Estimated Reading Time: 10 minutes

Security (20%)

Configure and Verify Device Access Control

Lines and Local User Authentication

• Line Configuration:

  • Console Port: Configure and verify access control for the Console port, such as setting up password protection.
  • VTY Lines: Configure VTY (Virtual Terminal) lines for remote access (e.g., SSH and Telnet), including password settings and access control lists (ACLs).
  • Auxiliary Port: Configure and verify access control for the Auxiliary port, commonly used for modem dial-in access.

• Local User Authentication:

  • Local User Accounts: Create and manage local user accounts, including username and password configuration.
  • Privilege Levels: Set different privilege levels for users to control the set of commands they can execute (e.g., levels 1-15).
  • Local Authentication and Authorization: Use a local database for user authentication and authorization, setting up local usernames and passwords for verification.

Authentication and Authorization Using AAA

• AAA Fundamentals:

  • AAA Definition: Understand the three components of AAA: Authentication, Authorization, and Accounting.
  • AAA Framework: Learn about AAA's role in network security and its workflow.

• AAA Server Configuration:

  • TACACS+ and RADIUS: Configure and compare the functionality and use cases of TACACS+ and RADIUS servers, including their application in authentication, authorization, and accounting.
  • AAA Server Configuration: Learn how to configure Cisco devices to communicate with AAA servers, including setting the TACACS+ and RADIUS server addresses and keys.

• AAA Authentication Configuration:

  • Authentication Method Lists: Create and apply authentication method lists for user authentication through TACACS+, RADIUS, or a local database.
  • Login Authentication: Configure and verify AAA login authentication using the login authentication command.

• AAA Authorization Configuration:

  • Authorization Method Lists: Set up authorization method lists to control the resources and actions users can access.
  • Command Authorization: Use TACACS+ servers or local databases to configure command authorization, ensuring that users can only execute authorized commands.

• AAA Accounting Configuration:

  • Accounting Configuration: Set up AAA accounting features to log user sessions and command executions for security auditing and analysis.

Configure and Verify Infrastructure Security Features

ACLs (Access Control Lists)

• Fundamentals:

  • Role of ACLs: Understand that ACLs are used to control inbound and outbound network traffic, enhance security, and optimize network performance.
  • Standard ACLs: Learn how standard ACLs filter traffic based on source IP addresses.
  • Extended ACLs: Understand how extended ACLs filter traffic based on source and destination IP addresses, protocol types, and port numbers.

• Configuration Steps:

  • Standard ACLs: Learn how to create standard ACLs and apply them to interfaces.
  • Extended ACLs: Learn how to create extended ACLs and apply them to interfaces.
  • Named ACLs: Understand how to use named ACLs for improved readability and easier management.

• Application Scenarios:

  • Inbound and Outbound ACLs: Configure ACLs to control traffic based on the direction (inbound or outbound).
  • VLAN ACLs: Configure VLAN ACLs to control traffic between VLANs on a switch.

• Verification and Troubleshooting:

  • Verify ACLs: Use commands such as show access-lists and show ip interface to verify ACL application and traffic matches.
  • Troubleshooting: Use debug commands and log analysis to troubleshoot ACL configuration issues.

CoPP (Control Plane Policing)

• Fundamentals:

  • Role of CoPP: Understand the purpose of Control Plane Policing (CoPP) in protecting the control plane of routers and switches from DoS attacks and malicious traffic.
  • Classification and Policing: Learn how to classify and prioritize different types of traffic for applying QoS policies.

• Configuration Steps:

  • Class-map Definition: Create class-maps to match specific types of traffic.
  • Policy-map Definition: Create policy-maps to apply to matched traffic, setting rate limits and other policies.
  • Apply Service Policy: Apply the service policy to the control plane interface.

• Verification and Troubleshooting:

  • Verify CoPP: Use commands such as show policy-map control-plane and show policy-map interface control-plane to verify CoPP configuration and traffic matches.
  • Troubleshooting: Use debug commands and log analysis to troubleshoot CoPP configuration issues.

