- Router
- Traffic storm control behavior: traffic storm control drops all broadcast and multicast traffic if the combined traffic exceeds the level within the interval.
- Switch
- dot1x system-auth-control: enables dot1x globally
- show authentication sessions
- show dot1x all
- SNMP: defining the encryption algorithm to be used by SNMPv3 is the administrator's task
- Firewall
- CDO can manage FTD, ASA, and Meraki MX
- match ipv4 ttl
- Firepower
- IDS: the module is operating in IDS mode; traffic continues to flow if the module fails
- IPS: network discovery is used to collect host information
- NGIPS application-layer preprocessors: SIP, SSL, DCE/RPC, DNS, HTTP Inspect, Sun RPC, IMAP, POP, SMTP, SSH preprocessors, FTP/Telnet decoder
- NGIPS inline deployment mode must have inline interface pairs configured.
- Source and Rule are the two valid suppression types on a Cisco Next Generation Intrusion Prevention System
- The Protect license is required for Cisco Security Intelligence to work on the Cisco Next Generation Intrusion
- A traffic profile on a Cisco Next Generation Intrusion Prevention System: it defines a traffic baseline for traffic anomaly detection
- Which term describes when the Cisco Firepower downloads threat intelligence updates from Cisco Talos? D. consumption
- network discovery: capture host information
- Platform Settings Policy
- URL filtering in the access control policy: a capability the ASA does not support
- Threat Intelligence Director allows Cisco FMC to push security intelligence observables to its sensors from other products
- Consumption: the Cisco Firepower downloads threat intelligence updates from Cisco Talos
- Configure intrusion rules for the DNP3 preprocessor to analyze protocol fields and detect anomalies in the traffic from industrial systems
- Manually change the management port on Cisco FMC and all managed Cisco FTD devices.
- Make the priority for the new policy 5 and the primary policy 1.
- 1. Impact flags require a network discovery policy and correlate data about intrusions and vulnerabilities
- What can be integrated with Cisco Threat Intelligence Director to provide information about security threats, which allows the SOC to proactively automate responses to those threats? External Threat Feeds
- Time synchronization is a prerequisite for a Firepower device to be managed by FMC; a registration key is required to add the Firepower device to FMC.
- Decoy PortScan: the attacker mixes spoofed source IP addresses with the actual scanning IP address
- Module: D. inline mode, E. passive monitor-only mode
- Health policy: FMC collects health information
- configure manager add <host> <key>
- Security Intelligence policies: blocking is based upon URLs and IP addresses
- ASA
- The ASA must be added to the Certificate Trust List on the Cisco UCI Manager platform
- Certificate Trust List: for the TLS proxy for encrypted Cisco Unified Communications traffic, the ASA must be added to the Certificate Trust List on the Cisco UCI Manager platform.
- NetFlow v9 : flow-create, flow-teardown, and flow-denied events.
- snmp-server host interface { hostname | ip_address } trap | poll version { 1 | 2c | 3 username }
- flow-export destination interface-name ipv4-address | hostname udp-port
- NetFlow: apply the NetFlow Exporter to the outside interface in the inbound direction; define a NetFlow collector by using the flow-export command
- A flow-export event type must be defined under a policy.
- ASA bridge group: up to 4 interfaces; it includes multiple interfaces, and access rules between interfaces are customizable.
- Managed by Cisco Security Manager
- NetFlow Secure Event Logging: multiple NetFlow collectors are supported.
- True of Cisco ASA NetFlow v9 Secure Event Logging: a flow-export event type must be defined under a policy; it tracks flow-create, flow-teardown, and flow-denied events.
- D. Apply NetFlow Exporter to the outside interface in the inbound direction. E. Define a NetFlow collector by using the flow-export command
- Configuring NetFlow 25143
- Error-disabled: enter the shutdown and no shutdown commands on the interfaces. Ensure that interfaces are configured with the error-disable detection and recovery feature.
- Telemetry uses a push method, which makes it faster than SNMP.
- The Cisco ASA denies all traffic by default, whereas a Cisco IOS router with Zone-Based Policy Firewall starts out by allowing all traffic, even on untrusted interfaces.
