CCNP Core > Chap 25 - Secure Network Access Control > Flashcards

Chap 25 - Secure Network Access Control Flashcards

(195 cards)

Study These Flashcards
1
Q

What is Cisco SAFE?

A

Security Architecture For the Enterprise

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are PINs?

A

Places In the Network

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are 6 PINs

A
  • Branch
  • Campus
  • Data Center
  • Edge
  • Cloud
  • WAN
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are the 4 top threats on PIN Branches?

A
  • Endpoint malware (point-of-sale [POS] malware)
  • Wireless infrastructure exploits such as rogue APs and man-in-the-middle (MitM) attacks
  • Unauthorized/malicious client activity
  • Exploitation of trust
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are 5 things that campuses are easy targets for?

A
  • Phishing
  • Web-based exploits
  • Unauthorized network access
  • Malware propagation
  • Botnet infestations.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are 7 popular threats to data centers?

A
  • Data extraction
  • Malware propagation
  • Unauthorized network access (application compromise)
  • Botnet infestation (scrumping)
  • Data loss
  • Privilege escalation
  • Reconnaissance
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the highest risk PIN

A

Edge

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are 4 popular threats to the Edge Network?

A
  • Web server vulnerabilities
  • Distributed denial-of-service (DDoS) attacks
  • Data loss
  • MitM attacks.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What are the 4 primary threats in the Cloud?

A
  • Web server vulnerabilities
  • Distributed denial-of-service (DDoS) attacks
  • Data loss
  • MitM attacks.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are 4 typical threats seen in the WAN?

A
  • Malware propagation
  • Unauthorized network access
  • WAN sniffing
  • MitM attacks.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are the 6 Security Concepts used to evaluate each PIN?

A
  • Management
  • Security Intelligence
  • Compliance
  • Segmentation
  • Threat Defense
  • Secure Services
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is the Management security concept?

A

Centralized device management is critical for consistent policy deployment, change management, and patching systems

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is the Security Intelligence security concept?

What does Security Intelligence provide?
What does it enable the infrastructure to do?
What 2 things does this enable?

A
  • Security intelligence provides detection of emerging malware and cyber threats
  • It enables an infrastructure to enforce policy dynamically, as reputations are augmented by the context of new threats.
  • This enables accurate and timely security protection.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are 3 examples of the Compliance security concept?

A
  • PCI
  • DSS 3.0
  • HIPAA.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is the Segmentation security concept?

What does it reduce?
How does it reduce that?

A
  • Establishing boundaries for both data and users
  • Reduces operational challenges
  • By using identity-aware infrastructure to enforce policies in an automated and scalable manner
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What does the Threat Defense security concept provide?

What 3 things does it use to provide that?

A
  • Visibility into the most dangerous cyber threats
  • Network traffic telemetry
  • File reputation
  • Contextual information
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What 3 technologies does the Secure Services security concept include?

What 3 things does this protect?

A
  • Technologies include
    • access control
    • VPNs
    • Encryption.
  • Applications
  • Collaboration
  • Wireless
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is provided by implementing the Cisco SAFE framework in an organization?

A

Advanced threat defense protection that spans the full attack continuum before, during, and after an attack for all the PINs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What 2 things are required in the ‘Before’ phase?

A
  • Full knowledge of all the assets that need to be protected
  • Identification of the types of threats that could target those assets
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What 3 actions happen during the ‘Before’ phase?

A
  • Control
  • Enhance
  • Harden
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What 5 Cisco solutions are used in the ‘Before’ phase?

A
  • Next-generation firewalls
  • Network access control
  • Network security analysis
  • Identity services
  • Advanced Malware Protection (AMP)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is defined in the ‘During’ phase?

A

The abilities and actions that are required when an attack gets through.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What 5 activities occur in the ‘During’ phase?

A
  • Threat analysis
  • Incident response
  • Detect
  • Block
  • Defend
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What 4 things can organizations leverage in the ‘During’ phase?

