Troy’s checklist for preparing for the CCNA: Objective 6

July 17, 2009 at 7:57 am | Posted in Cisco | Leave a comment
Tags: ,

This week we cover Objective 6 of 640-802, Identify Security threats to a network and describe general methods to mitigate those threats. This objective, while a small part of the exam, is very important in the real world. First you should be familiar with all types of attacks that a network can experience, and second, you should know the security features or approaches that can mitigate theses attacks.

Attack Defense
DoS (Denial of Service) – floods the target system with unwanted requests, causing the loss of service to users. Stateful packet filtering is the most common defense against a DoS attack.
DDoS (Distributed Denial of Service) – occurs when multiple systems are used to flood the network and tax the resources of the target system. Various intrusion detection systems, utilizing stateful packet filtering, can protect against DDoS attacks.
Spoofing – also known as masquerading, is a popular trick in which an attacker intercepts a network packet, replaces the source address of the packets header with the address of the authorized host, and reinserts fake information which is sent to the receiver. This type of attack involves modifying packet contents. Message Authentication Code (MAC) can prevent this type of attack and ensure data integrity by ensuring that no data has changed. MAC also protects against frequency analysis, sequence manipulation, and ciphertext-only attacks (more concepts to be familiar with).
SYN floods – repeatedly bombards the target with spoofed IP packets and causes it to either freeze or crash. A SYN flood attack is a type of D0S  attack that exploits the buffers of a device that accept incoming connections and therefore cannot be prevented by MAC. Common defenses against a SYN flood attack include filtering, reducing the SYN-RECEIVED timer, and implementing SYN cache or SYN cookies.

The above answers are general in nature. You also should know the specific Cisco feature that can be used to mitigate these attacks, such as:

Attack Defense
DDoS and DoS Access control lists (which filter unwanted traffic)   and black holing (which completely blocks traffic from a given source or traffic aimed towards a specific destination)
Spoofing Access control lists (filter unwanted traffic)

You should be familiar with all of the security devices available to combat security problems:

  • Cisco Security Agent – used to provide endpoint protection in the network.
  • Cisco PIX firewall – used for infection containment during the threat detection and mitigation process. This is accomplished by dividing the network into segments created by security zones. The firewall provides security at the network perimeter.
  • Cisco Intrusion Detection System (IDS) – used to ensure application security in the network. It is concerned with detecting an intrusion in real time.
  • Cisco Intrusion Prevention System (IPS) -provides intrusion and anomaly detection. It is more concerned with preventing an intrusion.

You should be familiar with Cisco best practices for securing the network:

  • Security guidelines
    • Potential security breaches should be evaluated.
    • The impact of stolen network resources and equipment should be accessed.
    • Physical access control such as locks and alarms should be used.
    • To secure traffic flowing on networks outside the user control, a control mechanism such as cryptography should be used.
    • Limit the use of CDP.

Understand the Cisco Self-Defending Network strategy:

  • Trust and Identity Management: Responsible for security of critical assets and the safe identification of those with access to the assets.
  • Threat defense: Responsible for responding to problems caused by the security outbreaks.
  • Secure connectivity: Ensures that privacy and confidentiality is maintained during data communications.

Another short and sweet objective. (Here’s the previous coverage of Objective 1, Objective 2, Objective 3, Objective 4 Part 1, Objective 4 Part II, and Objective 5. The full list of CCNA objectives is at

Don’t forget, we love comments. Please let us know if you’re listening out there and what else you would like to see here.

Until next week, keep your guard up!

Keeping your guard up (but not all night)

Keeping your guard up (but not all night)

Leave a Comment »

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Entries and comments feeds.

%d bloggers like this: