Enterprise Network Security Architecture

Question 1

Vulnerability

definition

2023.12.28 - new card split from prev card

Answer 1

• a weakness that comprises either the security or the functionality of the system

Question 2

Exploit

definition

2023.12.28 - new card split from prev card

Answer 2

• mechanism used to leverage a vulnerability to compromise the security or functionality of a system

Question 3

Threat

definition

2023.12.28 - new card split from prev card

Answer 3

• any circumstance or event with the potential to cause harm to an asset in the form of destruction, disclosure, adverse modification of data, or DoS

Question 4

Risk

definition

2023.12.29 - new card split from prev card

Answer 4

• the likelihood that a particular threat using a specific attack will exploit a particular vulnerability of an asset that results in a undesirable consequence

Question 5

DOS / DDOS

- define

Answer 5

DoS attacks attempt to consume all a critical computer or network resource to make it unavailable for valid use

Question 6

Spoofing

-define

Answer 6

An attacker injects traffic that appears to be sourced from a legitimate system.

Question 7

Reflection

define

Answer 7

A type of DoS attack where the attacker sends a flood of protocol request packets to various IP hosts. The attacker spoofs the source IP such that each packet has as its src, the IP of the intended target rather than the IP of the attacker. The hosts that receive these packets respond by sending response packets to the spoofed address (the target), thus flooding the unsuspecting target.

Question 8

Social Engineering

define

Answer 8

Manipulating people and capitalizing on expected behaviors.

Question 9

Phishing

define

Answer 9

Pretend to be from a large legitimate organization and request personal information.

Question 10

Password Attacks

define

Answer 10

Access protected resources by obtaining a user’s password. Methods include guessing, brute force, and dictionary attacks.

Question 11

Reconnaissance Attacks

define

Answer 11

An attempt to learn more about the intended victim, often using DNS tools like nslookup

Question 12

Buffer Overflow Attacks

define

Answer 12

An attacker can provide input that is larger than expected, and the service will accept the input and write it to memory, filling up the associated buffer and overwriting adjacent memory.

Question 13

Man-in-the-Middle Attacks

define

Answer 13

A system that has the ability to view the communication between two systems imposes itself in the communication path between those other systems.

Question 14

Malware

define

Answer 14

Malicious software that comes in several forms, including viruses, worms, and Trojan horses

Question 15

Vectors of Data Loss and Exfiltration

define

Answer 15

Refers to the means by which data leaves the organization without authorization.

Question 16

Hacking tools

Answer 16

A penetration test legitimately uses tools to attempt to penetrate an organization’s defenses.

Question 17

IPS Traffic Inspection Methods

Answer 17

1) Signature-based inspection
2) Anomaly-based inspection

Question 18

Signature-based inspection

define

2023.12.29 - new card

Answer 18

• examines the packet headers or data payloads in network traffic and compares the data against a database of known attack signatures

Question 19

Anomaly-based inspection

define

2023.12.29 - new card

Answer 19

observe network traffic and act if a network event outside normal network behavior is detected

Question 20

Anomaly-based Network IPS Types

Answer 20

1) Statistical anomaly detection (network behavior analysis)
2) Protocol verification
3) Policy-based inspection

Question 21

VPN

Answer 21

• defined in RFC 2828
• carries private traffic over a public or shared infrastructure (such as the Internet)

Question 22

Link Encryption

Answer 22

The entire frame is encrypted between two devices. This is used on point-to-point connections of directly connected devices

Question 23

Packet payload encryption

Answer 23

Only the packet payload is encrypted, which allows this form of encryption to be routed across a L3 network, such as the Internet

Question 24

VPN Classification Criteria

Answer 24

1) Deployment mode: Site-to-site VPN and remote-access VPN (e.g. home users)
2) Underlying technology: IPSec VPN, SSL VPN, MPLS VPN, other L2 technologies such as Frame Relay or ATM, and hybrid VPNs combining multiple technologies

Question 25

Cisco Email Security Appliance (ESA)

Answer 25

a type of firewall and threat monitoring appliance for SMTP traffic
1) capability to quickly block new email-based blended attacks
2) capability to control or encrypt sensitive outbound email
3) a rapid spam capture rate and few false positives
4) a proven zero-hour antivirus solution

