JacksBlog

Friday, 8 May 2026

Cisco Secure Access notes

Intro to Cisco Secure Access (CSA)

At a high level it works like this:

Users > CSA > Resources
The idea is to secure access from anywhere to anywhere

Ways to connect to CSA

Remote managed > ZTNA > CSA
Remote managed > VPNaaS > CSA
Remote unmanaged > Clientless ZTNA > CSA
Branch > IPsec tunnel > CSA
IOT devices > IPsec tunnel > CSA
We can also integrate SD-WAN connections into CSA (more on it later)

What we can do inside CSA

Groups
firewall rules
web gateway
DLP
CASB (cloud security broker)
Device posture
ZTNA
Monitor and TS

Outbound from CSA

Connections to Internet and SaaS sites
Backhaul to private apps hosted in your public or private cloud
IPsec tunnels to other datacenter/pop/brance

PoP is point of presence. Often user will connect to the closest one for lowest latency

CSA connection can enter the POP in dublin and etc the POP in France for examle

What problem is cisco secure access trying to solve ?

Orgs with remote users and 3rd party contractors who need access but also all secure
Orgs with users who are mobile (in office / at home / on the road)
Orgs with hybrid setups (on prem / public cloud / private cloud / SaaS)
Consolidate all the access policies in one place
Keep a zero trust mindset

Secure private access (tunnel or proxy)

Via VPN
Via ZTNA client
Via ZTNA clientless

Secure Internet Access (s

VPN full tunnel
Internet security module
Branch DIA

We can have SPA and SIA working together

Insights and monitoring

Admins and monitor endpoint performance with thousand eyes

Need an account and agent deployed

Global scale architecture

User > CSA POP > CSA routing > CSA POP > Resource

Unified cloud architecture

Control everything in one cloud dashboard
Traffic acquisition
Collect and augment with extra data (posture etc)
Classify traffic (public / private)
Rules (FWaaS / SWG / CASB / Decryption / IPS / DLP)
Send via backhaul or internet

Open APIs

As well as the cloud dashboard
Multiple Restful API
Automate tasks
Deployment
Admin
Policies
Reports

Talos threat intelligence

Visibility across the entire threat landscape fusing experts data and gen AI

Talos detect threats and block them for all customers

User connectivity

VPNaaS
ZTNA module
Web roaming module (80/443 only)
Clientless ZTNA

VPN (DTLS/IPsec) > ZTNA (Wireguard/gRPC) > ZTA (MASQUE/QUIC)

TLS - TCP security

DTLS - UDP (some speed improvement)

QUIC is UDP based (fastest0), a way to speed up TLS connections

MASQUE - Multiplex Application Substrate over QUIC encryption / a streaming protocol. This is an application proxy that runs on top of QUIC. It can have multiple streams active in one MASQ session.

Client connectivity

Secure client

VPN > ASA> IPsec / Internet

ZTNA client > ZTNA proxy > IPsec / Resource connector

Sec/Roaming module > DNS/SWG > Internet

Clientless > Rev Proxy > IPsec / Resource connector

Branch > IPSec > IPsec / Internet

Cisco Secure Client

You will need to deploy the CSC client with the ZTNA module

Duo desktop will also be deployed if you use posture

Other modules

Secure endpoint (formerly AMP)

Roaming module (Umbrella but this will be replaced)

Thousand Eyes (no UI)

Cloud management module (no UI)

DART

Secure Private Access (client based ZTNA)

ZTNA supports apps via IPsec backhaul

FTD > HA VTI tunnels > CSA

We create two tunnels to CSA for redundancy

We configure BGP between the two so they can exchange routes

Secure Private Access (clientless)

Only works with web apps

Secure Private Access (VPN)

Connect to secure access cloud

Secure Internet Accesss via VPNaaS

Connect to CSA then on to internet sites / SaaS

Modular policy with magnetic UI

Define apps / resources

define private / public rules

Live demo

https://www.cisco.com/c/en/us/products/security/secure-access/live-demo.html

Cisco have a live demo which you can try it out

First step will be to setup a tunnel group (VPN)

Setup on your peer on the HQ or brance

Connector groups are for the resource connectors

We can add one to AWS Azure and VMware

We can add SAML/SSO for our user ID

Private resources

We can had a file server here

You can make firewall rules under secure

Zero trust

Micro segmentation
Network isolation
Native OS support
TPM to protect certs and key

Principals

Never trust
Always verify
Enforce least privilege

Success factors

Allow the user to work securely with minimal disruption
Adjust policy to risk
Consistency across environments because of shared policy

AI assistant

Helps you create rules but leaves them disabled, a human must enable the rule.

