Cisco Secure Access notes

Intro to Cisco Secure Access (CSA)

At a high level it works like this:

• Users > CSA > Resources

Ways to connect to CSA

• Remote managed > ZTNA  > CSA
• Remote managed > VPNaaS > CSA
• Remote unmanaged > Clientless ZTNA > CSA
• Branch > IPsec tunnel > CSA
• IOT devices > IPsec tunnel > CSA
• We can also integrate SD-WAN connections into CSA (more on it later)

What we can do inside CSA

• Groups
• firewall rules
• web gateway
• DLP
• CASB (cloud security broker)
• Device posture
• ZTNA
• Monitor and TS

Outbound from CSA

• Connections to Internet and SaaS sites
• Backhaul to private apps hosted in your public or private cloud
• IPsec tunnels to other datacenter/pop/brance

PoP is point of presence. Often user will connect to the closest one for lowest latency 

CSA connection can enter the POP in dublin and etc the POP in France for examle

What problem is cisco secure access trying to solve ?

• Orgs with remote users and 3rd party contractors who need access but also all secure 
• Orgs with users who are mobile (in office / at home / on the road)
• Orgs with hybrid setups (on prem / public cloud / private cloud / SaaS)
• Consolidate all the access policies in one place
• Keep a zero trust mindset

Secure private access (tunnel or proxy)

• Via VPN
• Via ZTNA client 
• Via ZTNA clientless 

Secure Internet Access (s

• VPN full tunnel
• Internet security module
• Branch DIA

We can have SPA and SIA working together

Insights and monitoring

Admins and monitor endpoint performance with thousand eyes

Need an account and agent deployed

Global scale architecture 

User > CSA POP > CSA routing > CSA POP > Resource

Unified cloud architecture 

• Control everything in one cloud dashboard
• Traffic acquisition 
• Collect and augment with extra data (posture etc) 
• Classify traffic (public / private)
• Rules (FWaaS / SWG / CASB / Decryption / IPS / DLP)
• Send via backhaul or internet 

Open APIs

• As well as the cloud dashboard
• Multiple Restful API
• Automate tasks
• Deployment
• Admin
• Policies
• Reports

Talos threat intelligence 

Visibility across the entire threat landscape fusing experts data and gen AI

Talos detect threats and block them for all customers

User connectivity

• VPNaaS
• ZTNA module
• Web roaming module (80/443 only)
• Clientless ZTNA

VPN (DTLS/IPsec) > ZTNA (Wireguard/gRPC) > ZTA (MASQUE/QUIC)

TLS - TCP security

DTLS - UDP (some speed improvement)

QUIC is UDP based (fastest0), a way to speed up TLS connections

MASQUE - Multiplex Application Substrate over QUIC encryption / a streaming protocol. This is an application proxy that runs on top of QUIC. It can have multiple streams active in one MASQ session.

Client connectivity 

Secure client 

VPN > ASA> IPsec / Internet 

ZTNA client > ZTNA proxy > IPsec / Resource connector 

Sec/Roaming module  > DNS/SWG > Internet 

 

Clientless > Rev Proxy > IPsec / Resource connector 

Branch > IPSec > IPsec / Internet 

Cisco Secure Client

You will need to deploy the CSC client with the ZTNA module

Duo desktop will also be deployed if you use posture

Other modules

Secure endpoint (formerly AMP)

Roaming module (Umbrella but this will be replaced)

Thousand Eyes (no UI)

Cloud management module (no UI)

DART

Secure Private Access (client based ZTNA)

ZTNA supports apps via IPsec backhaul

FTD > HA VTI tunnels > CSA

We create two tunnels to CSA for redundancy 

We configure BGP between the two so they can exchange routes

Secure Private Access (clientless)

Only works with web apps

Secure Private Access (VPN)

Connect to secure access cloud

Secure Internet Accesss via VPNaaS

Connect to CSA then on to internet sites / SaaS

Modular policy with magnetic UI

Define apps / resources

define private / public rules

Live demo

https://www.cisco.com/c/en/us/products/security/secure-access/live-demo.html

Cisco have a live demo which you can try it out

First step will be to setup a tunnel group (VPN)

Setup on your peer on the HQ or brance

Connector groups are for the resource connectors

We can add one to AWS Azure and VMware

We can add SAML/SSO for our user ID

Private resources 

We can had a file server here

You can make firewall rules under secure

Zero trust 

• Micro segmentation 
• Network isolation
• Native OS support
• TPM to protect certs and key

Principals 

• Never trust
• Always verify
• Enforce least privilege 

Success factors

• Allow the user to work securely with minimal disruption
• Adjust policy to risk
• Consistency across environments because of shared policy

AI assistant

Helps you create rules but leaves them disabled, a human must enable the rule.

