEF table is filled with data from the CPU.
22 Management Plane. Transit packets are forwarded only by the hardware plane. No CPU required.
23 Management Plane. This is called the receive path: packets that are destined for the router. Traffic to local IP addresses, non-IP traffic like CDP and IS-IS, and OSPF. Traffic like ICMP, BGP and SSH management. See show ip cef detail.
24 Management Plane. Then there is punt traffic. It's not destined for the router, but still gets sent to the CPU for processing because it's not just being forwarded: ACL logging, Cisco IOS firewall, IP options set, fragmentation required, ICMP unreachable generation required (MTU or TTL), malformed packets.
25 Management Plane. So when we talk about the management plane we are talking about protecting the CPU.
26 Management Plane. Packets on the receive path are processed on the onboard CPU (which is slow), the same CPU that processes BGP updates and OSPF convergence; transit traffic passes straight through the dedicated routing hardware. So it's best to use ACLs on the edge to drop unwanted management traffic, so that the least amount of traffic is processed on the management CPU.
27 Management Plane. There's no reason not to enable CEF (bugs not included). You can examine your CEF forwarding information with show cef ... and show ip cef:
  show cef interface
  show ip cef switching statistics
  show ip cef detail (warning, lots of output)
28 Management Plane. This makes the management plane a good target for disrupting the device's operation. How can that be done?
29 Points of Attack
30 Points of Attack
31 Remote Engineers. Enforce the use of cryptography: SSH, VPN, anything and everything.
32 Management Plane Protection. Telnet, SSH, SNMP, HTTP, MOP, TFTP... Things that affect your ability to interact with and configure the router. See show ip sockets and show tcp brief all.
33 Minimise Services. Don't run what you don't need. Need-to-know, for services.
34 Software Upgrades. Try to remain as up to date as possible. There are reasons they release new revisions of software: bug fixes, security enhancements.
35 Software Upgrades. Vulnerabilities rated 9 and above only:
  2014: Cisco 23, Juniper 5
  2015: Cisco 16, Juniper
38 Encrypted Passwords. service password-encryption. Don't use password <password>. Type 7: reversible, on purpose. Type 5: MD5 hash. Type 4: SHA-256. Why? Demo? MD5 hash brute forcing with Cain and Abel, John the Ripper. An ATI HD 5970 peaks at 5600M/s MD5 hashes. PBKDF2.
39 Type 5 vs Type 4. Type 5: seed + password hashed 1000 times with MD5. Type 4 (PBKDF2): 80-bit seed + password hashed 1000 times with SHA-256. Except without the seed, or 999 of the hashes :( So try to avoid Type 4.
40 Encrypted Passwords. Why is it a problem? Google this: inurl:"startup-config" username "secret 5" and inurl:"startup-config" username "password 7". How does it get out there? Perhaps your techs are leaking it, perhaps your vendors are. It's just a matter of time before SHA-256 is cracked or GPUs become fast enough.
41 Cracking Hashes. You can do it on a CPU, slowly. Using a GPU can speed it up by times. If it's worth money, just provision an Amazon EC2 instance. Free (assuming it's not your credit card). Each core on my Mac Mini can do about 11,000 hashes a second. A CPU can speed that up by
42 Encrypted Sessions. Telnet is dead, long live telnet. Use SSH, everything supports it. For Windows, SecureCRT or PuTTY. For Mac OS X or Linux it's baked in.
43 SSH advantages. The session is encrypted. The endpoint is verified. Can be used for authentication. Tapping a link won't recover the information if the data is encrypted. Makes man-in-the-middle attacks a lot more difficult. Password-less logins. Does everyone understand how these crypto schemes work?
44 SNMP Security. Check your equipment isn't using the community strings public and/or private. Allow traffic only from the management network. Use SNMPv3, it has encryption. I have seriously seen equipment like UPSs and environmental monitoring systems with community strings like that. I suggest a multiple-step approach: make the management traffic unrouteable, and block it at the edges AND at the device. Allocate infrastructure out of a single grouped range. Use SNMPv3 if possible; it's more complicated, but SNMPv2 is like telnet where SNMPv3 has SSH-like encryption.
45 SNMP default?
46 MOP. What is it? Maintenance Operation Protocol. Layer 2 protocol, MAC to MAC. It allows remote rebooting and console! Enabled by default since... Based on DECnet, a pure layer 2 protocol, it allows remote console. Why is that dangerous?
47 What other services are there? CDP, LLDP, TFTP, FTP, DNS, NTP.
48 CDP. Cisco Discovery Protocol. It enables SNMP-like functionality over layer two. It is active, in that it sends out beacons advertising itself, but it also accepts and processes CDP packets. No authentication. It allows for advertising SNMP contact details. The intended result is to allow nearby switches and routers to identify each other, making it very easy to map the network. But there's no authentication, so if it's enabled on a customer port the customer or a competitor can start to map your network and find useful things like management addresses. It also provides the software version of the device. Also, it's possible to attack the protocol.
49 CDP
50 CDP
51 LLDP. Link Layer Discovery Protocol. Very similar to CDP, but cross-platform. Provides more information than CDP. Still active, processes LLDP packets. No authentication. It's a cross-platform replacement for CDP, different in operation. Provides the following: port description, system name, system description, system capabilities, management address (!), port VLAN ID, PHY configuration status. LLDP-MED has even more.
52 TFTP. Trivial File Transfer Protocol. Used for transferring small files over a network. No authentication. Unreliable. What are you sharing with it? IOS images? Configuration?
53 FTP. File Transfer Protocol. More reliable. Has authentication. Uses TCP, which is an attack vector.
54 DNS. Domain Name System. Simple and generally reliable. Could be subverted and used for man-in-the-middle attacks. Can also be used to trigger buffer overflows.
55 NTP. Network Time Protocol. Used for providing synchronised time over a network to other networked devices. If subverted it can be used for replay attacks, or to confuse log files. It can also break billing data.
56 Reduce your attack surface. Your management network is not a public service. Be aware of your configuration. Restrict access.
57 Management Plane Protection Feature. Not supported on our simulated routers :( Designate interfaces as management interfaces via a CLI command. The device only accepts management traffic on a management interface. Simplifies using interface ACLs. Protocol support: SNMP (all versions), HTTP, HTTPS, FTP, TFTP, Telnet, SSH (v1 and v2). Interfaces supported: physical, sub-interfaces, tunnel (GRE/VTI). Does not impact traffic that is switched/routed through the device.
58 Management Plane Protection Feature. Simple to set up. Allows SSH and SNMP to the local system only via that interface. Drops all traffic to the local system on all other ports.
  !
  control-plane host
   management-interface GigabitEthernet0/3 allow ssh snmp
  !
59 Management Plane Protection Feature.
  router#show management-interface
  Management interface GigabitEthernet0/3
          Protocol        Packets processed
               ssh                        0
              snmp                        0
60 One Method. Routers individually secured. No overall filtering done. Filtering done on the router CPU?
61 Better Method. Defence in depth. Layers. Routers looking after each other. Every router acts like a bouncer for the whole network. Filtering traffic as soon as possible reduces dodgy traffic in the core.
62 Access Control. Out-of-band network. Make sure no other traffic runs over it. Make sure only management interfaces are in the network. Monitor the edge to make sure it doesn't leak.
63 What is an OOB? An out-of-band network is a network separated from your public, traffic-carrying infrastructure.
64 OOB
65 OOB
66 OOB. Service DoS or router crash.
67 OOB. Fault, or mis-configuration.
68 OOB
69 OOB
70 OOB
71 Why OOB? Running a separate OOB path helps with: leaking management information, DoS attacks, mis-configuration, device faults. It also assists in diagnostics, reducing response time and cost: costs in SLA pay-outs and in not having to send a tech on site to troubleshoot.
72 Separate OOB Network. Using RFC 1918 address space, or unrouted address space, is safest. Don't make it a wish list, make it a project. If you have your own network it can be super cheap to deploy. No need for QoS or advanced provisioning profiles, so the equipment can be cheap.
73 Got OOB? Some tips. Make it impossible to route customer traffic across it. Really impossible. It should be more reliable than your network, but with less strict SLAs. Via another provider? Use encryption. Terminal servers for direct console access are good for crashes. (Talk about my previous employer's network.) If you have fibre, cheap-as-chips SFPs in a cheap switch. Dial-up? ADSL? Cellular data.
74 Previous Employer. We used cheap Level One switches with fibre SFPs. Total cost less than $200 USD each including SFPs. It was possible to manage them but we chose not to: just an address, and we changed the default username and password.
75 Previous Employer. We built a nationwide gigabit network for less than $4000! (Not including installing 800 km of fibre.) We later upgraded to Cisco routers for routing when we wanted to use loops for automatic resilience. Kept the switches.
76 Can't get an OOB? Use IPsec tunnels between sites. Filter all traffic at the edge. Don't let your management traffic run unprotected over someone else's network. Have more than one IPsec box. Perhaps try for dial-in terminal servers. Double check you can't. If it's running over someone else's network then it's inside your core and management domain.
77 Public Address Space. Filter the traffic to your infrastructure addresses at the border, at every ingress point, customer and peer. Much more difficult to get right. So don't do it.
78 Either way, you'll still need to audit the address space. If you have an OOB, you need to audit that network too. Need to be on the lookout for rogue hardware, but also for WAPs that people might add :(
79 Address Allocation In security?
80 Addressing as Security. Allocate your addressing in blocks. Allocate customer addresses per POP. Make sure the allocations will scale to your network. The APNIC recommendation is to allocate customer space from the bottom and infrastructure from the top of your space. Don't make allocations too small, or else you'll need to make more allocations and then they won't be contiguous.
81 Graphically. /16: customer allocations; infrastructure allocations (/22).
82 Example? /16 total allocation.
  Infrastructure assignments: /27 loopbacks, /26 linknets.
  Customer allocations by site: /24 London linknets, /23 London customer assignments, /24 Frankfurt linknets, /23 Frankfurt customer assignments, ...
83 So how does this help? ACLs and configuration.
84 This is why. /16 is your covering announcement to everyone. /22: London peers and IXs. /22: Frankfurt peers and IXs. /24: filtered on all borders (that includes customers).
85 This is why. Smaller, more compact prefix lists. Smaller means easier to read. Easier to read means easier to get right.
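The addressing rule on slides 80 to 85 (customers per POP from the bottom of the block, infrastructure from the top, one aggregate per site) is easy to check by generating the plan and the resulting prefix lists. The following Python is an added example, not code from the slides: the 10.10.0.0/16 allocation, the site names and the prefix-list names are constructed, and it generalises the slide's figures into a function that carves any block the same way. The prefix-list lines use standard IOS syntax (ip prefix-list NAME seq N permit|deny PREFIX [le N]).

```python
import ipaddress

# Constructed example plan (not from the slides): an RFC 1918 /16 stands in
# for the provider's allocation; sizes follow the slide's example.
TOTAL = ipaddress.ip_network("10.10.0.0/16")
SITE_LEN = 22                                     # one /22 per POP (slide 84)
SITES = ["London", "Frankfurt"]
SITE_ROLES = [("customers", 23), ("linknets", 24)]
INFRA_ROLES = [("linknets", 26), ("loopbacks", 27)]


def _align_up(addr, plen):
    """Round an integer address up to the next boundary of a /plen block."""
    size = 1 << (32 - plen)
    return (addr + size - 1) // size * size


def carve_plan(total=TOTAL, sites=SITES, site_roles=SITE_ROLES, infra_roles=INFRA_ROLES):
    """Customer space per POP from the bottom of the block, infrastructure from the top."""
    plan = {}
    cursor = int(total.network_address)
    for site in sites:
        block_start = _align_up(cursor, SITE_LEN)
        block = ipaddress.ip_network((block_start, SITE_LEN))
        plan[site] = {"block": block}
        inner = block_start
        # Largest blocks first, so alignment never leaves holes inside the site block.
        for role, plen in sorted(site_roles, key=lambda r: r[1]):
            inner = _align_up(inner, plen)
            net = ipaddress.ip_network((inner, plen))
            if not block.supernet_of(net):
                raise ValueError(f"{site}: {role} /{plen} does not fit in {block}")
            plan[site][role] = net
            inner = int(net.broadcast_address) + 1
        cursor = int(block.broadcast_address) + 1
    # Infrastructure grows downward from the top of the allocation.
    top = int(total.broadcast_address) + 1
    plan["infrastructure"] = {}
    for role, plen in sorted(infra_roles, key=lambda r: r[1]):
        size = 1 << (32 - plen)
        top = (top - size) // size * size          # highest aligned block below top
        plan["infrastructure"][role] = ipaddress.ip_network((top, plen))
    if top < cursor:
        raise ValueError("customer and infrastructure allocations overlap")
    return plan


def covering_prefix(nets):
    """Smallest single prefix that contains every network in nets."""
    nets = list(nets)
    cover = nets[0]
    while not all(cover.supernet_of(n) for n in nets):
        cover = cover.supernet()
    return cover


def border_prefix_lists(plan, total=TOTAL):
    """One covering announcement, one aggregate per POP, and an ingress filter
    that denies the infrastructure block on every border (slide 84)."""
    lists = {"ANNOUNCE-ALL": [f"ip prefix-list ANNOUNCE-ALL seq 5 permit {total}"]}
    for site, nets in plan.items():
        if site == "infrastructure":
            continue
        name = f"ANNOUNCE-{site.upper()}"
        lists[name] = [f"ip prefix-list {name} seq 5 permit {nets['block']}"]
    infra = covering_prefix(plan["infrastructure"].values())
    lists["INGRESS-FILTER"] = [
        f"ip prefix-list INGRESS-FILTER seq 5 deny {infra} le 32",
        "ip prefix-list INGRESS-FILTER seq 10 permit 0.0.0.0/0 le 32",
    ]
    return lists


if __name__ == "__main__":
    for lines in border_prefix_lists(carve_plan()).values():
        print("\n".join(lines))
```

Because each POP is one aligned block and all infrastructure sits under one covering prefix, the whole border policy is a handful of lines; the ValueError paths are what fires when an allocation is made too small or out of order, which is the slide's warning about non-contiguous growth.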
86 AAA. Or how I learned to stop worrying and love Big Brother.
87 AAA. What is AAA? It's a centralised method of enforcing user-based policy. Not just for usernames and passwords. Can be used for network policy enforcement (dial-up). Can also be used for user policy on routers.
88 Triple A. What do the A's stand for? Authentication. Authorisation. Auditing.
89 Authentication. Please sir, can I log on? SSH keys. Username and password. 2-factor authentication: RSA, text to cellphone, etc.
90 Authorisation. Only once you have access. What am I permitted to do? What commands can I run? What resources can I see? From assigning a privilege level on login, to asking for an enable password, to per-command authentication.
91 Auditing. Event logging: accounts being logged in to, what privileges are requested, what commands are run. The logs can helpfully include the remote address that the connection is coming from.
92 TACACS+. Cisco's triple-A solution.
93 TACACS Terminal Access Controller Access-Control System
94 No TACACS+
95 No TACACS+. Very basic. You could set up privilege levels, assign commands to privilege levels, and assign users to those privilege levels. Configure on EVERY DEVICE.
96 Centralised Authentication
97 With TACACS+. Policy is recorded and stored on a central device. Adding, removing or modifying a user doesn't require touching every device! Per-command authorisation! Per-command logging!
98 But TACACS+ becomes an important service. So protect it: never run it on a public IP address. Certainly don't put it outside your network or in the cloud.
99 TACACS+. Your AAA server should be protected, for obvious reasons. What happens when it goes down? Got a Plan B?
100 Our Plan B We need to retain access.
101 Plan B. We need a second source of credentials to use. We don't want them to be usable during normal operation, only during failures.
102 Plan B. In the case of the AAA server becoming unreachable, we'll use a local username and password. It shouldn't use the local username and password if the AAA server returns access denied. The local, statically configured username and password should be changed regularly. The username and password should be stored in the jump kit.
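Several of the slides above reduce to things you can check in a running-config: the password storage types (slides 38 to 40), default SNMP community strings and missing source ACLs (slide 44), MOP and CDP left running (slides 46 and 48), the HTTP server (slide 32), and the Plan B ordering of the AAA login method list (slides 101 and 102). The following Python audit is an added example, not code from the talk or from any vendor tool; both configurations are constructed, and the usernames, community strings, Type 7 strings and hash values in them are placeholders. The IOS commands it recommends (enable secret, username ... secret, no ip http server, no cdp run, no mop enabled, and the aaa authentication login default group tacacs+ local method list) are standard IOS syntax.

```python
import re

# Constructed IOS-style running-config (not from the slides). Usernames,
# community strings and the Type 7 / Type 4 strings are placeholders, and the
# weaknesses the talk warns about are left in so the audit has something to find.
WEAK_CONFIG = """\
service password-encryption
enable password 7 094F471A1A0A
username ops password 7 13061E010803
username noc secret 4 PLACEHOLDERTYPE4HASHxxxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa authentication login default local group tacacs+
snmp-server community public RO
snmp-server community mgmt-ro RO 10
ip http server
interface GigabitEthernet0/1
 mop enabled
"""

# The same device after applying the talk's advice (also constructed).
FIXED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLAC$eholderType5HashXXXXXXXXX
username noc secret 5 $1$PLAC$eholderType5HashYYYYYYYYY
aaa new-model
aaa authentication login default group tacacs+ local
snmp-server community mgmt-ro RO 10
no ip http server
no cdp run
interface GigabitEthernet0/1
 no mop enabled
"""


def login_methods(config):
    """Methods of 'aaa authentication login default' in order, e.g. ['group tacacs+', 'local']."""
    for line in config.splitlines():
        m = re.match(r"aaa authentication login default (.+)$", line.rstrip())
        if m:
            return re.findall(r"group \S+|\S+", m.group(1))
    return []


def audit(config):
    """Return findings for the management-plane weaknesses covered in the talk."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]
    for line in lines:
        if re.match(r"enable password ", line):
            findings.append("enable password is Type 7/0 (reversible): use 'enable secret'")
        if re.match(r"username \S+ password ", line):
            findings.append(f"reversible password for user '{line.split()[1]}': use 'secret'")
        if re.match(r"(username \S+|enable) secret 4 ", line):
            findings.append("Type 4 secret (single unsalted SHA-256): re-enter as Type 5")
        if re.match(r"snmp-server community (public|private)\b", line):
            findings.append("default SNMP community string (public/private) configured")
        if re.match(r"snmp-server community \S+( R[OW])?$", line):
            findings.append(f"SNMP community with no source access-list: '{line}'")
        if line == "ip http server":
            findings.append("HTTP server enabled: 'no ip http server' unless needed")
        if line.strip() == "mop enabled":
            findings.append("MOP enabled on an interface: 'no mop enabled'")
    # Plan B: local must be the *last* method, so it is used only when the
    # TACACS+ server is unreachable, never when the server answers with a deny.
    methods = login_methods(config)
    if methods and "local" not in methods:
        findings.append("no 'local' fallback after the AAA server: lockout when it is down")
    elif methods and methods[-1] != "local":
        findings.append("'local' precedes the AAA server: local creds usable during normal operation")
    if "no cdp run" not in lines:
        findings.append("CDP running globally: 'no cdp run', or 'no cdp enable' on customer ports")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

The method-list check is the configuration form of the Plan B rule: IOS only moves on to the next method in a list when the previous one returns an error (server unreachable), not when it returns a failure (access denied), so group tacacs+ local gives exactly the behaviour the slide asks for, while local group tacacs+ makes the emergency credentials valid all the time.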
103 Quiz. What are the physical security dangers? What does SNMP stand for? What is the management plane? What does triple A stand for? What does OOB stand for? Time for something technical? What are the three encryption functions?
More informationTestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified
TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE Modified 2017-07-10 TestOut Routing and Switching Pro Outline- English 6.0.x Videos: 133 (15:42:34) Demonstrations: 78 (7:22:19) Simulations:
More informationCCNP (Routing & Switching and T.SHOOT)
CCNP (Routing & Switching and T.SHOOT) Course Content Module -300-101 ROUTE 1.0 Network Principles 1.1 Identify Cisco Express Forwarding concepts 1.1.a FIB 1.1.b Adjacency table 1.2 Explain general network
More informationUser Security Configuration Guide, Cisco IOS Release 15MT
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 2014 Cisco Systems, Inc. All rights
More informationIP Access List Overview
Access control lists (ACLs) perform packet filtering to control which packets move through a network and to where. The packet filtering provides security by helping to limit the network traffic, restrict
More information2015/07/23 23:32 1/8 More ibgp and Basic ebgp
2015/07/23 23:32 1/8 More ibgp and Basic ebgp More ibgp and Basic ebgp Objective: Connect your ISP to a Transit provider and the Internet Exchange Point using a combination of ISIS, internal BGP, and external
More informationIP Services Commands. Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services IP1R-157
Use the commands in this chapter to configure various IP services. For configuration information and examples on IP services, refer to the Configuring IP Services chapter of the Cisco IOS IP Configuration
More informationIt was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to
1 2 It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to keep putting garbage characters into the command
More informationAAA and the Local Database
This chapter describes authentication, authorization, and accounting (AAA, pronounced triple A ). AAA is a a set of services for controlling access to computer resources, enforcing policies, assessing
More informationExtended ACL Configuration Mode Commands
Extended ACL Configuration Mode Commands To create and modify extended access lists on a WAAS device for controlling access to interfaces or applications, use the ip access-list extended global configuration
More informationLab Configuring and Verifying Extended ACLs Topology
Topology 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.10.1
More informationITBraindumps. Latest IT Braindumps study guide
ITBraindumps http://www.itbraindumps.com Latest IT Braindumps study guide Exam : 300-101 Title : Implementing Cisco IP Routing Vendor : Cisco Version : DEMO Get Latest & Valid 300-101 Exam's Question and
More informationExam Questions SY0-401
Exam Questions SY0-401 CompTIA Security+ Certification https://www.2passeasy.com/dumps/sy0-401/ 1. A company has implemented PPTP as a VPN solution. Which of the following ports would need to be opened
More informationQUICK START GUIDE. STEP X - Name of Step LES1708A, LES1716A, LES1732A, LES1748A CONSOLE SERVERS
STEP X - Name of Step QUICK START GUIDE LES1708A, LES1716A, LES1732A, LES1748A CONSOLE SERVERS 24/7 TECHNICAL SUPPORT AT 877.877.2269 OR VISIT BLACKBOX.COM STEP 1 - Check Kit Contents PACKAGE INCLUDES
More informationCisco CCNA ACL Part II
Cisco CCNA ACL Part II Cisco CCNA Access List Applications This slide illustrates common uses for IP access lists. While this chapter focuses on IP access lists, the concept of access lists as mechanisms
More information2016/01/17 04:05 1/19 Basic BGP Lab
2016/01/17 04:05 1/19 Basic BGP Lab Basic BGP Lab Introduction The purpose of this exercise is to: Understand the routing implications of connecting to multiple external domains Learn to configure basic
More informationChapter 6: Network Layer
Chapter 6: Network Layer CCNA Routing and Switching Introduction to Networks v6.0 Chapter 6 - Sections & Objectives 6.1 Network Layer Protocols Explain how network layer protocols and services support
More informationConfiguring the Management Interface and Security
CHAPTER 5 Configuring the Management Interface and Security Revised: February 15, 2011, Introduction This module describes how to configure the physical management interfaces (ports) as well as the various
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More informationThe Loopback Interface
1 Overview The Loopback Interface ISP/IXP Workshops Requires IOS 11.1CC or 12.0 trains ISP software trains Covers router access, security, information gathering, configuration and scalability. 2 Motivation
More informationModule 11 Advanced Router Configuration
ISP Workshop Lab Module 11 Advanced Router Configuration Objective: Create a basic physical lab interconnection with two autonomous systems. Each AS should use OSPF, ibgp and ebgp appropriately to construct
More informationPacket Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI
Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI Topology Addressing Table R1 R2 R3 Device Interface IP Address Subnet Mask Default Gateway Switch Port G0/0 192.168.1.1 255.255.255.0
More informationIPsec NAT Transparency
The feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities
More informationContents. Introduction. Prerequisites. Background Information
Contents Introduction Prerequisites Background Information Limitation Configure Network Diagram Initial configuration R2 R3 IPSec configuration R2 EzPM configuration Workaround Verify Troubleshooting Related
More informationManage Your Inventory
About Inventory About Inventory, on page 1 Inventory and Cisco ISE Authentication, on page 2 Display Information About Your Inventory, on page 2 Types of Devices in the DNA Center Inventory, on page 6
More informationUniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL
UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL Contents: UniNets CCNA Security LAB MANUAL Section 1 Securing Layer 2 Lab 1-1 Configuring Native VLAN on a Trunk Links Lab 1-2 Disabling
More informationImplementing Cisco IP Routing (ROUTE)
Implementing Cisco IP Routing (ROUTE) COURSE OVERVIEW: Implementing Cisco IP Routing (ROUTE) v2.0 is an instructor-led five-day training course developed to help students prepare for Cisco CCNP certification.
More informationConnections, addressing and common configuration rules.
Lab #2 r9-1 r7 Lab 2 BGP AS 100 VLAN_21 r5 e1 3/11 fa0/0.25 fa0/0.15 3/6 2/1 2/1 VLAN_25 VLAN_15 IGRP AS 5 OSPF Area 5 BGP AS 65005 ISDN 3/1 504 Frame-Relay OSPF Area 0 VLAN_22 604 EIGRP AS 6 r9-0 OSPF
More informationTeacher s Reference Manual
UNIVERSITY OF MUMBAI Teacher s Reference Manual Subject: Security in Computing Practical with effect from the academic year 2018 2019 Practical 1: Packet Tracer - Configure Cisco Routers for Syslog, NTP,
More informationLARGE SCALE IP ROUTING
Building ISP Networks Xantaro Page 1 / 18 TABLE OF CONTENTS 1. LAB ACCESS 4 1.1 Accessing the Jumphost... 4 1.2 Access to your routers... 4 1.3 Local Network Topology... 5 1.4 Global Network Topology...
More informationPlatform Settings for Firepower Threat Defense
Platform settings for devices configure a range of unrelated features whose values you might want to share among several devices. Even if you want different settings per device, you must create a shared
More informationDefending Yourself Against The Wily Wireless Hacker
Defending Yourself Against The Wily Wireless Hacker Brian S. Walden NYCWireless Presentation October 27, 2004 http://wifidefense.cuzuco.com/ What You Expect Common Hacker Techniques Direct Break-In Man-In-The-Middle
More information5 Tips to Fortify your Wireless Network
Article ID: 5035 5 Tips to Fortify your Wireless Network Objective Although Wi-Fi networks are convenient for you and your employees, there may be unwanted clients using up the bandwidth you pay for. In
More informationDistributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationChapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM
Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces. 2016 Cisco and/or its affiliates. All
More informationNetwork Infrastructure Filtering at the border. stole slides from Fakrul Alam
Network Infrastructure Filtering at the border maz@iij.ad.jp stole slides from Fakrul Alam fakrul@bdhbu.com Acknowledgement Original slides prepared by Merike Kaeo What we have in network? Router Switch
More informationIPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo
IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines Merike Kaeo merike@doubleshotsecurity.com Current IPv6 Deployments Don t break existing IPv4 network Securing IPv6 Can t secure something
More information