Planning for a CSA project delivery

Well defined scope and timelines
Access to sites / network devices etc
Clear roles and responsibilities
Single customer point of contact / PM
Customer involvment and comms
Clearly defined and agreed use cases
Pilot and customer validation
Knowledge transfer
High level docs
SOW - statement of work
BOM - Bill of materials
Checklist

Secure Access licensing

Essentials

Secure internet access (SIA)
Secure Private Access (SPA)
SWG
ZTNA
L3/4 firewall
CASB
RBI (for risk traffic or high level phishing targets)

Advantage

Everything in essentials
Layer 7 firewall
IPS
DLP
RBI

Licensing subscriptions

based on per user

1 year

3 year

5 year

Non standard terms on per contract basis

Cisco user protection suite

Incorporates related technologies all into one solution

Posture and auth management
Endpoint security
Email security
Experience insights
Remote browser isolation
Security Service Edge

Client based ZTNA

Auth and posure per session
QUIC tunnel (MASQUE proxy)
Carry private traffic all ports and protocols
SAM auth and auti re-new

Where ZTNA fits in the stack

Application
Socket intercept/filter happens her (Zero trust access module)
Packet intercept/filter
routing table
packet intercept/filter
virtual itnerface
physical interface

IP packet vs socket streaming

VPN and legacy ZTNA packet approach

CGNAT is obfuscation not security
Firewalls and NAT's
Attackers can piggyback on UDP flows to continue them in IP packet systems

Streaming approach (modern ZTNA uses socket streams)

Socket streaming allows any protocol to be tracked by socket call and terminated at the instance the socket is closed
Socket streaming eliminates timers and is deterministic
Flows can't be continued or hijacked

Streaming approach intercepts the traffic before it becomes a packet. The traffic only needs to pass through the kernel once.

App > Socket intercept > MASQ ZTNA > Kernel > Packets on the wire

ZTNA module

A module part of CSC client (previously AnyConnect)

Enrolment

Press "Enroll" button

CSA issues an authentication cert for the client

Cert is saved in the TPM

This cert is automatically renewed

Client connections are now streamed

Stream1: data + posture

Stream2: data + posture

Stream3: data + posture

By default everything is dropped (ZTNA). We need to allow traffic in the rules.

Posture levels vary

VPNaaS

OS
Antimalware
Firewall
Disk encryption
Cert check
Browser check
File check
Registry check (windows only)
Process check

Client based

OS
Antimalware
Firewall
Disk encryption
System password

ZTA Browsers

OS
Browser check

We can set a re-auth timer if needed

Enrolment more details:

On the surface for the user they press an enrol button
On the backend a lot is going on

What is a TPM chip

Trusted Platform Module is a dedicated security chip built into a computer's motherboard that provides hardware-based security functions:

Stores cryptographic keys — It securely holds encryption keys, passwords, and certificates in hardware, separate from the main CPU and RAM, making them much harder to steal.
Verifies system integrity — At boot time, it checks that the firmware and OS haven't been tampered with (this is part of "Secure Boot").
Enables full-disk encryption — Windows BitLocker, for example, uses the TPM to store the encryption key for your drive, so the drive can't be unlocked on a different machine.
Supports authentication — Used for multi-factor authentication, smart card functions, and secure login.

What is DPOP

DPoP (Demonstrating Proof of Possession) is a security mechanism defined in RFC 9449 that proves a client cryptographically possesses the private key associated with a token or credential — without ever exposing that key.

The Core Problem DPoP Solves

In traditional OAuth/token flows, a bearer token can be stolen and reused by anyone. DPoP binds a token to a specific key pair, so even if the token is intercepted, it's useless without the corresponding private key (which is stored in the TPM chip on the clients machine).

How DPOP works

Device enrolment is initiated
Key pair is generated. Private key locked in TPM and never leaves the chip. Public key extracted.
CSR created with public key, signed by private key (to prover ownership)
CSR is sent to CSA. The CSR contains the public key and signature
The signature proves we have the private key but we never send the private key. It never leaves the TPM chip.
CSA takes the CSR and issues a signed cert (bound to the public key)
When accessing CSA, a DPOP proof (JWT) is created
Signed by: the TPM held private key
Contains: HTTP method, URL, timestamp, nonce
Proves the caller holds the private key right now

How DPOP and ZTNE enrolment works on the backend

ZTA starts the DPOP process. Generates the public/private keys and the CSR
Private key is stored in the TPM and is never trasmitted
CSR / Public key sent to CSA for enrolment
user > enroll.ztna.sse.com > enrolment broker
enrolment broker asks for email
user > me@address.com > enrolment broker
enrolment broker sends SSO redirect
user > SAML flow > Auth (customer IDP / Duo / AD/entra etc)
Device is registered
ZTA cert issued
From here the cert can be used for all connections and MITM attacks are not possible
The cert automatically updates every 2 weeks

OS native ZTA for apple and adroid devices

Just like having the ZTNA module on the devices

Enroll the device

Clientless zero trust access

Essentially this will be web browsers for 3rd parties

Allows access to web apps only

Can use IPsec tunnels or resource connectors

For unmanaged BYOD devices

For 3rd parties

Limited posture detection

It makes a reverse proxy

VPN as a service (VPNaaS)

