26 - Understanding Enterprise Network Security Architecture Flashcards

1
Q

What is the name for the multitude of types of threats and sources to the enterprise network?

A

Threatscape

2
Q

A weakness that compromises either the security or the functionality of a system. Weak or easily guessed passwords are an example of this.

A

Vulnerability

3
Q

The mechanism that is used to leverage a vulnerability to compromise the security or functionality of a system.

A

Exploit

4
Q

Any circumstance or event with the potential to cause harm to an asset in the form of destruction, disclosure, adverse modification of data, or denial of service (DoS). An example of a __ is malicious software that targets workstations.

A

Threat

5
Q

The likelihood that a particular threat using a specific attack will exploit a particular vulnerability of an asset that results in an undesirable consequence.

A

Risk

6
Q

Attacks that attempt to consume all of a critical computer or network resource in order to make it unavailable for valid use.

A

DoS/DDoS

7
Q

An attacker injects traffic that appears to be sourced from a system other than the attacker’s own. __ is not specifically an attack in itself, but it can be incorporated into various types of attack.

A

Spoofing

8
Q

A type of DoS attack in which the attacker sends a flood of protocol request packets to various IP hosts, spoofing the source IP address so that it is the address of the intended target. The IP hosts that receive these packets become “reflectors”: they send their response packets to the spoofed address (the target), flooding the unsuspecting target. The effect is amplified when the protocol’s responses are larger than its requests.

A

Reflection

9
Q

Manipulating people and capitalising on expected behaviours

A

Social engineering

10
Q

Common social engineering technique. Typically, a __ email pretends to be from a large, legitimate organisation. The goal is to get the victim to enter personal information such as account numbers, social security numbers, usernames or passwords.

A

Phishing

11
Q

The attacker tries to access a protected resource by obtaining a user’s password. Methods include guessing, brute-force attacks, and dictionary attacks.

A

Password attacks

12
Q

An attempt to learn more about the intended victim before attempting a more intrusive attack.

A

Reconnaissance attacks

13
Q

An attacker provides input that is larger than expected; the service accepts the input and writes it to memory, filling the associated buffer and overwriting adjacent memory. This may corrupt the system and cause it to crash, resulting in a DoS; where the overwritten memory is under the attacker’s control it can also lead to arbitrary code execution.

A

Buffer overflow attacks

14
Q

Generally, in these attacks, a system that is able to view the communication between two other systems inserts itself into the communication path between them, so that it can read or alter the traffic.

A

Man in the middle attacks

15
Q

Malicious software that comes in several forms, including viruses, worms and trojan horses.

A

Malware

16
Q

The means by which data leaves the organisation without authorisation. While not a direct attack in itself, this is a major security concern in the enterprise network.

A

Vectors of data loss and exfiltration

17
Q

An __ is a system that performs deep analysis of network traffic, searching for signs of suspicious or malicious behaviour. If it detects such behaviour, the __ can take protective action. Because it can perform deep packet analysis, an __ can complement a firewall by blocking attacks that would normally pass through a traditional firewall device.

A

IPS

18
Q

There are several methods of traffic inspection that are used in various IPSs:

A
  • signature-based inspection
  • anomaly-based inspection

19
Q

This traffic inspection method examines the packet headers or data payloads in network traffic and compares them against a database of known attack signatures.

A

signature-based inspection

20
Q

This traffic inspection method observes network traffic and acts if a network event outside normal network behaviour is detected

A

anomaly-based inspection

21
Q

What are the three types of anomaly-based network IPS?

A
  • statistical anomaly detection (network behaviour analysis)
  • protocol verification
  • policy-based inspection

22
Q

___ – observes network traffic over time and builds a statistical profile of normal traffic behaviour based on communication patterns, traffic rate, mixture of protocols and traffic volume. After a normal profile has been established, statistical anomaly detection systems detect or prevent activity that violates the normal profile.

A

statistical anomaly detection (network behaviour analysis)

23
Q

___ – observes network traffic and compares the network, transport and application layer protocols used inside it against the protocol standards. If a deviation from standards-based protocol behaviour is detected, the system takes action.

A

protocol verification

24
Q

____ – a policy-based IPS analyses network traffic and takes action if it detects a network event outside a configured traffic policy.

A

Policy-based inspection
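
The signature-based, policy-based and statistical anomaly (network behaviour analysis) inspection methods from cards 18 to 24, implemented together as a small Python engine. This is an added example, not code from the flashcards or from any IPS vendor: the signature patterns, the allowed-port policy, the rate and protocol-share thresholds and all of the traffic records are constructed for illustration, and protocol verification is not modelled.

```python
"""Toy IPS engine implementing three of the inspection methods on this page:
signature-based, policy-based and statistical anomaly (network behaviour
analysis) detection.  Added example over constructed traffic records; the
signatures, policy and thresholds are illustrative, not a vendor's rule set."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    payload: bytes


# Signature-based: compare headers/payload against a database of known patterns.
SIGNATURES = {                                   # constructed signature database
    "shell-exec": re.compile(rb"(?i)/bin/(ba)?sh\b"),
    "sqli-union": re.compile(rb"(?i)union\s+select"),
}


def signature_inspect(pkt: Packet) -> list[str]:
    """Names of the signatures whose pattern occurs in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]


# Policy-based: anything outside the configured traffic policy is an event.
POLICY = {"tcp": {22, 80, 443}, "udp": {53, 123}, "icmp": {0}}   # allowed dports per protocol


def policy_inspect(pkt: Packet) -> bool:
    """True when the packet falls outside the configured policy."""
    return pkt.dport not in POLICY.get(pkt.proto, set())


class BehaviourProfile:
    """Statistical anomaly detection: learn per-host packet rate and protocol
    mix from normal traffic, then flag windows that violate that profile."""

    def __init__(self, rate_factor: float = 3.0, min_share: float = 0.05):
        self.rate_factor = rate_factor   # tolerated multiple of the baseline packet rate
        self.min_share = min_share       # protocols below this share of a host's mix are unusual
        self.rate: dict[str, float] = {}
        self.mix: dict[str, Counter] = {}

    def learn(self, windows: list[list[Packet]]) -> None:
        """Build the baseline from windows of known-normal traffic."""
        totals: Counter = Counter()
        for window in windows:
            for p in window:
                totals[p.src] += 1
                self.mix.setdefault(p.src, Counter())[p.proto] += 1
        self.rate = {host: n / len(windows) for host, n in totals.items()}

    def detect(self, window: list[Packet]) -> list[str]:
        """Alerts for hosts whose behaviour in this window deviates from the profile."""
        alerts = []
        for host, n in Counter(p.src for p in window).items():
            baseline = self.rate.get(host)
            if baseline is None:
                alerts.append(f"{host}: no baseline for this host")
                continue
            if n > self.rate_factor * baseline:
                alerts.append(f"{host}: {n} packets exceeds {self.rate_factor}x baseline {baseline:.1f}")
            seen = sum(self.mix[host].values())
            for proto, k in Counter(p.proto for p in window if p.src == host).items():
                if self.mix[host][proto] / seen < self.min_share:
                    alerts.append(f"{host}: unusual protocol {proto} ({k} packets)")
        return alerts


def _window(host: str, n_tcp: int, n_udp: int = 0, n_icmp: int = 0) -> list[Packet]:
    """Constructed traffic window for one host."""
    return ([Packet(host, "tcp", 443, b"GET / HTTP/1.1")] * n_tcp
            + [Packet(host, "udp", 53, b"\x12\x34\x01\x00")] * n_udp
            + [Packet(host, "icmp", 0, b"ping")] * n_icmp)


NORMAL_WINDOWS = [_window("10.1.1.10", 20, 4) for _ in range(5)]   # constructed baseline traffic


def run_demo() -> dict:
    profile = BehaviourProfile()
    profile.learn(NORMAL_WINDOWS)
    suspect = _window("10.1.1.10", 200, 4, 30)   # 10x the usual rate plus ICMP never seen before
    injection = Packet("10.1.1.10", "tcp", 80, b"id=1 UNION SELECT user,pass FROM t")
    off_policy = Packet("10.1.1.10", "tcp", 4444, b"")
    return {
        "signatures": signature_inspect(injection),
        "policy_violation": policy_inspect(off_policy),
        "anomalies": profile.detect(suspect),
    }
```

The three methods fail in different ways, which is why real IPSs combine them: the signature check misses anything not in its database, the policy check is only as good as the configured port list, and the behaviour profile raises an alert for a host it has never seen, so the baseline must be learned from traffic that is known to be clean.
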

25
Q

A __ carries private traffic over a public or shared infrastructure (such as the internet).

A

VPN

26
Q

___ scrambles data into what appears to be random strings of characters, converting the data to ciphertext. Only the destination device, which holds the corresponding key, can decipher the information.

A

Encryption

27
Q

Encryption can be implemented with one of the two following methods:

A
  • Link encryption – entire frame is encrypted between two devices, this is used on point-to-point connections of directly connected devices
  • Packet payload encryption – only the packet payload is encrypted, which allows this form of encryption to be routed across a L3 network, such as the internet.
28
Q

To be effective, a cryptographic VPN must provide:

A
  • Confidentiality – the assurance that no one except the intended recipient can read the data traversing the VPN
  • Origin authentication – the assurance that the end point entities are legitimate (who they claim to be)
  • Data integrity – the assurance that data traversing the VPN has not been altered in transit, intentionally, or unintentionally.
29
Q

Cisco ___ simplifies the provisioning and management of secure access to network services and applications. Compared to access control mechanisms that are based on network topology, Cisco __ defines policies using logical policy grouping, so secure access is consistently maintained even as resources are moved in mobile and virtualised networks.

A

TrustSec

30
Q

Cisco TrustSec encompasses ___ and the IEEE MAC security standard (MACsec).

A

Security Group Tags (SGTs)

31
Q

By classifying traffic based on the contextual ___ of the endpoint instead of its source IP, Cisco TrustSec enables more flexible access controls for dynamic networking environments and data centres.

A

identity

32
Q

The features that are associated with SGTs on the network devices can be broken into three categories:

A

  • Classification – the assignment of an SGT to an IP address. This can be done either dynamically or statically.
  • Transport – SGT mappings follow the traffic through the network, either through inline tagging or through the SGT eXchange Protocol (SXP).
    o Inline – the SGT is embedded in the Ethernet frame. Not all devices support this.
    o SXP – used to transport IP-to-SGT mappings across devices that do not support inline tagging.
  • Enforcement – implementing permit or deny policy decisions based on the source and destination SGTs. This can be accomplished with SGACLs on switching platforms and SGFW on routing and firewall platforms.
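
The three SGT feature categories above (classification, transport via inline tagging or SXP, and enforcement with an SGACL matrix), modelled in an added Python example. This is not Cisco code: the SGT numbers, addresses, the `Switch`/`Frame` objects, the `sxp_export`/`sxp_import` methods and the SGACL matrix are all constructed to show how a policy keyed on identity rather than IP survives an endpoint moving address.

```python
"""Minimal model of the three SGT feature categories: classification (IP -> SGT),
transport (inline tag or SXP mapping exchange) and enforcement (SGACL matrix).
Added example with constructed tag numbers and addresses; real SGT/SXP/SGACL
behaviour on Cisco platforms is richer than this."""
from __future__ import annotations
from dataclasses import dataclass, field

# Classification: SGT values assigned to classes of endpoint (constructed numbering).
SGT = {"Employee": 10, "Contractor": 20, "Finance_Server": 30, "Unknown": 0}


@dataclass
class Frame:
    src_ip: str
    dst_ip: str
    sgt: int | None = None      # inline tag carried in the frame (None if the sender cannot tag)


@dataclass
class Switch:
    """An enforcement point that either reads inline tags or learns IP->SGT via SXP."""
    name: str
    inline_capable: bool
    mappings: dict[str, int] = field(default_factory=dict)   # IP -> SGT, static or learned

    def classify(self, ip: str, sgt: int) -> None:
        """Static or dynamic classification: bind an SGT to an endpoint IP."""
        self.mappings[ip] = sgt

    def sxp_export(self) -> dict[str, int]:
        """SXP speaker: advertise this device's IP->SGT bindings to a listener."""
        return dict(self.mappings)

    def sxp_import(self, bindings: dict[str, int]) -> None:
        """SXP listener: learn bindings from a peer that cannot send inline tags."""
        self.mappings.update(bindings)

    def forward(self, frame: Frame) -> Frame:
        """Transport: tag the frame inline if this device can and knows the source's SGT."""
        if self.inline_capable and frame.sgt is None:
            frame.sgt = self.mappings.get(frame.src_ip, SGT["Unknown"])
        return frame

    def enforce(self, frame: Frame, sgacl: dict[tuple[int, int], str]) -> bool:
        """Enforcement: resolve source and destination SGTs, consult the SGACL matrix."""
        src = frame.sgt if frame.sgt is not None else self.mappings.get(frame.src_ip, SGT["Unknown"])
        dst = self.mappings.get(frame.dst_ip, SGT["Unknown"])
        return sgacl.get((src, dst), "deny") == "permit"      # default-deny for unlisted cells


# Constructed SGACL matrix: (source SGT, destination SGT) -> action.
SGACL = {
    (SGT["Employee"], SGT["Finance_Server"]): "permit",
    (SGT["Contractor"], SGT["Finance_Server"]): "deny",
}


def demo() -> dict[str, bool]:
    access = Switch("access-1", inline_capable=False)   # older switch, no inline tagging
    dc = Switch("dc-1", inline_capable=True)
    # Classification at the access layer (e.g. the result of an ISE authorisation).
    access.classify("10.1.1.10", SGT["Employee"])
    access.classify("10.1.1.20", SGT["Contractor"])
    dc.classify("10.9.9.5", SGT["Finance_Server"])
    # Transport: the access switch cannot tag inline, so its bindings travel over SXP.
    dc.sxp_import(access.sxp_export())
    results = {}
    for label, src in (("employee", "10.1.1.10"), ("contractor", "10.1.1.20"), ("unknown", "10.1.1.99")):
        frame = access.forward(Frame(src, "10.9.9.5"))     # leaves the access switch untagged
        frame = dc.forward(frame)                          # DC switch tags it from the SXP-learned map
        results[label] = dc.enforce(frame, SGACL)
    # The policy follows the employee to a new address once the endpoint is reclassified.
    access.classify("10.2.2.10", SGT["Employee"])
    dc.sxp_import(access.sxp_export())
    results["employee_moved"] = dc.enforce(dc.forward(Frame("10.2.2.10", "10.9.9.5")), SGACL)
    return results
```

Note that the SGACL matrix never mentions an IP address: when the employee moves from 10.1.1.10 to 10.2.2.10 only the classification changes, and an endpoint with no binding at all falls into the Unknown tag and hits the default-deny cell.
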

33
Q

__ is an IEEE 802.1AE standards-based L2 hop-to-hop encryption that provides data confidentiality and integrity for media-access-independent protocols.

A

MACsec

34
Q

MACsec provides MAC-layer __ over wired networks. MACsec uses out-of-band methods for encryption keying: the MACsec Key Agreement (MKA) protocol provides the required session keys and manages the encryption keys. After successful authentication, MKA and MACsec are implemented using the 802.1X Extensible Authentication Protocol (EAP) framework.

A

encryption

35
Q

Cisco ___ is characterised by a suite of services that are embedded in Cisco Catalyst switches or Cisco WLCs.

A

Identity-Based Networking Services (IBNS)

36
Q

Cisco Identity Services Engine (ISE) uses infrastructure services provided by switches and WLCs to allow you to implement the following:

A
  • Strong authentication using 802.1X, MAB and web authentication
  • Policy-based authorisation via downloadable ACLs (dACLs) or VLAN assignment
  • Broad client supplicant support
37
Q

Cisco __ is an architecture based on several Cisco technologies, including Catalyst switches, WLCs and ISE.

A

IBNS

38
Q

802.1X provides port-based authentication. Network devices have the following roles:

A
  • Supplicant – 802.1X-compliant software on the endpoint. It communicates with the NAD (the authenticator) to request network access.
  • Authenticator – the NAD; it controls access to the network based on the client’s authentication status. Endpoints authenticate to the authentication server via EAP, with the NAD acting as an intermediary proxy between client and authentication server.
  • Authentication server – performs client authentication. It validates the client’s identity and notifies the NAD of the client’s authorisation status.
39
Q

After successful 802.1X/EAP authentication, the user can be authorised onto a specific VLAN. This ___ is configured on the Cisco ISE RADIUS service and communicated in a RADIUS Access-Accept message. While typically used to assign a VLAN upon successful authentication, it can also be used when authentication fails, for example to place the endpoint in a guest VLAN.

A

Dynamic VLAN

40
Q

When a client successfully authenticates and no dynamic VLAN is assigned by the authentication server, the __ is used.

A

Default VLAN

41
Q

___ ACLs provide differentiated access for wireless users. __ ACLs are configured locally on the WLC; you merely reference the ACL in a Cisco ISE authorisation policy.

A

Named

42
Q

___can provide different levels of access to 802.1X-authenticated users. The RADIUS server authenticates 802.1X-connected users. Based on user identity, it retrieves ACL attributes and sends them to the switch. The switch applies attributes to the 802.1X port during the user session.

A

Downloadable ACLs (dACL)

43
Q

___ ACLs are configured on Cisco ISE and pushed down to the switch during the authentication/authorisation process. __ ACLs are configured locally on the WLC and are referenced in the Cisco ISE authorisation policy.

A

Downloadable ACLs (dACL), named

44
Q

The __ mode of the 802.1X port determines whether more than one client can be authenticated on the port and how authentication will be enforced.

A

host

45
Q

You can configure an 802.1X port to use any of these four host modes:

A
  1. Single host mode
  2. Multiple host mode
  3. Multiple domain authentication mode
  4. Multiple authentication mode
46
Q

__ host mode – only one device (MAC address) can connect. A second client causes the port to enter the unauthorised state.

A

Single

47
Q

__ host mode – one device (the first MAC address) is authenticated. All subsequent devices get access based on the first device’s authentication.

A

Multiple host

48
Q

___ mode – allows an IP phone and a single host behind the IP phone to authenticate independently. Multidomain refers to the two domains (the data VLAN and the voice VLAN).

A

Multiple domain authentication

49
Q

___ mode – allows one 802.1X or MAB client on the voice VLAN and multiple authenticated clients on the data VLAN.

A

Multiple Authentication
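
The admission rule of each of the four host modes (cards 44 to 49), written out as an added Python example. This is a simplification for illustration, not Cisco IOS behaviour: the `Port` object, the `connect` function and the sequence of endpoints in `demo` are constructed, and details such as error-disable timers and re-authentication are left out.

```python
"""Port admission logic for the four 802.1X host modes.  Added example; a
simplified model of switch behaviour, not Cisco IOS code."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class HostMode(Enum):
    SINGLE = "single-host"
    MULTI_HOST = "multi-host"
    MULTI_DOMAIN = "multi-domain"
    MULTI_AUTH = "multi-auth"


@dataclass
class Port:
    mode: HostMode
    authenticated: set[str] = field(default_factory=set)   # MACs that passed 802.1X/MAB
    admitted: set[str] = field(default_factory=set)        # MACs allowed to send
    voice: set[str] = field(default_factory=set)           # MACs admitted to the voice VLAN
    unauthorised: bool = False                             # single-host violation state


def connect(port: Port, mac: str, authenticated: bool, is_phone: bool = False) -> bool:
    """Apply the host-mode rule to a new MAC on the port; True if it is admitted."""
    if port.unauthorised:
        return False
    if port.mode is HostMode.SINGLE:
        # Only one MAC; a second one, authenticated or not, puts the port in the unauthorised state.
        if port.admitted and mac not in port.admitted:
            port.unauthorised = True
            port.admitted.clear()
            return False
        return _admit(port, mac, authenticated)
    if port.mode is HostMode.MULTI_HOST:
        # The first MAC must authenticate; every later MAC rides on that authentication.
        if port.admitted:
            port.admitted.add(mac)
            return True
        return _admit(port, mac, authenticated)
    if port.mode is HostMode.MULTI_DOMAIN:
        # One device in the voice domain and one in the data domain, each authenticated itself.
        domain = port.voice if is_phone else port.admitted - port.voice
        if domain and mac not in domain:
            return False
        return _admit(port, mac, authenticated, is_phone)
    # MULTI_AUTH: one authenticated client on the voice VLAN, any number on data, each authenticated.
    if is_phone and port.voice and mac not in port.voice:
        return False
    return _admit(port, mac, authenticated, is_phone)


def _admit(port: Port, mac: str, authenticated: bool, is_phone: bool = False) -> bool:
    if not authenticated:
        return False
    port.authenticated.add(mac)
    port.admitted.add(mac)
    if is_phone:
        port.voice.add(mac)
    return True


def demo(mode: HostMode) -> list[bool]:
    """Constructed arrival order on one port: phone p1, authenticated hosts h1 and h2,
    then h3, which fails authentication.  Returns the admission result for each."""
    port = Port(mode)
    return [connect(port, "p1", True, is_phone=True),
            connect(port, "h1", True),
            connect(port, "h2", True),
            connect(port, "h3", False)]
```

Running `demo` for each mode gives the four distinct outcomes the cards describe: single-host admits only the phone and then locks the port, multi-host admits everything behind the first authenticated device (including the host that failed authentication, which is why that mode is rarely appropriate), multi-domain admits exactly one phone and one host, and multi-auth admits every host that authenticates on its own.
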

50
Q

The AAA framework uses __ messages to dynamically modify active subscriber sessions. For example, RADIUS attributes in __ messages might instruct the framework to create, modify, or terminate a subscriber service.

A

Change of Authorisation (CoA)

51
Q

The 802.1X protocol is supported on L2 static access ports, including wired switchports and wireless access points. It is also supported on voice VLAN ports and L3 routed ports. It is not supported on these port types:

A
  • Trunk ports
  • Dynamic ports
  • Dynamic access ports
  • EtherChannel
52
Q

____is an alternative authentication method that can be used when devices do not support other authentication methods (802.1X)

A

MAC Authentication Bypass (MAB)

53
Q

MAB has the following characteristics:

A
  • Uses the MAC address as both username and password
  • Basic authentication for endpoints incapable of 802.1X
  • No user authentication and no encryption; MAC addresses are easily spoofed
54
Q

MAB enables visibility and security, but also has the following limitations that your design must take in to consideration:

A
  • MAC database – there must be a pre-existing database of MAC addresses
  • Delay – when used as a fallback mechanism to 802.1X, MAB waits for 802.1X to time out before validating the MAC address
  • No user authentication – only authenticates devices, not users
  • Strength – MAB is not a strong authentication method
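
The three 802.1X roles and the authorisation attributes returned in Access-Accept (cards 38 to 43: dynamic VLAN, default VLAN and downloadable ACL) together with the MAB fallback and its limitations (cards 52 to 54), modelled in one added Python example. This is not ISE or IOS code and no real EAP method or RADIUS encoding is implemented: the user database, MAC database, policy, the `dACL` attribute key (a stand-in for the Cisco AV-pairs a real dACL is carried in) and the endpoints in `demo` are all constructed, and the 30 s `tx_period` with 2 retries is an assumption about switch defaults rather than something the cards state.

```python
"""Toy model of the 802.1X roles, the authorisation attributes in Access-Accept
(dynamic VLAN, default VLAN, dACL) and the MAB fallback for endpoints with no
supplicant.  Added example: user/MAC databases, policy, timers and attribute
names are constructed; this mimics RADIUS, it is not ISE/IOS code."""
from __future__ import annotations
import hmac
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    mac: str
    identity: str | None = None   # None: no 802.1X supplicant (e.g. a printer)
    secret: str | None = None


@dataclass
class AccessResponse:
    accepted: bool
    attributes: dict = field(default_factory=dict)   # RADIUS attribute-value pairs


class AuthenticationServer:
    """RADIUS/ISE role: validates the client and returns the authorisation."""

    def __init__(self, users: dict[str, str], mac_db: set[str], policy: dict[str, dict]):
        self._users, self._mac_db, self._policy = users, {m.lower() for m in mac_db}, policy

    def access_request(self, username: str, password: str, mab: bool = False) -> AccessResponse:
        if mab:
            # MAB: username and password are both the MAC and only database membership is
            # checked, so a cloned MAC is indistinguishable from the genuine device.
            ok = username.lower() == password.lower() and username.lower() in self._mac_db
        else:
            secret = self._users.get(username)
            ok = secret is not None and hmac.compare_digest(secret, password)
        if not ok:
            return AccessResponse(False)                                  # Access-Reject
        return AccessResponse(True, dict(self._policy.get(username.lower(), {})))  # Access-Accept


@dataclass
class PortState:
    authorised: bool = False
    method: str = "none"        # "dot1x", "mab" or "none"
    vlan: int | None = None
    acl: list[str] = field(default_factory=list)
    delay_s: int = 0            # simulated seconds before the decision


class Authenticator:
    """NAD role: relays the client's authentication to the server and applies the result."""

    def __init__(self, server: AuthenticationServer, default_vlan: int,
                 tx_period: int = 30, max_reauth_req: int = 2):
        self._server, self.default_vlan = server, default_vlan
        self.tx_period, self.max_reauth_req = tx_period, max_reauth_req   # assumed defaults

    def authenticate(self, ep: Endpoint) -> PortState:
        port = PortState()
        if ep.identity is not None:
            # EAP-Request/Identity is answered; credentials go to the server in Access-Request.
            resp, port.method = self._server.access_request(ep.identity, ep.secret or ""), "dot1x"
        else:
            # No EAP-Response: the request and each retransmission must time out before
            # the switch falls back to MAB, which is the delay card 54 warns about.
            port.delay_s = (self.max_reauth_req + 1) * self.tx_period
            resp, port.method = self._server.access_request(ep.mac, ep.mac, mab=True), "mab"
        if not resp.accepted:
            return port                                   # port stays unauthorised
        port.authorised = True
        # A dynamic VLAN arrives in Access-Accept; without one the port's default VLAN applies.
        port.vlan = int(resp.attributes.get("Tunnel-Private-Group-ID", self.default_vlan))
        port.acl = list(resp.attributes.get("dACL", []))  # pushed by the server for this session
        return port


# Constructed identity store, MAC database and authorisation policy.
SERVER = AuthenticationServer(
    users={"alice": "s3cret-alice"},
    mac_db={"00:11:22:33:44:55"},
    policy={"alice": {"Tunnel-Private-Group-ID": "20",
                      "dACL": ["permit tcp any host 10.0.0.5 eq 443", "deny ip any any"]}},
)   # the printer MAC has no policy entry: accepted by MAB, lands in the default VLAN
NAD = Authenticator(SERVER, default_vlan=10)


def demo() -> dict[str, PortState]:
    return {
        "alice": NAD.authenticate(Endpoint("aa:bb:cc:00:00:01", "alice", "s3cret-alice")),
        "bad_pw": NAD.authenticate(Endpoint("aa:bb:cc:00:00:01", "alice", "wrong")),
        "printer": NAD.authenticate(Endpoint("00:11:22:33:44:55")),
        "unknown": NAD.authenticate(Endpoint("de:ad:be:ef:00:01")),
        "spoofer": NAD.authenticate(Endpoint("00:11:22:33:44:55")),   # attacker cloned the printer MAC
    }
```

Two things to read off the results: the printer and the attacker who clones its MAC produce identical `PortState`s, which is the "easily spoofed" limitation, and every supplicant-less endpoint, legitimate or not, waits the full 802.1X timeout before MAB even runs.
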
55
Q

When guests, contractors or employees connect to the enterprise network they may not be able to use 802.1X authentication. An identity-based authentication that can be used in these cases is __.

A

Web Authentication (WebAuth).

56
Q

__ is typically used to allow guest network access via HTTP/HTTPS.

A

WebAuth

57
Q

The web authentication process has two authorisation assignments:

A
  1. Initial authorisation assignment restricts traffic
    a. Only web authentication permitted
    b. Other traffic is redirected to the authentication web page (portal)
  2. After successful authentication the appropriate network access is provided.
58
Q

Web authentication using Cisco ISE supports four scenarios:

A
  • NAD with Central webauth
  • WLC with Local WebAuth
  • Wired NAD with Local WebAuth
  • Device registration WebAuth
59
Q

___ webauth – the user is redirected to the Cisco ISE web service for authentication. The authentication is performed on Cisco ISE, which sends a Change of Authorisation to the NAD after authentication.

A

NAD with Central

60
Q

___ WebAuth – The user logs in and is directed to the WLC, the WLC then redirects the user to the Guest portal

A

WLC with Local

61
Q

___ WebAuth – the Guest User Login portal redirects the guest user login to the switch. The login request is in the form of an HTTPS URL that is posted to the switch and contains the user credentials. The switch receives the user login request and authenticates the user through a RADIUS server that points to Cisco ISE.

A

Wired NAD with Local

62
Q

___ WebAuth – the user connects to the network over a wireless connection. An initial MAB request is sent to Cisco ISE. If the user’s MAC address is not in the endpoint identity store, Cisco ISE responds with a URL-redirection authorisation profile. The URL redirection presents the user with an acceptable use policy page when the user attempts to browse to any URL.

A

Device registration