Ch 25: Secure Network Access Control Flashcards

1
Q

The Cisco security architectural framework is known as ______.

  1. Cisco SEAF
  2. Cisco Threat Grid
  3. Cisco SAFE
  4. Cisco Validated Designs
A

C. Cisco SAFE is the Cisco security architectural framework.

2
Q

Which of the following are Cisco SAFE’s PINs in the network? (Choose all that apply.)

  1. Internet
  2. Data center
  3. Branch office
  4. Edge
  5. Campus
  6. Cloud
  7. WAN
A

2 through 7. Cisco SAFE places in the network (PINs) are:

  • data center
  • branch office
  • edge
  • campus
  • cloud
  • WAN
3
Q

Cisco SAFE includes which of the following secure domains? (Choose all that apply.)

  1. Threat defense
  2. Segmentation
  3. Segregation
  4. Compliance
A

1, 2 and 4.

Cisco SAFE secure domains include management, security intelligence, compliance, segmentation, threat defense, and secure services.

4
Q

Which of the following is the Cisco threat intelligence organization?

  1. Cisco Stealthwatch
  2. Cisco Threat Grid
  3. Cisco Talos
  4. Cisco Threat Research, Analysis, and Communications (TRAC) team
A

C.

Talos is the Cisco threat intelligence organization.

5
Q

What is the Threat Grid?

  1. The Cisco threat intelligence organization
  2. The Cisco sandbox malware analysis solution
  3. The Cisco security framework
  4. An aggregator of network telemetry data
A

2.

Cisco Threat Grid is a solution that performs static and dynamic file analysis by testing files in a sandbox environment.

6
Q

Which of the following relies on NetFlow data for security analysis?

  1. Cisco WSA
  2. Cisco Stealthwatch
  3. Cisco Talos
  4. Cisco Threat Grid
A

2.

Cisco Stealthwatch relies on telemetry data from NetFlow, IPFIX, and other sources for security analysis.

7
Q

T/F: Without Cisco ISE, it would not be possible to implement pxGrid.

A

True.

pxGrid requires a pxGrid controller, and Cisco ISE is the only platform that can perform this role.

8
Q

Which of the following EAP methods supports EAP chaining?

a. EAP-TTLS
b. EAP-FAST
c. EAP-GTC
d. PEAP

A

b.

Cisco EAP-FAST is the only EAP method that can perform simultaneous machine and user authentication, also known as EAP chaining.

9
Q

T/F: SGT tags extend all the way down to the endpoints.

A

False.

This is false because endpoints are completely unaware of SGT tags. Only the networking infrastructure can be aware of SGT tags.

10
Q

Which of the following three phases are defined by Cisco TrustSec? (Choose all that apply.)

a. Classification
b. Enforcement
c. Distribution
d. Aggregation
e. Propagation

A

A, B, and E.

TrustSec configuration is divided into three different phases to make it simple to understand and implement: classification, enforcement, and propagation.

11
Q

What is Cisco SAFE?

A

Evolving cybersecurity threats such as phishing, malware, ransomware, and web-based exploits are very common. There is no single product in the industry that can successfully secure organizations from all these threats. To address this, Cisco created Cisco SAFE, a security architectural framework that helps design secure solutions for the following places in the network (PINs):

  • Branch: Branches are typically less secure than the campus and data center PINs because the potentially large number of branches makes it cost-prohibitive to try to apply on them all the security controls found in campus and data center PINs.
  • Campus: Campuses contain large numbers of users, including employees, contractors, guests, and partners. Campuses are easy targets for phishing, web-based exploits, unauthorized network access, malware propagation, and botnet infestations.
  • Data center: Data centers contain an organization’s most critical information assets and intellectual capital, and they are therefore the primary goal of all targeted threats. Data centers typically contain hundreds or thousands of servers, which makes it very difficult to create and manage proper security rules to control network access.
  • Edge: The edge is the primary ingress and egress point for traffic to and from the Internet, and for this reason, it is the highest-risk PIN and the most important for e-commerce. Typical threats seen on the edge include web server vulnerabilities, distributed denial-of-service (DDoS) attacks, data loss, and MitM attacks.
  • Cloud: Security in the cloud is dictated by service-level agreements (SLAs) with the cloud service provider and requires independent certification audits and risk assessments. The primary threats are web server vulnerabilities, loss of access, data loss, malware, and MitM attacks.
  • Wide area network (WAN): The WAN connects the PINs together. In a large organization with hundreds of branches, managing security on the WAN is very challenging. Typical threats seen in WANs are malware propagation, unauthorized network access, WAN sniffing, and MitM attacks.
12
Q

Implementing the Cisco SAFE framework in an organization provides advanced threat defense protection that spans the full attack continuum before, during, and after an attack for all the PINs. What happens in each of these:

Before

During

After

A

Before: In this phase, full knowledge of all the assets that need to be protected is required, and the types of threats that could target these assets need to be identified. This phase involves establishing policies and implementing prevention to reduce risk. Cisco solutions for this phase include next-generation firewalls, network access control, network security analysis, and identity services.

During: This phase defines the abilities and actions that are required when an attack gets through. Threat analysis and incident response are some of the typical activities associated with this phase. For this phase, organizations can leverage next-generation intrusion prevention systems, next-generation firewalls, malware protection, and email and web security solutions that make it possible to detect, block, and defend against attacks that have penetrated the network and are in progress.

After: This phase defines the ability to detect, contain, and remediate an attack. After a successful attack, any lessons learned need to be incorporated into the existing security solution. Organizations can leverage Cisco Advanced Malware Protection, next-generation firewalls, and malicious network behavior analysis using Stealthwatch to quickly and effectively scope, contain, and remediate an attack to minimize damage.