Auth and posture at connect time

DTLS tunnel

Caryy internet and private traffic (all ports and protocols)

SAML 2.0 auth

ISE integration

CSA Supports SAML and RADIUS auth methods. SAML is new but RADIUS is widely used including in ISE

client > auth request > VPNaaS > ISE
Client redirected to ISE
SSL connection to port 8443, user download network setup assistant
Network setup assisant discovers ISE, anyconnect agent download/install
CSC ISE posture discovers ISE
SSL excvhange on port 8443 > compliance check
Connection is protected by portal cert
CoA (change of auth) request, CoA ack
In VPN use case CoA packet contains the attributes which compliant profile has

ISE SGT support

SGT is a security group tag

CSA can carry SGT's through its networks tunnels

Some sample SGT's

SGT 10 is marketing

SGT 20 IOT

SGT 30 BYOD

SGT 40 Workstations

This allows for SGT policy across the HQ LAN network and cloud
maintain micro segmentation
Identigy devices and traffic based on context from ISE
Apply policies to SGT based identity

Radius setup example

Connect > End user connectivity

VPN profile

Add VPN IP pool

endpoint pool 172.16.0.24

mgmt pool 172.17.0.0/21

dns servers: internal DNS

Radius groups not added yet

You can add your radius server group

Tick AAA options

Assign the radius servers (ISE1 and ISE2)

You can have different server for each region or one radius group for all.

Network tunnels

CSA <> your site

hub1 < > VTI1 > Your FW

hub2 < > VTI2 > Your FW

Makes ECMP group, routes are advertised with BGP

IPsec routing

Static or dynamic routing

Use static for small network or your devices doesn't support BGP

In most other cases you will want to use BGP

Branch connections

Allow branch connections to let them reach private resources

S2S tunnels from HQ FW

Catalyst SD-WAN

Why enable NAT

NAT allows devices to use a single public IP to connect to the internet CSA
NAT can be used to hide the real LAN IP of users connecting to CSA.
This can also help if the same networks are used in two of your locations eg 192.168.1.0 used in two places.

Branch/DC to VPNaaS User

Internal network (pri/sec tunnels) > ECMP > Cloud headend > CSA > tunnel establish > VPN pool IP

Catalyst SD-WAN

VPN1 > SD-WAN > VPN tunnels > CSA

VPNID based policy

DIA

Direct Internet Access

Going straight out the local branch internet connection

Resource connectors

CSA > Connector group > AWS/Azure/VMware

2x Connectors in HA is recommended

RC gatewa

RC agent

RC group

ZTA > QUIC > ZTA proxy > CSA > Resource gateway > Resource connector > App

Resource connectors can help with overlapping IP's too

RC connectors use TCP 443 and UDP 443

RC status

Connected - data tunnel is up
Disconnected - data tunnel is down
Disabled - admin disabled the connecotr
Updating - software update in progress
Expired - Cert has expired
Ready to use - newly provisional and reach able
Deleted - deleted by admin
Revoked - revoked by admihn
Setup failed - Tunnel failed to come up

There are several FQDN's you need to whitelist:

TCP 80/443

UDP 443

Gateway: Cisco IP space

Controllers:

Us.controller.acgw.sse.cisco.com

Eu.controller.acgw.sse.cisco.com

Ap.controller.acgw.sse.cisco.com

Will resolve to AWS Static IPs

Repo:

Us.repro.acgw.sse.cisco.com

Eu.repo.acgw.sse.cisco.com

Ap.repo.acgw.sse.cisco.com

ACME: Prod.acme.sse.cisco.com

API Gateway: Api.sse.cisco.com

PKI: Ssepki.cryptosvcs.cisco.com

Resouce connector redundance

Scaling calculator built in.

2 agents per connector group

All agenst have same connectivity

Multi region

CSA > RC gateway region 1 > Agent 1 + agent 2 > private resource

CSA > RC gateway region 2 > Agent 1 + agent 2 > private resource

They can deployed quickly in common virtualisation platforms.

