{"id":510,"date":"2024-10-11T03:34:34","date_gmt":"2024-10-11T03:34:34","guid":{"rendered":"https:\/\/blog.devops955.com\/swain\/?p=510"},"modified":"2024-10-11T03:34:34","modified_gmt":"2024-10-11T03:34:34","slug":"ccnp-encor-350-401-part-5","status":"publish","type":"post","link":"https:\/\/blog.devops955.com\/swain\/2024\/10\/11\/ccnp-encor-350-401-part-5\/","title":{"rendered":"CCNP ENCOR 350-401 \u2013 Part 5"},"content":{"rendered":"<blockquote>\n<p>Estimated Reading Time: 10 minutes<\/p>\n<\/blockquote>\n<h1><strong>Security (20%)<\/strong><\/h1>\n<h2>Configure and Verify Device Access Control<\/h2>\n<h3>Lines and Local User Authentication<\/h3>\n<ul>\n<li>\n<p><strong>Line Configuration<\/strong>:<\/p>\n<ul>\n<li><strong>Console Port<\/strong>: Configure and verify access control for the Console port, such as setting up password protection.<\/li>\n<li><strong>VTY Lines<\/strong>: Configure VTY (Virtual Terminal) lines for remote access (e.g., SSH and Telnet), including password settings and access control lists (ACLs).<\/li>\n<li><strong>Auxiliary Port<\/strong>: Configure and verify access control for the Auxiliary port, commonly used for modem dial-in access.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Local User Authentication<\/strong>:<\/p>\n<ul>\n<li><strong>Local User Accounts<\/strong>: Create and manage local user accounts, including username and password configuration.<\/li>\n<li><strong>Privilege Levels<\/strong>: Set different privilege levels for users to control the set of commands they can execute (e.g., levels 1-15).<\/li>\n<li><strong>Local Authentication and Authorization<\/strong>: Use a local database for user authentication and authorization, setting up local usernames and passwords for verification.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Authentication and Authorization Using AAA<\/h3>\n<ul>\n<li>\n<p><strong>AAA Fundamentals<\/strong>:<\/p>\n<ul>\n<li><strong>AAA Definition<\/strong>: Understand the three components of AAA: Authentication, Authorization, and Accounting.<\/li>\n<li><strong>AAA Framework<\/strong>: Learn about AAA's role in network security and its workflow.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>AAA Server Configuration<\/strong>:<\/p>\n<ul>\n<li><strong>TACACS+ and RADIUS<\/strong>: Configure and compare the functionality and use cases of TACACS+ and RADIUS servers, including their application in authentication, authorization, and accounting.<\/li>\n<li><strong>AAA Server Configuration<\/strong>: Learn how to configure Cisco devices to communicate with AAA servers, including setting the TACACS+ and RADIUS server addresses and keys.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>AAA Authentication Configuration<\/strong>:<\/p>\n<ul>\n<li><strong>Authentication Method Lists<\/strong>: Create and apply authentication method lists for user authentication through TACACS+, RADIUS, or a local database.<\/li>\n<li><strong>Login Authentication<\/strong>: Configure and verify AAA login authentication using the <code>login authentication<\/code> command.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>AAA Authorization Configuration<\/strong>:<\/p>\n<ul>\n<li><strong>Authorization Method Lists<\/strong>: Set up authorization method lists to control the resources and actions users can access.<\/li>\n<li><strong>Command Authorization<\/strong>: Use TACACS+ servers or local databases to configure command authorization, ensuring that users can only execute authorized commands.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>AAA Accounting Configuration<\/strong>:<\/p>\n<ul>\n<li><strong>Accounting Configuration<\/strong>: Set up AAA accounting features to log user sessions and command executions for security auditing and analysis.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Configure and Verify Infrastructure Security Features<\/h2>\n<h3>ACLs (Access Control Lists)<\/h3>\n<ul>\n<li>\n<p><strong>Fundamentals<\/strong>:<\/p>\n<ul>\n<li><strong>Role of ACLs<\/strong>: Understand that ACLs are used to control inbound and outbound network traffic, enhance security, and optimize network performance.<\/li>\n<li><strong>Standard ACLs<\/strong>: Learn how standard ACLs filter traffic based on source IP addresses.