- ASAv on AWS does not support clustering, multiple contexts, or IPv6; it supports user-deployed Layer 3 networks
- Multiple context mode provides separation of management on a shared appliance
- A bridge group can have 4 interfaces
- The Firepower module on the ASA supports inline mode and passive monitor-only mode
- 1. Full Context Awareness – Policy enforcement based on complete visibility of users and communication between virtual machines.
2. NGIPS – Threat prevention and mitigation for known and unknown threats
3. AMP – Detection, blocking and remediation to protect the enterprise against targeted malware attacks
4. Collective Security Intelligence – Real-time threat intelligence and security protection.
- Failover
- The IPsec configuration that is set up on the active device must be duplicated on the standby device.
- The active and standby devices must run the same version of the Cisco IOS software and must be the same type of device.
- Sessions are preserved with stateful failover and need to be reestablished with stateless failover
- ESA
- RAT (recipient list) controls whether external addresses are accepted or rejected
- Which list contains the allowed recipient addresses? Host Access Table (HAT) and Recipient Access Table (RAT)
- Why a user would choose an on-premises ESA versus the CES solution: Sensitive data must remain onsite.dictable.
- Mail Transfer Agent is the primary role of the Cisco Email Security Appliance.
- The Sophos engine and outbreak filters are used to configure Cisco ESA with a multilayer approach to fight viruses
- In a hybrid ESA deployment, encryption and DLP must be deployed on premises
- ESA in hybrid mode: it provides email security while supporting the transition to the cloud
- Mail has no virus before being sent: A. Use outbreak filters from SenderBase. D. Scan quarantined emails using AntiVirus signatures.
- An organization wants to deliver a copy of the message and mark it as a DLP violation: quarantine and alter the subject header with a DLP violation
- D. The file has a reputation score that is below the threshold: the file is not dropped
- WSA
- Transparent proxy mode and forward proxy mode
- The purpose of the Decrypt for Application Detection feature within the WSA Decryption options is that it provides enhanced HTTPS application detection for AsyncOS.
- Context Directory Agent reads the Active Directory logs to map IP addresses to usernames.
- WCCP, PBR
- The advancedproxyconfig operation controls the amount of URI text stored in Cisco WSA log files
- An organization recently installed a Cisco WSA and would like to take advantage of the AVC engine to allow the organization to create a policy to control application specific activity. After enabling the AVC engine, what must be done to implement this? A. Use an access policy group to configure application control settings.
- ISE
- Active Directory requires creating a shadow user on Cisco ISE for administrator login to work
- Synchronize clocks before integrating AD
- aaa authorization network default group ise
- Cisco Identity Services Engine and the AnyConnect Posture module: users are allowed onto the network only after the module is installed
- It lists the LDAP users from the external identity store configured on Cisco ISE.
- Install and configure the Cisco DUO Authentication Proxy and configure the identity source sequence within Cisco ISE.
- Posture module: assignments to endpoint groups are made dynamically, based on endpoint attributes. Patch management remediation is performed.
- Two methods of external portal authentication: central web auth and local web auth
- To collect attributes of connected endpoints through Cisco Identity Services Engine: DHCP, RADIUS
- ISE posture assessment: Windows service, Windows firewall
- RADIUS Live Logs for troubleshooting
- Endpoint security
- Which benefit does endpoint security provide to the overall security posture of an organization? It allows the organization to detect and mitigate threats that the perimeter security devices do.
- EPP focuses on prevention, and EDR focuses on advanced threats that evade perimeter defenses
- Enabling NMAP (DHCP) allows endpoints to be automatically assigned by OUI to a new endpoint group
- The benefit of an endpoint being compliant with a configured posture policy is that it verifies the endpoint has the latest Microsoft security patches installed
- noncompliant
- CoA
- An endpoint is deleted on the Identity Service Engine server.
- An endpoint is profiled for the first time.
- CoA Reauth can reauthenticate without interrupting the session
- 5 attributes, RFC 5176
- MDM
- MDM (Mobile Device Management) offers organizations several device-management advantages. Two main ones:
A. asset inventory management – MDM helps the organization track and manage the inventory of all its mobile devices, including device type, quantity, location, and usage.
B. allowed application management – MDM allows the organization to control and restrict which applications are used on its network, ensuring that only authorized applications are used inside the organization and thereby reducing data leakage and other security risks.