A
  • Next-gen IPS (NGIPS)
  • Next-gen firewalls (NGFW)
  • AMP
  • Email and web security solutions with AMP
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What do the systems used in the 'During' phase provide?
They make it possible to detect, block, and defend against attacks that have penetrated the network and are in progress.
26
What is defined in the 'After' phase?
The 'After' phase is defined by the ability to detect, scope, contain, and remediate an attack.
27
In the 'After' phase what needs to be incorporated into the existing security solution?
Any lessons learned
28
What 4 things can organizations leverage in the 'After' phase?
* Cisco Advanced Malware Protection (AMP) * Next-generation firewalls (NGFW) * Malicious network behavior analysis using Stealthwatch * Security Analytics
29
In the 'After' phase what can the leveraged tools accomplish?
The will quickly and effectively scope, contain, and remediate an attack to minimize damage.
30
What is Cisco TALOS? What do they have that supports them? What does it create? What 3 things do they do with it?
* A team of security experts * Sophisticated security systems * Creates threat intelligence * Detects known and emerging threats * Analyzes known and emerging threats * Protects known and emerging threats
31
What 3 teams comprise TALOS?
* IronPort Security Applications (SecApps) * Sourcefire Vulnerability Research Team (VRT) * The Cisco Threat Research, Analysis, and Communications (TRAC) team
32
What 6 intelligence feeds go into TALOS?
* Advanced Microsoft and industry disclosures * AMP community * Honeypots * The Sourcefire Awareness, Education, Guidance, and Intelligence Sharing (AEGIS) program * Private and public threat feeds * Dynamic analysis
33
What 7 user communities does TALOS leverage?
* ClamAV * Snort * Immunet * SpamCop * SenderBase * Threat Grid, and Talos user communities
34
What does TALOS do with the intelligence from their feeds?
It is fed into a wide range of security products and solutions to provide protection against an extensive range of threats.
35
What is Cisco Threat Grid?
A solution the can perform static and dynamic file analysis to determine if the file is malware.
36
What does Cisco Threat Grid do when it identifies a file as malware?
It begins to understand what it is doing or attempting to do, the scope of the threat it poses, and how to defend against it.
37
What are 3 examples of some of the things Threat Grid looks at for static file analysis?
* Filenames * MD5 checksums * File types
38
What 3 ways is Threat Grid made available?
* Appliance * Cloud-based * Integrated into other Cisco security products
39
What are 2 places where Threat Grid get files to analyze?
* Automatic submission from products integrated with Threat Grid * Files can be manually uploaded
40
What is Cisco Advanced Malware Protection (AMP)?
It is a malware analysis and protection solution that goes beyond point-in-time detection.
41
How is AMP leveraged 'Before' an attack?
Global threat intelligence from Cisco Talos and Cisco Threat Grid feeds into AMP to protect against known and new emerging threats.
42
How is AMP leveraged 'During' an attack?
File reputation to determine whether a file is clean or malicious as well as sandboxing are used to identify threats during an attack.
43
How is AMP leveraged 'After' an attack?
Cisco AMP provides retrospection, indicators of compromise (IoCs), breach detection, tracking, analysis, and surgical remediation after an attack, when advanced malware has slipped past other defenses.
44
What are the 3 main components of the AMP architecture?
* AMP Cloud (public or private) * AMP Connectors * Threat intelligence from Cisco Talos and Cisco Threat Grid
45
What are the AMP Connectors?
* AMP for Endpoints (Microsoft Windows, macOS X, Google Android, Apple iOS, and Linux) * AMP for Networks (NGFW, NGIPS, ISRs) * AMP for Email (ESA) * AMP for Web (WSA) * AMP for Meraki MX * Cisco Security Connector (AMP for Apple iOS)
46
What is the most important component of AMP architecture?
The AMP Cloud
47
What does the AMP Cloud contain?
The database of files and their reputations (malware, clean, unknown, and custom), also referred to as file dispositions.
48
What happens if an AMP connector uploads a sample file to AMP Cloud and the file’s reputation is deemed to be malicious?
it is stored in the cloud and reported to AMP connectors that see the same file.
49
What happens if an AMP connector uploads a sample file to AMP Cloud and the file’s reputation is deemed to be unknown?
The file is sent to Threat Grid, where its behavior is analyzed in a secure sandbox environment.
50
How does AMP go beyond point-in-time detection?
AMP Cloud performs decision making in real time, evolving constantly based on the data that is received. AMP Cloud is capable of identifying malware on files that were previously deemed to be clean.
51
