Cisco Secure Access notes

Intro to Cisco Secure Access (CSA)

At a high level it works like this:

• Users > CSA > Resources

Ways to connect to CSA

• Remote managed > ZTNA  > CSA
• Remote managed > VPNaaS > CSA
• Remote unmanaged > Clientless ZTNA > CSA
• Branch > IPsec tunnel > CSA
• IOT devices > IPsec tunnel > CSA
• We can also integrate SD-WAN connections into CSA (more on it later)

What we can do inside CSA

• Groups
• firewall rules
• web gateway
• DLP
• CASB (cloud security broker)
• Device posture
• ZTNA
• Monitor and TS

Outbound from CSA

• Connections to Internet and SaaS sites
• Backhaul to private apps hosted in your public or private cloud
• IPsec tunnels to other datacenter/pop/brance

PoP is point of presence. Often user will connect to the closest one for lowest latency 

CSA connection can enter the POP in dublin and etc the POP in France for examle

What problem is cisco secure access trying to solve ?

• Orgs with remote users and 3rd party contractors who need access but also all secure 
• Orgs with users who are mobile (in office / at home / on the road)
• Orgs with hybrid setups (on prem / public cloud / private cloud / SaaS)
• Consolidate all the access policies in one place
• Keep a zero trust mindset

Secure private access (tunnel or proxy)

• Via VPN
• Via ZTNA client 
• Via ZTNA clientless 

Secure Internet Access (s

• VPN full tunnel
• Internet security module
• Branch DIA

We can have SPA and SIA working together

Insights and monitoring

Admins and monitor endpoint performance with thousand eyes

Need an account and agent deployed

Global scale architecture 

User > CSA POP > CSA routing > CSA POP > Resource

Unified cloud architecture 

• Control everything in one cloud dashboard
• Traffic acquisition 
• Collect and augment with extra data (posture etc) 
• Classify traffic (public / private)
• Rules (FWaaS / SWG / CASB / Decryption / IPS / DLP)
• Send via backhaul or internet 

Open APIs

• As well as the cloud dashboard
• Multiple Restful API
• Automate tasks
• Deployment
• Admin
• Policies
• Reports

Talos threat intelligence 

Visibility across the entire threat landscape fusing experts data and gen AI

Talos detect threats and block them for all customers

User connectivity

• VPNaaS
• ZTNA module
• Web roaming module (80/443 only)
• Clientless ZTNA

VPN (DTLS/IPsec) > ZTNA (Wireguard/gRPC) > ZTA (MASQUE/QUIC)

TLS - TCP security

DTLS - UDP (some speed improvement)

QUIC is UDP based (fastest0), a way to speed up TLS connections

MASQUE - Multiplex Application Substrate over QUIC encryption / a streaming protocol. This is an application proxy that runs on top of QUIC. It can have multiple streams active in one MASQ session.

Client connectivity 

Secure client 

VPN > ASA> IPsec / Internet 

ZTNA client > ZTNA proxy > IPsec / Resource connector 

Sec/Roaming module  > DNS/SWG > Internet 

 

Clientless > Rev Proxy > IPsec / Resource connector 

Branch > IPSec > IPsec / Internet 

Cisco Secure Client

You will need to deploy the CSC client with the ZTNA module

Duo desktop will also be deployed if you use posture

Other modules

Secure endpoint (formerly AMP)

Roaming module (Umbrella but this will be replaced)

Thousand Eyes (no UI)

Cloud management module (no UI)

DART

Secure Private Access (client based ZTNA)

ZTNA supports apps via IPsec backhaul

FTD > HA VTI tunnels > CSA

We create two tunnels to CSA for redundancy 

We configure BGP between the two so they can exchange routes

Secure Private Access (clientless)

Only works with web apps

Secure Private Access (VPN)

