Security Theory

Question 1

What is the name of the Cisco Security Architectural Framework?

Answer 1

Cisco SAFE

Question 2

What are the PINs (Places In Network) where you would see Cisco SAFE deployed?

Answer 2

• Branch
• Campus
• Data Center
• Edge
• Cloud
• WAN

Question 3

What are the operational domains that Cisco SAFE defines?

Answer 3

• Management
• Security Intelligence
• Compliance
• Segmentation
• Threat Defense
• Secure Services

Question 4

What three intelligence teams make up Cisco Talos?

Answer 4

• Ironport Security Applications
• Sourcefire Vulnerability Research Team (VRT)
• Cisco Threat Research, Analysis, and Communications Team (TRAC)

Question 5

What is Cisco Threat Grid?

Answer 5

A complex virtual sandbox that that observes and analyzes static files for the behavior of malware.

Question 6

What is Cisco AMP?

Answer 6

Advanced Malware Protection - comprehensive malware protection across the full attack continuum: Before, During, and After a breach occurs.

Question 7

What are the key components of the Cisco AMP architecture?

Answer 7

• AMP Cloud
• Threat intelligence from Talos and Threat Grid
• AMP Connectors (Endpoints, Networks, Email, Web, Meraki)

Question 8

What is Cisco Umbrella?

Answer 8

A Cloud-based secure DNS solution that blocks malicious Internet destinations.

Question 9

What is Cisco WSA?

Answer 9

Web Security Appliance - URL filtering, malware-block, Data Loss Prevention, Anti-Virus scanning

Question 10

What is Cisco ESA?

Answer 10

Email Security Appliance - includes global threat intelligence, spam protection, reputation filtering, forged email protection, domain protection, DLP, Phishing protection

Question 11

What is NGIPS?

Answer 11

Next Generation Intrusion Protection System

Question 12

What is the name of Cisco’s NGIPS?

Answer 12

Firepower

Question 13

What are the key characteristics of any NGIPS?

Answer 13

• Real time contextual awareness
• Advanced threat protection
• Intelligent security automation
• Performance and scalability
• Application Visibility and Control (AVC)
• URL filtering

Question 14

What are the key characteristics of a Next Generation Firewall (NGFW)?

Answer 14

• Stateful packet inspection
• Integrated IPS
• Application level packet inspection
• leverages external security intelligence

Question 15

What is Cisco Stealthwatch?

Answer 15

Collector of network telemetry data that can perform security analysis on the network data.

Question 16

What is Cisco ISE?

Answer 16

Identity Services Engine - a security policy management platform that performs Network Access Control (NAC) and 802.1x functions and more.

Question 17

What are some of the key benefits to Cisco ISE?

Answer 17

• Network Access Control
• DNA Center integration
• Device Access Control, onboarding, and profiling
• Cisco TrustSec
• Guest Lifecycle Management
• Internal Certificate Authority
• Endpoint posture service
• Cisco Platform Exchange Grid (pxGrid)

Question 18

What is pxGrid and what role does ISE play in pxGrid?

Answer 18

Platform Exchange Grid - an IETF framework that uses a single API to exchange security information to mitigate and remediate security threats across the network. Cisco ISE acts as the pxGrid Controller (aka server).

Question 19

List the five most prolific types of Network Access Control (NAC)

Answer 19

• 802.1X
• Mac Address Bypass (MAB)
• WebAuth
• TrustSec
• MacSec

Question 20

What are the four main components of 802.1x?

Answer 20

• Extensible Authentication Protocol (EAP)
• EAP Method aka EAP Type
• EAP over LAN (Layer 2)
• RADIUS protocol

Question 21

What is 802.1X?

Answer 21

An IEEE Standard for authenticating devices that are trying to connect to a network. AAA, Radius, WLCs, and/or Cisco ISE are core components in an 802.1X deployment.

Question 22

What are the device roles in an 802.1x deployment?

Answer 22

• Supplicant
• Authenticator
• Authentication Server

Question 23

What is the role of a Supplicant in an 802.1x deployment?

