CET2025+
Flashcards for and by Computer Engineering Technician Students

Systems Security Final Test – Modules 15-22 (10%) April 15th. Virtual Systems Administration 20% online, releases April 15 - Final assignment due April 21st ---- April 16th Systems Analysis Exam 25%, in ITE slot ---- April 17th (Earth Day) IT Essentials Exam 25% ---- April 22 Internet Programming Exam 35%

Code Snippets

Systems Security Snippets

Module 1: Securing Networks

Configure VLAN

interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 description Secure VLAN
 no shutdown

Enable SSH

crypto key generate rsa
ip ssh version 2

Set IP on Interface

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown

Show VLAN Info

show vlan brief

Module 2: Network Threats

Log DDoS Attempts

logging trap warnings
logging host 192.168.1.100

Enable Logging

logging on
logging buffered 51200 debugging

Show Logs

show logging

Set Log Timestamp

service timestamps log datetime

Module 3: Mitigating Threats

Rate-Limit Traffic

interface FastEthernet0/0
 rate-limit input 1000000 187500 375000 conform-action transmit exceed-action drop

Traffic Shaping

interface FastEthernet0/0
 traffic-shape rate 800000

Show Rate Limits

show interfaces FastEthernet0/0 rate-limit

Set Bandwidth Limit

interface FastEthernet0/0
 bandwidth 10000

Module 4: Securing Device Access

Secure Console

line console 0
 password C1sc0
 login
 exec-timeout 5 0

Secure VTY

line vty 0 4
 password C1sc0
 login

Disable Telnet

line vty 0 4
 transport input ssh

Set Banner

banner motd #Authorized Access Only#

Module 5: Assigning Administrative Roles

Set Privilege Level

username admin privilege 15 secret C1sc0
privilege exec level 15 configure terminal

Create User

username user1 privilege 5 secret MyPass

Show Privilege

show privilege

Custom Privilege

privilege exec level 5 show running-config

Module 6: Device Monitoring and Management

Enable SNMP

snmp-server community public RO
snmp-server host 192.168.1.50 public

Set SNMP Traps

snmp-server enable traps
snmp-server host 192.168.1.50 traps public

Show SNMP

show snmp

Enable NetFlow

interface FastEthernet0/0
 ip flow ingress

Module 7: Authentication, Authorization, and Accounting (AAA)

Configure AAA with RADIUS

aaa new-model
radius-server host 192.168.1.10 key R@diusKey
aaa authentication login default group radius local

TACACS+ Config

tacacs-server host 192.168.1.20 key T@cKey
aaa authentication login default group tacacs+ local

Enable Accounting

aaa accounting exec default start-stop group radius

Show AAA

show running-config | section aaa

Module 8: Access Control Lists

Allow HTTP Traffic

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 deny ip any any
interface FastEthernet0/0
 ip access-group 101 in

Deny ICMP

access-list 102 deny icmp any any
access-list 102 permit ip any any
interface FastEthernet0/0
 ip access-group 102 in

Show ACLs

show access-lists

Named ACL

ip access-list extended HTTP_ONLY
 permit tcp any any eq 80
 deny ip any any

Module 9: Firewall Technologies

Reflexive ACL

ip access-list extended OUTBOUND
 permit tcp any any eq 80 reflect WEBTRAFFIC
ip access-list extended INBOUND
 evaluate WEBTRAFFIC
interface FastEthernet0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in

Basic Firewall Rule

access-list 103 permit tcp any any eq 443
interface FastEthernet0/0
 ip access-group 103 in

Log Traffic

access-list 104 permit ip any any log
interface FastEthernet0/0
 ip access-group 104 in

Clear Logs

clear logging

Module 10: Zone-Based Policy Firewalls

Basic ZBPF Config

zone security INSIDE
zone security OUTSIDE
interface FastEthernet0/0
 zone-member security INSIDE
class-map type inspect match-all HTTP
 match protocol http
policy-map type inspect INSIDE-TO-OUTSIDE
 class HTTP
  inspect

Zone Pair

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE

Show Zones

show zone security

Drop Traffic

policy-map type inspect DROP
 class class-default
  drop

Module 11: IPS Technologies

Enable IPS

ip ips name MYIPS
ip ips signature-category
 category all
 retired false

Set IPS Signature

ip ips signature 2000:0 disable

Show IPS Config

show ip ips configuration

Update IPS

ip ips update

Module 12: IPS Operation and Implementation

Apply IPS

interface FastEthernet0/0
 ip ips MYIPS in

Show IPS Events

show ip ips events

Log IPS

ip ips notify log

Test IPS

show ip ips statistics

Module 13: Endpoint Security

Port Security

interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown

Sticky MAC

interface FastEthernet0/1
 switchport port-security mac-address sticky

Show Port Security

show port-security

Set Aging

interface FastEthernet0/1
 switchport port-security aging time 10

Module 14: Layer 2 Security Considerations

Prevent VLAN Hopping

interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10

Enable DAI

ip arp inspection vlan 10

Show DAI

show ip arp inspection

Disable Trunk

interface FastEthernet0/1
 switchport mode access

Module 15: Cryptographic Services

Generate RSA Keys

crypto key generate rsa modulus 1024

Show Keys

show crypto key mypubkey rsa

Set AES

crypto ipsec transform-set MYSET esp-aes

Remove Keys

crypto key zeroize rsa

Module 16: Basic Integrity and Authenticity

EIGRP MD5 Auth

interface FastEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MYCHAIN

Key Chain

key chain MYCHAIN
 key 1
  key-string MyKey

Show Auth

show ip eigrp neighbors

Enable MD5

interface FastEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 MyKey

Module 17: Public Key Cryptography

Configure SSH with RSA

ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2

Show SSH

show ip ssh

Import Cert

crypto pki import MYCERT certificate

Set SSH Timeout

ip ssh time-out 60

Module 18: VPNs

IPsec VPN Setup

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
crypto isakmp key MySecretKey address 203.0.113.2

Show VPN

show crypto isakmp sa

Set Transform

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac

Enable NAT-T

crypto isakmp nat-traversal

Module 19: Implement Site-to-Site IPsec VPNs

Site-to-Site VPN

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set MYSET
 match address 110

Apply Crypto Map

interface FastEthernet0/0
 crypto map MYMAP

Show IPsec SA

show crypto ipsec sa

Set ACL

access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255

Module 20: Introduction to the ASA

ASA Interface Config

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.1 255.255.255.0

Set Hostname

hostname ASA1

Show Mode

show running-config | include mode

Enable Multi-Context

mode multiple

Module 21: ASA Firewall Configuration

ASA NAT Config

object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface

ACL on ASA

access-list OUTSIDE_IN extended permit tcp any any eq 80
access-group OUTSIDE_IN in interface OUTSIDE

Show NAT

show nat

Set Security Level

interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100

Module 22: Network Security Testing

Enable Logging

logging enable
logging timestamp
logging buffered debugging

Nmap Scan

nmap -sS 192.168.1.0/24

Wireshark Capture

wireshark -i eth0 -f "tcp port 80"

Show Logs

show logging