- BYOD: supplicant on mobile devices to gain access to network resources
- Endpoint protection (endpoint security)
- Reducing the harm of phishing and social engineering: install a spam and virus email filter; protect systems with an up-to-date antimalware program
- A. Configure a posture policy in Cisco Identity Services Engine to install the MS17-010 patch before allowing access to the network
C. Configure a posture policy in Cisco Identity Services Engine to check that the endpoint patch level is met before allowing access to the network.
- What is a benefit of conducting device compliance checks? A. It validates if anti-virus software is installed
- Cisco Umbrella
- Destination lists are the individual websites specified as blocklisted in Cisco Umbrella
- Blocking malicious destinations prior to a connection being established
- Security Category Blocking ensures that domains are blocked when they host malware, command and control, phishing, and other threats
- Cisco Umbrella archives logs to enterprise-owned storage by being configured to send logs to a self-managed AWS S3 bucket.
- Enabling Intelligent Proxy is a required prerequisite to enable malware file scanning for the Secure Internet Gateway
- Per policy: Cisco Umbrella is configured to log only security events
- Browse to http://welcome.umbrella.com/ to validate that the new identity is working; this tests the routing.
- Use MAB with profiling
- Cloudlock
- Identifies sensitive data in public cloud storage to reduce losses
- Apps Firewall: it discovers and controls cloud apps that are connected to a company's corporate environment
- The function of Cisco Cloudlock for data security: DLP
- Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that prevents data leakage
- An engineer has been tasked with implementing a solution that can be leveraged for securing the cloud users, data, and applications. There is a requirement to use the Cisco cloud-native CASB and cloud cybersecurity platform.
- AAA
- RADIUS
- RADIUS authentication and authorization are completed in one packet
ip radius source-interface: only requests that originate from a configured NAS IP are accepted by a RADIUS server.
- Client/server model, UDP protocol; port 1812 is used for authentication and 1813 for accounting.
- dot1x
- dot1x pae authenticator
- aaa new-model
- Which RADIUS attribute is primarily used to differentiate an IEEE 802.1x request from a Cisco MAB request? A. RADIUS Attribute (5) NAS-Port
B. RADIUS Attribute (6) Service-Type
C. RADIUS Attribute (7) Framed-Protocol
D. RADIUS Attribute (61) NAS-Port-Type
- Cisco DNA Center
- Design and Provision can be done with Cisco DNA Center
- AsyncOS API is used for Content Security
- Intent-based APIs are a feature of the open platform
- Assurance and automation are used in SDN
- APIs provide an interface for programs and for the DNA GUI
- The centralized management dashboard provides complete control of the network
- Which two features of Cisco DNA Center are used in a software-defined networking solution: B. assurance C. automation
- intent-based APIs is a feature of the open platform capabilities of Cisco DNA Center
- What are two characteristics of Cisco DNA Center APIs? (Choose two.) B. They view the overall health of the network. C. They quickly provision new devices.
- REST API: PUT, GET, POST, DELETE
- API
- They view the overall health of the network.
- They quickly provision new devices.
- Northbound API: communication between apps and the controller
- Southbound API: communication between the controller and endpoints
- SDN
- southbound API
- SDN controller and the network elements
- to enable the controller to make changes
- northbound API
- SDN controller and the management solution
- VPN
- IPSEC
- IKEv1 phase 1 supports two negotiation modes: Main Mode (6 packets) and Aggressive Mode (3 packets)
- IKEv1 phase 2 negotiation mode: Quick Mode (3 packets).
- IKEv2 supports NAT traversal
- IKEv2 supports EAP authentication
- IKEv2 uses 4 packets to establish phases 1 and 2
- The OU of the IKEv2 peer certificate is used as the identity when matching an IKEv2 authorization policy. This helps to better manage and control access rights for VPN connections.
- debug crypto isakmp
- DMVPN
- DMVPN and FlexVPN use the same technology: NHRP
- Difference between GETVPN and IPsec: GETVPN reduces latency and provides encryption over MPLS without the use of a central hub.
- DMVPN supports dynamic tunnel establishment, whereas sVTI does not.
- GETVPN
- GET VPN private IP
- FlexVPN
- FlexVPN: a multivendor environment and securing traffic between sites
- When planning a VPN deployment, why would an engineer choose an active/active FlexVPN configuration rather than DMVPN? Traffic is distributed statically by default.
- using Cisco AnyConnect
- It enables VPN access for individual users from their machines.
