Enterprise Network Security Architecture Flashcards

1
Q

Vulnerability

definition

2023.12.28 - new card split from prev card

A
  • a weakness that compromises either the security or the functionality of the system
2
Q

Exploit

definition

2023.12.28 - new card split from prev card

A
  • mechanism used to leverage a vulnerability to compromise the security or functionality of a system
3
Q

Threat

definition

2023.12.28 - new card split from prev card

A
  • any circumstance or event with the potential to cause harm to an asset in the form of destruction, disclosure, adverse modification of data, or DoS
4
Q

Risk

definition

2023.12.29 - new card split from prev card

A
  • the likelihood that a particular threat using a specific attack will exploit a particular vulnerability of an asset that results in an undesirable consequence
5
Q

DOS / DDOS

- define

A

DoS attacks attempt to consume all of a critical computer or network resource to make it unavailable for valid use

6
Q

Spoofing

-define

A

An attacker injects traffic that appears to be sourced from a legitimate system.

7
Q

Reflection

define

A

A type of DoS attack where the attacker sends a flood of protocol request packets to various IP hosts. The attacker spoofs the source IP such that each packet has as its src, the IP of the intended target rather than the IP of the attacker. The hosts that receive these packets respond by sending response packets to the spoofed address (the target), thus flooding the unsuspecting target.

8
Q

Social Engineering

define

A

Manipulating people and capitalizing on expected behaviors.

9
Q

Phishing

define

A

Pretend to be from a large legitimate organization and request personal information.

10
Q

Password Attacks

define

A

Access protected resources by obtaining a user’s password. Methods include guessing, brute force, and dictionary attacks.

11
Q

Reconnaissance Attacks

define

A

An attempt to learn more about the intended victim, often using DNS tools like nslookup

12
Q

Buffer Overflow Attacks

define

A

An attacker can provide input that is larger than expected, and the service will accept the input and write it to memory, filling up the associated buffer and overwriting adjacent memory.

13
Q

Man-in-the-Middle Attacks

define

A

A system that has the ability to view the communication between two systems imposes itself in the communication path between those other systems.

14
Q

Malware

define

A

Malicious software that comes in several forms, including viruses, worms, and Trojan horses

15
Q

Vectors of Data Loss and Exfiltration

define

A

Refers to the means by which data leaves the organization without authorization.

16
Q

Hacking tools

A

A penetration test legitimately uses tools to attempt to penetrate an organization’s defenses.

17
Q

IPS Traffic Inspection Methods

A

1) Signature-based inspection
2) Anomaly-based inspection

18
Q

Signature-based inspection

define

2023.12.29 - new card

A
  • examines the packet headers or data payloads in network traffic and compares the data against a database of known attack signatures
19
Q

Anomaly-based inspection

define

2023.12.29 - new card

A

observe network traffic and act if a network event outside normal network behavior is detected

20
Q

Anomaly-based Network IPS Types

A

1) Statistical anomaly detection (network behavior analysis)
2) Protocol verification
3) Policy-based inspection

21
Q

VPN

A
  • defined in RFC 2828
  • carries private traffic over a public or shared infrastructure (such as the Internet)
22
Q

Link Encryption

A

The entire frame is encrypted between two devices. This is used on point-to-point connections of directly connected devices

23
Q

Packet payload encryption

A

Only the packet payload is encrypted, which allows this form of encryption to be routed across a L3 network, such as the Internet

24
Q

VPN Classification Criteria

A

1) Deployment mode: Site-to-site VPN and remote-access VPN (e.g. home users)
2) Underlying technology: IPSec VPN, SSL VPN, MPLS VPN, other L2 technologies such as Frame Relay or ATM, and hybrid VPNs combining multiple technologies

25
Q

Cisco Email Security Appliance (ESA)

A

a type of firewall and threat monitoring appliance for SMTP traffic
1) capability to quickly block new email-based blended attacks
2) capability to control or encrypt sensitive outbound email
3) a rapid spam capture rate and few false positives
4) a proven zero-hour antivirus solution