Connect to secure access cloud

Secure Internet Accesss via VPNaaS

Connect to CSA then on to internet sites / SaaS

Modular policy with magnetic UI

Define apps / resources

define private / public rules

Live demo

https://www.cisco.com/c/en/us/products/security/secure-access/live-demo.html

Cisco have a live demo which you can try it out

First step will be to setup a tunnel group (VPN)

Setup on your peer on the HQ or brance

Connector groups are for the resource connectors

We can add one to AWS Azure and VMware

We can add SAML/SSO for our user ID

Private resources 

We can had a file server here

You can make firewall rules under secure

Zero trust 

• Micro segmentation 
• Network isolation
• Native OS support
• TPM to protect certs and key

Principals 

• Never trust
• Always verify
• Enforce least privilege 

Success factors

• Allow the user to work securely with minimal disruption
• Adjust policy to risk
• Consistency across environments because of shared policy

AI assistant

Helps you create rules but leaves them disabled, a human must enable the rule.

Planning for a CSA project delivery

• Well defined scope and timelines
• Access to sites / network devices etc
• Clear roles and responsibilities
• Single customer point of contact / PM
• Customer involvment and comms
• Clearly defined and agreed use cases
• Pilot and customer validation
• Knowledge transfer
• High level docs
• SOW - statement of work
• BOM - Bill of materials
• Checklist

Secure Access licensing 

Essentials 

• Secure internet access (SIA)
• Secure Private Access (SPA)
• SWG
• ZTNA
• L3/4 firewall
• CASB
• RBI (for risk traffic or high level phishing targets)

Advantage

• Everything in essentials 
• Layer 7 firewall
• IPS
• DLP
• RBI

Licensing subscriptions

based on per user 

1 year

3 year

5 year 

Non standard terms on per contract basis 

Cisco user protection suite

Incorporates related technologies all into one solution

• Posture and auth management 
• Endpoint security 
• Email security 
• Experience insights
• Remote browser isolation
• Security Service Edge 

Client based ZTNA

• Auth and posure per session 
• QUIC tunnel (MASQUE proxy)
• Carry private traffic all ports and protocols
• SAM auth and auti re-new

Where ZTNA fits in the stack

• Application
• Socket intercept/filter happens her (Zero trust access module)
• Packet intercept/filter
• routing table
• packet intercept/filter
• virtual itnerface
• physical interface 

IP packet vs socket streaming 

VPN and legacy ZTNA packet approach

• CGNAT is obfuscation not security
• Firewalls and NAT's
• Attackers can piggyback on UDP flows to continue them in IP packet systems

Streaming approach (modern ZTNA uses socket streams)

• Socket streaming allows any protocol to be tracked by socket call and terminated at the instance the socket is closed
• Socket streaming eliminates timers and is deterministic
• Flows can't be continued or hijacked

Streaming approach intercepts the traffic before it becomes a packet. The traffic only needs to pass through the kernel once. 

App > Socket intercept > MASQ ZTNA > Kernel > Packets on the wire

ZTNA module

A module part of CSC client (previously AnyConnect) 

Enrolment

Press "Enroll" button

CSA issues an authentication cert for the client

Cert is saved in the TPM

This cert is automatically renewed

 Client connections are now streamed

Stream1: data + posture

Stream2: data + posture

Stream3: data + posture

By default everything is dropped (ZTNA). We need to allow traffic in the rules.

Posture levels vary

VPNaaS

• OS
• Antimalware
• Firewall
• Disk encryption
• Cert check
• Browser check
• File check
• Registry check (windows only)
• Process check

Client based

• OS
• Antimalware
• Firewall
• Disk encryption
• System password

ZTA Browsers

• OS
• Browser check

We can set a re-auth timer if needed 

Enrolment more details:

• On the surface for the user they press an enrol button
• On the backend a lot is going on

What is DPOP

DPoP (Demonstrating Proof of Possession) is a security mechanism defined in RFC 9449 that proves a client cryptographically possesses the private key associated with a token or credential — without ever exposing that key.