How do AMP connectors remain lightweight?
By sending a hash to the cloud and allowing the cloud to make the intelligent decisions and return a verdict (about reputation or file disposition) of clean, malicious, or unknown.
52
What is Cisco AnyConnect Secure Mobility Client?
* It is a modular endpoint software product * VPN client using Transport Layer Security (TLS)/ Secure Sockets Layer (SSL) and IPsec IKEv2 * Enhanced security through various built-in modules, such as a VPN Posture (HostScan) module and an ISE Posture module.
53
What do the modules do in AnyConnect?
They enable Cisco AnyConnect to assess an endpoint’s compliance for things like antivirus, antispyware, and firewall software installed on the host.
54
What does AnyConnect do if an endpoint is found not to be compliant?
Network access can be restricted until the endpoint is in compliance.
55
Along with the modules what other capabilities does AnyConnect have?
* Web security through Cisco Cloud Web Security * Network visibility into endpoint flows within Stealthwatch * Roaming protection with Cisco Umbrella
56
What platforms does AnyConnect support?
* Windows * macOS * iOS * Linux * Android * Windows Phone/ Mobile * BlackBerry \* ChromeOS.
57
What is SSL/TLS?
SSL has been deprecated so it really means TLS
58
What does Cisco Umbrella do?
Cisco Umbrella provides the first line of defense against threats on the Internet by blocking requests to malicious Internet destinations (domains, IPs, URLs) using the Domain Name System (DNS) before an IP connection is established or a file is downloaded.
59
How is Cisco Umbrella delivered?
It is 100% cloud delivered, with no hardware to install or software to maintain.
60
Where is Cisco Umbrella located?
30 data centers around the world
61
How does Cisco Umbrella maintain 100% uptime?
It uses Anycast DNS
62
How is DNS traffic routed to the closest Cisco Umbrella site?
It has an Anycast Infrastructure
63
What does Cisco Umbrella do with the data it gathers?
It is fed in real time into Umbrella’s massive graph database, where statistical and machine learning models are continuously run against it. \* It's also analyzed by Umbrella researchers and TALOS.
64
How is Cisco Umbrella installed?
By the corporate network changing the DHCP configuration on all Internet gateways (that is, routers, access points) so that all devices, including guest devices, forward their DNS traffic to Umbrella’s global network.
65
How can a laptop off the network use Umbrella?
In the Cisco AnyConnect client, there is an option to enable a roaming security module, which allows for all DNS requests to be sent to Umbrella’s global network even when the VPN is turned off, and it does this without requiring an additional agent.
66
If a laptop is not using AnyConnect can it still access Umbrella?
The other option is to deploy the Umbrella roaming client, which tags, encrypts, and forwards DNS queries bound for the Internet to the Umbrella global network so per-device security policies can be enforced everywhere without latency or complexity.
67
What is Cisco's Web Security Appliance?
(WSA) is an all-in-one web gateway that includes a wide variety of protections that can block hidden malware from both suspicious and legitimate websites by leveraging real-time threat intelligence from Cisco Talos and Cisco AMP Threat Grid
68
What does WSA do Before an attack?
It actively detects and blocks potential threats before they happen by applying web reputation filters and URL filtering and by controlling web application usage
69
What are 3 tools used by WSA Before an attack?
* Web reputation filters (TALOS) * Web Filtering (traditional, also from TALOS) * Cisco Application Visibility and Control (AVC)
70
What does WSA do During an attack?
It uses security intelligence from cloud access security broker (CASB) providers, Talos, and AMP for networks to identify and block zero-day threats that managed to infiltrate the network.
71
What are 5 tools used by WSA during an attack?
* Cloud access security * Parallel antivirus (AV) scanning * Layer 4 traffic monitoring * File reputation and analysis with Cisco AMP * Data loss prevention (DLP)
72
What does WSA do After an attack?
WSA inspects the network continuously for instances of undetected malware and breaches.
73
What 3 tools does WSA use after an attack and what does it do with the information gathered using those tools?
* Global Threat Analytics (GTA) analyzes web traffic * Endpoint data from Cisco AMP for Endpoints * Network data from Cisco Stealthwatch Enterprise. * It then uses machine learning to identify malicious activity before it can exfiltrate sensitive data.
74
How is WSA deployed?
* Cloud * Virtual appliance on-premises, or in a hybrid arrangement.
75
What is the Cisco Email Security Appliance (ESA)?
It enables users to communicate securely via email and helps organizations combat email security threats with a multilayered approach across the attack continuum.
