Chapter Thirteen
Security
Main sections of the chapter
Denial of Services Attack
Reconnaissance Attack
Traffic Attack
Network Security Practices
Physical Security
AAA
SAFE Blueprint
SAFE Guidelines for Securing the Internet Connectivity Module
SAFE Guidelines for Securing the E-Commerce Module
SAFE Guidelines for Securing the Remote Access and VPN Module
SAFE Guidelines for Securing the WAN Module
SAFE Guidelines for Securing the Network Management Module
SAFE Guidelines for Securing the Server Farm Module
Cisco Network Security is divided into:
Data Integrity
Data Confidentiality
Data Availability
Question
Network security aims to provide data integrity, data confidentiality, and system availability. What is the meaning of data integrity?
Answer
Data integrity means that the network data is valid and has not been changed or tampered with in any way.
Major threats include the following:
Integrity Violation
Confidentiality breaches
Denial of Services Attack
Denial of Services (DoS) attacks compromise the availability of data. They typically involve flooding a network system with bogus traffic.
This threat compromises data availability; it involves flooding the network, as well as tampering with the way data flows within the system.
Question
Many types of attacks involve sending a host a malformed message that is known to cause an error, or overwhelming the host with massive amounts of data. What are these types of attacks typically called?
Answer
These types of attacks are typically called Denial of Service attacks.
Reconnaissance Attack
Under a reconnaissance attack, the network is searched or scanned for potential targets.
As the name suggests, the network is surveyed and potential targets are discovered by searching and probing inside it.
Question
Many attacks involve searching the network for addresses, possible targets, and security gaps. What are these types of attacks typically called?
Answer
These attacks are typically called reconnaissance attacks.
Traffic attacks
These attacks occur when data flowing through a network is compromised.
That is, they occur while data is flowing through a network that is at risk (a compromised network).
Network Security Practices
Risk Assessment
Defines the potential threats that exist
Security Policy
Defines how risks are managed
Security Design
Implements the security policy
Physical Security
Guidelines to observe when applying this concept include:
Include physical access control (complete control over the network)
Determine how breaches of physical access can affect other security consoles (account for breaches that affect the security of other information)
Be able to recover quickly from theft (return to normal after an attack)
Ensure that you protect communications over insecure networks that you do not own (protection from networks connected to yours that may be insecure)
AAA
AAA should be used in a secure network
Authentication
Verify the identity of the user who wants to access network resources
Authorization
What the user can do in the network (which privileges the user may exercise)
Accounting
Monitoring access to the network
Question
Provide at least two reasons why it is so important to physically secure a router or switch.
Answer
It is important to physically secure these devices for the following reasons:
- Console access allows an administrator to override any security that is placed on the device
- Theft
- Installation of software directly
- Installation of new hardware directly
Question
Provide at least two of the physical security guidelines recommended by Cisco.
Answer
Cisco recommends the following physical security guidelines:
- Deploy adequate physical access controls
- To the extent possible, ensure that physical access cannot compromise other security measures
- Ensure that you can recover easily in the event of device theft
- Be sure to use cryptography for data that travels on equipment or networks that are out of your control
Question
What does the acronym AAA stand for? What does each word mean to network security?
Answer
AAA stands for:
- Authentication: Verifying a network user's identity
- Authorization: Verifying that the user is permitted to do what they are trying to do
- Accounting: Auditing access of resources for security and billing purposes
Question
Name at least five ways a user can authenticate himself on a computer network.
Answer
There are many ways for authentication to function. The following can be used:
- Username/password
- PIN (personal identification number)
- Private cryptographic key
- Password token card
- Smartcard
- Hardware key
- Fingerprint
- Retina pattern
- Voice
- Face recognition
Question
Name at least two authentication guidelines that are recommended by Cisco.
Answer
Cisco Systems recommends the following:
- Use strong authentication on users from external networks
- Use the strongest authentication mechanism when the most valuable resources are being accessed
- Make authentication mechanisms user-friendly
- Integrate authentication with existing user databases
Question
Name at least one Cisco recommendation for network authorization.
Answer
Cisco recommends the following when it comes to authorization on the network:
- Use the principle of least privilege: Each user should use an account that gives him just enough privileges to accomplish what he needs, and no more.
- Use the principle of defense in depth for valuable resources: Each security mechanism should back up others.
- Never trust client-supplied settings.
SAFE Blueprint
The Cisco Security Architecture for Enterprise (SAFE) blueprint provides a modular approach to securing the network. It also provides best practices for network designers and implementers.
In other words, Cisco offers an ideal way to lay out information security in a sequential, coordinated manner so that it can be designed and implemented as completely as possible.
SAFE Guidelines for Securing the Internet Connectivity Module
Firewalls, routers and IDS should be used to prevent network mapping attacks.
Routers and firewalls must be protected to prevent any attack.
To ensure that exposed hosts are not compromised, use firewalls to protect and IDS to detect.
To stop hosts from being attacked by compromised hosts, use a DMZ, firewalls, LAN access control and IDS for monitoring.
Prepare and take measures before an incident occurs; the devices listed above are therefore recommended for protection.
The remaining entries give the type of attack followed by the measure taken:
DoS attacks on links - QoS mechanism; IDS
DoS attacks on hosts - host hardening and firewalls
Introduction of malicious code - use application filtering
The modules that follow list each type of risk and the measure to take.
SAFE Guidelines for Securing the E-Commerce Module
Exposed hosts and applications - use a firewall, host hardening, secure programming and IDS
Hosts attacked from other hosts - host hardening, firewalls and IDS
DoS attacks at hosts - DMZ, firewalls, IDS and LAN access control
SAFE Guidelines for Securing the Remote Access and VPN Module
Risk of identity spoofing - strong authentication
Confidentiality and integrity - strong encryption
Compromised clients and remote sites - firewall and virus scanning
SAFE Guidelines for Securing the WAN Module
Confidentiality and integrity - strong encryption
WAN misconfiguration - WAN peer authentication
SAFE Guidelines for Securing the Network Management Module
Administrator impersonation - authentication
Compromise of management protocols - secure protocol
Accidental/deliberate misconfiguration - authorization
Responsibility avoidance - auditing
Management host - separate management networks, firewalls and IDS
SAFE Guidelines for Securing the Server Farm Module
Compromise of exposed hosts - firewalls, host hardening, secure applications and IDS
Compromise other hosts from compromised hosts - firewalls, IDS and LAN access control
Question
The Internet Connectivity Module often features a DMZ. What is a DMZ?
Answer
A demilitarized zone (DMZ) network contains a host that has been compromised. A DMZ is typically created using two firewalls, and it permits public access for select services.
Question
What is spoofing in network security?
Answer
Spoofing means that the client is falsifying its true identity. IP address spoofing is a common method for gaining access to secured networks.