Cisco 300-710 - Securing Networks with Cisco Firepower (300-710 SNCF)

Based on the Attacks Risk Report, DNS is associated with a high number of impact events (16). DNS traffic is critical for network operations but can also be exploited for malicious activities such as DNS tunneling, DDoS attacks, and data exfiltration. To improve security, the security engineer should focus on inspecting DNS traffic. This involves deploying DNS security solutions and monitoring DNS traffic for anomalies to detect and mitigate potential threats.

Steps:

Implement DNS security tools such as DNS filtering, DNSSEC, and DNS anomaly detection.

Configure the firewall to inspect DNS traffic for malicious activities.

Regularly analyze DNS logs to identify and respond to threats.

This action addresses a significant risk identified in the report and helps to mitigate potential attacks exploiting DNS.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_management_center_high_availability.html

Transparent mode is a firewall configuration in which the firewall acts as a “bump in the wire” or a “stealth firewall” and is not seen as a router hop to connected devices. In transparent mode, the firewall can forward traffic at both layer 2 and layer 3 for the same subnet, as it does not perform any address translation or routing. The firewall inspects the traffic and applies security policies based on the source and destination IP addresses, ports, and protocols. Transparent mode is useful when you want to deploy a firewall without changing the existing network topology or addressing scheme1.

To streamline the process of reviewing events and modifying blocking of specific files across both the firewall console and the endpoint console, the security engineer should initiate the integration between Secure FMC and Cisco Secure Endpoint (formerly AMP for Endpoints) from the Secure FMC using the AMP tab.

Steps:

In the FMC, navigate toDevices > Device Management.

Select the device and go to theAMPtab.

Initiate the integration by configuring the necessary API credentials and linking the FMC to the Cisco Secure Endpoint console.

This integration allows the security engineer to view endpoint events and apply blocking actions directly from the FMC, consolidating the management tasks.

This approach simplifies the workflow by providing a single interface to manage both network and endpoint security, reducing the time and effort required to maintain security across the organization.

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices. However, like any other firewall, access control between interfaces is controlled, and all of the usual firewall checks are in place. Layer 2 connectivity is achieved by using a "bridge group" where you group together the inside and outside interfaces for a network, and the ASA uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. You can have multiple bridge groups for multiple networks. In transparent mode, these bridge groups cannot communicate with each other.https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/intro-fw.html

To allow access to a specific banking site over HTTPS, the network administrator must use SSL decryption (also known as SSL/TLS inspection) and specify the URL. This is because HTTPS traffic is encrypted, and the firewall needs to decrypt the traffic to inspect the URL and enforce the access rule.

Steps:

Enable SSL Decryption: Configure SSL policies to decrypt the HTTPS traffic.

Specify the URL: Define the URL of the banking site in the access control policy, ensuring that the decrypted traffic is inspected and allowed based on the specified URL.

This method ensures that only the desired banking site is accessed over HTTPS, while other HTTPS traffic can be filtered or blocked according to the organization's security policies.