26 - Understanding Enterprise Network Security Architecture Flashcards
What is the name for the multitude of types of threats and sources to the enterprise network?
Threatscape
A weakness that compromises either the security or functionality of a system. Weak or easily guessed passwords are considered this.
Vulnerability
The mechanism that is used to leverage a vulnerability to compromise the security or functionality of a system.
Exploit
Any circumstance or event with the potential to cause harm to an asset in the form of destruction, disclosure, adverse modification of data, or DoS. An example of a __ is malicious software that targets workstations
Threat
The likelihood that a particular threat using a specific attack will exploit a particular vulnerability of an asset that results in an undesirable consequence.
Risk
Attacks that attempt to consume all of a critical computer or network resource in order to make it unavailable for valid use
DoS/DDoS
An attacker injects traffic that appears to be sourced from a system other than the attacker's own system. __ is not specifically an attack but can be incorporated into various types of attacks
Spoofing
A type of DoS attack in which the attacker sends a flood of protocol request packets to various IP hosts. The attacker spoofs the IP address of the intended target. The IP hosts that receive these packets become "reflectors". The reflectors respond by sending response packets to the spoofed address (the target), thus flooding the unsuspecting target.
Reflection
Manipulating people and capitalising on expected behaviours
Social engineering
Common social engineering technique. Typically, a __ email pretends to be from a large, legitimate organisation. The goal is to get the victim to enter personal information such as account numbers, social security numbers, usernames or passwords.
Phishing
The attacker will try to access a protected resource by obtaining a user's password. Methods include guessing, brute force, and dictionary attacks.
Password attacks
An attempt to learn more about the intended victim before attempting a more intrusive attack.
Reconnaissance attacks
When an attacker provides input that is larger than expected, and the service accepts the input and writes it to memory, filling up the associated buffer and overwriting adjacent memory. This may corrupt the system and cause it to crash, resulting in a DoS.
Buffer overflow attacks
Generally, in these attacks, a system that has the ability to view the communication between two systems imposes itself in the communication path between those other systems.
Man in the middle attacks
Malicious software that comes in several forms, including viruses, worms and trojan horses.
Malware
Refers to the means by which data leaves the organisation without authorisation. While not a direct attack itself, it is a major security concern in the enterprise network.
Vector of data loss and exfiltration
An __ is a system that performs deep analysis of network traffic, searching for signs of suspicious or malicious behaviour. If it detects such behaviour, the __ can take protective action. Because it can perform deep packet analysis, an __ can complement a firewall by blocking attacks that would normally pass through a traditional firewall device.
IPS
There are several methods of traffic inspection that are used in various IPSs:
- signature-based inspection
- anomaly-based inspection
This traffic inspection method examines the packet headers or data payloads in network traffic and compares the data against a database of known attack signatures
signature-based inspection
This traffic inspection method observes network traffic and acts if a network event outside normal network behaviour is detected
anomaly-based inspection
What are the three types of anomaly-based network IPS?
- statistical anomaly detection (network behaviour analysis)
- protocol verification
- Policy-based inspection
___ – observes network traffic over time and builds a statistical profile of normal traffic behaviour based on communication patterns, traffic rate, mixture of protocols and traffic volume. After a normal profile has been established, statistical anomaly detection systems detect or prevent activity that violates the normal profile
statistical anomaly detection (network behaviour analysis)
___ – observes network traffic and compares the network, transport and application layer protocols that are used inside network traffic to protocol standards. If a deviation from standards-based protocol behaviour is detected, the system takes action.
protocol verification
____ – a policy-based IPS analyses network traffic and takes action if it detects a network event outside a configured traffic policy.
Policy-based inspection
A __ carries private traffic over a public or shared infrastructure (such as the internet).
VPN
___ scrambles data into what appears as random strings of characters, converting the data to ciphertext. Only the destination device can decipher the information.
