AA - General Review FSA Topics

Question 1

Centralized Deployment

Answer 1

Single site architecture - remote sites managed via centralized appliances - Deployed as Layer 3>> No span traffic to remote site Issues: Bandwidth concerns - number of managed switches at remote sites - Microsoft vulnerability compliance

Question 2

Hybrid Deployment

Answer 2

Sites with appliances and sites without appliances Crucial or strategic sites have appliances - Smaller less critical sites, no appliance> but bandwidth concerns

Question 3

Distributed Deployment

Answer 3

• Overall best solution
• Multiple Site appliances
• One to one mapping of site to appliance
• Enhanced IPS and HTTP redirect actions
• utilizes layer 2 (this layer can do threat protection)
• Less bandwidth

Question 4

Location of Appliances

Answer 4

SPAN = Better visibility!

• Place where most valuable traffic can be monitored:

>Internet Access Points (IAP) - Required for consistent HTTP notifications

> Auth and DHCP Traffic - used to clarify unmanageable/unknown endpoints based on activity

> core switches/datacenterd/sesitive zones

• Traffic that should not be monitored

> BAckup Networks (if segregated)

> Encrypted traffic (tunnels)

Question 5

Channel Configuration

Answer 5

Question 6

High Availability - Single Switch

Answer 6

You need visibility into both switches !!!!!

Question 7

High Availability - Redundant Switch Connectivity

Answer 7

Question 8

Quiz - FSA Refresh

Answer 8

Question 9

Initial Discovery

Answer 9

• Packet Engine parses and analyzes mirrored data

> Builds a real-time contextual database - host profile

> MAC address/IP address

> Default discovery policy (Options>Discovery) defines the rules that instruct the appliance on properties to collect even before policy is enables

• Also uses NMAP, DNS and DHCP for additional host properties
• Policies then use the hostp profile information to

> determine device type - what is it

> Whose is it? - Is it a corporate device or guest? BYOD?

> Is it safe to be on the internal network

> control access

Question 10

Policy Irresolvable

Answer 10

Irresolvable: Means host does not meet conditions. Question cannot answer.

Irresolvable: This is our bitbucket for devices that we could not identify clearly. So we can take time workin through them.

Question 11

Policy Folders

Answer 11

1. See
2. 1 Discover
3. 2 Classify
4. 3 Asses
5. 0 Control
6. 0 Orchestrate
7. 0 Informational
8. 0 Policy Rollout Testing

Question 12

Policy Flow - Groups

Answer 12

Ignored IPs: Devices will be still discovered but thei are not going through a policy evalauation

Passive- Learning: Not actively scanning nmap or credentialed scan

Tenable Scanner:In CounterACT you have to do Threat Protection Exemption!!! It’s the first thing that we did as the first thing in the FSCA class. >> Add it to Legitimate Scan. Counteract creates kind or a reactive honeypot. This is why it creates the ghost devices for Maybe the way switches are queried or admission events for go

Question 13

Discover Policy

• Questions
• Conditions

Answer 13

Question 14

Classify Policy

Answer 14

This is where we can look at network devices and printers. What community strings are they using.

Or we break down mobile devices.

Question 15

Assessment Policy

Answer 15

Think about the logic process. If you already have an answer from the first rule do not ask the question again.

Question 16

Control Policy

Answer 16

Question 17

Quiz 2 - FSA Review

Answer 17

Question 18

Quiz 3 - FSA REview

Answer 18

Question 19

NAC - Connection LIfecycle and Access Control Enforcement

Answer 19

ForeSCout NAC:

Instead of (just) 802.1x ForeScout uses: MAR – MAC … Repository. Is more dynamic in nature

Question 20

NAC Pre-Connect Connection LifeCycle Flow

Answer 20

Both the Pre and Post Connect Paradigms are valid approaches to network access control.

> Depending on which is chosen, the specific policy configuration will vary

> Restrictive Control actions will be taken at different point in the policy set

The NAC paradigm should be decided upon prior to policy creation.

Question 21

Post-Connect Connection Lifecycle Flow

Answer 21

Both the Pre and Post Connect Paradigms are valid approaches to network access control.

> Depending on which is chosen, the specific policy configuration will vary

> Restrictive Control actions will be taken at different point in the policy set

The NAC paradigm should be decided upon prior to policy creation.