The Core Problem DPoP Solves

In traditional OAuth/token flows, a bearer token can be stolen and reused by anyone. DPoP binds a token to a specific key pair, so even if the token is intercepted, it's useless without the corresponding private key (which is stored in the TPM chip on the clients machine).

How DPOP works

• Device enrolment is initiated
• Key pair is generated. Private key locked in TPM and never leaves the chip. Public key extracted.
• CSR created with public key, signed by private key (to prover ownership)
• CSR is sent to CSA. The CSR contains the public key and signature
• The signature proves we have the private key but we never send the private key. It never leaves the TPM chip.
• CSA takes the CSR and issues a signed cert (bound to the public key)
• When accessing CSA, a DPOP proof (JWT) is created
• Signed by: the TPM held private key 
• Contains: HTTP method, URL, timestamp, nonce
• Proves the caller holds the private key right now

How DPOP and ZTNE enrolment works on the backend

• ZTA starts the DPOP process. Generates the public/private keys and the CSR
• Private key is stored in the TPM and is never trasmitted
• CSR / Public key sent to CSA for enrolment
• user > enroll.ztna.sse.com > enrolment broker
• enrolment broker asks for email
• user > me@address.com > enrolment broker
• enrolment broker sends SSO redirect
• user > SAML flow > Auth (customer IDP / Duo / AD/entra etc)
• Device is registered
• ZTA cert issued
• From here the cert can be used for all connections and MITM attacks are not possible
• The cert automatically updates every 2 weeks

OS native ZTA for apple and adroid devices

Just like having the ZTNA module on the devices

Enroll the device

Login via SSO

Clientless zero trust access

Essentially this will be web browsers for 3rd parties

Allows access to web apps only

Can use IPsec tunnels or resource connectors

For unmanaged BYOD devices 

For 3rd parties 

Limited posture detection

It makes a reverse proxy

VPN as a service (VPNaaS)

Auth and posture at connect time

DTLS tunnel

Caryy internet and private traffic (all ports and protocols)

SAML 2.0 auth

ISE integration

CSA Supports SAML and RADIUS auth methods. SAML is new but RADIUS is widely used including in ISE

• client > auth request > VPNaaS > ISE
• Client redirected to ISE
• SSL connection to port 8443, user download network setup assistant
• Network setup assisant discovers ISE, anyconnect agent download/install
• CSC ISE posture discovers ISE
• SSL excvhange on port 8443 > compliance check
• Connection is protected by portal cert
• CoA (change of auth) request, CoA ack
• In VPN use case CoA packet contains the attributes which compliant profile has

ISE SGT support

SGT is a security group tag

CSA can carry SGT's through its networks tunnels

Some sample SGT's

SGT 10 is marketing

SGT 20 IOT

SGT 30 BYOD

SGT 40 Workstations

• This allows for SGT policy across the HQ LAN network and cloud
• maintain micro segmentation
• Identigy devices and traffic based on context from ISE
• Apply policies to SGT based identity 

Radius setup example

Connect > End user connectivity 

VPN profile

Add VPN IP pool

endpoint pool 172.16.0.24

mgmt pool 172.17.0.0/21

dns servers: internal DNS

Radius groups not added yet

You can add your radius server group

Tick AAA options

Assign the radius servers (ISE1 and ISE2)

You can have different server for each region or one radius group for all.

Network tunnels

CSA <> your site

hub1  < > VTI1 > Your FW

hub2  < > VTI2 > Your FW

Makes ECMP group, routes are advertised with BGP

IPsec routing

Static or dynamic routing 

Use static for small network or your devices doesn't support BGP

In most other cases you will want to use BGP

Branch connections

Allow branch connections to let them reach private resources

S2S tunnels  from HQ FW 

Catalyst SD-WAN 

Why enable NAT 

• NAT allows devices to use a single public IP to connect to the internet CSA
• NAT can be used to hide the real LAN IP of users connecting to CSA.
• This can also help if the same networks are used in two of your locations eg 192.168.1.0 used in two places.

