26. Understanding Enterprise Network Security Architecture
What modules allow AnyConnect to assess compliance on endpoints?
ASA Posture Module and Identity Services Engine Posture Module
What is used to encrypt and protect MACsec frames?
An Integrity Check Value (ICV) encrypts and protects MACsec frames. Frames received at the switch from the client are decrypted and the correct ICV is calculated using the session keys provided by MKA.
What is IPS?
An Intrusion Prevention Systems (IPS) is a system that performs deep analysis of network traffic, searching for signs of suspicious or malicious behavior. If it detects such behavior, the IPS can take protective action.
Describe antispyware software.
Antispyware software: Detects and removes spyware. Spyware displays advertisements and tracks information on your endpoint device without your consent. Spyware can make changes to your endpoint device without your consent and damage your device. Both antispyware and antivirus software must be updated frequently to remain effective.
Describe antivirus software.
Antivirus software: Prevents and removes computer viruses and other types of malicious software. Computer viruses spread from one computer to another, leaving infections as they travel. They can damage data or software or even cause Denial of Service (DoS) conditions. Both antispyware and antivirus software must be updated frequently to remain effective.
What is the benefit of applying access control between pairs of security groups?
By applying access control between pairs of security groups, Cisco TrustSec achieves role-based, topology-independent access control within the network.
Describe malware analysis and protection.
Cisco Advanced Malware Protection (AMP) for Endpoints offers protection against malware that has infiltrated an organization's network. It is an intelligent, enterprise-class advanced malware analysis and protection solution that uses a telemetry model, which uses big data, continuous analysis, and advanced analytics, to detect, track, analyze, control, and block advanced malware outbreaks across all endpoints: PCs, Macs, mobile devices, and virtual systems.
Describe Cisco Collective Security Intelligence Cloud.
Cisco Collective Security Intelligence Cloud: This is where the various detection and analytics engines reside. SPERO is a machine-learning malware detection engine that resides in the cloud. SPERO relies on information that is provided to it by way of a fingerprint that contains many attributes of the file being processed. This fingerprint is sent along with the Secure Hash Algorithm (SHA-256) hash of the file in the initial message to the cloud. ETHOS is a fuzzy logic-based malware detection engine. ETHOS also resides in the cloud, and is invoked if the file being checked is not known or returns a neutral disposition.
What is IBNS and what is it characterized by?
Cisco Identity-Based Networking Services (IBNS) is characterized by a suite of services that are embedded in Cisco Catalyst switches and Cisco WLCs.
Cisco TrustSec encompasses what?
Cisco TrustSec encompasses Security Group Tags (SGTs) and Electrical and Electronics Engineers (IEEE) MAC Security standard (MACsec).
What categories can the features associated with SGTs be broken into? Describe them.
Classification: Classification is the assignment of an SGT to an IP address. This can be accomplished either dynamically or statically. Generally, dynamic classification is done at the access layer and static classification is done in the data center. Dynamic classification utilizes the rich context data available to Cisco ISE for making policy decisions. Dynamic classification can be done using IEEE 802.1X, MAC authentication bypass, or web authentication. Static classification is generally configured on the switch to which servers are attached. Static options and configuration syntax vary by switching platforms and operating system version. Options for static classification include the mapping of IP address, VLAN, or port, to an SGT. Also, Cisco ISE can centrally store a database of IP addresses and their corresponding SGTs. Compatible devices may download the centrally managed mappings from Cisco ISE. Transport: Security group mappings follow the traffic through the network. This can be accomplished either through inline tagging or the SGT eXchange Protocol (SXP). With inline tagging, the SGT is embedded in the Ethernet frame header. Not all network devices support inline tagging. SXP is used to transport SGT mappings across devices that do not support inline tagging. Enforcement: Enforcement is implementing permit or deny policy decisions based on the source and destination SGTs. This can be accomplished with SGACLs on switching platforms and SGFW on routing and firewall platforms.
Describe Client Connector
Client Connector: This is the component that runs on the endpoints. It communicates with the cloud to send information about files and to receive file disposition information.
To be effective, what three things must cryptographic VPN provide? Describe them.
Confidentiality: The assurance that no one except the intended recipient can read the data traversing the VPN. The purpose of encryption is to guarantee confidentiality. Origin authentication: The assurance that the endpoint entities are legitimate (who they claim to be). Data integrity: The assurance that data traversing the VPN has not been altered in transit, intentionally or unintentionally.
