COMP 715 Auckland Institute of Studies Networking Questions

COMP715 Network Security Curriculum Outline
Chapter 1: Modern Network Security Threats
1. Threat targets
– connected devices in campus, SOHO, WAN networks, data centers, etc.
2. Threat actors
hackers, malware,
common network attacks – reconnaissance, access, DoS/DDoS, social engineering
Common malware — worms, trojans, and viruses
— similarities, differences between them
— worm attack phases, mitigation
3. Mitigating threats
Personnel, organisations, and tools for CIA, nRAF
Network security domains
security devices, technologies, tools
mitigating common threats from malware, attackers
Chapter 2: Securing Network Devices
1. Securing access to devices (Authentication and authorisation)
– Console, VTY(In-band, out-of-band), AUX
– access control using
global (shared) password (authorisation only)
username / password — stored in local database or server (authentication)
– password storage protection: “encryption” algorithms, use of “salt”
– Securing VTY access – SSH
– two way authentication:
– Server —> user: public key
– User —> server: username/password
– handling access attacks: delay, block, quiet period
– enhancing SSH — timeout, logging, max-tries
– Telnet access security issues
2. Controlling administrative access to resources (authorisation)
– Use privilege levels (2 – 14)
– move commands into the privilege levels
– access using: global passwords, username/password/privilege level
– Role based (views) — requires aaa new-model
– create views
– assign passwords
– install commands into views
– Superviews to contain other views
3. IOS resilience, secure Configuration files, password recovery (recovery from lost password)
4. Monitoring
– NTP
– syslog
– snmp
Chapter 3: AAA
1. Local and server based AAA
– requires aaa new-model
– TACACS+, RADIUS authentication servers
– requires list of methods — up to 4 methods to cater for failover
– authentication keys for server-device authentication
2. 802.1x port based authentication for network access
– three parties: Supplicant, Authenticator, Authentication Server (RADIUS)
– Authentication messages: EAP between Supplicant and Authenticator
– RADIUS protocol between Authenticator and Authentication Server
– Port states: unauthorised, authorised
Chapter 4: Implementing Firewalls
1. Firewall types: Packet-filtering, stateful, Application gateway (Proxy), NAT
– operations, comparisons, examples,
2. Packet filtering firewalls — using ACL, stateless
– Types:
standard ACL – filters on source address only
extended ACL – filters on src/dst addresses, ports, flags
– Construction methods: numbered or named
– Structure/components of ACL statements:
– Taking care of returning traffic — established keyword, reflexive ACL
– Application of ACLs at router interface, inbound or outbound directions
– Placements of standard and extended ACLs in the network
3. Classic (CBAC) firewalls – stateful firewall
– inspection rule,
– create temporary ACL entries in other extended ACL for returning packets in the session
4. Zone-based Policy Firewall
– behaviour: between zones, self-zones, unzoned
– Construction:
– Create zones, and member interfaces
– Create class map to specify what traffic
– Create policy map to specify what action on the traffic
– Specify the zone-pairs
5. Firewalls in network design
– screening firewall
– main firewall
– DMZ
– NAT firewall
Chapter 5: Implementing IPS
1. Zero-day attacks
2. IPS and IDS operations — comparisons
3. Network based IPS
– inline mode
– Promiscuous mode – hub, switched network
SPAN configuration in Cisco switches
4. IPS Signatures
– triggers
– actions
Chapter 6: Securing LAN
1. Switch operations
– separate broadcast domain
– separate subnets for isolation between different types of users – VLANs
– spanning tree to protect against loops
2. Attacks on switches and countermeasures
a. MAC address attacks
– CAM table attack
– ARP spoofing
– spoofed gratuitous ARP
– unauthorised devices (MAC addresses)
Countermeasures
– static, sticky MAC addresses
– port security, and actions
– Protect, Restrict, Shutdown
b. IP address and VLANs attacks