26
Q

Cisco Web Security Appliance (WSA)

A
  • provides secure web access, content security, and threat mitigation for web services
    1) Advanced malware protection
    2) Application Visibility and Control
    3) Insightful reporting
    4) Secure mobility
27
Q

Logging Destinations

A

1) Console
2) Monitor
3) Memory buffer
4) Syslog server
5) SNMP Trap
6) Flash memory

28
Q

ASA posture module vs ISE posture module

2023.12.29 - new card

A
  • ISE is client-based; ISE sends requirements to the endpoint, and relies on the endpoint to assess. Remediation is based on quarantining the endpoint
  • ASA is server-based; ASA asks for a list of endpoint attributes and AnyConnect client gathers info. Remediation is limited to working with software already installed on the endpoint
29
Q

Endpoint Security Products

A

1) Personal firewalls
2) Antivirus
3) Antispyware
4) Malware analysis and protection (Cisco Advanced Malware Protection (AMP))

30
Q

Cisco AMP Elements

A

1) Cisco Collective Security Intelligence Cloud
2) Client Connector
3) Cisco AMP for Endpoints Mobile
4) Cisco AMP for Endpoints Mac Connector
5) AMP for Networks

31
Q

Cisco AMP Historical Perspectives

A

1) File Trajectory - shows you the hosts where files were seen
2) Device Trajectory - shows you the actions that files performed on a given host

32
Q

Retrospective Alerting aka Cloud Recall

A
  • go back to systems where an “unknown” file was previously seen and alert the client to the changed disposition to “malicious” and quarantine the file
33
Q

Cisco Collective Security Intelligence Cloud

A
  • where the various detection and analytics engines reside
    1) Spero is a machine-learning malware detection engine that resides in the cloud
    2) Ethos is a fuzzy logic-based malware detection engine. Ethos also resides in the cloud, and is invoked if the file being checked is not known or returns a neutral position
34
Q

Client Connector

A
  • This is the component that runs on the endpoints. It communicates with the cloud to send information about files and to receive file disposition information.
35
Q

AMP for Networks

A
  • Gives Firepower devices the ability to query the cloud to obtain file disposition information on files that are detected by the Firepower devices
36
Q

Cisco AMP Cloud Functions

A

1) Detection publishing - signatures are in the cloud
2) Large-scale data processing (Big Data) - data comes to the cloud from many resources
3) Decision making that is performed in real-time
4) Reporting

37
Q

Additional Features on Cisco NextGen FW aka Cisco Secure FW

A

1) Integrate security functions tightly to provide highly effective threat and advanced malware protection
2) Implement policies that are based on application visibility instead of transport protocols and ports
3) Provide URL filtering and other controls over web traffic
4) Provide actionable indications of compromise to identify malware activity
5) Offer comprehensive network visibility
6) Help reduce complexity
7) Integrate and interface smoothly with other security solutions

38
Q

Cisco Secure Firewall Features

A

1) Cisco URL Filtering
2) Application Visibility and Control
3) Context Awareness
4) Cisco Intrusion Prevention System
5) Advanced Malware Protection

39
Q

Cisco TrustSec

A
  • defines policies using logical policy groupings
  • security group tags (SGT)
  • IEEE MAC Security (MACsec)
40
Q

Security Group Tag Features

3 points

A

1) Classification - assignment of an SGT to an IP; Dynamic done with IEEE 802.1X, MAC authentication bypass, or web authentication. Static usually configured on switch where servers are attached
2) Transport - accomplished either through inline tagging or SGT Exchange Protocol (SXP). SXP is used to transport SGT mappings across devices that don’t support inline tagging
3) Enforcement - permit or deny policies on the src & dst SGTs. Done either with SGACLs on switches, or SGFWs on routers & FWs

41
Q

MACSec

A
  • each packet on the wire is encrypted using symmetric key cryptography
  • implementation of 802.1AE and its header is marked with ethertype 0x88E5
  • encryption keys managed by MACsec Key Agreement (MKA) Protocol
  • protected data is between the MACsec header and the ICV field
  • the MTU size increases by about 40 bytes because of the 802.1AE and Cisco TrustSec overhead
  • Integrity Check Value (ICV) encrypts and protects MACsec frames
42
Q

