Chap 25 - Secure Network Access Control Flashcards

Question 1

Q

What is Cisco SAFE?

Answer

A

Security Architecture For the Enterprise

Question 2

Q

What are PINs?

Answer

A

Places In the Network

Question 3

Q

What are 6 PINs

Answer

A

Branch
Campus
Data Center
Edge
Cloud
WAN

Question 4

Q

What are the 4 top threats on PIN Branches?

Answer

A

Endpoint malware (point-of-sale [POS] malware)
Wireless infrastructure exploits such as rogue APs and man-in-the-middle (MitM) attacks
Unauthorized/malicious client activity
Exploitation of trust

Question 5

Q

What are 5 things that campuses are easy targets for?

Answer

A

Phishing
Web-based exploits
Unauthorized network access
Malware propagation
Botnet infestations.

Question 6

Q

What are 7 popular threats to data centers?

Answer

A

Data extraction
Malware propagation
Unauthorized network access (application compromise)
Botnet infestation (scrumping)
Data loss
Privilege escalation
Reconnaissance

Question 7

Q

What is the highest risk PIN

Question 8

Q

What are 4 popular threats to the Edge Network?

Answer

A

Web server vulnerabilities
Distributed denial-of-service (DDoS) attacks
Data loss
MitM attacks.

Question 9

Q

What are the 4 primary threats in the Cloud?

Answer

A

Web server vulnerabilities
Distributed denial-of-service (DDoS) attacks
Data loss
MitM attacks.

Question 10

Q

What are 4 typical threats seen in the WAN?

Answer

A

Malware propagation
Unauthorized network access
WAN sniffing
MitM attacks.

Question 11

Q

What are the 6 Security Concepts used to evaluate each PIN?

Answer

A

Management
Security Intelligence
Compliance
Segmentation
Threat Defense
Secure Services

Question 12

Q

What is the Management security concept?

Answer

A

Centralized device management is critical for consistent policy deployment, change management, and patching systems

Question 13

Q

What is the Security Intelligence security concept?

What does Security Intelligence provide?
What does it enable the infrastructure to do?
What 2 things does this enable?

Answer

A

Security intelligence provides detection of emerging malware and cyber threats
It enables an infrastructure to enforce policy dynamically, as reputations are augmented by the context of new threats.
This enables accurate and timely security protection.

Question 14

Q

What are 3 examples of the Compliance security concept?

Answer

A

PCI
DSS 3.0
HIPAA.

Question 15

Q

What is the Segmentation security concept?

What does it reduce?
How does it reduce that?

Answer

A

Establishing boundaries for both data and users
Reduces operational challenges
By using identity-aware infrastructure to enforce policies in an automated and scalable manner

Question 16

Q

What does the Threat Defense security concept provide?

What 3 things does it use to provide that?

Answer

A

Visibility into the most dangerous cyber threats
Network traffic telemetry
File reputation
Contextual information

Question 17

Q

What 3 technologies does the Secure Services security concept include?

What 3 things does this protect?

Answer

A

Technologies include
- access control
- VPNs
- Encryption.
Applications
Collaboration
Wireless

Question 18

Q

What is provided by implementing the Cisco SAFE framework in an organization?

Answer

A

Advanced threat defense protection that spans the full attack continuum before, during, and after an attack for all the PINs.

Question 19

Q

What 2 things are required in the ‘Before’ phase?

Answer

A

Full knowledge of all the assets that need to be protected
Identification of the types of threats that could target those assets

Question 20

Q

What 3 actions happen during the ‘Before’ phase?

Answer

A

Control
Enhance
Harden

Question 21

Q

What 5 Cisco solutions are used in the ‘Before’ phase?

Answer

A

Next-generation firewalls
Network access control
Network security analysis
Identity services
Advanced Malware Protection (AMP)

Question 22

Q

What is defined in the ‘During’ phase?

Answer

A

The abilities and actions that are required when an attack gets through.

Question 23

Q

What 5 activities occur in the ‘During’ phase?

Answer

A

Threat analysis
Incident response
Detect
Block
Defend

Question 24

Q

What 4 things can organizations leverage in the ‘During’ phase?

