Endpoint Security CCNA

Endpoint Security

Summary

This topic explains how to use endpoint security to mitigate attacks. Start learning CCNA 200-301 for free right now!

Note: This topic is part of Module 10 of the Cisco CCNA 2 course. To follow the course in order, go to the CCNA 2 section, which guides you through the modules in sequence.

Network Attacks Today

The news media commonly covers attacks on enterprise networks. Simply search the internet for “latest network attacks” to find up-to-date information on current attacks. Most likely, these attacks will involve one or more of the following:

  • Distributed Denial of Service (DDoS) – This is a coordinated attack from many devices, called zombies, with the intention of degrading or halting public access to an organization’s website and resources.
  • Data Breach – This is an attack in which an organization’s data servers or hosts are compromised to steal confidential information.
  • Malware – This is an attack in which an organization’s hosts are infected with malicious software that causes a variety of problems. For example, ransomware such as WannaCry, shown in the figure, encrypts the data on a host and locks access to it until a ransom is paid.
Network Attacks Today

Network Security Devices

Various network security devices are required to protect the network perimeter from outside access. These devices could include a virtual private network (VPN) enabled router, a next-generation firewall (NGFW), and a network access control (NAC) device.

A VPN-enabled router provides a secure connection to remote users across a public network and into the enterprise network. VPN services can be integrated into the router.

VPN-Enabled Router

An NGFW provides stateful packet inspection, application visibility and control, a next-generation intrusion prevention system (NGIPS), advanced malware protection (AMP), and URL filtering.

NGFW

A NAC device includes authentication, authorization, and accounting (AAA) services. In larger enterprises, these services might be incorporated into an appliance that can manage access policies across a wide variety of users and device types. The Cisco Identity Services Engine (ISE) is an example of a NAC device.

NAC device

Endpoint Protection

LAN devices such as switches, wireless LAN controllers (WLCs), and other access point (AP) devices interconnect endpoints. Most of these devices are susceptible to the LAN-related attacks that are covered in this module.

But many attacks can also originate from inside the network. If an internal host is infiltrated, it can become a starting point for a threat actor to gain access to critical system devices, such as servers and sensitive data.

Endpoints are hosts which commonly consist of laptops, desktops, servers, and IP phones, as well as employee-owned devices that are typically referred to as bring your own devices (BYODs). Endpoints are particularly susceptible to malware-related attacks that originate through email or web browsing. These endpoints have typically used traditional host-based security features, such as antivirus/antimalware, host-based firewalls, and host-based intrusion prevention systems (HIPSs). However, today endpoints are best protected by a combination of NAC, host-based AMP software, an email security appliance (ESA), and a web security appliance (WSA). Advanced Malware Protection (AMP) products include endpoint solutions such as Cisco AMP for Endpoints.

The figure is a simple topology representing all the network security devices and endpoint solutions discussed in this module.

Endpoint Protection

Cisco Email Security Appliance

Content security appliances include fine-grained control over email and web browsing for an organization’s users.

According to Cisco’s Talos Intelligence Group, in June 2019, 85% of all email sent was spam. Phishing attacks are a particularly virulent form of spam. Recall that a phishing attack entices the user to click a link or open an attachment. Spear phishing targets high-profile employees or executives who may have elevated login credentials. This is particularly crucial in today’s environment where, according to the SANS Institute, 95% of all attacks on enterprise networks are the result of a successful spear phishing attack.

The Cisco ESA is a device that is designed to monitor Simple Mail Transfer Protocol (SMTP). The Cisco ESA is constantly updated by real-time feeds from Cisco Talos, which detects and correlates threats and solutions by using a worldwide database monitoring system. This threat intelligence data is pulled by the Cisco ESA every three to five minutes. These are some of the functions of the Cisco ESA:

  • Block known threats.
  • Remediate against stealth malware that evaded initial detection.
  • Discard emails with bad links (as shown in the figure).
  • Block access to newly infected sites.
  • Encrypt content in outgoing email to prevent data loss.

In the figure, the Cisco ESA discards the email with bad links.

Cisco Email Security Appliance
  1. Threat actor sends a phishing attack to an important host on the network.
  2. The firewall forwards all email to the ESA.
  3. The ESA analyzes the email, logs it, and if it is malware discards it.

Cisco Web Security Appliance

The Cisco Web Security Appliance (WSA) is a mitigation technology for web-based threats. It helps organizations address the challenges of securing and controlling web traffic. The Cisco WSA combines advanced malware protection, application visibility and control, acceptable use policy controls, and reporting.

The Cisco WSA provides complete control over how users access the internet. Certain features and applications, such as chat, messaging, video, and audio, can be allowed, restricted with time and bandwidth limits, or blocked, according to the organization’s requirements. The WSA can perform URL blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and encryption and decryption of web traffic.

In the figure, an internal corporate employee uses a smartphone to attempt to connect to a known blacklisted site.

Cisco Web Security Appliance
  1. A user attempts to connect to a website.
  2. The firewall forwards the website request to the WSA.
  3. The WSA evaluates the URL and determines it is a known blacklisted site. The WSA discards the packet and sends an access denied message to the user.
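The two flows above (the ESA discarding an email whose links are listed by the threat feed, and the WSA denying a request to a known blacklisted site) share one decision: match a URL's host against a threat-intelligence list. This added example, not code from the page or from Cisco, models both checks in plain Python; the feed entries, addresses and message are constructed placeholders, and the appliances' real matching logic is far richer.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed stand-in for the Talos feed the appliance pulls every few minutes.
# Hypothetical domains, not real indicators.
THREAT_FEED = {"bad-links.example": "malware", "phish-login.example": "phishing"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def domain_is_listed(host):
    """Return the feed category if host or any parent domain is listed, else None.
    'cdn.bad-links.example' matches 'bad-links.example'; a bare TLD never matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        category = THREAT_FEED.get(".".join(labels[i:]))
        if category:
            return category
    return None

def classify_url(url):
    """WSA-style step 3: evaluate one URL and return ('deny', category) or ('allow', None)."""
    category = domain_is_listed(urlsplit(url).hostname or "")
    return ("deny", category) if category else ("allow", None)

def filter_email(raw):
    """ESA-style step 3: scan every link in the body, log the message, discard on any hit."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    hits = []
    for url in URL_RE.findall(body):
        verdict, category = classify_url(url)
        if verdict == "deny":
            hits.append((url, category))
    log = {"from": msg["From"], "to": msg["To"], "subject": msg["Subject"], "hits": hits}
    return ("discard" if hits else "deliver"), log

# Constructed sample phishing message (not a real capture): one listed link, one clean link.
SAMPLE_EMAIL = """From: payroll@vendor.example
To: cfo@corp.example
Subject: Action required: verify your account

Please confirm at https://secure.phish-login.example/verify?id=42
Our policy page: https://www.corp.example/policy
"""

if __name__ == "__main__":
    print(filter_email(SAMPLE_EMAIL))
    print(classify_url("http://cdn.bad-links.example/payload"))
```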

Glossary: If you have doubts about any special term, you can consult this computer network dictionary.

Ready to go! Keep visiting our networking course blog and give a Like to our fanpage; you will find more tools and concepts that will make you a networking professional.