Planning for a CSA project delivery

• Well defined scope and timelines
• Access to sites / network devices etc
• Clear roles and responsibilities
• Single customer point of contact / PM
• Customer involvment and comms
• Clearly defined and agreed use cases
• Pilot and customer validation
• Knowledge transfer
• High level docs
• SOW - statement of work
• BOM - Bill of materials
• Checklist

Secure Access licensing 

Essentials 

• Secure internet access (SIA)
• Secure Private Access (SPA)
• SWG
• ZTNA
• L3/4 firewall
• CASB
• RBI (for risk traffic or high level phishing targets)

Advantage

• Everything in essentials 
• Layer 7 firewall
• IPS
• DLP
• RBI

Licensing subscriptions

based on per user 

1 year

3 year

5 year 

Non standard terms on per contract basis 

Cisco user protection suite

Incorporates related technologies all into one solution

• Posture and auth management 
• Endpoint security 
• Email security 
• Experience insights
• Remote browser isolation
• Security Service Edge 

can't nat on VTI interface used in a VPN on FTD

 https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/network_address_translation_nat_for_firepower_threat_defense.html

• You cannot write NAT rules for a Virtual Tunnel Interface (VTI), which are used in site-to-site VPN. Writing rules for the VTI's source interface will not apply NAT to the VPN tunnel. To write NAT rules that will apply to VPN traffic tunneled on a VTI, you must use "any" as the interface; you cannot explicitly specify interface names.

palo alto azure VPN issues

Had some issues with palo alto <> azure VPN. The firewall was blocking the VPN traffic due to rule change. Azure gives up after a while and goes into idle mode. Needs to be restarted on azure end

 1 - If Azure VPN starts getting blocked by the firewall after some time Azure gives up and goes into an idle mode, has to be restarted on Azure end for VPN to try again.

2 - The ISAKMP (udp 500) session stays open on the palo even through p1 re-keys. Check session browser for your peer IP on UDP port 500, may need to clear it.

clear session all filter destination x.x.x.x

clear session all filter source x.x.x.x

3 - Related to above if the rule that allows the UDP is set to log at end you won't see the new traffic being initiated, set the rule to log at start.

4 - We saw the Azure IP is showing with a geolocation IP of "EU"  I'm guessing its related to their HA

show location ip x.x.x.x

Cisco Nexus 5K overview

Product details:
www.cisco.com/go/nexus

5K and 6K have similar features but 6K has up to 96 ports on 40GE

5K's are more common in the wild as they have the same features

http://www.cisco.com/c/en/us/products/switches/nexus-5000-series-switches/models-comparison.html


UP means unified ports. The ports can be Ethernet or FC. So the 5K is Ethernet and fiber channel switch.

7K core
1/10/40/100Gbps Ethernet
L2 and L3 LAN swtiching
Highly redundant. multiple cards and links, power etc

5K Aggregation or access layer switch
LAN and SAN switch
1/10/40 Gbps
L2 and L3 Land swtich
FCoE and native FC SAN switching

4K is specifically for IBM blade servers

3K is used for low latency

2K is an extension of another switch (fabric extension)
2K needs an upstream switch to be the brains
Can't work on its own
Acts like a remote line card of a parent
2K does not have a MAC addresses table it has to ask the parent switch
2K aren't so good for a lot of East West traffic moving across your network
You would want a normal switch for lots of East/West traffic
2K are good in North south, traffic coming in at the internet and heading down to servers
They still have 10GigE up and down so it will work for small environments
Fabric extenders can cut down physical platforms and wiring in the network

Unified Fabric Design

End of Row (EoR) design
You have a rack of network equipment (like catalyst 6500)
Terminate all of the links that go to servers etc
Data Center top of tack architecture design under 5K white papers
[srv] [srv] [srv] [network equipment] (at the end of the row)

40 servers usually more than one cable per server
If you keep adding racks of servers you hit distance limitations
EoR design becomes and issue when you scale up to large amount of servers

Alternative is Middle of Row (MoR)
We install network equipment for each block of servers
[srv] <- [network equipment] [network equipment] -> [srv]

NIC ethernet
HBA for storage

Unified wire, send LAN and SAN traffic down the same cable.
Ethertype 8906 FCOE

Top of Rack (ToR)
Switches in the top of the rack
[network equipment]
[srv]
[srv]

Copper runs from servers to top of rack switch
Top of rack switches connect via fiber back to end of row core
Replaces fiber with copper between servers so that's a big saving

Top of rack with unified fabric

2Ks are Top of rack
[2K]
[2K]
[srv]

2K connect back to 5Ks at EoR
[5K]
[5K]

SFP's lets you change what cables you can plug in.
Make sure the SFPs are supported by your line card.
SFP costs can add up quickly.

