
CCNA Sec 01

• The basics of IT security: CIA (Confidentiality, Integrity, Availability)


• Confidentiality.
• Measures that prevent disclosure of information or data to unauthorized individuals or systems.
• Integrity.
• Protecting the data from unauthorized alteration or revision.
• Often ensured through the use of a hash.
• Availability.
• Making systems and data ready for use when legitimate users need them at any time.
• Guaranteed by network hardening mechanisms and backup systems.
• Attacks against availability all fall into the “denial of service” realm.
• Asset.
• It is anything that is valuable to an organization.
• Vulnerability.
• An exploitable weakness in a system or its design.
• Threat.
• Any potential danger to an asset.
• Countermeasure.
• A safeguard that somehow mitigates a potential risk.
• Risk.
• The potential for unauthorized access to, compromise, destruction, or damage to an asset.
• Classifying Assets.
• One reason to classify an asset is so that you can take specific action, based on policy, with regard to assets in
a given class.

• Classifying Vulnerabilities.
• Policy flaws
• Design errors

CCNA Sec Page 1


• Protocol weaknesses
• Misconfiguration
• Software vulnerabilities
• Human factors
• Malicious software
• Hardware vulnerabilities
• Physical access to network resources
• Classifying Countermeasures.
• Administrative controls.
• Consist of written policies, procedures, guidelines, and standards.
• Physical controls.
• Are exactly what they sound like, physical security for the network servers, equipment, and infrastructure.
• Logical controls (technical controls).
• Logical controls include passwords, firewalls, IPS, access lists, VPN tunnels, and so on.
• Potential Attackers.
• Terrorists
• Criminals
• Government agencies
• Nation states
• Hackers
• Disgruntled employees
• Competitors
• Attack Methods.
• Reconnaissance.
• This is the discovery process used to find information about the network.
• Social engineering.
• Leverages our weakest (very likely) vulnerability in a secure system (data, applications, devices, networks):
the user.
• Could be done through e-mail or misdirection of web pages, which results in the user clicking something that
leads to the attacker gaining information.
• Phishing.
• Presents a link that looks like a valid trusted resource to a user.
• Pharming.
• Redirects a user’s request for a valid URL to a malicious site that can be made to look like the valid one.
• Privilege escalation.
• The process of taking some level of access and achieving an even greater level of access.
• Backdoor.
• An application that can be installed to give an attacker continued access.
• Code execution.
• When attackers can gain access to a device, they might be able to take several actions.
• Man-in-the-Middle Attacks.
• Results when attackers place themselves in line between two devices that are communicating.
• To mitigate this risk, you could use techniques such as DAI (Dynamic ARP Inspection).
• Additional Attack Methods.
• Covert channel.
• Uses programs or communications in unintended ways.
• For ex. if web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to-peer traffic inside of HTTP traffic.
• Another ex. is a backdoor application that collects keystroke information from the workstation and then sends it out inside ICMP or HTTP packets.
• Trust exploitation.
• Ex. an attacker who gains access to a DMZ host can use that position to launch further attacks against the inside network.
• Brute-force (password-guessing) attacks.
• Performed when an attacker’s system attempts thousands of possible passwords looking for the right match.
• Mitigated by limiting how many unsuccessful authentication attempts can occur within a specified time.
• DoS (Denial of Service).
• An attack launched from a single device with the intent to cause damage to an asset.
• DDoS (Distributed Denial-of-Service).
• An attack launched from multiple devices, such as the members of a botnet.
• Botnet.
• A collection of infected computers that are ready to take instructions from the attacker.
• RDoS (Reflected DDoS).
• When the source of the initial (query) packets is actually spoofed by the attacker.
• The response packets are then “reflected” back from the unknowing participant to the victim of the attack.
• Guidelines for Secure Network Architecture.
• Rule of least privilege.
• Only the minimum access needed for the required network resources should be provided.
• Defense in depth.
• You should have security implemented at nearly every point of your network.
• Ex. filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches
your servers, and using host-based security precautions at the servers, as well.
• Separation of duties.
• Rotating individuals into different roles periodically will also assist in verifying that vulnerabilities are being
addressed, because a person who moves into a new role will be required to review the policies in place.
• Auditing.
• Accounting and keeping records about what is occurring on the network.
• Common forms of social engineering.
• Phishing.
• Elicits secure information through an e-mail message that appears to come from a legitimate source such as a
service provider or financial institution.
• The e-mail message may ask the user to reply with the sensitive data, or to access a website to update
information such as a bank account number.
• Malvertising.
• This is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being
inadvertently redirected to sites hosting malware.
• Phone scams.
• An example is a miscreant posing as a recruiter asking for names, e-mail addresses, and so on for members of
the organization and then using that information to start building a database to leverage for a future attack.
• Defenses Against Social Engineering.
• Password management.
• The number and type of characters that each password must include, how often a password must be changed.
• Two-factor authentication.
• Use two-factor authentication rather than fixed passwords.
• Antivirus/antiphishing defenses.

• Document handling and destruction.
• Sensitive documents and media must be securely disposed of and not simply thrown out with the regular
office trash.
• Physical security.
• Malware Identification Tools.
• Packet captures.
• Snort IDS
- An open source IDS/IPS developed by the founder of Sourcefire.
• NetFlow
• IPS events
• Advanced Malware Protection (AMP).
• Designed for Cisco FirePOWER network security appliances.
• Provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent
advanced malware threats.
• NGIPS (Next-Generation Intrusion Prevention System).
• The Cisco FirePOWER NGIPS solution provides multiple layers of advanced threat protection at high
inspection throughput rates.
Implementing AAA in Cisco IOS
• Administrative access methods.
• Password only.
• Local database.
• AAA Local Authentication (self-contained AAA).
• AAA Server-based.
• AAA provides:
• Authentication.
• Who is permitted to access a network.
• Authorization.
• What they can do while they are there.
• Accounting.
• Records in detail what they did.
• Methods of implementing AAA services.
• Local AAA Authentication.
- Uses a local database stored in the router for authentication.
• Server-Based AAA Authentication.
- Uses an external database server that leverages RADIUS or TACACS+ protocols.
- Preferred in large environments.
• Server-Based Authentication
• The user establishes a connection with the router.
• The router prompts the user for a username and password.
• The router passes the username and password to the Cisco Secure ACS.
• The ACS authenticates and authorizes the user based on its database.
• ACS (Access Control Server).
• Can create a central user and administrative access DB that all network devices can access.
• Can work with many external databases, such as Active Directory.
• Supports both TACACS+ and RADIUS protocols.
• Both protocols can be used to communicate between AAA client (Router) and AAA servers (ACS).
• Provides user and device group profiles.




• Restrictions to network access based on a specific time.
• Can be software installed on a Windows server, or a physical appliance purchased from Cisco.
• RADIUS (Remote Authentication Dial-In User Service).
• Open standard, RFCs 2865, 2866, 2867, and 2868.
• Combines authentication & authorization, but separates accounting.
• Supports detailed accounting required for billing users, so preferred by ISPs.
• Encrypts only the password.
• Does not encrypt user name, or any other data in the message.
• Uses UDP port 1812 (formerly 1645) for authentication & authorization.
• Uses UDP port 1813 (formerly 1646) for accounting.
• Supports remote-access technologies, 802.1X, and SIP.

• TACACS+ (Terminal Access Controller Access-Control System Plus).


• Cisco proprietary.
• Separates authentication and authorization.
• Provides only limited accounting detail.
• Encrypts the entire packet body, not only the password.
• Utilizes TCP port 49.
• Multiprotocol support, such as IP and AppleTalk.
• Incompatible with any previous version of TACACS.

• AAA clients must run Cisco IOS Release 11.2 or later.
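As an added example (mine, not from these notes or from Cisco), the following Python reproduces the two on-the-wire protection schemes the notes compare: the RFC 2865 User-Password hiding used by RADIUS, which covers only that one attribute, and the RFC 8907 pseudo-pad that TACACS+ XORs over the whole packet body. The shared key, session id, Request Authenticator and credentials are constructed sample values, and the TACACS+ body is a simplified stand-in for the real START packet layout.

```python
import hashlib
import os
import struct

# Constructed sample key; real deployments use a long random secret per client.
SHARED_SECRET = b"example-shared-key"


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide the User-Password attribute (and nothing else).

    The password is zero-padded to a multiple of 16 bytes; each chunk is XORed with
    MD5(secret + previous ciphertext chunk), seeded with the Request Authenticator.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out, prev = out + chunk, chunk
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side inverse of radius_hide_password; trailing zero padding is removed."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key_block))
        prev = chunk
    return out.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          identifier: int = 0, request_authenticator: bytes = b"") -> bytes:
    """Build a minimal Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    ra = request_authenticator or os.urandom(16)
    hidden = radius_hide_password(password, secret, ra)
    attrs = bytes([1, 2 + len(username)]) + username        # User-Name travels in clear text
    attrs += bytes([2, 2 + len(hidden)]) + hidden           # only User-Password is hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + ra + attrs


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version]) + bytes([seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire packet body with the pseudo-pad. Symmetric: apply again to recover the body."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def compare_exposure(username: bytes, password: bytes) -> dict:
    """Report which credential fields are readable on the wire for each protocol."""
    ra = bytes(range(16))                  # fixed constructed authenticator for a reproducible result
    radius_pkt = radius_access_request(username, password, SHARED_SECRET, 7, ra)
    # Constructed simplified body; the real START packet has more fields, but the pad covers all of them.
    tacacs_pkt = tacacs_obfuscate(username + b"\x00" + password, 0x12345678, SHARED_SECRET)
    return {
        "radius_username_in_clear": username in radius_pkt,
        "radius_password_in_clear": password in radius_pkt,
        "tacacs_username_in_clear": username in tacacs_pkt,
        "tacacs_password_in_clear": password in tacacs_pkt,
    }
```

compare_exposure shows the difference the notes describe: the RADIUS User-Name can be read straight off a capture while the password cannot, and nothing in the TACACS+ body is readable. Neither scheme provides integrity protection by itself, which is why a strong per-device shared key and a protected management path still matter.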


• ISE (Identity Services Engine).
• An identity and access control policy platform.
• Can validate that a computer meets the requirements of a company’s policy related to virus definition files,
service pack levels, and so on before allowing the device on the network.
• Leverages many AAA-like (authentication, authorization, and accounting) features, but is not a 100 percent
replacement for ACS.
• ACS should be used mainly for AAA, and ISE for posture and policy-compliance checking of hosts.
• Login method types:

• Enable.
• Uses the enable password for authentication.
• Line.
• Uses the line password for authentication.
• Local.
• Uses the local username database for authentication.
• Local-case.
• Uses case-sensitive local username authentication.
• Group radius.
• Uses the list of all RADIUS servers for authentication.
• Group tacacs+.
• Uses the list of all TACACS+ servers for authentication.
• Group group-name.
• Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius
or aaa group server tacacs+ command.
• None.
• To ensure that the authentication succeeds even if all methods return an error.
• AAA lists.
• When AAA is enabled, the default list is automatically applied to all interfaces and lines but with no methods
defined unless a predefined list is assigned.
• If the default method list is not set and there is no other list, only the local user database is checked.
• Authorization.
• What a user can and cannot do on the network after that user is authenticated.
• Implemented using a AAA server-based solution.
• When a user has been authenticated, a session is established with the AAA server.
• The router requests authorization for the requested service from the AAA server.
• The AAA server returns a PASS/FAIL for authorization.
• TACACS+ establishes a new TCP session for every authorization request.
• When AAA authorization is not enabled, all users are allowed full access.
• To enable AAA.
• R(config)# aaa new-model
• To Configure Authentication to Use the AAA Server.
• R(config)# aaa authentication login {list-name | default} method1 [method2 method3 method4] (maximum 4 methods)
• R(config)# aaa authentication login default group radius group tacacs+ local
• R(config)# aaa authentication enable list-name|default group tacacs+ enable
• Methods are used in order, if no response from one, the next is used.
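An added example (mine, not from the notes or from Cisco IOS) that models how a login method list is evaluated. The detail behind "if no response from one, the next is used" is that only an error (no server answer) moves evaluation to the next method; an explicit reject from a reachable server is final, so a trailing local entry is a backup for an unreachable server, not a second chance for a wrong password. Method names follow IOS; the users, secrets and server behaviour are constructed.

```python
from typing import Callable, Dict, List

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample credentials for the model; not from the page or any real device.
LOCAL_USERS = {"admin": "Str0ngPass!"}      # keys kept lower-case: 'local' ignores username case
ENABLE_SECRET = "EnableS3cret"


class ServerGroup:
    """A 'group radius' / 'group tacacs+' method: an external server list that may be unreachable."""

    def __init__(self, users: Dict[str, str], reachable: bool = True):
        self.users = users
        self.reachable = reachable

    def authenticate(self, user: str, pw: str) -> str:
        if not self.reachable:
            return ERROR          # no response at all: IOS moves on to the next method
        return PASS if self.users.get(user) == pw else FAIL   # an explicit reject ends the list


def method_local(user, pw, groups):
    return PASS if LOCAL_USERS.get(user.lower()) == pw else FAIL

def method_local_case(user, pw, groups):
    return PASS if LOCAL_USERS.get(user) == pw else FAIL

def method_enable(user, pw, groups):
    return PASS if pw == ENABLE_SECRET else FAIL

def method_none(user, pw, groups):
    return PASS                   # 'none' never fails: it is a fail-open method

def method_group(name):
    def run(user, pw, groups):
        group = groups.get(name)
        return group.authenticate(user, pw) if group is not None else ERROR
    return run

SIMPLE_METHODS = {"local": method_local, "local-case": method_local_case,
                  "enable": method_enable, "none": method_none}


def parse_method_list(spec: str) -> List[Callable]:
    """Parse the method part of 'aaa authentication login {default|name} ...', e.g. 'group tacacs+ local'."""
    tokens = spec.split()
    methods: List[Callable] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append(method_group(tokens[i + 1]))
            i += 2
        else:
            methods.append(SIMPLE_METHODS[tokens[i]])
            i += 1
    if not 1 <= len(methods) <= 4:
        raise ValueError("IOS accepts between 1 and 4 methods in a list")
    return methods


def login(spec: str, user: str, pw: str, groups: Dict[str, ServerGroup]) -> str:
    """Evaluate a method list in order: only ERROR falls through, PASS and FAIL are final."""
    for method in parse_method_list(spec):
        result = method(user, pw, groups)
        if result != ERROR:
            return result
    return ERROR                  # every method errored and no 'none' at the end: login denied
```

Placing none last turns an unreachable server into an open door, which is why the notes describe it only as a way to make sure authentication succeeds when every method errors; a console-only list is the usual place for it.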
• To specify the number of unsuccessful login attempts allowed before the user is locked out.
• R(config)# aaa local authentication attempts max-fail n
• The account (unless it has privilege level 15) stays locked until an administrator clears it.
• To display a list of all locked-out users.
• R# show aaa local user lockout
• To unlock a specific user or to unlock all locked users.
• R# clear aaa local user lockout all | username name
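An added example, mine rather than IOS code, that models the lockout behaviour described here together with the time-window limit mentioned earlier under brute-force attacks: after max_fail failures an account is locked until an administrator clears it, privilege-15 accounts are exempt, and an optional window lets old failures expire so that only a burst of attempts triggers the lock. Users, passwords and timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PASS, FAIL, LOCKED = "PASS", "FAIL", "LOCKED"


@dataclass
class LocalUser:
    password: str
    privilege: int = 1


@dataclass
class LocalAuthDB:
    """Model of 'aaa local authentication attempts max-fail N' (constructed, not IOS internals)."""
    max_fail: int
    users: Dict[str, LocalUser]
    window_seconds: Optional[float] = None          # None: failures never expire (IOS max-fail behaviour)
    failures: Dict[str, List[float]] = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def _recent_failures(self, username: str, now: float) -> List[float]:
        stamps = self.failures.get(username, [])
        if self.window_seconds is not None:
            stamps = [t for t in stamps if now - t <= self.window_seconds]
        self.failures[username] = stamps
        return stamps

    def authenticate(self, username: str, password: str, now: float = 0.0) -> str:
        user = self.users.get(username)
        if user is None:
            return FAIL                              # unknown names are not tracked in this model
        if username in self.locked:
            return LOCKED                            # even the right password is refused while locked
        if user.password == password:
            self.failures.pop(username, None)        # a successful login resets the counter
            return PASS
        if user.privilege == 15:
            return FAIL                              # privilege-15 accounts are never locked out
        stamps = self._recent_failures(username, now)
        stamps.append(now)
        if len(stamps) >= self.max_fail:
            self.locked.add(username)
            return LOCKED
        return FAIL

    def show_lockout(self) -> List[str]:
        """Equivalent of 'show aaa local user lockout'."""
        return sorted(self.locked)

    def clear_lockout(self, username: Optional[str] = None) -> None:
        """Equivalent of 'clear aaa local user lockout {all | username name}'."""
        if username is None:
            self.locked.clear()
            self.failures.clear()
        else:
            self.locked.discard(username)
            self.failures.pop(username, None)
```

The permanent lock is what the IOS command in the notes gives you; the windowed variant corresponds to the IOS login block-for feature, which quiets a burst of failed attempts without requiring an administrator to unlock each account.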
• To display the attributes that are collected for a AAA session.
• R# show aaa user all | unique-id
• To show the unique ID of a session.
• R# show aaa sessions

• For vty lines.
• R(config)# line vty 0 4
• R(config-line)# login authentication name|default
• R(config-line)# authorization exec name|default
• To debug aaa authentication.
• R# debug aaa authentication|authorization
• Look specifically for GETUSER and GETPASS status messages.
• To configure AAA with CCP.
• CCP > Configure > Router > AAA > …
• To create a local user account.
• CCP > Router > Router Access > User Accounts/View > Add
• To configure the AAA client (router) with the TACACS+ server.
• R(config)# tacacs-server host ip key the-key
• To configure the AAA client (router) with the RADIUS server.
• R(config)# radius-server host ip key the-key
• AAA Authorization (Router)
• To take the privilege level granted to the user from the local user database.
• R(config)# aaa authorization exec default local
• To take the privilege level granted to the user from the TACACS+ server.
• R(config)# aaa authorization exec default group tacacs+
• To enable command authorization on the console.
• R(config)# aaa authorization console
• To assign level 15 automatically to any user just authenticated.
• R(config)# aaa authorization exec default if-authenticated
• To authorize each command entered in configuration mode and its submodes.
• R(config)# aaa authorization config-commands
• To authorize the commands of privilege level x (1-15) through TACACS+, allowing any authenticated user if the server does not respond.
• R(config)# aaa authorization commands x default group tacacs+ if-authenticated
• To turn command authorization for configuration mode back off.
• R(config)# no aaa authorization config-commands
• AAA debugging
• To debug aaa.
• R# debug aaa authentication
• To debug RADIUS or TACACS+.
• R# debug radius|tacacs events
• AAA Accounting
• Each session established through the ACS can be fully accounted for and stored on the server.
• To configure AAA accounting.
• R(config)# aaa accounting exec default|list-name start-stop|stop-only method1 method2 ...
• ACS server configurations.
• Network device groups.
• Groups of network devices, normally based on routers or switches with similar functions/devices managed by
the same administrators.
• Network devices (ACS clients/routers/switches).
• The individual network devices that go into the device groups.
• Identity groups (user/admin groups).
• Groups of administrators, normally based on users who will need similar rights and access to specific groups
of network devices.

• User accounts.
• Individual administrator/user accounts that are placed in identity groups.
• Authorization profiles.
• These profiles control what rights are permitted.
• The profile is associated with a network device group and a user/administrator identity group.
• To manage ACS server.
• https://ip
• Default username: acsadmin, password: default
• For a trial license.
• Go to https://www.cisco.com/go/license, log in with a Cisco account, choose get other licenses, demo and …, and search for access control.
• To create a device group.
• ACS > Network Resources > Network Device Groups > Device Type > Create
• To add a device to the group.
• Network Resources > Network Devices and AAA Clients > Create
• Click the Select button to the right of the device type and select the device group
• Select tacacs+ and type the password
• Under IP address select Range and type the range (ex. 10.0.0.100-200), then click Add.
• To create a user group.
• Users and Identity Stores > Identity Groups > Create
• To create individual user.
• Users and Identity Stores > Internal Identity Stores > Users and click > Create
• To create a shell profile.
• Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Create
• On the Custom tasks tab, set Default Privilege to static and type a privilege level.
• To configure authorization policies (to assign permissions to an identity group for access to a device group).
• Access Policies > Access Services > Default Device Admin > Authorization > Create
• Then select a shell profile or create one (a shell profile has a name and defines a privilege level).
• Verifying and Troubleshooting Router-to-ACS Server Interactions.
• Ping the ACS server from the router.
• R# test aaa group tacacs+ username password legacy
• Using debug Commands to Verify Functionality
• To look at the reports on the ACS server.
• Monitoring & Reports > Reports > Catalog > AAA Protocol
Bring Your Own Device (BYOD)
• Allowing users to bring their own network-connected devices while also maintaining an appropriate security posture.
• The organization’s security policy must be leveraged to govern the level of access for BYOD devices.



• BYOD Solution Components.


• BYOD devices.
• The corporate-owned and personally owned endpoints that require access to the corporate network regardless
of their physical location.
• Wireless access points (AP).
• Provide wireless network connectivity to the corporate network for both local & BYOD devices.
• Wireless LAN (WLAN) controllers.
• Serve as a centralized point for the configuration, management, and monitoring of the Cisco WLAN solution.
• Used to implement and enforce the security requirements for the BYOD solution.
• Works with the ISE to enforce both authentication and authorization policies on each BYOD endpoint.
• Identity Services Engine (ISE).
• The cornerstone of the AAA requirements for endpoint access, which are governed by the security policies
put forth by the organization.
• Cisco AnyConnect Secure Mobility Client.
• Provides connectivity for end users who need access to the corporate network.
• Inside network users leverage 802.1X for secure access to the corporate network.
• Outside users use the AnyConnect client for secure VPN connectivity, including posture checking.
• Integrated Services Routers (ISR).
• Will be used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and
Internet access for home office environments.
• Can provide VPN connectivity for mobile devices that are part of the BYOD solution.
• Adaptive Security Appliance (ASA).
• Provides all the standard security functions for the BYOD solution at the Internet edge.
• Can provide IPS and VPN for end devices.
• Cloud Web Security (CWS).
• Provides enhanced security for all the BYOD solution endpoints while they access Internet.
• RSA SecurID.
• The RSA SecurID server provides one-time password (OTP) generation and logging for users that access
network devices and other applications which require OTP authentication.

• Active Directory.
• Restricts access to those users with valid authentication credentials.
• Certificate authority.
• The CA server ensures that only devices with corporate certificates can access the corporate network.
• Mobile Device Management (MDM).
• Deploy, manage, and monitor the mobile devices that make up the Cisco BYOD solution.
• Specific functions provided by MDM include:
- Enforcement of a PIN lock (locking a device after a set threshold of failed login attempts has been reached).
- Enforcement of strong passwords for all BYOD devices.
- Detection of attempts to “jailbreak” or “root” BYOD devices, specifically smartphones, and then attempting
to use these compromised devices on the corporate network.
- Enforcement of data encryption requirements based on an organization’s security policies.
- Ability to remotely wipe a stolen or lost BYOD device so that all data is completely removed.
• MDM Deployment Options.
• On-Premise MDM Deployment.
• MDM application software is installed and maintained on servers within the corporate data center.
• Consists of the following topology and network components:
• Data center.
• The data center consists of the servers and ISE to enforce posture assessment and access control.
• Internet edge.
• Includes an ASA firewall, WLC and the MDM which provides all the policies and profiles, digital
certificates, applications, data, and configuration settings for all the BYOD devices.
• Services.
• Contains the WLC for all APs to which the corporate users connect, as well as any other network-based services the corporation requires.
• Core.
• Serves as the main distribution and routing point for all network traffic traversing the corporate network
environment.
• Campus building.
• A distribution switch provides the main ingress/egress point for all network traffic entering and exiting from
the campus environment.

• Cloud-Based MDM Deployment.


• MDM application software is hosted, managed and maintained by a service provider who is solely responsible for the BYOD solution.
• Consists of the following topology and network components:
• Data Center.
• The data center consists of the servers and ISE to enforce posture assessment and access control.
• Internet edge.
• Includes an ASA firewall, WLC and the MDM which provides all the policies and profiles, digital
certificates, applications, data, and configuration settings for all the BYOD devices.
• WAN.
• Provides MPLS VPN connectivity for the branch office back to corporate network.
• Internet access for the branch office.
• Access to the cloud-based MDM functionality.
• The cloud-based MDM provides all the policies and profiles, digital certificates, applications, data, and
configuration settings for all of the BYOD devices.
• WAN edge.
• Serve as the ingress/egress point for the MPLS WAN traffic entering from and exiting to the branch office
environment.
• Services.
• Contains the WLC for all APs to which the corporate users connect, as well as any other network-based services the corporation requires.
• Core.
• Serves as the main distribution and routing point for all network traffic traversing the corporate network environment.
• Branch office.
• All users requiring network connectivity within the branch office do so through either hardwired connections
to the access switches or via WLAN access to the corporate APs.
