The Complete Course from ExamCollection industry leading experts to help you prepare and provides the full 360 solution for self prep including 350-701: Implementing and Operating Cisco Security Core Technologies Certification Video Training Course, Practice Test Questions and Answers, Study Guide & Exam Dumps.

Threat Defense Technologies

1. AAA - Network Security

Overview now stands for authentication, authorization, and accounting. Now, if you go with some basic, general examples, authentication refers to authenticating the user or verifying who the user is. Take any kind of credit card information, for example, if you're using your own credit card, you'll probably want to do some kind of transaction. Now, to do the transaction, you have to provide the credentials. For example, you may need to enter the pin or a card number and a pin on the backside, or you may require any other additional information. Or if you take an example of any specific userin the company is trying to log into his computerand before he actually logged in the computer, he mustprovide his username and the password to make sure thathe can access that particular computer. So that's what authentication is, too. In general, authentication is nothing more than verifying the username and password and ensuring that the username and password he has provided is a valid card. And once the user gets authenticated, or once you log into your card with the proper details, then authorization is going to tell you what resources you can access and what resources you cannot access. When a user attempts to log into a computer on the company network, he will be authenticated, and once authenticated, we must determine what resources he can access. So, if this user belongs to the accounts department, and I want to make sure that this user can only access accounts computers, or if there is any guest user who is coming into a network, say, connecting to my WiFi network, and I want to make sure that this user can only access the Internet, nothing else. So authorization is going to tell what the user can access. As an example, what is the maximum number of transactions you can make using your credit card? So maybe you have a limit of, let's say, $800, but you cannot do more than that. So that's what authorization authorization is restricting the user,what he can do, what he cannot do. Finally, accounting is concerned with keeping track of what is going on in your network and what changes the user made. Like the example of user, whenever he logged inhe will be authenticated, maybe an account user. And once he gets authenticated, he will be authorised to only access the resources specific to that particular department. And then you also need to keep track of when this particular user logged in, what time he logged in, or what changes he made—these kinds of things. So if you want to keep a track of all thesethings, then we also need to enable a service called accounting. So I'll be using this triplet of accounting, authorization, and authentication. These three A's will be used in network security, just as these three S's will be used in network security. As a result, we do this for both device access. Now again, for what device access means, let me just write down device access and device administration. We can say typically, and then we can say for network access as well. Now, device administration means—let's take an example. I feel like in the previous sessions we discussed some telnet or SSH protocols. Now this will allow the user to log into the device remotely. So maybe there is a user who belongs to the ID department, and his job is to manage the router, the switch, or the firewalls. Now, this user actually tries to log into the device by using SSH or Telnet, and I want to make sure that this user should be able to log into the device. So we need to authenticate the user. That's the first step. So we need to make sure that the user is allowed to do device administration. So the first step is to get authenticated, provide the correct username, and create the passwords. And once this user logs in to the device, he also needs to be authorized. Now, in authorization, I want to make sure that if this user is a level one engineer, he or she can only execute basic show commands. And maybe he can do some basic changes, like changing the host name or changing IP addresses, but he cannot make any other changes. He cannot make any changes to the routing configurations, shut down the interface, or something like that. That's what authorization is. And if the user belongs to Level Two and I want to give some additional permissions, he can make all the changes, but he cannot erase the configurations or delete any configurations. So for device administration, we need to authenticate our users for accessing the devices remotely, and we also need to give permissions to what they can do and what they cannot do based on different user accounts. And finally, we also need to keep track of what he did, what changes he made, when he logged in, what time he logged in, what IP address or device he used to log in, and those kinds of things. So these are options relating to device administration that we'll talk about more in detail as we progress with our topics. You must also perform some triple-A, as well as network access. Now, network access refers to a user—let's say, a computer user—who belongs to some accounts department and another user, let's say, who is the guest user. Now, most of the produce productionnetworks, everyone uses their own device. Let's say he's scanning his own laptop, or maybe his mobile phone, and is connecting to a WiFi network. And this user should be authenticated before connecting to any network, whether it's a WiFi network or a wide network. So the first step is that this user must be authenticated, so he will provide his own username and password, and he gets authenticated. And once this user gets authenticated, depending on the username and the password, this user belongs to accounts, and I want to make sure that this user should only be able to access the resources in the accounts department. but not everything. Of course, you can also access the Internet and some resources, even extreme resources. So I want my server, we'll see server, soI want my this user, this user will beautomatically dynamically, should be assigned to my accounts VLAN. And also, you may want to push some ACLs. Probably, you can actually define some restrictions for that particular user if that user is a normal user who is using some guest accounts that we created, and that user will only be able to access the resources on the Internet, but he cannot access anything on my company network. That is what authorization is like: limiting the user's network access. So of course he should be authenticated firstbefore he can access anything in the network. And once he gets authenticated he will berestricted what he can access, what he cannotaccess, the resources on the network. And finally, you need to keep track of when this user logged in, which devices or which IP he used, and when he logged out. Most likely, that information is also important. So Triple A will be seeing these options more in detail as we progress. So we can use Triple A for device administration or network access with just a quick authentication. What we discuss, identify, provides the username identification. We use either username and the password or somedigital certificates we'll talk about more on this. Certificates like PKI, public key infrastructure, are cryptographic topics, and the user needs to be authenticated, not the machine. Machine means maybe you're connecting your printer, and I want the printer to also be authenticated before it can connect to my network. Or maybe a VYP device; that's for network access. It comes with network access for authentication. Now this authentication we can do eitherfor device administration, device administration or fornetwork access, or maybe device access. We can say authorization is, like Isaac said, what resources the user can access. So if you're using device administration or device access We can define some privilege levels and what commands the user can execute once you log into the device. After logging into the ASA or the author router and gaining network access, When an account user connects to the network, Which will actually be assigned. What ACL should be applied to that user. and some encryption. Some advanced authorizations, like security grouptax encryptions, we can apply. And finally accounting. Accounting means keeping a track of whatare the changes they did or what. It's just evidence of what they did. And for device access, we can do some command accounting or something like that. And for Netflix, we can do some kind of statistics, like when they're logged in, maybe for billing purposes.