Answer

A

Next-gen IPS (NGIPS)
Next-gen firewalls (NGFW)
AMP
Email and web security solutions with AMP

Question 25

Q

What do the systems used in the ‘During’ phase provide?

Answer

A

They make it possible to detect, block, and defend against attacks that have penetrated the network and are in progress.

Question 26

Q

What is defined in the ‘After’ phase?

Answer

A

The ‘After’ phase is defined by the ability to detect, scope, contain, and remediate an attack.

Question 27

Q

In the ‘After’ phase what needs to be incorporated into the existing security solution?

Answer

A

Any lessons learned

Question 28

Q

What 4 things can organizations leverage in the ‘After’ phase?

Answer

A

Cisco Advanced Malware Protection (AMP)
Next-generation firewalls (NGFW)
Malicious network behavior analysis using Stealthwatch
Security Analytics

Question 29

Q

In the ‘After’ phase what can the leveraged tools accomplish?

Answer

A

The will quickly and effectively scope, contain, and remediate an attack to minimize damage.

Question 30

Q

What is Cisco TALOS?

What do they have that supports them?
What does it create?
What 3 things do they do with it?

Answer

A

A team of security experts
Sophisticated security systems
Creates threat intelligence
Detects known and emerging threats
Analyzes known and emerging threats
Protects known and emerging threats

Question 31

Q

What 3 teams comprise TALOS?

Answer

A

IronPort Security Applications (SecApps)
Sourcefire Vulnerability Research Team (VRT)
The Cisco Threat Research, Analysis, and Communications (TRAC) team

Question 32

Q

What 6 intelligence feeds go into TALOS?

Answer

A

Advanced Microsoft and industry disclosures
AMP community
Honeypots
The Sourcefire Awareness, Education, Guidance, and Intelligence Sharing (AEGIS) program
Private and public threat feeds
Dynamic analysis

Question 33

Q

What 7 user communities does TALOS leverage?

Answer

A

ClamAV
Snort
Immunet
SpamCop
SenderBase
Threat Grid, and Talos user communities

Question 34

Q

What does TALOS do with the intelligence from their feeds?

Answer

A

It is fed into a wide range of security products and solutions to provide protection against an extensive range of threats.

Question 35

Q

What is Cisco Threat Grid?

Answer

A

A solution the can perform static and dynamic file analysis to determine if the file is malware.

Question 36

Q

What does Cisco Threat Grid do when it identifies a file as malware?

Answer

A

It begins to understand what it is doing or attempting to do, the scope of the threat it poses, and how to defend against it.

Question 37

Q

What are 3 examples of some of the things Threat Grid looks at for static file analysis?

Answer

A

Filenames
MD5 checksums
File types

Question 38

Q

What 3 ways is Threat Grid made available?

Answer

A

Appliance
Cloud-based
Integrated into other Cisco security products

Question 39

Q

What are 2 places where Threat Grid get files to analyze?

Answer

A

Automatic submission from products integrated with Threat Grid
Files can be manually uploaded

Question 40

Q

What is Cisco Advanced Malware Protection (AMP)?

Answer

A

It is a malware analysis and protection solution that goes beyond point-in-time detection.

Question 41

Q

How is AMP leveraged ‘Before’ an attack?

Answer

A

Global threat intelligence from Cisco Talos and Cisco Threat Grid feeds into AMP to protect against known and new emerging threats.

Question 42

Q

How is AMP leveraged ‘During’ an attack?

Answer

A

File reputation to determine whether a file is clean or malicious as well as sandboxing are used to identify threats during an attack.

Question 43

Q

How is AMP leveraged ‘After’ an attack?

Answer

A

Cisco AMP provides retrospection, indicators of compromise (IoCs), breach detection, tracking, analysis, and surgical remediation after an attack, when advanced malware has slipped past other defenses.

Question 44

Q

What are the 3 main components of the AMP architecture?

Answer

A

AMP Cloud (public or private)
AMP Connectors
Threat intelligence from Cisco Talos and Cisco Threat Grid

Question 45

Q

What are the AMP Connectors?