Question 26

Cisco Web Security Appilance (WSA)

Answer 26

• provides secure web access, content security, and threat mitigation for web services
  1) Advanced malware protection
  2) Application Visibility and Control
  3) Insightful reporting
  4) Secure mobility

Question 27

Logging Destinations

Answer 27

1) Console
2) Monitor
3) Memory buffer
4) Syslog server
5) SNMP Trap
6) Flash memory

Question 28

ASA posture module vs ISE posture module

2023.12.29 - new card

Answer 28

• ISE is client based; ISE sends requirements to endpoint, and relies on endpoint to assess. remediation based on quarantining the endpoint
• ASA is server-based; ASA asks for a list of endpoint attributes and AnyConnect client gathers info. Remediation is limited to working with software already installed on the endpoint

Question 29

Endpoint Security Products

Answer 29

1) Personal firewalls
2) Antivirus
3) Antispyware
4) Malware analysis and protection (Cisco Advanced Malware Protection (AMP))

Question 30

Cisco AMP Elements

Answer 30

1) Cisco Collective Security Intelligence Cloud
2) Client Connector
3) Cisco AMP for Endpoints Mobile
4) Cisco AMP for Endpoints Mac Connector
5) AMP for Networks

Question 31

Cisco AMP Historical Perspectives

Answer 31

1) File Trajectory - shows you the hosts where files were seen
2) Device Trajectory - shows you the actions that files performed on a given host

Question 32

Retrospective Alerting aka Cloud Recall

Answer 32

• go back to systems where an “unknown” file was previously seen and alert the client to the changed disposition to “malicious” and quarantine the file

Question 33

Cisco Collective Security Intelligence Cloud

Answer 33

• where the various detection and analytics engines reside
  1) Spero is a machine-learning malware detection engine that resides in the cloud
  2) Ethos is a fuzzy logic-based malware detection engine. Ethos also resides in the cloud, and is invoked if the file being checked is not known or returns a neutral position

Question 34

Client Connector

Answer 34

• This is the component that runs on the endpoints. It communicates with the cloud to send information about files and to receive file disposition information.

Question 35

AMP for Networks

Answer 35

• Gives Firepower devices the ability to query the cloud to botain file dispotion information on files that are detected by the Firepower devices

Question 36

Cisco AMP Cloud Functions

Answer 36

1) Detection publishing - signatures are in the cloud
2) Large-scale data processing (Big Data) - data comes to the cloud from many resources
3) Decision making that is performed in real-time
4) Reporting

Question 37

Additional Features on Cisco NextGen FW aka Cisco Secure FW

Answer 37

1) Integrate security functions tightly to provide highly effective threat and advanced malware protection
2) Implement policies that are based on application visibility instead of transport protocols and ports
3) Provide URL filtering and other controls over web traffic
4) Provide actionable indications of compromise to identify malware activity
5) Offer comprehensive network visibility
6) Help reduce complexity
7) Integrate and interface smoothly with other security solutions

Question 38

Cisco Secure Firewall Features

Answer 38

1) Cisco URL Filtering
2) Application Visibility and Control
3) Context Awareness
4) Cisco Intrusion Prevention System
5) Advanced Malware Protection

Question 39

Cisco TrustSec

Answer 39

• defines policies using logical policy groupings
• security group tags (SGT)
• IEEE MAC Security (MACsec)

Question 40

Security Group Tag Features

3 points

Answer 40

1) Classification - assignment of an SGT to an IP; Dynamic done with IEEE 802.1X, MAC authentication bypass, or web authentication. Static usually configured on switch where servers are attached
2) Transport - accomplished either through inline tagging or SGT Exchange Protocol (SXP). SXP is used to transport SGT mappings across devices that don’t support inline tagging
3) Enforcement - permit or deny policies on the src & dst SGTs. Done either with SGACLs on switches, or SGFWs on routers & FWs