Figure 25-2 shows various Cisco products and solutions that work across the attack continuum.

13
Q

What is Cisco Talos?

A

Talos is the Cisco threat intelligence organization, an elite team of security experts who are supported by sophisticated security systems to create threat intelligence that detects, analyzes, and protects against both known and emerging threats for Cisco products.

Cisco Talos was created from the combination of three security research teams:

  • IronPort Security Applications (SecApps)
  • The Sourcefire Vulnerability Research Team (VRT)
  • The Cisco Threat Research, Analysis, and Communications (TRAC) team
14
Q

What is Cisco Threat Grid?

A

Cisco Threat Grid (acquired by Cisco in 2014) is a solution that can perform static file analysis (for example, checking filenames, MD5 checksums, file types, and so on) as well as dynamic file analysis (also known as behavioral analysis) by running the files in a controlled and monitored sandbox environment to observe and analyze their behavior against millions of samples and billions of malware artifacts to determine whether the file is malware or not.

15
Q

What is Cisco AMP?

A

Cisco Advanced Malware Protection (AMP) is a malware analysis and protection solution that goes beyond point-in-time detection. Using targeted, context-aware malware, attackers have the resources, persistence, time, and expertise to compromise any network relying solely on point-in-time detection mechanisms. Point-in-time detection is completely blind to the scope and depth of a breach after it happens.

Cisco AMP provides comprehensive protection for organizations across the full attack continuum:

  • Before: Global threat intelligence from Cisco Talos and Cisco Threat Grid feeds into AMP to protect against known and new emerging threats.
  • During: File reputation to determine whether a file is clean or malicious as well as sandboxing are used to identify threats during an attack.
  • After: Cisco AMP provides retrospection, indicators of compromise (IoCs), breach detection, tracking, analysis, and surgical remediation after an attack, when advanced malware has slipped past other defenses.
16
Q

With AnyConnect, what are the VPN Posture (HostScan) and an ISE Posture modules used for?

A

The Cisco AnyConnect Secure Mobility Client is a modular endpoint software product that is not only a VPN client that provides VPN access through Transport Layer Security (TLS)/Secure Sockets Layer (SSL) and IPsec IKEv2 but also offers enhanced security through various built-in modules, such as a VPN Posture (HostScan) module and an ISE Posture module.

These modules enable Cisco AnyConnect to assess an endpoint’s compliance for things like antivirus, antispyware, and firewall software installed on the host. If an endpoint is found to be noncompliant, network access can be restricted until the endpoint is in compliance.

17
Q

What is Cisco Umbrella?

A

Cisco Umbrella (formerly known as OpenDNS) provides the first line of defense against threats on the Internet by blocking requests to malicious Internet destinations (domains, IPs, URLs) using the Domain Name System (DNS) before an IP connection is established or a file is downloaded. It is 100% cloud delivered, with no hardware to install or software to maintain.

The Umbrella global network includes 30 data centers around the world using Anycast DNS, which allows it to guarantee 100% uptime. Thanks to its Anycast DNS infrastructure, it doesn’t matter where each site is physically located; DNS traffic is routed to the closest location. Security intelligence is gathered from 175 billion daily DNS requests from more than 90 million users. All this data is fed in real time into Umbrella’s massive graph database, where statistical and machine learning models are continuously run against it. This information is also constantly analyzed by the Umbrella security researchers and supplemented with intelligence from Cisco Talos.

Setting up Umbrella in the corporate network is as easy as changing the DHCP configuration on all Internet gateways (that is, routers, access points) so that all devices, including guest devices, forward their DNS traffic to Umbrella’s global network.

18
Q

What is Cisco WSA?

A

The Cisco Web Security Appliance (WSA) is an all-in-one web gateway that includes a wide variety of protections that can block hidden malware from both suspicious and legitimate websites.

It leverages real-time threat intelligence from Cisco Talos and Cisco AMP Threat Grid that allows it to stay one step ahead of the evolving threat landscape to prevent the latest exploits from infiltrating the network. It also provides multiple layers of malware defense and vital data loss prevention (DLP) capabilities across the full attack continuum, as illustrated in Figure 25-5.

19
Q

What is Cisco ESA?

A

For business organizations, email is the most important business communication tool, and at the same time, it is one of the top attack vectors for security breaches. The Cisco Email Security Appliance (ESA) enables users to communicate securely via email and helps organizations combat email security threats with a multilayered approach across the attack continuum.

Cisco ESA includes the following advanced threat protection capabilities that allow it to detect, block, and remediate threats across the attack continuum:

  • Global threat intelligence: It leverages real-time threat intelligence from Cisco Talos and Cisco AMP Threat Grid.
  • Reputation filtering: ESA blocks unwanted email with reputation filtering, which is based on threat intelligence from Talos.
  • Spam protection: ESA uses the Cisco Context Adaptive Scanning Engine (CASE) to block spam emails; it delivers a spam catch rate greater than 99%, with a false-positive rate of less than 1 in 1 million.
  • Forged email detection: Forged email detection protects high-value targets such as executives against business email compromise (BEC) attacks.
  • Cisco Advanced Phishing Protection (CAPP): CAPP combines Cisco Talos threat intelligence with local email intelligence and advanced machine learning techniques to model trusted email behavior on the Internet, within organizations, and between individuals. It uses this intelligence to stop identity deception–based attacks such as fraudulent senders, social engineering, and BEC attacks.
  • Cisco Domain Protection (CDP): CDP for external email helps prevent phishing emails from being sent using a customer’s domains.
  • Malware defense: ESA protects against malware with Cisco AMP for Email.
  • Graymail detection and Safe Unsubscribe: ESA detects and classifies graymail for an administrator to take action on it if necessary. Graymail consists of marketing, social networking, and bulk messages (that is, mailing list emails). This type of email typically comes with an unsubscribe link, which may be used for phishing. Safe Unsubscribe protects against this type of phishing technique.
  • URL-related protection and control: ESA protects against malicious URLs with URL filtering and scanning of URLs in attachments and shortened URLs.
  • Outbreak filters: Outbreak filters defend against emerging threats and blended attacks by leveraging security intelligence information from Cisco Talos. Outbreak filters can rewrite URLs included in suspicious email messages. When clicked, the new rewritten URLs redirect the email recipient to the WSA. The website content is then actively scanned, and outbreak filters display a block screen to the user if the site contains malware.
  • Web interaction tracking: ESA generates reports that track the end users who click on URLs that have been rewritten by the outbreak filters. The reports include the following information:
    • Top users who clicked on malicious URLs
    • The top malicious URLs clicked by end users
    • Date and time, rewrite reason, and action taken on the URLs
  • Data security for sensitive content in outgoing emails: Confidential outbound messages that match one of the more than 100 expert policies included with ESA are automatically protected by encryption, footers and disclaimers, blind carbon copies (BCCs), notifications, and quarantining.
20
Q

What is a NGIPS?

A

A system that passively monitors and analyzes network traffic for potential network intrusion attacks and logs the intrusion attack data for security analysis is known as an intrusion detection system (IDS). A system that provides IDS functions and also automatically blocks intrusion attacks is known as an intrusion prevention system (IPS).

A next-generation IPS (NGIPS), according to Gartner, Inc., should include IPS functionality as well as the following capabilities:

  • Real-time contextual awareness
  • Advanced threat protection
  • Intelligent security automation
  • Unparalleled performance and scalability
  • Application visibility and control (AVC) and URL filtering

With the acquisition of Sourcefire in 2013, Cisco added the Firepower NGIPS to its portfolio. Firepower exceeds the requirements defined by Gartner. Following are some of the most important capabilities included with the Cisco Firepower NGIPS:

  • Real-time contextual awareness: Firepower discovers and provides contextual information such as applications, users, endpoints, operating systems, vulnerabilities, services, processes, network behaviors, files, and threats.
  • Advanced threat protection and remediation: Firepower rapidly detects, blocks, contains, and remediates advanced threats through integrated AMP for Networks and Threat Grid sandboxing solutions.
  • Intelligent security automation: Firepower automatically correlates threat events, contextual information, and network vulnerability data to perform the following:
    • Optimizing defenses by automating protection policy updates
    • Quickly identifying users affected by a client-side attack
    • Receiving alerts when a host violates a configuration policy
    • Detecting the spread of malware by baselining normal network traffic and detecting network anomalies
    • Detecting and tagging hosts that might potentially be compromised by malicious means (exploit kit, malware, command-and-control) with an IoC
  • Unparalleled performance and scalability: Purpose-built Firepower and ASA appliances incorporate a low-latency, single-pass design for unprecedented performance and scalability.
  • AVC: Firepower reduces threats through application detection of more than 4000 commercial applications, with support for custom applications.
  • URL filtering: Firepower provides access control to more than 80 categories of websites and covers more than 280 million individual URLs.

In addition, following are some of the capabilities available in the Cisco Firepower NGIPS that exceed the requirements for the definition of NGIPS:

  • Centralized management: Firepower is centrally managed by the Cisco Firepower Management Center (FMC), which is a single pane of glass for event collection and policy management.
  • Global threat intelligence from the Cisco Talos: Firepower integrates with Cisco Talos for up-to-the-minute IPS signature updates as well as URL filtering information to blacklist connections to or from IP addresses, URLs, and/or domain names.
  • Snort IPS detection engine: Firepower’s detection engine is Snort, the world’s most powerful open-source IPS engine.
  • High availability and clustering: Firepower can be deployed as active/standby and intra-chassis clustering and is also supported by the Firepower 9300 series platform.
  • Third-party and open-source ecosystem: Firepower has an open API for integration with third-party products.
  • Integration with Cisco ISE: The FMC can use Cisco ISE to apply remediation on compromised hosts:
    • Quarantine: Limits or blocks an endpoint’s access to the network
    • Unquarantine: Removes the quarantine
    • Shutdown: Shuts down the port that a compromised endpoint is attached to
21
Q

What is a NGFW?

A

A firewall is a network security device that monitors incoming and outgoing network traffic and allows or blocks traffic by performing simple packet filtering and stateful inspection based on ports and protocols. A firewall essentially establishes a barrier between trusted internal networks and untrusted outside networks such as the Internet.

In addition to providing standard firewall functionality, a next-generation firewall (NGFW) can block threats such as advanced malware and application-layer attacks. According to Gartner, Inc.’s definition, an NGFW must include

  • Standard firewall capabilities such as stateful inspection
  • An integrated IPS
  • Application-level inspection (to block malicious or risky apps)
  • The ability to leverage external security intelligence to address evolving security threats

Cisco integrated existing ASA firewall software with the Firepower NGIPS services software, and the combination of the two far exceeds the NGFW definition set by Gartner. This integration gave birth to the Cisco Firepower NGFW, which is the industry’s first fully integrated, threat-focused NGFW with unified management.