– DTP manipulation – VLAN hopping
– Native VLAN exploit – double tagging
– DHCP spoofing attack
Countermeasures
– disable auto trunking
– disable trunking for host ports
– Native VLAN for trunks
– DHCP snooping
– trusted/untrusted ports
– IP source guard (IPSG)
c. STP Attacks
– Spoofing root bridge
– PortFast — benefits and vulnerabilities, BPDU guard
– Root guard
Chapter 7: Cryptography
1. Crypto algorithms for
– protecting confidentiality
– DES, 3DES, AES
– block, stream cipher
– integrity – hash functions:
– MD5, SHA-1, SHA-2
– authenticating users/devices – using PSK, Public key
– authenticating messages: HMAC for authentication and integrity
2. Symmetric key and asymmetric key crypto comparisons
– speed
– resources
– key lengths
– applications
4. PKI algorithms
– DH — for key exchange
– RSA — encryption key exchange, digital signatures
5. Digital signature using RSA:
– how to generate, verify
– dependence on trusted public key
– non-repudiation feature
6. PKI certificates
– purpose – authenticate and distribute public keys
– use of public keys for key exchange
– Obtaining certificates
– certificate authorities
Chapter 8 VPN
1. Topological types:
– Site to site
– Remote access VPN
– Full-tunnel (hairpinning) vs Split-tunnel VPN
2. VPN in the OSI layers 3 and 4
– Network layer — IPsec VPN
– Transport layer — TLS/SSL VPN
3. IPsec VPN — packet formats
– Types of IPsec VPN protocols
– AH: authentication only
– ESP: CIA features
– Modes
– transport
– tunnel
4. IPsec VPN operations
– Setup — IKE protocol
– Phase 1 ISAKMP
– negotiate parameters/methods for
– encryption, DH group (key exchange), hash, authentication, lifetime
– exchange session key
– authenticate each other
– IKE phase 1 modes
– main mode
– aggressive mode
– Phase 2 IPsec SA negotiation
– VPN mode — tunnel or transport,
– transform set for AH or ESP, encryption, message integrity and authentication
– IPsec tunnel operates
– IPsec termination
5. Site-to-site IPsec VPN configuration steps
1. Configure IKE
– ISAKMP policy
– isakmp pre-shared key with peer
2. Configure IPsec transform set
3. Configure ACL to catch interesting traffic
4. Put above together into a crypto map and assign it to the router outside interface
*Chapter 9 ASA
1. ASA – provides zone-based firewall, and VPN services
– allows for hardware virtualisation.
– factory default configurations:
– Ethernet 0/0 – access port on VLAN2, connect to Internet
– Ethernet 0/1-7 – access ports on VLAN1, connect to inside network
– Firewall, NAT, dhcp server for inside network enabled
2. Interfaces
a) All physical interfaces are switchports, can be configured as access, trunk (need license)
b) Logical VLAN interfaces can be configured, attached virtually to router, needs:
– an IP address (static or dhcp)
– a name, e.g. inside, outside
– a security level, e.g. 100, 0
3. Remote access: ssh, web server – must specify connection allowed from: IP, name of interface
4. Object groups: Network, icmp-type, protocol, service, users
– can contain other objects
5. ACLs – extended, standard (specifies the DESTINATION-ADDRESS only)
6. NAT services
– Inside NAT, Outside NAT
– Types: Dynamic, Static, PAT
7. Modular policy framework (MPF)
Chapter 10. ASA
1. *SDM
2. IPsec vs SSL VPN
3. Remote Access VPNs– Clientless SSL VPN
– using any browser
– limited services
4. Remote Access VPN — Client based
– Client-based SSL VPN
– using Cisco AnyConnect VPN client
– full tunnel SSL VPN
– secure access to corporate network
– Client-based IPsec VPN
– Using Cisco, Android, Windows, Linux clients
– full or split-tunnel
Chapter 11 Managing a secure network
1. Network Security testing
– Types of tests
– penetration test
– network scanning
– vulnerability scanning
– password cracking
– log review
– integrity checker
– virus detection
– Tools:
– nmap/zenmap
– superscan
– SIEM
– Tripwire
– GFI LAN guard
– L0phtCrack
– Nessus
– Metasploit
3. *Security policy
– audience
– hierarchy
– governing
– technical
– end user
– Documents
– standards
– guidelines
– procedures
4. *Roles and responsibilities
– reporting structure
– Awareness and training
– Responding to security breaches
