300-515 SPVI | CCNP Service Provider | Syllabus | Questions | Exam Info | All You Need to Know

Cisco 300-515 SPVI Exam Description:

The Implementing Cisco Service Provider VPN Services v1.0 (SPVI 300-515) exam is a 90-minute exam associated with the CCNP Service Provider and Cisco Certified Specialist - Service Provider VPN Services Implementation certifications. This exam tests a candidate's knowledge of implementing service provider VPN services, including Layer 2, Layer 3, and IPv6. The course, Implementing Cisco Service Provider VPN Services, helps candidates to prepare for this exam.

Cisco CCNP Service Provider 300-515 Exam Overview:

• Exam Name- Implementing Cisco Service Provider VPN Services
• Exam Number- 300-515 SPVI
• Exam Price- $300 USD
• Duration- 90 minutes
• Number of Questions- 55-65
• Passing Score- Variable (750-850 / 1000 Approx.)
• Recommended Training- Implementing Cisco Service Provider VPN Services (SPVI)
• Exam Registration- PEARSON VUE
• Sample Questions- Cisco 300-515 Sample Questions
• Practice Exam- Cisco Certified Network Professional Service Provider Practice Test

Must Read:-

Why Should You Try to Pass Cisco 300-515 SPVI Exam?

Continue reading

How Cisco IT is solving multi-cloud management: a single pane of glass

Management of multi-cloud matures

Figure 1. Multi-cloud strategy adoption

For enterprise IT organizations, the public cloud has become a staple at delivering software, infrastructure, security, and other capabilities at scale. Companies primarily adopt public cloud services for greater flexibility, faster time-to-market, and to take advantage of best-of-breed solutions while avoiding vendor lock-in. While SaaS platforms are the lion’s share of services consumed (48%), IaaS and PaaS combined make up 51% of public cloud spending (IDG).

When combined with an organization’s private cloud, the collective services available for business units to spin up applications and services rapidly help drive innovation and decrease the time-to-market. It’s no surprise that 74% of enterprises are now taking the best of both worlds and defining hybrid or multi-cloud strategies. In fact, the Boston-based research firm, IDC, has declared 2021 as the year of multi-cloud.

While cloud offerings have matured and consumption continues to increase, one could argue that how we manage multiple private and public cloud services has lagged consumption and is just now beginning to mature. Most IT organizations are experiencing a common set of challenges in how they and their internal customers manage their cloud services, how they can account for and identify owners of cloud services within their company, and a lack of visibility into the usage and costs for these services. In response, enterprises are now adopting a “deliberate” multi-cloud strategy — up from 49% in 2017 to 75% projected for 2021 by Gartner.

Evolving our multi-cloud management strategy

Like most enterprise organizations, Cisco has seen dramatic growth in the use of public cloud-based services over the past decade or more. In parallel, our internal infrastructure offerings continue to evolve in response to customer demand, and technological and feature advancements. Our challenges — which I’m sure we share with many — have included a lack of visibility into all the cloud services consumed (shadow IT), poor budgeting and cost control, inconsistent governance and security, and disparate user experiences.

Read More: 300-735: Automating and Programming Cisco Security Solutions (SAUTO)

To respond, Cisco IT set out in 2017 to craft a strategy with “single pane of glass” visibility into multi-cloud services. We drafted a blueprint to include a knowledge base about services and how to choose them, methods to ease integration with data- and API-driven capabilities, holistic audit and compliance capabilities with security in mind, and consolidated monitoring and metering capabilities with pay-as-you-go modeling.

“Our goal has been to build a solution that provided a unified experience for all of our customers, regardless of whether they were consuming public or private cloud services,” notes Mayank Jain, Director of Software Engineering at Cisco and a member of the team that has worked on the problem. “We needed a solution that provided the ability for our customers to consume different cloud services and see what it’s costing them over time, all through a single pane of glass.”

Figure 2. Value proposition

From the early stages, we looked to four sources to gain insight and understand how best to craft our solution — the industry for analysis and best practices, our customers for their cloud consumption needs and experiences, our internal service providers for their offerings and product roadmaps, and the solution providers. Our goal was to have a clear understanding of how cloud services are consumed, identify what patterns consumption follows, and gain insight into the best practices for managing multi-cloud, all while maintaining a healthy security and compliance stance. We also worked to understand how what we propose will impact our internal service providers and customers alike.