Firepower NGFW is available on the following hardware appliances:

  • Firepower series appliances
  • All ASA 5500-X appliances (except 5585-X)

The Firepower NGFW appliances support the following software:

  • ASA software image: Turns the appliance into a standard legacy firewall with no Firepower NGIPS services. Supported on all Firepower and ASA appliances.
  • ASA software image with Firepower Services software image (NGIPS): Runs two software images in the same appliance, with each one requiring different management applications. The Firepower services software (NGIPS) enables the ASA to be a NGFW. This type of configuration is supported only on 5500-X appliances (except the 5585-X).
  • Firepower Threat Defense (FTD) software image: Merges the ASA software image and the Firepower Services image into a single unified image. Supported on all Firepower and ASA 5500-X appliances (except the 5585-X).

FTD is also supported on the following platforms:

  • ISR modules
  • Firepower virtual NGFW (NGFWv) appliances, supported in VMware, KVM, Amazon Web Services (AWS), and Microsoft Azure environments

The following management options are available for NGFWs:

  • For FTD or Firepower Services software:
    • Firepower Management Center (FMC)
    • Firepower Device Manager (FDM) for small appliances

For ASA software:

  • The command-line interface (CLI)
  • Cisco Security Manager (CSM)
  • Adaptive Security Device Manager (ASDM)
  • Cisco Defense Orchestrator
22
Q

What is Cisco StealthWatch?

A

Cisco Stealthwatch is a collector and aggregator of network telemetry data that performs network security analysis and monitoring to automatically detect threats that manage to infiltrate a network as well as the ones that originate from within a network.

Using advanced security analytics, Stealthwatch can quickly and with high confidence detect threats such as command-and-control (C&C) attacks, ransomware, DDoS attacks, illicit cryptomining, unknown malware, and inside threats. It is an agentless solution that brings threat visibility into every part of the network, including the cloud, and the only product that can detect malware in encrypted traffic and ensure policy compliance without decryption.

There are currently two offerings available for Stealthwatch:

  1. Stealthwatch Enterprise
  2. Stealthwatch Cloud
23
Q

What is Cisco StealthWatch Enterprise? What three components are required for Stealthwatch Enterprise?

A

Stealthwatch Enterprise provides real-time visibility into activities occurring within the network. This visibility can be scaled into the cloud, across the network, to branch locations, in the data center, and down to the endpoints.

At the core of Stealthwatch Enterprise are the Flow Rate License, the Flow Collector, Management Console, and Flow Sensor. Optional but recommended components include the following:

  • Cisco Stealthwatch Threat Intelligence: Enables a feed of threat intelligence from Cisco Talos
  • Cisco Stealthwatch Endpoint: Extends visibility into endpoints
  • Cisco Stealthwatch Cloud: Can be used in combination with Stealthwatch Enterprise to extend visibility into Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure cloud infrastructures

Stealthwatch Enterprise offers the following benefits:

  • Real-time threat detection
  • Incident response and forensics
  • Network segmentation
  • Network performance and capacity planning
  • Ability to satisfy regulatory requirements

Stealthwatch Enterprise requires the following components:

  • Flow Rate License: The Flow Rate License is required for the collection, management, and analysis of flow telemetry data and aggregates flows at the Stealthwatch Management Console as well as to define the volume of flows that can be collected.
  • Flow Collector: The Flow Collector collects and analyzes enterprise telemetry data such as NetFlow, IP Flow Information Export (IPFIX), and other types of flow data from routers, switches, firewalls, endpoints, and other network devices. The Flow Collector can also collect telemetry from proxy data sources, which can be analyzed by Global Threat Analytics (formerly Cognitive Threat Analytics). It can also pinpoint malicious patterns in encrypted traffic using Encrypted Traffic Analytics (ETA) without having to decrypt it to identify threats and accelerate response. Flow Collector is available as a hardware appliance and as a virtual machine.
  • Stealthwatch Management Console (SMC): The SMC is the control center for Stealthwatch. It aggregates, organizes, and presents analysis from up to 25 Flow Collectors, Cisco ISE, and other sources. It offers a powerful yet simple-to-use web console that provides graphical representations of network traffic, identity information, customized summary reports, and integrated security and network intelligence for comprehensive analysis. The SMC is available as a hardware appliance or a virtual machine.

Optional Stealthwatch Enterprise components include the following:

  • Flow Sensor: Produces telemetry data for segments of the networking infrastructure that can’t generate NetFlow data and also provides visibility into the application layer data. It is available as a hardware appliance or a virtual machine.
  • UDP Director: Receives essential network and security information from multiple locations and then forwards it in a single data stream to one or more destinations.
    • For example, instead of having every router in the network configured with multiple NetFlow exports for multiple destinations such as Stealthwatch Flow Collectors, LiveAction, Arbor, and so on, every router could be configured with a single NetFlow export and send the data to the UDP Director. The UDP Director takes the data and replicates the NetFlow data from all routers to the multiple destinations in a single stream of data. It is available as a hardware appliance or a virtual machine.
24
Q

What is Cisco Stealthwatch Cloud?

A

Stealthwatch Cloud provides the visibility and continuous threat detection required to secure the on-premises, hybrid, and multicloud environments. It can accurately detect threats in real time, regardless of whether an attack is taking place on the network, in the cloud, or across both environments. Stealthwatch Cloud is a cloud-based software-as-a-service (SaaS) solution. It detects malware, ransomware, data exfiltration, network vulnerabilities, and role changes that indicate compromise.

