Monday, 11 July 2016

Cisco Unveils Three DNA Network Security Technologies

Cisco has announced three new security applications that will form part of its Digital Network Architecture for embedding security software solutions within network infrastructure.

Cisco has announced three new technologies for its Digital Network Architecture (DNA) solution to enable network engineers, application developers, channel partners, and IT customers to embed improved and simplified security within their network infrastructure layer: Umbrella Branch, Stealthwatch Learning Network License, and Meraki MX Security Appliances with Advanced Malware Protection (AMP) and Threat Grid.

All three are designed to address the security threats that come with mobility and cloud adoption, according to the networking giant.

The first technology, Cisco's Umbrella Branch cloud-delivered security software, provides businesses with increased control over guest Wi-Fi usage via content filtering. It can be activated on the Cisco Integrated Services Routers (ISR) 4000 Series, and works to filter and block malware, command and control (C2) callbacks, and phishing threats before they reach the network.

The company's second new DNA security technology, the distributed machine-learning Cisco Stealthwatch Learning Network, was acquired as part of Cisco's $452 million Lancope purchase.

It utilises what Cisco labels "adaptive security anomaly detection" to allow the ISR 4000 Series to analyse and identify malicious traffic and data on the network device itself, providing protection against threats at the branch.

"Stealthwatch Learning Networks -- this is the ability to simply upgrade software through branch infrastructure," David Goeckeler, senior vice president and general manager of Cisco's Networking and Security Business, said during the keynote speech by CEO Chuck Robbins at Cisco Live Las Vegas on Monday morning.

"All of your branch routers then work with each other to understand where anomalies are in the network, and search things that shouldn't be there."

Lastly, Cisco Meraki MX Security Appliances with AMP and Threat Grid form an enterprise unified threat-management (UTM) system that enables network administrators to locate, manage, and remediate security threats by combining Meraki cloud management with Cisco's threat-protection software. The solution works through an automated cloud-based system for checking files against cloud databases to locate and block malicious content.

"Organisations need to address the expanding threat landscape across mobility and cloud, while facing increasingly sophisticated security attacks," Jeff Reed, senior vice president of Networking Infrastructure and Solutions at Cisco, said.

"With DNA, Cisco is reinventing how we secure networks for the digital era by embedding advanced security capabilities into a single network architecture. But technology alone isn't enough; we are also preparing IT professionals with new skills, training network-savvy developers, and helping customers navigate the journey to digital-ready networks."

In addition to these three Cisco security services, Nectar Services also announced a quality-of-service (QoS) application for DNA.

Nectar, a network monitoring, management, and diagnostic software provider, said the application optimises voice, video, and collaboration traffic for Cisco Unified Communications Manager and Microsoft Skype for Business, both of which run on Cisco-based networks.

"One of the fundamental challenges we consistently see in UC [unified communications] environments is the inconsistent deployment of QoS across the enterprise network that can negatively impact the end-user experience," said Nectar CTO Joseph Fuccillo.

"Nectar Evolution brings simplicity, automation, and repeatability that can ensure consistent end-to-end QoS in Cisco and Microsoft UC environments."

Nectar said the application provides UC-device-agnostic configuration, reduces the total cost of ownership, and improves the overall UC and end-user experience by using its policy engine with a pre-determined QoS policy deployed through DNA.

DNA, first unveiled in March, allows engineers, developers, partners, and customers to build and manage what Cisco calls "digital-ready networks".

Cisco said the DNA announcement is the "most significant change" to its enterprise networking model ever, and flagged its intentions to build out a portfolio of security applications for the network-management solution.

Part of the Cisco One suite, DNA was designed to complement its Application Centric Infrastructure (ACI) for datacentre and connected clouds management. Along with the original announcement, Cisco outlined a new APIC-EM Automation Platform; the Cisco Plug and Play cloud automation service; intelligent WAN; network settings management labelled Easy Quality of Service; an upgraded version of its network operating system, named Cisco IOS XE, including network function virtualisation (NFV) for carriers to offer services; and analytics-as-a-service product CMX Cloud.

During his keynote, Robbins labelled security as being critical to Cisco's overarching strategy. The company also announced three other security products on Monday: Cisco Umbrella Roaming, Defense Orchestrator, and Security for Digital Transformation.

Wednesday, 8 June 2016

Pass4sure 200-120 Question Answer

A network interface port has collision detection and carrier sensing enabled on a shared twisted pair network. From this statement, what is known about the network interface port? 

A. This is a 10 Mb/s switch port.
B. This is a 100 Mb/s switch port.
C. This is an Ethernet port operating at half duplex.
D. This is an Ethernet port operating at full duplex.
E. This is a port on a network interface card in a PC.

Answer: C

Monday, 9 May 2016

Pass4sure 200-120 Question Answer

Refer to the exhibit.

After HostA pings HostB, which entry will be in the ARP cache of HostA to support this transmission?

Exhibit A
Exhibit B
Exhibit C
Exhibit D
Exhibit E
Exhibit F

Answer: A

Tuesday, 5 April 2016

Considerations For Patching The Cisco ASA Vulnerability

A critical vulnerability in the Internet Key Exchange (IKE) code used in Cisco Adaptive Security Appliances (ASA) that could allow an attacker to remotely execute code was discovered earlier this year. There are no workarounds to this vulnerability, but Cisco has released a patch. Here are a few points to consider when applying this important patch.

About the Cisco ASA Vulnerability

The Cisco ASA IKE buffer overflow is a critical vulnerability that requires a proactive response. Since this vulnerability affects network perimeter defense mechanisms and could allow an intruder to execute arbitrary code and obtain full control of an affected system, I urge professionals to take a close look at possible Cisco ASA remediation actions.

In general, most people think of installing the vendor’s patch as a first resort. While this is advisable, it may not always be feasible. Sometimes the patch is not yet available; in some cases, it can take a vendor days or weeks to issue a patch. Even when the patch is available, some systems might not be able to accommodate it due to limited resources (e.g., memory, processing or HDD space) or other constraints. For example, Cisco ASA appliances may require memory upgrades before installing the patch.

In instances where a patch is not available or cannot be installed, there are other approaches to remediation — such as secondary control patching or configuration setting modification — that organizations may consider.

Let’s take a look at the most common mitigation approaches, starting with the vendor patch.

Installing the Vendor Patch

When possible, a vendor’s patch should be installed on the affected systems to mitigate the vulnerability. But this requires some due diligence before applying the patch; carefully review the requirements and prerequisites for successful patching below.

  • Patch Analysis: Have you reviewed the requirements and prerequisites for the patch? (For example, does the device have enough memory to support the patched software image?)
  • Change Management: Do you have a change record? It is useful to capture the current configuration of the firewall before installing patches, so that it can be compared and restored afterwards.
  • Patch Testing: Have you tested the patch before deploying it to production devices? In a testing environment, perform the following activities:
      • Use a vulnerability scanner such as Nessus (Plugin ID 88713) to confirm that the system is vulnerable before patching.
      • Validate that the patch was installed properly by reviewing the patch logs and the running software version.
      • Use an exploitation toolkit such as Core Impact to confirm that the patch effectively mitigated the vulnerability.
  • Disaster Recovery and Business Continuity: What if the device fails during the patch installation? Is there a firewall backup in case a rollback is required? Are the ASAs deployed in a high-availability design to keep the network and business running during the patching?

Deployment Time Frame

If you are patching many ASA firewalls, it might take some time. If you are unable to patch all your firewalls at once, or if a vendor patch is not yet available, consider one of the below options to help protect your network while the process is completed.

Even before a vendor's patch is available, many intrusion prevention system (IPS) vendors update their IPS signatures to detect and block exploits for newly disclosed vulnerabilities, including zero-days. IBM has used this mechanism for more than a decade under the name virtual patch technology.

Virtual patching can provide an additional layer of protection in front of affected Cisco ASA firewalls and help ensure exploits targeting firewalls are detected and blocked before impact. Many vendors released IPS definitions for the ASA IKE vulnerability:

  • IBM X-Force has published XPU 36.021 for the Cisco ASA Software IKEv1 and IKEv2 buffer overflow vulnerability. The signature is: ISAKMP_CiscoASA_Fragmentation_Overflow.
  • Cisco has an IPS signature 7169-0 and Snort ID: 36903 for this vulnerability.

Configuration Settings Modifications

When a vendor's patch is not available, configuration changes can be useful and effective if used properly. For example, disabling the affected service (here, IKE) means losing the virtual private network (VPN) capability of the firewall, but in return you remove the network-reachable code path that the vulnerability lives in, so it can no longer be exploited remotely.

Disabling IKEv1 and IKEv2 will limit the exposure until the patch is deployed. On the ASA, IKE is enabled per interface, so disable it on every interface on which it is enabled (here, the interface named outside):
  •     no crypto ikev1 enable outside
  •     no crypto ikev2 enable outside
Confirm afterwards with show running-config crypto that no crypto ikev1 enable or crypto ikev2 enable line remains.
If the VPN service is mandatory, you could add an access control list on the Internet-facing interfaces that blocks UDP 500 (ISAKMP) and UDP 4500 (NAT-T) from all sources except the trusted ASA peers, so that incoming IKE transactions are only accepted from known addresses. Because IKE packets are addressed to the ASA itself rather than forwarded through it, that ACL must be applied as a control-plane ACL (access-group <name> in interface <interface> control-plane); a normal interface access-group only filters through-the-box traffic and leaves IKE reachable. This restriction only works for site-to-site peers with fixed addresses; for remote-access users whose addresses are not known in advance it cannot be applied, and the patch remains the only fix.
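As an added example (not part of the original article and not Cisco's code), the following Python script audits saved running-config text for exactly this condition across many ASAs: it parses the crypto ikev1/ikev2 enable lines, the access-list entries and the control-plane access-group binding, then evaluates the ACL first-match, as the ASA does, for an arbitrary Internet host against UDP/500 and UDP/4500 on each IKE-enabled interface. The ACL name IKE_PEERS, the interface name outside and the TEST-NET addresses are assumptions; both configs are constructed, and the WEAK one deliberately binds the same ACL without the control-plane keyword to show that a through-the-box interface ACL leaves IKE reachable.

```python
"""Audit ASA running-config text for IKE exposure (added example, constructed input).
Evaluates, first match wins, whether an arbitrary Internet host could still reach
UDP/500 or UDP/4500 on each interface where IKEv1/IKEv2 is enabled."""
import ipaddress
import re
from collections import namedtuple

IKE_PORTS = (500, 4500)                         # ISAKMP and NAT-T
PORT_NAMES = {"isakmp": 500}                    # ASA accepts the name in place of 500
ANY = ipaddress.ip_network("0.0.0.0/0")
PROBE_SRC = "192.0.2.99"                        # TEST-NET-1 host standing in for "anyone"

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
IKE_RE = re.compile(r"^crypto ikev([12]) enable (\S+)$")
CP_ACL_RE = re.compile(r"^access-group (\S+) in interface (\S+) control-plane$")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)$")
IPADDR_RE = re.compile(r"^\s+ip address (\S+) \S+$")

Ace = namedtuple("Ace", "action proto src dst port")
Exposure = namedtuple("Exposure", "versions control_plane_acl open_ports")

def _addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Return (acls, ike_by_iface, control_plane_acl_by_iface, ip_by_iface)."""
    acls, ike, cp_acl, iface_ip, nameif = {}, {}, {}, {}, None
    for line in text.splitlines():
        if m := NAMEIF_RE.match(line):            # nameif precedes ip address in ASA output
            nameif = m.group(1)
        elif m := IPADDR_RE.match(line):
            iface_ip[nameif] = ipaddress.ip_address(m.group(1))
        elif m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, i = _addr(tokens, 0)
            dst, i = _addr(tokens, i)
            port = None
            if i < len(tokens) and tokens[i] == "eq":
                port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, port))
        elif m := IKE_RE.match(line):
            ike.setdefault(m.group(2), set()).add("ikev" + m.group(1))
        elif m := CP_ACL_RE.match(line):
            cp_acl[m.group(2)] = m.group(1)
    return acls, ike, cp_acl, iface_ip

def first_match(aces, src, dst, port):
    """ASA ACLs are evaluated top-down, first match wins, implicit deny at the end."""
    for ace in aces:
        if ace.proto not in ("ip", "udp") or src not in ace.src:
            continue
        if ace.dst != ANY and (dst is None or dst not in ace.dst):
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action
    return "deny"

def allowed_from(text, src_ip, iface, port):
    """Can src_ip reach UDP/port on the ASA's own address on iface? Only a control-plane
    ACL filters to-the-box traffic; a normal interface access-group does not."""
    acls, _, cp_acl, iface_ip = parse_config(text)
    acl = cp_acl.get(iface)
    if acl is None:
        return True
    return first_match(acls.get(acl, []), ipaddress.ip_address(src_ip), iface_ip.get(iface), port) == "permit"

def audit(text):
    """Return {interface: Exposure} for every interface with IKE enabled."""
    _, ike, cp_acl, _ = parse_config(text)
    return {
        iface: Exposure(tuple(sorted(v)), cp_acl.get(iface),
                        tuple(p for p in IKE_PORTS if allowed_from(text, PROBE_SRC, iface, p)))
        for iface, v in ike.items()
    }

# Constructed configs (no real device). Both restrict IKE to one trusted peer
# (198.51.100.7) with the same ACL; only HARDENED applies it to the control plane.
COMMON = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
access-list IKE_PEERS extended permit udp host 198.51.100.7 host 203.0.113.2 eq isakmp
access-list IKE_PEERS extended permit udp host 198.51.100.7 host 203.0.113.2 eq 4500
access-list IKE_PEERS extended deny udp any host 203.0.113.2 eq isakmp
access-list IKE_PEERS extended deny udp any host 203.0.113.2 eq 4500
access-list IKE_PEERS extended permit ip any any
crypto ikev1 enable outside
crypto ikev2 enable outside
"""
HARDENED = COMMON + "access-group IKE_PEERS in interface outside control-plane\n"
WEAK = COMMON + "access-group IKE_PEERS in interface outside\n"

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        for iface, e in audit(cfg).items():
            print(f"{label}: {iface} {'/'.join(e.versions)} acl={e.control_plane_acl} open={e.open_ports}")
```

Run it over the saved output of show running-config from each ASA before and after the change: any interface reported with a non-empty open_ports is still exploitable from the Internet and should be at the front of the patching queue. The trailing permit ip any any in the constructed ACL matters, because a control-plane ACL ends in the same implicit deny as any other ASA ACL and would otherwise cut off all other to-the-box traffic.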

Pass4sure 200-120 Question Answer

A network administrator is verifying the configuration of a newly installed host by establishing an FTP connection to a remote server. What is the highest layer of the protocol stack that the network administrator is using for this operation? 

A. application
B. presentation
C. session
D. transport
E. internet
F. data link

Answer: A