SGT Classification

A
  • 16-bit tag that represents the unique role of the traffic source
  • can be dynamically obtained from Cisco ISE, or static
  • dynamic tagging deployed with 802.1X, MAB, or web authentication
  • static tagging can be configured on ISE and downloaded to NAD, or configured directly on NAD
  • embedded in Cisco TrustSec Meta Data header, which uses ethertype 0x8909
43
Q

MACsec Key Agreement (MKA)

A
  • basic requirements defined in 802.1x-REV
  • extends 802.1x to allow peer discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data
44
Q

Extensible Authentication Protocol (EAP)

A
  • produces a master session key (MSK), shared by both partners in the data exchange
45
Q

Master Session Key (MSK)

A

produced by EAP authentication, and shared by both partners in the data exchange

46
Q

Connectivity Association Key (CAK)

A
  • entering the EAP session ID generates a secure CAK name
47
Q

Secure Association Key (SAK)

A
  • switch is the authenticator, so it’s also the key server and responsible for selecting and advertising the cipher suite
  • switch generates a random 128-bit SAK and sends to client partner to advertise cipher suite
  • default cipher suite Galois/Counter Mode Advanced Encryption Standard 128 (GCM-AES-128)
  • endpoint must possess the SAK to encrypt traffic, so the switch will send the SAK using MKA
  • switch keeps the SAK secure by encrypting it with an additional CAK that the supplicant possesses
48
Q

Cisco Identity-Based Networking Services (IBNS)

A

1) Provides authentication of wired and wireless users using IEEE 802.1X, MAB, and web authentication
2) Delivers policy-based authorization based on dACLs or VLAN assignment
3) Offers broad client support for native operating systems and third-party supplicants

49
Q

Cisco ISE Services

A

1) Strong authentication using IEEE 802.1X, MAB, and web authentication
2) Policy-based authorization via downloadable ACLs (dACLS) or VLAN assignments
3) Broad client supplicant support

50
Q

Cisco IBNS Deployment Modes

A

1) Monitor (open) mode - enable authentication on wired infrastructure without affecting users. If a device is misconfigured or missing an 802.1X supplicant, access will be allowed and logged. If authentication succeeds, authorization is still applied
2) Low-impact mode - Allows selective access using static port ACLs before authentication, or if authentication fails. Authorization is applied after successful authentication.
3) High-security (closed) mode - No traffic will be permitted on a port before authentication and authorization

51
Q

Supplicant

A
  • endpoint 802.1X-compliant software service.
  • communicates with NAD authenticators to request network access
52
Q

Authenticator

A
  • Controls access to the network, based on client authentication status
  • NADs act as a proxy between client and authentication server - 802.1X on client side, and RADIUS on backend to authentication server
  • Strips Ethernet frame, and re-encapsulates into RADIUS format when going toward auth server
  • Strips the frame header and encapsulates with EAPOL when going toward the supplicant
53
Q

Authentication server

A
  • performs client authentication
  • Cisco ISE does this role
54
Q

802.1X not enabled on Authenticator

A
  • EAPOL frames from the supplicant are dropped
  • if the supplicant doesn’t receive an EAP request or identity frame after 3 attempts, the supplicant sends frames as if the port was in the authorized state
55
Q

Authorization Features

A

1) VLAN assignment
2) ACL assignment
3) Timed-based access
4) Security group access

56
Q

Dynamic VLAN

A
  • after successful 802.1X/EAP authentication, the user can be authorized to be on a specific VLAN
  • this dynamic VLAN is configured on ISE RADIUS service, and communicated in a RADIUS Access-Accept message
57
Q

Default VLAN

A
  • when a client successfully authenticates and no dynamic VLAN is assigned by the authentication server, the default VLAN is used
  • configured on wired switch port or for wireless SSID
58
Q

