CCNP Security 350-701 Cisco Study Notes

Explanation

Stateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packets

after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically

takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This

failover process is transparent to users and does not require adjustment or reconfiguration of any remote peer.

Stateful failover for IPsec requires that your network contains two identical routers that are available to be either

the primary or secondary device. Both routers should be the same type of device, have the same CPU and

memory, and have either no encryption accelerator or identical encryption accelerators.

Prerequisites for Stateful Failover for IPsec

Complete, Duplicate IPsec and IKE Configuration on the Active and Standby Devices

This document assumes that you have a complete IKE and IPsec configuration.

The IKE and IPsec configuration that is set up on the active device must be duplicated on the standby device.

That is, the crypto configuration must be identical with respect to Internet Security Association and Key

Management Protocol (ISAKMP) policy, ISAKMP keys (preshared), IPsec profiles, IPsec transform sets, all crypto map sets that are used for stateful failover, all access control lists (ACLs) that are used in match address statements on crypto map sets, all AAA configurations used for crypto, client configuration groups, IP local pools used for crypto, and ISAKMP profiles.

MFA, or multi-factor authentication, is a method of verifying a user’s identity by requiring two or more factors, such as something the user knows (e.g. password), something the user has (e.g. phone), or something the user is (e.g. fingerprint). MFA is an effective deterrent for phishing attacks, which are attempts to trick users into revealing their credentials or other sensitive information by sending them fraudulent emails or websites that impersonate legitimate entities. MFA can prevent phishing attacks by adding an extra layer of security that is not easily compromised by the attackers, even if they manage to obtain the user’s password. For example, if the user receives a phishing email that asks them to log in to their bank account, and they enter their password on the fake website, the attacker will not be able to access the account unless they also have the user’s phone or fingerprint. MFA can also alert the user of a phishing attempt if they receive an unexpected authentication request on their phone or other device. References:

What Type of Attacks Does MFA Prevent? | OneLogin

Multi-Factor Authentication and Cyberattacks - NYU

Explanation

Vendors, security researchers, and vulnerability coordination centers typically assign vulnerabilities an identifier that’s disclosed to the public. This identifier is known as the Common Vulnerabilities and Exposures (CVE).

CVE is an industry-wide standard. CVE is sponsored by US-CERT, the office of Cybersecurity and

Communications at the U.S. Department of Homeland Security.

The goal of CVE is to make it’s easier to share data across tools, vulnerability repositories, and security

services.

Joining Cisco WSAs to an appliance group simplifies the task of patching multiple appliances. An appliance group is a collection of WSAs that share the same configuration settings and software versions. Administrators can use appliance groups to apply configuration changes and software updates to multiple WSAs at once, instead of performing these tasks individually for each appliance12. This reduces the administrative overhead and ensures consistency across the WSAs. References:

Appliance groups, section “Appliance Groups”.

What is the purpose of joining Cisco WSAs to an appliance group?