Branch/DC to VPNaaS User

Internal network (pri/sec tunnels) > ECMP > Cloud headend > CSA > tunnel establish > VPN pool IP

Catalyst SD-WAN

VPN1 > SD-WAN > VPN tunnels > CSA

VPNID based policy 

DIA

Direct Internet Access

Going straight out the local branch internet connection

Resource connectors

CSA > Connector group > AWS/Azure/VMware

2x Connectors in HA is recommended

RC gatewa

RC agent

RC group

ZTA > QUIC > ZTA proxy > CSA > Resource gateway > Resource connector > App

Resource connectors can help with overlapping IP's too

RC connectors use TCP 443 and UDP 443

RC status

• Connected - data tunnel is up
• Disconnected - data tunnel is down
• Disabled - admin disabled the connecotr
• Updating - software update in progress
• Expired - Cert has expired
• Ready to use - newly provisional and reach able
• Deleted - deleted by admin
• Revoked - revoked by admihn
• Setup failed - Tunnel failed to come up

There are several FQDN's you need to whitelist: 

TCP 80/443

UDP 443

Gateway: Cisco IP space

Controllers:

Us.controller.acgw.sse.cisco.com

Eu.controller.acgw.sse.cisco.com

Ap.controller.acgw.sse.cisco.com

Will resolve to AWS Static IPs

Repo:

Us.repro.acgw.sse.cisco.com

Eu.repo.acgw.sse.cisco.com 

Ap.repo.acgw.sse.cisco.com 

ACME: Prod.acme.sse.cisco.com    

API Gateway: Api.sse.cisco.com   

PKI: Ssepki.cryptosvcs.cisco.com

Resouce connector redundance

Scaling calculator built in.

2 agents per connector group

All agenst have same connectivity 

Multi region

CSA > RC gateway region 1 > Agent 1 + agent 2 > private resource 

CSA > RC gateway region 2 > Agent 1 + agent 2 > private resource

They can deployed quickly in common virtualisation platforms.

Setting up a connector

Connect > network connection > resource connector groups

Name it 

Select region

Select your connector type for example AWS

Download the image for AWS

View purchase options subscribe to this software

Launch via EC2

Give the EC2 instance a name

Create a new key pair (for connecitn to CSA)
ALlow public IP to be auto assigned 

Conform connection

Copy provision key from CSA to AWS

KEY=xxxxxxx

It should show as connected after a few minutes

Define a private resource

Select out RC connector we just created

can't nat on VTI interface used in a VPN on FTD

 https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/network_address_translation_nat_for_firepower_threat_defense.html

• You cannot write NAT rules for a Virtual Tunnel Interface (VTI), which are used in site-to-site VPN. Writing rules for the VTI's source interface will not apply NAT to the VPN tunnel. To write NAT rules that will apply to VPN traffic tunneled on a VTI, you must use "any" as the interface; you cannot explicitly specify interface names.

palo alto azure VPN issues

Had some issues with palo alto <> azure VPN. The firewall was blocking the VPN traffic due to rule change. Azure gives up after a while and goes into idle mode. Needs to be restarted on azure end

 1 - If Azure VPN starts getting blocked by the firewall after some time Azure gives up and goes into an idle mode, has to be restarted on Azure end for VPN to try again.

2 - The ISAKMP (udp 500) session stays open on the palo even through p1 re-keys. Check session browser for your peer IP on UDP port 500, may need to clear it.

clear session all filter destination x.x.x.x

clear session all filter source x.x.x.x

3 - Related to above if the rule that allows the UDP is set to log at end you won't see the new traffic being initiated, set the rule to log at start.

