- Zone-Based Policy Firewall (ZFW) introduces a new firewall configuration model where policies are applied between zones (like inside and outside networks) rather than interfaces. This provides more granular control over traffic.
- ZFW defines zones for networks, zone-pairs to identify traffic flowing between zones, class-maps to classify traffic, policy-maps to apply actions to traffic classes, and service-policies to attach policies to zone-pairs.
- Key benefits of ZFW include subnet-level policies, the ability to define separate policies for different zone-pairs, and running ZFW concurrently with the legacy Cisco firewall (CBAC).
Zone Based Firewall is the most advanced method of a stateful firewall that is available on Cisco IOS routers. The idea behind ZBF is that we don't assign access-lists to interfaces but we will create different zones. Interfaces will be assigned to the different zones and security policies will be assigned to traffic between zones.
Cisco's ASA55xx series are adaptive security appliances that provide firewall, IPSec and SSL VPN capabilities. The appliances range from small office/home office models like the ASA550x to data center models like the ASA558x. All models support stateful packet inspection firewalls and VPN endpoints. Optional modules allow for intrusion prevention, content filtering, and additional network interfaces. Licenses determine the number of supported VPN connections and interfaces/VLANs.
Cisco Identity Services Engine (ISE) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline service operations. It determines whether users are accessing the network on authorized devices, establishes user identity and context, and assigns services based on user attributes. ISE provides comprehensive secure access, increases productivity, and reduces operations costs through centralized policy control, visibility, automated provisioning, and guest access management.
The document discusses Access Control Lists (ACLs), which are lists of permit or deny rules that control what traffic can enter or leave a router's interface. There are standard ACLs, which filter traffic based only on the source IP address, and extended ACLs, which can filter traffic based on additional attributes like destination address, protocol, and port numbers. ACL rules are evaluated sequentially, with an implicit "deny all" rule at the end, so ACLs should be placed strategically to filter traffic close to either its source or destination.
This document contains slides from a Cisco presentation on firewall certification. It discusses the CCNP Security Firewall v2.0 exam, including exam details, recommended reading, and high-level topics covered. It also provides an overview of Cisco firewall technology including the Adaptive Security Appliance and its features. Configuration topics like licensing, interfaces, NAT, routing, inspection policies and transparent mode are briefly outlined.
A firewall is a system or group of systems that controls network traffic between trusted and untrusted networks according to pre-configured rules. There are different types of firewalls including packet filtering, stateful packet inspection, application-level gateways, and circuit-level gateways. Firewalls work by examining packets and filtering traffic based on criteria like source/destination addresses and ports to enforce a security policy between networks.
This document provides an overview of the Open Shortest Path First (OSPF) routing protocol. It describes OSPF's message encapsulation, packet types, neighbor discovery process using Hello packets, link state database and shortest path first algorithm, metric and cost calculation, and mechanisms for handling multi-access networks like designated router election. The objectives are to describe OSPF configuration and troubleshooting.
This document summarizes a presentation about Cisco's CCNP Enterprise ENCOR and ENARSI certification program. It provides information about the trainer, an overview of the CCNP certification requirements and exams, discussion of exam topics, and a question and answer section. The presentation aims to help attendees learn about the CCNP Enterprise certification track and prepare for the ENCOR and ENARSI exams.
- Access control lists (ACLs) allow or deny network traffic passing through a router based on source and destination IP addresses, protocols, and port numbers.
- There are two main types of ACLs: standard ACLs which filter based on source IP addresses, and extended ACLs which filter on source/destination IP addresses, protocols, and port numbers.
- ACLs can be numbered or named, with named ACLs allowing selective editing of statements not possible with numbered ACLs.
Putting Firepower Into The Next Generation Firewall, by Cisco Canada
This document discusses Cisco's next generation firewall (NGFW) platforms and capabilities. It provides an overview of the Firepower Threat Defense (FTD) software and its deployment on various Cisco appliances. Key capabilities of FTD include intrusion prevention, application visibility and control, advanced malware protection, URL filtering, and SSL decryption. The document also reviews the feature sets and performance of Cisco's NGFW appliance families, including the ASA 5500-X, Firepower 2100, Firepower 4100, and Firepower 9300 series.
This document discusses different types of firewalls:
- Traditional firewalls filter packets based on source/destination IP/port and protocol but cannot classify applications or inspect encrypted traffic.
- Unified threat management (UTM) firewalls can classify traffic by application rather than just port, and provide intrusion detection/prevention, web filtering, and malware protection.
- Next generation firewalls (NGFW) build on UTM with additional capabilities like inspecting encrypted traffic and advanced threat protection.
In this webinar, we cover how Border Gateway Protocol works. Starting from key concepts, you'll learn about Autonomous Systems, the BGP protocol, AS Path, learning and advertising routes, RIBs and route selection. See the webinar recording at https://www.thousandeyes.com/webinars/how-bgp-works
The document provides an overview of firewalls, including:
- Firewalls emerged in the 1980s and control traffic allowed between networks. They can block traffic by IP, port, or protocol.
- Firewalls are implemented in hardware, software, or a combination. All messages entering or leaving a network pass through the firewall.
- Packet filtering firewalls operate at the network and transport layers and allow or deny traffic based on source/destination, protocol, and ports. Application and circuit gateways function as proxies.
- Common firewall types are packet filtering, application gateways, and circuit gateways. Hardware firewalls include Cisco, D-Link, and Palo Alto routers and filters.
CCNA 2 Routing and Switching v5.0 Chapter 7, by Nil Menon
This document discusses dynamic routing protocols and provides an overview of how they operate. It explains that dynamic routing protocols automatically share information about remote networks to determine the best path. The document compares static and dynamic routing, and outlines the basic process by which routers using dynamic routing protocols like RIP discover networks, exchange routing information, and update their routing tables. Objectives of the chapter are also listed, such as explaining dynamic routing operation and configuring RIP and OSPF protocols.
OSPF is a link-state interior gateway protocol that uses shortest path first algorithm to calculate routes. It elects a designated router that exchanges link-state advertisements and database information with other routers to choose the best routes. OSPF supports equal cost multi-path routing, uses different types of link-state advertisements, and allows dividing networks into areas to reduce routing overhead. It authenticates messages to prevent routing attacks.
The document discusses Firepower NGFW deployment scenarios at the internet edge. It begins with an introduction to the speaker and overview of the Firepower software and platforms, including the Firepower 2100, 4100, and 9300 appliance families. It then covers deployment options like the Firepower Threat Defense virtual machine and ASA with Firepower Services, comparing their features. The remainder discusses specific Firepower capabilities for network security like application control, URL filtering, intrusion prevention, and file reputation.
This document discusses network security technologies and Cisco solutions. It covers topics like 802.1X authentication, identity management with Cisco ACS, port security, DHCP snooping, and securing the network infrastructure with Network Foundation Protection. The document appears to be slides from a training course on Cisco's SECURE certification that provides an overview of various network security concepts and Cisco products.
Access Control Lists (ACLs) can be used for two purposes:
1. To filter traffic
2. To identify traffic
Access lists are sets of rules, organized in a rule table. Each rule or line in an access-list provides a condition, either permit or deny.
Cisco ASA Firewall Presentation - ZABTech center Hyderabad, by MehtabRohela
Cisco ASA is a network security appliance that combines firewall, antivirus, intrusion prevention, and VPN capabilities. It provides threat defense by monitoring network traffic and can deny or permit access between internal and external networks. Key features include packet filtering, network address translation, application inspection, VPN support, and high availability options. The ASA can operate in routed or transparent firewall modes and supports authentication, dynamic routing, clustering, and next-generation firewall features like advanced malware protection. It is suitable for both small and large networks due to scalability and modular design.
The document discusses subnetting and provides an example of how to subnet the IP network address 192.168.1.128 into 6 subnets. It explains that subnetting allows a single network number to be shared among multiple physical networks. Each host is configured with an IP address and subnet mask, where the subnet is calculated by performing a bitwise AND of the IP address and subnet mask. The example shows how to determine the subnet mask is 255.255.255.224 when creating 6 subnets, and that each subnet can support up to 30 hosts.
Advanced endpoint - protection - for-dummies-pdf-8-w-1994, by CMR WORLD TECH
The document provides an overview of modern cybersecurity threats, including exploits, vulnerabilities, and malware. It discusses how exploits target software vulnerabilities to run malicious code on systems. Malware is often used in attacks to achieve objectives like stealing data or disrupting operations. Real-world threats like advanced persistent threats and targeted intrusions pose major risks to organizations. Traditional endpoint security approaches are inadequate against sophisticated modern attacks. An integrated prevention-focused approach is needed to defend against both known and unknown threats.
This document discusses VRF (Virtual Routing and Forwarding) configuration examples on routers. It shows how to create VRF instances, associate interfaces and IP addresses, and configure routing protocols like RIP, EIGRP, OSPF and BGP to operate within VRF contexts. Specific examples demonstrated include VRF-aware static routing, and configuring BGP between VRF instances to enable inter-VRF communication. The goal is to illustrate how to segment routing tables and isolate traffic between different network segments using VRF technology.
CCNA Security 210-260 Official: CCNA Security 210-260 Official Cert Guide is a Cisco exam study guide that focuses specifically on the objectives for the CCNA Security Implementing Cisco Network Security (IINS) 210-260 exam. https://www.pass4sureexam.com/210-260.html
1. Furosemide is a potent diuretic medication used to eliminate excess water and salt from the body by increasing urine output. It works by blocking the reabsorption of sodium, chloride, and water in the kidney tubules.
2. Common side effects include low blood pressure, dehydration, and electrolyte imbalances. It can also cause ringing in the ears, nausea, and dizziness.
3. Furosemide is prescribed to treat edema caused by conditions like heart failure, liver cirrhosis, and kidney disease. It is also sometimes used alone or with other medications to treat high blood pressure.
The document discusses demilitarized zones (DMZs) in computer networks. A DMZ is a small subnetwork located between a company's private network and the outside public network. It contains devices like web, FTP, and email servers that are accessible to internet traffic but isolated from the internal network. DMZs provide enhanced security by separating internal and external networks, and only allowing specific services that need to be accessed from the outside. The document outlines common DMZ architectures, security considerations, and the types of servers and services typically located in a DMZ.
The document describes tasks for configuring a zone-based firewall on Router 1:
1. Create an inside and outside zone on Router 1's interfaces; apply an inspect policy between the zones to allow necessary traffic.
2. Configure R2 to ping R3 by name by adding DNS and host entries.
3. Configure R2 to copy a file from R4's HTTP server using the file path and name.
4. Configure R2 as the NTP server and have the other routers synchronize to it after applying necessary firewall policies.
This document discusses authentication, authorization, and accounting (AAA) security on Cisco devices. It provides an overview of authentication methods including password-only, local database, and remote access. It also covers the configuration of AAA features such as usernames, passwords, and authentication.
CCNA Security 02 - fundamentals of network security, by Ahmed Habib
This document provides an overview of network security. It discusses what network security is, the rationale for it including increases in cybercrime and threats. It covers types of attacks, vulnerabilities, and countermeasures. It also discusses security policies, standards, risk assessment, and careers in network security such as network security administrator and chief information security officer.
Here are the key advantages of a packet-filtering router firewall:
- Simple and fast - Packet filtering is a simple and fast operation as it only examines packet headers. This makes packet filtering routers suitable for high traffic networks.
- Low cost - Packet filtering routers are generally lower in cost compared to other firewall types as they utilize existing router hardware and software.
- Flexible rulesets - Packet filtering allows for flexible rulesets that can block or allow packets based on many header fields like source/destination IP, port, protocol type etc.
- Transparency - Packet filtering operates at the network/transport layers so it is transparent to users and applications.
- Performance - Packet filtering has minimal impact on network performance since
In the IT industry, you are going to need a security certification.
In the US military or as a government contractor, it is required in most cases
(DoD 8570.01-M) / State Department Skills Incentive Program
Short Video about Security +
Exam Objectives
Exam Content
Taking the exam
Practice Questions
Tips to Prepare
This document describes how to configure an ACI multi-site deployment with two sites, Site A and Site B. Key steps include:
1. Configuring the Multi-Site Controller to discover and register both sites.
2. Configuring infrastructure settings like BGP, OSPF and unicast/multicast TEPs from the MSC for each site.
3. Verifying infrastructure configurations are correctly pushed from the MSC to each APIC controller, including L3Out profiles and BGP/OSPF sessions on the spine switches.
Converged network quality issues include lack of bandwidth, end-to-end delay, variation of delay (jitter), and packet loss. These issues are caused by multiple flows competing for limited bandwidth over network devices and links, resulting in increased processing, queuing, and propagation delays as well as dropped packets during congestion. Implementing quality of service features such as priority queuing, traffic shaping, and dropping can help address these issues by classifying and prioritizing important traffic.
This document contains a summary of 13 questions from a Cisco 350-701 exam about implementing and operating Cisco security core technologies. The questions cover topics like DNS tunneling attacks, dynamic ARP inspection, Cisco AnyConnect vs DMVPN advantages, Cisco Firepower vs Cisco AMP capabilities, Cisco Email Security features, Cisco Stealthwatch deployment, and DHCP snooping configuration. Multiple choice answers are provided for each question, with some questions including additional explanations of the answers.
Here are the answers to the questions in bold red typeface:
1. What is a WAN?
**A WAN (wide area network) is a geographically dispersed telecommunication network that interconnects multiple computer networks and LANs (local area networks).**
2. What are the main components of a WAN?
**The main components of a WAN include routers, switches, firewalls, servers, and transmission media like fiber optic cables, coaxial cables, leased lines, satellites, and microwave links.**
3. What are some common WAN technologies?
**Some common WAN technologies include Frame Relay, ATM, MPLS, DSL, cable modem,
Istio Triangle Kubernetes Meetup Aug 2019, by Ram Vennam
It's been two years since we introduced the Istio project to the Triangle Kubernetes Meetup group. This presentation will be a brief re-introduction of the Istio project, and a summary of the updates to the Istio project since its 1.0 release.
1) Google has built one of the fastest and most capable network infrastructures over the past 15+ years through innovations like global caching, software defined networking, and virtualizing the physical network.
2) Telemetry and analytics are needed in large data center networks to perform network modeling, configuration verification, and fault isolation given their complexity with thousands of switches and links.
3) Systems are used at Google to continuously verify topology matches intent, detect routing inconsistencies within milliseconds, and measure service level agreements and traffic characteristics across all host pairs.
This document chapter discusses access control lists (ACLs) and how to configure them. It covers the basic purpose and operation of ACLs, including how they filter traffic using wildcard masks. It then provides instructions on how to create standard IPv4 ACLs, both numbered and named, and how to apply them to interfaces. The chapter also discusses best practices for ACL creation and placement, and how to modify existing ACLs using sequence numbers or a text editor.
This document discusses fog computing, including its need, the OpenFog Consortium, and the OpenFog reference architecture. Fog computing distributes computing and storage closer to users along the cloud-to-thing continuum to address issues with cloud like high latency, costs, and security. The OpenFog Consortium aims to standardize fog computing through an open reference architecture. The architecture has three views - software, system, and node - to satisfy fog deployments. Potential use cases include smart cars, buildings, and video surveillance. Advantages of fog computing include real-time processing, privacy, and costs savings compared to cloud.
Review the steps found in business process engineering. Review the.docx, by joellemurphey
Review the steps found in business process engineering. Review the lesson presentation and assigned readings. Post the step you think could be altered and explain why. Respond to the following and, if appropriate, include personal experiences as part of your answer:
• Briefly summarize the steps in business process engineering.
• Identify one step that you think can be altered and describe how you would change it.
• Explain your reasoning for the altering this step and how it would affect the end result of the business process.
(Optional) Use the Internet to research the airline industry. Select an airline company. Be sure to identify where its major activities fall within Porter's generic value chain.
Post at least two activities (processes) of the airline under the correct value chain activity below and justify why it belongs in that activity.
• Inbound Logistics (Primary Activity)
• Operations/Manufacturing (Primary Activity)
• Outbound Logistics (Primary Activity)
• Sales & Marketing (Primary Activity)
• Customer Service (Primary Activity)
• Procurement (Support Activity)
• Technology (Support Activity)
• Human Resources (Support Activity)
• Accounting & Finance (Support Activity)
Hello and welcome to the Zone-Based Policy Firewall video on demand session. My name is Piotr Matusiak and I work for Micronics Training as a Technical Instructor. During the next couple of minutes I will be talking about Cisco’s new IOS firewall feature, which is a part of the CCIE Security lab exam as well as the CCIE Routing & Switching lab exam. I hope CCIE candidates for both tracks will find this session useful in their studies. OK, let’s start then and see what new Cisco has to offer.
As you might already know, the previous version of the IOS firewall was called Class-based Access Control (CBAC in short) and offered an interface-based firewall service only. What does “interface-based” mean? It means that traffic entering or leaving a particular interface is inspected for service conformance; if traffic matches the requirements, the return traffic is allowed back through the firewall. See the figure: the inspection policy is attached to the f0/0 interface and an ACL is attached to the returning interface, which is f0/1. In this example, only TCP and ICMP packets will be inspected and hence only that traffic is permitted. CBAC inspection was sufficient for a small network with an edge router with only two interfaces. However, multiple inspection policies and ACLs on several interfaces of a router make it difficult to correlate the policies that will be applied to traffic between multiple interfaces. As CBAC relies too heavily on ACLs, it is not very flexible and has limited inspection granularity. In addition to that, all traffic through a given interface was subjected to the same inspection. This was enough to start thinking about a new IOS firewall solution which gives more flexibility and can meet today’s users’ expectations.
And here we go! A Zone-Based Policy Firewall has been developed which uses a completely different firewall configuration model. Instead of relying on interfaces and ACLs, it introduces the term ZONE. What is a zone? A zone defines a boundary where traffic is subjected to policy restrictions. As we can see on the figure, there are 3 zones defined based on different network subnets. Inside-Zone consists of the internal network; Outside-Zone defines the Internet; and DMZ-Zone contains a public Web server which is available from the Internet. To make migration off CBAC easier, we can configure ZFW and CBAC concurrently on the same router, but not on the same interface.
Let’s see the steps to configure ZFW. First of all we need to configure zones. This is accomplished in the router’s global config mode using the command “zone security <zone name>”. We need to configure three zones in our example: Inside-Zone for the internal network, Outside-Zone for the Internet, and DMZ-Zone for the DMZ. After creating the zones, we need to configure something called a zone-pair, which is a pair of two zones where one zone is the source and the second zone is the destination. Be careful, because the order of zones in the zone-pair is important and dictates the packet flow direction which will be subjected to inspection. For example, if we want to inspect traffic from the Inside to the Outside, the Inside must be the source zone and the Outside must be the destination. However, for traffic originated in the outside zone, the Outside-Zone must be the source zone. Firewall policies are unidirectional and this must be considered at the beginning of zone creation. The next three points are the policy creation process. More on this in a minute. The last step is making router interfaces members of the appropriate zone. This should be done as the very last step, because if we assigned an interface to a zone before creating the policy, all traffic would be denied by default. So it is much better to first create the zones and the policy, then assign the policy to the zone-pair, and only then assign interfaces to the zones. This will effectively enable ZFW on the router.
OK, we know the steps of ZFW configuration, now it is time to learn some basic rules. As I said on the previous slide, a policy applied between zones is unidirectional. The ZFW is a stateful firewall, which means all returning traffic will be allowed automatically on the returning interface. There is no need for an ACL. However, if we want to allow traffic to flow in the opposite direction, we will need a new zone-pair to be created and a new policy attached to it. The default policy for traffic between zones is DENY ALL. Once we create zones and a zone-pair, the traffic stops going through the router. This is because there is no policy attached to the zone-pair, and no policy equals deny all. Only traffic explicitly allowed can be passed through the router. Also, remember to attach zones to the appropriate interfaces at the very last step. Do not assign an interface to a zone before configuring the policy, because it will effectively drop legitimate traffic: traffic will never go between two interfaces where one of them is not in a zone. The same is true if two interfaces are in two different zones but there is no policy attached to that zone-pair. The traffic is blocked in this case.
OK, we know now that we need to create zones, configure a zone-pair and attach a policy to it in order to pass traffic through the firewall. Now it’s time to see how to build an effective and flexible policy. The policy building process uses 3 simple steps which are based on the Modular QoS CLI framework (MQC in short). Here, it is called C3PL, which basically uses “type inspect” components to build the policy. Nothing more!!! The first step is to configure a “class-map” to specify interesting traffic. This is not a regular class map but an “inspect type” class map. We configure it using the command “class-map type inspect match-all | match-any <class-name>”. The second step is to associate an action with the previously “classified” traffic. How to do that? Exactly the same way as in MQC: using a policy map, again “type inspect”. And finally, the third step is to apply the policy map to the zone-pair. How to do that? Again, nothing new: using the “service-policy type inspect” command. On the next couple of slides I will describe those 3 components in greater detail. So be vigilant!
OK, here are the steps for class-map configuration. As you already know, there are two different logical qualifiers available: match-all (which is the default) and match-any. This is so simple, watch out: match-all introduces AND logic; traffic must match ALL filters; exit on first NON-match. Match-any introduces OR logic; traffic must match at least one filter; exit on first match. We can match traffic using three types of match statements. “match protocol <protocol-name>” determines which service matches the class-map, and how the traffic will be inspected. This is so important because if the policy-map applies the inspect action, the traffic will be expected to behave as the specified service if it matches the protocol filter in the class-map. “match access-group <number | name>” matches using an access-list. And the last option is “match class <class-map-name>”, which nests another class-map and allows defining more flexible matching criteria. There are 3 different examples of matching filters. The first one matches protocol http and access list 120. Both matches must be true in order to subject the traffic to inspection. In the second example one of the protocols must be matched to subject it to the inspection. And in the third example all HTTP or FTP or SMTP traffic matched by the ACL will be subjected to the inspection.
Let’s take a closer look at the match protocol filter. What does it do and how does it work? Basically speaking, it matches the protocol in the packet headers against the specified protocol. For Layer 4 protocols: “match protocol <tcp | udp | icmp>”. For Layer 7 protocols: “match protocol <http | smtp | telnet | …>”. In the case of L7 protocols, the ports associated with the protocol are dictated by the existing Port-to-Application-Mapping (PAM) database entry. For example, “match protocol http” will match packets bound for port 8080 (in addition to port 80) if the router has “ip port-map http port 8080” configured. In the following example there are two class-maps configured. Both have the same matching filters but differ in matching qualifiers. The first example has “match-any” and the second example has “match-all”. See how it changes the policy behavior when the same HTTP packet comes to the router. In the first case the packet will be inspected as a Layer 4 packet (no application-specific inspection taking place) because of “first match”. In the second case, as both matching filters must be checked, the same HTTP packet will be treated as HTTP and will be subjected to application-specific checks.
OK, the next option to use is ACL matching. You can specify anything in the ACL; everything is honored (meaning IP addresses/subnets, ports, DSCP, IP precedence etc.). However, the recommended usage is to specify only IP addresses/subnets (and use an additional “match protocol” filter for protocol information). So, a typical usage is in conjunction with “match protocol” in a match-all class-map. Seems easy? Have a look at the following examples. What protocol do we inspect in example 1? As there is no port specified in the ACL, it is hard to determine the protocol. The router must resolve the same problem. This is a special case because of insufficient information, and therefore the router needs to guess the protocol. In such a case the PAM database is useful. So inspection will be performed for the L7 protocol based on PAM mappings; if no PAM mapping is found, the relevant L4 inspection is performed. For example: port 80, http inspection; port 69, tftp inspection; port 1234, TCP inspection. What about example 2 then? Again, no port is specified in the ACL, however there is a filter specified in the class-map for TCP connections. Hence, we get TCP inspection. Reason: first-match semantics of a match-any class-map. OK OK, but what if a UDP packet comes to the router, huh? For UDP packets, we again have insufficient information on the protocol; so this is equivalent to the match access-group special case. Result: L7 inspection as dictated by PAM, or L4 if there is no PAM mapping for the UDP port in the packet.
OK, so far so good. We have matched our interesting traffic. Now it’s time to perform some actions on that traffic. And again, we have 3 options under policy-map type inspect. We can inspect the packet, which basically speaking opens a hole for returning traffic. However, it is stateful inspection, so more information about the packet is used, like for example sequence numbers, ports, messages, methods, etc. We can also drop the packet, which is self-explanatory. And finally we can pass traffic. This action does not have any stateful capability, so it won’t open any dynamic holes for returning traffic. Is it useful, someone could ask? Yes it is, for example in the policy for traffic destined to or originated from the router. I will talk about this in a few minutes. If a stateful firewall is not enough for us, we can still add additional control using ACLs. However, it is worth noticing that an inbound ACL is applied before ZFW and an outbound ACL is applied after ZFW. This needs to be considered during ACL design. For example, what is the value of an outbound ACL blocking FTP if the ZFW policy does not allow that traffic?
Cool, I hope things are getting more interesting now. We have two class and policy types available: L3/L4 policy and L7 policy. And here the real fun starts. L7 class/policy-maps are protocol specific; the options appearing under them depend on the protocol and the capabilities of the existing application inspection module. As the inspection engines of individual protocols are enhanced, more options will be added by Cisco to the corresponding L7 class/policy-maps to provision the new functionality. As of now, L7 policies can be configured for the following protocols: HTTP, SMTP, POP3, IMAP, IM (AOL, ICQ, MSN, YAHOO), P2P (eDonkey, FastTrack, Gnutella, kazaa2), Voice traffic (SIP, H323), and Sun RPC. The L7 policy-map is attached to the top-level policy using the “service-policy <protocol-name> <policy-name>” command. The class in the top-level policy for which an L7 policy-map is configured MUST have a “match protocol” filter. This protocol and the L7 policy-map protocol must be the same. If only “match access-group” filters are present in the class-map, an L7 policy cannot be configured for that class. OK, you need to remember two things from this slide. First: you can only apply an L3/L4 policy map to the zone-pair, not L7. L7 policy-maps are applied under L3/L4 policy-maps only. Second: the L3/L4 class map must be configured with a “match protocol” statement in order to apply an L7 policy map to that traffic.
There is also a special ZONE called the SELF zone. This zone represents the router itself, and every interface is a member of that zone by default. This zone is useful when we want to control traffic destined to the router or originated from the router. Then we just put the SELF zone in a zone-pair as the source (if we want to control traffic originated from the router) or as the destination (if we want to control traffic destined to the router). Unfortunately there are some caveats in this solution. First, we can only inspect TCP, UDP, ICMP and H323 packets, and second, we can’t use ZFW policing when the SELF zone is involved. In this example we match and inspect TCP traffic destined to the router. Instead of inspection we can also pass traffic without any inspection using “pass” instead of “inspect”. Of course we can use drop as well.
OK, now we go through a really useful bunch of commands. The “parameter maps” are used to specify inspection behavior and prevent Denial-of-Service attacks. Also, a parameter-map can be used to define matching criteria in the class map in a more flexible way, using regex. There are a couple of parameter map types, but only three of them are really useful in ZFW: the “inspect” type, where we configure some anti-DoS stuff and logging; the “regex” type, for configuring regular expressions later used in the class map; and “urlfpolicy”, which is useful in URL Filtering. As we can see in the example, there is a parameter-map named PARAM1 which defines some anti-DoS parameters. This parameter map is attached to the “inspect” command under the L3/L4 policy map. The second parameter-map defines a regex which matches all strings with the “delete” keyword, and then it is used in the L7 class map to match this string in the HTTP URL. This kind of parameter-map cannot be directly attached to the policy-map: there must be an L7 class map and an L7 policy map configured first, and then it can be assigned under the L3/L4 policy map using the “service-policy” command.
OK, that’s enough theory. Let’s do something useful with our knowledge about ZFW. A real world scenario is the best example to work on. See the figure. We have a typical small-business Internet edge connection. We have internal users who are spending their worktime surfing the Internet. We have an Internet connection and some web servers there. And finally we have a DMZ where our corporate Web Server is located, serving content to Internet users via HTTP. Let’s configure the following policy on our ZFW. First, allow our internal users to connect to their favourite web sites using HTTP. We will also want other TCP-based traffic to go out. And finally ICMP traffic for troubleshooting. As our corporate policy does not allow the use of external mailboxes, we will block our users from accessing “mail.google.com” and “mail.yahoo.com”. Our Web server needs to be accessible from the Internet, so we need to configure HTTP inspection for that as well. And finally, as we are security experts we want to protect our Web Server from DoS attacks by limiting half-open connections from the Internet to 500. We should delete the oldest 200 connections when this limit is reached. OK, let’s do that in a professional way!!!
Step ONE is to configure our policy. We will be using small blocks, and then those blocks will be put together to build up our policy. OK, we will be inspecting TCP, ICMP and HTTP traffic originated from our internal network. So, we need some L3 class map to match that traffic. And here is the catch! Watch out. We cannot match all three protocols in one class-map. Why? Because we will be performing Deep Packet Inspection at Layer 7 of the HTTP protocol to disallow our users from reaching some webmail servers. So, we are configuring two class-maps: one for matching TCP and ICMP, and a second for matching HTTP only. The next small block is a Deep Packet Inspection policy for HTTP traffic. As we need to block some websites, a regex matching the domain name string will be useful. How to configure that regex? Using “parameter-map type regex”, of course. And again, be careful here. As you can see in the example, there is a dot and an asterisk before the domain name of the webmail servers. Why do we do that? These two characters mean “whatever is before the string”, which basically matches the domain name with any characters that may precede that name. This is because the IOS FW matches HTTP header fields as a string containing two regexes: one is a regex for the HTTP header field and the second is the regex configured by the user. In the HTTP protocol specification there is a space between the header field name and the header field value, and this needs to be addressed by the user when configuring the parameter-map. You can see an example of the string which needs to be matched by the “match header host” command marked green. OK, as we already know, an L7 class-map cannot be assigned to an L3 policy-map, so we need to configure an L7 policy-map first and specify “reset” as the action for matched packets. This will effectively keep users from accessing these two websites. OK, finally, the L3 policy map is configured, the L3 class-map for HTTP is attached to it and inspection is enabled.
In addition to that, we wanted to perform Deep Packet Inspection for HTTP at L7, so we attach the L7 policy map here using the service-policy command. ICMP and TCP traffic is using another L3 class map, so we are attaching it separately under the same L3 policy map. Remember that this L3 policy map will be attached as the policy under a zone-pair.
OK, time to create a policy for our Web Server. This policy will be applied to the traffic from the Internet destined to the Web Server. First, we create an ACL specifying our Web Server as the destination. That ACL is applied under an L3 class-map along with matching the HTTP protocol. Be careful here, as there are two match statements which must be met at the same time, so we need a “match-all” class-map here. Then we need to protect our Web Server against DoS attacks, so we need to configure a parameter-map allowing a maximum of 500 half-open connections. This parameter-map will be attached under the L3 policy-map just by adding the parameter-map name after the “inspect” action.
OK, we have our two policies ready. Now it’s time to configure zones and zone-pairs and attach our policies to them. In our example three zones are required: Inside-Zone for the internal network, Outside-Zone for the Internet and DMZ-Zone for the DMZ subnet where our Web Server is located. Then create zone-pairs: one for traffic between the Inside network (Inside-Zone) and the Internet (Outside-Zone), and a second between the Internet (Outside-Zone) and the DMZ network (DMZ-Zone). We should attach our policies to the zone-pairs. Again, remember that only an L3 policy map can be assigned as a policy to the zone-pair. OK, now it’s time to enable ZFW. This should be the very last step and it is nothing more than assigning physical interfaces to the appropriate zones. And that’s it! Our ZFW is up and running.
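The whole scenario from the previous slides pulled together as one configuration. This is an added example, not the configuration shown in the session or Cisco’s own; the class-map, policy-map, parameter-map and zone names, the interface names and the web server address 192.0.2.10 are assumptions, and the low-water mark of 300 half-open sessions is derived from the stated limit of 500 minus the 200 oldest sessions to be deleted.

```cisco
! ---- Inside -> Outside policy ----
! HTTP gets its own class-map: the L7 policy can only hang off a
! class that has "match protocol http", and a match-any TCP/ICMP
! class would swallow HTTP as plain TCP on first match.
class-map type inspect match-all CM-INSIDE-HTTP
 match protocol http
class-map type inspect match-any CM-INSIDE-TCP-ICMP
 match protocol tcp
 match protocol icmp
!
! Regex parameter-map; ".*" covers whatever precedes the host name
! (the "Host: " header field prefix and any leading characters)
parameter-map type regex PM-WEBMAIL
 pattern .*mail\.google\.com
 pattern .*mail\.yahoo\.com
!
! L7 (deep packet inspection) class-map and policy-map for HTTP;
! matching requests are reset, so the webmail sites are unreachable
class-map type inspect http match-any CM-L7-WEBMAIL
 match request header host regex PM-WEBMAIL
policy-map type inspect http PM-L7-HTTP
 class type inspect http CM-L7-WEBMAIL
  reset
!
! L3/L4 policy-map: the HTTP class is listed first and carries the
! L7 policy via "service-policy http"; anything else is dropped
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-HTTP
  inspect
  service-policy http PM-L7-HTTP
 class type inspect CM-INSIDE-TCP-ICMP
  inspect
 class class-default
  drop
!
! ---- Outside -> DMZ policy for the corporate web server ----
! 192.0.2.10 is a documentation-range placeholder address
ip access-list extended ACL-TO-WEBSERVER
 permit ip any host 192.0.2.10
!
! match-all: both the protocol and the destination must be true
class-map type inspect match-all CM-OUTSIDE-WEB
 match protocol http
 match access-group name ACL-TO-WEBSERVER
!
! Anti-DoS thresholds: start deleting half-open sessions at 500
! and stop at 300, i.e. the oldest 200 are removed
parameter-map type inspect PM-WEB-DOS
 max-incomplete high 500
 max-incomplete low 300
!
policy-map type inspect PM-OUTSIDE-TO-DMZ
 class type inspect CM-OUTSIDE-WEB
  inspect PM-WEB-DOS
 class class-default
  drop
!
! ---- Zones, then unidirectional zone-pairs with the L3/L4 policies ----
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security ZP-OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-OUTSIDE-TO-DMZ
!
! ---- Last step: interface membership turns the firewall on ----
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
interface FastEthernet1/0
 zone-member security DMZ
!
! ---- Verification (privileged EXEC, not config mode) ----
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair ZP-IN-OUT
! show policy-map type inspect http
```

Return traffic for the Inside-to-Outside and Outside-to-DMZ sessions is permitted by the stateful inspection; any other direction (for example Outside to Inside) has no zone-pair and stays at the default deny.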
After successful implementation we should check if everything is OK and our configuration works the way we wanted. There are a couple of show commands available. The most powerful command for checking almost all things is “show policy-map type inspect zone-pair”. We can specify a zone-pair name to narrow the command output. Anyway, this command displays the policy and counters for our inspected traffic. If we configured Deep Packet Inspection, a useful command would be “show policy-map type inspect <protocol-name>”, where the L7 policy for the specified protocol is displayed. To see our zones and the policies attached to the zone-pairs, use the “show zone security” and “show zone-pair security” commands.
OK, this is it! The end. I would like to thank you for viewing this video on demand session and I hope it was informative and useful in your studies. This session was an excerpt from our CCIE Security bootcamp and does not cover every aspect of ZFW technology. During a CCIE Security bootcamp we cover ZFW technology in greater detail to help our students master that subject and use this technology in real world scenarios. For more information about our offer please go to WWW.MicronicsTraining.com or simply send your inquiries to sales@micronicstraining.com. Thanks again for your time and good luck on the CCIE exam.