76
What threat protection capabilities are used by ESA?
* Global threat intelligence (TALOS and Threat Grid) * Reputation filtering (TALOS) * Spam protection * Forged email detection * Cisco Advanced Phishing Protection (CAPP) * Cisco Domain Protection (CDP) * Malware defense * Graymail detection and Safe Unsubscribe * URL-related protection and control * Outbreak filters * Web interaction tracking * Data security for sensitive content in outgoing emails
77
What is the Cisco Firepower Next Generation Intrusion Prevention System (NGIPS)?
It is a system that provides IDS functions and also automatically blocks intrusion attacks.
78
What are some of the capabilities included with Firepower?
* Real-time contextual awareness * Advanced threat protection and remediation * Intelligent security automation * Unparalleled performance and scalability * Application Visibility and Control (AVC) * URL filtering * Centralized management * Global threat intelligence from the Cisco Talos * Snort IPS detection engine * High availability and clustering * Third-party and open-source ecosystem * Integration with Cisco ISE (Quarantine, Unquarantine, Shutdown)
79
What 3 platforms does Firepower NGIPS come in?
* Appliance * Firepower Threat Defense (FTD) for ISR * NGIPS Virtual (NGIPSv)
80
What is Cisco Firepower NGFW?
* The integration of existing ASA software with Firepower NGIPS * The industry’s first fully integrated, threat-focused NGFW with unified management
81
What 2 hardware appliances support Firepower NGFW?
* Firepower series appliances * All ASA5500-x appliances (except 5585-x)
82
What software does the Firepower NGFW appliances support?
* ASA software image * ASA software image with Firepower Services software image (NGIPS) * Firepower Threat Defense (FTD) software image
83
What platforms is Firepower Threat Defense (FTD) supported?
\* ISR Modules \* Firepower virtual NGFW (NGFWv) appliances, supported in VMware, KVM, Amazon Web Services (AWS), and Microsoft Azure environments
84
What management options are available for NGFW - FTD or Firepower Services software?
* Firepower Management Center (FMC) * Firepower Device Manager (FDM) for small appliances
85
What management options are available for NGFW - ASA software?
* CLI * Cisco Security Manager (CSM) * Adaptive Security Device Manager (ASDM) * Cisco Defense Orchestrator
86
Is CLI supported on FTD or Firepower Services software?
No, only for initial setup and troubleshooting.
87
What is Cisco Firepower Management Center (FMC) ?
A centralized management platform that aggregates and correlates threat events, contextual information, and network device performance data. It can be used to monitor information that Firepower security devices are reporting to each other and examine the overall activity occurring in the network.
88
What Firepower Security Solutions does FMC handle event and policy mgmt for?
* Firepower NGFW and NGFWv * Firepower NGIPS and NGIPSv * Firepower Threat Defense for ISR * ASA with Firepower Services * Advanced Malware Protection (AMP)
89
What is Cisco Stealthwatch?
It is is a collector and aggregator of network telemetry data that performs network security analysis and monitoring to automatically detect threats that manage to infiltrate a network as well as the ones that originate from within a network.
90
What is unique about Stealthwatch?
It is the only product that can detect malware in encrypted traffic and ensure policy compliance without decryption.
91
What are the 2 Stealthwatch products?
* Stealthwatch Enterprise * Stealthwatch Cloud
92
What 3 components does Stealthwatch require?
* Flow rate license * Flow collector (hardware or VM) * Stealthwatch Management Console (hardware or VM)
93
For Stealthwatch Enterprise what are the 3 optional but recommended components?
* Cisco Stealthwatch Threat Intelligence * Cisco Stealthwatch Endpoint * Cisco Stealthwatch Cloud
94
What are 5 benefits of Stealthwatch Enterprise?
* Real-time threat detection * Incident response and forensics * Network segmentation * Network performance and capacity planning * Ability to satisfy regulatory requirements
95
What are 2 optional Stealthwatch Enterprise components?
* Flow Sensor * UDP Director
96
What 2 offerings of Stealthwatch Cloud?
* Public cloud monitoring * Private cloud monitoring
97
What is Cisco Identity Services Engine (ISE)?
(ISE) is a security policy management platform that provides highly secure network access control (NAC) to users and devices across wired, wireless, and VPN connections. It allows for visibility into what is happening in the network, such as who is connected (endpoints, users, and devices), which applications are installed and running on endpoints (for posture assessment), and much more.
98
What are the features/benefits of ISE?
