For more information on Security, visit our Security Reference Guide or sign up for our Security Newsletter
Exam Topics in This Chapter
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access Control System Plus (TACACS+)
- Advanced Encryption Standard (AES)
- EAP, PEAP, TKIP, TLS
- Data Encryption Standard (DES)
- Triple DES (3DES)
- IP Security (IPSec)
- Internet Key Exchange (IKE)
- Certificate Enrollment Protocol (CEP)
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
You can find a list of all of the exam topics in the introduction to this book. For the latest updates on exam topics, visit Cisco.com.
This chapter covers some of today's most widely used technologies that enable network administrators to ensure that sensitive data is secure from unauthorized sources.
Standards such as IP Security (IPSec) and encryption standards are covered, as are all the fundamental foundation topics you need to understand to master the topics covered in the CCIE Security written exam.
The chapter ends with a discussion of some of the security features used in wireless networking to improve security. Protocols such as Extensible Authentication Protocol (EAP), Protected Extensible Authentication Protocol (PEAP), Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC), and Transport Layer Security (TLS) are discussed, all of which are newly defined protocols used to help secure vulnerable wireless networks.
This chapter covers the following topics:
- Security protocol topics— Sections are included for authentication, authorization, and accounting (AAA), RADIUS, and TACACS+.
- Encryption Technology Overview— Covers encrypting IP using standard encryption such as 3DES, AES, and IPSec. The mechanism used to authenticate encryption tunnels is also covered.
- Certificate Enrollment Protocol— Describes the Cisco-defined certificate management protocol, CEP, and how a device communicates with a Certificate Authority (CA).
- EAP, PEAP, and TKIP— Shows common new mechanisms used in the fight to keep intruders and hackers away from wireless networks.
"Do I Know This Already?" Quiz
The purpose of this assessment quiz is to help you determine how to spend your limited study time.
If you can answer most or all of these questions, you might want to skim the "Foundation Topics" section and return to it later, as necessary. Review the "Foundation Summary" section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered.
If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. If you find these assessment questions difficult, read through the entire "Foundation Topics" section and review it until you feel comfortable with your ability to answer all of these questions and the "Q & A" questions at the end of the chapter.
Answers to these questions can be found in Appendix A, "Answers to Quiz Questions."
- What are the three components of AAA? (Choose the three best answers.)
- Accounting
- Authorization
- Adapting
- Authentication
- What Cisco IOS command must be issued to start AAA on a Cisco router?
- aaa old-model
- aaa model
- aaa new model
- aaa new-model
- aaa new_model
- What mathematical algorithm initiates an encrypted session between two routers by exchanging public keys over an insecure medium such as the Internet?
- Routing algorithm
- Diffie-Hellman algorithm
- The switching engine
- The stac compression algorithm
- Can you configure RADIUS and TACACS+ to be used on the same router?
- No.
- Yes, provided you have the same lists names applied to the same interfaces.
- Yes, provided you have the different lists names applied to the same interfaces.
- Yes, provided you have the different list names applied to different interfaces.
- How do you remotely launch ACS to a Windows 2000 device? (The remote IP address is 10.1.1.1 and the client is Internet Explorer.)
- Type launch.
- Type 10.1.1.1.
- Type 10.1.1.1:2002.
- Type 10.1.1.1:8080.
- What RADIUS attribute is used by vendors and not predefined by RFC 2138?
- 1
- 2
- 3
- 4
- 13
- 26
- 333
- 33
- RADIUS can support which of the following protocols?
- PPP
- OSPF
- AppleTalk
- IPX
- NLSP
- When a RADIUS server identifies the wrong password entered by the remote user, what packet type is sent?
- ACCEPT-USER
- REJECT-USERS
- REJECT-DENY
- REJECT-ACCEPT
- REJECT-ERROR
- ACCESS-REJECT
- Identify the false statement about RADIUS.
- RADIUS is a defined standard in RFC 2138/2139.
