Endpoint Security for LANs

Questions and Answers

In a modern network security approach, what is the role of Network Admission Control (NAC)?

  • To encrypt all data transmitted across the network.
  • To provide advanced antimalware protection.
  • To authenticate users and enforce network security policies. (correct)
  • To filter URLs to prevent access to malicious websites.

What is a key difference between traditional endpoint security and modern endpoint security solutions?

  • Traditional security relies on reactive measures, while modern security incorporates proactive threat intelligence and analysis. (correct)
  • Traditional security uses hardware encryption, while modern security uses software encryption.
  • Traditional security focuses solely on perimeter defense, while modern security includes endpoint protection.
  • Traditional security is more effective against zero-day attacks than modern security.

Which of the following is a primary function of Cisco's Email Security Appliance (ESA)?

  • Managing and controlling network bandwidth allocation.
  • Providing network intrusion detection.
  • Blocking spam and providing advanced malware protection for email. (correct)
  • Encrypting all web traffic.

What type of security threat is mitigated by implementing DHCP snooping?

DHCP starvation and DHCP spoofing attacks. (C)

What is the primary purpose of using port security on a network switch?

To prevent unauthorized devices from accessing the network through a switch port. (B)

How does a CAM table overflow attack compromise network security?

By causing the switch to forward all traffic to every port, allowing an attacker to capture sensitive data. (B)

What does Cisco's Advanced Malware Protection (AMP) provide in addition to traditional anti-virus software?

Real-time threat intelligence and retrospective security analysis. (D)

Which Layer 2 attack involves manipulating the Spanning Tree Protocol (STP) to become the root bridge and intercept network traffic?

STP manipulation. (A)

What is the function of IP Source Guard in network security?

To prevent IP address spoofing attacks. (B)

What is VLAN hopping and what type of vulnerability does it exploit?

An attack that allows traffic from one VLAN to be seen by another without routing; exploits trunking protocol vulnerabilities. (B)

How does a modern Web Security Appliance (WSA) protect a network from web-based threats?

By inspecting web traffic, filtering malicious URLs, and scanning for malware. (B)

Which of the following is a typical characteristic of a DHCP starvation attack?

An attacker floods the DHCP server with requests to exhaust all available IP addresses. (D)

What is the purpose of configuring 'switchport port-security mac-address sticky' on a switchport?

To dynamically learn and add connected MAC addresses to the running configuration. (D)

When configuring port security, what is the 'violation mode' and what options are typically available?

The action taken when a security violation occurs; options are protect, restrict, and shutdown. (B)

How does implementing Dynamic ARP Inspection (DAI) contribute to network security?

By validating ARP packets against a trusted database to prevent ARP poisoning. (D)

What is the role of the Talos team in the context of Cisco's security solutions?

To gather and analyze real-time threat intelligence. (A)

In the context of network security, what does the term 'blacklisting' refer to?

A list of entities (e.g., URLs, IP addresses) that are blocked or denied access. (B)

What is the purpose of configuring a DHCP snooping limit rate on a switch interface?

To prevent DHCP starvation attacks by limiting the rate of DHCP requests. (A)

When implementing port security, which aging type is most appropriate for environments where devices frequently move or change?

Absolute or Inactive aging. (A)

Which of the following best describes the combined function of a Cisco Web Security Appliance (WSA) and Email Security Appliance (ESA) in a comprehensive security strategy?

The WSA protects against web-based threats, while the ESA protects against email-based threats. (A)

What is a common method an attacker might use to initiate a CAM table overflow attack?

Using a tool like 'macof' to flood the switch with bogus MAC addresses. (B)

How does implementing 802.1X authentication improve network security?

By authenticating users and devices before granting network access. (A)

What is the purpose of configuring VLAN trunk security, and what type of attack does it primarily mitigate?

To restrict the VLANs allowed on a trunk link; mitigates VLAN hopping attacks. (C)

What is one key benefit of using hardware-based encryption over software-based encryption for local data?

It generally offers better performance and security due to dedicated processing. (C)

What is the significance of the 'show mac address-table' command on a Cisco switch?

It shows the current MAC address to port mappings within the CAM table. (C)

Traditional endpoint security relies solely on network-based protections, neglecting host-based firewalls and intrusion prevention systems.

False (B)

In a borderless network, limiting security measures to antivirus software is sufficient to protect against the wide array of potential threats.

False (B)

Advanced Malware Protection (AMP) operates only after a malware attack by focusing solely on remediation.

False (B)

Cisco AMP utilizes threat intelligence gathered from a broad range of sources, analyzing approximately 100 MB of security data daily.

