CCIE Security: Theory – Section 5.7 – 5.15

Last bunch of notes!

Lots of this has already been covered (IPSec & PKI, for example). It’s a bit brief; most of it is common sense (like knowing what a VPN client is…). Most of the technologies listed are end of life (EoL) anyway.

Feel free to comment with anything useful to flesh it out a bit.

5.7 Cisco Secure ACS Solution Engine

Access policy control platform
Device administration
Remote access

5.8 Cisco Network Admission Control (NAC) Appliance Server

Uses Cisco Clean Access Agent – checks for patches etc. Now EoL.

5.9 Endpoint and client

5.9.a Cisco AnyConnect VPN Client

Uses SSL & IPSec IKEv2

5.9.b Cisco VPN Client

5.9.c Cisco Secure Desktop

Minimizes risks
Establishes clientless SSL VPN or AnyConnect VPN
ASA downloads HostScan to the endpoint
Specified files
Specified registry keys
Digital certificates
IPv4 or IPv6 address within specified range
HostScan gathers AV, firewall, antispyware version information
endpoint does not meet requirements – login denied, interaction stops
endpoint does meet requirements – prelogin policy assigned, interaction continues
HostScan checks for keystroke loggers & host emulation
AV, firewall, antispyware remediation
User logs in
ASA applies dynamic access policy to session
User terminates, HostScan terminates, cache cleaner cleans up.
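The prelogin and HostScan flow above, as an added worked example (this is not Cisco code; the report fields, policy names, check semantics and the sample endpoint reports are constructed assumptions for illustration). It walks an endpoint report through the same stages the notes list: prelogin checks on files, registry keys, certificates and IP range, then the keystroke-logger and host-emulation checks, then AV/firewall remediation, and finally the dynamic access policy (DAP) assigned to the session.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class EndpointReport:
    """What HostScan reported back to the ASA (constructed sample data)."""
    ip_address: str
    files: Set[str] = field(default_factory=set)          # paths found on the endpoint
    registry_keys: Set[str] = field(default_factory=set)  # registry keys found
    certificates: Set[str] = field(default_factory=set)   # installed cert subjects
    av_version: Optional[str] = None
    firewall_enabled: bool = False
    keylogger_detected: bool = False
    host_emulation: bool = False   # endpoint appears to be a VM/emulator


@dataclass
class PreloginPolicy:
    """Prelogin criteria; every listed requirement must hold (assumed semantics)."""
    name: str
    dap_name: str   # dynamic access policy applied to the session after login
    required_files: Set[str] = field(default_factory=set)
    required_registry_keys: Set[str] = field(default_factory=set)
    required_certificates: Set[str] = field(default_factory=set)
    ip_ranges: List[str] = field(default_factory=list)  # IPv4/IPv6 CIDR prefixes
    min_av_version: Optional[str] = None
    require_firewall: bool = False


def version_tuple(v: str) -> tuple:
    """'12.10' -> (12, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def in_ranges(ip: str, ranges: List[str]) -> bool:
    """True if no range is configured, or the endpoint IP (v4 or v6) is inside one."""
    if not ranges:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def prelogin_failures(report: EndpointReport, policy: PreloginPolicy) -> List[str]:
    """Return the prelogin checks the endpoint fails (empty list = policy matches)."""
    failures = []
    if not policy.required_files <= report.files:
        failures.append("files")
    if not policy.required_registry_keys <= report.registry_keys:
        failures.append("registry")
    if not policy.required_certificates <= report.certificates:
        failures.append("certificate")
    if not in_ranges(report.ip_address, policy.ip_ranges):
        failures.append("ip-range")
    return failures


def evaluate_session(report: EndpointReport, policies: List[PreloginPolicy]) -> dict:
    """Prelogin -> HostScan security checks -> remediation -> DAP, as in the notes."""
    matched = next((p for p in policies if not prelogin_failures(report, p)), None)
    if matched is None:   # no prelogin policy fits: login denied, interaction stops
        return {"decision": "denied", "reason": "no prelogin policy matched"}
    # keystroke-logger / host-emulation findings also stop the interaction
    if report.keylogger_detected:
        return {"decision": "denied", "reason": "keystroke logger detected"}
    if report.host_emulation:
        return {"decision": "denied", "reason": "host emulation detected"}
    remediation = []   # AV / firewall items the user must fix before login
    if matched.min_av_version and (
        report.av_version is None
        or version_tuple(report.av_version) < version_tuple(matched.min_av_version)
    ):
        remediation.append("update antivirus")
    if matched.require_firewall and not report.firewall_enabled:
        remediation.append("enable firewall")
    return {"decision": "allowed", "prelogin_policy": matched.name,
            "dap": matched.dap_name, "remediation": remediation}


# Constructed policies: a managed-device policy and a catch-all for everything else.
CORPORATE = PreloginPolicy(
    name="corporate-managed", dap_name="FullAccess",
    required_files={r"C:\Program Files\Corp\agent.exe"},
    required_registry_keys={r"HKLM\SOFTWARE\Corp\Managed"},
    required_certificates={"CN=corp-device"},
    ip_ranges=["10.0.0.0/8", "2001:db8::/32"],
    min_av_version="12.0", require_firewall=True)
GUEST = PreloginPolicy(name="unmanaged", dap_name="WebOnly", min_av_version="12.0")
POLICIES = [CORPORATE, GUEST]

# Constructed endpoint reports.
MANAGED_LAPTOP = EndpointReport(
    ip_address="2001:db8::10",
    files={r"C:\Program Files\Corp\agent.exe"},
    registry_keys={r"HKLM\SOFTWARE\Corp\Managed"},
    certificates={"CN=corp-device"},
    av_version="12.3.1", firewall_enabled=True)
HOME_PC = EndpointReport(ip_address="192.168.1.20", av_version="11.9")
INFECTED = EndpointReport(ip_address="10.1.2.3", keylogger_detected=True)

if __name__ == "__main__":
    for label, rep in (("managed", MANAGED_LAPTOP), ("home", HOME_PC), ("infected", INFECTED)):
        print(label, evaluate_session(rep, POLICIES))
```

The order matters: the prelogin match happens before the HostScan keylogger/emulation checks, so an endpoint can pass prelogin and still be denied, and remediation items are only ever reported for a session that will be allowed.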

5.9.d Cisco NAC Agent

5.10 Secure access gateways (Cisco IOS router or ASA)

5.10.a IPsec

Already covered pretty much.

5.10.b SSL VPN
clientless, thin-client & full-tunnel
Smart tunnels – uses Winsock library
Do not support split-tunnelling, Cisco Secure Desktop, private socket libraries or MAPI proxy. Cannot be started in two web browsers simultaneously.

5.10.c PKI

Already covered.

5.11 Virtual security gateway

Multi-tenant, zone-based, context aware. Offloads packet-intensive processing to Nexus 1000V. Supports active/standby, VXLAN

5.12 Cisco Catalyst 6500 Series ASA Services Modules

Already covered ASA.

5.13 ScanSafe functionality and components

Cloud Web Security:
malware protection
LDAP integration
EoL – replaced w/ UTM (ASA, SourceFire & WSA)

5.14 Cisco Web Security Appliance and Cisco Email Security Appliance

web security, anti-malware,

5.15 Security management

All much of a muchness.

5.15.a Cisco Security Manager
5.15.b Cisco Adaptive Security Device Manager (ASDM)
5.15.c Cisco IPS Device Manager (IDM)
5.15.d Cisco IPS Manager Express (IME)

Supports up to ten IPS units

5.15.e Cisco Configuration Professional

Smart wizards & advanced configuration support for LAN and WAN, NAT, stateful and application firewall policy, IPS, IPSec, & SSL VPN, QoS & NAC.
One-click router lockdown
Voice & Security auditing capabilities
Monitor router status

Express version lives on flash in ISRs:
Basic configuration of interfaces
Hostname, DNS, DHCP configs
User management
plug-n-play server
dashboard for troubleshooting & CLI

5.15.f Cisco Prime

simplifies network management
improves operational efficiency
delivers predictable services
lower TCO