Thursday, February 13, 2014

Clarifying Key CISSP Domain Terms - Risk Acceptance Criteria, Risk Mitigation and Risk Transference


Risk acceptance criteria
Risks with low likelihood and small impact can be accepted in a risk assessment; risks with high frequency and a wide impact cannot. In some cases, such as data protection required by law or regulation, or anything that endangers human life or safety, accepting the risk is simply not an option.

Risk mitigation
Mitigating a risk means reducing it to an acceptable level. In the laptop encryption case, addressing the annualized expected loss with encryption is an example of risk mitigation. The loss of personal data on a stolen laptop is mitigated by encrypting the data; the risk is not eliminated entirely (a weak password or exposed personal data remain possible), but it has been reduced to an acceptable level.

In some cases a risk can be removed completely; this is called risk elimination.

Risk transference
Risk transference is the "insurance model". Just as most people do not carry the risk of their house burning down themselves but leave it to an insurance company, the insurer has experts doing the risk analysis; buying risk is their business. If the average annual monetary risk of fire is $500,000 per 1,000 houses ($500/house) and they sell fire policies to those 1,000 houses at $600/year, they make a 20% profit. That assumes, of course, that they have assessed the risk correctly.

On the AP not finding the TFTP server during initialization for an IOS upgrade/downgrade


Yesterday the AP initialization problem occurred both at Nike and in the company environment. Below is the fix for the case where you hold the AP's Reset button at boot to restore the default IP 10.0.0.1, yet the AP still cannot reach a TFTP server on the same subnet.

The following lines are the key commands to enter on the AP; refer to them:
debug capwap console client
debug capwap client no-reload

archive download-sw /overwrite tftp://10.66.74.250/ap3g2-k9w7-tar.default
Change the last line to the corresponding path; the AP can then download the specified IOS from the TFTP server by IP address.
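Before resetting the AP it is worth confirming, from an admin workstation, that the TFTP server actually answers a read request for the image. The following is an added example, not code from the post: a minimal RFC 1350 probe in Python. The server address and file name are taken from the post's archive command and are placeholders to replace with your own.

```python
import socket
import struct

# Values taken from the post's archive command; replace them with your own server and image.
TFTP_SERVER = "10.66.74.250"
IMAGE = "ap3g2-k9w7-tar.default"

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}

def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"

def parse_reply(pkt: bytes) -> dict:
    """Interpret the server's first reply: DATA means the file is being served, ERROR says why not."""
    if len(pkt) < 4:
        raise ValueError("short TFTP packet")
    opcode, = struct.unpack("!H", pkt[:2])
    kind = OPCODES.get(opcode, "UNKNOWN")
    if kind == "DATA":
        block, = struct.unpack("!H", pkt[2:4])
        return {"kind": kind, "block": block, "length": len(pkt) - 4}
    if kind == "ERROR":
        code, = struct.unpack("!H", pkt[2:4])
        message = pkt[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return {"kind": kind, "code": code, "message": message}
    return {"kind": kind}

def probe(server: str, filename: str, timeout: float = 3.0) -> dict:
    """Send one RRQ and report the reply; the transfer is aborted after the first block."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq(filename), (server, 69))
        try:
            data, peer = s.recvfrom(1024)
        except socket.timeout:
            return {"kind": "TIMEOUT"}  # the same symptom the AP shows: no server answering
        # Error code 0 tells the server we are done, so it stops retransmitting block 1.
        s.sendto(struct.pack("!HH", 5, 0) + b"probe only\0", peer)
        return parse_reply(data)

if __name__ == "__main__":
    print(probe(TFTP_SERVER, IMAGE))
```

A DATA reply with block 1 means the server will serve the file to the AP; an ERROR reply carries the server's reason (for example "File not found"), and a timeout points at reachability or the service not listening on UDP 69.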


Thursday, February 6, 2014

Clarifying Key CISSP Domain Terms - Risk Choices and Risk Acceptance


Risk choices
Every time we assess a risk we have to decide what to do about it. The options are: accept the risk, mitigate or eliminate the risk, transfer the risk, or avoid the risk.

Risk acceptance
Some risks may be accepted: in such cases the value of the asset is lower than the risk being protected against, lower than the effort (and the money) that protecting it would take. This is not an uninformed decision; all the consequences of the risk are considered before it is accepted.

Case study: risk acceptance
A company performs a risk analysis and identifies its mainframe as a source of risk. The mainframe is no longer used for new transactions; it only serves historical data. Over time its ability to recover from disk failures has declined, the hardware warranty has run out, the support contract has expired without renewal, and the mainframe staff have left one after another. The company is not confident that, if data were lost, it could be recovered successfully and in time.

This historical data must stay online for another six months or more before it is migrated to a system on the new architecture. So is real-time backup needed? Is it necessary to buy a new mainframe, purchase support services and hire outside mainframe experts?

The risk management team asked the team supporting the download of the upgrade files: "If this data disappeared tomorrow, what would happen, and what about the new files from the past six months?" The answer: the company could keep paper records in the interim, which would be a minor operational inconvenience. No law or regulation prohibits such a plan.

The company decided to accept the risk that the archived data could not be recovered after a mainframe failure. Note that this decision was deliberate: the stakeholders were consulted, the operational impact was assessed, and legal and regulatory requirements were reviewed.
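The reasoning of both CISSP posts (acceptance criteria, mitigation and transference above, and this case study) can be written down as one decision routine. This is an added example with constructed figures, not material from the posts: the acceptance thresholds, loss figures and control costs are assumptions chosen to reproduce the three cases the posts describe.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    """One risk-register entry; every figure used below is a constructed sample value."""
    name: str
    sle: float                            # single loss expectancy, dollars per event
    aro: float                            # annualized rate of occurrence
    regulated_or_safety: bool = False     # data protected by law/regulation, or human safety
    control_cost: Optional[float] = None  # yearly cost of a mitigating control (e.g. encryption)
    residual_aro: Optional[float] = None  # ARO that remains once the control is in place
    premium: Optional[float] = None       # yearly premium if an insurer will take the risk

def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = SLE x ARO (the post's 'annual expected loss')."""
    return sle * aro

def insurer_margin(expected_loss_per_policy: float, premium: float) -> float:
    """Insurer's margin over its expected payout per policy ($500 loss, $600 premium -> 0.20)."""
    return (premium - expected_loss_per_policy) / expected_loss_per_policy

def choose_treatment(r: Risk, acceptable_ale: float, max_single_loss: float) -> str:
    """Pick accept / mitigate / transfer / avoid the way the posts reason about it:
    acceptance only without legal/regulatory/safety issues and within both tolerances;
    otherwise the cheapest treatment that reaches an acceptable level, else avoid."""
    if (not r.regulated_or_safety and ale(r.sle, r.aro) <= acceptable_ale
            and r.sle <= max_single_loss):
        return "accept"
    yearly_cost = {}
    if r.control_cost is not None and r.residual_aro is not None:
        residual = ale(r.sle, r.residual_aro)
        if residual <= acceptable_ale:            # the control must reach an acceptable level
            yearly_cost["mitigate"] = r.control_cost + residual
    if r.premium is not None:
        yearly_cost["transfer"] = r.premium
    return min(yearly_cost, key=yearly_cost.get) if yearly_cost else "avoid"

def sample_register() -> dict:
    """Decisions for three constructed entries modelled on the posts' examples."""
    risks = [
        Risk("mainframe archive", sle=20_000, aro=0.1),
        Risk("stolen laptop with personal data", sle=100_000, aro=0.5,
             regulated_or_safety=True, control_cost=3_000, residual_aro=0.02),
        Risk("office fire", sle=500_000, aro=0.001, premium=600),
    ]
    return {r.name: choose_treatment(r, acceptable_ale=5_000, max_single_loss=50_000)
            for r in risks}
```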

Understanding the Cloud Computing Stack: SaaS, PaaS, IaaS


Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)

Let's look at how Rackspace explains the three.
Rackspace is one of the world's three largest cloud computing centers. Founded in 1998, it is a leading global hosting and cloud computing provider, headquartered in the United States with offices in the UK, Australia, Switzerland, the Netherlands and Hong Kong.

Friday, January 24, 2014

RUCKUS WLC LAB


Initial setup steps and report for the RUCKUS WLC (Wireless LAN Controller) and AP (Access Point).

Monday, January 20, 2014

Scale of the school (TAS) wireless network



At the top is a single Wireless Control System (WCS), which governs 8 Wireless LAN Controllers (WLC); the WLCs in turn control roughly 550 APs (Access Points). This forms the school's backbone wireless network. The school's wireless network has four SSIDs in total; this counts production SSIDs only, not the ones used for testing.

The first is TAS-MAC. This ID can connect to the school's servers and network equipment but cannot use the systems; it is usually given to vendors or to hardware devices (for example wireless printers). We also use this segment to connect to and manage the school network. Authentication is WEP encryption bound to the hardware MAC address.

The second is TAS-IOS. Because most students are equipped with Apple gear (usually an Apple notebook or an iPad running iOS), authentication is WPA2 with a student or staff account and password.

The third is TAS-IT which, as the name suggests, is dedicated to the IT department (MIS, app development and PC repair); authentication is WPA2-PSK.

The fourth is TAS-Intranet, for internal non-iOS devices (usually Windows systems); authentication is WPA2 with the device's domain account and password.

The fifth is TAS-Guest. For temporary access, visitors can obtain a password valid for the day at the MIS department counter; the SSID itself has no authentication, but a redirect page with password login controls access. Long-term access is bound to the MAC address plus a personal password. It is typically used by parents or outside guests visiting the school.

Wednesday, January 15, 2014

Cisco ACE 4710 Startup Configuration


Steps to clear the configuration and reboot
Starting sysmgr processes.. Please wait...Done!!!

switch login: admin
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2012 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
switch/Admin#
switch/Admin# ?
Exec commands:
  backup      Backup commands
  capture     Capture packets on one or more interfaces
  changeto    Changeto another context
  checkpoint  Checkpoint/Rollback commands
  clear       Reset functions
  clock       Manage the system clock
  compare     Compare checkpoint config with running config
  configure   Enter configuration mode
  copy        Copy from one file to another
  crypto      Execute PKI related commands
  debug       Debugging functions
  delete      Remove files -1
  dir         Directory listing for files
  dm          Device mgr commands for internal use
  exit        Exit from the EXEC
  format      Format a device with FAT16 file system
  ft          Fault-tolerant switchover
  gunzip      Uncompresses LZ77 coded files
  invoke      Invoke commands in other contexts from admin context
  license     Licensing specific commands
  load        Load plug-in image
  mkdir       Create new directory
  move        Move files
  ping        Send echo messages
  reload      Halt and perform a cold restart
  restore     Restore commands
  rmdir       Remove existing directory
  set         Set various asic registers
  setup       Run the basic SETUP command facility
  show        Show running system information
  sleep       Sleep some time for vsh script
  ssh         SSH to another system
  system      System management commands
  tac-pac     Save tac information to a specific location
  telnet      Telnet to another system
  terminal    Set terminal line parameters
  traceroute  Trace route to destination
  undebug     Disable Debugging functions (See also debug)
  untar       Untar the given file
  write       Write current configuration
  xml-show    Display xmlized show command result in xml

switch/Admin# clear st
startup-config  stats           sticky         
switch/Admin# clear startup-config
Warning: This command will erase the startup-configuration.
Do you wish to proceed anyway? (y/n)  [n] y
switch/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes] no
Validating system image...
Perform system reload. [yes/no]: [yes]
switch/Admin#
After the steps above, wait for the reboot to complete.



kernel=(hd0,1)/c4710ace-t1k9-mz.A5_1_2.bin ro root=LABEL=/ auto console=ttyS0,9600n8 quiet bigphysarea=32768
   [Linux-bzImage, setup=0x1400, size=0xe75a16c]

INIT: version 2.85 booting

b4 lspci
1 Cavium device(s) found.
Bringing up NP 0
Downloading U-Boot to NP card 0
Downloading DP image to NP card 0
Starting DP image on NP card on all cores
DP image started on NP card

Setting up dynamic memory size
Initializing Shared Memory
INIT: Entering runlevel: 3
Testing PCI path for Octeon(0)....
This may take some time, Please wait ....
PCI test loop , count 0
PCI path is ready
Starting services...
Waiting for 3 seconds to enter setup mode...
Certificate & key are up to date [yes]
switch/Admin# Unmounting ext3 filesystems...
Unmounting Other filesystems...
Installing MySQLRestarting system.
groupadd: group nobody exists
useradd: user nobody exists
MySQL Installed
Installing JRE
JRE Installed


Starting sysmgr processes.. Please wait...Done!!!

switch login: admin
Password:

 Admin user is allowed to login only from console until the default password is changed.
 www user is allowed to login only after the default password is changed.

 Enter the new password for user "admin":
 Confirm the new password for user "admin":
 admin user password successfully changed.

 Enter the new password for user "www":
 Confirm the new password for user "www":
 www user password successfully changed.

Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2012 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.


  ACE>                         

        This script will perform the configuration necessary for a user to
        manage the ACE Appliance using the ACE Device Manager.The management
        port is a designated Ethernet port which has access to the same
        network as your management tools including the ACE Device Manager.
        You will be prompted for the Port Number, IP Address, Netmask and
        Default Route (optional).
        Enter 'ctrl-c' at any time to quit the script

ACE>Would you like to enter the basic configuration dialog (yes/no) [y]: no
switch/Admin#

After the configuration has been cleared, the default credentials of the ACE are
Account: admin
Password: admin
After logging in you are asked to change the passwords of the two accounts admin and www; enter passwords that comply with the password policy.
The ACE then asks whether you want to go through the interactive setup:
ACE>Would you like to enter the basic configuration dialog (yes/no) [y]: no
The default answer is Yes; enter No if you do not need it.

Incidentally, if you later decide you want the interactive setup after all, you can run the setup command:
switch/Admin# setup


  ACE>                         

        This script will perform the configuration necessary for a user to
        manage the ACE Appliance using the ACE Device Manager.The management
        port is a designated Ethernet port which has access to the same
        network as your management tools including the ACE Device Manager.
        You will be prompted for the Port Number, IP Address, Netmask and
        Default Route (optional).
        Enter 'ctrl-c' at any time to quit the script

ACE>Would you like to enter the basic configuration dialog (yes/no) [y]:

Below is an example of how the interactive options are configured, for reference.
ACE>Would you like to enter the basic configuration dialog (yes/no) [y]:


  ACE> Enter the Ethernet port number to be used as the management port (1-4):? [1]:

  ACE> Enter the management port IP Address (n.n.n.n): [192.168.1.10]: 192.168.1.144

  ACE> Enter the management port Netmask(n.n.n.n): [255.255.255.0]:

  ACE> Enter the default route next hop IP Address (n.n.n.n) or to skip this step: 192.168.1.254

  ACE> Summary of entered values:

  Management Port: 1
  Ip address 192.168.1.144
  Netmask: 255.255.255.0
  Default Route: 192.168.1.254

  ACE>Submit the configuration including security settings to the ACE Appliance? (yes/no/details) [y]:


ACE> Configuration successfully applied. You can now manage this
ACE Appliance by entering the url 'http://192.168.1.144' into a
web browser to access the Device Manager GUI.

Creating a context from the command line
switch/Admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
switch/Admin(config)# context ?
    Enter the context name (Max Size - 64)
  Admin  
switch/Admin(config)# context Bridge
switch/Admin(config-context)#
switch/Admin# sh context

Number of Contexts = 2

Name: Admin , Id: 0
Config count: 25
Description: 
Resource-class: default


Name: Bridge , Id: 1
Config count: 0
Description: 
Resource-class: default
Vlans:
switch/Admin#

Entering the selected context to configure it
switch/Admin# changeto bridge
Error: context not found
switch/Admin# changeto Bridge
switch/Bridge#
Note that context names are case-sensitive.
Also, to confirm that the switch succeeded, check whether the context name after the / in the prompt has changed.
Settings in different contexts are completely independent and are not shared; each context must be saved separately.

Checking interface status
switch/Admin# sh interface

vlan1000 is up, VLAN up on the physical port

  Hardware type is VLAN
  MAC address is 00:1b:24:78:7f:4c
  Mode : routed
  IP address is 192.168.0.10 netmask is 255.255.255.0
  FT status is non-redundant
  Description:not set
  MTU: 1500 bytes
  Last cleared: never
  Last Changed: Sun Jan  5 22:40:45 2014
  No of transitions: 1
  Alias IP address not set
  Peer IP address not set
  Assigned on the physical port, up on the physical port

     633 unicast packets input, 189322 bytes
     400 multicast, 25 broadcast
     0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
     1396 unicast packets output, 1671574 bytes
     0 multicast, 1 broadcast
     0 output errors, 0 ignored

GigabitEthernet Port 1/1 is UP, line protocol is UP
 Hardware is ACE Appliance 1000Mb 802.3, address is 00:1b:24:78:7f:4c
 Description:
 MTU 9216 bytes
 Full-duplex, 1000Mb/s
 COS bits based QoS is disabled
 input flow-control is off, output flow-control is off
    1063 packets input, 195505 bytes, 0 dropped
    Received 132 broadcasts (405 multicasts)
    0 runts , 0 giants
    0 FCS/Align errors , 0 runt FCS, 0 giant FCS
    1397 packets output, 1671574 bytes
    1 broadcast, 0 multicast, 0 control output packets 
    0 underflow, 0 single collision, 0 multiple collision output packets
    0 excessive collision and dropped, 0 Excessive Deferral and dropped 
GigabitEthernet Port 1/2 is ADMIN DOWN, line protocol is DOWN
 Hardware is ACE Appliance 1000Mb 802.3, address is 00:1b:24:78:7f:4c
 Description:
 MTU 0 bytes
 Auto-duplex, Auto-speed
 COS bits based QoS is disabled
 input flow-control is off, output flow-control is off
    0 packets input, 0 bytes, 0 dropped
    Received 0 broadcasts (0 multicasts)
    0 runts , 0 giants
    0 FCS/Align errors , 0 runt FCS, 0 giant FCS
    0 packets output, 0 bytes
    0 broadcast, 0 multicast, 0 control output packets 
    0 underflow, 0 single collision, 0 multiple collision output packets
    0 excessive collision and dropped, 0 Excessive Deferral and dropped 
GigabitEthernet Port 1/3 is ADMIN DOWN, line protocol is DOWN
 Hardware is ACE Appliance 1000Mb 802.3, address is 00:1b:24:78:7f:4c
 Description:
 MTU 0 bytes
 Auto-duplex, Auto-speed
 COS bits based QoS is disabled
 input flow-control is off, output flow-control is off
    0 packets input, 0 bytes, 0 dropped
    Received 0 broadcasts (0 multicasts)
    0 runts , 0 giants
    0 FCS/Align errors , 0 runt FCS, 0 giant FCS
    0 packets output, 0 bytes
    0 broadcast, 0 multicast, 0 control output packets 
    0 underflow, 0 single collision, 0 multiple collision output packets
    0 excessive collision and dropped, 0 Excessive Deferral and dropped 
GigabitEthernet Port 1/4 is ADMIN DOWN, line protocol is DOWN
 Hardware is ACE Appliance 1000Mb 802.3, address is 00:1b:24:78:7f:4c
 Description:
 MTU 0 bytes
 Auto-duplex, Auto-speed
 COS bits based QoS is disabled
 input flow-control is off, output flow-control is off
    0 packets input, 0 bytes, 0 dropped
    Received 0 broadcasts (0 multicasts)
    0 runts , 0 giants
    0 FCS/Align errors , 0 runt FCS, 0 giant FCS
    0 packets output, 0 bytes
    0 broadcast, 0 multicast, 0 control output packets 
    0 underflow, 0 single collision, 0 multiple collision output packets
    0 excessive collision and dropped, 0 Excessive Deferral and dropped

switch/Admin# sh ip int bri
Interface             IP-Address      Status                  Protocol
vlan1000              192.168.0.10    up                      up 
gigabitEthernet1/1    unassigned      up                      up 
gigabitEthernet1/2    unassigned      administratively down   down
gigabitEthernet1/3    unassigned      administratively down   down
gigabitEthernet1/4    unassigned      administratively down   down
Checking port up/down status

Checking the configuration
switch/Admin# sh running-config
Generating configuration....



boot system image:c4710ace-t1k9-mz.A5_1_2.bin

interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown


access-list ALL line 8 extended permit ip any any






class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

interface vlan 1000
  ip address 192.168.0.10 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.254

context Bridge


 
username admin password 5 $1$.HBIfcex$OzUi5Uv7eTEylxAf3NEPs/  role Admin domain default-domain
username www password 5 $1$.wH9fZJd$X1MvFbstxWIWTCcHh9PjR0  role Admin domain default-domain

ssh key rsa 1024 force


switch/Admin#

At this point you can usually connect to and manage the ACE 4710 through the web interface. The key point is that the NIC on the first port you use to connect to the ACE 4710 must be on the same subnet as the ACE.
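The running-config shown above is the appliance's out-of-the-box management policy: every management protocol, including telnet, http and snmp, is matched from any source, the interface ACL permits ip any any, and the SSH host key is RSA 1024. The following is an added example, not part of the post: a small Python audit that reads the management-relevant lines of that config (embedded here as a constructed excerpt) and lists the settings to tighten before the appliance leaves the lab.

```python
import re

# Constructed excerpt of the running-config shown in the post (management-relevant lines only).
RUNNING_CONFIG = """\
access-list ALL line 8 extended permit ip any any
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
interface vlan 1000
  ip address 192.168.0.10 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
ssh key rsa 1024 force
"""

CLEARTEXT = {"telnet", "http", "snmp"}   # management protocols that carry credentials unencrypted

def audit(config: str) -> list:
    """Return one finding per weak management setting found in an ACE running-config."""
    findings, permit_any_acls = [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) .*permit ip any any$", line):
            permit_any_acls.add(m.group(1))            # remember ACLs that allow everything
        elif m := re.match(r"\d+ match protocol (\S+) (\S+)$", line):
            proto, source = m.groups()
            if source == "any" and proto in CLEARTEXT:
                findings.append(f"cleartext management protocol {proto} allowed from any source")
            elif source == "any":
                findings.append(f"management protocol {proto} not limited to a management network")
        elif m := re.match(r"access-group input (\S+)$", line):
            if m.group(1) in permit_any_acls:          # ACL was defined earlier in the config
                findings.append(f"interface ACL {m.group(1)} permits ip any any")
        elif m := re.match(r"ssh key rsa (\d+)", line):
            if int(m.group(1)) < 2048:
                findings.append(f"SSH host key is RSA {m.group(1)} bits (below 2048)")
    return findings

if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG):
        print("-", finding)
```

Run against the excerpt it reports nine findings; the same function can be pointed at a `show running-config` capture from your own appliance.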