Describe REST API Security

• Fundamentals:

  • REST API: Understand the basics of Representational State Transfer (REST) APIs and how they operate.
  • Security Requirements: Recognize the security requirements when using REST APIs, such as authentication, authorization, data encryption, and abuse prevention.

• Authentication and Authorization:

  • Basic Authentication: Learn about using HTTP basic authentication and its security risks.
  • OAuth: Understand OAuth, a protocol for granting third-party applications access to user resources.
  • API Key: Learn about API key-based authentication, often used for simplified access control to public APIs.

• Encryption and Data Protection:

  • HTTPS: Ensure that REST API requests and responses are encrypted via HTTPS to prevent man-in-the-middle attacks.
  • Token Encryption: Use token technologies like JSON Web Tokens (JWT) to encrypt and protect sensitive data.

• Abuse Prevention and Rate Limiting:

  • Rate Limiting: Prevent DDoS attacks and abuse by limiting the frequency of API requests.
  • IP Whitelisting: Restrict API access to specific IP addresses only.

• Common Attack Prevention:

  • SQL Injection: Use secure database query methods when processing API request parameters.
  • Cross-Site Request Forgery (CSRF): Use CSRF tokens to validate API requests.
  • Cross-Site Scripting (XSS): Properly encode and filter API responses to prevent XSS attacks.

Configure and Verify Wireless Security Features

802.1X

• Fundamentals:

  • 802.1X Standard: Understand the IEEE 802.1X standard, a network access control framework typically used for wired and wireless authentication.
  • Components: Learn the key components of 802.1X: Supplicant, Authenticator, and Authentication Server.

• Configuration Steps:

  • WLC Configuration: Set up the Wireless LAN Controller (WLC) for 802.1X authentication, including configuring SSIDs and choosing authentication methods.
  • RADIUS Server Configuration: Set up the RADIUS server for user authentication.

• Verification Methods:

  • Connection Verification: Use commands and tools to verify the 802.1X authentication status of wireless clients.
  • Log Checking: Analyze WLC and RADIUS server logs to confirm successful or failed authentication processes.

WebAuth (Web Authentication)

• Fundamentals:

  • WebAuth Definition: Understand WebAuth, which redirects users to a web login page for authentication.
  • Use Cases: Often used in guest networks and simple user authentication.

• Configuration Steps:

  • WLC Configuration: Set up WebAuth on the WLC, including creating the WebAuth login page and configuring SSIDs.

• Verification Methods:

  • User Connection Testing: Use a web browser to connect to the wireless network and test the WebAuth authentication process.
  • Authentication Log Analysis: Check WLC logs to confirm successful WebAuth authentication.

PSK (Pre-Shared Key)

• Fundamentals:

  • PSK Definition: Understand pre-shared key (PSK), a simple wireless network authentication method using shared keys.
  • Use Cases: Commonly used in small or home networks.

• Configuration Steps:

  • WLC Configuration: Set up PSK authentication on the WLC, including SSID and PSK configuration.

• Verification Methods:

  • Connection Testing: Use a wireless client to connect to the network and enter the PSK for authentication.
  • Connection Status Check: Use WLC or client tools to check the connection status and encryption method.

EAPOL (4-Way Handshake)

• Fundamentals:

  • EAPOL Definition: Understand the Extensible Authentication Protocol (EAP) and EAP over LAN (EAPOL), particularly the 4-way handshake process.
  • 4-Way Handshake: Learn the steps of the 4-way handshake, including ANonce, SNonce, MIC, and PTK generation and exchange.

• Security:

  • Protection Mechanisms: Understand the role of the 4-way handshake in WPA/WPA2 for ensuring wireless network security.
  • Potential Vulnerabilities: Learn about the KRACK (Key Reinstallation Attack) and its impact on the 4-way handshake.