Answer

A

AMP for Endpoints (Microsoft Windows, macOS X, Google Android, Apple iOS, and Linux)
AMP for Networks (NGFW, NGIPS, ISRs)
AMP for Email (ESA)
AMP for Web (WSA)
AMP for Meraki MX
Cisco Security Connector (AMP for Apple iOS)

Question 46

Q

What is the most important component of AMP architecture?

Answer

A

The AMP Cloud

Question 47

Q

What does the AMP Cloud contain?

Answer

A

The database of files and their reputations (malware, clean, unknown, and custom), also referred to as file dispositions.

Question 48

Q

What happens if an AMP connector uploads a sample file to AMP Cloud and the file’s reputation is deemed to be malicious?

Answer

A

it is stored in the cloud and reported to AMP connectors that see the same file.

Question 49

Q

What happens if an AMP connector uploads a sample file to AMP Cloud and the file’s reputation is deemed to be unknown?

Answer

A

The file is sent to Threat Grid, where its behavior is analyzed in a secure sandbox environment.

Question 50

Q

How does AMP go beyond point-in-time detection?

Answer

A

AMP Cloud performs decision making in real time, evolving constantly based on the data that is received. AMP Cloud is capable of identifying malware on files that were previously deemed to be clean.

Question 51

Q

How do AMP connectors remain lightweight?

Answer

A

By sending a hash to the cloud and allowing the cloud to make the intelligent decisions and return a verdict (about reputation or file disposition) of clean, malicious, or unknown.

Question 52

Q

What is Cisco AnyConnect Secure Mobility Client?

Answer

A

It is a modular endpoint software product
VPN client using Transport Layer Security (TLS)/ Secure Sockets Layer (SSL) and IPsec IKEv2
Enhanced security through various built-in modules, such as a VPN Posture (HostScan) module and an ISE Posture module.

Question 53

Q

What do the modules do in AnyConnect?

Answer

A

They enable Cisco AnyConnect to assess an endpoint’s compliance for things like antivirus, antispyware, and firewall software installed on the host.

Question 54

Q

What does AnyConnect do if an endpoint is found not to be compliant?

Answer

A

Network access can be restricted until the endpoint is in compliance.

Question 55

Q

Along with the modules what other capabilities does AnyConnect have?

Answer

A

Web security through Cisco Cloud Web Security
Network visibility into endpoint flows within Stealthwatch
Roaming protection with Cisco Umbrella

Question 56

Q

What platforms does AnyConnect support?

Answer

A

Windows
macOS
iOS
Linux
Android
Windows Phone/ Mobile
BlackBerry * ChromeOS.

Question 57

Q

What is SSL/TLS?

Answer

A

SSL has been deprecated so it really means TLS

Question 58

Q

What does Cisco Umbrella do?

Answer

A

Cisco Umbrella provides the first line of defense against threats on the Internet by blocking requests to malicious Internet destinations (domains, IPs, URLs) using the Domain Name System (DNS) before an IP connection is established or a file is downloaded.

Question 59

Q

How is Cisco Umbrella delivered?

Answer

A

It is 100% cloud delivered, with no hardware to install or software to maintain.

Question 60

Q

Where is Cisco Umbrella located?

Answer

A

30 data centers around the world

Question 61

Q

How does Cisco Umbrella maintain 100% uptime?

Answer

A

It uses Anycast DNS

Question 62

Q

How is DNS traffic routed to the closest Cisco Umbrella site?

Answer

A

It has an Anycast Infrastructure

Question 63

Q

What does Cisco Umbrella do with the data it gathers?

Answer

A

It is fed in real time into Umbrella’s massive graph database, where statistical and machine learning models are continuously run against it. * It’s also analyzed by Umbrella researchers and TALOS.

Question 64

Q

How is Cisco Umbrella installed?

Answer

A

By the corporate network changing the DHCP configuration on all Internet gateways (that is, routers, access points) so that all devices, including guest devices, forward their DNS traffic to Umbrella’s global network.