Cisco Stealthwatch Cloud consists of two primary offerings:

  1. Public Cloud Monitoring
  2. Private Network Monitoring

Public Cloud Monitoring

  • Cisco Stealthwatch Cloud Public Cloud Monitoring provides visibility and threat detection in AWS, GCP, and Microsoft Azure cloud infrastructures. It is a SaaS-based solution that can be deployed easily and quickly.
  • Stealthwatch Cloud can be deployed without software agents, instead relying on native sources of telemetry such as its virtual private cloud (VPC) flow logs. Stealthwatch Cloud models all IP traffic inside VPCs, between VPCs, or to external IP addresses generated by an organization’s resources and functions. Stealthwatch Cloud is also integrated with additional AWS services such as Cloud Trail, Amazon CloudWatch, AWS Config, Inspector, Identity and Access Management (IAM), Lambda, and more.

Private Network Monitoring

  • Cisco Stealthwatch Cloud Private Network Monitoring provides visibility and threat detection for the on-premises network, delivered from a cloud-based SaaS solution. It is a perfect solution for organizations that want better awareness and security in their on-premises environments while reducing capital expenditure and operational overhead.
  • A lightweight virtual appliance needs to be installed in a virtual machine or server that can consume a variety of native sources of telemetry data or extract metadata from network packet flow. The collected metadata is encrypted and sent to the Stealthwatch Cloud analytics platform for analysis.
25
Q

What is Cisco ISE?

A

Cisco Identity Services Engine (ISE) is a security policy management platform that provides highly secure network access control (NAC) to users and devices across wired, wireless, and VPN connections. It allows for visibility into what is happening in the network, such as who is connected (endpoints, users, and devices), which applications are installed and running on endpoints (for posture assessment), and much more.

Some of the most important features, benefits, services, and integrations supported by Cisco ISE include the following:

  • Streamlined network visibility: Through a simple web-based interface, ISE stores a detailed attribute history of all the devices, endpoints, and users (guests, employees, and contractors) on the network.
  • Cisco Digital Network Architecture (DNA) Center integration: Cisco DNA Center is the Cisco intent-based network controller and analytics platform. It makes it easy to design, provision, and apply policy across the network. Through its integration with Cisco ISE, it can apply TrustSec software-defined segmentation through SGT tags and Security Group Access Control Lists (SGACLs).
  • Centralized secure network access control: Supports the RADIUS protocol, required to enable 802.1x/EAP, MAB, and local and centralized WebAuth for consistent access control into wired, wireless, and VPN networks.
  • Centralized device access control: Supports the TACACS+ protocol, which is required for AAA device access control services (covered in Chapter 26, “Network Device Access Control and Infrastructure Security”).
26
Q

Which of the following are NAC technologies?

  1. 802.1x
  2. MAB
  3. ISE
  4. WebAuth
  5. Active Directory
  6. TrustSec
  7. MACsec
A

1, 2, 4, 6, 7 are all valid NAC technologies.

Network access control (NAC) technologies include 802.1x, MAC Authentication Bypass (MAB), and Web Authentication (WebAuth), as well as next-generation NAC technologies such as TrustSec and MACsec.

For reference:

  • MAB: MAC Authentication Bypass (MAB) is an access control technique that enables port-based access control using the MAC address of an endpoint, and it is typically used as a fallback mechanism to 802.1x.
  • TrustSec: TrustSec is a next-generation access control enforcement solution developed by Cisco to address the growing operational challenges related to maintaining firewall rules and ACLs by using Security Group Tag (SGT) tags.
  • MACsec: This is an IEEE 802.1AE standards-based Layer 2 hop-by-hop encryption method; this means the traffic is encrypted only on the wire between two MACsec peers and is unencrypted as it is processed internally within the switch.
27
Q

What is PNAC?

A

IEEE 802.1x (referred to as Dot1x) is a standard for port-based network access control (PNAC) that provides an authentication mechanism for local area networks (LANs) and wireless local area networks (WLANs).

28
Q

What are the three roles in EAP network devices?

A

802.1x network devices have the following roles:

Supplicant: Software on the endpoint communicates and provides identity credentials through EAPoL with the authenticator. Common 802.1x supplicants include Windows and macOS native supplicants as well as Cisco AnyConnect. All these supplicants support 802.1x machine and user authentication.

Authenticator: A network access device (NAD) such as a switch or wireless LAN controller (WLC) controls access to the network based on the authentication status of the user or endpoint. The authenticator acts as the liaison, taking Layer 2 EAP-encapsulated packets from the supplicant and encapsulating them into RADIUS packets for delivery to the authentication server.

Authentication server: A RADIUS server performs authentication of the client. The authentication server validates the identity of the endpoint and provides the authenticator with an authorization result, such as accept or deny.

29
Q

Label the attached diagram with the following:

  1. Supplicants (Endpoints)
  2. EAP over LAN (EAPoL)
  3. Authenticators (WLCs or Switches)
  4. RADIUS
  5. Authentication Server (Cisco ISE) (or RADIUS)
A

See attached diagram.

30
Q

The EAP identity exchange and authentication occur between the __________ and the ___________________.

A

The EAP identity exchange and authentication occur between the supplicant and the authentication server.

The authenticator has no idea what EAP type is in use; it simply takes the EAPoL encapsulated frame from the supplicant and encapsulates it within the RADIUS packet sent to the authentication server and then opens up the port if the authentication server directs it to. Therefore, the EAP authentication is completely transparent to the authenticator.