Not all clouds are alike

Our first challenge: Anyone who has tried to address this challenge knows that there is no single, unified way providers deliver account data and information, and APIs and management interfaces vary. This lack of uniformity makes it difficult to provide a single pane of glass for all cloud services being consumed. When modeling our solution, we worked to develop methodologies at the abstraction layer to pull the data from all providers that is then translated to a uniform display in the user interface.

As we were building our cloud management solution, Cisco IT was building its own private cloud. The new cloud service offerings are API-driven and engineered as an “as-a-Service” offering with faster deployment capabilities. Our goal has been to make these services behave and operate like public cloud offerings, moving away from traditional delivery methods that were customized for every instance. The resulting private cloud model is easily consumable, automated, measured, and based on pay-as-you-go pricing models. In this case, the multi-cloud management strategy influenced our internal provider teams but also allowed us to make public and private cloud models on par with each other for better standardization at the management level.

“We needed to understand better how to cost a service,” noted Kenny Jones, Principal Engineer and a key member of the team. “This change in mindset — one where infrastructure and services are commoditized through cloud-centric models — was one of the biggest challenges for our internal teams and this project. We changed our thinking to that of a service provider and educated our different providers in our private cloud.”

A purpose-built multi-cloud management solution

The Cisco IT MultiCloud Management Platform provides a unified management environment with a consistent experience for customers, regardless of what they’re ordering and managing. It offers automated purchasing and provisioning, reducing delays in getting applications and services to market — often in minutes rather than days or weeks.

“A key feature we felt vital to include in our solution was the ability to meter and measure hybrid cloud services over time,” states Kenny Jones. “This capability also allows our customers to project their cost obligations into the future. That type of visibility is key to maximizing the value of the service while also aiding in maximizing the lifecycle of the service required. That’s a game-changer in avoiding infrastructure sprawl and having assets live beyond their usefulness.”

The MultiCloud Management Platform incorporates a multi-tiered, persona-based administration environment. Based on their role, administrators and users are granted visibility and management capabilities through the same environment for viewing, operating, and administering their cloud service. It also provides key approval processes, including funding approvals and quota approval flows, where a customer wants to order specific services beyond standard levels.

The MultiCloud Management Platform also supports multi-tenancy for different groups. With this capability, business units within Cisco have visibility into and can manage multiple cloud services under one umbrella. These capabilities allow our customers to manage their costs as a single-tenant — an ability many service providers struggle to provide.

What’s next?

Already, the MultiCloud Management Platform has made a tremendous impact on productivity and started us down the road in managing infrastructure lifecycles and costs. In a recent conversation, one of our business unit leads and internal customers, noted to me, “You’re empowering us to make sure that we can oversee our resources correctly, optimize them for our budgets, and do our job the best we can. Through the tools you’ve made available, you’re going to help us a lot — and we’ve made some tremendous strides already.”

This new environment is more than just a new and updated interface. It has changed our strategic thinking by providing data that we didn’t have before or had to generate offline through spreadsheets and manual processes. Now, when spinning up and managing resources, we’re able to get a true picture of our costs, project their costs over time, and do it all faster than we could before.”

To date, the environment incorporates compute platforms, PaaS services, network and storage services, analytics, and other services. We will expand the services in the solution to include more public cloud services, like cloud-based software subscriptions in addition to enrolling private cloud solutions as they become available. Our goal is to continue evolving the solution to reduce the time involved in getting services by automating context-specific areas. Plus, we’re advancing multi-tenant capabilities by developing features that allow organizations to share templated setups and configurations that can straddle a customer group’s service subscriptions while sharing common traits, policies, and structures.

Source: cisco.com

Continue reading

Streamlining Connectivity for a Multi-Region Hybrid World

Multi-region cloud deployments create complexity

The combination of a hybrid cloud migration and the long-term needs of a hybrid workforce are shining a spotlight on the need for consistently secure, high quality access to on-demand compute resources.

Requirements for low latency across geographically distributed workloads, resiliency, and compliance with data privacy regulations are driving organizations towards multi-region deployments in the cloud. While this can be done manually by using VPC peering and static routes, management complexity increases with scale and can be error-prone. To make networks streamlined and scalable, organizations need a dynamic and central way to manage their multi-region deployments.

