
Learn About Implementing Cisco IOS Network Security

By Certification Magazine


Single answer, multiple-choice

Where do IKE Phase II negotiations occur?

A.    At the session layer of the OSI model.
B.    Within the ISAKMP SA.
C.    During the Diffie-Hellman exchanges.
D.    Within the ESP tunnel.

Answer:
B

Tutorial:
IKE Phase II negotiations take place within the Internet Key Exchange (IKE) Phase I security association (SA), also called the Internet Security Association and Key Management Protocol (ISAKMP) SA.

IKE operates at Layer 7 (the Application layer) of the Open Systems Interconnection (OSI) model, not at the Session layer.

The Diffie-Hellman exchange takes place during IKE Phase I to derive the keys that will be used for symmetric encryption.

Encapsulating Security Payload (ESP) tunnels, also called IP Security (IPSec) SAs, are built once IKE Phase I and IKE Phase II are successful. ESP tunnels carry the encrypted payload exchanges between two IPSec peers.

References:
Site-to-Site VPNs
Cisco Press Authorized Self-Study Guide: Implementing Cisco IOS Network Security (IINS)
Chapter 5

Virtual Private Networks With IPsec
Exam Cram: CCNA Security
Chapter 7

IPSec Overview Part Four: Internet Key Exchange (IKE)
Ciscopress.com
http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7


Objective: Mitigate common Layer 2 attacks.
Sub-objective: Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features.

Multiple answers, multiple-choice

Which of the following are ways to prevent a basic VLAN hopping attack? (Choose three.)

A.    Turn off trunking on all ports except the ones that specifically require trunking.
B.    Turn on BPDU Guard.
C.    On ports requiring trunking, disable DTP negotiations.
D.    Enable trunking manually.
E.    Add port security to limit the number of secure MAC addresses.
F.    Turn on PortFast.

Answer:
A, C, D

Tutorial:
In a basic VLAN hopping attack, the attacker takes advantage of the default automatic trunking configuration on most switches. The hacker configures a computer to emulate either ISL or 802.1Q signaling along with Dynamic Trunking Protocol (DTP) signaling, thus impersonating a switch. By tricking a switch into thinking that the computer is a switch and needs to trunk, the hacker can gain access to the traffic of VLANs allowed on the trunk port.

To succeed, this attack requires a port configuration that supports trunk negotiation, such as the default auto mode. Once the trunk forms, the attacker is a member of all of the VLANs that are trunked on the switch and can send and receive traffic on all of those VLANs.

The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking.

Bridge Protocol Data Units (BPDUs) are not involved in trunking. BPDU Guard shuts down a port upon receiving a BPDU frame. BPDU Guard is used to protect the switched network from the receipt of BPDUs on ports that should not be receiving them. BPDU Guard is best deployed on user-facing ports to prevent rogue switch network extensions by an attacker.

Adding port security to limit the number of Media Access Control (MAC) addresses that can be learned by the switch will not prevent VLAN hopping.

PortFast will not help mitigate a VLAN hopping attack. PortFast moves a port directly from the blocking state to the forwarding state in spanning tree, instead of having the port transition through the normal states of blocking, listening, learning and forwarding. PortFast is configured only on access ports.
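As an added example (not from the article or the referenced Cisco guides), the following Python audit applies the three mitigations above to a constructed running-config excerpt: it flags physical ports left in the default DTP dynamic mode and trunk ports that still negotiate. The interface names and IOS command syntax (`switchport mode`, `switchport nonegotiate`) are assumed from standard Catalyst configurations.

```python
"""Audit a Cisco IOS running-config for ports that can still be tricked into trunking.

Assumed IOS behaviour: a switchport with no 'switchport mode' line is in the
default dynamic (auto) mode, and 'switchport nonegotiate' disables DTP frames.
"""
import re

# Constructed sample: Gi0/1 is an untouched default port, Gi0/2 a hardened
# access port, Gi0/3 a trunk that still runs DTP, Gi0/4 a hardened trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description user port, default settings
interface GigabitEthernet0/2
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def audit_dtp(config):
    """Map each risky physical port to the reason it could negotiate a trunk."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not re.match(r"(Fast|Gigabit|TenGigabit)Ethernet", name):
            continue  # SVIs and other virtual interfaces do not run DTP
        mode = next((ln.split()[2] for ln in lines
                     if ln.startswith("switchport mode ")), "dynamic")
        if mode == "dynamic":
            findings[name] = "DTP auto/desirable: a host can negotiate a trunk"
        elif mode == "trunk" and "switchport nonegotiate" not in lines:
            findings[name] = "trunk still sends DTP: add 'switchport nonegotiate'"
    return findings
```

Running `audit_dtp(SAMPLE_CONFIG)` reports GigabitEthernet0/1 and GigabitEthernet0/3 and leaves the hardened ports and the VLAN interface alone.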

References:
Mitigating VLAN attacks
Cisco Press Authorized Self-Study Guide: Implementing Cisco IOS Network Security (IINS)
Chapter 7

VLAN Security White Paper
Cisco.com
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