Figure 25-7 illustrates the process flow of a successful 802.1x authentication. These are the steps in the attached image:


  1. When the authenticator notices a port coming up, it starts the authentication process by sending periodic EAP-request/identity frames. The supplicant can also initiate the authentication process by sending an EAPoL-start message to the authenticator.
  2. The authenticator relays EAP messages between the supplicant and the authentication server, copying the EAP message in the EAPoL frame to an AV-pair inside a RADIUS packet and vice versa until an EAP method is selected. Authentication then takes place using the selected EAP method.
  3. If authentication is successful, the authentication server returns a RADIUS access-accept message with an encapsulated EAP-success message as well as an authorization option such as a downloadable ACL (dACL). When this is done, the authenticator opens the port.
31
Q

What are the “outer or tunneled TLS authentication methods” in EAP?

A

EAP inner authentication methods are tunneled within PEAP, EAP-FAST, and EAP-TTLS, which are also known as outer or tunneled TLS authentication methods. Tunneled TLS authentication methods establish a TLS outer tunnel between the supplicant and the authentication server; after the encrypted tunnel is established, client authentication credentials are negotiated using one of the EAP inner methods within the TLS outer tunnel.

This tunneling authentication method is very similar to the way an HTTPS session is established between a web browser and a secure website (such as a bank’s website). The HTTPS TLS tunnel is formed after the web browser validates the authenticity of the website’s certificate (one-way trust), and when the TLS tunnel is established, the user can enter the login credentials on the website through the secure TLS tunnel.

32
Q

Why is MD5 a poor authentication choice for EAP?

A

EAP-MD5: Uses the MD5 message-digest algorithm to hide the credentials in a hash. The hash is sent to the authentication server, where it is compared to a local hash to validate the accuracy of the credentials. EAP-MD5 does not have a mechanism for mutual authentication; in other words, the authentication server validates the supplicant, but the supplicant does not validate the authentication server to see if it is trustworthy. This lack of mutual authentication makes it a poor choice as an authentication method.

33
Q

What does EAP-TLS use for authentication? Is this secure, and why? Is deployment easy or hard?

A

EAP-TLS: Uses the TLS Public Key Infrastructure (PKI) certificate authentication mechanism to provide mutual authentication of supplicant to authentication server and authentication server to supplicant. With EAP-TLS, both the supplicant and the authentication server must be assigned a digital certificate signed by a certificate authority (CA) that they both trust. Because the supplicant also requires a certificate, this is the most secure authentication method; however, it is also the most difficult to deploy due to the administrative burden of having to install a certificate on the supplicant side.

34
Q

In PEAP, which entities require a certificate? What is the benefit over EAP-TLS?

A

PEAP: In PEAP, only the authentication server requires a certificate, which reduces the administrative burden of implementing EAP.

PEAP forms an encrypted TLS tunnel between the supplicant and the authentication server. After the tunnel has been established, PEAP uses one of the following EAP authentication inner methods to authenticate the supplicant through the outer PEAP TLS tunnel:

  1. EAP-MSCHAPv2 (PEAPv0): Using this inner method, the client’s credentials are sent to the server encrypted within an MSCHAPv2 session. This is the most common inner method, as it allows for simple transmission of username and password, or even computer name and computer password, to the RADIUS server, which can then authenticate them using Microsoft’s Active Directory.
  2. EAP-GTC (PEAPv1): This inner method was created by Cisco as an alternative to MSCHAPv2 to allow generic authentications to virtually any identity store, including OTP token servers, LDAP, NetIQ eDirectory, and more.
  3. EAP-TLS: This is the most secure EAP authentication since it is essentially a TLS tunnel within another TLS tunnel. It is rarely used due to its deployment complexity because it requires certificates to be installed on the supplicants.
  4. EAP-FAST: EAP-FAST, which is similar to PEAP, was developed by Cisco Systems as an alternative to PEAP to allow for faster re-authentications and support for faster wireless roaming. Just like PEAP, EAP-FAST forms a TLS outer tunnel and then transmits the client authentication credentials within that outer TLS tunnel. A major difference between FAST and PEAP is FAST’s ability to re-authenticate faster by using protected access credentials (PACs). A PAC is similar to a secure cookie, stored locally on the host as “proof” of a successful authentication. EAP-FAST also supports EAP chaining, which is explained later in this chapter.
  5. EAP-TTLS: EAP-TTLS is similar in functionality to PEAP but is not as widely supported as PEAP. One major difference between them is that PEAP only supports EAP inner authentication methods, while EAP-TTLS can support additional inner methods such as legacy Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
35
Q

What is the auth mechanism for EAP-MSCHAP?

A

EAP-MSCHAPv2 (PEAPv0): Using this inner method, the client’s credentials are sent to the server encrypted within an MSCHAPv2 session. This is the most common inner method, as it allows for simple transmission of username and password, or even computer name and computer password, to the RADIUS server, which can then authenticate them using Microsoft’s Active Directory.

36
Q

What is the most secure EAP auth method?

A

EAP-TLS: This is the most secure EAP authentication since it is essentially a TLS tunnel within another TLS tunnel. It is rarely used due to its deployment complexity because it requires certificates to be installed on the supplicants.

37
Q

What is wrong with the following statement?

EAP-FAST allows for faster re-authentications and provides support for faster wireless roaming by storing a secure cookie known as a CAP on the client.

A

EAP-FAST allows for faster re-authentications and provides support for faster wireless roaming by storing a secure cookie known as a PAC on the client.

EAP-FAST: EAP-FAST, which is similar to PEAP, was developed by Cisco Systems as an alternative to PEAP to allow for faster re-authentications and support for faster wireless roaming.

Just like PEAP, EAP-FAST forms a TLS outer tunnel and then transmits the client authentication credentials within that outer TLS tunnel. A major difference between FAST and PEAP is FAST’s ability to re-authenticate faster by using protected access credentials (PACs). A PAC is similar to a secure cookie, stored locally on the host as “proof” of a successful authentication. EAP-FAST also supports EAP chaining, which is explained later in this chapter.

