Resending...

The Advanced Security and Identify and Mitigate Network Attacks are two sections of CCIE Security that really test our knowledge. You have to apply the solutions that you have learnt.

I thought this may be worthwhile to discuss, as there are no specific references for these two sections.

I am waiting for inputs :-)

With regards
Kings

On Wed, Apr 28, 2010 at 7:35 PM, Kingsley Charles <[email protected]> wrote:

> Hi all
>
> I am sending out the solutions for Section 8 - *Identify and Mitigate Network Attacks*. Please add to/correct it.
>
> *Identify and Mitigate Network Attacks*
>
> *Identify and protect against fragmentation attacks*
>
> IOS - Using deny ACLs to block packets with non-zero offset with "fragment" keyword.
> ASA - Using the fragment command with "fragment chain 1"
>
> *Identify and protect against malicious IP option usage*
>
> IOS - Using "ip options" command
> IOS - Using deny ACL to block packets with options using "option" keyword.
>
> *Identify and protect against network reconnaissance attacks*
>
> IOS - Using ACLs.
> IOS - Disabling unused services like finger, dhcp, tcp/udp server etc.
>
> *Identify and protect against IP spoofing attacks*
>
> IOS - Using ACLs denying RFC 3330/1918/2827/3704
> IOS - Using uRPF
>
> *Identify and protect against MAC spoofing attacks*
>
> IOS - DHCP snooping
> IOS - switch port security
>
> *Identify and protect against ARP spoofing attacks*
>
> IOS - Using DAI with DHCP snooping or static binding
> IOS - Using vlan filter and blocking ethertype of 0x0806
>
> *Identify and protect against Denial of Service (DoS) attacks*
>
> IOS - ACL with RFC 1918/2827/3330/3704 filtering
> IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) - TCP and UDP various timeouts, max connections etc
> ASA - static, nat and using MQC - TCP and UDP various timeouts, max connections etc
>
> *Identify and protect against Distributed Denial of Service (DDoS) attacks*
>
> IOS - ACL with RFC 1918/2827/3330/3704 filtering
> IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) - TCP and UDP various timeouts, max connections etc
> ASA - static, nat and using MQC - TCP and UDP various timeouts, max connections etc
>
> *Identify and protect against Man-in-the-Middle (MiM) attacks*
>
> IOS - Authentication, VPN, 802.1x
>
> *Identify and protect against port redirection attacks*
>
> IOS - Auth proxy
> ASA - Cut through proxy
>
> *Identify and protect against DHCP attacks*
>
> IOS - DHCP snooping
>
> *Identify and protect against DNS attacks*
>
> ASA - Checking for DNS payload size - default 512 bytes
>
> *Identify and protect against Smurf attacks*
>
> IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) - TCP and UDP various timeouts, max connections etc
> ASA - static, nat and using MQC - TCP and UDP various timeouts, max connections etc
>
> *Identify and protect against SYN attacks*
>
> IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) - TCP and UDP various timeouts, max connections etc
> ASA - static, nat and using MQC - TCP and UDP various timeouts, max connections etc
>
> *Identify and protect against MAC Flooding attacks*
>
> IOS - switch port security
>
> *Identify and protect against VLAN hopping attacks*
>
> IOS - Disabling a negotiate state of switchport and putting native vlan that is unused.
>
> *Identify and protect against various Layer2 and Layer3 attacks*
>
> IOS - L7 inspection
> IOS - FPM
> ASA - AIC
>
> With regards
> Kings
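The header fields behind three of the IOS ACL checks in the quoted list (non-zero fragment offset, IP options present, RFC 1918/3330 source address), as an added example that is not part of the original e-mail. The function names, the trimmed prefix list and the sample headers are constructed for illustration.

```python
import ipaddress
import struct

# Trimmed set of RFC 1918 / RFC 3330 ranges that should never appear as a
# source on an Internet-facing interface (constructed list, not exhaustive).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]
IPV4_FIXED = "!BBHHHBBH4s4s"  # the 20-byte fixed IPv4 header


def inspect_ipv4(header: bytes) -> list:
    """Return the reasons an ingress filter would drop this IPv4 header."""
    if len(header) < 20:
        return ["truncated header"]
    ver_ihl, _, _, _, flags_frag, _, _, _, src, _ = struct.unpack(
        IPV4_FIXED, header[:20])
    ihl = ver_ihl & 0x0F
    if ver_ihl >> 4 != 4 or ihl < 5 or len(header) < ihl * 4:
        return ["malformed header"]
    reasons = []
    # Low 13 bits are the fragment offset; an initial fragment (offset 0,
    # MF set) is not matched, same as the "non-zero offset" ACL entry.
    if flags_frag & 0x1FFF:
        reasons.append("non-initial fragment")
    # IHL above 5 words means option bytes follow the fixed header.
    if ihl > 5:
        reasons.append("ip options present")
    if any(ipaddress.ip_address(src) in net for net in BOGON_SOURCES):
        reasons.append("bogon source")
    return reasons


def build_header(src, dst, frag_offset=0, options=b""):
    """Build a constructed sample header (checksum left at zero)."""
    ihl = 5 + len(options) // 4
    return struct.pack(
        IPV4_FIXED, (4 << 4) | ihl, 0, ihl * 4, 1, frag_offset & 0x1FFF,
        64, 6, 0, ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed) + options


if __name__ == "__main__":
    router_alert = b"\x94\x04\x00\x00"  # constructed 4-byte IP option
    for pkt in (build_header("198.51.100.7", "203.0.113.10"),
                build_header("10.1.1.1", "203.0.113.10", 185, router_alert)):
        print(inspect_ipv4(pkt) or "permit")
```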
