
CCNA Security: Defending the Perimeter

Contents

  1. "Do I Know This Already?" Quiz
  2. Foundation Topics
  3. Exam Preparation Tasks

Chapter Description

This chapter provides an overview of the Cisco Integrated Services Router (ISR), explains how to provide secure administrative access to the router, and introduces Cisco Security Device Manager (SDM).

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics from this chapter, denoted with the Key Topic icon. Table 3-12 lists these key topics and the page where each is found.


Table 3-12. Key Topics for Chapter 3

| Key Topic Element | Description | Page Number |
|---|---|---|
| Table 3-2 | IOS security features | 81 |
| List | ISR enhancements | 85 |
| Table 3-7 | Passwords configured during the SETUP script | 88 |
| Table 3-8 | Cisco IOS Resilient Configuration steps | 96 |
| List | Requirements added by Cisco IOS Login Enhancements for Virtual Connections | 96 |
| Example 3-18 | Creating a message-of-the-day banner | 99 |
| List | Cisco SDM benefits | 100 |
| Table 3-11 | Cisco SDM wizards | 103-104 |

Complete the Tables and Lists from Memory

Print a copy of Appendix D, "Memory Tables," (found on the CD) or at least the section for this chapter, and complete the tables and lists from memory. Appendix E, "Memory Tables Answer Key," also on the CD, includes completed tables and lists so that you can check your work.

Definition of Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

  • Integrated Services Router (ISR), dictionary attack, brute-force attack, privilege level, role-based command-line interface (CLI) view, bootset, Cisco Security Device Manager (SDM)

Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. To see how well you have memorized the commands as a side effect of your other studies, cover the left side of the table with a piece of paper, read the descriptions on the right side, and see whether you remember the commands.

Table 3-13. Chapter 3 Configuration Command Reference

| Command | Description |
|---|---|
| `enable secret password` | A global configuration mode command that configures a router's enable secret password |
| `password password` | A line configuration mode command that configures a password for a line (such as a con, aux, or vty line) |
| `login` | A line configuration mode command that configures a line to require a login |
| `service password-encryption` | A global configuration mode command that encrypts plain-text passwords in a router's configuration |
| `exec-timeout minutes [seconds]` | A line configuration mode command that specifies an inactivity period before logging out a user |
| `security authentication failure rate number_of_failed_attempts log` | A global configuration mode command used to specify the maximum number of failed attempts (in the range of 2 to 1024) before introducing a 15-second delay; also generates a log message if the specified threshold is exceeded |
| `privilege mode {level level command \| reset command}` | A global configuration mode command used to associate a command (issued in a specific mode) with a specified privilege level, in the range 0 to 15 (although custom privilege levels are in the range 1 to 14), or to reset a command to its default level |
| `aaa new-model` | A global configuration mode command used to enable authentication, authorization, and accounting (AAA) |
| `parser view view_name` | A global configuration mode command used to create a new view |
| `secret 0 password` | A view configuration mode command used to set the password required to invoke the view |
| `commands parser_mode {include \| include-exclusive \| exclude} [all] [interface interface_identifier \| command]` | A view configuration mode command that allows an administrator to specify a command (or interface) available to a particular view |
| `secure boot-image` | A global configuration mode command used to enable image resilience |
| `secure boot-config` | A global configuration mode command that archives the running configuration of a router to persistent storage |
| `login block-for seconds attempts attempts within seconds` | A global configuration mode command that specifies the number of failed login attempts (within a specified time period) that trigger a quiet period, during which login attempts will be blocked |
| `login quiet-mode access-class {acl-name \| acl-number}` | A global configuration mode command that specifies an ACL that identifies exemptions from the previously described quiet period |
| `login delay seconds` | A global configuration mode command that specifies a minimum period of time that must pass between login attempts |
| `login on-failure log [every login_attempts]` | A global configuration mode command that creates log messages for failed login attempts |
| `login on-success log [every login_attempts]` | A global configuration mode command that creates log messages for successful login attempts |
| `banner motd delimiter message_body delimiter` | A global configuration mode command that configures a message to be displayed when a user administratively connects to a router |
| `ip http server` | A global configuration mode command that enables an HTTP server on a router |
| `ip http secure-server` | A global configuration mode command that enables a secure HTTP (HTTPS) server on a router |
| `ip http authentication local` | A global configuration mode command that configures a local authentication method for accessing the HTTPS server |
| `username name privilege 15 secret 0 password` | A global configuration mode command that configures a username and password to be used for authentication local to the router |

Table 3-14. Chapter 3 EXEC Command Reference

| Command | Description |
|---|---|
| `enable view` | Enables the root view, which is represented by the set of commands available to an administrator logged in with a privilege level of 15 |
| `enable view view_name` | Switches to the specified view (after the required credentials are provided) |
| `show secure bootset` | Used to verify that Cisco IOS Resilient Configuration is enabled and that the files in the bootset have been secured |
| `show login` | Can be used to verify that enhanced support for virtual logins is configured and to view the login parameters |
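As an added example that is not from the book, the following configuration combines the Table 3-13 commands into one management-plane hardening baseline and ends with the Table 3-14 verification commands. The MGMT-HOSTS ACL name, the 10.1.1.0/24 address block, the NETOPS view name and all passwords are placeholders, and `aaa authentication login default local` is assumed in addition to the table's commands because `aaa new-model` makes the vty lines authenticate through a method list.

```cisco
! Added example (not from the book). All names, addresses and passwords
! are placeholders; replace them before use.
aaa new-model
aaa authentication login default local
enable secret EnableS3cret
service password-encryption
username admin privilege 15 secret 0 AdminS3cret
!
! Login enhancements: 3 failures within 60 s trigger a 120 s quiet period.
! During the quiet period only sources matching MGMT-HOSTS may still log in,
! every attempt is spaced at least 2 s apart, and both outcomes are logged.
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login delay 2
login on-failure log
login on-success log
!
! Role-based CLI: a view limited to show, ping and entering interface
! configuration. Views are created from the root view (enable view).
parser view NETOPS
 secret 0 NetopsS3cret
 commands exec include all show
 commands exec include ping
 commands configure include interface
!
! Cisco IOS Resilient Configuration: secure the image and archive the config.
secure boot-image
secure boot-config
!
! Idle administrative sessions are disconnected after 5 minutes.
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
!
banner motd ^ Authorized access only. Activity is logged. ^
!
! SDM access over HTTPS only, authenticated against the local user database.
no ip http server
ip http secure-server
ip http authentication local
!
! Verify from privileged EXEC: show login / show secure bootset
```

The `show login` output should report the block-for parameters and quiet-mode ACL configured above, and `show secure bootset` should list the secured image and archived configuration.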