38
Q

Which EAP auth method supports legacy inner methods like the following?

  • Password Authentication Protocol (PAP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
A

EAP-TTLS: EAP-TTLS is similar in functionality to PEAP but is not as widely supported as PEAP. One major difference between them is that PEAP only supports EAP inner authentication methods, while EAP-TTLS can support additional inner methods such as legacy Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

39
Q

What are most EAP auth methods based on?

A

There are many different EAP authentication methods available, most of them based on Transport Layer Security (TLS). Which one to choose depends on the security requirements and the EAP methods supported by the supplicants and the authentication server.

40
Q

What provides an encapsulated transport for authentication parameters?

A

Extensible Authentication Protocol (EAP): This message format and framework defined by RFC 4187 provides an encapsulated transport for authentication parameters.

41
Q

What is EAPoL? What layer does it operate at? For what network types does it work?

A

EAP over LAN (EAPoL): This Layer 2 encapsulation protocol is defined by 802.1x for the transport of EAP messages over IEEE 802 wired and wireless networks.

42
Q

Which of the following are inner and which are outer (or tunneled TLS) auth methods of EAP?

  1. EAP-MSCHAPv2 (PEAPv0)
  2. PEAP
  3. EAP-GTC (PEAPv1)
  4. EAP-TLS
  5. EAP-FAST
  6. EAP-TTLS
A

Outer methods: (2, 5, 6)

EAP inner authentication methods are tunneled within PEAP, EAP-FAST, and EAP-TTLS, which are also known as outer or tunneled TLS authentication methods.

  • Tunneled TLS authentication methods establish a TLS outer tunnel between the supplicant and the authentication server; after the encrypted tunnel is established, client authentication credentials are negotiated using one of the EAP inner methods within the TLS outer tunnel.
  • PEAP: In PEAP, only the authentication server requires a certificate, which reduces the administrative burden of implementing EAP. PEAP forms an encrypted TLS tunnel between the supplicant and the authentication server.
  • EAP-TTLS: EAP-TTLS is similar in functionality to PEAP but is not as widely supported as PEAP. One major difference between them is that PEAP only supports EAP inner authentication methods, while EAP-TTLS can support additional inner methods such as legacy Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
  • EAP-FAST: EAP-FAST, which is similar to PEAP, was developed by Cisco Systems as an alternative to PEAP to allow for faster re-authentications and support for faster wireless roaming. Just like PEAP, EAP-FAST forms a TLS outer tunnel and then transmits the client authentication credentials within that outer TLS tunnel.

Inner methods:

  1. EAP-MSCHAPv2 (PEAPv0): Using this inner method, the client’s credentials are sent to the server encrypted within an MSCHAPv2 session. This is the most common inner method, as it allows for simple transmission of username and password, or even computer name and computer password, to the RADIUS server, which can then authenticate them using Microsoft’s Active Directory.
  2. EAP-GTC (PEAPv1): This inner method was created by Cisco as an alternative to MSCHAPv2 to allow generic authentications to virtually any identity store, including OTP token servers, LDAP, NetIQ eDirectory, and more.
  3. EAP-TLS: This is the most secure EAP authentication since it is essentially a TLS tunnel within another TLS tunnel. It is rarely used due to its deployment complexity because it requires certificates to be installed on the supplicants.
43
Q

What is EAP Chaining?

A

EAP-FAST includes the option of EAP chaining, which supports machine and user authentication inside a single outer TLS tunnel.

It enables machine and user authentication to be combined into a single overall authentication result. This allows the assignment of greater privileges or posture assessments to users who connect to the network using corporate-managed devices.

44
Q

What is MAB?

A

MAC Authentication Bypass (MAB) is an access control technique that enables port-based access control using the MAC address of an endpoint, and it is typically used as a fallback mechanism to 802.1x. A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the endpoint that connects to it.

45
Q

When the switch sends the login credentials on behalf of the user, it is considered to be what type of authentication?

A

Local Web Authentication (LWA) is the first form of Web Authentication that was created. For this type of WebAuth, the switch (or wireless controller) redirects web traffic (HTTP and/or HTTPS) to a locally hosted web portal running in the switch where an end user can enter a username and a password.

When the login credentials are submitted through the web portal, the switch sends a RADIUS access-request message along with the login credentials to the RADIUS server. It is important to remember that when the switch sends the login credentials on behalf of the user, it is considered to be LWA.

46
Q

What is TrustSec?

A

TrustSec is a next-generation access control enforcement solution developed by Cisco to address the growing operational challenges related to maintaining firewall rules and ACLs by using Security Group Tag (SGT) tags.

TrustSec uses SGT tags to perform ingress tagging and egress filtering to enforce access control policy. Cisco ISE assigns the SGT tags to users or devices that are successfully authenticated and authorized through 802.1x, MAB, or WebAuth. The SGT tag assignment is delivered to the authenticator as an authorization option (in the same way as a dACL). After the SGT tag is assigned, an access enforcement policy (allow or drop) based on the SGT tag can be applied at any egress point of the TrustSec network.

47
Q

What do SGT tags represent?

A

SGT tags represent the context of the user, device, use case, or function. This means SGT tags are often named after particular roles or business use cases.

For example, a corporate user with a Mac that successfully authenticates via 802.1x using EAP chaining could be assigned an SGT by ISE named Mac_Corporate. If the Mac is not compliant with posture requirements because it is not owned by the corporation, then it can be assigned an SGT named Mac_Guest.

48
Q

T/F:

TrustSec configuration occurs in three phases: ingress classification, propagation, and egress enforcement.