802.1X Named ACLs

A
  • configured locally on the WLC
  • reference in ISE authorization policy
  • after user authenticates, RADIUS tells WLC which configured ACL to use for authorization
59
Q

802.1X Downloadable ACLs

A
  • RADIUS server authenticates the 802.1X user, retrieves ACL attributes, and sends to the (wired) switch
  • switch applies port attributes during the user session, configured on ISE
  • switch removes port attributes when the session ends, authentication fails, or a link-down condition occurs
60
Q

Vendor-Specific Attributes (VSA)

A
  • octet string format
  • pass to the switch line-by-line as a result of the authorization process
  • VSAs used for per-user ACLs are in the form “inacl#<n>”
  • example: ip:inacl#100=permit ip any 12.23.34.45 255.255.255.255
61
Q

802.1X Host Modes

A

1) Single Host Mode - only one device (MAC addr) can connect and 2nd client causes unauthorized port state
2) Multiple Host Mode - first MAC addr is authenticated, and all subsequent devices get same access as first
3) Multiple Domain Authentication (MDA) Mode - allows an IP phone and a single host behind the IP phone to authenticate separately. Only one MAC allowed per domain (voice and data).
4) Multiple Authentication Mode - allows one client on the voice VLAN and multiple on the data VLAN. Each connected client is required to authenticate.

62
Q

Change of Authorization (CoA) Process

A

1) endpoint performs authentication
2) successful authentication allows the port to become authorized
3) posture of the endpoint is unknown, so an initial authorization policy is chosen to allow posture discovery
4) initial authorization profile for posture assessment, including dACL and redirect, is sent to NAD
5) Posture compliance is verified
6) ISE sends a CoA message to the authenticator and supplies extended access privileges, which are typically described in the form of a dACL

63
Q

Unsupported 802.1X Port Types

A

1) Trunk ports
2) Dynamic ports
3) Dynamic access ports
4) Etherchannels - before globally enabling 802.1X on a switch, remove EtherChannel configs from the interfaces on which 802.1X and EtherChannel are configured

64
Q

MAC Authentication Bypass (MAB)

A
  • often used when the end device doesn’t support the 802.1X supplicant
  • can act as a fallback mechanism
  • must have a database of pre-approved MACs
  • MAC addr is used as username and password
  • no authentication or encryption, easily spoofed
65
Q

MAB Benefits

A

1) Visibility
2) Identity-based services
3) Access control at the edge
4) Fallback or standalone authentication
5) Device authentication

66
Q

MAB Limitations

A

1) MAC database
2) Delay
3) No user authentication, only devices
4) Weak authentication

67
Q

Web Authentication

A
  • typically used to allow guest network access via HTTP or HTTPS authentication
  • user’s initial attempt to browse would be redirected to an authentication web page
68
Q

Web Authentication Scenarios

A

1) NAD with Central WebAuth
2) WLC with Local WebAuth
3) Wired NAD with Local WebAuth
4) Device Registration WebAuth

69
Q

NAD with Central WebAuth

A
  • applies to wired and wireless NADs
  • the user is redirected to ISE web services for authentication
  • ISE sends a Change of Authorization (CoA) to the NAD after authentication
70
Q

WLC with Local WebAuth

A
  • the user logs in and is directed to the WLC
  • the WLC redirects the user to the Guest portal
  • Guest portal prompts for username/password and requires the signing of an Acceptable Use Policy (AUP)
  • When this is complete, the user’s browser is redirected back to the WLC to log in again
  • WLC authenticates the user via RADIUS and then redirects the client browser back to the original destination
71
Q

Wired NAD with Local WebAuth

A
  • the Guest User Login portal redirects the guest login to the switch. The login request is an HTTPS URL that is posted to the switch and contains the user creds
  • The switch receives the user login request and authenticates the user through a RADIUS server that points to Cisco ISE
72
Q

Device Registration WebAuth

A
  • the user connects to the network with a wireless connection
  • an initial MAB request is sent to ISE
  • if the user MAC addr is not in the endpoint identity store, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page