CCIE Security written: 2 – Application Protocols

Highlights of CCIE Security written Study Guide

Active FTP is less secure than passive mode because the FTP server, which, in theory, could be any host, initiates the data channel.

In passive mode, the second connection (the FTP data connection) is also initiated from the client to the server, the reverse of active FTP.

In passive FTP, the client initiates both the control connection and the data connection; in active mode, the FTP server initiates the data channel. Passive FTP therefore carries less risk of data compromise, because the client initiates both connections.
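An added example, not part of the study guide, that shows the two modes from a firewall's point of view: it parses the client's PORT command (active) or the server's 227 reply (passive), reports which side opens the data channel, and only proposes a pinhole when the announced address matches the control-channel peer. The addresses and control-channel lines are constructed.

```python
import re

# Constructed sample control-channel lines (not from the page).
ACTIVE_CMD = "PORT 192,0,2,10,4,1"                                  # sent by the client
PASSIVE_REPLY = "227 Entering Passive Mode (198,51,100,7,195,80)."  # sent by the server

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _decode(groups):
    """Turn the six comma-separated decimal bytes into (host, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("tuple byte out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channel(line, client_ip, server_ip):
    """Describe the data connection implied by one control-channel line.

    line is the client's 'PORT ...' command (active) or the server's
    '227 ...' reply (passive). Returns who initiates the data connection
    and whether the announced address matches the control-channel peer.
    """
    m = _TUPLE.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in line")
    host, port = _decode(m.groups())
    if line.upper().startswith("PORT "):
        # Active: the server opens the data connection toward the client.
        mode, initiator, expected = "active", server_ip, client_ip
    elif line.startswith("227"):
        # Passive: the client opens both connections toward the server.
        mode, initiator, expected = "passive", client_ip, server_ip
    else:
        raise ValueError("not a PORT command or a 227 reply")
    return {
        "mode": mode,
        "initiator": initiator,
        "target": (host, port),
        "address_matches_peer": host == expected,
        "port_is_unprivileged": port > 1023,
    }

def firewall_pinhole(line, client_ip, server_ip):
    """(src, dst_host, dst_port) a stateful firewall may open, or None."""
    d = data_channel(line, client_ip, server_ip)
    if not (d["address_matches_peer"] and d["port_is_unprivileged"]):
        return None
    return (d["initiator"], d["target"][0], d["target"][1])
```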


If the snmp-server community command is not used during the SNMP configuration session, it is automatically added to the configuration after the snmp-server host command is entered. In this case, the default password (string) for snmp-server community is taken from the snmp-server host command. Always set the community string manually; otherwise, your router could be left vulnerable to SNMP get commands.

snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
  • SNMP Version 3 is the most secure model because it allows packet encryption with the priv keyword.
  • auth (optional): Enables Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) packet authentication.
  • priv (optional): Enables Data Encryption Standard (DES) packet encryption (also called privacy).
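As an added illustration that is not from the study guide, a small Python audit of an IOS running-config that flags the cases the note above warns about: community strings that exist only because a snmp-server host line named them, well-known default strings, and communities configured without an access-list. The config excerpt is constructed.

```python
import re

# Constructed sample running-config excerpt (not taken from the page).
SAMPLE_CONFIG = """\
hostname R1
snmp-server host 10.1.1.5 traps version 2c public
snmp-server host 10.1.1.6 version 3 priv ops-v3
snmp-server community private RW
snmp-server community Str0ng-R0 RO 10
access-list 10 permit 10.1.1.0 0.0.0.255
"""

WELL_KNOWN = {"public", "private", "cisco"}

# snmp-server host host-addr [traps|informs] [version {1|2c|3 [auth|noauth|priv]}] community
HOST_RE = re.compile(
    r"^snmp-server host \S+(?: traps| informs)?"
    r"(?: version (1|2c|3)(?: (auth|noauth|priv))?)? (\S+)"
)
# snmp-server community string [RO|RW] [acl]
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?")

def audit_snmp(config):
    """Return sorted (community, finding) pairs for an IOS running-config."""
    explicit = {}   # community -> (RO/RW, acl or None) from snmp-server community
    implicit = {}   # community -> version, created only by a snmp-server host line
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            explicit[m.group(1)] = (m.group(2) or "RO", m.group(3))
            continue
        m = HOST_RE.match(line)
        if m and (m.group(1) or "1") != "3":   # v3 hosts name a user, not a community
            implicit[m.group(3)] = m.group(1) or "1"
    findings = []
    for comm in sorted(set(explicit) | set(implicit)):
        if comm.lower() in WELL_KNOWN:
            findings.append((comm, "well-known default community string"))
        if comm not in explicit:
            findings.append((comm, "created implicitly by snmp-server host (v%s), no ACL" % implicit[comm]))
        elif explicit[comm][1] is None:
            findings.append((comm, "%s community without access-list" % explicit[comm][0]))
    return findings
```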

NTP uses the concept of a stratum to describe how many NTP hops away a machine is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached; a stratum 2 time server receives its time via NTP from a stratum 1 time server, and so on. Cisco routers cannot support stratum 1 (in other words, you cannot connect a Cisco router to an atomic clock source).

To ensure that R1 sends R2 a clock source via NTP, R1 must be configured to send NTP traffic over the Frame Relay cloud with the ntp broadcast command. To specify that a particular interface should send NTP broadcast packets, use the ntp broadcast interface configuration command. Similarly, R2 must receive NTP traffic and is considered an NTP client, configured with the IOS command ntp broadcast client.


CCIE Security written: 1 – General Networking

Highlights of CCIE Security written Study Guide

Cisco switches have VLAN 1 preconfigured, and it cannot be removed because it is used for management purposes and protocols such as CDP and spanning tree are active on it.


Telnet (TCP) Packet Flow

Step 3: The PC sends a segment that acknowledges (ACK) the router’s reply. The first three steps are commonly known as the TCP three-way handshake. It is possible for four packets to start a session if a parameter needs to be negotiated.


A gratuitous ARP is an ARP request with the sender’s own IP address as the target address. It refreshes the ARP table entries of other devices and is also used to detect duplicate IP addresses. Routers are among the devices that can send a gratuitous ARP.


OSPF Design: 3 – Fundamentals

OSPF benefits
  • Fast convergence
  • Variable-length subnet masking (VLSM)
  • Authentication
  • Hierarchical segmentation
  • Route summarization
  • Aggregation

Route summarization is a major factor in the success of a network design. To ensure that your network can scale properly, route summarization is the biggest factor against which to measure your success. Without summarization you have a flat address design, with specific route information for every subnet being transmitted across the network, which is a bad thing in large networks.

The six time-proven steps to designing a network are as follows:

  1. Analyze the requirements.
  2. Develop the network topology.
  3. Determine the addressing and naming conventions.
  4. Provision the hardware.
  5. Deploy protocol and Cisco IOS Software features.
  6. Implement, monitor, and maintain the network.

Consider the following issues when working through the network design process:


OSPF Design: 2 – Introduction

A dynamic routing protocol supports a routed protocol and maintains routing tables.

The most common use of static routes is in stub networks.

In link-state routing protocols, each router sends only the portion of the routing table that describes the state of its own links.

Link-state protocols are based on the distributed map concept, which means that every router has a copy of the network map that is regularly updated.

The principle of link-state routing is that all the routers within an area maintain an identical copy of the network topology.

Link-state protocols such as OSPF flood all the routing information when they first become active in link-state packets. After the network converges, they send only small updates via link-state packets.

In OSPF, because each router knows the complete topology of the network, the use of the SPF algorithm results in extremely fast convergence. OSPF also:

  • Sends only updates to tables, instead of entire tables, to other routers.
  • Is a more economical routing protocol than RIP over time because it generates less network traffic.

During an external convergence event, OSPF could flood more traffic than RIP. Consider that RIP carries 25 routes per update; OSPF, on the other hand, floods a single LSA per external route affected by the convergence event.

Distance vector means that information sent from router to router is based on an entry in a routing table that consists of the distance and vector to destination—distance being what it “costs” to get there and vector being the “direction” to get to the destination.

Distance vector protocols call for each router to send its entire routing table, but only to its neighbors. Each neighbor then forwards its entire routing table to its own neighbors, and so on.



OSPF Design: 1 – Networking and Routing Fundamentals

  1. The application layer essentially acts as the end-user interface. This is the layer where interaction between the mail application (cc:Mail, MS Outlook, and so on) or communications package (SecureCRT for Telnet or FTP Voyager for FTP) and the user occurs.
  2. The presentation layer is responsible for the agreement and translation of the communication format (syntax) between applications.
  3. The session layer’s responsibilities range from managing the application layer’s transfer of information to the data transport portion of the OSI reference model. An example is Sun’s or Novell’s Remote Procedure Call (RPC), which uses Layer 5.
  4. The transport layer is responsible for the logical transport mechanism, which includes functions conforming to the mechanism’s characteristics.
    It provides a level of error checking and reliability (through sequence numbers) to the transmission of user data to the lower layers of the OSI reference model. This is the only layer that provides true source-to-destination, end-to-end connectivity, with routing protocols such as Open Shortest Path First (OSPF) and the File Transfer Protocol (FTP) application cited as examples of TCP.
    The most common usage of UDP is streaming media solutions, such as Real Audio.
  5. The data link layer provides framing, error control, and flow control across the network media being used. An important characteristic of this layer is that the information applied to it is used by devices to determine whether the packet needs to be acted upon by this layer (that is, proceed to Layer 3 or discard).
    Serial interfaces do not normally require unique Layer 2 station addresses, such as MAC addresses, unless it is necessary to identify the receiving end in a multipoint network.
    24 bits are dedicated to the Organization Unique Identification (OUI) and 24 bits to unique identification.
    The first 3 bytes of an Ethernet address are the company ID, and the last 3 bytes are assigned by the manufacturer.
  6. The physical layer is responsible for defining information regarding the physical media, such as the electrical, mechanical, and functional specifications needed to connect two systems.
    The physical layer is composed of three main areas: wires, connectors, and encoding.

The data portion of an information unit at a given OSI layer can potentially contain headers, trailers, and data from all the higher layers. This is known as encapsulation.