Answer 64

A

In the Cisco AnyConnect client, there is an option to enable a roaming security module, which allows for all DNS requests to be sent to Umbrella’s global network even when the VPN is turned off, and it does this without requiring an additional agent.

Answer 65

A

The other option is to deploy the Umbrella roaming client, which tags, encrypts, and forwards DNS queries bound for the Internet to the Umbrella global network so per-device security policies can be enforced everywhere without latency or complexity.

Answer 66

A

(WSA) is an all-in-one web gateway that includes a wide variety of protections that can block hidden malware from both suspicious and legitimate websites by leveraging real-time threat intelligence from Cisco Talos and Cisco AMP Threat Grid

Answer 67

A

It actively detects and blocks potential threats before they happen by applying web reputation filters and URL filtering and by controlling web application usage

Answer 68

A

Web reputation filters (TALOS)
Web Filtering (traditional, also from TALOS)
Cisco Application Visibility and Control (AVC)

Answer 69

A

It uses security intelligence from cloud access security broker (CASB) providers, Talos, and AMP for networks to identify and block zero-day threats that managed to infiltrate the network.

Answer 70

A

Cloud access security
Parallel antivirus (AV) scanning
Layer 4 traffic monitoring
File reputation and analysis with Cisco AMP
Data loss prevention (DLP)

Answer 71

A

WSA inspects the network continuously for instances of undetected malware and breaches.

Answer 72

A

Global Threat Analytics (GTA) analyzes web traffic
Endpoint data from Cisco AMP for Endpoints
Network data from Cisco Stealthwatch Enterprise.
It then uses machine learning to identify malicious activity before it can exfiltrate sensitive data.

Answer 73

A

Cloud
Virtual appliance on-premises, or in a hybrid arrangement.

Answer 74

A

It enables users to communicate securely via email and helps organizations combat email security threats with a multilayered approach across the attack continuum.

Answer 75

A

Global threat intelligence (TALOS and Threat Grid)
Reputation filtering (TALOS)
Spam protection
Forged email detection
Cisco Advanced Phishing Protection (CAPP)
Cisco Domain Protection (CDP)
Malware defense
Graymail detection and Safe Unsubscribe
URL-related protection and control
Outbreak filters
Web interaction tracking
Data security for sensitive content in outgoing emails

Answer 76

A

It is a system that provides IDS functions and also automatically blocks intrusion attacks.

Answer 77

A

Real-time contextual awareness
Advanced threat protection and remediation
Intelligent security automation
Unparalleled performance and scalability
Application Visibility and Control (AVC)
URL filtering
Centralized management
Global threat intelligence from the Cisco Talos
Snort IPS detection engine
High availability and clustering
Third-party and open-source ecosystem
Integration with Cisco ISE (Quarantine, Unquarantine, Shutdown)

Answer 78

A

Appliance
Firepower Threat Defense (FTD) for ISR
NGIPS Virtual (NGIPSv)

Answer 79

A

The integration of existing ASA software with Firepower NGIPS
The industry’s first fully integrated, threat-focused NGFW with unified management

Answer 80

A

Firepower series appliances
All ASA5500-x appliances (except 5585-x)

Answer 81

A

ASA software image
ASA software image with Firepower Services software image (NGIPS)
Firepower Threat Defense (FTD) software image

Answer 82

A

* ISR Modules * Firepower virtual NGFW (NGFWv) appliances, supported in VMware, KVM, Amazon Web Services (AWS), and Microsoft Azure environments

Answer 83

A

Firepower Management Center (FMC)
Firepower Device Manager (FDM) for small appliances

Answer 84

A

CLI
Cisco Security Manager (CSM)
Adaptive Security Device Manager (ASDM)
Cisco Defense Orchestrator

Answer 85

A

No, only for initial setup and troubleshooting.

Answer 86

A

A centralized management platform that aggregates and correlates threat events, contextual information, and network device performance data. It can be used to monitor information that Firepower security devices are reporting to each other and examine the overall activity occurring in the network.