4 - We saw the Azure IP is showing with a geolocation IP of "EU"  I'm guessing its related to their HA

show location ip x.x.x.x

Cisco Nexus 5K overview

Product details:
www.cisco.com/go/nexus

5K and 6K have similar features but 6K has up to 96 ports on 40GE

5K's are more common in the wild as they have the same features

http://www.cisco.com/c/en/us/products/switches/nexus-5000-series-switches/models-comparison.html


UP means unified ports. The ports can be Ethernet or FC. So the 5K is Ethernet and fiber channel switch.

7K core
1/10/40/100Gbps Ethernet
L2 and L3 LAN swtiching
Highly redundant. multiple cards and links, power etc

5K Aggregation or access layer switch
LAN and SAN switch
1/10/40 Gbps
L2 and L3 Land swtich
FCoE and native FC SAN switching

4K is specifically for IBM blade servers

3K is used for low latency

2K is an extension of another switch (fabric extension)
2K needs an upstream switch to be the brains
Can't work on its own
Acts like a remote line card of a parent
2K does not have a MAC addresses table it has to ask the parent switch
2K aren't so good for a lot of East West traffic moving across your network
You would want a normal switch for lots of East/West traffic
2K are good in North south, traffic coming in at the internet and heading down to servers
They still have 10GigE up and down so it will work for small environments
Fabric extenders can cut down physical platforms and wiring in the network

Unified Fabric Design

End of Row (EoR) design
You have a rack of network equipment (like catalyst 6500)
Terminate all of the links that go to servers etc
Data Center top of tack architecture design under 5K white papers
[srv] [srv] [srv] [network equipment] (at the end of the row)

40 servers usually more than one cable per server
If you keep adding racks of servers you hit distance limitations
EoR design becomes and issue when you scale up to large amount of servers

Alternative is Middle of Row (MoR)
We install network equipment for each block of servers
[srv] <- [network equipment] [network equipment] -> [srv]

NIC ethernet
HBA for storage

Unified wire, send LAN and SAN traffic down the same cable.
Ethertype 8906 FCOE

Top of Rack (ToR)
Switches in the top of the rack
[network equipment]
[srv]
[srv]

Copper runs from servers to top of rack switch
Top of rack switches connect via fiber back to end of row core
Replaces fiber with copper between servers so that's a big saving

Top of rack with unified fabric

2Ks are Top of rack
[2K]
[2K]
[srv]

2K connect back to 5Ks at EoR
[5K]
[5K]

SFP's lets you change what cables you can plug in.
Make sure the SFPs are supported by your line card.
SFP costs can add up quickly.

Virtual device contexts (VDC)
L1 virtualization
Separation of control and data plane
Separation of the management plane
Separate user DB
Create virtual switches separated just like physical switches.
Takes the physical switch and basically makes more physical switches out of on chasis
To connect two VDCs you need to connect them with physical cabling
Physical ports are members of a single VDC

Virtual SAN 
Much like VLAN
separates fiber channel control and data plane
VLAN and VSAN are L2 virtualization techniques

Virtual routing and forwarding (VRF)
Separates the L3 data and control plane
Lets take 4 interfaces
interfaces 1,2 are in VRF A
interfaces 3,4 are in VRF B
We can run OSPF inside each VRF
Use the "switchto" command to change context

Upgrading nexus

The "install all" command will tell us if it will do a disruptive or not upgrade. 

download images from cisco

make note of checksum from cisco site

fciv -md5 filename.bin

compare hash

copy to USB or SCP or HTTP etc

sh ver | i .bin

install all kickstart kickstart.bin system n70001a.bin

EPLD

Electronic programmable logic devices

These are in the line cards 

download epld from cisco

install all epld bootflash://n7000-epld7.img

trace logging for cisco secure client (anyconnect)

 https://www.cisco.com/c/en/us/support/docs/security/umbrella/224921-enable-roaming-client-trace-logs.html#toc-hId--1891865857

1 - Enable trace logging (logs more detail for the dart)

https://www.cisco.com/c/en/us/support/docs/security/umbrella/224921-enable-roaming-client-trace-logs.html

On windows machines in: C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\data

Create a file called loglevel.flag (ensure the file extension is correct)

just have "trace" in the file with no quotes

2 - Once the file is in place restart the CSC services

You may be able to complete these actions with a with GPO/Script etc.