2. Cisco Telemetry Services

Now in this video, we'll discuss some of the multiple methods used by the administrator to monitor network activity. Because as an administrator, it's important for you to monitor the network activity and ensure that the network is up and running. So if any device fails, you probably need to get some alerts and reports, and based on that, we can troubleshoot. So probably in this section, we'll talk about some of the multiple options that we will be using to do all these jobs and commands. We call them telemetry methods or score traffic. Telemetry methods: it's a word derived from the Greek roots where "tele" stands for remote and "measure" is nothing but monitoring or calculating. So it's very important for the network administrator to detect what kind of traffic is actually moving into your network. If you find any kind of unusual network traffic,like malicious traffic going on the network, so thatyou can monitor that and you can take anappropriate action to prevent some kind of attacks. Also, if any type of device fails, you should receive alerts or have some information about the device for you, and you can actually fix it if you receive the information that the device is powered off. There are multiple methods we'll be using here,like we'll be using something called NTP. So NTP stands for network and protocol. It is primarily used for all the devices to have a common synchronised time because, at certain dates in the future, you must have accurate and synchronised time across all the devices. So we'll be enabling NTP, which is a common method of time synchronisation between networking devices. And apart from that, we'll be using something called SNMP or SNMP traps. Probably the SNMP feature allows you to monitor the secretization of the device, the memory utilisation of the device, or maybe the interface bandwidth—multiple things. And the SNMP server can collect these statistics, and based on that information, you can actually monitor the device status, connectivity, and many other things. And also, we'll be enabling something called logging. So logging is a feature that allows us to keep track of the events and changes that occur in the network. We can specifically log, and we can tell the device to send some log messages if any of the traffic matching or incidents happen, just like the interface goes down or the EHRP neighbourhood goes down or something like that. Apart from that, we can also use some other features, like Netflix. Netflix is a method used to collect network traffic statistics, and we can export selected traffic and we can export to some Netflix collector software, and based on that, it's going to give you some statistics in a graphical way. So all these options collectively refer to traffic-limited methods, and using these methods, we can ensure that the network operates.