Answer 23

The software on the endpoint that is attempting to authenticate to the network. This could be the Operating system or a Cisco AnyConnect client.

Question 24

What is the role of a Authenticator in an 802.1x deployment?

Answer 24

The network access device (NAD) such as a switch or WLC. The authenticator accepts EAP encapsulated Layer 2 frames from the supplicant and encapsulates them into RADIUS packets before sending them to the Authentication Server.

Question 25

What are the most common methods of EAP?

Answer 25

• EAP-MD5
• EAP-TLS
• EAP-FAST
• EAP-TTLS
• PEAP
• EAP-GTC
• EAP-MSCHAPv2

Question 26

Describe the EAPOL 4-way handshake.

Answer 26

• Step 1 When the authenticator notices a port coming up, it starts the authentication process by sending periodic EAP-request/identify frames. The supplicant can also initiate the authentication process by sending an EAPoL-start message to the authenticator.
• Step 2 The authenticator relays EAP messages between the supplicant and the authentication server, copying the EAP message in the EAPoL frame to an AV-pair inside a RADIUS packet and vice versa until an EAP method is selected. Authentication then takes place using the selected EAP method.
• Step 3 If authentication is successful, the authentication server returns a RADIUS access-accept message with an encapsulated EAP-success message as well as an authorization option such as a downloadable ACL. When this is done, the authenticator opens up the port.

Question 27

What is MAB?

Answer 27

MAC Address Bypass - typically used when 802.1X authentication is unavailable. A port can be enabled or disabled based on the MAC address of the endpoint trying to connect.

Question 28

What is WebAuth?

Answer 28

Endpoints are directed to a web page where they can use the web server to authenticate to the network.

Question 29

What are the two types of WebAuth?

Answer 29

Local Web Auth (LWA) - switch or WLC redirects endpoint to a local web server running IN the switch

Central Web Auth (CWA) using ISE

Question 30

What are dACLs, dVLAN, and SGT

Answer 30

• downloadable Access Control List
• dynamic VLANs
• Security Group Tags

Question 31

What is Cisco TrustSec?

Answer 31

Next generation Access Control solution developed by Cisco based on the use of Security Group Tags (SGT).

Question 32

What are the three phases of TrustSec?

Answer 32

1.) Ingress Classification - assigning the SGT
2.) Propagation - communicates the SGT mappings through the network
3.) Egress Enforcement - enforcing the policy based on the SGT

Question 33

What are the two methods of TrustSec Propagation?

Answer 33

1.) Inline tagging - SGT tags inserted into frames
2.) SXP Propagation - TCP-based peer-to-peer protocol

Question 34

What are the two major methods of TrustSec Enforcement?

Answer 34

• Security Group ACLs (SGACL)
• Security Group Firewall (SGFW)

Question 35

What is MACSec?

Answer 35

An IEEE standards-based Layer 2 encryption method.

Question 36

What is the IEEE Standard designation for MACSec?

Answer 36

802.1AE

Question 37

What are the two keying methods available for MACSec?

Answer 37

• Security Association Protocol (SAP)
• MACSec Key Agreement (MKA) protocol

Question 38

What is the difference between Downlink MACSec and Uplink MACSec?

Answer 38

• Downlink is between and endpoint and switch.
• Uplink is between two switches

Question 39

What does AAA mean?

Answer 39

Authentication, Authorization and Accounting:

Authentication - login
Authorization - privilege
Accounting - logging the activity

Question 40

What is TACACS+?

Answer 40

Terminal Access Controller Access Control System: A security protocol developed by Cisco for Authentication and Authorization to a device. TACACS can give a very granular level of authorization specific to what commands a user can enter on a device.

Question 41

What is Radius?

Answer 41

An industry standard security protocol for centralized network access control (NAC) authentication.

Question 42

When referring to RADIUS, what ports does Cisco use for default compared to industry standards?