Question 41

MACSec

Answer 41

• each packet on the wire is encrypted using symmetric key cryptography
• implementation of 802.1AE and its header is marked with ethertype 0x88E5
• encryption keys managed by MACsec Key Agreement (MKA) Protocol
• protected data is between the MACsec header and the ICV field
• the MTU size increases about 40 bytes bc of the 802.1AE and Cisco TrustSec overhead
• Integrity Check Value (ICV) encrypts and protects MACsec frames

Question 42

SGT Classification

Answer 42

• 16-bit tag that represents the unique role of the traffic source
• can be dynamically obtained from Cisco ISE, or static
• dynamic tagging deployed with 802.1X, MAB, or web authentication
• static tagging can be configured on ISE and downloaded to NAD, or configured directly on NAD
• embedded in Cisco TrustSec Meta Data header, which uses ethertype 0x8909

Question 43

MACsec Key Agreement (MKA)

Answer 43

• basic requirements defined in 802.1x-REV
• extends 802.1x to allow peer discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data

Question 44

Extensible Authentication Protocol (EAP)

Answer 44

• produces a master session key (MSK), shared by both partners in the data exchange

Question 45

Master Session Key (MSK)

Answer 45

produced by EAP authentication, and shared by both partners in the data exchange

Question 46

Connectivity Association Key (CAK)

Answer 46

• entering the EAP session ID generates a secure CAK name

Question 47

Secure Association Key (SAK)

Answer 47

• switch is the authenticator, so it’s also the key server and responsible for selecting and advertising the cipher suite
• switch generates a random 128-bit SAK and sends to client partner to advertise cipher suite
• default cipher suite Galois/Counter Mode Advanced Encryption Standard 128 (GCM-AES-128)
• endpoint must possess the SAK to encrypt traffic, so the switch will send the SAK using MKA
• switch keeps SAK secure by encypting it with some additional CAK that the supplicant possesses

Question 48

Cisco Identity-Based Networking Services (IBNS)

Answer 48

1) Provides authentication of wired and wireless users using IEEE 802.1X, MAB, and web authentication
2) Delivers policy-based authorization based on dACLs or VLAN assignment
3) Offers broad client support for native operating systems and third-party supplicants

Question 49

Cisco ISE Services

Answer 49

1) Strong authentication using IEEE 802.1X, MAB, and web authentication
2) Policy-based authorization via downloadable ACLs (dACLS) or VLAN assignments
3) Broad client supplicatnt support

Question 50

Cisco IBNS Deployment Modes

Answer 50

1) Monitor (open) mode - enable authentication on wired infrastructurewithout affected users. If a device is misconfigured or missing an 802.1X supplicant, access will be allowed and logged. If authentication succeeds, authorization is still applied
2) Low-impact mode - Allows selective access using static port ACLs before authentication, or if authentication fails. Authorization is applied after successful authentication.
3) High-security (closed) mode - No traffic will be permitted on a port before authentication and authorization

Question 51

Supplicant

Answer 51

• endpoint 802.1X-compliant software service.
• communicates with NAD authenticators to request network access

Question 52

Authenticator

Answer 52

• Controls access to the network, based on client authentication status
• NADs act as a proxy between client and authentication server - 802.1X on client side, and RADIUS on backend to authentication server
• Strips Ethernet frame, and re-encapsulates into RADIUS format when going toward auth server
• Strips frame header and encapsulates with EAPOL when goign toward supplicant

Question 53

Authentication server

Answer 53

• performs client authentication
• Cisco ISE does this role

Question 54

802.1X not enabled on Authenticator

Answer 54

• EAPOL frames from the supplicant are dropped
• if the supplicant doesn’t receive an EAP request or identity frame after 3 attempts, the supplicant sends frames as if the port was in the authorized state

Question 55

Authorization Features

Answer 55

1) VLAN assignment
2) ACL assignment
3) Timed-based access
4) Security group access

Question 56

Dynamic VLAN

Answer 56

• after successful 802.1X/EAP authentication, the user can be authorized to be on a specific VLAN
• this dynamic VLAN is configured on ISE RADIUS service, and communicated in a RADIUS Access-Accept message

Question 57

Default VLAN

Answer 57

• when a client successfully authenticates and no dynamic VLAN is assigned by the authentication server, the default VLAN is used
• configured on wired switch port or for wireless SSID