- RADIUS runs over TCP port 1812.
- RADIUS runs over UDP port 1812.
- RADIUS accounting information runs over port 1646.
- What is the RADIUS key for the following configuration? If this configuration is not valid, why isn't it? (Assume that this configuration is pasted into Notepad and not on an active router.)
aaa authentication login use-radius group radius local aaa authentication ppp user-radius if-needed group radius aaa authorization exec default group radius aaa authorization network default group radius radius-server 3.3.3.3 radius-server key IlovemyMum
- The RADIUS key is IlovemyMum, and it is a valid configuration.
- The RADIUS key is Ilovemymum, and it is a valid configuration.
- This configuration will not work because the command aaa new-model is missing.
- The RADIUS key is 3.3.3.3, and it is a valid configuration.
- What is the RADIUS key for the following configuration?
aaa new-model aaa authentication login use-radius group radius local aaa authentication ppp user-radius if-needed group radius aaa authorization exec default group radius aaa authorization network default group radius radius-server 3.3.3.3 radius-server key IlovemyMum
- The RADIUS key is IlovemyMum.
- The RADIUS key is Ilovemymum.
- No RADIUS key exists.
- The RADIUS key is 3.3.3.3.
- What versions of TACACS does Cisco IOS support? (Select the best three answers.)
- TACACS+
- TACACS
- Extended TACACS
- Extended TACACS+
- TACACS+ is transported over which TCP port number?
- 520
- 23
- 21
- 20
- 49
- What is the predefined RADIUS server key for the following configuration?
radius-server host 3.3.3.3 radius-server key CCIEsrock
- 3.3.3.3
- Not enough data
- CCIESROCK
- CCIEsRock
- CCIEsrock
- What does the following command accomplish?
tacacs_server host 3.3.3.3
- Defines the remote TACACS+ server as 3.3.3.3
- Defines the remote RADIUS server as 3.3.3.3
- Nothing, because it is not a valid IOS command
- Configures a Radius server 3.3.3.3
- An Invalid IOS command
- Which of the following protocols does TACACS+ support?
- PPP
- AppleTalk
- NetBIOS
- All of these
- Which of the following key lengths are not supported by AES?
- 64
- 128
- 192
- 256
- 512
- What is the number of bits used with a standard DES encryption key?
- 56 bits
- 32 bits; same as IP address
- 128 bits
- 256 bits
- 65,535 bits
- 168 bits
- What is the number of bits used with a 3DES encryption key?
- 56 bits
- 32 bits; same as IP address
- 128 bits
- 256 bits
- 65,535 bits
- 168 bits
- In IPSec, what encapsulation protocol encrypts only the data and not the IP header?
- ESP
- AH
- MD5
- HASH
- In IPSec, what encapsulation protocol encrypts the entire IP packet?
- ESH
- ESP
- AH
- MD5
- HASH
- Which of the following is AH's IP number?
- 23
- 21
- 50
- 51
- 500
- 444
- Which of the following is ESP's IP number?
- 23
- 21
- 50
- 51
- 500
- 444
- Which of the following is not part of IKE phase I negotiations?
- Authenticating IPSec peers
- Exchanging keys
- Establishing IKE security
- Negotiating SA parameters
- Which of the following is not part of IKE phase II?
- Negotiating IPSec SA parameters
- Periodically updating IPSec SAs
- Occasionally updating SAs (at most, once a day)
- Establishing IPSec security parameters
- Which is the fastest mode in IPSec?
- Main mode
- Fast mode
- Aggressive mode
- Quick mode
- Certificate Enrollment Protocol (CEP) runs over what TCP port number? (Choose the best two answers.)
- Same as HTTP
- Port 80
- Port 50
- Port 51
- Port 333
- Port 444
- Which of the following are new features aimed at increasing wireless security? (Choose the best four answers.)
- TKIP
- AES
- EAP
- PEAP
- MIC
- 802.1D
- ESP
- AH