* Streamlined network visibility * Cisco DNA center integration * Centralized secure NAC * Centralized device access control * TrustSec * Guest lifecycle mgmt * Streamlined device onboarding * Internal certificate authority * Device profiling * Endpoint posture service * Active Directory support * Cisco Platform Exchange Grid (pxGrid) versions 1.0 and 2.0
99
What are 5 methods of Network Access Control (NAC)?
* 802.1x * MAB * WebAuth * TrustSec * MACSec
100
What is 802.1x?
Dot1x) is a standard for port-based network access control (PNAC) that provides an authentication mechanism for local area networks (LANs) and wireless local area networks (WLANs).
101
What 4 components comprise 802.1x?
* Extensible Authentication Protocol (EAP) * EAP Method (or Type) * EAP over LAN (EAPoL) * RADIUS
102
What are the 3 802.1x roles?
* Supplicant * Authenticator * Authentication server
103
What is Step 1 of the 802.1x authentication flow?
When the authenticator notices a port coming up, it starts the authentication process by sending periodic EAP-request/ identify frames. The supplicant can also initiate the authentication process by sending an EAPoL-start message to the authenticator.
104
What is Step 2 of the 802.1x authentication flow?
The authenticator relays EAP messages between the supplicant and the authentication server, copying the EAP message in the EAPoL frame to an AV-pair inside a RADIUS packet and vice versa until an EAP method is selected. Authentication then takes place using the selected EAP method.
105
What is Step 3 of the 802.1x authentication flow?
If authentication is successful, the authentication server returns a RADIUS access-accept message with an encapsulated EAP-success message as well as an authorization option such as a downloadable ACL (dACL). When this is done, the authenticator opens the port.
106
What are 4 categories of EAP methods?
* EAP challenge-based authentication method * EAP TLS authentication method * EAP tunneled TLS authentication method * EAP inner authentication methods
107
What is an example of the EAP challenge-based authentication method?
Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
108
What are examples of the EAP TLS authentication methods?
* Extensible Authentication Protocol Flexible Authentication via Secure Tunneling (EAP-FAST) * Extensible Authentication Protocol Tunneled Transport Layer Security (EAP-TTLS) * Protected Extensible Authentication Protocol (PEAP)
109
What are 3 examples of the EAP inner authentication methods?
* EAP Generic Token Card (EAP-GTC) * EAP Microsoft Challenge Handshake Authentication Protocol Version 2( EAP-MSCHAPv2) * EAP-TLS
110
How does EAP-MD5 work?
This algorithm uses the MD5 message-digest algorithm to hide the credentials in a hash. The hash is sent to the authentication server, where it is compared to a local hash to validate the accuracy of the credentials.
111
Why is EAP-MD5 a poor choice?
It lacks mutual authentication. It can't authenticate the authentication server.
112
How does EAP-TLS work?
It uses the TLS Public Key Infrastructure (PKI) certificate authentication mechanism to provide mutual authentication of supplicant to authentication server and authentication server to supplicant. With EAP-TLS, both the supplicant and the authentication server must be assigned a digital certificate signed by a certificate authority (CA) that they both trust.
113
What is the downside to EAP-TLS?
EAP-TLS is the most difficult to deploy due to the administrative burden of having to install a certificate on the supplicant side.
114
What is the most secure authentication method?
EAP-TLS because both the supplicant and the authentication server need to have certificates.
115
How do authentication methods in the PEAP category work?
In PEAP, only the authentication server requires a certificate, which reduces the administrative burden of implementing EAP. PEAP forms an encrypted TLS tunnel between the supplicant and the authentication server. After the tunnel has been established, PEAP uses one of the EAP authentication inner methods to authenticate the supplicant through the outer PEAP TLS tunnel
116
How does EAP-MSCHAPv2 (PEAPv0) work?
The client’s credentials are sent to the server encrypted within an MSCHAPv2 session. This is the most common inner method, as it allows for simple transmission of username and password, or even computer name and computer password, to the RADIUS server, which can then authenticate them using Microsoft’s Active Directory.
117
How does EAP-GTC (PEAPv1) work?
This inner method was created by Cisco as an alternative to MSCHAPv2 to allow generic authentications to virtually any identity store, including OTP token servers, LDAP, NetIQ eDirectory, and more.
118
How does EAP-TLS work?
This is the most secure EAP authentication since it is essentially a TLS tunnel within another TLS tunnel. It is rarely used due to its deployment complexity because it requires certificates to be installed on the supplicants.
119
What is EAP-FAST?