False (B)

A key feature of the Cisco Email Security Appliance is its ability to block spam, provide advanced malware protection, and control outbound messages.

True (A)

When a client initiates a web request, the Cisco Web Security Appliance (WSA) intercepts the request, analyzes it for potential threats, and then forwards it to the internet.

True (A)

Cisco NAC functions do not include policy enforcement; it only focuses on identifying users and devices on the network.

False (B)

Layer 2 vulnerabilities involve exploitation of the Physical and Application layers of the OSI model.

False (B)

In a CAM table overflow attack, the switch floods the network with traffic because it cannot determine the correct destination MAC address.

True (A)

The macof tool is used to mitigate CAM table attacks by preventing attackers from flooding the network with bogus MAC addresses.

False (B)

Port security guarantees network performance by ensuring that only authorized devices can connect to a switch port.

False (B)

Enabling sticky learning on a switch port allows the switch to dynamically learn and permanently store MAC addresses until manually deleted.

False (B)

In port security, the 'restrict' violation mode drops traffic from unauthorized MAC addresses, sends a syslog message, and increments the violation counter.

True (A)

A DHCP starvation attack renders a DHCP server unable to issue IP addresses by overwhelming it with requests, while a DHCP spoofing attack sets up a bogus DHCP server.

True (A)

Configuring DHCP snooping on a switch involves defining ports as either 'trusted' or 'untrusted', with 'trusted' ports being allowed to send DHCP responses.

True (A)

In the context of endpoint security, 'blacklisting' refers to a technique that only permits known good URLs to be accessed, blocking all others.

False (B)

ESA and WSA are legacy systems and offer similar functionality to Antivirus software.

False (B)

Modern security solutions replaced the need for hardware and software encryption of local data.

False (B)

In DHCP Snooping configurations, DHCP 'trust' is configured on the interfaces connecting to clients, not the DHCP server.

False (B)

Advanced Malware Protection (AMP) can block URLs.

False (B)

Modern security solutions combine NAC, AMP, ESA and WSA functionality.

True (A)

1 TB of security intelligence data is analyzed daily using Cisco's threat defense.

False (B)

The purpose of blacklisting is to ensure only trusted sources can access your server.

False (B)

Once sticky MAC Addresses are learned, they cannot be deleted.

False (B)

Sticky learning requires a manual reboot to take effect.

False (B)

Flashcards

Endpoint Security

Securing individual devices (endpoints) connected to a network.

Traditional Endpoint Security

Traditional security measures on individual devices (e.g., antivirus, host-based firewalls).

Traditional Endpoint Security Components

Host-Based Antivirus/Antimalware, Host-Based IPS, and Host-Based Firewall.

Host-Based Protection

Features include Antivirus/Antimalware, SPAM Filtering, URL Filtering, and Blacklisting

AMP

Advanced Malware Protection is a modern security solution.

NAC

Network Access Control; manages secure network admission.

ESA

Email Security Appliance; blocks spam and malware in emails.

WSA

Web Security Appliance; filters malicious websites and content.

Managed Threat Defense

Talos teams gather threat intelligence from a variety of sources and analyze data to block threats.

Cisco Email Security Appliance

An appliance that blocks spam, provides advanced malware protection and outbound message control.

Cisco Web Security Appliance

An appliance that filters web content, manages web access and web security.

Cisco NAC

A security feature that lets administrators configure devices to authenticate and authorize network access.

Layer 2 Security Threats

Attacks that exploit vulnerabilities in Layer 2 protocols and devices.

Data Link (Layer 2)

The Ethernet Frames Layer

Switch Attack Categories

CAM Table Attacks, VLAN Attacks, STP Attacks, DHCP Attacks, ARP Attacks, and Address Spoofing Attacks

CAM Table Overflow Attack

An attack that floods the switch's CAM table with fake MAC addresses, causing it to forward traffic to all ports.

show mac-address-table

Command used to display the MAC address table.

Port Security

A switch security feature that limits the MAC addresses that can be learned on a port.

Port Security Violation Mode

Secure-shutdown

Sends Syslog Message

A message sent when a configured parameter on a device is violated.

DHCP Spoofing Attack

A rogue DHCP server provides incorrect IP addresses to clients.

DHCP Starvation Attack

Attacker exhausts all IP addresses in the DHCP scope, causing denial of service for legitimate clients.

DHCP Snooping

A security feature that filters DHCP messages to prevent malicious DHCP servers from providing incorrect IP addresses to clients.

Trusted port

A port where DHCP messages are trusted.