Virtual device contexts (VDC)
L1 virtualization
Separation of control and data plane
Separation of the management plane
Separate user DB
Create virtual switches separated just like physical switches.
Takes the physical switch and basically makes more physical switches out of on chasis
To connect two VDCs you need to connect them with physical cabling
Physical ports are members of a single VDC

Virtual SAN 
Much like VLAN
separates fiber channel control and data plane
VLAN and VSAN are L2 virtualization techniques

Virtual routing and forwarding (VRF)
Separates the L3 data and control plane
Lets take 4 interfaces
interfaces 1,2 are in VRF A
interfaces 3,4 are in VRF B
We can run OSPF inside each VRF
Use the "switchto" command to change context

Upgrading nexus

The "install all" command will tell us if it will do a disruptive or not upgrade. 

download images from cisco

make note of checksum from cisco site

fciv -md5 filename.bin

compare hash

copy to USB or SCP or HTTP etc

sh ver | i .bin

install all kickstart kickstart.bin system n70001a.bin

EPLD

Electronic programmable logic devices

These are in the line cards 

download epld from cisco

install all epld bootflash://n7000-epld7.img

trace logging for cisco secure client (anyconnect)

 https://www.cisco.com/c/en/us/support/docs/security/umbrella/224921-enable-roaming-client-trace-logs.html#toc-hId--1891865857

1 - Enable trace logging (logs more detail for the dart)

https://www.cisco.com/c/en/us/support/docs/security/umbrella/224921-enable-roaming-client-trace-logs.html

On windows machines in: C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\data

Create a file called loglevel.flag (ensure the file extension is correct)

just have "trace" in the file with no quotes

2 - Once the file is in place restart the CSC services

You may be able to complete these actions with a with GPO/Script etc.

3 - Wait for the issue to happen again and collect the DART bundle again. Send DART to cisco for review.

Cisco automation notes

 

Legacy ASA

Can be connected to cisco defence orchestrator

Note when working with ASA in a lab you may need to make ACL to allow ping and/or add "inspect icmp" to the global_policy 

CCNP Security CORE study: 350-701 SCOR (v1.1)

 Study notes for CCNP Security CORE study: 350-701 SCOR (v1.1)

Security principals

Data at rest (on disk) 

Data in motion (traveling across the network)

CIA triangle 

• Confidentially: hide data (encrypt) from unauthorized individuals
• Integrity: Make sure data was not modified (permissions / hashing / immutable backups /modify log)
• Availability:  Ensure the data remains available (HA / systems work and are useable) 

Principle of least privilege (being call ZTNA zero trust network access)

• User has the rights they need to do their job and no more
• Switch port for printer is on printer vlan.
• Firewalls allow access with ACLs
• User privs allow access to files 

Defence in depth

• Multiple layers of security 
• If something fails we have another chance to stop or limit the attack
• We have firewalls / DMZs / ACL's
• Windows user rights
• Segregated VLANs
• MFA
• SIEM/SOC monitoring 
• Backups

Separation of duties

• Make sure to have 2 staff for everything
• 2 helpdesk
• 2 firewall guys
• 2 security guys 
• 2 windows guys

Accounting/auditing

• Logging activities network / file / dns / web

Security terms

• Asset (anything valuable)
• Threat (What we protect against)
• Vulnerability (exploitable weakness)
• Risk (chance for compromising asset)
• Countermeasure (a method of reducing risk)
• Risk management (identify, assess, prioritize and monitor risks)
• The goal of risk management is to eliminate or minimize risk 

Asset classification 

• Needed to distinguish between more/less important assets
• Our customer database is more valuable than a printer but both have value
• Classification helps to better secure them

How to classify assets ?

• Value
• Replacement cost
• Age
• Usefulness 

Lets say we have an old web server (asset). We run a pen test (counter measure) on the www server and find vulnerabilities (exploitable weakness). There is a risk that these vulns could be exploited (threat) and compromise our asset (item of value). 