* Developed by Cisco Systems as an alternative to PEAP * It allows faster re-authentications and support for faster wireless roaming \* Supports EAP chaining
120
How does EAP-FAST work?
EAP-FAST forms a TLS outer tunnel and then transmits the client authentication credentials within that outer TLS tunnel
121
what is the major difference between PEAP and EAP-FAST?
EAP-FAST has the ability to re-authenticate faster by using protected access credentials (PACs).
122
What is a PAC?
* Protected Access Credentials * Similar to a cookie * Stored locally on the host as proof of having been successfully authenticated.
123
What is a major difference between PEAP and EAP-TTLS?
PEAP only supports EAP inner authentication methods, while EAP-TTLS can support additional inner methods such as legacy Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
124
What is EAP-TTLS?
* Similar in functionality to PEAP * Not as widely supported as PEAP.
125
What is EAP Chaining?
EAP Chaining supports machine and user authentication inside a single outer TLS tunnel. It enables machine and user authentication to be combined into a single overall authentication result. This allows the assignment of greater privileges or posture assessments to users who connect to the network using corporate-managed devices.
126
What is MAB?
MAC Authentication Bypass - it enables port-based access control using the MAC address of an endpoint, and it is typically used as a fallback mechanism to 802.1x. A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the endpoint that connects to it.
127
What is Step 1 of MAB?
The switch initiates authentication by sending an EAPoL identity request message to the endpoint every 30 seconds by default. After three timeouts (a period of 90 seconds by default), the switch determines that the endpoint does not have a supplicant and proceeds to authenticate it via MAB.
128
What is Step 2 of MAB?
The switch begins MAB by opening the port to accept a single packet from which it will learn the source MAC address of the endpoint. Packets sent before the port has fallen back to MAB (that is, during the IEEE 802.1x timeout phase) are discarded immediately and cannot be used to learn the MAC address. After the switch learns the source MAC address, it discards the packet. It crafts a RADIUS access-request message using the endpoint’s MAC address as the identity. The RADIUS server receives the RADIUS access-request message and performs MAC authentication.
129
What is Step 3 of MAB?
The RADIUS server determines whether the device should be granted access to the network and, if so, what level of access to provide. The RADIUS server sends the RADIUS response (access-accept) to the authenticator, allowing the endpoint to access the network. It can also include authorization options such as dACLs, dVLANs, and SGT tags.
130
What can be done to speed up MAB?
Disable 802.1x. If 802.1x is not enabled, MAB authentication starts immediately after linkup instead of waiting for IEEE 802.1x to time out.
131
What is a downside to MAB?
MAC addresses are easily spoofed.
132
When using MAB if the authenticator is a Cisco switch what authorization options are available?
* Downloadable ACLs (dACLs) * Dynamic VLAN Assignment (dVLAN) * Security Group Tags (SGTs)
133
How does WebAuth work?
With WebAuth, endpoints are presented with a web portal requesting a username and password. The username and password that are submitted through the web portal are sent from the switch (or wireless controller, firewall, and so on) to the RADIUS server in a standard RADIUS access-request packet.
134
What are the 2 types of WebAuth?
* Local Web Authentication * Centralized Web Authentication with Cisco ISE
135
What is Local WebAuth (LWA)?
* Switch or WLC redirects web traffic to web portal hosted on the switch or WLC. * End user enters name/password. * Switch forwards to creds to RADIUS server
136
What cannot be done with Local WebAuth?
* Not customizable * No support for an Acceptable Use Policy page * No password change capability * No device registration * No self registration * No VLAN assignment * No posture or profiling
137
Can Local WebAuth and defaulting to a Guest VLAN be done at the same time?
No, the two are mutually exclusive.
138
How does Central WebAuth with Cisco ISE work?
* The switch performs MAB, sending the RADIUS access-request to Cisco ISE. * ISE sends RADIUS result and redirect to portal on ISE * Endpoint gets IP, DNS and def gtwy from DHCP * End user opens web page located on iSE, enters creds. * ISE sends re-authentication Change of Authorization (CoA-reauth) to the switch. * Switch sends new MAB req with same session ID to ISE. * ISE sends final auth result to switch for end user including an authorization option such as a dowloadable ACL (dACL).
139
What is a difference between LWA and Central WebAuth on ISE?