Question 58

802.1X Named ACLs

Answer 58

• configured locally on the WLC
• reference in ISE authorization policy
• after user authenticates, RADIUS tells WLC which configured ACL to use for authorization

Question 59

802.1X Downloadable ACLs

Answer 59

• RADIUS server authenticates the 802.1X user, retrieves ACL attributes, and sends to the (wired) switch
• switch applies port attributes during the user session, configured on ISE
• switch removes port attributes when the session ends, authentication fails, or a link-down condition occurs

Question 60

Vendor-Specific Attributes (VSA)

Answer 60

• octet string format
• pass to the switch line-by-line as a result of the authorization process
• VSAs used for per-user ACLs re in the form “inacl#<n>"</n>
• example: ip:inacl#100=permit ip any 12.23.34.45 255.255.255.255

Question 61

802.1X Host Modes

Answer 61

1) Single Host Mode - only one device (MAC addr) can connect and 2nd client causes unauthorized port state
2) Multiple Host Mode - first MAC addr is authenticated, and all subsequent devices get same access as first
3) Multiple Domain Authentication (MDA) Mode - allows an IP phone and a single host behind the IP phone to authenticate separately. Only one MAC allowed per domain (voice and data).
4) Multiple Authentication Mode - allows once client on the voice VLAN and multiple on the data VLAN. Each connected client is required to authenticate.

Question 62

Change of Authorization (CoA) Process

Answer 62

1) endpoint performs authentication
2) successful authentication allows the port to become authorized
3) posture of the endpoint is unknown, so an initial authorization policy is chosen to allow posture discovery
4) initial authorization profile for posture assessment, include dACL and redirect, is sent to NAD
5) Posture compliance is verified
6) ISE sends a CoA message to the authenticator and supplies extended access privileges, which are typically described in the form of a dACL

Question 63

Unsupported 802.1X Port Types

Answer 63

1) Trunk ports
2) Dynamic ports
3) Dynamic access ports
4) Etherchannels - before globally enabling 802.1X on a switch, remove EtherChannel configs from the interfaces on which 802.1X and EtherChannel are configured

Question 64

MAC Authentication Bypass (MAB)

Answer 64

• often used when the end device doesn’t support the 802.1X supplicant
• can act as a fallback mechanism
• must have a database of pre-approved MACs
• MAC addr is used as username and password
• no authentication or encryption, easily spoofed

Question 65

MAB Benefits

Answer 65

1) Visibility
2) Identity-based services
3) Access control at the edge
4) Fallback or standalone authentication
5) Device authentication

Question 66

MAB Limitations

Answer 66

1) MAC database
2) Delay
3) No user authentication, only devices
4) Weak authentication

Question 67

Web Authentication

Answer 67

• typically used to allow guest network access via HTTP or HTTPS authentication
• user’s initial attempt to browse would be redirected to an authentication web page

Question 68

Web Authentication Scenarios

Answer 68

1) NAD with Central WebAuth
2) WLC with Local WebAuth
3) Wired NAD with Local WebAuth
4) Device Registration WebAuth

Question 69

NAD with Central WebAuth

Answer 69

• applies to wired and wireless NADs
• the user is redirected to ISE web services for authentication
• ISE sends a Change of Authorization (CoA) to the NAD after authentication

Question 70

WLC with Local WebAuth

Answer 70

• the user logs in and is directed to the WLC
• the WLC redirects the user to the Guest portal
• Guest portal prompts for username/password and requires the signing of a Acceptable Use Policy (AUP)
• When this is complete, the user’s browser is redirected back to the WLC to log in again
• WLC authenticates the user via RADIUS and then redirects the client browser back to the original destination

Question 71

Wired NAD with Local WebAuth

Answer 71

• the Guest User Login portal redirects the guest login to the switch. The login request is an HTTPS URL that is posted to the switch and contains the user creds
• The switch receives the user login request and authenticates the user through a RADIUS server that points to Cisco ISE

Question 72

Device Registration WebAuth

Answer 72

• the user connects to the network with a wireless connection
• an initial MAB request is sent to ISE
• if the user MAC addr is not in the endpoint identity store, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page