Gov vs public

Gov sector

• Unclassified 
• Sensitive but unclassified (SBU)
• Confidential
• Secret 
• Top secret

Public sector 

• Public
• Sensitive
• Private
• Confidential

Vulnerability classifications

• To find better countermeasure

Vulnerability categories

• Physical
• Human
• Hardware and software 
• Incorrect designs
• Misconfig 
• Weakness in protocols

Countermeasure categories

• Physical (door locks swipes / guards / cctc)
• Technical/logical (software/hardware
• Administrative (processes and procedures, guidelines and standards)

Security threats

Threats

• Anything that can harm our systems
• A hacker can run a ddos to take down our systems
• A storm could knock out power to take down our systems
• Hackers
• Criminals
• Terrorists
• Disgruntled employees
• Compeditors
• Nation state actors

Common attack methods

• Reconnaissance (network scanning / discovery)
• Social engineering (fooling/tricking people)
• Privilege escalation (getting more access, going from user to admin)
• Code execution (activation malicious code)
• Backdoors (remote access software for attackers)
• Covert channels (hidden comms channel)
• Trust exploitation (Web server in DMZ can talk to DB server on the LAN)
• Man in the middle (proxy to read and/or change data in flight)
• Denial of service attacks (stopping a service from working by overloading it)
• Password guessing and cracking 
• Dictionary attack uses a password list of known passwords
• Brute force is trying every combinations of a password (takes too long if passwords are strong and have rotation policies)

IPS fundamentals

Intrusion detection system (IDS)

Looks at a copy of the real traffic and detects issues

Sends alerts to IT admin but doesn't do anything 

Intrusion prevention system (IPS)

This one looks at the live traffic and can take action like block hosts etc.

How the hardware is connected 

SW1 > span port > IDS

When we have multiple switches we setup remote span

RSPAN 

SW3 > RSPAN vlan > SW2 > RSPAN > SW1 > SPAN port > IDS

IPS generally runs on a firewall

traffic in > firewall (IPS) > traffic out

The IPS inspects traffic passing through and can block. Only allowed traffic makes it out the other side.

Sensor deployment modes

• Promiscuous/passive
• SPAN, RSPAN or network tap
• No deploy, can't become a bottle neck

Inline

• L2 
• L3 (firepower can do this)
• throughput and latenct
• Fail open or fail close (if it fails do we stop all traffic or let it flow)

hosts > SW1 > trunk > IPS > trunk > SW1 > hosts

IPS types

• NIPS (network based)
• HIPS (host based, agent installed)

Old HIPS agents slowed down systems, now we have a light weight client to connect to an engine in the cloud. HIPS can look at encrypted flows, NIPS can't do this without MITM/SSL decryption but even then its not perfect and there are cases where it won't work. EVE has signatures for encrypted traffic.

How IPS sensors detect

• Signatures (Rules/conditions describing an attack)
• Anomaly detection (Learns normal activity and alerts on strange activity)
• Policy based (Standard rules configured by admin) 
• Reputation based (external database has info on attackers like their public IPs/hashes)

How IPS sensors respond

• Alert/alarm
• Drop the packet
• Block this connection 
• Reset close the TCP connection similar to drop/block
• Shun block (block all further traffic from this host)
• Block list - attackers
• Allow list - our known good devices that we trust

Sensor decisions 

• True positive - The sensor detected and took the right action eg dropped it 
• True negative - Normal traffic did not trigger the system. IPS did the right thing.
• False positive - A signature triggered for normal traffic. Blocked good traffic.
• False negative - The sensor did not detect malicious traffic and it was allowed.

Cisco's firepower 

• FMC is the management VM (can be hosted on site or in cloud)
• FTD is the hardware firewall 
• Can deploy as IPS or IDS
• Cisco provide signatures and block lists

Email security

Workers use email everyday so its a common attack vector

The most common being phishing 

• Spam is unsolicited messages usually selling something often scams 
• There are different types of malicious email
• The email attachment contains malware, we ask the user to open the attached pdf
• We ask the user to click a link from our email which could have malware or ask them to enter creds
• Often the link is designed to trick the user into thinking its legitimate like real-microsoft.com
• The code of the email can have something malicious (block pictures loading) 
• Direct phishing acting as a trusted part to get confidential data
• Acting as a trusted supplier and asking them to update payment details, often they will try to create a fake pressure
• Whaling - targeting CEO, head of IT, head of accounting, head of sales etc. They will usually have access to important data
• Vishing - phishing but over the phone/voice call
• smishing - sms phishing

ESA 

• Email security and enforcement 
• Email security 
• Reputation filtering based on sender
• outbreak filtering 
• amp with talos intel and more
• policy enforcment 
• inbound/outbound rate limiting
• Encryption 
• DLP (drop emails that have personal info in them)