3. Firewall

See what is a firewall. And then we'll try to understand what the basic reasons are for having a firewall. And then we'll also talk about modem firewall design. So definition-wise, a firewall is a system or a group of systems that manages access between two or more different networks. Now, technically, a firewall is actually a device that manages the traffic between two or more different networks. Technically, if you take an example, here are the wall and the file. Now the wall actually refers to a structure that is going to control what traffic is allowed to pass through. As an example, you go to file here, and I have the user sitting in my LAN. So this is my LAN local network, and it is also connecting to my Internet, which is my outside network. And also there are some DMZ where I'm placingmy FTP or Http service, technically placed here. So my rule is that what I want is to make sure that the user sitting on the land should be able to access the internet. That's what I want. At the same time, the user sitting on the Internet should not be able to access anything on my land. This means that traffic from the internet to a LAN should be limited. At the same time, I want the user sitting on the Internet to also be able to access my service. Perhaps the service's traffic will be routed to the internet, and land users should be able to use the service in this manner. So I want to define some specific rules, and the traffic should flow between these different networks based on the rules. That's what exactly the wall job is going to do to control what traffic is allowed? We are going to define what traffic is allowed and what traffic should not be allowed. We'll control that. At the same time, this wall is actuallyhaving some it's like fire is nothing, butit's technically we say all the traffic whichis actually moving between my land to internetor anything coming from everything is inspected. "Inspected" means based on some policies. So we'll also configure some security policies, and based on the security policies, the traffic is allowed or delivered. So all the traffic is inspected. Like I want to make sure that the user sittingin the land should send a request to my Httpserver, something on the internet, maybe Google, Yahoo. At the same time, traffic should be coming, but at the same time, if an attacker is trying to initiate traffic, it should be denied. So this harbour is going to ensure that, because there are two types of traffic coming from outside, one is initiated by the attacker, and the other is written traffic. So the firewall should have the capability to inspect which traffic is returned and which traffic is initiated by that item. So it's going to do that based on some kind of security policies we will apply. and also maintains some other information. We'll talk about that in detail in the next section. So firewalls are generally configured between trusted and untrusted boundaries, especially from the Lamb to the internet, because any traffic coming from the internet is typically referred to as untrusted traffic because we don't trust anything coming from the internet. And the traffic which is initiated or coming fromthe land is considered as a trusted traffic becausewe trust the traffic in the land. So probably between this traffic—whatever is going, coming, and going—it should be monitored or inspected. So we need a firewall between that and the Internet, and the main scope of the firewall is to control the traffic coming from the Internet. We want to restrict what traffic should be allowed and what traffic should not be allowed into the land or into the DMZ network in general. So the next thing is the reasons. There are multiple reasons for counting the firewalls. Every organisation requires a firewall becausesecurity is the most important thingin general apart from mainstream networks. So all your internal networks must be secured because we need to make sure that any traffic coming from the internet should not be vulnerable. So any attacker should not be able to initiate any kind of traffic or access anything on the land or on the DMZ. Any unauthorised access should be restricted. The firewall restrict that by based on some policies,what we consider and of course because the internetis dangerous where you have all the criminals, competingcompanies or some ex employees or some spies, theseare all the reasons on the internet everyone isthere watching your watching your traffic. So to prevent the attacker from launching any kind of dinner lock service attack onto my server, an attacker can actually initiate some kind of dinner lock service attacks onto my server.Making my server down or maybe my router downor maybe any kind of services may get impactedand also to prevent any illegal or modification ofyour data like something like unauthorised access to preventany unauthorised access into my network. Now, most of the firewall designs, generally the basic design, include three components, like three segments. There are three distinct networks. Like the first one, this is an internal LAN, so where all your end users are connected, everyone is connected to the LAN and accessing some services from the service. And the second one, which typically we call the inside network," We can also refer it as lamb or we cansay just in or we can say trusted network. You can use any name you want; the most common name we use is inside, but it's not required. The Internet, which is an untrusted network, is usually referred to as mandatory as inside and then outside network. So this is referred to as my outside network, and the land is always referred to as your inside network. And the DMG is a place where you're going to place some orders. And because DMG is like a place where you want the user to be on the Internet, Maybe the user sitting here on the Internet should be able to access the service. Or maybe you're hosting some FTP servers orsome kind of mail servers on the Internet. Because technically, it's not good to place your server on foreign soil. Because if you place the server on the land, you want the user to sit on the Internet. to access this server. He must enter the land. which means while accessing the server He can also instil other attacks in the lamb. So it's the best practise always to keep yourservers in a separate network, in a separate VLANor separate network segment, so where the user shouldbe able to access the servers. So if any kind of attack happens, it will impact only this one. So the attacker cannot initiate any attacks against the.