Setting up a connector

Connect > network connection > resource connector groups

Name it

Select region

Select your connector type for example AWS

Download the image for AWS

View purchase options subscribe to this software

Launch via EC2

Give the EC2 instance a name

Create a new key pair (for connecitn to CSA)
ALlow public IP to be auto assigned

Conform connection

Copy provision key from CSA to AWS

KEY=xxxxxxx

It should show as connected after a few minutes

Define a private resource

Select out RC connector we just created

Secure Internet Access

Internet app/ SaaS apps

Private apps

Security Service Edge (SSE), secure access from anywhere to anywhere

Features of cisco'sSSE

ZTNA
SWG
DNS security
FWaaS
CASB
RBI
DLP
VPNaaS

Policy enforcement

If you have all modules enabled the traffic will be processed in this order

DNS polices
Firewall (IPS/IDS)
SWG (Web/Casb) 80/443 traffic
DLP

Access rules

In CSA there are two main kinds of rules

Private access rules (for accessing your own resources)
Internet access rules (for access internet and cloud resources)

Anatomy of a rules

Name (description of the rule)
Type (Internet, private)
Action (allow, block, warn(lets user go ahead), isolate (RBI))
Identities (Users, groups, computers, networks, tunnels etc)
Protection profiles (see below)

Protection profiles

Web profile (AAA, decryption, threat protection, file and security controls)
Tennant Control Profile (m365, G-suite, slack, drobox)
IPS profile (Signatures lists, defaults, actions)
Endpoint posture (VPN, ZTNA, browser based)

DNS security

Block malware / phishing / CnC callback URLs
Only proxy risky domains to improve performance
Stop threats at the DNS lookup stage, before a connection is made
Doesn't work for IP based threats

When traffic is proxied it gets further inspection

3 ways to configure DNS security in CSA (you probably need all)

Point DNS at CSA and register public IP (all DNS requests from this public IP are protected
Roaming security, use the module in the CSC client ,
Virtual appliance forwarder - log DNS requests from internal IP's for more identity

CDFW flow

Network > IPsec tunnel > CSA > CDFW > SWG (80/443) > Internet/SaaS

IPS tuning

Start in detection mode

Review results, create exceptions for known good traffic

Enable protection mode, this will start blocking now

SWG and CASB

Secure web gateway full web proxy

SWG allows filtering of all web traffic and detailed information

Enabling SSL decryption allows advanced features

Decryption strategies

Most traffic is encrypted today so decryption is essential

Decryption is resource intensive

Traffic > IPS > SWG >

Advanced features

Decryption
SAML
Content controls
Tennant controls
Granular app controls
File type controls
File scanning
Data loss prevention
Remote browser Isolation

Advanced application controls

For example we can visit Facebook but we can't download/upload files

Revered Egress IP

SaaS apps require allow list (public IP)

We can have a static IP in CSA so our internet traffic comes from the same IP

This public IP can beallow listed by your SaaS app vendors

Cloud Access Security Broker (CASB)

Control SaaS app usage
Alert on risky apps
Secure outbound web traffic with inline and oob DLR
detect and remove malware from cloud storage apps
This will become more important as more SaaS / cloud applications are used

CASB Inline proxy

High impact deploymetn

agent or traffic redirection

No API to app

limited retro

real time enforcement inline

CASB Out of band/API

Low impact deployment

agentless, no user expierence impact

relies on api of cloud apps

retrospective (we can look back in time)

near real time enforcement

universal coverage

sanctioned app coverage

App discovery and controls

Detects cloud apps in use
Organised by category and risk level
You can see number of users inbound/outbound traffic
You can block high risk categories

Application risk override

Modify an apps risk score

Community risk score is the median of all other CSA customers to give you an idea of an app

Tenant controls

Only allow access to the corporate m365. Don't let users into their own personal tenants. This is to help with data exfiltration.

Remote browser isolation

Web browser > SWG > File inspection > Isolated browser (AWS) > Risky Website

The site never loads on the users device

Only works with web apps

DLP can be run on an isolated session too

Multi-faced threat intel

DNS
IP
BGP
SSL
WHOIS
HASH
WEB
ETC

CSA uses all the data it gathers from across the world to categorise and find malware domains and IP's.

Secure malware analytics

Sandbox inspection is done on high risk files

libmagic makes sure a .pdf is actually a .pdf file

DLP data loss prevention

You can block certain data leaving your network

For example credit card numbers can be blocked

Real time DLR

SWG

scans web traffic in line

SaasS API DLR

Cloud API's for data at rest without SWG proxy

scans out of band web traffic

On management interface for both

DLP categories

DLP has categories which can be selected.

Can monitor chatgpt the outbound traffic can be blocked

Can also block inbound generation like source code.

Digital experience monitoring (DEM) / Experience Insights

Today we have users spread across multiple locations

The users are moving between home / office / hotels etc

DEM helps track down issues

availability
performance
quality

Types of questions we can get the answer to in one place with CSA

Is it home network / WIFI

Is it the endpoint ? Is the laptop managed or BYOD

Is the issue office LAN / WIFI

ISP problem ?

Security rule blocking and where DNS / fw / endpoint ?

Client / server application problem ?

VPN gw issue ?