ESA has physical boxes available C- and X-

• Internet > FW > DMZ > ESA
• The other setup the ESA has two interfaces so it can talk to the inside server
• Internet > FW > DMZ > ESA > Inside > LAN email server
• Virtual ESAV
• Hybrid - cloud for inbound, on-prem for outbound

Email exchange

• Emails are forwarded based on the destination domain name joe@site.com
• DNS lookup on site.com, specifically a mail exchange (MX lookup) on the domain
• site.com has a MX record created which points to the IP(s) of their mail server
• There may be MX > URL, then A lookup for that URL to IP
• In the end we lookup the IP of where to send the email 

Incoming mail

• Domain is site.com
• Public DNS / Internet > router > ASA > DMZ > ESA > SW > Email server
• Sending to joe@site.com
• We send to our local SMTP server lets say gmail
• That mail server looks up the MX record of site.com
• email.site.com
• This will resolve to the IP of the ESA
• The ESA receives the email and inspects it
• If its all good its forwarded to the inside Email server

Outgoing mail

• PC > SW > Email server > ASA > ESA
• joe wants to send email out to bob@gmail.com
• If it was a local address like it@site.com then the email server could just send direct because its trusted
• Since its external email "gmail.com" the email will be sent to the ESA
• ESA now inspects it 
• Now does MX lookup on gmail.com
• Then sends the email to the IP of the gmail email server
• The key take away here is that inside/LAN mail maybe configured to go direct 

WSA security

• Cisco's web proxy but really replaced by cisco umbrella now
• Fast web proxy with advanced content filtering 
• Designed for https and FTP 
• Strong caching inspection policy enforcment and antimalware
• Relies on multiple technologies and engines
• URL filtering
• AVC - Application visibility and control 
• L4 traffic monitor (like an IDS)
• HTTPs decryption (also available in FTD and cisco umbrella)

Web proxy mode

• L4 traffic monitor 
• Explicit forward mode (client needs config from pac file etc)
• Transparent mode - clients don't need any config. WCCPv2 needs to be setup.
• Traffic is redirected by router/ASA/L4 switch using WCCPv2
• LAN > WSA > ASA > Internet
• L4TM using span port/hub/network tap.

Endpoint protection tools

• AV: Windows defender, 3rd party tools like Sophos, Cisco AMP
• Software firewall 
• Encryption
• Host based IPS (HIPS)

Malware

• Any software that is bad (worms / virus / dropper / adware / spyware etc)
• Adware - show ads to user and generate money for the owner 
• Spyware - Gathers info from the pc and sell the data to databrokers. Some of them may steal bank details etc.
• Ransomware - locks the PC / encrypts file shares and demand a ransome to unlock
• Virus - It may just copy its self, but could destroy your system etc. It depends on the payload
• Worm - self replicating, doesn't need to be executed. 
• Trojan - Usually provides remote access to an attacker. Make the machine part of a botnet

Anti-malware 

• Signatures - can't detect day-0 or often variants 
• Heuristics - sandbox and execute and see if it behaves similar to malware, can find variants.
• Behavioural - command tools / tactics used by attackers. Can catch 0 days but not always.
• Most modern AV's will use a combination of these
• Signatures must always be kept up to take so cloud connected AV is best

Personal or software firewall

• This is a firewall running on the endpoint
• A firewall like ASA / FTD / Palo is protecting multiple endpoints
• Windows its windows firewall (and 3rd parties)
• Linux is iptables

PC > Coffee shop WIFI > Internet > HQ > LAN

PC > VPN > Coffee shop WIFI > Internet > VPN > HQ > LAN

Cisco AMP

• Uses but doesn't rely on signatures
• It's connected to the network firewall too
• It's also logging what actions were taken on a PC
• Suspect files can be uploaded to cisco for analysis and sandboxing
• If a file is discovered to be malicious later AMP has a record and can go back and remove it everywhere
• It offers a before / during / after protection

Encryption 

• Private key and passphrase should be kept safe
• Many modern OS build it in
• Windows has bitlocker
• OS X has some too.
• Many linux distros offer it too
• We can encrypt single files/folders or whole disks
• Whole disk is common in corporate world in case a laptop is lost or stolen

Cisco AMP endpoint client changes

AMP for endpoints became Cisco secure endpoint which has become Cisco secure client  

EDR endpoint detection and response 

EPP endpoint protection platform

XDR Extended detection and response (often adds AI correlation and automation/playbooks)