4. Intrusion Prevention System – IPS

To try to figure out what intrusion is. An intrusion is simply an attacker or outsider attempting to gain unauthorised access to your network. And the attacker's intention might be to gain access to the network resources so that he can get some databases, or it can be anything. Or perhaps he can send malicious code, such as virus worms or Trojans, which can replicate in the network and degrade network performance. So attacker integration can be used to gain access to resources or obtain information, or it can be used to send malicious traffic that causes your services to become unresponsive to legitimate users. Typically, trackers can send some specially crafted packets, which can be seen as valid packets, and they can use the existing vulnerabilities to gain access to the network. So there are different types of intrusions present that can be used by the attacker to introduce attacks. As a result, it could be similar to web-based or network-based attacks. There are different types, like even some unknown attacks called zero-based attacks or "expert attacks," and some kinds of vulnerabilities like buffer overflow tags. So there are plenty. So, probably, our focus will be on understanding how we can prevent some of the intrusions in the network by confirming and setting up your IPS devices. The intrusion prevention system is a system that can be either hardware or software that detects various types of network intrusions or takes malicious traffic and either stops it before it reaches the target. So the main job of the IPS is to identify the different types of malicious traffic, classify them, and if possible, stop or block that malicious traffic in real time traffic.So how is it going to do that? It will perform repackaging inspections either at the network or at the host level. and it's going to examine the different traffic flows in the network. It's going to detect the possible vulnerabilities or the experts used by the attacker. So the job of the IP is to make sure that whatever protocols are running on the network are running as per the standards. Like, take an example: if you're eating some kind of UDP traffic and there is an excess of UDP traffic, which is something that is not normal, or maybe there is some kind of SNMP traffic that is not working as per the standards or behaving differently than the normal behavior, Or maybe you have a web server. Let's say the user, the attacker, is someone on the Internet who is trying to initiate an FTP session for the web server, which is an unusual activity. So the IPS is capable of monitoring the network traffic, and it's going to detect the unusual traffic on the network. And based on that, it can either stop that particular intrusion because it's not normal or introduce different attacks because attackers will try to use different methods to introduce some attacks.So it's going to report the intrusion, even identify it, and even be capable of logging that information based on that information. Again, IPS can either send an alarm to the administrator, probably to the administrator, or maybe to a firewall, probably. It can either drop malicious traffic if it is in transit, or if it cannot drop the specific traffic, it can either reset the connections or block the specific traffic from that particular.

5. Virtual Private Networks

So mostly, in today's networks, most of these traditional leads and connections are replaced with VPNs. The primary distinction between VPNs is the VPN connection. VPN stands for "Virtual Private Network." Assume I have a customer site; customerA has multiple sites in various locations. Now I want to make sure that these sites should be connected to each other, and what we are going to do is use some service for a transport network. So we have some pre-existing transport network that is built by the service portal, and this transport network can be either a frame delay or an ATM network. It depends upon which technology is used by the service portal; it can be some kind of MPLS or it can be the internet as well. So we can also build some VPNs or internet, and that will be our focus in the security classes. This is like a preexisting network that is built by the service portal, and the service portal has some preexisting devices like routers or switches that are interconnected to each other, and then the service portal network or the transport network allows you to connect the customer sites. Like here, the customer is allowed to connect to the nearest service for a device. So technically we call this a provider edge device that is allowed to connect to the nearest service for any device, and then physically it is connecting to a service for a transport network. But logically, we will be assuming that we will be representing this as if these two sites are virtually connected. So this is like a virtual private network. So we can build some kind of point-to-point connection or point-to-multiple connection, depending on the type of VPN, or some layer-3 networks. It depends on the kind of technology or the transport network we are using. So we can also send some IP addresses to the end point to make it appear as if they are physically connected. But, once again, not in all networks. We can have virtual point-to-point or point-to-multiple connections, for example, if you're using frame relay or ATM networks. Even in some other scenarios, like VM VPN, we can have a point to point to point to point connection that has multiple grey connections. So it depends on what technology we use and what type of VPN we're using. But this all comes under a common umbrella called VPN. But technically, they all work differently from each other. So VPN is going to replace your most dedicated point-to-point lines or lease lines with emulated point-to-point connections or point-to-multipoint connections under a common infrastructure. This is one example of framelit. The only difference is when the packet enters the frame, which uses delc values similar to Mac addresseslayer, whereas in peace, labels are used, and you can also connect over the internet using some IP packets such as public IPS. So the way it works inside the service network is totally different for different types of VPNs. So one of the main goals of the VPNs is to reduce the operational cost because, compared to the leaselines, it will reduce the cost, and it depends upon what kind of VPN we are actually using. All these VPNs come under all these other examples of VPNs, and our major focus will be on IPsec VPNs, which we will be focusing on in the CNN security classes or at the NP level as well, and we'll also be covering some other VPNs like Greg and VPN. Even some other VPNs—probably these are VPNs that come over the Internet—can be used, and this transport network can be the Internet. the basis of the Internet.