Answer 87

A

Firepower NGFW and NGFWv
Firepower NGIPS and NGIPSv
Firepower Threat Defense for ISR
ASA with Firepower Services
Advanced Malware Protection (AMP)

Answer 88

A

It is is a collector and aggregator of network telemetry data that performs network security analysis and monitoring to automatically detect threats that manage to infiltrate a network as well as the ones that originate from within a network.

Answer 89

A

It is the only product that can detect malware in encrypted traffic and ensure policy compliance without decryption.

Answer 90

A

Stealthwatch Enterprise
Stealthwatch Cloud

Answer 91

A

Flow rate license
Flow collector (hardware or VM)
Stealthwatch Management Console (hardware or VM)

Answer 92

A

Cisco Stealthwatch Threat Intelligence
Cisco Stealthwatch Endpoint
Cisco Stealthwatch Cloud

Answer 93

A

Real-time threat detection
Incident response and forensics
Network segmentation
Network performance and capacity planning
Ability to satisfy regulatory requirements

Answer 94

A

Flow Sensor
UDP Director

Answer 95

A

Public cloud monitoring
Private cloud monitoring

Answer 96

A

(ISE) is a security policy management platform that provides highly secure network access control (NAC) to users and devices across wired, wireless, and VPN connections. It allows for visibility into what is happening in the network, such as who is connected (endpoints, users, and devices), which applications are installed and running on endpoints (for posture assessment), and much more.

Answer 97

A

Streamlined network visibility
Cisco DNA center integration
Centralized secure NAC
Centralized device access control
TrustSec
Guest lifecycle mgmt
Streamlined device onboarding
Internal certificate authority
Device profiling
Endpoint posture service
Active Directory support
Cisco Platform Exchange Grid (pxGrid) versions 1.0 and 2.0

Answer 98

A

802.1x
MAB
WebAuth
TrustSec
MACSec

Answer 99

A

Dot1x) is a standard for port-based network access control (PNAC) that provides an authentication mechanism for local area networks (LANs) and wireless local area networks (WLANs).

Answer 100

A

Extensible Authentication Protocol (EAP)
EAP Method (or Type)
EAP over LAN (EAPoL)
RADIUS

Answer 101

A

Supplicant
Authenticator
Authentication server

Answer 102

A

When the authenticator notices a port coming up, it starts the authentication process by sending periodic EAP-request/ identify frames. The supplicant can also initiate the authentication process by sending an EAPoL-start message to the authenticator.

Answer 103

A

The authenticator relays EAP messages between the supplicant and the authentication server, copying the EAP message in the EAPoL frame to an AV-pair inside a RADIUS packet and vice versa until an EAP method is selected. Authentication then takes place using the selected EAP method.

Answer 104

A

If authentication is successful, the authentication server returns a RADIUS access-accept message with an encapsulated EAP-success message as well as an authorization option such as a downloadable ACL (dACL). When this is done, the authenticator opens the port.

Answer 105

A

EAP challenge-based authentication method
EAP TLS authentication method
EAP tunneled TLS authentication method
EAP inner authentication methods

Answer 106

A

Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)

Answer 107

A

Extensible Authentication Protocol Flexible Authentication via Secure Tunneling (EAP-FAST)
Extensible Authentication Protocol Tunneled Transport Layer Security (EAP-TTLS)
Protected Extensible Authentication Protocol (PEAP)

Answer 108

A

EAP Generic Token Card (EAP-GTC)
EAP Microsoft Challenge Handshake Authentication Protocol Version 2( EAP-MSCHAPv2)
EAP-TLS

Answer 109

A

This algorithm uses the MD5 message-digest algorithm to hide the credentials in a hash. The hash is sent to the authentication server, where it is compared to a local hash to validate the accuracy of the credentials.

Answer 110

A

It lacks mutual authentication. It can’t authenticate the authentication server.

Answer 111

A

It uses the TLS Public Key Infrastructure (PKI) certificate authentication mechanism to provide mutual authentication of supplicant to authentication server and authentication server to supplicant. With EAP-TLS, both the supplicant and the authentication server must be assigned a digital certificate signed by a certificate authority (CA) that they both trust.

Answer 112

A

EAP-TLS is the most difficult to deploy due to the administrative burden of having to install a certificate on the supplicant side.