Multi-region cloud deployments: complex, manual static routes and VPC peering

All the hybrids: cloud and work

Cisco Meraki has a globally-proven cloud platform that unifies secure SD-WAN, Access, and IoT technologies—empowering enterprises to deliver high quality hybrid work experiences. The platform allows secure and optimized SD-WAN connectivity to hybrid cloud environments, including AWS, in just three clicks. This Meraki SD-WAN capability is delivered through MX appliances that are available in physical and virtual (vMX) form factors where the latter can be spun up within AWS. Remote workers can also easily connect to vMX appliances in hybrid clouds with a dedicated teleworker appliance or via Cisco AnyConnect.

For customers making this investment into cloud platforms, there are a few ways they can use Meraki to accelerate their cloud journey with AWS. Specifically, for multi-region deployments, Meraki SD-WAN offers deep integration into the newly launched AWS Cloud WAN service and AWS Transit Gateway to significantly streamline workflows to connect users to their cloud resources. For organizations looking to connect their on-prem sites to workloads across regions, we also announced support for AWS Outposts at AWS re:Invent 2021 in December.

Meraki SD-WAN and AWS Transit Gateway

First, the Meraki vMX integration with AWS Transit Gateway lets customers extend their SD-WAN fabric to AWS workloads in an automated manner using AWS Quickstarts.

Dynamic routes and VPC peering with Meraki SD-WAN and AWS Transit Gateway

◉ The architecture consists of a SD-WAN VPC with two vMXs deployed in different availability zones to achieve a highly available architecture.

◉ In addition, a Transit Gateway (TGW) is deployed to extend connectivity to workload resources across different regions. The SD-WAN VPC is linked to the TGW via a VPC and customers can leverage their existing workflows to connect their workload VPCs to the Transit Gateway.

◉ On the Meraki Dashboard, each vMX is configured as a Hub to the branch sites and statically advertises all of the subnets available in Amazon AWS into Auto VPN.

◉ Finally, an AWS Lambda function is used to monitor the state of the vMX instances and update the SD-WAN VPC and the Transit Gateway route tables for the Auto VPN routes with the appropriate vMX as the next hop.

Meraki SD-WAN and AWS Cloud WAN

AWS recently launched AWS Cloud WAN at AWS Re:Invent. Cisco Meraki is one of the first partners to integrate with the new service. Cloud WAN is AWS’s managed wide area networking (WAN) solution that makes it easy for customers to build, manage, and monitor their global networks across the AWS backbone.

Organizations with Meraki SD-WAN can leverage the new AWS Cloud WAN service to extend their SD-WAN fabric across the unified AWS global network.

Meraki vMX integrates with AWS Cloud WAN to allow admins to define a multi-region, segmented, dynamically routed global network with intent-driven policies. This allows organizations to scale across different regions without worrying about managing the complexity of peering.

Dynamically routed global network with Meraki SD-WAN and AWS Cloud WAN

Instead of having to manage peering connections between different AWS Transit Gateways across multiple regions, a single Cloud WAN core network is deployed that spans across multiple regions with the following:

◉ Core Network Edges (CNE), deployed in each region of the core network

◉ Two segments, one for SD-WAN overlay and one for the customer workloads.

◉ Core Network Policy (CNP), which defines the global configuration of the core network

◉ The SD-WAN VPC and the workload VPCs are connected to the core-network as VPC attachments.

Multi-tenancy and Scale using AWS Outposts

Customers also need a secure way to connect their on-prem sites to workloads across different regions in the cloud. Using Meraki’s vMX solution, customers can easily extend their SD-WAN fabric to their public and private cloud environments.

Customers also need a secure way to connect their on-prem sites to workloads across different regions in the cloud. Using Meraki’s vMX solution, customers can easily extend their SD-WAN fabric to their public and private cloud environments.

AWS recently announced new Outposts Server Form Factors at AWS Re:Invent and Cisco Meraki will be one of the first launch partners to support the 2U servers with vMX (coming soon).

Customers looking for edge computing and even datacenter computing can leverage vMX on Outpost with the benefit of a fully managed infrastructure with native AWS APIs and the simplicity and security of Meraki.

Without Outposts, customers need to procure and manage multiple hardware for compute and networking making management cumbersome and difficult.