Question 22

802.1x : One Flavor or Pre-Connect

Answer 22

Instead of RADIUS server in 802.1x Forescout uses Active Directory for Authentication, done by user directory plugin. Thus you do not need to set up a new RADIUS server

Question 23

NAC Paradigm Implications

Answer 23

Both the Pre and Post connect paradigms are valid approaches to network access control

> Depending on which is chosen the specific policy configuration will vary

> Restrictive Control actions will be take at different points in the policy set

! The NAC paradigm should be decided upon prior to policy creation.

Question 24

What is a Policy?

Answer 24

For a single problem, question or situation, a policy is:

1. A set of rules built to evaluate a group of endpoints (identified by the scope and / or main rule)
2. to determine which of multiple possible configuration scenarios (identified by subrules) of the situation each endpoint matches,
3. and to take various actions upon those endpoints

Question 25

Policy example

Answer 25

!! We can only check the state of encryption if the device is managed. Of course if we cannot login to the device we cannot see whether it is there or not.

Irresolvable: We need this additional sub policy because we want to capture all

Recheck: every x hours and new admission event (something about the state of the host has changed e.g. authentication event, dhcp request, reboot, etc) . An admission event is a good reason to recheck.

Question 26

Sub Rules Best Pracices (1)

Answer 26

Question 27

Sub Rules Best Pracices (2)

Answer 27

Question 28

Sub Rules Best Pracices (3)

Answer 28

Question 29

Conditions - Windows

Answer 29

Last Login Event

Question 30

Meeting Condition Criteria

Answer 30

Conditions may include several criteria, i.e., several sets of Boolean endpoint properties. Each condition provides an option to specify which criteria must be met in order for the endpoint to match the policy. You may decide that a match is acceptable:

• If all criteria are true.
• If one criterion is true.
• If all criteria are false.
• If one criterion is false.

Question 31

Property Expression Types

Answer 31

You may want to detect certain properties on endpoints, but may not be certain of the precise property values, for example, the exact spelling of a vendor or precise version information. To help you deal with these situations, several property expression options are available.

• Contains
• Starts or Ends with
• Greater than
• Matches
• Matches expression
• In List (See Defining and Managing Lists)
• Any Value

Question 32

Properties and Scripts

Answer 32

The following properties use scripts:

• Windows Expected Script Result
• Device Interfaces
• Number of IP Addresses
• External Devices
• Windows File MD5 Signature
• Windows Is Behind NAT
• Microsoft Vulnerabilities
• Scripts are not required if the endpoint is managed by SecureConnector.

Question 33

Quiz - Subrules

Answer 33

Question 34

Groups - General_1

Answer 34

Question 35

Groups - General_2

Answer 35

Question 36

Groups - General_3

Answer 36

Question 37

Type of Groups

Answer 37

ProSErv Groups

Manual Groups

Question 38

Policy Recheck Timers and Admission Events

Answer 38

Question 39

List of all possible Admission Events

Answer 39

Question 40

Policy Recheck Timers and Admission Events - Best Practices

Answer 40

Question 41

ProServ Group Structure Expanded - Classify Groups

Answer 41

Question 42

Manual Groups

Answer 42

Question 43

Triggers for Policy Re-Evaluaiton

Answer 43

Question 44

Windows Conditions - Best Practice

Answer 44

Question 45

Control Policies

Answer 45

Question 46

Discover Policies

Answer 46

Question 47

Quiz - Group Policy

Answer 47

Question 48

Quiz - Policy

Answer 48

Question 49

NAC Time Settings

Answer 49

Question 50

Virtual Firewall settings

Answer 50

Default allow rules in the virtual firewall say something like allow secure connector and any authentication servers, or anything that is part of the forescout functionaliy/communication

Question 51

NAC - Redirect Exceptions

Answer 51

Question 52

Configure HTTP Redirect Exception

Answer 52

1. Configure: Options>NAC> HTTP Redirect
2. Apply Exception in “Exceptions” tab: Action> Notify >Http Redirectio to URL> Ecceptions

Question 53

Threat protection whitelisting / Legitimate Scan

Answer 53

Configure in: Options> Threat Protection> Legitimate Scan

Note: Check is set by default for “Enable Auto learn Email servers

Question 54

Quiz - Threat Protection

Answer 54