Answer 113

A

EAP-TLS because both the supplicant and the authentication server need to have certificates.

Answer 114

A

In PEAP, only the authentication server requires a certificate, which reduces the administrative burden of implementing EAP. PEAP forms an encrypted TLS tunnel between the supplicant and the authentication server. After the tunnel has been established, PEAP uses one of the EAP authentication inner methods to authenticate the supplicant through the outer PEAP TLS tunnel

Answer 115

A

The client’s credentials are sent to the server encrypted within an MSCHAPv2 session. This is the most common inner method, as it allows for simple transmission of username and password, or even computer name and computer password, to the RADIUS server, which can then authenticate them using Microsoft’s Active Directory.

Answer 116

A

This inner method was created by Cisco as an alternative to MSCHAPv2 to allow generic authentications to virtually any identity store, including OTP token servers, LDAP, NetIQ eDirectory, and more.

Answer 117

A

This is the most secure EAP authentication since it is essentially a TLS tunnel within another TLS tunnel. It is rarely used due to its deployment complexity because it requires certificates to be installed on the supplicants.

Answer 118

A

Developed by Cisco Systems as an alternative to PEAP
It allows faster re-authentications and support for faster wireless roaming * Supports EAP chaining

Answer 119

A

EAP-FAST forms a TLS outer tunnel and then transmits the client authentication credentials within that outer TLS tunnel

Answer 120

A

EAP-FAST has the ability to re-authenticate faster by using protected access credentials (PACs).

Answer 121

A

Protected Access Credentials
Similar to a cookie
Stored locally on the host as proof of having been successfully authenticated.

Answer 122

A

PEAP only supports EAP inner authentication methods, while EAP-TTLS can support additional inner methods such as legacy Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

Answer 123

A

Similar in functionality to PEAP
Not as widely supported as PEAP.

Answer 124

A

EAP Chaining supports machine and user authentication inside a single outer TLS tunnel. It enables machine and user authentication to be combined into a single overall authentication result. This allows the assignment of greater privileges or posture assessments to users who connect to the network using corporate-managed devices.

Answer 125

A

MAC Authentication Bypass - it enables port-based access control using the MAC address of an endpoint, and it is typically used as a fallback mechanism to 802.1x. A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the endpoint that connects to it.

Answer 126

A

The switch initiates authentication by sending an EAPoL identity request message to the endpoint every 30 seconds by default. After three timeouts (a period of 90 seconds by default), the switch determines that the endpoint does not have a supplicant and proceeds to authenticate it via MAB.

Answer 127

A

The switch begins MAB by opening the port to accept a single packet from which it will learn the source MAC address of the endpoint. Packets sent before the port has fallen back to MAB (that is, during the IEEE 802.1x timeout phase) are discarded immediately and cannot be used to learn the MAC address. After the switch learns the source MAC address, it discards the packet. It crafts a RADIUS access-request message using the endpoint’s MAC address as the identity. The RADIUS server receives the RADIUS access-request message and performs MAC authentication.

Answer 128

A

The RADIUS server determines whether the device should be granted access to the network and, if so, what level of access to provide. The RADIUS server sends the RADIUS response (access-accept) to the authenticator, allowing the endpoint to access the network. It can also include authorization options such as dACLs, dVLANs, and SGT tags.

Answer 129

A

Disable 802.1x. If 802.1x is not enabled, MAB authentication starts immediately after linkup instead of waiting for IEEE 802.1x to time out.

Answer 130

A

MAC addresses are easily spoofed.

Answer 131

A

Downloadable ACLs (dACLs)
Dynamic VLAN Assignment (dVLAN)
Security Group Tags (SGTs)

Answer 132

A

With WebAuth, endpoints are presented with a web portal requesting a username and password. The username and password that are submitted through the web portal are sent from the switch (or wireless controller, firewall, and so on) to the RADIUS server in a standard RADIUS access-request packet.

