Wednesday, 3 October 2012

Modular Policy Framework


The primary function of a Cisco security appliance, or of any security appliance, is to protect internal hosts from malicious attacks originating on the outside network. To do that, the security administrator needs to manipulate and control the flow of traffic in small pieces and with a good deal of flexibility. Rate limiting traffic, deep inspection of traffic flows and blocking unauthorized flows are some of the important responsibilities of the network security administrator.
On Cisco security appliances, MPF was introduced with software version 7.0. MPF stands for Modular Policy Framework. MPF segments traffic flows into traffic classes and assigns one or more actions to each class. A class segregates the network traffic flow at the packet level: each packet is identified and matched against the attributes listed in the class map. The actions for a class are attached in a policy map, and the policy map is activated by a service policy applied either globally or to a single interface.
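As an added example, not part of the original post, here is a minimal ASA MPF configuration that ties the three building blocks together: a class map that identifies traffic, a policy map that attaches actions to that class, and a service policy that applies it to an interface. The interface names, ACL name, subnet and rate values are assumptions.

```cisco
! Added example (not from the original post): an ASA MPF policy that
! classifies HTTP traffic leaving the inside LAN, runs it through the HTTP
! inspection engine and rate-limits it on the outside interface.
! Interface names, ACL name, subnet and rate values are assumptions.
!
! 1. Identify the traffic. The ACL selects 10.1.1.0/24 to any host on
!    TCP/80; the class map matches packets against that ACL.
access-list WEB_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
!
class-map WEB_CLASS
 description Outbound HTTP from the inside LAN
 match access-list WEB_OUT
!
! 2. Attach actions to the class: application-layer inspection plus a
!    policer (1 Mbit/s with a 50000-byte burst; excess traffic is dropped).
policy-map OUTSIDE_POLICY
 class WEB_CLASS
  inspect http
  police output 1000000 50000 conform-action transmit exceed-action drop
!
! 3. Apply the policy. Only one policy map can be bound to an interface,
!    so every class meant for the outside interface belongs in this one.
!    Where the same feature is also configured in the global policy, the
!    interface policy takes precedence on this interface.
service-policy OUTSIDE_POLICY interface outside
```

Verify that the classifier is catching what you expect with `show service-policy interface outside`, which lists the packet and drop counters per class and action; a class with zero matches usually means the ACL direction or the interface binding is wrong.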

Monday, 20 August 2012

CCIE-Security LAB V4 topic/checklist



Topics you should know before sitting the CCIE Security lab exam.
1 System Hardening and Availability

  • Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
  • Understanding Four Types of Traffic Planes on a Cisco Router (Control, Management, Data, and Services)
  • Understanding Control Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Control Plane
  • Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane
  • Configuring Control Plane Policing (CoPP)
  • Control Plane Rate Limiting

Friday, 15 June 2012

DMVPN Basics



The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP).


Benefits of Dynamic Multipoint VPN (DMVPN)

Hub Router Configuration Reduction

• Currently, for each spoke router, there is a separate block of configuration lines on the hub router that defines the crypto map characteristics, the crypto access list, and the GRE tunnel interface. DMVPN allows users to configure a single multipoint GRE (mGRE) tunnel interface, a single IPsec profile, and no crypto access lists on the hub router to handle all spoke routers. Thus, the size of the configuration on the hub router remains constant even as spoke routers are added to the network.
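An added example, not from the original post and not Cisco's documentation, showing what the constant-size hub configuration looks like next to one spoke. Addresses, key strings, interface names and the AES-256/SHA-256 transform choice are assumptions. The wildcard (0.0.0.0) pre-shared key is what lets the hub accept spokes it has never heard of; it also means anyone holding that key can register as a spoke, so in production it should give way to certificate (RSA signature) authentication.

```cisco
! Added example (not from the original post). Hub side: one ISAKMP policy,
! one IPsec profile and one mGRE tunnel serve every spoke. Addresses,
! names and key strings are assumptions.
!
! --- Hub ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer address: the hub does not need to know spoke addresses.
! Anyone holding this key can register as a spoke; prefer certificates.
crypto isakmp key ExamplePSK1 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-sha256-hmac
 mode transport
! The IPsec profile replaces the per-spoke crypto map and crypto ACL.
crypto ipsec profile DMVPN_PROF
 set transform-set DMVPN_TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ! NHRP authentication is a plaintext tag that only separates NHRP
 ! domains; the real peer authentication is done by IPsec.
 ip nhrp authentication NHRPAUTH
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN_PROF
!
! --- Spoke (crypto config is identical; only the tunnel differs) ---
! The hub's public address is assumed to be 203.0.113.1.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication NHRPAUTH
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN_PROF
```

Adding a second spoke means copying the spoke tunnel block with a new tunnel address; nothing changes on the hub. On the hub, `show dmvpn` and `show ip nhrp` list the spokes that have registered, and `show crypto session` confirms that each NHRP registration is riding inside an IPsec SA rather than in the clear.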

Thursday, 17 May 2012

Encryption Technology Overview

Today, major problems for network administrators include the following:
  • Packet snooping (eavesdropping)—When intruders capture and decode traffic, obtaining usernames, passwords and sensitive data, such as the year's salary increases.
  • Theft of data—When intruders use sniffers, for example, to capture data crossing the network and keep that information for later use.
  • Impersonation—When an intruder assumes the identity of a legitimate device or user while, in fact, being neither.

Sunday, 22 April 2012

Security Context:


Cisco security appliances running version 7.0 or later support security contexts, which allow one physical appliance to be partitioned into multiple virtual firewalls. Each virtual partition is an independent device with its own interfaces, configuration and set of security policies.
Multiple context mode does not support VPN, dynamic routing or multicast routing, although static routing is supported. Both routed and transparent firewall modes are supported, but the appliance can run in only one of the two modes at a time.
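As an added example that is not part of the original post, the following carves an ASA into an admin context and one customer context from the system execution space. Interface names, VLAN numbers, context names and config-file paths are assumptions.

```cisco
! Added example (not from the original post): an admin context plus one
! customer context. Interface names, VLANs, context names and config
! paths are assumptions.
!
! Switch to multiple context mode once; this requires a reload and turns
! the current running configuration into the admin context.
mode multiple
!
! Everything below is entered in the system execution space, which owns
! the physical interfaces and hands them out to contexts.
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/1.10
 vlan 10
!
! The admin context is special: whoever can log in to it can change to
! the system space and into every other context, so guard it accordingly.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context CUST_A
 description Customer A virtual firewall
 ! Subinterfaces are allocated under mapped names so the customer's
 ! administrator never sees the physical interface layout.
 allocate-interface GigabitEthernet0/0.10 outside_A
 allocate-interface GigabitEthernet0/1.10 inside_A
 config-url disk0:/cust_a.cfg
!
! Enter the context to configure its own interfaces, ACLs and static
! routes; nothing set here is visible from CUST_B or the system space.
changeto context CUST_A
interface inside_A
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
```

From the system execution space, `show context` lists each context with its allocated interfaces and config URL; `changeto system` returns you from inside a context.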

Friday, 20 April 2012

ASA failover

Failover
The security appliance offers a failover function that provides a safeguard in the event of unit failure. When a unit fails, another immediately takes its place. The failover configuration requires two identical security appliances (same hardware model and interface layout, running the same software version) connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the units and of their active interfaces is monitored to determine whether specific failover conditions are met. If those conditions are met, failover occurs.
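As an added example, not part of the original post, here is an Active/Standby failover pair with a dedicated failover link and a separate stateful link. Interface names, addresses and the key string are assumptions; the security point a practitioner should not skip is the `failover key`, without which the failover messages, including the replicated configuration with its passwords and keys, cross the link in cleartext.

```cisco
! Added example (not from the original post): Active/Standby failover on
! two identical ASAs. Interface names, addresses and the key are assumptions.
!
! --- Primary unit ---
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Optional stateful link; without it established sessions are lost on
! switchover and clients must reconnect.
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.2.1 255.255.255.252 standby 10.255.2.2
! Shared secret protecting the failover and replication traffic. Set it
! on both units before connecting the failover link.
failover key ExampleFailoverKey
! Every monitored data interface needs a standby address: the peer uses
! it for health tests and takes over the active address on failover.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
failover
!
! --- Secondary unit (minimal; everything else is replicated from the
!     primary once the pair forms) ---
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover key ExampleFailoverKey
interface GigabitEthernet0/2
 no shutdown
failover
```

`show failover` on either unit shows the pair state, which unit is active and the per-interface monitoring status; the conditions that trigger a switchover are tuned with `failover polltime` (unit and interface hello intervals) and `failover interface-policy` (how many monitored interfaces may fail before the unit is declared failed).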