Ch 25: Secure Network Access Control Flashcards
The Cisco security architectural framework is known as ______.
a. Cisco SEAF
b. Cisco Threat Grid
c. Cisco SAFE
d. Cisco Validated Designs
C. Cisco SAFE is the Cisco security architectural framework.
Which of the following are Cisco SAFE’s PINs in the network? (Choose all that apply.)
1. Internet
2. Data center
3. Branch office
4. Edge
5. Campus
6. Cloud
7. WAN
2 through 7. Cisco SAFE places in the network (PINs) are:
- data center
- branch office
- edge
- campus
- cloud
- WAN
Cisco SAFE includes which of the following secure domains? (Choose all that apply.)
1. Threat defense
2. Segmentation
3. Segregation
4. Compliance
1, 2 and 4.
Cisco SAFE secure domains include management, security intelligence, compliance, segmentation, threat defense, and secure services.
Which of the following is the Cisco threat intelligence organization?
a. Cisco Stealthwatch
b. Cisco Threat Grid
c. Cisco Talos
d. Cisco Threat Research, Analysis, and Communications (TRAC) team
C.
Talos is the Cisco threat intelligence organization.
What is the Threat Grid?
1. The Cisco threat intelligence organization
2. The Cisco sandbox malware analysis solution
3. The Cisco security framework
4. An aggregator of network telemetry data
2.
Cisco Threat Grid is a solution that performs static and dynamic file analysis by testing files in a sandbox environment.
Which of the following relies on NetFlow data for security analysis?
1. Cisco WSA
2. Cisco Stealthwatch
3. Cisco Talos
4. Cisco Threat Grid
2.
Cisco Stealthwatch relies on telemetry data from NetFlow, IPFIX, and other sources for security analysis.
T/F: Without Cisco ISE, it would not be possible to implement pxGrid.
True.
pxGrid requires a pxGrid controller, and Cisco ISE is the only platform that can perform this role.
Which of the following EAP methods supports EAP chaining?
a. EAP-TTLS
b. EAP-FAST
c. EAP-GTC
d. PEAP
b.
Cisco EAP-FAST is the only EAP method that can perform simultaneous machine and user authentication, also known as EAP chaining.
T/F: SGT tags extend all the way down to the endpoints.
False.
This is false because endpoints are completely unaware of SGT tags. Only the networking infrastructure can be aware of SGT tags.
Which of the following three phases are defined by Cisco TrustSec? (Choose all that apply.)
a. Classification
b. Enforcement
c. Distribution
d. Aggregation
e. Propagation
A, B, and E.
TrustSec configuration is divided into three different phases to make it simple to understand and implement: classification, enforcement, and propagation.
What is Cisco SAFE?
Evolving cybersecurity threats such as phishing, malware, ransomware, and web-based exploits are very common. There is no single product in the industry that can successfully secure organizations from all these threats. To address this, Cisco created Cisco SAFE, a security architectural framework that helps design secure solutions for the following places in the network (PINs):
- Branch: Branches are typically less secure than the campus and data center PINs because the potentially large number of branches makes it cost-prohibitive to try to apply on them all the security controls found in campus and data center PINs.
- Campus: Campuses contain large numbers of users, including employees, contractors, guests, and partners. Campuses are easy targets for phishing, web-based exploits, unauthorized network access, malware propagation, and botnet infestations.
- Data center: Data centers contain an organization’s most critical information assets and intellectual capital, and they are therefore the primary goal of all targeted threats. Data centers typically contain hundreds or thousands of servers, which makes it very difficult to create and manage proper security rules to control network access.
- Edge: The edge is the primary ingress and egress point for traffic to and from the Internet, and for this reason, it is the highest-risk PIN and the most important for e-commerce. Typical threats seen on the edge include web server vulnerabilities, distributed denial-of-service (DDoS) attacks, data loss, and MitM attacks.
- Cloud: Security in the cloud is dictated by service-level agreements (SLAs) with the cloud service provider and requires independent certification audits and risk assessments. The primary threats are web server vulnerabilities, loss of access, data loss, malware, and MitM attacks.
- Wide area network (WAN): The WAN connects the PINs together. In a large organization with hundreds of branches, managing security on the WAN is very challenging. Typical threats seen in WANs are malware propagation, unauthorized network access, WAN sniffing, and MitM attacks.
Implementing the Cisco SAFE framework in an organization provides advanced threat defense protection that spans the full attack continuum before, during, and after an attack for all the PINs. What happens in each of these phases?