- It allows customization of access policies based on user identity.
- FlexVPN because it uses multiple SAs and DMVPN does not.
- In which two ways does Easy Connect help control network access when used with Cisco TrustSec?
A. It allows multiple security products to share information and work together to enhance security posture in the network.
B. It allows for managed endpoints that authenticate to AD to be mapped to Security Groups
- AMP
- AMP provides endpoint protection and allows administrators to centrally manage the deployment
- The list of computers, policies, and connector statuses will be received from Cisco AMP.
- Upload the hash for the file into the policy: for an uploaded file to take effect in file detection, the hash value must be provided
- The application blocking list is used to block executable files
- Endpoints Outbreak Control: B. simple custom detections D. allowed applications
- Dynamic analysis: AMP copies the file to the cloud for analysis
- The ETHOS detection engine is unique to Cisco's public-cloud AMP; it detects families of malware
- Prevalence shows a list of all files that have been executed in the environment
- Cloud services
- PaaS
- Which cloud service model provides cloud consumers with an environment for developing and deploying applications without managing or maintaining the underlying cloud infrastructure?
- XaaS
- A private cloud is more secure than public, community, and hybrid clouds.
- MFA
- Prevented: phishing, brute force, Mo
- Viruses
- Virus: unauthorized access to a computer system
- Vulnerabilities
- Unencrypted links for traffic allow the attacker to see the passwords being transmitted in clear text
- Unpatched systems are vulnerable to malware and exploits
- Network attacks
- ICMP
- Ping of death attack: the attack is fragmented into groups of 8 octets before transmission
- Malformed packets are used to crash systems.
- Exfiltration technique: encrypting the payload in an ICMP packet to carry out command and control tasks on a compromised host
- C and C++: cause memory overflows
- DNS attacks
- To exfiltrate data, it encodes the payload with random characters that are broken into short strings, and the DNS server rebuilds the exfiltrated data
- An attacker registers a domain that a client connects to based on DNS records and sends malware through that connection
- Phishing
- Preventive measures: implement email filtering techniques; enable browser alerts for fraudulent websites
- The difference between deceptive phishing and spear phishing:
- Phishing attacks target a broad population
- Spear-phishing scams target specific individuals or groups, or sometimes organizations or businesses, carrying out sophisticated targeted attacks to gain unauthorized access.
- Advanced Phishing Protection
- It uses machine learning and real-time behavior analytics.
- Virus: unauthorized access to a computer
- Denial-of-service attacks
- SYN flood: receiving too many connection requests
- DDoS using botnets
- SQL injection
- SQL injection vulnerabilities: user input validation in a web page or web application
- Preventive measures: input checking (check integer, float, or Boolean string parameters to ensure accurate values); prepared statements (use prepared statements and parameterized queries).
- XSS
- Cross-site scripting attack forms: alternate encoding, such as hexadecimal representation
- Preventive measures
- Cross-Site Scripting — Web-based Application Security, Part 3 | Spanning
- B. Incorporate contextual output encoding/escaping
- D. Run untrusted HTML input through an HTML sanitization engine.
- Rootkit
- Types
- Kernel rootkit
Hardware or firmware rootkit
Hyper-V rootkits
Bootloader rootkit or bootkit
Memory rootkit
User-mode or application rootkit
- What is a rootkit attack?
- A rootkit attack occurs when malware infiltrates a computer, enabling the attacker to access and control it and steal data from it. Rootkits are designed to evade detection and can remain hidden on a computer for a long time. A rootkit usually contains multiple tools, such as bots, keystroke loggers, and software that steals banking details and passwords.
- How is a rootkit detected?
- Rootkits can be detected by a rootkit scan, which is usually part of an antivirus solution. These scans search for known attack signatures and rootkit behaviors.
- Is a rootkit a virus?
- No, a rootkit is not a virus. A computer virus is a program or piece of code that damages a computer by corrupting files, destroying data, or wasting resources. A rootkit is a type of malware that infects a computer and enables an attacker to perform actions or steal data
- DoS attacks
- Teardrop, SYN flood, Smurf, Land-based, Ping of Death
- DevSecOps
- DevSecOps definition: DevSecOps is the philosophy of integrating security practices into the DevOps process. DevSecOps involves creating a "security as code" culture through ongoing, flexible collaboration between release engineers and security teams. Development security is an attribute of the DevSecOps process
- The area of the IT environment that DevSecOps focuses on: application development
- Encryption algorithms
- Symmetric algorithms mainly include DES, 3DES, TDEA, Blowfish, RC5, IDEA, and AES.