<\/li>\n<li><strong>Extended ACLs<\/strong>: Understand how extended ACLs filter traffic based on source and destination IP addresses, protocol types, and port numbers.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Configuration Steps<\/strong>:<\/p>\n<ul>\n<li><strong>Standard ACLs<\/strong>: Learn how to create standard ACLs and apply them to interfaces.<\/li>\n<li><strong>Extended ACLs<\/strong>: Learn how to create extended ACLs and apply them to interfaces.<\/li>\n<li><strong>Named ACLs<\/strong>: Understand how to use named ACLs for improved readability and easier management.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Application Scenarios<\/strong>:<\/p>\n<ul>\n<li><strong>Inbound and Outbound ACLs<\/strong>: Configure ACLs to control traffic based on the direction (inbound or outbound).<\/li>\n<li><strong>VLAN ACLs<\/strong>: Configure VLAN ACLs to control traffic between VLANs on a switch.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Verification and Troubleshooting<\/strong>:<\/p>\n<ul>\n<li><strong>Verify ACLs<\/strong>: Use commands such as <code>show access-lists<\/code> and <code>show ip interface<\/code> to verify ACL application and traffic matches.<\/li>\n<li><strong>Troubleshooting<\/strong>: Use <code>debug<\/code> commands and log analysis to troubleshoot ACL configuration issues.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>CoPP (Control Plane Policing)<\/h2>\n<ul>\n<li>\n<p><strong>Fundamentals<\/strong>:<\/p>\n<ul>\n<li><strong>Role of CoPP<\/strong>: Understand the purpose of Control Plane Policing (CoPP) in protecting the control plane of routers and switches from DoS attacks and malicious traffic.<\/li>\n<li><strong>Classification and Policing<\/strong>: Learn how to classify and prioritize different types of traffic for applying QoS policies.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Configuration Steps<\/strong>:<\/p>\n<ul>\n<li><strong>Class-map Definition<\/strong>: Create class-maps to match specific types of traffic.<\/li>\n<li><strong>Policy-map Definition<\/strong>: Create policy-maps to apply to matched traffic, setting rate limits and other policies.<\/li>\n<li><strong>Apply Service Policy<\/strong>: Apply the service policy to the control plane interface.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Verification and Troubleshooting<\/strong>:<\/p>\n<ul>\n<li><strong>Verify CoPP<\/strong>: Use commands such as <code>show policy-map control-plane<\/code> and <code>show policy-map interface control-plane<\/code> to verify CoPP configuration and traffic matches.<\/li>\n<li><strong>Troubleshooting<\/strong>: Use <code>debug<\/code> commands and log analysis to troubleshoot CoPP configuration issues.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Describe REST API Security<\/h2>\n<ul>\n<li>\n<p><strong>Fundamentals<\/strong>:<\/p>\n<ul>\n<li><strong>REST API<\/strong>: Understand the basics of Representational State Transfer (REST) APIs and how they operate.<\/li>\n<li><strong>Security Requirements<\/strong>: Recognize the security requirements when using REST APIs, such as authentication, authorization, data encryption, and abuse prevention.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Authentication and Authorization<\/strong>:<\/p>\n<ul>\n<li><strong>Basic Authentication<\/strong>: Learn about using HTTP basic authentication and its security risks.<\/li>\n<li><strong>OAuth<\/strong>: Understand OAuth, a protocol for granting third-party applications access to user resources.<\/li>\n<li><strong>API Key<\/strong>: Learn about API key-based authentication, often used for simplified access control to public APIs.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Encryption and Data Protection<\/strong>:<\/p>\n<ul>\n<li><strong>HTTPS<\/strong>: Ensure that REST API requests and responses are encrypted via HTTPS to prevent man-in-the-middle attacks.<\/li>\n<li><strong>Token Encryption<\/strong>: Use token technologies like JSON Web Tokens (JWT) to encrypt and protect sensitive data.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Abuse Prevention and Rate Limiting<\/strong>:<\/p>\n<ul>\n<li><strong>Rate Limiting<\/strong>: Prevent DDoS attacks and abuse by limiting the frequency of API requests.