CCIE Security: Theory – Section 5.7 – 5.15

Last bunch of notes!

Lots of this has already been covered (IPSec & PKI for example). It’s a bit brief, most of it is common sense (like knowing what a VPN client is…). Most of the technologies listed are end of life (EoL) anyway.

Feel free to comment with anything useful to flesh it out a bit.

5.7 Cisco Secure ACS Solution Engine

Access policy control platform
Device administration
Remote access
Wireless
NAC
RADIUS & TACACS+
LDAP, ODBC, MS AD
PAP, CHAP, MS-CHAP, EAP
dACLs

5.8 Cisco Network Admission Control (NAC) Appliance Server

Uses Cisco Clean Access Agent – checks for patches etc. Now EoL.

5.9 Endpoint and client

5.9.a Cisco AnyConnect VPN Client

Uses SSL & IPSec IKEv2

5.9.b Cisco VPN Client

5.9.c Cisco Secure Desktop

Minimizes risks
Establishes clientless SSL VPN or AnyConnect VPN
ASA downloads HostScan to the endpoint
Checks:
OS
Specified files
Specified registry keys
Digital certificates
IPv4 or IPv6 address within specified range
HostScan gathers AV, firewall, antispyware version information
Endpoint does not meet requirements – login denied, interaction stops
Endpoint does meet requirements – prelogin policy assigned, interaction continues
HostScan checks for keystroke loggers & host emulation
AV, firewall, antispyware remediation
User logs in
ASA applies dynamic access policy to session
User terminates, HostScan terminates, cache cleaner cleans up.
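As an added illustration (not from these notes, and not Cisco's code), a small Python model of the prelogin decision the HostScan flow above describes: each check the notes list is evaluated against a constructed endpoint record, and the outcome is either a prelogin policy assignment or a denied login. The policy fields, file paths, registry keys, issuer names and address ranges are invented for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the prelogin decision; all names below are invented for
# illustration and are not ASA/CSD configuration syntax.
PreloginPolicy = namedtuple("PreloginPolicy", "name os_allowed required_files "
    "required_registry_keys required_cert_issuers allowed_networks min_av_version")
EndpointPosture = namedtuple("EndpointPosture",
    "os files registry_keys cert_issuers address av_version")

def address_in_range(address, networks):
    """IPv4 or IPv6 address inside one of the policy's CIDR prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def failed_checks(posture, policy):
    """Names of the checks listed in the notes that the endpoint does not satisfy."""
    checks = {
        "os": posture.os in policy.os_allowed,
        "files": policy.required_files <= posture.files,
        "registry": policy.required_registry_keys <= posture.registry_keys,
        "certificate": bool(policy.required_cert_issuers & posture.cert_issuers),
        "address": address_in_range(posture.address, policy.allowed_networks),
        "av_version": posture.av_version >= policy.min_av_version,
    }
    return [name for name, ok in checks.items() if not ok]

def prelogin_decision(posture, policies):
    """First policy whose checks all pass is assigned and the interaction continues;
    if none passes, login is denied. Returns (policy name or None, failures)."""
    failures = {}
    for policy in policies:
        failed = failed_checks(posture, policy)
        if not failed:
            return policy.name, {}
        failures[policy.name] = failed
    return None, failures

# Constructed sample policy and endpoints (hypothetical paths, keys, issuers, ranges)
CORP_POLICY = PreloginPolicy(
    "corporate-managed", {"Windows 10"}, {r"C:\Corp\agent.exe"},
    {r"HKLM\SOFTWARE\Corp\Managed"}, {"Corp Issuing CA"},
    ("10.0.0.0/8", "2001:db8::/32"), (14, 0))
MANAGED_LAPTOP = EndpointPosture(
    "Windows 10", {r"C:\Corp\agent.exe"}, {r"HKLM\SOFTWARE\Corp\Managed"},
    {"Corp Issuing CA"}, "2001:db8:1::10", (14, 2))
HOME_PC = EndpointPosture(
    "Windows 10", set(), set(), set(), "192.0.2.7", (12, 0))
```

Calling `prelogin_decision(HOME_PC, [CORP_POLICY])` returns no policy and lists every failed check, which is the "login denied, interaction stops" branch of the flow above.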

5.9.d Cisco NAC Agent

5.10 Secure access gateways (Cisco IOS router or ASA)

5.10.a IPsec

Already covered pretty much.

5.10.b SSL VPN

http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htwebvpn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-15-mt-book/sec-conn-sslvpn-smart-tunnels-support.pdf
clientless, thin-client & full-tunnel
Smart tunnels – use the Winsock library
Smart tunnels do not support split tunnelling, Cisco Secure Desktop, private socket libraries or MAPI proxy, and cannot be started in two web browsers simultaneously.

5.10.c PKI

Already covered.

5.11 Virtual security gateway

Multi-tenant, zone-based, context aware. Offloads packet-intensive processing to the Nexus 1000V. Supports active/standby and VXLAN.

5.12 Cisco Catalyst 6500 Series ASA Services Modules

Already covered ASA.

5.13 ScanSafe functionality and components

Cloud Web Security:
malware protection
DLP
LDAP integration
reporting
EoL – replaced w/ UTM (ASA, SourceFire & WSA)

5.14 Cisco Web Security Appliance and Cisco Email Security Appliance

web security, anti-malware,

5.15 Security management

All much of a muchness.

5.15.a Cisco Security Manager
5.15.b Cisco Adaptive Security Device Manager (ASDM)
5.15.c Cisco IPS Device Manager (IDM)
5.15.d Cisco IPS Manager Express (IME)

Supports up to ten IPS units

5.15.e Cisco Configuration Professional

Smart wizards & advanced configuration support for LAN and WAN, NAT, stateful and application firewall policy, IPS, IPSec, & SSL VPN, QoS & NAC.
One-click router lockdown
Voice & Security auditing capabilities
Monitor router status
Troubleshooting

Express version lives on flash in ISRs:
Basic configuration of interfaces
Hostname, DNS, DHCP configs
User management
plug-n-play server
dashboard for troubleshooting & CLI

5.15.f Cisco Prime

simplifies network management
improves operational efficiency
delivers predictable services
lower TCO
