Content Security Flashcards

1
Q

Cisco acquired company that created what we know today as the Cisco Web Security Appliance (WSA) and the Cisco Email Security Appliance (ESA)

A

Ironprot

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Cisco WSA and Cisco ESA can be managed by ?
This provides a solution for centralizing the management and reporting functions of multiple Cisco ESA and Cisco WSA devices

A

Cisco Security Management appliance (SMA)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

This power Cisco WSA, ESA and SMA. It is based on freeBSD based kernel. This does not have a user UNIX Shell. Administrators can configure the system using a web admin portal (or web based) or a fully scriptable command-line interface (CLI)

A

Cisco Async Operating System (AsyncOS)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Different Web Security Appliance (WSA) feature engine

A
  • web reputation engine
  • web filtering
  • application visibility and control (AVC)
  • cloud access security
  • anti virus scanning
  • file reputation
  • data-loss prevention
  • file sandboxing
  • file retrospection
  • cognitive threat analysis
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Cisco WSA typically placed either on the inside of the internet edge firewall or in a demilitarized zone. Cisco WSA have one or more of the following interface types

A
  • M1 : Typically used for management
  • P1/P2 : Typically the interfaces used for web proxy traffic. Each interface must be connected to different subnets
  • T1/T2: Used for layer 4 traffic monitoring to listen to all TCP Ports. They are not configured with IP address because they are promiscuous monitoring ports.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Two modes of deployment for Cisco WSA

A
  • Explicit forward mode (client explicitly use proxy)
  • Transparent mode (client dont know there is a proxy. Network infrastructure device are configured to forward traffic to WSA)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

On WSA traffic redirection can be done using?

A

PBR (policy based routing) on many routers

Cisco’s Web Cache Communication Protocol (WCCP) on Cisco ASA, routers and switches

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Steps in configure WCCP in Cisco ASA to redirect web traffic to Cisco WSA

A
  1. Create ACL to define Http and https
    - access-list HTTP-traffic permit tcp 10.1.1.0 255.255.255.0 any eq www
    - access-list HTTPS-traffic permit tcp 10.1.1.0 255.255.255.0 any eq https
  2. You can also inspect FTP traffic
    - access-list FTP traffic permit tcp 10.1.1.0 255.255.255.0 any eq ftp
    - acecss-list FTP-traffic permit tcp 10.1.1.0 255.255.255.0 ay range 1100 11006
  3. creating an ACL to define where to send the traffic
    - acess-list WAA extended permit ip 10.1.2.3 any
    - wccp web-cache redirect HTTP-traffic group-list wsa
    - wccp 10 redirect-list FTP-traffic group-list WSA
    - wccp 20 redirect-list HTTPS-traffic group-list WSA
  4. configuring traffic redirection on source interface
    - wccp interface inside web-cache redirect in
    - wccp interface inside 10 redirect in
    - wccp interface inside 20 redirect in
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You can configure WCCP on a Cisco Firepower Threat Defence (FTD) device by using this. It is a container of an ordered list of FlexConfig objects.

A

Cisco Firepower Management Console (FMC) Flexconfig Policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

When Cisco WSA (a s web proxy) forward request, by default it changes the request source iP address to match it own IP. However you can change this by enabling ______ ?

A

Web proxy IP Spoofing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Policy type that you can enable in the Cisco WSA. This policies are configured to identify user behind the web request instead of just IP address

A

Identification policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Cisco WSA provides different options for the AD or LDAP realm authentication. These are the available schemes

A
  • Basic authentication : Done via web browser. Not transparent
  • NTLMSSP : This is transparent authentication. The web browser must be compatible and provide support for NTLMSSP.
  • Kerberos: Primarily use for windows client. Considered as a more secure options
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Authentication surrogates options enable you to configure how web transactions willbe associated with a user after the user has been successfully authenticated. Here are the options

A
  • IP Address : until surroages times out
  • Persistent cookie : until surrogates timeout
  • session cookie: until session timeout or browser is closed
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

This policies in WSA map the identification profile for users. also time-based restrictions

A

Access policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Additional settings and customizations you can configure on WSA:

A
  • you can use the AVC engine to enforce acceptable use-policy components to block or allow applications
  • configure as web proxy to block file downloads on file chracacteristics
  • define an access policy to apply antimalware and url reputation
  • configure WSA to decrypt and evaluate SSL traffic.
  • create an outbound malware policy on Cisco WSA to block malware upload
  • Cisco WSA support DLP servers.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

This can be deployed as physical or virtual appliance or cloud service. This acts as email gateway to organizations, controlling the transfer of all email connections, accepting messages and relaying messages to appropriate email servers. Can handle all email smtp connections

A

Cisco Email Security Appliance (ESA)

17
Q

Most important email concepts

A
  • Mail transfer agent : know as MTA, responsible for transfering emails from sender to recepient
  • Mail Delivery Agent : MDA, A component of MTA responsible for the final delivery of an email message.
  • Mail user Agent: MUA, email client or email reader installed on user system or mobile devices
  • Mail Submission Agent : MSA, a component of MTA that accepts new mail messages.
  • Internet Message Access Protocol : IMAP, email client communications protocol that allow users to keep messages on the server
  • Post Office Protocol - POP, an application layer protocol used by an email client retrieve or download email from server
18
Q

Used to route the mail traffic on the internet

A

DNS MX records.

19
Q

Example of Cisco ESA deployment. Steps

A
  1. the sender send email to boo@secret.com
  2. the sending mail server lookups the MX record
  3. the sending mail server opens an SMTP connection to Cisco ESA
  4. the Cisco ESA inspect email transaction
  5. the email recepeint retrieves the email from the internal mail server
20
Q

Cisco ESA use this to handle incoming SMTP connection request. Determine the email processing service configured on a Cisco ESA interface

A

Cisco ESA Listeners

21
Q

Is a reputation service that enables you to control the messages that come through the Cisco ESA email gateway based on the sender trustworthiness (reputation)

A

Cisco SenderBase

22
Q

Concept of Cisco ESA. This are enable by default and provide a dynamic quarantine (also called delay quarantine).

A

Outbreak filters

23
Q

Is a Cisco ESA term that defines which recipients are accepted by a public listener

A

Recipient Access Table (RAT)

24
Q

Cisco ESA feature that allows you to secure your sensitive, proprieatry information and intellectual property, preventing this data from leaving your network such ash marketing messages, spam, graymail, malware phishing, confidential data, personally identifiable information (PII)

A

Cisco ESA Data Loss Protection

25
Q

Enable recipients to verify Sender IP Address by looking up DNS records that authorized mail gateways for a particular domain. Also this is a industry standard defined in RFC 4408. Uses DNS TXT resource records

A

Sender Policy Framework (SPF)

26
Q

Is an industry standard defined in RFC 5585. Provides a means for gateway based cryptographic signing of outgoing messages. Allows you to embed verification data in an email header and for recipients to verify the integrity of the email messages

A

DKIM (domain keys identified mail)

27
Q

Dashboard in Cisco SMA

A
  • Cisco SMA Monitoring FLow Summary : can see email message and email categorized as threats
  • Advanced Malware Protection (AMP) Summary Dashboard : show incoming file with email messages. Statistic about disposition of each file is displayed
  • Cisco SMA File Analysis Dashboard : the dashboard shows the time and verdict for each file send to analysis
  • File Retrospection Dashboard : list the file processed by the Cisco ESA for which verdict has change since the message was received
  • DLP Incident dashboard : includes the incidents of DLP policy violation occurring in outgoing email
28
Q

You can use File Analysis view of AMP dashboard to view the following

A
  • the number of outgoing files that are uploaded for file analysis by the File Analysis of the AMP engine
  • a list of incoming and outgoing files that have completed file analysis request
  • A list of incoming and outgoing file the have pending file analysis request
29
Q

DLP incident summary page contains two main sections

A
  • DLP incident trend graphs sumarizing the top DLP incidents by severity (low, medium, high critical) and policy matches
  • DLP incident detail listing
30
Q

Proxy server configuration can be provisioned to clients through what DHCP Options

A

DHCP Options 252