3 - Wait for the issue to happen again and collect the DART bundle again. Send DART to cisco for review.

Cisco automation notes

 

Legacy ASA

Can be connected to cisco defence orchestrator

Note when working with ASA in a lab you may need to make ACL to allow ping and/or add "inspect icmp" to the global_policy 

CCNP Security CORE study: 350-701 SCOR (v1.1)

 Study notes for CCNP Security CORE study: 350-701 SCOR (v1.1)

Security principals

Data at rest (on disk) 

Data in motion (traveling across the network)

CIA triangle 

• Confidentially: hide data (encrypt) from unauthorized individuals
• Integrity: Make sure data was not modified (permissions / hashing / immutable backups /modify log)
• Availability:  Ensure the data remains available (HA / systems work and are useable) 

Principle of least privilege (being call ZTNA zero trust network access)

• User has the rights they need to do their job and no more
• Switch port for printer is on printer vlan.
• Firewalls allow access with ACLs
• User privs allow access to files 

Defence in depth

• Multiple layers of security 
• If something fails we have another chance to stop or limit the attack
• We have firewalls / DMZs / ACL's
• Windows user rights
• Segregated VLANs
• MFA
• SIEM/SOC monitoring 
• Backups

Separation of duties

• Make sure to have 2 staff for everything
• 2 helpdesk
• 2 firewall guys
• 2 security guys 
• 2 windows guys

Accounting/auditing

• Logging activities network / file / dns / web

Security terms

• Asset (anything valuable)
• Threat (What we protect against)
• Vulnerability (exploitable weakness)
• Risk (chance for compromising asset)
• Countermeasure (a method of reducing risk)
• Risk management (identify, assess, prioritize and monitor risks)
• The goal of risk management is to eliminate or minimize risk 

Asset classification 

• Needed to distinguish between more/less important assets
• Our customer database is more valuable than a printer but both have value
• Classification helps to better secure them

How to classify assets ?

• Value
• Replacement cost
• Age
• Usefulness 

Lets say we have an old web server (asset). We run a pen test (counter measure) on the www server and find vulnerabilities (exploitable weakness). There is a risk that these vulns could be exploited (threat) and compromise our asset (item of value). 

Gov vs public

Gov sector

• Unclassified 
• Sensitive but unclassified (SBU)
• Confidential
• Secret 
• Top secret

Public sector 

• Public
• Sensitive
• Private
• Confidential

Vulnerability classifications

• To find better countermeasure

Vulnerability categories

• Physical
• Human
• Hardware and software 
• Incorrect designs
• Misconfig 
• Weakness in protocols

Countermeasure categories

• Physical (door locks swipes / guards / cctc)
• Technical/logical (software/hardware
• Administrative (processes and procedures, guidelines and standards)

Security threats

Threats

• Anything that can harm our systems
• A hacker can run a ddos to take down our systems
• A storm could knock out power to take down our systems
• Hackers
• Criminals
• Terrorists
• Disgruntled employees
• Compeditors
• Nation state actors

Common attack methods

• Reconnaissance (network scanning / discovery)
• Social engineering (fooling/tricking people)
• Privilege escalation (getting more access, going from user to admin)
• Code execution (activation malicious code)
• Backdoors (remote access software for attackers)
• Covert channels (hidden comms channel)
• Trust exploitation (Web server in DMZ can talk to DB server on the LAN)
• Man in the middle (proxy to read and/or change data in flight)
• Denial of service attacks (stopping a service from working by overloading it)
• Password guessing and cracking 
• Dictionary attack uses a password list of known passwords
• Brute force is trying every combinations of a password (takes too long if passwords are strong and have rotation policies)

IPS fundamentals

Intrusion detection system (IDS)

Looks at a copy of the real traffic and detects issues

Sends alerts to IT admin but doesn't do anything 

Intrusion prevention system (IPS)

This one looks at the live traffic and can take action like block hosts etc.