<\/li>\n<li><strong>IP Whitelisting<\/strong>: Restrict API access to specific IP addresses only.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Common Attack Prevention<\/strong>:<\/p>\n<ul>\n<li><strong>SQL Injection<\/strong>: Use secure database query methods when processing API request parameters.<\/li>\n<li><strong>Cross-Site Request Forgery (CSRF)<\/strong>: Use CSRF tokens to validate API requests.<\/li>\n<li><strong>Cross-Site Scripting (XSS)<\/strong>: Properly encode and filter API responses to prevent XSS attacks.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Configure and Verify Wireless Security Features<\/h2>\n<h3>802.1X<\/h3>\n<ul>\n<li>\n<p><strong>Fundamentals<\/strong>:<\/p>\n<ul>\n<li><strong>802.1X Standard<\/strong>: Understand the IEEE 802.1X standard, a network access control framework typically used for wired and wireless authentication.<\/li>\n<li><strong>Components<\/strong>: Learn the key components of 802.1X: Supplicant, Authenticator, and Authentication Server.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Configuration Steps<\/strong>:<\/p>\n<ul>\n<li><strong>WLC Configuration<\/strong>: Set up the Wireless LAN Controller (WLC) for 802.1X authentication, including configuring SSIDs and choosing authentication methods.<\/li>\n<li><strong>RADIUS Server Configuration<\/strong>: Set up the RADIUS server for user authentication.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Verification Methods<\/strong>:<\/p>\n<ul>\n<li><strong>Connection Verification<\/strong>: Use commands and tools to verify the 802.1X authentication status of wireless clients.<\/li>\n<li><strong>Log Checking<\/strong>: Analyze WLC and RADIUS server logs to confirm successful or failed authentication processes.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>WebAuth (Web Authentication)<\/h3>\n<ul>\n<li>\n<p><strong>Fundamentals<\/strong>:<\/p>\n<ul>\n<li><strong>WebAuth Definition<\/strong>: Understand WebAuth, which redirects users to a web login page for authentication.<\/li>\n<li><strong>Use Cases<\/strong>: Often used in guest networks and simple user authentication.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Configuration Steps<\/strong>:<\/p>\n<ul>\n<li><strong>WLC Configuration<\/strong>: Set up WebAuth on the WLC, including creating the WebAuth login page and configuring SSIDs.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Verification Methods<\/strong>:<\/p>\n<ul>\n<li><strong>User Connection Testing<\/strong>: Use a web browser to connect to the wireless network and test the WebAuth authentication process.<\/li>\n<li><strong>Authentication Log Analysis<\/strong>: Check WLC logs to confirm successful WebAuth authentication.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>PSK (Pre-Shared Key)<\/h3>\n<ul>\n<li>\n<p><strong>Fundamentals<\/strong>:<\/p>\n<ul>\n<li><strong>PSK Definition<\/strong>: Understand pre-shared key (PSK), a simple wireless network authentication method using shared keys.<\/li>\n<li><strong>Use Cases<\/strong>: Commonly used in small or home networks.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Configuration Steps<\/strong>:<\/p>\n<ul>\n<li><strong>WLC Configuration<\/strong>: Set up PSK authentication on the WLC, including SSID and PSK configuration.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Verification Methods<\/strong>:<\/p>\n<ul>\n<li><strong>Connection Testing<\/strong>: Use a wireless client to connect to the network and enter the PSK for authentication.<\/li>\n<li><strong>Connection Status Check<\/strong>: Use WLC or client tools to check the connection status and encryption method.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>EAPOL (4-Way Handshake)<\/h3>\n<ul>\n<li>\n<p><strong>Fundamentals<\/strong>:<\/p>\n<ul>\n<li><strong>EAPOL Definition<\/strong>: Understand the Extensible Authentication Protocol (EAP) and EAP over LAN (EAPOL), particularly the 4-way handshake process.<\/li>\n<li><strong>4-Way Handshake<\/strong>: Learn the steps of the 4-way handshake, including ANonce, SNonce, MIC, and PTK generation and exchange.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Security<\/strong>:<\/p>\n<ul>\n<li><strong>Protection Mechanisms<\/strong>: Understand the role of the 4-way handshake in WPA\/WPA2 for ensuring wireless network security.