
Chapter 3: Building a Security Strategy

I. Foundation Topics
II. Securing Borderless Networks
1. The Changing Nature of Networks
1. Applications and infrastructure are increasingly hosted remotely as a service,
whereas before everything was located within the network. This means the traditional
network, and the infrastructure and applications associated with it, may now be hosted
in various locations; however, the security principles do not change.

2. Logical Boundaries
1. Borderless networks have layers or areas, much as the Cisco Hierarchical model
does, with appropriate security measures for each area. The various borderless
network areas are described below.
Table 3-2 Borderless Network Components

Component: Borderless end zone
Explanation: This is where devices connect to the network. It is here that we are
concerned with viruses, malware, and other malicious software. Using techniques such
as Network Admission Control (NAC) and Identity Services Engine (ISE), we can properly
interrogate devices before they are allowed onto the network to verify they meet
certain minimum requirements (installation of virus scanning tools, service packs,
patch revision levels, and so on).

Component: Borderless data center
Explanation: This represents a cloud-driven business environment that could provide
services. It is in this borderless data center where we implement firewalls such as
the Adaptive Security Appliance (ASA) and intrusion prevention systems (IPS) to
protect the network resources there. Virtual tools can also be used inside virtual
environments in the data center, such as virtual switches that can enforce policy on
the virtual devices connected to that virtual switch.

Component: Borderless Internet
Explanation: This represents the biggest IP network on the planet, which we are all
familiar with. Service providers and other individuals connected to the Internet use
various techniques for security, including IPSs, firewalls, and protocol inspection
(all the way from Layer 2 to Layer 7 of the OSI model).

Component: Policy management point
Explanation: In a perfect environment, we would have a single point of control that
could implement appropriate security measures across the entire network. Cisco
Security Manager (CSM) is an example of one of these enterprise tools. Another example
is Cisco Access Control Server (ACS), which provides contextual access. For example,
if you want to allow administrators full access to a router only if they are logging
in from a specific location, you could enforce that with ACS and authentication,
authorization, and accounting (AAA) rules. Under that same system, administrators
could also potentially gain access from other locations.

3. SecureX and Context-Aware Security

1. SecureX architecture is a strategy made up of the following elements:
a. Context awareness: This is just what it sounds like: being aware of context. For
example, you might want to confirm a basic set of parameters (who users are, how they
are accessing the network, the condition of the computer they are using to access the
network, and so on) before giving users access. Actual tools to implement this include
ISE, NAC, and AAA.
b. AnyConnect Client: With the AnyConnect Client, you can establish Secure Sockets
Layer (SSL) or IPsec VPNs for clients. VPNs provide confidentiality of the data in
motion and the integrity of that data.
c. TrustSec: This creates a distributed access policy enforcement mechanism, and can
also use encryption to provide confidentiality. The intent is to provide and control
end-to-end security, based on who, what, where, and how users are connected to the
network. Endpoint systems are analyzed to verify they meet corporate security
requirements. Actual tools to implement this include ISE, NAC, and AAA. If security
group tags (SGT) are used, the devices involved in forwarding the traffic can apply
the appropriate security policy based on the tag. Data can be encrypted for
confidentiality, as well.
d. Security Intelligence Operations: Security Intelligence Operations (SIO) is a
cloud-based service that Cisco manages. This service identifies and correlates
real-time threats so that customers can leverage this information to better protect
their networks. An example is learning about an attack that is propagating through
the Internet before it reaches your network, thus enabling you to put additional
security measures in place in preparation for its arrival at your perimeter.
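The end-zone interrogation in Table 3-2, the ACS location rule under the policy management point, and the context-awareness element above all reduce to one decision: combine device posture, identity, and session context before granting an access level. The toy policy evaluator below is an added illustration, not code from the book or from any Cisco product; the group names, locations, and patch threshold are constructed for the example.

```python
# Added example (not from the book): a toy context-aware access decision that
# combines the checks this chapter describes. Device posture (antivirus present,
# patch level) stands in for the NAC/ISE interrogation of the borderless end
# zone; identity group plus login location stands in for the ACS/AAA rule that
# grants administrators full access only from an approved location. All
# thresholds, group names and locations below are constructed for the example.
from dataclasses import dataclass

MIN_PATCH_LEVEL = 42           # constructed minimum patch revision level
ADMIN_LOCATIONS = {"hq-noc"}   # constructed set of approved admin login locations


@dataclass(frozen=True)
class AccessRequest:
    user: str
    group: str           # "admin", "staff", or anything else (unknown)
    location: str        # where the session originates
    av_installed: bool   # posture: virus-scanning tool present
    patch_level: int     # posture: patch revision level


def posture_ok(req):
    """End-zone check: every posture requirement must hold."""
    return req.av_installed and req.patch_level >= MIN_PATCH_LEVEL


def decide(req):
    """Return the access level: 'deny', 'remediation', 'user' or 'admin'.

    A non-compliant device never reaches the production network no matter who
    is logged in; administrator privilege additionally depends on location,
    and an administrator elsewhere still gets ordinary user access.
    """
    if not posture_ok(req):
        return "remediation"      # quarantine until it meets minimum requirements
    if req.group == "admin":
        return "admin" if req.location in ADMIN_LOCATIONS else "user"
    if req.group == "staff":
        return "user"
    return "deny"                 # unknown identity group: no access


SAMPLE_REQUESTS = [  # constructed sample sessions
    AccessRequest("alice", "admin", "hq-noc", True, 45),
    AccessRequest("alice", "admin", "coffee-shop", True, 45),
    AccessRequest("bob", "staff", "branch-2", False, 45),
    AccessRequest("carol", "contractor", "branch-2", True, 50),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{r.user:6} from {r.location:12} -> {decide(r)}")
```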

III. Controlling and Containing Data Loss

1. Tools to implement and maintain CIA (Confidentiality, Integrity, and Availability)
a. ASA firewalls: The Cisco ASA provides packet filtering and stateful filtering (all
covered in the firewall section), support for IPsec remote-access and IPsec
site-to-site VPNs, and VPN support for SSL remote-access users. An additional module
can provide intrusion prevention services, as well.
b. Integrated Services Routers (ISR): Building on the routing infrastructure, you can
integrate additional security into the router itself using features such as
zone-based firewalls and IPSs (in software or as IPS modules installed in an
available option slot in the chassis). Routers support VPNs, authenticated routing
protocols, packet filtering, and a wide variety of other security features.
c. Intrusion prevention systems (IPS): An IPS is implemented as a standalone
appliance, or you can implement it as a module that goes into a Cisco ASA firewall or
router. In addition, you can place a blade module in a 6500 series switch. An IPS,
using primarily signature matching, can identify malicious traffic and prevent
attacks from being forwarded into the network.
d. IronPort Email Security Appliances and IronPort Web Security Appliances (WSA):
These appliances provide granular control of email and, in the case of web traffic
and the WSA, can track thousands of applications and enforce security policies to
protect networks against threats.
e. ScanSafe: ScanSafe web security can dynamically categorize search engine results
to prevent access to undesired sites or content, and can also look for malicious
content, thus offering protection against zero-day attacks that have not yet been
identified through traditional IPS signatures.

2. Secure Connectivity Using VPNs


3. Secure Management
1. SSH and HTTPS
2. ASDM (Adaptive Security Device Manager): used for the ASA
3. CCP (Cisco Configuration Device Manager): used for IOS routers
4. IDM and IDM Express (IPS Device Manager): used for IPSs
5. CSM (Cisco Security Manager): can be purchased to configure all devices,
including Catalyst switches

IV. Do I Know This Already? Quiz

Table 3-1 Do I Know This Already? Section-to-Question Mapping
Foundation Topics Section                Questions
Securing Borderless Networks             1-3
Controlling and Containing Data Loss     4-8

1. In which single area of the borderless network would we be primarily concerned
with things such as viruses and malware?
a. Borderless end zone
b. Borderless Internet
c. Borderless data center
d. Borderless bookstore
2. Which of the following methods or resources enable you to qualify a device (verify
the workstation meets minimum requirements) before letting the device access the
network? (Choose all that apply.)
a. Port security
b. NAC
c. ISE
d. VPN
3. On a physical switch, you can use technical controls for traffic flows between
devices. How can you best implement a similar policy between two virtual devices
that you are running logically in the data center?
a. Cannot be done
b. Virtual switch
c. Virtual ACLs
d. Route the traffic out of the virtual to a physical switch, enforce the security there,
and then route the traffic back into the virtual environment
4. Which of the following elements can you use as part of the Cisco SecureX
architecture/strategy? (Choose all that apply.)
a. IPS appliances
b. AnyConnect
c. ASA firewalls
d. SIO
5. Which concept refers to granting access based on multiple conditions, including the
identity of the user, the device the user is connecting from, and how secure the
workstation is the user is connecting from?
a. Context awareness
b. ACS
c. ISE
d. NAC

6. How does AnyConnect provide confidentiality?
a. It encrypts data on the disk, file by file
b. It encrypts the entire disc
c. It implements encryption at Layer 2
d. It implements SSL or IPsec
7. TrustSec uses which of the following to identify a specific policy that should be
applied to traffic?
a. Security group tag
b. Group domain of interpretation
c. DSCP
d. IP precedence
8. Which cloud-based service could you use as an early-warning system for a threat
that might be coming your way via the Internet?
a. SIO
b. IOS
c. ISO
d. SOI

V. Review All the Key Topics

Table 3-3 Key Topics
Key Topic Element   Description                           Page Number
Table 3-2           Borderless network components         41
List                SecureX and context-aware security    42
List                An ounce of prevention                42

VI. Memory Tables Chapter 3

Table 3-2 ASA Local DHCP Server Configuration Fields

Field: DHCP Enabled
Description: Select this option to enable the DHCP server on the specific interface
for which you are configuring the scope.

Field: DHCP Address Pool
Description: Enter the start and end IP addresses of the subnet or range you want to
use for address assignment to your remote users.

Field: DNS Server 1
Description: Enter the IP address of a DNS server in use on the network of the
interface you are using, or one that is reachable from the IP addresses in the scope
you are configuring.

Field: DNS Server 2
Description: Enter the IP address of a secondary DNS server, if you have one
available.

Field: Primary WINS Server
Description: Enter the IP address of a WINS server that is available to remote
Windows users assigned an IP address in this scope.

Field: Secondary WINS Server
Description: Enter the IP address of a secondary WINS server, if available.

Field: Domain Name
Description: Enter the default domain name that your remote users will append to any
device names they attempt to access by name.

Field: Lease Length
Description: Enter the amount of time in seconds that an IP address lease will last
before the DHCP server can reclaim it if there is no further communication with the
client. Normally, after half of the lease time has elapsed, the client tries to renew
the lease back to its maximum value. This is a proactive way for the client to keep
its IP address assigned.

Field: Ping Timeout
Description: Enter the amount of time in milliseconds that the DHCP server should
wait for a ping response before assuming the IP address it is attempting to offer to
a remote user is available (not already assigned).

Field: Enable Auto-Configuration from Interface
Description: Enable this option if you are retrieving all the information in the
previous fields (that is, DNS, WINS, domain name, and so on) dynamically from a
source on the selected interface. This allows you to hand the dynamically learned
information to remote users. However, any addresses you have configured explicitly
using the fields mentioned earlier are preferred over dynamically learned
information.

Field: Update DNS Server
Description: Select this option if you want to enable dynamic DNS updates. Any remote
users assigned an IP address from your DHCP scope will also have their corresponding
DNS entry updated.


VII. Define Key Terms

1. SecureX
2. context-aware security
3. ASA
4. IPS
5. AnyConnect