How the hardware is connected 

SW1 > span port > IDS

When we have multiple switches we setup remote span

RSPAN 

SW3 > RSPAN vlan > SW2 > RSPAN > SW1 > SPAN port > IDS

IPS generally runs on a firewall

traffic in > firewall (IPS) > traffic out

The IPS inspects traffic passing through and can block. Only allowed traffic makes it out the other side.

Sensor deployment modes

• Promiscuous/passive
• SPAN, RSPAN or network tap
• No deploy, can't become a bottle neck

Inline

• L2 
• L3 (firepower can do this)
• throughput and latenct
• Fail open or fail close (if it fails do we stop all traffic or let it flow)

hosts > SW1 > trunk > IPS > trunk > SW1 > hosts

IPS types

• NIPS (network based)
• HIPS (host based, agent installed)

Old HIPS agents slowed down systems, now we have a light weight client to connect to an engine in the cloud. HIPS can look at encrypted flows, NIPS can't do this without MITM/SSL decryption but even then its not perfect and there are cases where it won't work. EVE has signatures for encrypted traffic.

How IPS sensors detect

• Signatures (Rules/conditions describing an attack)
• Anomaly detection (Learns normal activity and alerts on strange activity)
• Policy based (Standard rules configured by admin) 
• Reputation based (external database has info on attackers like their public IPs/hashes)

How IPS sensors respond

• Alert/alarm
• Drop the packet
• Block this connection 
• Reset close the TCP connection similar to drop/block
• Shun block (block all further traffic from this host)
• Block list - attackers
• Allow list - our known good devices that we trust

Sensor decisions 

• True positive - The sensor detected and took the right action eg dropped it 
• True negative - Normal traffic did not trigger the system. IPS did the right thing.
• False positive - A signature triggered for normal traffic. Blocked good traffic.
• False negative - The sensor did not detect malicious traffic and it was allowed.

Cisco's firepower 

• FMC is the management VM (can be hosted on site or in cloud)
• FTD is the hardware firewall 
• Can deploy as IPS or IDS
• Cisco provide signatures and block lists

Email security

Workers use email everyday so its a common attack vector

The most common being phishing 

• Spam is unsolicited messages usually selling something often scams 
• There are different types of malicious email
• The email attachment contains malware, we ask the user to open the attached pdf
• We ask the user to click a link from our email which could have malware or ask them to enter creds
• Often the link is designed to trick the user into thinking its legitimate like real-microsoft.com
• The code of the email can have something malicious (block pictures loading) 
• Direct phishing acting as a trusted part to get confidential data
• Acting as a trusted supplier and asking them to update payment details, often they will try to create a fake pressure
• Whaling - targeting CEO, head of IT, head of accounting, head of sales etc. They will usually have access to important data
• Vishing - phishing but over the phone/voice call
• smishing - sms phishing

ESA 

• Email security and enforcement 
• Email security 
• Reputation filtering based on sender
• outbreak filtering 
• amp with talos intel and more
• policy enforcment 
• inbound/outbound rate limiting
• Encryption 
• DLP (drop emails that have personal info in them)

ESA has physical boxes available C- and X-

• Internet > FW > DMZ > ESA
• The other setup the ESA has two interfaces so it can talk to the inside server
• Internet > FW > DMZ > ESA > Inside > LAN email server
• Virtual ESAV
• Hybrid - cloud for inbound, on-prem for outbound

Email exchange

• Emails are forwarded based on the destination domain name joe@site.com
• DNS lookup on site.com, specifically a mail exchange (MX lookup) on the domain
• site.com has a MX record created which points to the IP(s) of their mail server
• There may be MX > URL, then A lookup for that URL to IP
• In the end we lookup the IP of where to send the email 

