I took a stab at these...

*Identify and Mitigate Network Attacks*

*Identify and protect against fragmentation attacks*
your solutions are correct but be sure to understand how to apply these solutions to control and data planes as needed

*Identify and protect against malicious IP option usage*
There is only one type of ACL that takes the "options" keyword so make sure you are aware of it

*Identify and protect against network reconnaissance attacks*
looks good

*Identify and protect against IP spoofing attacks*
also looks good

*Identify and protect against MAC spoofing attacks*
looks good
*IOS - switch port security* know the modes for this, very important

*Identify and protect against ARP spoofing attacks*
make sure you know how you apply DAI including DAI in a non-DHCP environment. Special care needs to be taken.

*Identify and protect against Denial of Service (DoS) attacks*
CBAC/ZBF will also do this

*Identify and protect against Distributed Denial of Service (DDoS) attacks*
CBAC/ZBF again

*Identify and protect against Man-in-the-Middle (MiM) attacks*
DAI for this

*Identify and protect against port redirection attacks*
looks good

*Identify and protect against DHCP attacks*
looks good - make sure you know how to apply this as testing in the lab will be difficult

*Identify and protect against DNS attacks*
ZBF and CBAC also have special DNS inspection configurations

*Identify and protect against Smurf attacks*
use the interface command "no ip directed-broadcast"

*Identify and protect against SYN attacks*
CBAC also

*Identify and protect against MAC Flooding attacks*
correct

*Identify and protect against VLAN hopping attacks*
correct

*Identify and protect against various Layer2 and Layer3 attacks*
VACL, port access-group, mac access-list

On Fri, Apr 30, 2010 at 2:51 AM, Kingsley Charles <[email protected]> wrote:
> Resending....
>
> The Advanced Security and Identify and Mitigate Network Attacks are two
> sections of CCIE Security that really test our knowledge. You have to apply
> the solutions that you have learnt.
>
> Thought maybe this is worthwhile to be discussed as there are no specific
> references for these two sections.
>
> I am waiting for inputs :-)
>
> With regards
> Kings
>
> On Wed, Apr 28, 2010 at 7:35 PM, Kingsley Charles <[email protected]> wrote:
>
>> Hi all
>>
>> I am sending out the solutions for the Section 8 - *Identify and Mitigate
>> Network Attacks.* Please add/correct it.
>>
>> *Identify and Mitigate Network Attacks*
>>
>> *Identify and protect against fragmentation attacks*
>>
>> IOS - Using deny ACLs to block packets with non-zero offset with the
>> "fragment" keyword.
>> ASA - Use of the fragment command with "fragment chain 1"
>>
>> *Identify and protect against malicious IP option usage*
>>
>> IOS - Using the "ip options" command
>> IOS - Using a deny ACL to block packets with options using the "option" keyword.
>>
>> *Identify and protect against network reconnaissance attacks*
>>
>> IOS - Using ACLs.
>> IOS - Disabling unused services like finger, dhcp, tcp/udp server etc.
>>
>> *Identify and protect against IP spoofing attacks*
>>
>> IOS - Using ACLs denying RFC 3330/1918/2827/3704
>> IOS - Using uRPF
>>
>> *Identify and protect against MAC spoofing attacks*
>>
>> IOS - DHCP snooping
>> IOS - switch port security
>>
>> *Identify and protect against ARP spoofing attacks*
>>
>> IOS - Using DAI with DHCP snooping or static binding
>> IOS - Using vlan filter and blocking ethertype 0x0806
>>
>> *Identify and protect against Denial of Service (DoS) attacks*
>>
>> IOS - ACL with RFC 1918/2827/3330/3704 filtering
>> IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) -
>> TCP and UDP various timeouts, max connections etc
>> ASA - static, nat and using MQC - TCP and UDP various timeouts, max
>> connections etc
>>
>> *Identify and protect against Distributed Denial of Service (DDoS) attacks*
>>
>> IOS - ACL with RFC 1918/2827/3330/3704 filtering
>> IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) -
>> TCP and UDP various timeouts, max connections etc
>> ASA - static, nat and using MQC - TCP and UDP various timeouts, max
>> connections etc
>>
>> *Identify and protect against Man-in-the-Middle (MiM) attacks*
>>
>> IOS - Authentication, VPN, 802.1x
>>
>> *Identify and protect against port redirection attacks*
>>
>> IOS - Auth proxy
>> ASA - Cut-through proxy
>>
>> *Identify and protect against DHCP attacks*
>>
>> IOS - DHCP snooping
>>
>> *Identify and protect against DNS attacks*
>>
>> ASA - Checking for DNS payload size - default 512 bytes
>>
>> *Identify and protect against Smurf attacks*
>>
>> IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) -
>> TCP and UDP various timeouts, max connections etc
>> ASA - static, nat and using MQC - TCP and UDP various timeouts, max
>> connections etc
>>
>> *Identify and protect against SYN attacks*
>>
>> IOS - TCP intercept, inspect fine tuning, ZBF parameter map (type info) -
>> TCP and UDP various timeouts, max connections etc
>> ASA - static, nat and using MQC - TCP and UDP various timeouts, max
>> connections etc
>>
>> *Identify and protect against MAC Flooding attacks*
>>
>> IOS - switch port security
>>
>> *Identify and protect against VLAN hopping attacks*
>>
>> IOS - Disabling the negotiate state of the switchport and using a native
>> VLAN that is unused.
>>
>> *Identify and protect against various Layer2 and Layer3 attacks*
>>
>> IOS - L7 inspection
>> IOS - FPM
>> ASA - AIC
>>
>> With regards
>> Kings
>>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
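The following IOS router configuration is an added example illustrating the Layer 3 items the reply comments on (fragment and option filtering in a named extended ACL, the global "ip options" command, RFC 1918/2827 spoofing filters, uRPF, "no ip directed-broadcast" and TCP intercept). It is not from the thread or from either poster; the interface names, addresses and the 203.0.113.0/24 "inside" prefix are constructed for illustration, and the thresholds are arbitrary values to be tuned to the network.

```cisco
! Added example, not from the thread. Interface names, addresses and
! thresholds are constructed.
!
! Malicious IP options: drop every packet that carries IP options
! (router-wide, independent of any ACL)
ip options drop
!
! Named extended ACL - this is the ACL type that accepts the "fragments"
! and "option" keywords
ip access-list extended EDGE-IN
 ! Fragmentation attacks: drop non-initial fragments (non-zero offset),
 ! which carry no Layer 4 header an ACL could otherwise inspect
 deny   ip any any fragments
 ! Malicious IP options (source routing, record route, ...): drop
 deny   ip any any option any-options
 ! IP spoofing: RFC 1918 / RFC 3330 space must never arrive from outside
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 ! RFC 2827: our own inside prefix must not arrive from outside either
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description OUTSIDE (constructed)
 ip address 198.51.100.2 255.255.255.252
 ip access-group EDGE-IN in
 ! RFC 3704: strict uRPF - source must be reachable back through this
 ! interface, so spoofed inside addresses from outside are dropped
 ip verify unicast source reachable-via rx
 ! Smurf: do not forward directed broadcasts onto any LAN
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 description INSIDE (constructed)
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
!
! SYN attacks: TCP intercept completes the handshake on behalf of inside
! servers and only hands over connections that were actually completed
access-list 101 permit tcp any 203.0.113.0 0.0.0.255
ip tcp intercept list 101
ip tcp intercept mode intercept
! Aggressive mode kicks in above 1000 half-open connections, ends below 800
ip tcp intercept max-incomplete high 1000
ip tcp intercept max-incomplete low 800
```

The ACL deliberately puts the "fragments" line first: without it, a non-initial fragment would be matched by later port-based entries as if it had no Layer 4 header and could be permitted through. "ip verify unicast source reachable-via rx" is the strict form; on a multihomed edge with asymmetric routing the loose form ("reachable-via any") avoids dropping legitimate traffic. Verify with "show ip access-lists EDGE-IN", "show ip interface GigabitEthernet0/0" (uRPF drop counters) and "show tcp intercept statistics".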
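The following IOS switch configuration is an added example for the Layer 2 items the reply stresses: port security and its violation modes, DHCP snooping, DAI with a static ARP ACL for a non-DHCP host, and the VLAN hopping mitigations (no trunk negotiation, unused native VLAN). It is not from the thread or from either poster; VLAN numbers, port names, IP addresses and MAC addresses are constructed for illustration.

```cisco
! Added example, not from the thread. VLANs, ports, IPs and MACs are
! constructed.
!
! DHCP attacks: snooping drops DHCP server replies on untrusted ports and
! builds the IP/MAC/port binding table that DAI relies on
ip dhcp snooping
ip dhcp snooping vlan 10
!
! ARP spoofing / MiM: DAI checks every ARP on untrusted ports against the
! snooping bindings and drops replies whose IP/MAC pair is not bound
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! DAI in a non-DHCP environment: statically addressed hosts never appear in
! the snooping table, so without an ARP ACL all their ARPs would be dropped.
! The "static" keyword makes the ACL authoritative (no fallback to snooping
! bindings), so every static host in the VLAN must be listed here.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0000.1111.2222
 permit ip host 10.10.10.51 mac host 0000.1111.3333
ip arp inspection filter STATIC-HOSTS vlan 10 static
!
! Uplink toward the DHCP server and other switches: trusted for both
! features, otherwise legitimate DHCP offers and ARP replies are dropped
interface GigabitEthernet0/1
 description UPLINK (constructed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! VLAN hopping: no DTP, and a native VLAN nothing is assigned to, so a
 ! double-tagged frame cannot be stripped into VLAN 10
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access port: port security (MAC spoofing / MAC flooding) plus DTP off
interface FastEthernet0/5
 description USER PORT (constructed)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 ! MAC flooding: at most two MACs learned, learned ones written to config
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! Violation modes: protect  - drop offending frames silently
 !                  restrict - drop, count, syslog/SNMP trap
 !                  shutdown - err-disable the port (the default)
 switchport port-security violation restrict
 ! Rate-limit DHCP on the user port so a client cannot flood the snooping
 ! process; exceeding the limit err-disables the port
 ip dhcp snooping limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Verify with "show ip dhcp snooping binding" (the table DAI consults), "show ip arp inspection vlan 10" and "show ip arp inspection statistics" (DAI drop counters per VLAN), and "show port-security interface FastEthernet0/5" (violation count and mode). Because "restrict" keeps the port up, its violations show up only in the counters and syslog, which is what you want to watch in a lab where a "shutdown" violation would otherwise take the port offline mid-test.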