According to what criteria are VPNs classified? Describe them.
Deployment mode: Site-to-site VPN and remote-access VPN. A site-to-site VPN provides an Internet-based WAN infrastructure for connecting branch offices, home offices, or the sites of business partners to all or portions of a network. A remote-access VPN provides secure communications for remote access to networks and applications. Hosts can establish remote-access VPNs either by using VPN client software or by using an SSL-enabled web browser. Underlying technology: IPsec VPN, SSL VPN, Multiprotocol Label Switching (MPLS) VPN, other Layer 2 technologies such as Frame Relay or Asynchronous Transfer Mode (ATM), and hybrid VPNs combining multiple technologies.
Describe AMP for endpoints detection publishing
Detection publishing: Detection signatures are in the cloud, which reduces the size of the client connector and reduces the amount of processing that has to take place on the connector, since the bulk of the work is being performed in the cloud. -Administrators can create custom signatures in the cloud and push them down to the endpoint connectors. -Cross-referencing of files and signatures is done in the cloud, so the cloud is self-updating without having to communicate those updates to endpoints every time.
What are examples of Cisco content security products?
ESA, WSA
What are some different types of malware that can be detected by antivirus?
Examples of other types of malware that may be detected by antivirus software include: keystroke loggers, back doors, root kits, browser hijackers, Trojan horses, and ransomware.
Define an exploit.
Exploit: The mechanism that is used to leverage a vulnerability to compromise the security or functionality of a system. An example of an exploit is an exploit tool. When a vulnerability is disclosed to the public, attackers often create a tool that implements an exploit for the vulnerability. If they release this tool to the Internet, other attackers with very little skill can effectively exploit the vulnerability.
What default cipher suite do all Cisco components support?
Galois/Counter Mode Advanced Encryption Standard 128 (GCM-AES-128).
What are heuristics?
Heuristics allow for recognition on imprecise signature matches. Often malware will mutate over time into different variants.
How are host facing links secured?
Host facing links (links between network access devices and endpoint devices such as a PC or IP phone) can only be secured using MACsec MKA encryption.
Where is SGACL policy centrally managed?
ISE
What happens if 802.1X is not enabled or supported on the Network Access Device? If the supplicant doesn't receive an EAP request?
If 802.1X is not enabled or supported on the NAD, EAPOL frames from the supplicant are dropped. If the supplicant does not receive an EAP request or identity frame after three attempts, the supplicant sends frames as if the port was in the authorized state. A port in authorized state effectively means that the supplicant has been successfully authenticated.
What is behavioral-based detection?
Instead of analyzing the code for signatures, the behavior of processes is monitored. If a process attempts to do something that is recognized as malicious, such as modifying another executable program or capturing keystroke information, behavioral-based analysis can detect the malware. This can help with zero-day attacks.
What two methods can encryption be implemented with? Describe them.
Link encryption: The entire frame is encrypted between two devices; this is used on point-to-point connections of directly connected devices. Packet payload encryption: Only the packet payload is encrypted, which allows this form of encryption to be routed across a Layer 3 network, such as the Internet.
What protocol manages the encryption keys used by MACsec?
MKA
What is a zero-day attack?
Malware that has never been seen before
What is MACsec?
Media Access Control Security (MACsec) is an IEEE 802.1AE standards-based Layer 2 hop-by-hop encryption that provides data confidentiality and integrity for media access independent protocols.
Describe personal firewalls.
Personal firewalls: Protect only the device on which they are installed. A personal firewall may have the ability to block applications, files, and services, and may also provide intrusion detection services.
How does anti-virus realtime protection work?
Real-time protection analyzes data as it is loaded into the working memory of the computers, such as when an application auto-executes upon insertion of a USB memory key, or when opening an email or completing a web transaction.
Describe ISE remediation
Remediation with ISE is based on quarantining the endpoint. Instead of allowing normal connectivity for the noncompliant endpoint, the endpoint is allowed very limited connectivity. The limited connectivity includes the ability to reach servers from which the required software can be obtained. After the required software has been properly installed, the posture module is executed again. If the endpoint has reached a state of compliance, it is allowed normal access to the network.
Describe ASA remediation.