Answer 42

• Cisco: UDP-1645 for authorization and authentication; UDP-1646 for accounting
• Industry Standard: UDP-1812 for authentication and authorization; UDP-1813 for accounting

Question 43

Why is RADIUS typically chose over TACACS+ for AAA deployments?

Answer 43

TACACS does not support EAP

Question 44

When configuring TACACS+ in a Cisco environment, what is typically the best choice for a TACACS server?

Answer 44

Cisco ISE (2.0)

Question 45

What is ZBFW?

Answer 45

Zone Based Firewall - an integrated stateful firewall now included on IOS.

Question 46

What are the two “automatic” zones used in ZBFW?

Answer 46

• Self-Zone
• Default Zone

Question 47

What is the command to verify ZBFW zone configurations on a Cisco router?

Answer 47

show policy-map type inspect zone-pair PAIR_NAME

Question 48

What is the Windows Server role that allows a domain controller to be used as a RADIUS server?

Answer 48

Network Policy and Access Services

Question 49

When configuring privilege levels for a user account, what do the built-in privilege levels 0, 1, and 15 mean?

Answer 49

0 - only allows five commands: logout, enable, disable, help and exit.
1 - read only and “ping”
15 - full access to all commands

Question 50

When configuring privilege levels for a user account, what do levels 2 through 14 do?

Answer 50

Privilege 2 through 14 are custom configurable levels. In theory the higher levels would have more access but this depends on what was configured.

Question 51

What is CoPP?

Answer 51

Control Plane Policing - the concept of controlling what and how much traffic is handled by a routing device’s CPU so it does not get overloaded. (and DDoS prevention)

Question 52

What is MQC?

Answer 52

Modular Quality of Service Command Line Interface - the basic structure of QoS configuration from the command line. This model fits well for CoPP.

Question 53

What is Cisco EPC?

Answer 53

Embedded Packet Capture

Question 54

What are the general steps to create a CoPP policy on a Cisco device?

Answer 54

1.) Create ACLs to match traffic for treatment. Note: some traffic like ICMP may want to be allowed but rate limited
2.) Create class-maps to match on all the ACLs
3.) Create policy maps to police/treat the traffic
4.) Apply the policy map to the control-plane

Question 55

In wireless security, what is PSK?

Answer 55

Pre-Shared Key - essentially it is like a password that an endpoint device will use to gain access to an SSID over a wireless AP

Question 56

In wireless security, what is EAP?

Answer 56

Extensible Authentication Protocol - a set of protocols and functions that leverage backend databases, user accounts, and device IDs to authenticate an endpoint to a wireless network. This is a common 802.1X framework (supplicant, authenticator, authentication server)

Question 57

In a Wireless LAN Controller GUI, how would you go to configure a Pre-Shared Key?

Answer 57

WLANs (Node) > Create New (Go) > Set Name; SSID; ID > Apply (Button)

WLAN > NAME > Security (Tab) > Layer 2 (Tab) > Layer 2 Security > WPA + WPA2

Select Policy; Enable PSK; Set Key > Apply (Button)

Question 58

In a Wireless LAN Controller GUI, how would you go to configure EAP?

Answer 58

Security (Node) > Radius > New (Button) > Set Radius Server Details

WLAN (Node) > New (or existing) > Security (Tab) > Layer 2 (Tab) > Set WAP+WPA2; Enable 802.1X; Set AES; Set WPA2 Policy

WLAN > Security (Tab) > AAA Servers (Tab) > Set Server Defined in Step 1

Question 59

In a Wireless LAN Controller GUI, how would you go to configure Web Auth?

Answer 59

Security (Node) > (Left Navigation) Web Auth > Web Login Page: choose Internal, Custom, or External Page

WLANs > WLAN_ID > Security (Tab) > Layer 2 (Tab) > Set to None
WLANs > WLAN_ID > Security (Tab) > Layer 3 (Tab) > Layer 3 Security Set to “Web Policy”; Set options as needed {Passthrough, Authentication, etc)

NOTE: If using “Authentication” then AAA Server needs to be configured from AAA Servers (Tab)