350-401 ENCOR – Cisco CCIE Enterprise – Security part 5
January 27, 2023

16. API Security

Now we know what the API is and how we can use it. Let’s discuss the security concerns related to the API. What is the problem with the API? Here you can see that inside your IT infrastructure you may have an application recognition engine, that is NBAR, and you may also want location info, your MDM info, your app inventory info, your firewall logs, threat analysis, NetFlow, et cetera. So you have a long list of devices or appliances that you want to manage, correct? And that is not possible with a single API. So what does that mean? If you go and check the traditional API, you’ll find that it is a single-purpose function, it is very fixed and hard to change in its interfaces or configuration, and it has predefined data actions.

That’s a big limitation. Data exchange we will discuss on the next slide. They have very poor polling technology and they have loose security. So overall the structure of the traditional API is not great for solving the problem we have with the IT infrastructure: when you are collecting all this information from the IT infrastructure and you want to do the analysis, it is actually very difficult to do, and again we have the security concern as well. So to solve this problem we have pxGrid.

Cisco has introduced pxGrid and it can be integrated, for example, with Identity Services Engine. We have one service or one module for pxGrid inside ISE. What can pxGrid do? It is a multi-vendor, cross-platform supported service. It works on the publisher and subscriber model, and we have the customization option. When we integrate pxGrid with ISE, then we can go and find out who, what, when and where the endpoints have done what. That means we have visibility and control over the endpoints, and those endpoints may be anything: wired, wireless, IoT, mobile, et cetera. So that is the power pxGrid gives us when we integrate it with ISE. Here you can see that you have your ISE, you have integrated ISE with pxGrid, and then you have your IT infrastructure.

Obviously you are getting feeds from many different appliances and devices. And again you have your Cisco network as well, where you have different types of wired or wireless devices. So all this information is collected with the help of pxGrid and you can do the analysis inside ISE. Who, what, when, where, how: that is the context. We are getting the context, and that is why we say we have context-aware networking, and that is actually the evolution of DNA as well. If you go and check Digital Network Architecture you’ll find that at the level of the networking devices we have programmable chips, and then at the level of ISE we have ISE as an identity service that can be integrated with all these devices with the help of pxGrid to get the context. And once you have the context, then you can derive some output from there. Here you can see that from pxGrid 1.0 there is a huge change in 2.0: you don’t have an SDK or language dependency, and it uses WebSockets and a REST API over the STOMP messaging protocol. So it has a robust socket model: how it is going to use the socket, how it is going to use the messaging protocol, how it is going to connect with the various appliances, because obviously you have to open a socket to connect to different appliances. These things have been drastically improved in pxGrid. Now, while we are building the security architecture, as we increase the capability the security risk is also increasing, and obviously an increase in capability means an increase in complexity.

So there are multiple factors where we want to close the gap. How can we close the gap? Obviously we have one solution with pxGrid. But here you can see the overall security picture from Cisco. At the bottom, let me try to highlight it, you can see that you have your networking devices, that’s why they are termed infrastructure devices, and you have endpoints such as phones, IoT devices and printers, and infrastructure such as routers and wireless. Now these endpoints can go and directly get services from cloud-hosted services like Talos, AMP Threat Grid, the CTA (Cognitive Threat Analytics) engine and Cisco Umbrella; that is the security layer.

So this is the security perimeter over the cloud, correct? Then for the wireless devices, if you have wireless users, obviously you want to give them DNS security, so they can be integrated with Umbrella. And then you have your network devices where you have configured NetFlow, so the StealthWatch collector or StealthWatch Management Console can get all the input, and you have the visibility, correct? Again you have the perimeter firewall, and you have the identity service integrated with all or most of the devices that we have. In between you can see that we have pxGrid, and the nice thing about pxGrid is that it gives us the capability to do SIEM. Now SIEM is nothing but security information and event management. If you look at the diagram you will find ISE, FMC, WSA (that is the Web Security Appliance) and ESA (Email Security Appliance). These devices are connected with the SIEM infrastructure, and all the information that we have we again give to the SIEM. Now again, if you want to learn more about SIEM, Cisco has nice documents related to security information and event management. There are many nice deployment guides available as well that we can go and refer to. So to provide overall security related to the API, we can go and do the integration with the generic API, the Firepower API, the Threat Grid or AMP API, etc., and in that way we can provide security at the level of the API.

17. Section 5.4 Wireless Security

In section 5.4 we have to learn about wireless security features like EAP, WebAuth and PSK. But we’ll start this topic with wireless security basics and then we’ll go and check the different types of authentication methodology. Slowly we’ll go to the WLC wireless security section where we can go and configure these parameters. Okay, so let’s start the wireless security section.

18. Basics of Wireless LAN Security

Let us understand the basics of wireless network security, and in the first place why we need this basic network security: what is the actual need for security? That’s the main thing. Now what is happening: whenever we have a wireless network we know that it is broadcasting its network, and that is nothing but the SSID. Anyone who knows that particular secret key can join it, and once he can join, then he can go and sniff the other users in the network. So again you can see here that if someone is capturing the data or capturing the packets in between the user, or the client, and the transmitter, which is nothing but the AP, then he can take over that role and he can go and connect to the AP.

That’s one use case, although there are other use cases as well: someone can hinder the client, someone can do some sort of DoS attack, et cetera. So the threat is open, because once you are in the open air the threat is there. Now how do we reduce this? That’s the one important question we have, and what methodologies we have we are going to see one by one. So one method could be that whenever you are joining the network you should do authentication with the access point, so you can tell it: okay, I am this; are you looking for this, or do you have a database with my credentials? If yes, then okay, you can go and connect to the SSID. Now there is the option that your database is a secure database and it is stored somewhere, maybe in Active Directory or maybe on some secure server. That is the one use case that we have.

Now in this case, when you are doing the authentication, you still should not do the authentication in plain text, because there is a chance that a man-in-the-middle attack will happen. Someone will go and intercept your communication and can get the user ID or password, or maybe someone can come with the same SSID near you and then you think it has the same username and password, et cetera, and then you connect to that AP. The moment you connect to that AP and start communicating, you will be hacked, correct? So the chances are there: someone can spoof, someone can do some sort of denial of service attack, someone can intercept and get the messages, because again everything is happening in the open air.

So what can we do to protect against that? We have options. We can go for message privacy, message integrity and intrusion protection. All these things we have; again, in the upcoming section we’ll learn more about privacy, authentication, integrity and intrusion protection. Okay? All right, so privacy means that we are going to use some sort of encryption, and when we are talking about encryption that means when I am sending my password, then that password is in some encrypted form. So if someone tries to intercept the communication, he will not get the key that I have. If it is symmetric encryption, obviously both sides use the same key: one side locks, the other side unlocks, the same key used in the reverse direction to open it. That’s the one thing. The second thing is integrity, and that will be achieved by some sort of authentication, some sort of message digest keys. So what is happening in this? You are sending your packet with the encrypted key, but on top of that you can go and put some sort of mechanism. You can think of it, for this example, as a message integrity check, MIC, that is some sort of a stamp, and you will send it. Now the other side, who is getting that packet, will go and open it, and if they formulate the same stamp, running the same algorithm, and get the same output, that means this client is legitimate, and they accept the communication or accept the username and password. Okay.
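To make the stamp idea concrete, here is an added example (not from the course and not Cisco’s code) of a receiver recomputing a message integrity check with a shared key and rejecting altered or forged frames. It uses HMAC-SHA256 as the stamp algorithm and a constructed key and frame; the real WLAN MIC is a different construction, this only shows the principle.

```python
import hmac
import hashlib

# Constructed shared key that both the client and the AP already hold (in a
# real WLAN the MIC key comes out of the handshake; it is hard-coded only here).
SHARED_KEY = b"constructed-demo-shared-key"
MIC_LEN = hashlib.sha256().digest_size

def attach_mic(key: bytes, payload: bytes) -> bytes:
    """Sender side: append the 'stamp' (here HMAC-SHA256, standing in for the
    WLAN MIC algorithm) computed over the payload with the shared key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify_mic(key: bytes, frame: bytes) -> tuple[bool, bytes]:
    """Receiver side: split off the stamp, recompute it with the same key and
    algorithm, and accept the payload only when both stamps match."""
    if len(frame) < MIC_LEN:
        return False, b""
    payload, received = frame[:-MIC_LEN], frame[-MIC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest does not reveal through timing where the stamps differ
    if hmac.compare_digest(received, expected):
        return True, payload
    return False, b""

def demo() -> dict:
    """Three frames: untouched, altered in the air, and built without the key."""
    frame = attach_mic(SHARED_KEY, b"user=alice;action=join-ssid")
    untouched_ok, _ = verify_mic(SHARED_KEY, frame)
    tampered = bytearray(frame)
    tampered[5] ^= 0x01            # constructed one-bit change to the payload
    tampered_ok, _ = verify_mic(SHARED_KEY, bytes(tampered))
    forged = attach_mic(b"wrong-key", b"user=alice;action=join-ssid")
    forged_ok, _ = verify_mic(SHARED_KEY, forged)
    return {"untouched": untouched_ok, "tampered": tampered_ok, "forged": forged_ok}

if __name__ == "__main__":
    print(demo())  # {'untouched': True, 'tampered': False, 'forged': False}
```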

So that’s integrity, and that’s very much the same thing we are using in VPNs as well. In a VPN also we are using this message integrity, and for that we are using hash values like MD5, etc. The third option we have is intrusion protection. Again, whenever we are talking about intrusion protection we are dealing with anomalies, we are dealing with signatures, we are dealing with some sort of deviation from the normal behavior, correct? So that means if you have some known behavior and that is not what is detected, some anomaly is there. Or if you have some sort of signatures.

Signatures again: any type of protocol has some format in terms of a signature, or is actually written in the signature. Suppose HTTP or HTTPS, those protocols: if there is a deviation, or we can say some sort of malformation, inside the signature. Remember what a firewall is doing: it’s a perimeter device, it will check source IP, destination IP, et cetera. It will not go deep inside the application and check: this application was okay up to this point, and after that there is some virus, there is some malicious code, et cetera. So it can go deep: up to 17 different types of signature the wireless WLC can detect, and then it can take action like an IDS does. Here you can see the security threats if you go and categorize them. We may have threats with rogue devices, ad hoc networks, client association problems, and active or passive attacks like DoS and other such attacks. Now what is a rogue device? Some device which is in your network and which somehow gets connected to your wired network. Our WLC has the capability to detect rogue devices as well, so it can discover both kinds of devices. So these are the challenges we have and these are the theoretical options for wireless security. Later on we’ll go and check what type of protection mechanisms we have inside the wireless network.

19. Wireless Client Authentication Method

Let us understand the wireless client authentication methods and what types of methods we have. We will go and check these in the upcoming sessions as well. Now we know that the AP is broadcasting its network, that’s the SSID, and there are two options. One is that we have open authentication. Now what is open authentication? You may have seen this thing, for example in coffee shops or maybe in the airport: if you go and open your mobile phone or your laptop you will find that you are getting some network. But if you check that network you will find it is indicating that, okay, although this network is there, it is unsecured.

And if you go and click there and try to join the network, then it will redirect you towards some sort of web authentication, meaning one web page will open where you have to put the username and password, and then you’ll get access to that particular network. Now this is the example related to open authentication. The second example we have here is related to WEP, Wired Equivalent Privacy. In this case we are using encryption; here you can see that we have RC4 as the cipher algorithm, and that encryption is symmetric encryption, meaning the same key does encryption and decryption. WEP is known as a shared-key security method, and the key length for WEP you can see here.

You can see that it will be between 40 and 104 bits. Okay, so that is still okay to use as an authentication method, but still there are problems. So what problem do you have? At this point in time, when you are doing the authentication with, say for example, the AP, and then say for example the authentication happened, then what about authorization? Meaning you have done the authentication, and then do you have full access to the network, or does anyone have full access to the network? So we are still away from the methodology where we can authenticate with the network device and then that network device will go behind the scenes and authenticate with the secure server, the secure database, and from that database some sort of authorization piece will come, and then my device will get the authority to access the network, or whatever network access you want to do.

Okay, so we are still stuck with open authentication and WEP, and that’s why Cisco and other vendors have introduced EAP. EAP, as the name suggests, is the Extensible Authentication Protocol. And why Cisco and other vendors chose the Extensible Authentication Protocol is because of its extensibility. Already this protocol is used in the wired realm: in the wired network they are using EAP, and it’s the common standard IEEE 802.1X. We used to have that, but in wireless also we can use EAP. So how is EAP working? To understand EAP better and properly, we should understand these three terms. The user is the supplicant, or the end machine is the supplicant. Then you have the authenticator.

So for example the WLC in our case, and then we have the authentication server, which may be integrated with a local database or an external database; it’s up to the use case, correct? So what is this EAP going to do? Here we can see that the client uses open authentication to associate with the AP, and then the actual client authentication process occurs at a dedicated authentication server. So what is happening here is that first of all the client will go and do the open authentication. So your supplicant will go and do the authentication with the network device; these are the NAD or NAS. So you have the first level of authentication here, but still you are not authorized to do everything in the network.

So in between this WLC and the RADIUS server, or authentication server, we have the RADIUS protocol running in between. Okay, so that is the exchange for the access. So again the WLC will pass those user credentials through to the ACS or the ISE server, or any type of server that is going to do the authentication. And then the authorization things will come back, and then the supplicant, or the user, will be authorized for that particular network access. So that’s the common term we have and the common standard we have: 802.1X is using the EAP framework. So what we are going to do now, in the next section, is go and study what different types of EAP methodologies we have in the wireless network.
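As an added example, not from the course and not Cisco’s code, here is a small Python model of the three 802.1X roles described above: the supplicant answers a challenge, the authenticator (WLC) only relays it, and the authentication server checks a constructed user database and returns the authorization (a VLAN) together with the accept. The HMAC challenge-response stands in for a real EAP method, the dict messages stand in for RADIUS packets, and all names, passwords and VLANs are made up.

```python
import hmac
import hashlib
import secrets

# Constructed user database; only the authentication server (ISE/ACS or a local
# database in the lecture) holds it. Names, passwords and VLANs are made up.
USER_DB = {
    "alice": {"password": "alice-demo-pass", "vlan": 20},
    "printer-01": {"password": "printer-demo-pass", "vlan": 30},
}

def challenge_response(password: str, nonce: bytes) -> bytes:
    """Proof of the password that never puts it on the air in plain text:
    an HMAC over the server's nonce (a stand-in for an EAP challenge method)."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()

class Supplicant:
    """End machine / user. Only the supplicant and the server know the password."""
    def __init__(self, identity: str, password: str):
        self.identity, self._password = identity, password
    def respond(self, nonce: bytes) -> bytes:        # EAP-Response to the challenge
        return challenge_response(self._password, nonce)

class AuthenticationServer:
    """RADIUS-side role: verifies the credential and returns the authorization."""
    def __init__(self, users: dict):
        self.users = users
    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)
    def access_request(self, user: str, nonce: bytes, response: bytes) -> dict:
        entry = self.users.get(user)
        if entry is None or not hmac.compare_digest(
                challenge_response(entry["password"], nonce), response):
            return {"result": "Access-Reject"}
        return {"result": "Access-Accept", "vlan": entry["vlan"]}  # authorization attribute

class Authenticator:
    """WLC / NAD role: associates the station with open authentication, then relays
    EAP between station and server over RADIUS. It holds no password database."""
    def __init__(self, server: AuthenticationServer):
        self.server, self.port_state = server, {}
    def authenticate(self, station: Supplicant) -> dict:
        nonce = self.server.new_challenge()             # EAP-Request relayed to station
        response = station.respond(nonce)               # EAP-Response relayed to server
        verdict = self.server.access_request(station.identity, nonce, response)
        if verdict["result"] == "Access-Accept":
            self.port_state[station.identity] = {"authorized": True, "vlan": verdict["vlan"]}
        else:
            self.port_state[station.identity] = {"authorized": False}
        return self.port_state[station.identity]
```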