<\/li>\n<li><strong>Potential Vulnerabilities<\/strong>: Learn about the KRACK (Key Reinstallation Attack) and its impact on the 4-way handshake.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Configuration and Verification<\/strong>:<\/p>\n<ul>\n<li><strong>WLC Configuration<\/strong>: Ensure the WLC supports WPA\/WPA2-Enterprise authentication, using a RADIUS server for EAP authentication.<\/li>\n<li><strong>Handshake Verification<\/strong>: Use packet capture tools (e.g., Wireshark) to analyze the 4-way handshake and verify its completion.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Describe the Components of Network Security Design<\/h2>\n<h3>Threat Defense<\/h3>\n<ul>\n<li>\n<p><strong>Fundamentals<\/strong>:<\/p>\n<ul>\n<li><strong>Threat Definition<\/strong>: Understand different types of network threats, such as malware, DDoS attacks, and insider threats.<\/li>\n<li><strong>Threat Defense Mechanisms<\/strong>: Learn about the various defense mechanisms, including firewalls, IPS\/IDS systems, and endpoint security solutions.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Defense Technologies<\/strong>:<\/p>\n<ul>\n<li><strong>Firewall<\/strong>: Configure and manage firewalls to control the traffic entering and exiting the network.<\/li>\n<li><strong>Intrusion Detection and Prevention Systems (IDS\/IPS)<\/strong>: Use IDS\/IPS to detect and respond to network attacks.<\/li>\n<li><strong>Anti-malware<\/strong>: Deploy anti-malware solutions to detect and remove malicious software.<\/li>\n<li><strong>Behavioral Analysis<\/strong>: Utilize behavioral analysis tools to detect abnormal activities and potential threats.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Endpoint Security<\/h3>\n<ul>\n<li>\n<p><strong>Core Concepts<\/strong>:<\/p>\n<ul>\n<li><strong>Definition of Endpoint Security<\/strong>: Understand that endpoint security involves protecting endpoint devices (such as computers, mobile phones, servers, etc.) within a network from threats.<\/li>\n<li><strong>Components of Endpoint Security<\/strong>: Learn about the key components of endpoint security, including antivirus software, Endpoint Detection and Response (EDR), and device control.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Endpoint Security Policies<\/strong>:<\/p>\n<ul>\n<li><strong>Device Compliance Checks<\/strong>: Ensure that endpoint devices comply with security policies and regulatory requirements.<\/li>\n<li><strong>Patch Management<\/strong>: Regularly update and patch the operating system and application vulnerabilities on endpoint devices.<\/li>\n<li><strong>Data Encryption<\/strong>: Use data encryption techniques to protect sensitive information on endpoint devices.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Next-Generation Firewall (NGFW)<\/h3>\n<ul>\n<li>\n<p><strong>Core Concepts<\/strong>:<\/p>\n<ul>\n<li><strong>Traditional Firewall vs. Next-Generation Firewall (NGFW)<\/strong>: Understand the differences between traditional firewalls and NGFWs, with NGFW offering deeper traffic analysis and enhanced security features.<\/li>\n<li><strong>NGFW Features<\/strong>: Learn about the main features of NGFW, such as application identification and control, Intrusion Prevention System (IPS), Advanced Malware Protection (AMP), and content filtering.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Configuration and Management<\/strong>:<\/p>\n<ul>\n<li><strong>Policy Configuration<\/strong>: Configure security policies to control and monitor network traffic.<\/li>\n<li><strong>Logging and Reporting<\/strong>: Use the logging and reporting functions of NGFW to monitor network activities and security events.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>TrustSec and MACsec<\/h3>\n<ul>\n<li>\n<p><strong>TrustSec<\/strong>:<\/p>\n<ul>\n<li><strong>Core Concepts<\/strong>: Understand that Cisco TrustSec is a solution for network access control and policy enforcement using identity and role-based access.<\/li>\n<li><strong>Key Components<\/strong>: Learn about the key components of TrustSec, including Identity Services Engine (ISE), Security Group Tags (SGT), and Security Group Access Control Lists (SGACL).