CCNA Security Ch3 Building Security Strategy

8/9/2019 CCNA Security Ch3 Building Security Strategy

Chapter 3: Building a Security Strategy

I. Foundation Topics
II. Securing Borderless Networks

1. The Changing Nature of Networks
   1. Applications and infrastructure are being hosted remotely as a service, whereas before everything was located within the network. This means that the traditional network and its associated infrastructure and applications may now be hosted in various locations; however, the security principles do not change.

2. Logical Boundaries
   1. Borderless networks have layers or areas, as the Cisco Hierarchical model does, with appropriate security measures for each area. See below for descriptions of the various borderless network areas.

Table 3-2 Borderless Network Components

Component: Explanation

Borderless end zone: This is where devices connect to the network. It is here that we are concerned with viruses, malware, and other malicious software. Using techniques such as Network Admissions Control (NAC) and Identity Services Engine (ISE), we can properly interrogate devices before they are allowed onto the network to verify they meet certain minimum requirements (installations of virus scanning tools, service packs, patch revision levels, and so on).

Borderless data center: This represents a cloud-driven business environment that could provide services. It is in this borderless data center where we implement firewalls such as the Adaptive Security Appliance (ASA) and intrusion prevention systems (IPS) to protect network resources there. Virtual tools can also be used inside virtual environments in the data center, such as virtual switches that can enforce policy on virtual devices that are connected to that virtual switch.

Borderless Internet: This represents the biggest IP network on the planet, which we are all familiar with. Service providers and other individuals connected to the Internet use various techniques for security, including IPSs, firewalls, and protocol inspection (all the way from Layer 2 to Layer 7 of the OSI model).

Policy management point: In a perfect environment, we would have a single point of control that could implement appropriate security measures across the entire network. Cisco Security Manager (CSM) is an example of one of these enterprise tools. Another example is Cisco Access Control Server (ACS), which provides contextual access. For example, if we want to allow administrators full access to a router only if they are logging in from a specific location, you could enforce that with ACS and authentication, authorization, and accounting (AAA) rules. Under that same system, administrators could also potentially gain access from other locations.

2. Secure Connectivity Using VPNs

3. Secure Management
   1. SSH and HTTPS
   2. ASDM - Adaptive Security Device Manager - Used for ASA
   3. CCP - Cisco Configuration Device Manager - Used for IOS routers
   4. IDM and IDM Express - IPS Device Manager - Used for IPSs
   5. CSM - Cisco Security Manager - Can be purchased to configure all devices, including Catalyst switches

I. "Do I Know This Already?" Quiz

Table 3-1 "Do I Know This Already?" Section-to-Question Mapping

Foundation Topics Section: Questions
Securing Borderless Networks: 1-3
Controlling and Containing Data Loss: 4-8

1. In which single area of the borderless network would we be primarily concerned with things such as viruses and malware?
   a. Borderless end zone
   b. Borderless Internet
   c. Borderless data center
   d. Borderless bookstore

2. Which of the following methods or resources enable you to qualify a device (verify the workstation meets minimum requirements) before letting the device access the network? (Choose all that apply.)
   a. Port security
   b. NAC
   c. ISE
   d. VPN

3. On a physical switch, you can use technical controls for traffic flows between devices. How can you best implement a similar policy between two virtual devices that you are running logically in the data center?
   a. Cannot be done
   b. Virtual switch
   c. Virtual ACLs
   d. Route the traffic out of the virtual to a physical switch, enforce the security there, and then route the traffic back into the virtual environment

4. Which of the following elements can you use as part of the Cisco SecureX architecture strategy? (Choose all that apply.)
   a. IPS appliances
   b. AnyConnect
   c. ASA firewalls
   d. SIO

5. Which concept refers to granting access based on multiple conditions, including the identity of the user, the device the user is connecting from, and how secure the workstation is that the user is connecting from?
   a. Context awareness
   b. ACS
   c. ISE
   d. NAC

6. How does AnyConnect provide confidentiality?
   a. It encrypts data on the disk, file by file
   b. It encrypts the entire disc
   c. It implements encryption at Layer 2
   d. It implements SSL or IPsec

7. TrustSec uses which of the following to identify a specific policy that should be applied to traffic?
   a. Security group tag
   b. Group domain of interpretation
   c. DSCP
   d. IP precedence

8. Which cloud-based service could you use as an early-warning system for a threat that might be coming your way via the Internet?
   a. SIO
   b. IOS
   c. ISO
   d. SOI

I. Review All the Key Topics

Table 3-3 Key Topics

Key Topic Element: Description: Page Number
Table 3-2: Borderless network components: 41
List: SecureX and context-aware security: 42
List: An ounce of prevention: 42

I. Memory Tables Chapter 3

Table 3-? ASA Local DHCP Server Configuration Fields

Field: Description

DHCP Enabled: Select this option to enable the DHCP server for the specific interface you have chosen to configure your scope for.

DHCP Address Pool: Enter the start and end IP addresses of the subnet or range you want to use for the purposes of address assignment to your remote users.

DNS Server 1: Enter the IP address of a DNS server in use in the network of the interface you are using or that is available to the IP addresses in the scope you are configuring.

DNS Server 2: Enter the IP address of a secondary DNS server if you have one available.

Primary WINS Server: Enter the IP address of any WINS servers that may be available to remote Windows users assigned an IP address in this scope.

Secondary WINS Server: Enter the IP address of a secondary WINS server if available.

Domain Name: Enter the default domain name that will be used by your remote users as a suffix for any devices they might attempt to access by name.

Lease Length: Enter the amount of time in seconds that an IP address lease will last before the DHCP server can reclaim it if there is no further communication with the client. Normally, after half of the lease time, the client should try to extend the lease again to its maximum value. This is a proactive way for the client to try to keep its IP address assigned.

Ping Timeout: Enter an amount of time in milliseconds that the DHCP server should wait for a response before assuming the IP address it is attempting to offer to a remote user is available (not already assigned).

Enable Auto-Configuration from Interface: Enable this option if you are retrieving all the information in the previous fields (that is, DNS, WINS, domain name, and so on) dynamically from a source on the interface selected. This will allow you to use the dynamically learned information and give this to remote users to use. However, if you have configured any addresses explicitly using the fields mentioned earlier, those will be preferred over any dynamically learned information.

Update DNS Server: Select this option if you want to enable dynamic DNS updates. Any remote users assigned an IP address from your DHCP scope will also have their corresponding DNS entry information updated.

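The ASDM fields in the table above correspond one for one to ASA CLI dhcpd commands. The following is an added example, not part of the original notes; the interface names (inside, outside), the addresses and the domain name are constructed values.

```cisco
! Added example (not from the original notes): ASA CLI equivalent of the
! ASDM DHCP server fields. Interface names and addresses are constructed.
! DHCP Address Pool: start-end range handed to clients on the "inside" interface
dhcpd address 192.168.10.100-192.168.10.200 inside
! DNS Server 1 / DNS Server 2
dhcpd dns 192.168.10.2 192.168.10.3
! Primary / Secondary WINS Server (for remote Windows clients)
dhcpd wins 192.168.10.4 192.168.10.5
! Domain Name: suffix clients append when resolving short hostnames
dhcpd domain example.com
! Lease Length in seconds (client attempts renewal at half the lease)
dhcpd lease 86400
! Ping Timeout in milliseconds: the server probes an address before offering it,
! so an address already in use by a statically configured host is not handed out
dhcpd ping_timeout 750
! Enable Auto-Configuration from Interface: learn DNS/WINS/domain from the DHCP
! client on "outside"; the explicit dns/wins/domain lines above take precedence
dhcpd auto_config outside
! Update DNS Server: dynamic DNS updates for leased addresses
dhcpd update dns both
! DHCP Enabled: start the server on the chosen interface (issue this last)
dhcpd enable inside
```

Because the explicit entries override what auto_config learns, keeping the dns and domain lines prevents DNS servers learned from the upstream provider from being pushed to internal clients unintentionally.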

II. Define Key Terms
1. SecureX
2. context-aware security
3. ASA
4. IPS
5. AnyConnect