Encryption
Encryption can be implemented with one of the two following methods:
- Link encryption – the entire frame is encrypted between two devices; this is used on point-to-point connections between directly connected devices
- Packet payload encryption – only the packet payload is encrypted, which allows this form of encryption to be routed across a L3 network, such as the internet.
To be effective, a cryptographic VPN must provide:
- Confidentiality – the assurance that no one except the intended recipient can read the data traversing the VPN
- Origin authentication – the assurance that the end point entities are legitimate (who they claim to be)
- Data integrity – the assurance that data traversing the VPN has not been altered in transit, intentionally, or unintentionally.
Cisco ___ simplifies the provisioning and management of secure access to network services and applications. Compared to access control mechanisms that are based on network topology, Cisco __ defines policies using logical policy grouping, so secure access is consistently maintained even as resources are moved in mobile and virtualised networks.
TrustSec
Cisco TrustSec encompasses ___ and the IEEE MAC security standard (MACsec)
Security Group Tags (SGTs)
By classifying traffic based on the contextual ___ of the endpoint instead of its source IP, Cisco TrustSec enables more flexible access controls for dynamic networking environments and data centres.
identity
The features that are associated with SGTs on the network devices can be broken into three categories:
• Classification – the assignment of an SGT to an IP address. This can be done either dynamically or statically
• Transport – SGT mappings follow the traffic through the network. This can be done either through inline tagging or the SGT eXchange Protocol (SXP)
  - Inline – the SGT is embedded in the Ethernet frame. Not all devices support this
  - SXP – used to transport SGT mappings across devices that do not support inline tagging
• Enforcement – implementing permit or deny policy decisions based on the source and destination SGTs. This can be accomplished with SGACLs on switching platforms and SGFW on routing and firewall platforms.
__ is an IEEE 802.1AE standards-based L2 hop-to-hop encryption that provides data confidentiality and integrity for media access independent protocols
MACsec
MACsec provides MAC-layer __ over wired networks. MACsec uses out-of-band methods for encryption keying. Required session keys are provided, and encryption keys managed, by the MACsec Key Agreement (MKA) protocol. After successful authentication, MKA and MACsec are implemented using the 802.1X Extensible Authentication Protocol (EAP) framework.
encryption
Cisco ___ is characterised by a suite of services that are embedded in Cisco Catalyst switches or Cisco WLCs.
Identity-Based Networking Services (IBNS)
Cisco Identity Services Engine (ISE) uses infrastructure services provided by switches and WLCs to allow you to implement the following:
- Strong authentication using 802.1X, MAB and web authentication
- Policy-based authorisation via downloadable ACLs (dACLs) or VLAN assignment
- Broad client supplicant support
Cisco __ is an architecture based on several Cisco technologies, including Catalyst switches, WLCs and ISE.
IBNS
802.1X provides port-based authentication. Network devices have the following roles:
- Supplicant – endpoint 802.1X-compliant software service. It communicates with the NAD authenticator to request network access
- Authenticator – controls access to the network, based on client authentication status. Endpoints authenticate to the authentication server via EAP. NAD authenticators act as an intermediary proxy between client and authentication server.
- Authentication server – performs client authentication. The authentication server validates client identity and notifies NAD authenticators of client authorisation status.
After successful 802.1X/EAP authentication, the user can be authorised onto a specific VLAN. This ___ is configured on the Cisco ISE RADIUS service and communicated in a RADIUS Access-Accept message. While typically used to assign a VLAN upon successful authentication, it can also be used when authentication fails, for example to place the user in a guest VLAN.
Dynamic VLAN
When a client successfully authenticates, and no dynamic VLAN is assigned by the authentication server, this __ is used.
Default VLAN
___ ACLs provide differentiated access for wireless users. __ ACLs are configured locally on the WLC. You merely reference this ACL in a Cisco ISE authorisation policy.