- Before
- During
- After
Before: In this phase, full knowledge of all the assets that need to be protected is required, and the types of threats that could target these assets need to be identified. This phase involves establishing policies and implementing prevention to reduce risk. Cisco solutions for this phase include next-generation firewalls, network access control, network security analysis, and identity services.
During: This phase defines the abilities and actions that are required when an attack gets through. Threat analysis and incident response are some of the typical activities associated with this phase. For this phase, organizations can leverage next-generation intrusion prevention systems, next-generation firewalls, malware protection, and email and web security solutions that make it possible to detect, block, and defend against attacks that have penetrated the network and are in progress.
After: This phase defines the ability to detect, contain, and remediate an attack. After a successful attack, any lessons learned need to be incorporated into the existing security solution. Organizations can leverage Cisco Advanced Malware Protection, next-generation firewalls, and malicious network behavior analysis using Stealthwatch to quickly and effectively scope, contain, and remediate an attack to minimize damage.
Figure 25-2 shows various Cisco products and solutions that work across the attack continuum.
What is Cisco Talos?
Talos is the Cisco threat intelligence organization, an elite team of security experts who are supported by sophisticated security systems to create threat intelligence that detects, analyzes, and protects against both known and emerging threats for Cisco products.
Cisco Talos was created from the combination of three security research teams:
- IronPort Security Applications (SecApps)
- The Sourcefire Vulnerability Research Team (VRT)
- The Cisco Threat Research, Analysis, and Communications (TRAC) team
What is Cisco Threat Grid?
Cisco Threat Grid (acquired by Cisco in 2014) is a solution that can perform static file analysis (for example, checking filenames, MD5 checksums, file types, and so on) as well as dynamic file analysis (also known as behavioral analysis) by running the files in a controlled and monitored sandbox environment to observe the behavior and analyze it against millions of samples and billions of malware artifacts to determine whether a file is malware or not.
What is Cisco AMP?
Cisco Advanced Malware Protection (AMP) is a malware analysis and protection solution that goes beyond point-in-time detection. Using targeted, context-aware malware, attackers have the resources, persistence, time, and expertise to compromise any network relying solely on point-in-time detection mechanisms. Point-in-time detection is completely blind to the scope and depth of a breach after it happens.
Cisco AMP provides comprehensive protection for organizations across the full attack continuum:
- Before: Global threat intelligence from Cisco Talos and Cisco Threat Grid feeds into AMP to protect against known and new emerging threats.
- During: File reputation to determine whether a file is clean or malicious as well as sandboxing are used to identify threats during an attack.
- After: Cisco AMP provides retrospection, indicators of compromise (IoCs), breach detection, tracking, analysis, and surgical remediation after an attack, when advanced malware has slipped past other defenses.
With AnyConnect, what are the VPN Posture (HostScan) and an ISE Posture modules used for?
The Cisco AnyConnect Secure Mobility Client is a modular endpoint software product that is not only a VPN client that provides VPN access through Transport Layer Security (TLS)/Secure Sockets Layer (SSL) and IPsec IKEv2 but also offers enhanced security through various built-in modules, such as a VPN Posture (HostScan) module and an ISE Posture module.
These modules enable Cisco AnyConnect to assess an endpoint’s compliance for things like antivirus, antispyware, and firewall software installed on the host. If an endpoint is found to be noncompliant, network access can be restricted until the endpoint is in compliance.
What is Cisco Umbrella?
Cisco Umbrella (formerly known as OpenDNS) provides the first line of defense against threats on the Internet by blocking requests to malicious Internet destinations (domains, IPs, URLs) using the Domain Name System (DNS) before an IP connection is established or a file is downloaded. It is 100% cloud delivered, with no hardware to install or software to maintain.
The Umbrella global network includes 30 data centers around the world using Anycast DNS, which allows it to guarantee 100% uptime. Thanks to its Anycast DNS infrastructure, it doesn’t matter where each site is physically located; DNS traffic is routed to the closest location. Security intelligence is gathered from 175 billion daily DNS requests from more than 90 million users. All this data is fed in real time into Umbrella’s massive graph database, where statistical and machine learning models are continuously run against it. This information is also constantly analyzed by the Umbrella security researchers and supplemented with intelligence from Cisco Talos.
Setting up Umbrella in the corporate network is as easy as changing the DHCP configuration on all Internet gateways (that is, routers, access points) so that all devices, including guest devices, forward their DNS traffic to Umbrella’s global network.
What is Cisco WSA?
The Cisco Web Security Appliance (WSA) is an all-in-one web gateway that includes a wide variety of protections that can block hidden malware from both suspicious and legitimate websites.