A

True.

  1. Ingress classification is the process of assigning SGT tags to users, endpoints, or other resources as they ingress the TrustSec network.
  2. Propagation is the process of communicating the mappings to the TrustSec network devices that will enforce policy based on SGT tags.
  3. Egress enforcement: After the SGT tags have been assigned (classification) and are being transmitted across the network (propagation), policies can be enforced at the egress point of the TrustSec network.
49
Q

Ingress classification can happen in one of two ways. What are they?

A

Ingress classification is the process of assigning SGT tags to users, endpoints, or other resources as they ingress the TrustSec network, and it can happen in one of two ways:

  1. Dynamic assignment: The SGT is assigned dynamically and can be downloaded as an authorization option from ISE when authenticating using 802.1x, MAB, or WebAuth.
  2. Static assignment: In environments such as a data center that do not require 802.1x, MAB, or WebAuth authentication, dynamic SGT assignment is not possible. In these cases, SGT tags can be statically mapped on SGT-capable network devices. Static assignment on a device can be one of the following:
  • IP to SGT tag
  • Subnet to SGT tag
  • VLAN to SGT tag
  • Layer 2 interface to SGT tag
  • Layer 3 logical interface to SGT tag
  • Port to SGT tag
  • Port profile to SGT tag
50
Q

T/F: There are two methods available for propagating an SGT tag—inline tagging (also referred to as native tagging) and the Cisco-created protocol SGT Exchange Protocol (SXP).

A

True.

Inline tagging: With inline tagging, a switch inserts the SGT tag inside a frame to allow upstream devices to read and apply policy. Native tagging is completely independent of any Layer 3 protocol (IPv4 or IPv6), so the frame or packet can preserve the SGT tag throughout the network infrastructure (routers, switches, firewalls, and so on) until it reaches the egress point. The downside to native tagging is that it is supported only by Cisco network devices with ASIC support for TrustSec.

SXP propagation: SXP is a TCP-based peer-to-peer protocol used for network devices that do not support SGT inline tagging in hardware. Using SXP, IP-to-SGT mappings can be communicated between non-inline tagging switches and other network devices. Non-inline tagging switches also have an SGT mapping database to check packets against and enforce policy. The SXP peer that sends IP-to-SGT bindings is called a speaker. The IP-to-SGT binding receiver is called a listener. SXP connections can be single-hop or multi-hop.

51
Q

There are multiple ways to enforce traffic based on the SGT tag, and they can be divided into two major types:

  • Security Group ACL (SGACL)
  • Security Group Firewall (SGFW)

What are the differences between these two?

A

After the SGT tags have been assigned (classification) and are being transmitted across the network (propagation), policies can be enforced at the egress point of the TrustSec network.

There are multiple ways to enforce traffic based on the SGT tag, and they can be divided into two major types:

  1. Security Group ACL (SGACL): Provides enforcement on routers and switches. Access lists provide filtering based on source and destination SGT tags.
  2. Security Group Firewall (SGFW): Provides enforcement on firewalls (such as Cisco ASA and NGFW). Requires tag-based rules to be defined locally on the firewall.
52
Q

What is MACsec?

A

MACsec is an IEEE 802.1AE standards-based Layer 2 hop-by-hop encryption method; this means the traffic is encrypted only on the wire between two MACsec peers and is unencrypted as it is processed internally within the switch.

This allows the switch to look into the inner packets for things like SGT tags to perform packet enforcement or QoS prioritization. MACsec also leverages onboard ASICs to perform the encryption and decryption rather than having to offload to a crypto engine, as with IPsec.

53
Q

MACsec is based on the Ethernet frame format, but differs a little. How so?

A

MACsec is based on the Ethernet frame format; however, an additional 16-byte MACsec Security Tag field (802.1AE header) and a 16-byte Integrity Check Value (ICV) field are added. This means that all devices in the flow of the MACsec communications must support MACsec for these fields to be used and to secure the traffic.

Figure 25-18 illustrates the MACsec frame format and how it encrypts the TrustSec SGT tag.

54
Q

Two MACsec keying mechanisms are available. What are these?

  1. SAP
  2. MKA protocol
A

Two MACsec keying mechanisms are available:

  1. Security Association Protocol (SAP): This is a proprietary Cisco keying protocol used between Cisco switches.
  2. MACsec Key Agreement (MKA) protocol: MKA provides the required session keys and manages the required encryption keys. The 802.1AE encryption with MKA is supported between endpoints and the switch as well as between switches.
55
Q

What are downlink MACsec and uplink MACsec?

A

Downlink MACsec is the term used to describe the encrypted link between an endpoint and a switch.

  • The encryption between the endpoint and the switch is handled by the MKA keying protocol. This requires a MACsec-capable switch and a MACsec-capable supplicant on the endpoint (such as Cisco AnyConnect). The encryption on the endpoint may be handled in hardware (if the endpoint possesses the correct hardware) or in software, using the main CPU for encryption and decryption.
  • The Cisco switch has the ability to force encryption, make encryption optional, or force non-encryption; this setting may be configured manually per port (which is not very common) or dynamically as an authorization option from Cisco ISE (which is much more common). If ISE returns an encryption policy with the authorization result, the policy issued by ISE overrides anything set using the switch CLI.

Uplink MACsec is the term for encrypting a link between switches with 802.1AE.

  • By default, uplink MACsec uses Cisco proprietary SAP encryption. The encryption is the same AES-GCM-128 encryption used with both uplink and downlink MACsec.
  • Uplink MACsec may be achieved manually or dynamically. Dynamic MACsec requires 802.1x authentication between the switches.