Record metrics on how connections are working. Then use that data to help the customer TS issues and solve problems

CSA Experience Insights

Give visibility into 3rd party parts of the network like home WIFI / ISP BGP / Cloud services

Uses thousand eyes

part of base package

Local device
Collaboration applications (webex / teams)
Internet and network path (map out network path, latency, jitter, loss etc)
SaaS performance

Integration with thousand eyes

Thousand eyes endpoint (embedded endpoint agent EPA) is included in the CSC

Need to create a token and exchange

Global visibility within the CSA dashboard

Use cases

Remote worker - CSA, we can see the WIFI signal strength is bad

ISP - We can trace the network path, we can see the local WIFI is the problem as other end is reporting fine

Application - For example we can connection is all good, 4 apps working fine, 1 app is an issue this points to an issue on that SaaS app

CSA - We can look inside CSA as well. Is CSA slow or is it blocking ? We can look at endpoint posture. Check the posture status as this may be stopping the user from getting access

Proactive monitoring endpoint

Thousand eyes agent can run synthetic tests

They can be scheduled 1 / 5 / 15 minutes

We should be able to see when connections become unhealthy

Device > GW > Internet > Application

Experience scanner for end users

User can see their own score

For example it might report and issue with the local internet connection

They can reboot their WIFI themselves

If they see the issue is with a SaaS app then they know its out of their hands

AI / experience insights

Cisco AI will bubble up high level alerts to the CSA admin

AI can investigate and generate suggestions

It can pick up the SaaS applications with the worst performance

RA VPN to VPNaaS migration path

Get the current state of existing RA VPAN so we can design CSA
Solution requirements and design
Implementation and testing
Migration plan and execution
Knowledge transfer

RA VPN to VPNaaS

Moving your VPN to the cloud

Old RA VPN headend was on firewall or multiple firewalls

CSA VPN headend is one point in the cloud and get your access to everywhere

Configuration porting > Intent mapping > Data plan transition
Source assessment > Intent analysis > Move to secure access
Often migrations are done like for like but a migration to CSA can bring in new features easily

Migration phases

Scope
Provision
Stage
Go live

Milestones

Configuration porting ( migrating the config )
Intent mapping ( review of rules)
Data plan transition ( moving live traffic from old RA VPN to CSA )

Let's take an example

The customer currently has a legacy RA VPN.
They have local VPN users
They don't use any MFA on this
They don't have any posture checks
Once connected VPN users have access to the full network

You can see migrating like for like in this case would not be good and would not increase security.

In CSA

We can enable identity source from entra / AD to get user identity

We can enable MFA with Duo

We can enable posture checks

We can enable ZTNA so users only get access to what they need

Migration path

Traditional VPN > VPNaaS > Unified ZTNA

Umbrella to CSA

Why upgrade from umbrella to CSA

Safer - Zero trust access, ID intel, adaptive access, always monitoring and blocking

Better - 4x faster SIA, frictionless access to all Apps, monitor and maintain DEM/experience insights

Taking umbrella to the next level

ZTNA
AI for security
Easier connectivity

Umbrella upgrade path

Umbrella DNS > SIG > Secure Access

DNS - DNS only (still very good security)

SIG - SWG and advanced features, for outbound user internet traffic only

CSA - connecting all resources via the cloud and providing all the security of above in one dashboard. Connect from anywhere to anywhere securely.

Wednesday, 29 April 2026

can't nat on VTI interface used in a VPN on FTD

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/network_address_translation_nat_for_firepower_threat_defense.html

You cannot write NAT rules for a Virtual Tunnel Interface (VTI), which are used in site-to-site VPN. Writing rules for the VTI's source interface will not apply NAT to the VPN tunnel. To write NAT rules that will apply to VPN traffic tunneled on a VTI, you must use "any" as the interface; you cannot explicitly specify interface names.

Tuesday, 7 April 2026

palo alto azure VPN issues

Had some issues with palo alto <> azure VPN. The firewall was blocking the VPN traffic due to rule change. Azure gives up after a while and goes into idle mode. Needs to be restarted on azure end

1 - If Azure VPN starts getting blocked by the firewall after some time Azure gives up and goes into an idle mode, has to be restarted on Azure end for VPN to try again.

2 - The ISAKMP (udp 500) session stays open on the palo even through p1 re-keys. Check session browser for your peer IP on UDP port 500, may need to clear it.

clear session all filter destination x.x.x.x

clear session all filter source x.x.x.x

3 - Related to above if the rule that allows the UDP is set to log at end you won't see the new traffic being initiated, set the rule to log at start.

4 - We saw the Azure IP is showing with a geolocation IP of "EU" I'm guessing its related to their HA

show location ip x.x.x.x

Monday, 30 March 2026

Cisco Nexus 5K overview

Product details:
www.cisco.com/go/nexus

5K and 6K have similar features but 6K has up to 96 ports on 40GE

5K's are more common in the wild as they have the same features

http://www.cisco.com/c/en/us/products/switches/nexus-5000-series-switches/models-comparison.html

UP means unified ports. The ports can be Ethernet or FC. So the 5K is Ethernet and fiber channel switch.