Remediation with the ASA is limited to working with the software that is already installed on the endpoint. The remediation capabilities include the ability to enable software that has been disabled, force updates for antivirus and antispyware software, and push firewall policy to the personal firewall software. Remediation with the ASA requires that the advanced endpoint assessment license is installed on the appliance.
Define a risk.
Risk: The likelihood that a particular threat using a specific attack will exploit a particular vulnerability of an asset that results in an undesirable consequence.
What does Cisco ASA use to enforce TrustSec policy, rather than using SGACLs?
SGFW features
What are methods of traffic inspection used in various IPSs? Describe them.
Signature-based inspection: A signature-based IPS examines the packet headers or data payloads in network traffic and compares the data against a database of known attack signatures. The database must be continually updated to remain effective. A signature might be a sequence or a string of bytes in a certain context. Signature-based inspection is sometimes referred to as rule-based or pattern-matching inspection. Anomaly-based inspection: Anomaly-based network IPS devices observe network traffic and act if a network event outside normal network behavior is detected.
What are the three types of anomaly based network IPS? Describe them.
Statistical anomaly detection (network behavior analysis): Observes network traffic over time and builds a statistical profile of normal traffic behavior based on communication patterns, traffic rate, mixture of protocols, and traffic volume. After a normal profile has been established, statistical anomaly detection systems detect or prevent activity that violates the normal profile. Protocol verification: Observes network traffic and compares network, transport, and application layer protocols that are used inside network traffic to protocol standards. If a deviation from standards-based protocol behavior is detected (such as a malformed IP packet), the system can take appropriate action. Policy-based inspection: A policy-based IPS analyzes network traffic and takes action if it detects a network event outside a configured traffic policy.
Describe the 802.1X roles
Supplicant: Endpoint 802.1X-compliant software service. It communicates with NAD Authenticators to request network access. Authenticator: Controls access to the network, based on client authentication status. The objective here is for endpoints to authenticate to the Authentication server via some Extensible Authentication Protocol (EAP). NAD authenticators act as an intermediary (proxy) between client and authentication server. They communicate with endpoint supplicants via 802.1X, to request identity information. Then they communicate with the Authentication Server via RADIUS to verify that information. They relay authentication server responses back to the client. The authenticator acts as a RADIUS client, encapsulating, and de-encapsulating EAP frames. . Authentication server: This role performs client authentication. The authentication server validates client identity and notifies NAD authenticators of client authorization status. Because the authenticator acts as the proxy, the authentication service is transparent to the client. Cisco ISE acts as the authentication server.
What is AnyConnect?
The Cisco AnyConnect Secure Mobility Client v4.0 is a multifaceted endpoint software product. It not only provides VPN access through Secure Sockets Layer (SSL) but also offers enhanced security through various built-in modules, such as the Cisco Network Access Manager, Cisco AnyConnect ISE Agent, and Cisco AnyConnect Web Security Client.
What is Cisco ESA?
The Cisco Email Security Appliance ESA is a type of firewall and threat monitoring appliance for SMTP traffic
What is Cisco WSA?
The Cisco Web Security Appliance WSA provides secure web access, content security, and threat mitigation for web services.
How does ISE perform evaluation? ASA?
The ISE posture module performs a client-side evaluation, while ASA posture module performs server-side evaluation.
When a personal firewall finds itself in a new network, what does it query the user for?
The class of the network
Is a client ever a key server? Can it interact with multiple MKA entities?
The client is never a key server and can only interact with a single MKA entity, the key server (switch).
What attributes can ASA and ISE examine?
The exact list of attributes that can be examined by the two posture modules differs, but both have the ability to examine the endpoint for operating system type version, antivirus software, and antispyware applications. The ASA posture module also has the ability to examine personal firewall software.
What is the foundation for IBNS?
The foundation for IBNS is IEEE 802.1X, a port-based authentication and access control protocol, which can be applied at a physical switch port on the wired network or on a wireless local area network (WLAN) on Cisco WLC.
Describe an SGT in TrustSec.
The frames that enter the Cisco TrustSec domain are marked using an SGT. This is a unique 16-bit tag that represents the unique role of the traffic source in the network.
What is an MKPDU?
The packet body in an EAPOL Protocol Data Unit (PDU) is referred to as a MACsec Key Agreement PDU (MKPDU). After key derivation and generation, the switch sends periodic transports to the partner at a default interval of 2 seconds.
