Network Visibility and Segmentation Flashcards
Is a unidirectional series of packets between a given source and destination
Flow
In a “flow”, the source and destination IP addresses, source and destination ports, and IP protocol are often referred to as?
five-tuple
Flexible NetFlow, Cisco’s next-generation NetFlow, can track a wide range of Layer 2, IPv4 and IPv6 flow information, such as?
- Source and destination MAC
- Source and destination IPv4/IPv6 address
- Source and destination ports
- ToS and DSCP
- Packet and byte counts
- Flow timestamps
- Input and output interface
- TCP flags and encapsulated protocol
- Section of the packet for deeper inspection
- All fields in IPv4 and IPv6 routing information
- Type of Netflow Cache
- Default cache type. Flow entries are removed (aged out) based on the configured timeout active and timeout inactive settings, in seconds
Normal Cache
- Type of Netflow Cache
- Each flow entry accounts for a single packet. Desirable for real-time traffic monitoring and DDoS detection
Immediate Cache
- Type of Netflow Cache
- Used to track a set of flows without expiring them from the cache. The entire cache is periodically exported
Permanent Cache
Is a technology created by Cisco that provides comprehensive visibility into all network traffic that traverses a Cisco-supported device.
Netflow
Is a network appliance that functions similarly to a traditional packet capture appliance or IDS in that it connects to a Switch Port Analyzer (SPAN) port, mirror port or Test Access Port (TAP).
Cisco Stealthwatch Flow Sensor.
What are network telemetry sources that can also be correlated with NetFlow while responding to security incidents and performing forensics?
- DHCP logs
- VPN logs
- NAT information
- 802.1X logs
- Server logs
- Web proxy logs
- Spam filter logs from an email security appliance such as the Cisco Email Security Appliance (ESA)
Is a network flow standard led by the Internet Engineering Task Force (IETF). It was created as a common, universal standard for exporting flow information from routers, switches, firewalls and other infrastructure devices. Documented in RFCs 7011-7015 and 5103
IPFIX (Internet Protocol Flow Information Export)
IPFIX defines different elements that are grouped into the following 12 categories
- identifiers
- metering and exporting process configuration
- metering and exporting process statistics
- IP header fields
- transport header fields
- sub-IP header fields
- derived-packet properties
- min/max flow properties
- flow timestamps
- per-flow counters
- miscellaneous flow properties
- padding
- Protocol used by IPFIX
- Described as a simpler state machine than the one TCP provides
- Combines the best-effort delivery of UDP with TCP-like congestion control
Stream Control Transmission Protocol (SCTP)
- Cisco solution
- A collection of services available in several Cisco network infrastructure devices that provides application-level classification, monitoring and traffic control. Supported by Cisco ISR, Cisco ASR 1000 and WLC.
Cisco Application Visibility and Control (AVC)
NetFlow deployment scenarios
- User access layer
- Wireless LAN
- Data center
- Internet edge
- NetFlow in site-to-site and remote-access VPNs
- NetFlow in cloud environments
This solution allows network administrators and cybersecurity professionals to analyze network telemetry in a timely manner to defend against advanced cyber threats
Cisco Stealthwatch
- Components of Cisco Stealthwatch
- A physical or virtual appliance that collects NetFlow data from infrastructure devices
FlowCollector
- Components of Cisco Stealthwatch
- The main management application that provides detailed dashboards and the ability to correlate network flows and events
Stealthwatch Management Console (SMC)
- Components of Cisco Stealthwatch
- Required to aggregate flows at the Stealthwatch Management Console
Flow licenses
- Optional components of Stealthwatch
FlowSensor and Flow Replicator
- A Software as a Service (SaaS) offering. Used to monitor many different public cloud environments such as Amazon AWS, Google Cloud Platform and Microsoft Azure
Stealthwatch Cloud
Is the concept of proactively and actively searching for advanced threats that may evade your security products and capabilities
Threat hunting with Cisco Stealthwatch
Can identify malicious (malware) communications in encrypted traffic through passive monitoring, the extraction of relevant data elements, and a combination of behavioral modeling and machine learning, without decrypting the packets
Cisco Encrypted Traffic Analytics (ETA)
Is a cloud-based Cisco solution that uses machine learning and statistical modeling of networks. It creates a baseline of the traffic in your network and identifies anomalies. It can also analyze user and device behavior as well as web traffic to uncover malicious command-and-control communications and data exfiltration
Cisco Cognitive Threat Analytics (CTA)
4 steps to configure NetFlow
- Define a flow record
- Define a flow exporter
- Define a flow monitor
- Apply the monitor to an interface
Configuring a flow record
- config t
- flow record record-1
- match ipv4 destination address (key fields use match)
- collect interface input (non-key fields use collect)
- end
Configuring a flow exporter
- config t
- flow exporter exporter-1
- export-protocol netflow-v9
- destination 1.1.1.1
- transport udp 9995
- end
Configuring a flow monitor
- config t
- flow monitor monitor-1
- record record-1 (name of the flow record configured)
- exporter exporter-1 (name of the flow exporter configured)
- end
Applying NetFlow to an interface
- interface gi0/0/1
- ip flow monitor monitor-1 input
- Types of network segmentation
- A segment of the internal network that requires a higher degree of protection. Internal accessibility is further restricted through the use of firewalls, VPNs, VLANs and network access control
Enclaved network
- Types of network segmentation
- The internal network that is accessible to authorized users. External accessibility is restricted through the use of firewalls and IPS/IDS devices.
Trusted network (wired or wireless)
- Types of network segmentation
- A network that is designed to be Internet accessible. Hosts such as web servers and email gateways are generally located here
DMZ
- Types of network segmentation
- A network that is specifically used by visitors to connect to the Internet
Guest network
- Types of network segmentation
- A network outside your security controls
Untrusted network
- Is a control plane protocol used to convey IP-to-SGT mappings to network devices when you cannot perform inline tagging. Uses TCP port 64999
Scalable Group Tag Exchange Protocol (SXP)
Command to enable netflow in NX-OS
feature netflow
A micro-segment in ACI is often referred to as?
uSeg EPGs
Cisco ISE scales by deploying service instances called “______” in a distributed architecture
personas
Cisco ACI allows organizations to automatically assign endpoints to logical security zones called? These are used to group VMs within a tenant and apply filtering and forwarding policies to them
Endpoint Groups (EPGs)
Is the concept of proactively or actively searching for advanced threats that may evade your security products and capabilities.
Threat Hunting
A physical or virtual appliance that can generate NetFlow data when legacy Cisco network infrastructure components are not capable of producing line-rate, unsampled NetFlow data
Stealthwatch FlowGenerator
Two minimum required components of Cisco Stealthwatch
SMC and FlowCollector