It leverages real-time threat intelligence from Cisco Talos and Cisco AMP Threat Grid that allows it to stay one step ahead of the evolving threat landscape to prevent the latest exploits from infiltrating the network. It also provides multiple layers of malware defense and vital data loss prevention (DLP) capabilities across the full attack continuum, as illustrated in Figure 25-5.
What is Cisco ESA?
For business organizations, email is the most important business communication tool, and at the same time, it is one of the top attack vectors for security breaches. The Cisco Email Security Appliance (ESA) enables users to communicate securely via email and helps organizations combat email security threats with a multilayered approach across the attack continuum.
Cisco ESA includes the following advanced threat protection capabilities that allow it to detect, block, and remediate threats across the attack continuum:
- Global threat intelligence: It leverages real-time threat intelligence from Cisco Talos and Cisco AMP Threat Grid.
- Reputation filtering: ESA blocks unwanted email with reputation filtering, which is based on threat intelligence from Talos.
- Spam protection: ESA uses the Cisco Context Adaptive Scanning Engine (CASE) to block spam emails; it delivers a spam catch rate greater than 99%, with a false-positive rate of less than 1 in 1 million.
- Forged email detection: Forged email detection protects high-value targets such as executives against business email compromise (BEC) attacks.
- Cisco Advanced Phishing Protection (CAPP): CAPP combines Cisco Talos threat intelligence with local email intelligence and advanced machine learning techniques to model trusted email behavior on the Internet, within organizations, and between individuals. It uses this intelligence to stop identity deception–based attacks such as fraudulent senders, social engineering, and BEC attacks.
- Cisco Domain Protection (CDP): CDP for external email helps prevent phishing emails from being sent using a customer’s domains.
- Malware defense: ESA protects against malware with Cisco AMP for Email.
- Graymail detection and Safe Unsubscribe: ESA detects and classifies graymail for an administrator to take action on it if necessary. Graymail consists of marketing, social networking, and bulk messages (that is, mailing list emails). This type of email typically comes with an unsubscribe link, which may be used for phishing. Safe Unsubscribe protects against this type of phishing technique.
- URL-related protection and control: ESA protects against malicious URLs with URL filtering and scanning of URLs in attachments and shortened URLs.
- Outbreak filters: Outbreak filters defend against emerging threats and blended attacks by leveraging security intelligence information from Cisco Talos. Outbreak filters can rewrite URLs included in suspicious email messages. When clicked, the new rewritten URLs redirect the email recipient to the WSA. The website content is then actively scanned, and outbreak filters display a block screen to the user if the site contains malware.
- Web interaction tracking: ESA generates reports that track the end users who click on URLs that have been rewritten by the outbreak filters. The reports include the following information:
  - Top users who clicked on malicious URLs
  - The top malicious URLs clicked by end users
  - Date and time, rewrite reason, and action taken on the URLs
- Data security for sensitive content in outgoing emails: Confidential outbound messages that match one of the more than 100 expert policies included with ESA are automatically protected by encryption, footers and disclaimers, blind carbon copies (BCCs), notifications, and quarantining.
What is an NGIPS?
A system that passively monitors and analyzes network traffic for potential network intrusion attacks and logs the intrusion attack data for security analysis is known as an intrusion detection system (IDS). A system that provides IDS functions and also automatically blocks intrusion attacks is known as an intrusion prevention system (IPS).
A next-generation IPS (NGIPS), according to Gartner, Inc., should include IPS functionality as well as the following capabilities:
- Real-time contextual awareness
- Advanced threat protection
- Intelligent security automation
- Unparalleled performance and scalability
- Application visibility and control (AVC) and URL filtering
With the acquisition of Sourcefire in 2013, Cisco added the Firepower NGIPS to its portfolio. Firepower exceeds the requirements defined by Gartner. Following are some of the most important capabilities included with the Cisco Firepower NGIPS:
- Real-time contextual awareness: Firepower discovers and provides contextual information such as applications, users, endpoints, operating systems, vulnerabilities, services, processes, network behaviors, files, and threats.
- Advanced threat protection and remediation: Firepower rapidly detects, blocks, contains, and remediates advanced threats through integrated AMP for Networks and Threat Grid sandboxing solutions.
- Intelligent security automation: Firepower automatically correlates threat events, contextual information, and network vulnerability data to perform the following:
- Optimizing defenses by automating protection policy updates
- Quickly identifying users affected by a client-side attack
- Receiving alerts when a host violates a configuration policy
- Detecting the spread of malware by baselining normal network traffic and detecting network anomalies
- Detecting and tagging hosts that might potentially be compromised by malicious means (exploit kit, malware, command-and-control) with an IoC
- Unparalleled performance and scalability: Purpose-built Firepower and ASA appliances incorporate a low-latency, single-pass design for unprecedented performance and scalability.