• Configuration and Verification:

  • WLC Configuration: Ensure the WLC supports WPA/WPA2-Enterprise authentication, using a RADIUS server for EAP authentication.
  • Handshake Verification: Use packet capture tools (e.g., Wireshark) to analyze the 4-way handshake and verify its completion.

Describe the Components of Network Security Design

Threat Defense

• Fundamentals:

  • Threat Definition: Understand different types of network threats, such as malware, DDoS attacks, and insider threats.
  • Threat Defense Mechanisms: Learn about the various defense mechanisms, including firewalls, IPS/IDS systems, and endpoint security solutions.

• Defense Technologies:

  • Firewall: Configure and manage firewalls to control the traffic entering and exiting the network.
  • Intrusion Detection and Prevention Systems (IDS/IPS): Use IDS/IPS to detect and respond to network attacks.
  • Anti-malware: Deploy anti-malware solutions to detect and remove malicious software.
  • Behavioral Analysis: Utilize behavioral analysis tools to detect abnormal activities and potential threats.

Endpoint Security

• Core Concepts:

  • Definition of Endpoint Security: Understand that endpoint security involves protecting endpoint devices (such as computers, mobile phones, servers, etc.) within a network from threats.
  • Components of Endpoint Security: Learn about the key components of endpoint security, including antivirus software, Endpoint Detection and Response (EDR), and device control.

• Endpoint Security Policies:

  • Device Compliance Checks: Ensure that endpoint devices comply with security policies and regulatory requirements.
  • Patch Management: Regularly update and patch the operating system and application vulnerabilities on endpoint devices.
  • Data Encryption: Use data encryption techniques to protect sensitive information on endpoint devices.

Next-Generation Firewall (NGFW)

• Core Concepts:

  • Traditional Firewall vs. Next-Generation Firewall (NGFW): Understand the differences between traditional firewalls and NGFWs, with NGFW offering deeper traffic analysis and enhanced security features.
  • NGFW Features: Learn about the main features of NGFW, such as application identification and control, Intrusion Prevention System (IPS), Advanced Malware Protection (AMP), and content filtering.

• Configuration and Management:

  • Policy Configuration: Configure security policies to control and monitor network traffic.
  • Logging and Reporting: Use the logging and reporting functions of NGFW to monitor network activities and security events.

TrustSec and MACsec

• TrustSec:

  • Core Concepts: Understand that Cisco TrustSec is a solution for network access control and policy enforcement using identity and role-based access.
  • Key Components: Learn about the key components of TrustSec, including Identity Services Engine (ISE), Security Group Tags (SGT), and Security Group Access Control Lists (SGACL).

• MACsec:

  • Core Concepts: Understand that MACsec (Media Access Control Security) is a protocol that provides secure communication at the data link layer (Layer 2).
  • Features: Learn about MACsec's features, including frame encryption, integrity checking, and protection against replay attacks.
  • Configuration and Management: Learn how to configure and manage MACsec on switches and other devices.

Network Access Control with 802.1X, MAB, and WebAuth

• 802.1X:

  • Core Concepts: Understand that IEEE 802.1X is a standard used for wired and wireless network access control.
  • Components: Learn about the main components of 802.1X: the Supplicant, Authenticator, and Authentication Server.
  • Authentication Process: Become familiar with the 802.1X authentication process, including the use of Extensible Authentication Protocol (EAP) and RADIUS protocol.

• MAB (MAC Authentication Bypass):

  • Core Concepts: Understand that MAB is a network access control method based on MAC addresses, used when devices do not support 802.1X.
  • Configuration and Management: Learn how to configure MAB on switches and integrate it with RADIUS servers.

• WebAuth (Web Authentication):

  • Core Concepts: Understand that WebAuth authenticates users by redirecting them to a web login page, commonly used in guest networks.
  • Configuration and Management: Learn how to configure WebAuth on wireless controllers, including creating a WebAuth login page and configuring SSID.

  Reference Materials
  https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html
  https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html