<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>MACsec<\/strong>:<\/p>\n<ul>\n<li><strong>Core Concepts<\/strong>: Understand that MACsec (Media Access Control Security) is a protocol that provides secure communication at the data link layer (Layer 2).<\/li>\n<li><strong>Features<\/strong>: Learn about MACsec's features, including frame encryption, integrity checking, and protection against replay attacks.<\/li>\n<li><strong>Configuration and Management<\/strong>: Learn how to configure and manage MACsec on switches and other devices.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Network Access Control with 802.1X, MAB, and WebAuth<\/h3>\n<ul>\n<li>\n<p><strong>802.1X<\/strong>:<\/p>\n<ul>\n<li><strong>Core Concepts<\/strong>: Understand that IEEE 802.1X is a standard used for wired and wireless network access control.<\/li>\n<li><strong>Components<\/strong>: Learn about the main components of 802.1X: the Supplicant, Authenticator, and Authentication Server.<\/li>\n<li><strong>Authentication Process<\/strong>: Become familiar with the 802.1X authentication process, including the use of Extensible Authentication Protocol (EAP) and RADIUS protocol.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>MAB (MAC Authentication Bypass)<\/strong>:<\/p>\n<ul>\n<li><strong>Core Concepts<\/strong>: Understand that MAB is a network access control method based on MAC addresses, used when devices do not support 802.1X.<\/li>\n<li><strong>Configuration and Management<\/strong>: Learn how to configure MAB on switches and integrate it with RADIUS servers.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>WebAuth (Web Authentication)<\/strong>:<\/p>\n<ul>\n<li><strong>Core Concepts<\/strong>: Understand that WebAuth authenticates users by redirecting them to a web login page, commonly used in guest networks.<\/li>\n<li><strong>Configuration and Management<\/strong>: Learn how to configure WebAuth on wireless controllers, including creating a WebAuth login page and configuring SSID.<\/li>\n<\/ul>\n<blockquote>\n<p>Reference Materials<br \/>\n<a href=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security-vpn\/remote-authentication-dial-user-service-radius\/13838-10.html\">https:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security-vpn\/remote-authentication-dial-user-service-radius\/13838-10.html<\/a><br \/>\n<a href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/sec_usr_8021x\/configuration\/xe-3se\/3850\/sec-user-8021x-xe-3se-3850-book\/config-ieee-802x-pba.html\">https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/sec_usr_8021x\/configuration\/xe-3se\/3850\/sec-user-8021x-xe-3se-3850-book\/config-ieee-802x-pba.html<\/a><\/p>\n<\/blockquote>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This article covers CCNP ENCOR 350-401 security part, including access control, AAA (Authentication, Authorization, and Accounting), ACLs (Access Control Lists), and wireless security features like 802.1X and WebAuth. It also explores advanced security protocols such as Control Plane Policing (CoPP), REST API security, and endpoint protection strategies, alongside modern firewall technologies like Next-Generation Firewalls (NGFW), Cisco TrustSec, and MACsec.<\/p>\n","protected":false},"author":1,"featured_media":447,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_jetpack_memberships_contains_paid_content":false},"categories":[3],"tags":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/cisco-1.png","_links":{"self":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/510"}],"collection":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/comments?post=510"}],"version-history":[{"count":4,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/510\/revisions"}],"predecessor-version":[{"id":516,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/510\/revisions\/516"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/media\/447"}],"wp:attachment":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/media?parent=510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/categories?post=510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/tags?post=510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}