7K core
1/10/40/100Gbps Ethernet
L2 and L3 LAN swtiching
Highly redundant. multiple cards and links, power etc

5K Aggregation or access layer switch
LAN and SAN switch
1/10/40 Gbps
L2 and L3 Land swtich
FCoE and native FC SAN switching

4K is specifically for IBM blade servers

3K is used for low latency

2K is an extension of another switch (fabric extension)
2K needs an upstream switch to be the brains
Can't work on its own
Acts like a remote line card of a parent
2K does not have a MAC addresses table it has to ask the parent switch
2K aren't so good for a lot of East West traffic moving across your network
You would want a normal switch for lots of East/West traffic
2K are good in North south, traffic coming in at the internet and heading down to servers
They still have 10GigE up and down so it will work for small environments
Fabric extenders can cut down physical platforms and wiring in the network

Unified Fabric Design

End of Row (EoR) design
You have a rack of network equipment (like catalyst 6500)
Terminate all of the links that go to servers etc
Data Center top of tack architecture design under 5K white papers
[srv] [srv] [srv] [network equipment] (at the end of the row)

40 servers usually more than one cable per server
If you keep adding racks of servers you hit distance limitations
EoR design becomes and issue when you scale up to large amount of servers

Alternative is Middle of Row (MoR)
We install network equipment for each block of servers
[srv] <- [network equipment] [network equipment] -> [srv]

NIC ethernet
HBA for storage

Unified wire, send LAN and SAN traffic down the same cable.
Ethertype 8906 FCOE

Top of Rack (ToR)
Switches in the top of the rack
[network equipment]
[srv]
[srv]

Copper runs from servers to top of rack switch
Top of rack switches connect via fiber back to end of row core
Replaces fiber with copper between servers so that's a big saving

Top of rack with unified fabric

2Ks are Top of rack
[2K]
[2K]
[srv]

2K connect back to 5Ks at EoR
[5K]
[5K]

SFP's lets you change what cables you can plug in.
Make sure the SFPs are supported by your line card.
SFP costs can add up quickly.

Virtual device contexts (VDC)
L1 virtualization
Separation of control and data plane
Separation of the management plane
Separate user DB
Create virtual switches separated just like physical switches.
Takes the physical switch and basically makes more physical switches out of on chasis
To connect two VDCs you need to connect them with physical cabling
Physical ports are members of a single VDC

Virtual SAN
Much like VLAN
separates fiber channel control and data plane
VLAN and VSAN are L2 virtualization techniques

Virtual routing and forwarding (VRF)
Separates the L3 data and control plane
Lets take 4 interfaces
interfaces 1,2 are in VRF A
interfaces 3,4 are in VRF B
We can run OSPF inside each VRF
Use the "switchto" command to change context

Upgrading nexus

The "install all" command will tell us if it will do a disruptive or not upgrade.

download images from cisco

make note of checksum from cisco site

fciv -md5 filename.bin

compare hash

copy to USB or SCP or HTTP etc

sh ver | i .bin

install all kickstart kickstart.bin system n70001a.bin

EPLD

Electronic programmable logic devices

These are in the line cards

download epld from cisco

install all epld bootflash://n7000-epld7.img

Wednesday, 25 March 2026

trace logging for cisco secure client (anyconnect)

https://www.cisco.com/c/en/us/support/docs/security/umbrella/224921-enable-roaming-client-trace-logs.html#toc-hId--1891865857

1 - Enable trace logging (logs more detail for the dart)

https://www.cisco.com/c/en/us/support/docs/security/umbrella/224921-enable-roaming-client-trace-logs.html

On windows machines in: C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\data

Create a file called loglevel.flag (ensure the file extension is correct)

just have "trace" in the file with no quotes

2 - Once the file is in place restart the CSC services

You may be able to complete these actions with a with GPO/Script etc.

3 - Wait for the issue to happen again and collect the DART bundle again. Send DART to cisco for review.

Tuesday, 24 March 2026

Cisco automation notes

Legacy ASA

Can be connected to cisco defence orchestrator

Note when working with ASA in a lab you may need to make ACL to allow ping and/or add "inspect icmp" to the global_policy

Wednesday, 18 March 2026

CCNP Security CORE study: 350-701 SCOR (v1.1)

Study notes for CCNP Security CORE study: 350-701 SCOR (v1.1)

Security principals

Data at rest (on disk)

Data in motion (traveling across the network)

CIA triangle

Confidentially: hide data (encrypt) from unauthorized individuals
Integrity: Make sure data was not modified (permissions / hashing / immutable backups /modify log)
Availability: Ensure the data remains available (HA / systems work and are useable)

Principle of least privilege (being call ZTNA zero trust network access)

User has the rights they need to do their job and no more
Switch port for printer is on printer vlan.
Firewalls allow access with ACLs
User privs allow access to files