What is endpoint security?
The term "endpoint security" refers to protecting an endpoint device such as a desktop computer, laptop, tablet, or smartphone. The term also refers to verifying the user, the device, and the device state to protect the network.
Define a threat.
Threat: Any circumstance or event with the potential to cause harm to an asset in the form of destruction, disclosure, adverse modification of data, or DoS. An example of a threat is malicious software that targets workstations.
What must a client (switch) have in order to encrypt traffic? How is this thing sent to a supplicant? How is it kept secure byt the switch? How can the supplicant decrypt the securely transported thing?
To successfully encrypt traffic, the client must also possess the SAK. Using MKA, the switch will send the SAK to the supplicant. To keep the SAK secure, the switch encrypts it with some additional CAK-derived keys and the AES key wrap (RFC 3394) function. Because the supplicant possesses the CAK, it can decrypt the key wrap and retrieve the SAK.
T/F: AMP for endpoints allows custom signature creation for malware detection
True
T/F: All Cisco security devices support logging.
True
What are SGACLS used for?
Using SGACLs, you can control access policies based on source and destination security group tags.
What are the 802.1X authorization features?
VLAN assignment: Enables the authentication server to associate a VLAN with a particular user or group. Thus, the switch can dynamically assign a VLAN for that authenticated user. This VLAN assignment is appropriate if your desired access control method is based on different VLANs (with routed Access Control Lists (ACLs) or a firewall system that is configured egress to the VLANs). It provides strong access control and auditing. ACL assignment: The authentication server associates an ACL with a particular user or group. It then instructs the NAD to dynamically assign the ACL to the user session. This mechanism provides very granular access control, right down to the port level. Time-based access: The authentication server controls each user's allowed-access days and times. Security group access: Provides topology-independent, scalable access control. With security group access, the ingress switches classify data traffic for a particular role and tag the traffic with security group tags. The egress network devices evaluate the security group tags and filter packets by applying appropriate security group ACLs.
Describe the benefit of cryptographic VPN compatibility with broadband technology.
VPNs allow mobile workers, telecommuters, and people who want to extend their workday to take advantage of high-speed, broadband connectivity to gain access to their corporate networks, providing workers significant flexibility and efficiency.
Describe the benefit of cryptographic VPN scalability.
VPNs enable corporations to use the Internet infrastructure within ISPs and devices, which makes it easy to add new users. Therefore, corporations are able to add large amounts of capacity without adding significant infrastructure.
Describe the benefit of cryptographic VPN cost savings.
VPNs enable organizations to use cost-effective third-party Internet transport to connect remote offices and remote users to the main corporate site, thus eliminating expensive dedicated WAN links. Furthermore, with the advent of cost-effective high-bandwidth technologies, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
Describe the benefit of cryptographic VPN security.
VPNs provide the highest level of security by using advanced encryption and authentication protocols that protect data from unauthorized access.
Define a vulnerability.
Vulnerability: A weakness that compromises either the security or the functionality of a system. Weak or easily guessed passwords are considered vulnerabilities.
How are VLANs assigned with 802.1X authentication?
When a client successfully authenticates, and no dynamic VLAN is assigned by the authentication server, this default VLAN is used. If dynamic VLAN is enabled, the dynamic VLAN is configured on the Cisco ISE RADIUS service and communicated in a RADIUS Access-Accept message. While typically used to assign a VLAN upon successful authentication, it can also be used when authentication fails.
When is a secure connectivity association key name (CKN) generated?
When the EAP session ID is entered
Where is spyware most commonly implemented?
With tracking cookies in internet browsers
What type of anomaly based network IPS do modern IPSs (NGIPS) use?
a combination of all 3 (statistical, protocol, and policy)
What does EAP authentication produce that is shared by both partners in the data exchange?
a master session key (MSK)
How des EAP framework implement MKA?
as a newly defined EAP-over-LAN (EAPOL) packet
How are MACsec encyrption keys managed?
by the MACsec Key Agreement (MKA) protocol
What does a distributed firewall rewuire?
central management of multiple personal firewalls' policies
What three types of software has endpoint security traditionally relied on?
personal firewalls -antivirus software -antispyware software
What type of detection does most antivirus software use?
signature based
How are MKA and MACsec implemented after successful authentication?
using 802.1x EAP framework
What does WSA offer?