- Asymmetric algorithms mainly include RSA, DSA, ECC, and DH
- DTLSv1 and IKEv2 are stronger than TLS
- AES
- AES has a fixed block length of 128 bits; the key length can be 128, 192, or 256 bits
Symmetric/block ciphers are generally divided into stream modes (such as OFB and CFB) and block modes (such as ECB and CBC). For stream encryption, the block cipher must be converted to work in a stream mode. For block encryption, encrypting data larger than the block size requires padding and a chaining mode.
GCM is one of the authenticated encryption modes; it combines the characteristics of both of the above (the G in GCM refers to GMAC, and the C to CTR).
- Symmetric algorithms: data confidentiality; asymmetric: provide authentication; hashing: data integrity
- CA
- The profile PKI enrollment method allows the user to separate authentication and enrollment actions and also provides an option to specify HTTP/TFTP commands to perform file retrieval from the server
- The purpose of a self-signed certificate: it provides the server information so a certificate can be created and signed
- PKI
- Distribution points: HTTP, LDAP
- The role of a CA: B. to issue and revoke digital certificates.
- Situational awareness / monitoring
- Talos reputation center
- The IP and Domain Reputation Center allows you to track the reputation of IP addresses for email and web traffic.
- Cisco Umbrella integrates with Talos to determine whether a URL is malicious
- model-driven telemetry
- Model-driven telemetry addresses many of the shortcomings of traditional monitoring functions and provides an additional interface from which telemetry data can now be published.
- Telemetry provides visibility and awareness into what is currently occurring on the network
- Interpacket variation: which telemetry data captures variations that occur in a flow, such as packet TTL, IP/TCP flags, and payload length?
- Cisco Stealthwatch
- It delivers visibility and threat detection to provide security for cloud environments
- Monitoring the on-premises network requires deploying a sensor that sends data to the cloud: deploy a Cisco Stealthwatch Cloud sensor on the network to send data to Cisco Stealthwatch Cloud.
- Cyber threat intelligence
- What are STIX and TAXII?
- STIX (Structured Threat Information Expression) is a standardized language, developed collaboratively by MITRE, for representing structured information about cyber threats. It was developed so that the information can be shared, stored, and otherwise used in a consistent way, facilitating automated and human-assisted analysis.
TAXII (Trusted Automated Exchange of Indicator Information) is a collection of services and message exchanges for sharing information about cyber threats across product, service, and organizational boundaries. It is the transport mechanism for STIX structured threat information and a key enabler for broad exchange.
TAXII supported functions: push messaging, pull messaging, discovery, and query
- Cognitive Threat Analytics
- Engine
- Data exfiltration
Domain-generation algorithm (DGA)
Exploit kit
Tunneling through HTTP and HTTPS requests
Command-and-control (C2) communication
- Cisco Application Visibility and Control
- It enables administrators to identify applications, collect and send network metrics to Cisco Prime and other third-party management tools, and prioritize application traffic
- Tetration
- A platform from Cisco designed to analyze everything happening in the network by collecting all traffic on it, including who is trying to communicate with a system, who is trying to access it, and what they are doing. The Tetration platform provides application visibility and segmentation, helping to protect workloads in hybrid cloud deployments.
- Cisco Secure Workload
- An organization is trying to implement micro-segmentation on the network and wants to be able to gain visibility on the applications within the network. The solution must be able to maintain and force compliance
- • Privilege Escalation – Tetration platform watches for movement in the process lineage tree.
• User login suspicious behavior – Tetration platform watches user access failures and methods
• Interesting file access – Tetration platform is armed to look at sensitive files.
• File access from a different user – Tetration platform learns the normal behavior of users.
- Other
- Common Vulnerabilities and Exposures: Cisco and other industry organizations publish and inform users of known security findings and vulnerabilities
- External Threat Feeds can be integrated with Cisco Threat Intelligence Director to provide information about security threats, which allows the SOC to proactively automate responses to those threats.
- AppDynamics monitoring of EC2 instances in Amazon Web Services (AWS): configure, install, update, restart