Defence in depth

Multiple layers of security
If something fails we have another chance to stop or limit the attack
We have firewalls / DMZs / ACL's
Windows user rights
Segregated VLANs
MFA
SIEM/SOC monitoring
Backups

Separation of duties

Make sure to have 2 staff for everything
2 helpdesk
2 firewall guys
2 security guys
2 windows guys

Accounting/auditing

Logging activities network / file / dns / web

Security terms

Asset (anything valuable)
Threat (What we protect against)
Vulnerability (exploitable weakness)
Risk (chance for compromising asset)
Countermeasure (a method of reducing risk)
Risk management (identify, assess, prioritize and monitor risks)
The goal of risk management is to eliminate or minimize risk

Asset classification

Needed to distinguish between more/less important assets
Our customer database is more valuable than a printer but both have value
Classification helps to better secure them

How to classify assets ?

Value
Replacement cost
Age
Usefulness

Lets say we have an old web server (asset). We run a pen test (counter measure) on the www server and find vulnerabilities (exploitable weakness). There is a risk that these vulns could be exploited (threat) and compromise our asset (item of value).

Gov vs public

Gov sector

Unclassified
Sensitive but unclassified (SBU)
Confidential
Secret
Top secret

Public sector

Public
Sensitive
Private
Confidential

Vulnerability classifications

To find better countermeasure

Vulnerability categories

Physical
Human
Hardware and software
Incorrect designs
Misconfig
Weakness in protocols

Countermeasure categories

Physical (door locks swipes / guards / cctc)
Technical/logical (software/hardware
Administrative (processes and procedures, guidelines and standards)

Security threats

Threats

Anything that can harm our systems
A hacker can run a ddos to take down our systems
A storm could knock out power to take down our systems
Hackers
Criminals
Terrorists
Disgruntled employees
Compeditors
Nation state actors

Common attack methods

Reconnaissance (network scanning / discovery)
Social engineering (fooling/tricking people)
Privilege escalation (getting more access, going from user to admin)
Code execution (activation malicious code)
Backdoors (remote access software for attackers)
Covert channels (hidden comms channel)
Trust exploitation (Web server in DMZ can talk to DB server on the LAN)
Man in the middle (proxy to read and/or change data in flight)
Denial of service attacks (stopping a service from working by overloading it)
Password guessing and cracking
Dictionary attack uses a password list of known passwords
Brute force is trying every combinations of a password (takes too long if passwords are strong and have rotation policies)

IPS fundamentals

Intrusion detection system (IDS)

Looks at a copy of the real traffic and detects issues

Sends alerts to IT admin but doesn't do anything

Intrusion prevention system (IPS)

This one looks at the live traffic and can take action like block hosts etc.

How the hardware is connected

SW1 > span port > IDS

When we have multiple switches we setup remote span

RSPAN

SW3 > RSPAN vlan > SW2 > RSPAN > SW1 > SPAN port > IDS

IPS generally runs on a firewall

traffic in > firewall (IPS) > traffic out

The IPS inspects traffic passing through and can block. Only allowed traffic makes it out the other side.

Sensor deployment modes

Promiscuous/passive
SPAN, RSPAN or network tap
No deploy, can't become a bottle neck

Inline

L2
L3 (firepower can do this)
throughput and latenct
Fail open or fail close (if it fails do we stop all traffic or let it flow)

hosts > SW1 > trunk > IPS > trunk > SW1 > hosts

IPS types

NIPS (network based)
HIPS (host based, agent installed)

Old HIPS agents slowed down systems, now we have a light weight client to connect to an engine in the cloud. HIPS can look at encrypted flows, NIPS can't do this without MITM/SSL decryption but even then its not perfect and there are cases where it won't work. EVE has signatures for encrypted traffic.

How IPS sensors detect

Signatures (Rules/conditions describing an attack)
Anomaly detection (Learns normal activity and alerts on strange activity)
Policy based (Standard rules configured by admin)
Reputation based (external database has info on attackers like their public IPs/hashes)

How IPS sensors respond

Alert/alarm
Drop the packet
Block this connection
Reset close the TCP connection similar to drop/block
Shun block (block all further traffic from this host)
Block list - attackers
Allow list - our known good devices that we trust

Sensor decisions

True positive - The sensor detected and took the right action eg dropped it
True negative - Normal traffic did not trigger the system. IPS did the right thing.
False positive - A signature triggered for normal traffic. Blocked good traffic.
False negative - The sensor did not detect malicious traffic and it was allowed.