With Central WebAuth with ISE ISE stores the credentials and ties the MAC address to the credentials.
140
What can Central WebAuth do that LWA cannot?
Central WebAuth supports: * CoA for posture profiling * dACL * VLAN authorization options * Client provisioning * Posture assessments * Acceptable use policies * Password changing * Self registration * Device registration.
141
By default what is the order in which a Cisco switch attempts authentication?
* 802.1x authentication first * followed by MAB * and then WebAuth.
142
What is Enhanced Flexible Authentication (FlexAuth)?
FlexAuth allows multiple authentication methods concurrently (for example, 802.1x and MAB) so that endpoints can be authenticated and brought online more quickly.
143
What is FlexAuth a key component of?
Cisco Identity-Based Networking Services (IBNS) 2.0 which offers authentication, access control, and user policy enforcement.
144
What is Cisco Identity Based Networking Service (IBNS)?
It is an integrated solution that offers authentication, access control, and user policy enforcement with a common end-to-end access policy that applies to both wired and wireless networks.
145
What 3 components make up IBNS?
* Enhanced FlexAuth * Cisco Common Classification Policy Language (C3PL) * Cisco ISE
146
What is Cisco TrustSec?
It is a next-generation access control enforcement solution developed by Cisco to address the growing operational challenges related to maintaining firewall rules and ACLs by using Security Group Tag (SGT) tags.
147
In general how does TrustSec work?
* Cisco ISE assigns SGT tags to users/devices that are authenticated and authorized through 802.1x, MAB, or WebAuth. * The SGT tag assignment is delivered to the authenticator as an authorization option (in the same way as a dACL). * After the SGT tag is assigned, an access enforcement policy (allow or drop) based on the SGT tag can be applied at any egress point of the TrustSec network.
148
What is the purpose of TrustSec?
TrustSec uses SGT tags to perform ingress tagging and egress filtering to enforce access control policy.
149
What are SGT Tags and what do they represent?
* Scalable Group Tag * the context of the user, device, use case, or function
150
Are endpoints aware of the SGT tag?
No, endpoints are not aware of the SGT tag. The SGT tag is only known and applied in the network infrastructure.
151
What are the 3 phases during which TrustSec is configured?
* Ingress Classification * Propogation * Egress Enforceent
152
What is TrustSec Ingress Classification?
Ingress classification is the process of assigning SGT tags to users, endpoints, or other resources as they ingress the TrustSec network.
153
What are the 2 ways TrustSec Ingress Classification can occur?
* Dynamic assignment * Static assignment
154
What happens during the Dynamic assignment of the SGT tag?
The SGT is assigned dynamically and can be downloaded as an authorization option from ISE when authenticating using 802.1x, MAB, or WebAuth.
155
What is Static assignment of SGT tags?
Usually done in data centers. SGT tags can be statically mapped on SGT-capable network devices.
156
What are the 7 ways to statically assign an SGT to a device?
* IP to SGT tag * Subnet to SGT tag * VLAN to SGT tag * L2 Interface to SGT tag * L3 logical interface to SGT tag * Port to SGT tag * Port Profile to SGT tag
157
What is an alternative to assigning an SGT tag to a port?
* Cisco ISE added the ability to centrally configure a database of IP addresses and their corresponding SGT tags * Network devices that are SGT capable can download the list from Cisco ISE
158
What is SGT tag propagation?
The process of communicating the mappings to the TrustSec network devices that will enforce policy based on SGT tags.
159
What are the 2 methods for propagating an SGT tag?
* Tag— inline tagging (also referred to as native tagging) * Cisco-created protocol SGT Exchange Protocol (SXP)
160
How does inline tagging (native tagging) work?
With inline tagging, a switch inserts the SGT tag inside a frame to allow upstream devices to read and apply policy. Native tagging is completely independent of any Layer 3 protocol (IPv4 or IPv6), so the frame or packet can preserve the SGT tag throughout the network infrastructure (routers, switches, firewalls, and so on) until it reaches the egress point.
161
What is the downside to native tagging of SGT tags?
It is supported only by Cisco network devices with ASIC support for TrustSec.
162
What would happen if a device that didn't support TrustSec received an SGT tagged frame?
The frame would be dropped.
163
What is SXP?
* SGT Exchange Protocol (SXP) * Cisco TCP-based peer-to-peer protocol used for network devices that do not support SGT inline tagging in hardware. * Using SXP, IP-to-SGT mappings can be communicated between non-inline tagging switches and other network devices. * Non-inline tagging switches also have an SGT mapping database to check packets against and enforce policy.