Untrusted port

A port where DHCP messages are not trusted.

Securing LAN Elements

Ensuring security at the entry points of a network, where devices connect.

Post-Malware Questions

Questions to ask after a malware attack to learn from the incident.

Advanced Malware Protection

Provides protection before, during, and after a malware attack.

Enabling Port Security

The first step when implementing Port Security.

Maximum MAC Addresses

Limits the maximum number of MAC addresses on a port.

Basic Switch Operation

The CAM Table

ip dhcp snooping limit rate

A command to configure the rate limit for DHCP Snooping.

Study Notes

Endpoint Security

  • Designed to secure local area networks

Endpoint Security Technologies

  • Endpoint security encompasses enabling technologies to protect LANs
  • Cisco AMP is leveraged to ensure endpoint security
  • Cisco NAC authenticates and enforces network security policies

Securing LAN Elements

  • VPN
  • Firewall
  • ESA/WSA
  • IPS
  • ACS

Traditional Endpoint Security

  • Host-based IPS
  • Antivirus/Antimalware Software
  • Host-Based Firewall

Securing Endpoints in Borderless Networks

  • Key questions after a malware attack include determining the source, threat method, affected systems, the threat's actions, containment strategies, recovery, and prevention
  • Host-Based Protection includes antivirus/antimalware, SPAM filtering, URL filtering, and blacklisting

Modern Endpoint Security Solutions

  • AMP
  • NAC
  • ESA
  • WSA

Antimalware Protection Phases

  • Before: Discover, Enforce, Harden
  • During: Detect, Block, Defend
  • After: Scope, Contain, Remediate

AMP and Managed Threat Defense

  • Talos teams gather real-time threat intelligence from sources:
    • 1.6 million deployed security devices (firewall, IPS, web, and email appliances)
    • 150 million endpoints.
  • Talos analyzes 100 TB of security intelligence daily, 13 billion web requests per day, and 35% of the world's enterprise email traffic

Cisco Email Security Appliance Features

  • Spam blocking
  • Advanced malware protection
  • Outbound message control

Cisco Web Security Appliance Operation

  • Client initiates web request
  • WSA forwards the request
  • Reply sent to WSA and then to client

Cisco NAC Functions

  • NAC = Network Admission Control
  • NAC authenticates and enforces network security policies.
  • Components: hosts attempting network access, network access devices, policy server decision points, and vendor servers

Layer 2 Security Considerations

  • Aims to address Layer 2 vulnerabilities
  • Includes mitigation techniques for CAM table overflow attacks, VLAN hopping attacks, DHCP attacks, ARP attacks, and address spoofing attacks
  • Also includes implementing Dynamic ARP Inspection (DAI) to mitigate ARP attacks
  • Another mitigation technique is implementing IP Source Guard to mitigate address spoofing attacks

Layer 2 Vulnerabilities

  • A network can be initially compromised at the Data Link layer
  • Such a compromise can propagate up through the Network, Transport, Session, Presentation, and Application layers

Switch Attack Categories

  • CAM Table Attacks
  • STP Attacks
  • Address Spoofing Attacks
  • ARP Attacks
  • DHCP Attacks
  • VLAN Attacks

CAM Table Attacks

  • Intruder runs attack tool (macof), filling CAM table with bogus addresses

CAM Table Attack Outcomes

  • Switch floods all traffic
  • Attacker captures traffic

CAM Table Attack Tools

  • macof

CAM Table Attack Countermeasures

  • Port Security

Port Security

  • Port Security allows only the specified MAC addresses, such as A, B and C

Port Security Options

  • Port-security aging commands
  • Secure MAC address
  • Max secure addresses
  • Security violation mode

Security Violation Modes

  • Protect: Forwards traffic, doesn't send a Syslog message, doesn't increment the violation counter, and doesn't shut down the port
  • Restrict: Doesn't forward traffic, sends a Syslog message, increments the violation counter, and doesn't shut down the port
  • Shutdown: Doesn't forward traffic, sends a Syslog message, increments the violation counter, and shuts down the port

DHCP Spoofing Attack

  • Rogue DHCP server provides incorrect IP configuration information to clients

DHCP Starvation Attack

  • Attacker floods DHCP server with requests, exhausting available IP addresses

Configuring DHCP Snooping

  • Involves configuring trusted and untrusted ports, typically with the DHCP server port as trusted

DHCP Snooping Configuration

  • Limit the rate of DHCP traffic on untrusted ports and limit the number of MAC addresses
  • Verify DHCP snooping; the binding output shows MacAddress, IpAddress, Lease, Type, VLAN and Interface