Answer 133

A

Local Web Authentication
Centralized Web Authentication with Cisco ISE

Answer 134

A

Switch or WLC redirects web traffic to web portal hosted on the switch or WLC.
End user enters name/password.
Switch forwards to creds to RADIUS server

Answer 135

A

Not customizable
No support for an Acceptable Use Policy page
No password change capability
No device registration
No self registration
No VLAN assignment
No posture or profiling

Answer 136

A

No, the two are mutually exclusive.

Answer 137

A

The switch performs MAB, sending the RADIUS access-request to Cisco ISE.
ISE sends RADIUS result and redirect to portal on ISE
Endpoint gets IP, DNS and def gtwy from DHCP
End user opens web page located on iSE, enters creds.
ISE sends re-authentication Change of Authorization (CoA-reauth) to the switch.
Switch sends new MAB req with same session ID to ISE.
ISE sends final auth result to switch for end user including an authorization option such as a dowloadable ACL (dACL).

Answer 138

A

With Central WebAuth with ISE ISE stores the credentials and ties the MAC address to the credentials.

Answer 139

A

Central WebAuth supports:

CoA for posture profiling
dACL
VLAN authorization options
Client provisioning
Posture assessments
Acceptable use policies
Password changing
Self registration
Device registration.

Answer 140

A

802.1x authentication first
followed by MAB
and then WebAuth.

Answer 141

A

FlexAuth allows multiple authentication methods concurrently (for example, 802.1x and MAB) so that endpoints can be authenticated and brought online more quickly.

Answer 142

A

Cisco Identity-Based Networking Services (IBNS) 2.0 which offers authentication, access control, and user policy enforcement.

Answer 143

A

It is an integrated solution that offers authentication, access control, and user policy enforcement with a common end-to-end access policy that applies to both wired and wireless networks.

Answer 144

A

Enhanced FlexAuth
Cisco Common Classification Policy Language (C3PL)
Cisco ISE

Answer 145

A

It is a next-generation access control enforcement solution developed by Cisco to address the growing operational challenges related to maintaining firewall rules and ACLs by using Security Group Tag (SGT) tags.

Answer 146

A

Cisco ISE assigns SGT tags to users/devices that are authenticated and authorized through 802.1x, MAB, or WebAuth.
The SGT tag assignment is delivered to the authenticator as an authorization option (in the same way as a dACL).
After the SGT tag is assigned, an access enforcement policy (allow or drop) based on the SGT tag can be applied at any egress point of the TrustSec network.

Answer 147

A

TrustSec uses SGT tags to perform ingress tagging and egress filtering to enforce access control policy.

Answer 148

A

Scalable Group Tag
the context of the user, device, use case, or function

Answer 149

A

No, endpoints are not aware of the SGT tag. The SGT tag is only known and applied in the network infrastructure.

Answer 150

A

Ingress Classification
Propogation
Egress Enforceent

Answer 151

A

Ingress classification is the process of assigning SGT tags to users, endpoints, or other resources as they ingress the TrustSec network.

Answer 152

A

Dynamic assignment
Static assignment

Answer 153

A

The SGT is assigned dynamically and can be downloaded as an authorization option from ISE when authenticating using 802.1x, MAB, or WebAuth.

Answer 154

A

Usually done in data centers. SGT tags can be statically mapped on SGT-capable network devices.

Answer 155

A

IP to SGT tag
Subnet to SGT tag
VLAN to SGT tag
L2 Interface to SGT tag
L3 logical interface to SGT tag
Port to SGT tag
Port Profile to SGT tag

Answer 156

A

Cisco ISE added the ability to centrally configure a database of IP addresses and their corresponding SGT tags
Network devices that are SGT capable can download the list from Cisco ISE

Answer 157

A

The process of communicating the mappings to the TrustSec network devices that will enforce policy based on SGT tags.

Answer 158

A

Tag— inline tagging (also referred to as native tagging)
Cisco-created protocol SGT Exchange Protocol (SXP)

Answer 159

A

With inline tagging, a switch inserts the SGT tag inside a frame to allow upstream devices to read and apply policy. Native tagging is completely independent of any Layer 3 protocol (IPv4 or IPv6), so the frame or packet can preserve the SGT tag throughout the network infrastructure (routers, switches, firewalls, and so on) until it reaches the egress point.