164
What is the SXP peer that sends IP-to-SGT bindings called?
The speaker.
165
What is the IP-to-SGT binding receiver is called ?
The listener.
166
Are SXP connections single hop only?
No, they can be single or multihop.
167
What are the 2 types of SGT egress enforcement?
* Security Group ACL (SGACL) * Security Group Firewall (SGFW)
168
What is Security Group ACL?
Provides enforcement on routers and switches. Access lists provide filtering based on source and destination SGT tags.
169
What is Security Group Firewall?
Provides enforcement on firewalls (such as Cisco ASA and NGFW). Requires tag-based rules to be defined locally on the firewall.
170
What is MACsec?
It is an IEEE 802.1AE standards-based Layer 2 hop-by-hop encryption method.
171
What does MACsec do?
Traffic is encrypted only on the wire between two MACsec peers and is unencrypted as it is processed internally within the switch.
172
What is the purpose of MACsec?
It allows the switch to look into the inner packets for things like SGT tags to perform packet enforcement or QoS prioritization.
173
What does a switch use to encrypt and decrypt MACsec frames?
The switch leverages onboard ASICs to perform the encryption and decryption
174
What does MACsec do to a normal Ethernet frame?
MACsec adds: * An additional 16-byte MACsec Security Tag field (802.1AE header) * A 16-byte Integrity Check Value (ICV) field.
175
What 2 authentication methods are used by MACsec?
* Galois Method Authentication Code (GMAC) * Authenticated encryption using Galois/ Counter Mode Advanced Encryption Standard (AES-GCM).
176
Do all devices in the flow of the MACsec communications need to support MACsec?
Yes, they have to support MACsec so they can recognize and use the fields added to the Ethernet frame.
177
What are the 5 fields in the 16-byte MACsec Security Tag?
* MACsec EtherType (first two octets) * TCI/ AN (third octet) * SL (fourth octet) * Packet Number (octets 5– 8) * SCI (octets 9– 16)
178
What does the MACsec EtherTYpe field do?
Set to 0x88e5, designating the frame as a MACsec frame
179
What does the MACsec TCI/ AN field do?
Tag Control Information/ Association Number field, designating the version number if confidentiality or integrity is used on its own
180
What does the MACsec SL field do?
Short Length field, designating the length of the encrypted data
181
What does the MACsec Packet Number field do?
The packet number for replay protection and building of the initialization vector
182
What does the MACsec SCI field do?
Secure Channel Identifier, for classifying the connection to the virtual port
183
What are the 2 MACsec keying mechanisms?
* Security Association Protocol (SAP)- this is a proprietary Cisco keying protocol used between Cisco switches * MACsec Key Agreement (MKA) protocol
184
What does the keying mechanism MACsec Key Agreement Protocol (MKA) provide?
MKA provides the required session keys and manages the required encryption keys. The 802.1AE encryption with MKA is supported between endpoints and the switch as well as between switches.
185
What is Downlink MACsec?
It is the term used to describe the encrypted link between an endpoint and a switch.
186
How is the encryption between the endpoint and the switch handled?
By the MKA keying protocol.
187
What is required for there to be encryption between endpoint and switch?
MACsec-capable switch and a MACsec-capable supplicant on the endpoint (such as Cisco AnyConnect).
188
How is encryption handled on the endpoint?
The encryption on the endpoint may be handled in hardware (if the endpoint possesses the correct hardware) or in software, using the main CPU for encryption and decryption.
189
What options does a MACsec switch have regarding encryption?
The Cisco switch has the ability to force encryption, make encryption optional, or force non-encryption.
190
What are 2 ways MACsec encryption can be configured?
* It can be configured manually per port (which is not very common) * Dynamically as an authorization option from Cisco ISE (which is much more common).
191
If the MACsec encryption setting on the switch is different than ISE what happens?
The policy issued by ISE overrides anything set using the switch CLI.
192
What is Uplink MACsec?
This is the term for encrypting a link between switches with 802.1AE.
193
What encryption is used between MACsec switches?
MACsec uses Cisco proprietary SAP encryption. The encryption is the same AES-GCM-128 encryption used with both uplink and downlink MACsec.
194
How is Uplink MACsec achieved?
Uplink MACsec may be achieved manually or dynamically. Dynamic MACsec requires 802.1x authentication between the switches.
195
Which 2 authentication methods were developed by Cisco?
* LEAP * EAP-FAST
CCNP Core
flashcards
Decks in class (46)
# Cards
Brainscape helps you reach your goals faster, through stronger study habits.
© 2026 Bold Learning Solutions. Terms and Conditions