CCIE Security v5 Blueprint Update!

Cisco CCIE
Recently, Cisco announced the new CCIE Security v5 blueprint, a much-awaited update. We now have Unified Exam Topics covering both the written and lab exams. Here's what it looks like:

Unified Exam Topics
• Perimeter Security and Intrusion Prevention
• Advanced Threat Protection and Content Security
• Secure Connectivity and Segmentation
• Identity Management, Information Exchange and Access
• Infrastructure Security, Virtualization and Automation
• Evolving Technologies

The first five sections are for the lab exam. The last one is only for the written exam and covers technologies like IoT, SDN, Cloud, etc.

Lab Exam Equipment
Most of the equipment is going virtual, so let's list what we have in the new blueprint.

Virtual Machines
Security Appliances
• Cisco Identity Services Engine (ISE): 2.1.0
• Cisco Secure Access Control System (ACS): 5.8.0.32
• Cisco Web Security Appliance…

Cisco ISE 2.1 Updates & New Features!

ISE
Cisco released the latest version of its access control and identity management software, Identity Services Engine (ISE) 2.1; the release notes can be found here. I'll just post high-level information about some of the additional features of ISE 2.1, as it's a beefy version with a lot of exciting new features to get you started. Without further ado, let's dive into the feature list.

Customizable Dashboard
You can create a new dashboard and add any of the dashlets you need to it. You can customize the tabs, dashlets, and layout; drag and drop dashlets; export data from a dashboard as an Excel or PDF file; and provide role-based access control for the dashlets. There are a number of different dashboards, i.e. Summary Dashboard,…

Cisco IronPort ESA Pipeline

PortFolio
Cisco ESA Main Features List:
• Access control: Controls access for inbound senders according to a sender's IP address, IP address range, or domain name.
• Anti-spam: Multilayer filters based on Cisco SenderBase reputation and Cisco anti-spam integration. The anti-spam reputation and zero-day threat intelligence are fueled by the Cisco security intelligence and research group named Talos.
• Network anti-virus: Network anti-virus capabilities at the gateway. Cisco partnered with Sophos and McAfee, supporting their anti-virus scanning engines.
• Advanced Malware Protection (AMP): Allows security administrators to detect and block malware and perform continuous analysis and retrospective alerting.
• Data loss prevention (DLP): The ability to detect any sensitive emails and documents leaving the corporation. The Cisco ESA integrates RSA email DLP for outbound traffic.
• Email encryption: The ability to encrypt outgoing mail to address…

How Firepower Policies Examine Traffic For Intrusions

PortFolio
When the system analyzes traffic as part of your access control deployment, the network analysis (decoding and preprocessing) phase occurs before and separately from the intrusion prevention (intrusion rules and advanced settings) phase. The following diagram illustrates, in a simplified fashion, the order of traffic analysis in an inline intrusion prevention and advanced malware protection (AMP) deployment. It shows how the access control policy invokes other policies to examine traffic, and in which order those policies are invoked. In an inline deployment, the system can block traffic without further inspection at almost any step in the illustrated process. Security Intelligence (IP SI, URL SI, DNS SI), the SSL policy, network analysis policies, file policies, and intrusion policies can all either drop or modify traffic. Only the network discovery…

FlexVPN Remote Access VPN using EAP Authentication via Cisco Identity Services Engine (ISE)

ISE, VPN
This is one of the many scenarios covered in the Lab technology guides section HERE. We will set up an AnyConnect client connected to an IOS device using IKEv2, with EAP as the client's authentication method. The responder (the IOS device) must use a certificate for authentication. User authentication will be performed using EAP: the AnyConnect client user will be configured on the RADIUS server (Cisco Identity Services Engine in this case), and authentication and authorization will be performed accordingly. We will use a Windows XP host with AnyConnect Secure Mobility Client v4 installed to run this scenario, based on the sample topology diagram below. Here's a snippet of the ISE configuration steps: set up a Network Device in ISE for HQ RTR under Administration -> Network Resources -> Network Devices. Create RA VPN user as and…

CCIE RS v5 IGP Sample Topology

PortFolio
CCIE RS v5 IGP Sample Topology & Core Topics:
• TCP/IP (IPv4/IPv6)
• Access, VLAN, Trunking, STP, LACP/PAgP, PPP, CHAP/PAP
• Routing (admin, static, default, dynamic, filtering, summarization, redistribution)
• RIP, EIGRP, OSPF, ISIS*, BGP and Intra-domain PIM
• MPLS VPN, DMVPN, GRE
• Device vs Network Security (L2/L3)
• System management (SNMP, Logging, Lines)
• Quality of Service (MQC)
• Network Services (FHRP, NTP, DHCP, NAT)
• Network Optimization (SLA, Tracking, NetFlow, EEM, PfR*)

Cisco ACS 5.8 New Features

ACS
If you are running Cisco Access Control Server in your environment and plan to upgrade to the latest 5.8 version, listed below is a sneak peek at the new feature list. Remember, these are in addition to the detailed scenarios covered in our Cisco ACS 5.X Deployment guide.

Active Directory Enhancements
The ACS 5.8 web interface includes the following new options in the Active Directory page: Advanced Tuning, Authentication Domains, Diagnostic Tool, Ambiguous Identity Resolution, and Enable Kerberos for PAP authentications, to name a few.

Authenticating Administrators against RADIUS Identity and RSA SecurID Servers
Previous releases of ACS supported authenticating ACS administrators only against AD or LDAP external identity stores. ACS 5.8 adds support for authenticating administrators against RADIUS Identity and RSA SecurID servers. This feature is available in…

ASA FirePOWER Module Traffic Flow in the ASA

PortFolio
Traffic flow illustrating how the ASA handles traffic with the FirePOWER services module:
• Traffic enters the ASA.
• Incoming VPN traffic is decrypted (if using VPN).
• Firewall policies are applied.
• Traffic is sent to the ASA FirePOWER module.
• The ASA FirePOWER module applies its security policy to the traffic and takes appropriate actions.
• Valid traffic is sent back to the ASA; the ASA FirePOWER module might block some traffic according to its security policy, and that traffic is not passed on.
• Outgoing VPN traffic is encrypted.
• Traffic exits the ASA.