-Advanced malware protection -Application Visibility and Control -Insightful reporting -Secure mobility
What elements does AMP for endpoints consist of?
-Cisco Collective Secuirty Intelligence Cloud -Client Connector -Cisco AMP for enpoints mobile -Cisco AMP for endpoints Mac Connector -AMP for Networks
List the major attack types.
-DoS and DDoS -spoofing -reflection -social engineering -phishing -password attacks -reconnaissance attacks -buffer and overflow attacks -man-in-the-middle attacks -malware -vectors of data loss and exfiltration -hacking tools
Describe AMP for endpoints large-scale data processing
-Fie samples are provided to the cloud for processing. If the disposition of a given sample is deemed malicious, it is stored in the cloud and reported to endpoints that see the same file. -An important design goal of the cloud is to provide results as quickly as possible, so low latency is a key characteristic. -The cloud includes advanced analytic engines that constantly correlate the incoming data. It uses the analytic results to update its signatures. -It also includes machine-learning engines to further refine its signatures and reevaluate the detections that it has already performed.
What additional capabilities beyond traditional firewalls do NGFWs offer?
-Integrate security functions tightly to provide highly effective threat and advanced malware protection -Implement policies that are based on application visibility instead of transport protocols and ports -Provide URL filtering and other controls over web traffic -Provide actionable indications of compromise to identify malware activity -Offer comprehensive network visibility -Help reduce complexity -Integrate and interface smoothly with other security solutions
What features does IBNS include?
-Provides authentication of wired and wireless users using IEEE 802.1X, MAB, and web authentication -Delivers policy-based authorization based on downloadable ACLs (dACLs) or VLAN assignment -Offers broad client support for native operating system and third-party supplicants
What features does Cisco Collective Security Intelligence Cloud offer?
-Rapid detection of known malware -Use of cloud resources to test files with unknown dispositions -Use of machine learning techniques to constantly keep itself up-to-date
What services does ISE allow you to implement?
-Strong authentication using Institute of Electrical and Electronics Engineers (IEEE) 802.1X, MAC Authentication Bypass (MAB), and web authentication -Policy-based authorization via downloadable access control lists (dACLs) or VLAN assignment. -Broad client supplicant support
What does ESA offer?
-The capability to quickly block new email-based blended attacks -The capability to control or encrypt sensitive outbound email -A rapid spam capture rate and few false positives -A proven zero-hour antivirus solution
All firewalls should have what properties?
-The firewall itself must be resistant to attack; otherwise, it would allow an attacker to disable the firewall or change its access rules. -All traffic between security domains must flow through the firewall. This prevents a backdoor connection that could be used to bypass the firewall, violating the network access policy. -A firewall must have traffic-filtering capabilities.
What are features that may be included in a next generation firewall are what?
-URL filtering -application visibility and control -context awareness -intrusion prevention system -advanced malware protection
What are possible destinations for logging messages?
-console monitor -memory buffer -syslog server -SNMP traps -flash memory
What is the cloud responsible for in AMP for endpoints function?
-detection publishing -large-scale data processing -decision making that's performed real-time -reporting
What do historical perspectives from AMP for endpoints give visibility into?
-file trajectory -device trajectory
What are the three common zones for a firewall deployment?
-inside -outside -DMZ
What are the three models of IBNS deployment?
-monitor (open) mode -low-impact mode -high-security (closed) mode
How are named ACLs used in 802.1X?
-named ACLs configured on WLCs -RADIUS server authenticates the 802.1X user and informs the WLC which local ACL to use
What are traditional endpoint security products?
-personal firewalls -antivirus -antispyware -malware analysis and protection
What protective measures can be provided by firewalls?
-reducing exposure of sensitive hosts and applications to untrusted users -protection of protocol flaw exploitation
What are the benefits of cryptographic VPNS?
-security -scalability -compatibility with broadband technology -cost savings
What can you block malicious network connection based on, when using AMP for endpoints?
-security intelligence feeds -custom IP blacklists
What are the limitations of firewalls?
-single point of failure -can introduce bottlenecks -cannot control data paths that circumvent them -users may find ways to bypass security policies -generally firewalls only provide protection between network security zones, not within them
What roles do network devices have in 802.1X?
-supplicant -authenticator -authentication server
What is logging needed for?
-troubleshooting -policy-compliance auditing