Answer 160

A

It is supported only by Cisco network devices with ASIC support for TrustSec.

Answer 161

A

The frame would be dropped.

Answer 162

A

SGT Exchange Protocol (SXP)
Cisco TCP-based peer-to-peer protocol used for network devices that do not support SGT inline tagging in hardware.
Using SXP, IP-to-SGT mappings can be communicated between non-inline tagging switches and other network devices.
Non-inline tagging switches also have an SGT mapping database to check packets against and enforce policy.

Answer 163

A

The speaker.

Answer 164

A

The listener.

Answer 165

A

No, they can be single or multihop.

Answer 166

A

Security Group ACL (SGACL)
Security Group Firewall (SGFW)

Answer 167

A

Provides enforcement on routers and switches. Access lists provide filtering based on source and destination SGT tags.

Answer 168

A

Provides enforcement on firewalls (such as Cisco ASA and NGFW). Requires tag-based rules to be defined locally on the firewall.

Answer 169

A

It is an IEEE 802.1AE standards-based Layer 2 hop-by-hop encryption method.

Answer 170

A

Traffic is encrypted only on the wire between two MACsec peers and is unencrypted as it is processed internally within the switch.

Answer 171

A

It allows the switch to look into the inner packets for things like SGT tags to perform packet enforcement or QoS prioritization.

Answer 172

A

The switch leverages onboard ASICs to perform the encryption and decryption

Answer 173

A

MACsec adds:

An additional 16-byte MACsec Security Tag field (802.1AE header)
A 16-byte Integrity Check Value (ICV) field.

Answer 174

A

Galois Method Authentication Code (GMAC)
Authenticated encryption using Galois/ Counter Mode Advanced Encryption Standard (AES-GCM).

Answer 175

A

Yes, they have to support MACsec so they can recognize and use the fields added to the Ethernet frame.

Answer 176

A

MACsec EtherType (first two octets)
TCI/ AN (third octet)
SL (fourth octet)
Packet Number (octets 5– 8)
SCI (octets 9– 16)

Answer 177

A

Set to 0x88e5, designating the frame as a MACsec frame

Answer 178

A

Tag Control Information/ Association Number field, designating the version number if confidentiality or integrity is used on its own

Answer 179

A

Short Length field, designating the length of the encrypted data

Answer 180

A

The packet number for replay protection and building of the initialization vector

Answer 181

A

Secure Channel Identifier, for classifying the connection to the virtual port

Answer 182

A

Security Association Protocol (SAP)- this is a proprietary Cisco keying protocol used between Cisco switches
MACsec Key Agreement (MKA) protocol

Answer 183

A

MKA provides the required session keys and manages the required encryption keys. The 802.1AE encryption with MKA is supported between endpoints and the switch as well as between switches.

Answer 184

A

It is the term used to describe the encrypted link between an endpoint and a switch.

Answer 185

A

By the MKA keying protocol.

Answer 186

A

MACsec-capable switch and a MACsec-capable supplicant on the endpoint (such as Cisco AnyConnect).

Answer 187

A

The encryption on the endpoint may be handled in hardware (if the endpoint possesses the correct hardware) or in software, using the main CPU for encryption and decryption.

Answer 188

A

The Cisco switch has the ability to force encryption, make encryption optional, or force non-encryption.

Answer 189

A

It can be configured manually per port (which is not very common)
Dynamically as an authorization option from Cisco ISE (which is much more common).

Answer 190

A

The policy issued by ISE overrides anything set using the switch CLI.

Answer 191

A

This is the term for encrypting a link between switches with 802.1AE.

Answer 192

A

MACsec uses Cisco proprietary SAP encryption. The encryption is the same AES-GCM-128 encryption used with both uplink and downlink MACsec.

Answer 193

A

Uplink MACsec may be achieved manually or dynamically. Dynamic MACsec requires 802.1x authentication between the switches.

Answer 194

A

LEAP
EAP-FAST

Brainscape's Knowledge GenomeTM

Chap 25 - Secure Network Access Control Flashcards

Brainscape's Knowledge Genome^TM