Cisco's firepower

FMC is the management VM (can be hosted on site or in cloud)
FTD is the hardware firewall
Can deploy as IPS or IDS
Cisco provide signatures and block lists

Email security

Workers use email everyday so its a common attack vector

The most common being phishing

Spam is unsolicited messages usually selling something often scams
There are different types of malicious email
The email attachment contains malware, we ask the user to open the attached pdf
We ask the user to click a link from our email which could have malware or ask them to enter creds
Often the link is designed to trick the user into thinking its legitimate like real-microsoft.com
The code of the email can have something malicious (block pictures loading)
Direct phishing acting as a trusted part to get confidential data
Acting as a trusted supplier and asking them to update payment details, often they will try to create a fake pressure
Whaling - targeting CEO, head of IT, head of accounting, head of sales etc. They will usually have access to important data
Vishing - phishing but over the phone/voice call
smishing - sms phishing

ESA

Email security and enforcement
Email security
Reputation filtering based on sender
outbreak filtering
amp with talos intel and more
policy enforcment
inbound/outbound rate limiting
Encryption
DLP (drop emails that have personal info in them)

ESA has physical boxes available C- and X-

Internet > FW > DMZ > ESA
The other setup the ESA has two interfaces so it can talk to the inside server
Internet > FW > DMZ > ESA > Inside > LAN email server
Virtual ESAV
Hybrid - cloud for inbound, on-prem for outbound

Email exchange

Emails are forwarded based on the destination domain name joe@site.com
DNS lookup on site.com, specifically a mail exchange (MX lookup) on the domain
site.com has a MX record created which points to the IP(s) of their mail server
There may be MX > URL, then A lookup for that URL to IP
In the end we lookup the IP of where to send the email

Incoming mail

Domain is site.com
Public DNS / Internet > router > ASA > DMZ > ESA > SW > Email server
Sending to joe@site.com
We send to our local SMTP server lets say gmail
That mail server looks up the MX record of site.com
email.site.com
This will resolve to the IP of the ESA
The ESA receives the email and inspects it
If its all good its forwarded to the inside Email server

Outgoing mail

PC > SW > Email server > ASA > ESA
joe wants to send email out to bob@gmail.com
If it was a local address like it@site.com then the email server could just send direct because its trusted
Since its external email "gmail.com" the email will be sent to the ESA
ESA now inspects it
Now does MX lookup on gmail.com
Then sends the email to the IP of the gmail email server
The key take away here is that inside/LAN mail maybe configured to go direct

WSA security

Cisco's web proxy but really replaced by cisco umbrella now
Fast web proxy with advanced content filtering
Designed for https and FTP
Strong caching inspection policy enforcment and antimalware
Relies on multiple technologies and engines
URL filtering
AVC - Application visibility and control
L4 traffic monitor (like an IDS)
HTTPs decryption (also available in FTD and cisco umbrella)

Web proxy mode

L4 traffic monitor
Explicit forward mode (client needs config from pac file etc)
Transparent mode - clients don't need any config. WCCPv2 needs to be setup.
Traffic is redirected by router/ASA/L4 switch using WCCPv2
LAN > WSA > ASA > Internet
L4TM using span port/hub/network tap.

Endpoint protection tools

AV: Windows defender, 3rd party tools like Sophos, Cisco AMP
Software firewall
Encryption
Host based IPS (HIPS)

Malware

Any software that is bad (worms / virus / dropper / adware / spyware etc)
Adware - show ads to user and generate money for the owner
Spyware - Gathers info from the pc and sell the data to databrokers. Some of them may steal bank details etc.
Ransomware - locks the PC / encrypts file shares and demand a ransome to unlock
Virus - It may just copy its self, but could destroy your system etc. It depends on the payload
Worm - self replicating, doesn't need to be executed.
Trojan - Usually provides remote access to an attacker. Make the machine part of a botnet

Anti-malware

Signatures - can't detect day-0 or often variants
Heuristics - sandbox and execute and see if it behaves similar to malware, can find variants.
Behavioural - command tools / tactics used by attackers. Can catch 0 days but not always.
Most modern AV's will use a combination of these
Signatures must always be kept up to take so cloud connected AV is best

Personal or software firewall

This is a firewall running on the endpoint
A firewall like ASA / FTD / Palo is protecting multiple endpoints
Windows its windows firewall (and 3rd parties)
Linux is iptables

PC > Coffee shop WIFI > Internet > HQ > LAN

PC > VPN > Coffee shop WIFI > Internet > VPN > HQ > LAN

Cisco AMP

Uses but doesn't rely on signatures
It's connected to the network firewall too
It's also logging what actions were taken on a PC
Suspect files can be uploaded to cisco for analysis and sandboxing
If a file is discovered to be malicious later AMP has a record and can go back and remove it everywhere
It offers a before / during / after protection

Encryption

Private key and passphrase should be kept safe
Many modern OS build it in
Windows has bitlocker
OS X has some too.
Many linux distros offer it too
We can encrypt single files/folders or whole disks
Whole disk is common in corporate world in case a laptop is lost or stolen

Cisco AMP endpoint client changes

AMP for endpoints became Cisco secure endpoint which has become Cisco secure client

EDR endpoint detection and response

EPP endpoint protection platform

XDR Extended detection and response (often adds AI correlation and automation/playbooks)