Hi all,

I am sending out the solutions for the Section 8 - *Identify and Mitigate Network Attacks*. Please add/correct it.

*Identify and Mitigate Network Attacks*

*Identify and protect against fragmentation attacks*
IOS - Using deny ACLs to block packets with non-zero offset with "fragment" keyword.
ASA - Using the fragment command with "fragment chain 1"

*Identify and protect against malicious IP option usage*
IOS - Using "ip options" command
IOS - Using deny ACL to block packets with options using "option" keyword.

*Identify and protect against network reconnaissance attacks*
IOS - Using ACLs.
IOS - Disabling unused services like finger, dhcp, tcp/udp server etc.

*Identify and protect against IP spoofing attacks*
IOS - Using ACLs denying RFC 3330/1918/2827/3704
IOS - Using uRPF

*Identify and protect against MAC spoofing attacks*
IOS - DHCP snooping
IOS - switch port security

*Identify and protect against ARP spoofing attacks*
IOS - Using DAI with DHCP snooping or static binding
IOS - Using vlan filter and blocking ethertype of 0x0806

*Identify and protect against Denial of Service (DoS) attacks*
IOS - ACL with RFC 1918/2827/3330/3704 filtering
IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) - TCP and UDP various timeouts, max connections etc
ASA - static, nat and using MQC - TCP and UDP various timeouts, max connections etc

*Identify and protect against Distributed Denial of Service (DDoS) attacks*
IOS - ACL with RFC 1918/2827/3330/3704 filtering
IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) - TCP and UDP various timeouts, max connections etc
ASA - static, nat and using MQC - TCP and UDP various timeouts, max connections etc

*Identify and protect against Man-in-the-Middle (MiM) attacks*
IOS - Authentication, VPN, 802.1x

*Identify and protect against port redirection attacks*
IOS - Auth proxy
ASA - Cut through proxy

*Identify and protect against DHCP attacks*
IOS - DHCP snooping

*Identify and protect against DNS attacks*
ASA - Checking for DNS payload size - default 512 bytes

*Identify and protect against Smurf attacks*
IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) - TCP and UDP various timeouts, max connections etc
ASA - static, nat and using MQC - TCP and UDP various timeouts, max connections etc

*Identify and protect against SYN attacks*
IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) - TCP and UDP various timeouts, max connections etc
ASA - static, nat and using MQC - TCP and UDP various timeouts, max connections etc

*Identify and protect against MAC Flooding attacks*
IOS - switch port security

*Identify and protect against VLAN hopping attacks*
IOS - Disabling a negotiate state of switchport and putting native vlan that is unused.

*Identify and protect against various Layer2 and Layer3 attacks*
IOS - L7 inspection
IOS - FPM
ASA - AIC

With regards,
Kings
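To show which IPv4 header fields the fragment, option and anti-spoofing filters listed above key on, here is an added example that is not part of the original post. The function names, the subset of filtered source ranges and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

# Source ranges an anti-spoofing ingress filter would deny: RFC 1918 private
# space plus some RFC 3330 special-use blocks (a subset chosen for this example).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]


def classify(header: bytes) -> set:
    """Return the reasons an edge filter would drop this IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return {"malformed"}
    ihl = header[0] & 0x0F                    # header length in 32-bit words
    if ihl < 5 or len(header) < ihl * 4:
        return {"malformed"}
    flags_frag = struct.unpack("!H", header[6:8])[0]
    reasons = set()
    # Low 13 bits are the fragment offset. Non-zero means a non-initial
    # fragment; an initial fragment (MF set, offset 0) is not flagged.
    if flags_frag & 0x1FFF:
        reasons.add("non-initial-fragment")
    # IHL above 5 means IP options follow the fixed 20-byte header.
    if ihl > 5:
        reasons.add("ip-options")
    src = ipaddress.ip_address(header[12:16])
    if any(src in net for net in BOGON_SOURCES):
        reasons.add("spoofed-source")
    return reasons


def build_header(src, dst, frag_offset=0, options=b""):
    """Construct a sample IPv4 header (constructed data, checksum left at 0)."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0,
                        frag_offset & 0x1FFF, 64, 6, 0,
                        ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    return fixed + options


if __name__ == "__main__":
    record_route = b"\x07\x07\x04\x00\x00\x00\x00"  # constructed option bytes
    print(classify(build_header("10.1.1.1", "203.0.113.10", 185, record_route)))
```
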