Named
___ can provide different levels of access to 802.1X-authenticated users. The RADIUS server authenticates 802.1X-connected users. Based on user identity, it retrieves ACL attributes and sends them to the switch. The switch applies the attributes to the 802.1X port for the duration of the user session.
Downloadable ACLs (dACL)
___ ACLs are configured on Cisco ISE and pushed down to the switch during the authentication/authorisation process. __ ACLs are configured locally on the WLC and are referenced in the Cisco ISE authorisation policy.
Downloadable ACLs (dACL), named
The __ mode of the 802.1X port determines whether more than one client can be authenticated on the port and how authentication will be enforced.
host
You can configure an 802.1X port to use any of these four host modes.
- Single host
- Multiple host mode
- Multiple domain authentication mode
- Multiple Authentication mode
__ host mode – Only one device (MAC) can connect. A second client causes the port to enter the unauthorised state
Single
__ host mode – One device (first MAC) authenticated. All subsequent devices get access based on the first device authentication
Multiple host
___ mode – allows an IP phone and a single host behind the IP phone to authenticate independently. Multidomain refers to the two domains (data and voice VLAN).
Multiple domain authentication
___ mode – allows one 802.1X or MAB client on the voice VLAN. Also allows multiple authenticated clients on the data VLAN.
Multiple Authentication
The AAA framework uses __ messages to dynamically modify active subscriber sessions. For example, RADIUS attributes in __ messages might instruct the framework to create, modify, or terminate a subscriber service.
Change of Authorisation (CoA)
The 802.1X protocol is supported on L2 static access ports, including wired switchports and wireless access points. It is also supported on voice VLAN ports and L3 routed ports. It is not supported on these port types:
- Trunk ports
- Dynamic ports
- Dynamic access ports
- EtherChannel
____ is an alternative authentication method that can be used when devices do not support other authentication methods (such as 802.1X)
MAC Authentication Bypass (MAB)
MAB has the following characteristics:
- Uses the MAC address as both username and password
- Basic authentication for endpoints incapable of 802.1X
- No authentication or encryption; easily spoofed.
MAB enables visibility and security, but also has the following limitations that your design must take into consideration:
- MAC database – must have a pre-existing database of MAC addresses
- Delay – when used as a fallback mechanism to 802.1X, MAB waits for 802.1X to time out before validating the MAC address
- No user authentication – only authenticates devices, not users
- Strength – MAB is not a strong authentication method.
When guests, contractors or employees connect to the enterprise network they may not be able to use 802.1X authentication. An identity-based authentication that can be used in these cases is __.
Web Authentication (WebAuth).
__ is typically used to allow guest network access via HTTP/HTTPS.
WebAuth
The web authentication process has two authorisation assignments:
- Initial authorisation assignment restricts traffic
  a. Only web authentication is permitted
  b. Other traffic is redirected to the authentication web page (portal)
- After successful authentication, the appropriate network access is provided.
Web authentication using Cisco ISE supports four scenarios:
- NAD with Central webauth
- WLC with Local WebAuth
- Wired NAD with Local WebAuth
- Device registration WebAuth
___ webauth – the user is redirected to the Cisco ISE web service for authentication. The authentication is performed on Cisco ISE. ISE sends a Change of Authorisation to the NAD after authentication.
NAD with Central
___ WebAuth – The user logs in and is directed to the WLC, the WLC then redirects the user to the Guest portal
WLC with Local
___ WebAuth – the Guest User Login portal redirects the guest user login to the switch. The login request is in the form of an HTTPS URL that is posted to the switch and contains the user credentials. The switch receives the user login request and authenticates the user through a RADIUS server that points to Cisco ISE.
Wired NAD with Local
___ WebAuth – the user connects to the network over a wireless connection. An initial MAB request is sent to Cisco ISE. If the user's MAC address is not in the endpoint identity store, Cisco ISE responds with a URL redirection authorisation profile. The URL redirection presents the user with an acceptable use policy page when the user attempts to browse to any URL.
Device registration