5.1/5.2 Security concepts
- Threat (potential danger) vs vulnerability (weakness) vs exploit (the attack using it) vs mitigation (the defense).
- CIA triad: Confidentiality, Integrity, Availability. Program elements: user awareness, training, physical access control.
5.3/5.4 Device access & passwords
- "enable secret" (hashed) beats "enable password" (weak). Console + VTY line passwords; "login local" uses local usernames.
- "service password-encryption" is weak Type 7 - reversible. Password policy: length, complexity, expiry, lockout.
- MFA combines different FACTOR TYPES: something you know / have / are.
5.5 IPsec VPNs (describe only)
- Site-to-site = gateway-to-gateway, connects whole networks. Remote-access = single user/client to a gateway (often SSL/TLS).
- IPsec provides confidentiality, integrity, authentication and anti-replay.
5.6 ACLs (standard & extended)
- Standard (1–99 / 1300–1999): match SOURCE only → place NEAR the DESTINATION.
- Extended (100–199 / 2000–2699): match source + dest + protocol + port → place NEAR the SOURCE.
- Processed TOP-DOWN, first match wins; there is an implicit "deny any" at the end. Apply with "ip access-group {in|out}".
- Wildcard mask is the INVERSE of a subnet mask (0 = must match, 1 = ignore).
5.7 Layer-2 security
- Port security: limit MACs per port; "sticky" learns them. Violation modes: shutdown (default, err-disable), restrict (drop + log), protect (drop silently).
- DHCP snooping: trust uplink/server ports, distrust client ports; builds a binding table.
- Dynamic ARP Inspection (DAI) REQUIRES DHCP snooping first (uses its binding table).
5.8 AAA - RADIUS vs TACACS+
- Authentication (who are you) / Authorization (what may you do) / Accounting (what did you do).
- RADIUS vs TACACS+:

| | RADIUS | TACACS+ |
|---|---|---|
| Transport | UDP 1812/1813 | TCP 49 |
| Encrypts | password only | entire payload |
| AAA functions | combines authN+authZ | separates all three |
| Origin | open standard | Cisco |
| Use | network access / 802.1X | device administration |
5.9/5.10 Wireless security
- WPA (TKIP, deprecated) → WPA2 (AES/CCMP, 4-way handshake) → WPA3 (SAE/Dragonfly resists offline dictionary attacks).
- Personal = pre-shared key (PSK). Enterprise = 802.1X/RADIUS per-user authentication.
- GUI WLAN config (the one hands-on wireless task): create WLAN, set SSID, map to VLAN/interface, Layer-2 = WPA2 + AES + PSK, then ENABLE it.