CCNA – The Security Threat Landscape

The Security Threat Landscape

These are my general security notes as I have been preparing for the CCNA exam. Notes on Port Security, DHCP Snooping, and Dynamic ARP Inspection are coming in the next couple of days. 🙂 As always, hit me up on LinkedIn if you want to connect and chat, always love meeting new people. Feel free to comment if I missed something.

  • Threat: has the potential to cause harm to an IT asset.
  • Vulnerability: a weakness that compromises the security or functionality of a system or the integrity of data.
  • Exploit: uses a weakness to compromise the security or functionality of a system.
  • Threat: the likelihood of an attacker successfully using an exploit.
  • Mitigation: techniques to eliminate or reduce the potential of and seriousness of an attack.
  • Malware: is malicious software, including:
    • Viruses: software which inserts itself into other software and can spread from computer to computer. Requires human action to spread.
    • Worms: a self-propagating virus that can replicate itself.
    • Trojan horses: malicious software which looks legitimate to trick humans into triggering it. Often installs back doors.
    • Ransomware: encrypts data with the attacker's key and asks the victim to pay a ransom to obtain the key.

Common Attacks

  • TCP SYN Flood Attack.
  • DDoS: a distributed denial of service.
  • Reflection and Amplification Attack.
  • Man In The Middle Attacks such as ARP spoofing.
  • Password Attacks.
  • Malware.

| Attack | Counter Measures |
| --- | --- |
| VLAN Hopping | Static access ports, disabling of DTP, avoidance of trunk native VLAN on access ports. |
| STP Spoofing | BPDU Guard/Root Guard |
| CAM/MAC Spoofing | Port Security (MAC LIMIT) |
| ARP Spoofing | ARP inspection |
| DHCP Starvation | Port Security |
| DHCP Server Spoofing | DHCP snooping |
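
An added example (not part of the original notes): a Python check that reads a switch configuration and reports which counter measures from the table above are missing, globally and per access port. The sample configuration is constructed, and the mapping from each counter measure to an IOS command is this example's assumption; the native VLAN item is not checked.

```python
# Counter measure from the table -> IOS command that must be present (assumed mapping).
PORT_CHECKS = {
    "VLAN hopping: static access port": "switchport mode access",
    "VLAN hopping: DTP disabled": "switchport nonegotiate",
    "STP spoofing: BPDU Guard": "spanning-tree bpduguard enable",
    "CAM/MAC spoofing, DHCP starvation: port security": "switchport port-security",
}
GLOBAL_CHECKS = {
    "DHCP server spoofing: DHCP snooping": "ip dhcp snooping vlan",
    "ARP spoofing: ARP inspection": "ip arp inspection vlan",
}

def missing_countermeasures(text):
    """Return {"global" or interface name: [counter measures not configured]}."""
    global_lines, ports, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = ports.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        elif raw.strip() not in ("", "!"):
            current = None
            global_lines.append(raw.strip())
    report = {"global": [n for n, cmd in GLOBAL_CHECKS.items()
                         if not any(g.startswith(cmd) for g in global_lines)]}
    for name, cmds in ports.items():
        if "switchport mode trunk" in cmds:
            continue  # trunk uplinks are outside this access-port check
        # Exact match: "switchport port-security maximum 2" alone does not
        # enable port security; the bare command must be present too.
        report[name] = [n for n, cmd in PORT_CHECKS.items() if cmd not in cmds]
    return {k: v for k, v in report.items() if v}

# Constructed sample configuration for illustration.
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
interface GigabitEthernet0/2
 switchport port-security maximum 2
interface GigabitEthernet0/24
 switchport mode trunk
"""
```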

Common Social Engineering Attacks

| Attack Type | Goal |
| --- | --- |
| Social Engineering | Exploits human trust and social behavior. |
| Phishing | Disguises a malicious invitation as something legitimate. |
| Spear phishing | Targets group of similar users. |
| Whaling | Targets high-profile individuals. |
| Vishing | Uses voice calls. |
| Smishing | Uses SMS text messages. |
| Pharming | Uses legitimate services to send users to a compromised site. |
| Watering hole | Targets specific victims who visit a compromised site. |

Firewalls and IDS/IPS

  • IDS: Intrusion detection system.
  • IPS: Intrusion prevention system.
  • IDS and IPS use signatures to inspect packets up to layer 7 of the OSI stack, looking for traffic patterns which match known attacks.
  • They can also use anomaly-based inspection to look for unusual behaviour, such as a host sending more traffic than usual.
  • They require skilled staff to tune the IPS to their own particular environment and minimize false positives and negatives.
  • IDS sits alongside the traffic flow and informs security administrators of any potential concerns.
  • IPS sits inline with the traffic flow and can also block attacks.
  • An IDS may also have the capability to tell a firewall to block attacks.

Firewalls vs Packet Filters

  • Firewalls secure traffic passing through them by either permitting or denying it.
  • Stateful firewalls maintain a connection table which tracks the two-way 'state' of traffic passing through the firewall.
  • Return traffic is permitted by default.
  • Firewall rules example:
    • Deny all traffic from outside to inside.
    • Permit outbound web traffic from 10.10.10.0/24.
  • Next Generation Firewalls move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and user based security.
  • Deep packet inspection analyses packets up to layer 7 of the OSI stack.
  • Different permissions can be applied to different users.
  • The Cisco ASA with FirePower is a Next Generation Firewall.
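
The two example rules and the connection table from the list above, as an added example that is not from the original notes: a stateful firewall permits the reply to a web request opened from the inside, while a stateless packet filter holding the same rules drops it. Assumptions: "web traffic" means TCP ports 80 and 443, the packets are constructed, and connection teardown and timeouts are not modelled.

```python
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")  # subnet from the rule example
WEB_PORTS = {80, 443}  # assumption: "web traffic" means TCP 80 and 443

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    from_outside: bool  # True when the packet arrives on the outside interface

def outbound_web_allowed(pkt):
    """Rule: permit outbound web traffic from 10.10.10.0/24."""
    return (not pkt.from_outside
            and ipaddress.ip_address(pkt.src) in INSIDE_NET
            and pkt.dport in WEB_PORTS)

class PacketFilter:
    """Stateless: each packet is judged against the rules on its own."""
    def check(self, pkt):
        return "permit" if outbound_web_allowed(pkt) else "deny"

class StatefulFirewall:
    """Same rules, plus a connection table of flows opened from the inside."""
    def __init__(self):
        self.connections = set()

    def check(self, pkt):
        if outbound_web_allowed(pkt):
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        # Return traffic: the mirror image of a tracked flow is permitted.
        mirrored = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.from_outside and mirrored in self.connections:
            return "permit"
        return "deny"  # includes the rule: deny all traffic from outside to inside

if __name__ == "__main__":
    # Constructed packets; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    request = Packet("10.10.10.5", 50000, "203.0.113.10", 443, False)
    reply = Packet("203.0.113.10", 443, "10.10.10.5", 50000, True)
    probe = Packet("198.51.100.7", 443, "10.10.10.5", 50000, True)
    fw, pf = StatefulFirewall(), PacketFilter()
    print(fw.check(request), fw.check(reply), fw.check(probe), pf.check(reply))
```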

Cryptography

  • Cryptography provides these services to data:
    • Authenticity (proof of source).
    • Confidentiality (privacy and secrecy).
    • Integrity (has not changed in transit).
    • Non-repudiation (non-deniability).

Symmetric Encryption

  • With symmetric encryption, the same shared key both encrypts and decrypts the data.
  • The shared key is known by both the sender and receiver and must be kept secret.
  • Fast.
  • Used for large transmissions (e.g., email, secure web traffic, IPsec).
  • Algorithms include DES, 3DES, AES, SEAL.

Asymmetric Encryption

  • Asymmetric encryption uses private and public key pairs.
  • Data encrypted with the public key can only be decrypted with the private key, and vice versa.
  • Data encrypted with the public key cannot be decrypted with the public key.
  • Only the private key must be kept secret.
  • The public key can be available in the public domain.
  • It's slow.
  • Used for small transmissions (symmetric key exchange, digital signatures).
  • Algorithms include: RSA, ECDSA.

Transport Layer Security TLS

  • SSL: Secure Socket Layer (Deprecated).
  • TLS: Transport Layer Security (successor to SSL).
  • Can be used to provide secure web browsing with HTTP (can also be used with other applications such as email).
  • Uses symmetric cryptography to encrypt transmitted data.
  • Symmetric keys are generated uniquely for each connection.
  • Authentication is provided by public key cryptography.
  • Message Authentication Code provides integrity.

The numbers before the passwd in the config file?

Type 0: the password is clear text.
Type 7: originally a type 0 password, created by enable password, that has been encrypted using the service password-encryption command.
Type 5: hashed using MD5.
Types 4 and 8: PBKDF2.
Type 9: uses the scrypt algorithm.
Here are a few commands and encoding types for the enable secret command.

| Command | Type | Algorithm |
| --- | --- | --- |
| enable [algorithm-type md5] secret password | 5 | MD5 |
| enable algorithm-type sha256 secret password | 8 | SHA-256 |
| enable algorithm-type scrypt secret password | 9 | SHA-256 |
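
An added example (not Cisco tooling and not from the original notes) that reads the type number in front of each password or secret in a configuration and labels it using the type list above. The sample configuration and its credential values are constructed placeholders, and flagging types 0, 7, 5 and 4 for replacement is this example's own policy.

```python
import re

# Type numbers and descriptions follow the notes above. The second field is
# this example's policy (assumption): True means "replace with type 8 or 9".
PASSWORD_TYPES = {
    0: ("clear text", True),
    7: ("encrypted by service password-encryption", True),
    5: ("MD5", True),
    4: ("PBKDF2", True),
    8: ("PBKDF2", False),
    9: ("scrypt", False),
}

# Matches "... password|secret [type] value" at the end of a config line.
CRED_RE = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")

def audit_passwords(config_text):
    """Return (line_no, type, description, needs_replacing) per credential line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = CRED_RE.search(line)
        if not match:
            continue
        # No digit before the value means the password is stored as type 0.
        ptype = int(match.group(2)) if match.group(2) else 0
        desc, replace = PASSWORD_TYPES.get(ptype, ("unknown type", True))
        findings.append((line_no, ptype, desc, replace))
    return findings

# Constructed sample configuration; every credential value is a placeholder.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 9 $9$CONSTRUCTED-PLACEHOLDER
enable password 7 CONSTRUCTEDPLACEHOLDER
username admin privilege 15 secret 8 $8$CONSTRUCTED-PLACEHOLDER
username legacy secret 5 $1$CONSTRUCTED-PLACEHOLDER
username helpdesk password PlaceholderClearText
line vty 0 4
 password 7 CONSTRUCTEDPLACEHOLDER
"""

if __name__ == "__main__":
    for line_no, ptype, desc, replace in audit_passwords(SAMPLE_CONFIG):
        verdict = "REPLACE" if replace else "ok"
        print(f"line {line_no}: type {ptype} ({desc}) -> {verdict}")
```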

Controlling and Monitoring User Access (AAA)

  • An AAA server is, for example, Cisco's ISE platform or Microsoft's Active Directory. AAA servers usually support the following two protocols to communicate with enterprise resources.
    • TACACS+: A Cisco proprietary protocol that separates each of the AAA functions. Communication is secure and encrypted over TCP port 49.
    • RADIUS: A standards-based protocol that combines authentication and authorization into a single resource. Communication uses UDP ports 1812 and 1813 (accounting) but is not completely encrypted.
  • Authentication: Who is the user?
  • Authorization: What is the user allowed to do?
  • Accounting: What did the user do?

Final thoughts

This information is gathered from Cisco Press and other places. I hope it served as a general introduction or a refresher on the topic. The security threat landscape is always shifting and that can either be draining or exciting; it all depends on our perspective. I like to look at it as exciting and an ongoing opportunity for development instead of settling or feeling content with what I know today. Cybersecurity is a growing industry that needs more skilled people. If you are interested in IT but haven't decided which path to pursue, I suggest you take a look at it. If you missed my blog about access control lists, check it out here.