Incoming mail

• Domain is site.com
• Public DNS / Internet > router > ASA > DMZ > ESA > SW > Email server
• Sending to joe@site.com
• We send to our local SMTP server lets say gmail
• That mail server looks up the MX record of site.com
• email.site.com
• This will resolve to the IP of the ESA
• The ESA receives the email and inspects it
• If its all good its forwarded to the inside Email server

Outgoing mail

• PC > SW > Email server > ASA > ESA
• joe wants to send email out to bob@gmail.com
• If it was a local address like it@site.com then the email server could just send direct because its trusted
• Since its external email "gmail.com" the email will be sent to the ESA
• ESA now inspects it 
• Now does MX lookup on gmail.com
• Then sends the email to the IP of the gmail email server
• The key take away here is that inside/LAN mail maybe configured to go direct 

WSA security

• Cisco's web proxy but really replaced by cisco umbrella now
• Fast web proxy with advanced content filtering 
• Designed for https and FTP 
• Strong caching inspection policy enforcment and antimalware
• Relies on multiple technologies and engines
• URL filtering
• AVC - Application visibility and control 
• L4 traffic monitor (like an IDS)
• HTTPs decryption (also available in FTD and cisco umbrella)

Web proxy mode

• L4 traffic monitor 
• Explicit forward mode (client needs config from pac file etc)
• Transparent mode - clients don't need any config. WCCPv2 needs to be setup.
• Traffic is redirected by router/ASA/L4 switch using WCCPv2
• LAN > WSA > ASA > Internet
• L4TM using span port/hub/network tap.

Endpoint protection tools

• AV: Windows defender, 3rd party tools like Sophos, Cisco AMP
• Software firewall 
• Encryption
• Host based IPS (HIPS)

Malware

• Any software that is bad (worms / virus / dropper / adware / spyware etc)
• Adware - show ads to user and generate money for the owner 
• Spyware - Gathers info from the pc and sell the data to databrokers. Some of them may steal bank details etc.
• Ransomware - locks the PC / encrypts file shares and demand a ransome to unlock
• Virus - It may just copy its self, but could destroy your system etc. It depends on the payload
• Worm - self replicating, doesn't need to be executed. 
• Trojan - Usually provides remote access to an attacker. Make the machine part of a botnet

Anti-malware 

• Signatures - can't detect day-0 or often variants 
• Heuristics - sandbox and execute and see if it behaves similar to malware, can find variants.
• Behavioural - command tools / tactics used by attackers. Can catch 0 days but not always.
• Most modern AV's will use a combination of these
• Signatures must always be kept up to take so cloud connected AV is best

Personal or software firewall

• This is a firewall running on the endpoint
• A firewall like ASA / FTD / Palo is protecting multiple endpoints
• Windows its windows firewall (and 3rd parties)
• Linux is iptables

PC > Coffee shop WIFI > Internet > HQ > LAN

PC > VPN > Coffee shop WIFI > Internet > VPN > HQ > LAN

Cisco AMP

• Uses but doesn't rely on signatures
• It's connected to the network firewall too
• It's also logging what actions were taken on a PC
• Suspect files can be uploaded to cisco for analysis and sandboxing
• If a file is discovered to be malicious later AMP has a record and can go back and remove it everywhere
• It offers a before / during / after protection

Encryption 

• Private key and passphrase should be kept safe
• Many modern OS build it in
• Windows has bitlocker
• OS X has some too.
• Many linux distros offer it too
• We can encrypt single files/folders or whole disks
• Whole disk is common in corporate world in case a laptop is lost or stolen

Cisco AMP endpoint client changes

AMP for endpoints became Cisco secure endpoint which has become Cisco secure client  

EDR endpoint detection and response 

EPP endpoint protection platform

XDR Extended detection and response (often adds AI correlation and automation/playbooks)