- AVC: Firepower reduces threats through application detection of more than 4000 commercial applications, with support for custom applications.
- URL filtering: Firepower provides access control to more than 80 categories of websites and covers more than 280 million individual URLs.
In addition, following are some of the capabilities available in the Cisco Firepower NGIPS that exceed the requirements for the definition of NGIPS:
- Centralized management: Firepower is centrally managed by the Cisco Firepower Management Center (FMC), which is a single pane of glass for event collection and policy management.
- Global threat intelligence from Cisco Talos: Firepower integrates with Cisco Talos for up-to-the-minute IPS signature updates as well as URL filtering information to blacklist connections to or from IP addresses, URLs, and/or domain names.
- Snort IPS detection engine: Firepower’s detection engine is Snort, the world’s most powerful open-source IPS engine.
- High availability and clustering: Firepower can be deployed in an active/standby pair, and intra-chassis clustering is also supported on the Firepower 9300 series platform.
- Third-party and open-source ecosystem: Firepower has an open API for integration with third-party products.
- Integration with Cisco ISE: The FMC can use Cisco ISE to apply remediation on compromised hosts:
- Quarantine: Limits or blocks an endpoint’s access to the network
- Unquarantine: Removes the quarantine
- Shutdown: Shuts down the port that a compromised endpoint is attached to
What is an NGFW?
A firewall is a network security device that monitors incoming and outgoing network traffic and allows or blocks traffic by performing simple packet filtering and stateful inspection based on ports and protocols. A firewall essentially establishes a barrier between trusted internal networks and untrusted outside networks such as the Internet.
In addition to providing standard firewall functionality, a next-generation firewall (NGFW) can block threats such as advanced malware and application-layer attacks. According to Gartner, Inc.’s definition, an NGFW must include
- Standard firewall capabilities such as stateful inspection
- An integrated IPS
- Application-level inspection (to block malicious or risky apps)
- The ability to leverage external security intelligence to address evolving security threats
Cisco integrated existing ASA firewall software with the Firepower NGIPS services software, and the combination of the two far exceeds the NGFW definition set by Gartner. This integration gave birth to the Cisco Firepower NGFW, which is the industry’s first fully integrated, threat-focused NGFW with unified management.
Firepower NGFW is available on the following hardware appliances:
- Firepower series appliances
- All ASA 5500-X appliances (except 5585-X)
The Firepower NGFW appliances support the following software:
- ASA software image: Turns the appliance into a standard legacy firewall with no Firepower NGIPS services. Supported on all Firepower and ASA appliances.
- ASA software image with Firepower Services software image (NGIPS): Runs two software images in the same appliance, with each one requiring a different management application. The Firepower Services software (NGIPS) enables the ASA to be an NGFW. This type of configuration is supported only on 5500-X appliances (except the 5585-X).
- Firepower Threat Defense (FTD) software image: Merges the ASA software image and the Firepower Services image into a single unified image. Supported on all Firepower and ASA 5500-X appliances (except the 5585-X).
FTD is also supported on the following platforms:
- ISR modules
- Firepower virtual NGFW (NGFWv) appliances, supported in VMware, KVM, Amazon Web Services (AWS), and Microsoft Azure environments
The following management options are available for NGFWs:
- For FTD or Firepower Services software:
  - Firepower Management Center (FMC)
  - Firepower Device Manager (FDM) for small appliances
- For ASA software:
  - The command-line interface (CLI)
  - Cisco Security Manager (CSM)
  - Adaptive Security Device Manager (ASDM)
  - Cisco Defense Orchestrator
What is Cisco Stealthwatch?
Cisco Stealthwatch is a collector and aggregator of network telemetry data that performs network security analysis and monitoring to automatically detect threats that manage to infiltrate a network as well as the ones that originate from within a network.
Using advanced security analytics, Stealthwatch can quickly and with high confidence detect threats such as command-and-control (C&C) attacks, ransomware, DDoS attacks, illicit cryptomining, unknown malware, and inside threats. It is an agentless solution that brings threat visibility into every part of the network, including the cloud, and the only product that can detect malware in encrypted traffic and ensure policy compliance without decryption.
There are currently two offerings available for Stealthwatch:
- Stealthwatch Enterprise
- Stealthwatch Cloud