If you’re investing in a multi-cloud architecture and need a more scalable, flexible, and manageable SD-WAN fabric, we encourage you to learn more about the Meraki platform. Meraki combines SD-WAN with Wi-Fi, access switching, and IoT on a cloud-native platform that reduces the complexity of building a hybrid cloud architecture.

Source: cisco.com

Continue reading

Know All About Cisco 350-801 CLCOR Certification Benefits and Exam Tips

Learning the basics of IT is one of the best decisions one can make to choose a career path. But, acquiring definite certifications in IT can further help you expand your career. Cisco, an IT-based corporation that delivers networking hardware, offers many certifications that can be achieved by passing actual exams such as 350-801 CLCOR: Implementing and Operating Cisco Collaboration Core Technologies. You will be acknowledged as a certified Cisco professional by scoring well in these examinations. Furthermore, having a Cisco certification can lead to stunning advantages, some of which have been mentioned below.

Benefits of Passing Cisco 350-801 CLCOR Exam

1. Higher Paying Jobs                                       

The salary is a crucial factor when looking for a new job. But, if you hold a Cisco certification, you can rest assured that you’ll receive higher-paying jobs. Network engineering is a skill that is extremely coveted by different hiring managers, which is why these organizations are willing to pay lots of money to hire skilled professionals.

2. Globally Accepted

The best part holding CCNP Collaboration certification is that you can sell your services in the global market. Also, because organizations worldwide demand this position, you can ask for a higher rate you will be paying. And if you’re excelling in your job, your organization will most possibly accept it.

3. High Employment Rate

Cisco specialists are employed almost immediately because most large-scale organizations manage their operations using a Cisco networking system. And because of this, organizations require certified professionals who understand the Cisco platform and can instantly solve any issues within it.

4. Cisco 350-801 CLCOR Exam Acts as a Base for Higher-Level Certifications

By having Cisco certification, you’ll have the option of further promoting your career by earning higher-level certifications in this field. For instance, If you have a CCNA certification, you can pave your way towards achieving the CCNP Security certification or a CCNP service provider, and so on. But, do keep in mind that proceeding to higher-level certifications demands you to enroll in the course/examination ahead.

5. It Makes You Look More Reliable

Reliability is vital in this contemporary times, and organizations are very particular about who they hire. For this reason, having a certification that proves you’re an expert in Cisco networking will make you look more reliable in the eyes of your hiring managers. It also proves that the employer can blindly trust the certified specialist to fulfill his responsibilities effectively and efficiently.

Tips to Pass Cisco 350-801 CLCOR Exam

You may not be too excited to get your Cisco Certification, but you will never know if this could be the best option. So many skills and knowledge can be obtained by passing the Cisco 350-801 CLCOR exam. As you study for the Cisco 350-801 exam, you have to concentrate on two things: On-time studying and taking the highest amount of time. Here are a few tips to pass Cisco 350-801 CLCOR Exam.

• Obtain Relevant Cisco 350-801 Book. Before anything else, make sure that you do not rush into exam preparation. Ensure that you have time to go through the Cisco 350-801 book and understand important information. By all means, you also ought to put aside time for performing Cisco 350-801 CLCOR practice test, and it means that you have to assign time doing lab tests. Of course, you can rely on guides or videos to help your study; and however, you have to go step-by-step and do the test according to the given Cisco 350-801 practice exam.
• Second, create a study plan. Try to study at the same time each day. In this way, you can optimize your time and prevent yourself from feeling rushed. You require to have focus and dedication to pass the exam.
• Third, check if you have any disturbances. Disturbances may be difficult to evade. However, you have to keep in mind that time is still your most substantial resource. You cannot bear to waste time. Even if it takes a lot of time to focus on something, there is no assurance that you will pass if there are disturbances in your way. Learn to manage your time wisely and use it most effectively.
• Fourth, do not leave the room when you wait for the exam to be completed. Do not leave any Cisco 350-801 exam questions unanswered, as there is no negative marking.
• Fifth, take Cisco 350-801 CLCOR practice test. As stated earlier, training yourself is the key to passing the Cisco 350-801 exam. Thus, you should always review what you have studied in the training course, and studying will help you develop a new learning habit.

Cisco 350-801 CLCOR Exam: Brief Description, Tips and the Importance of Practice Test

• Sixth, attempt to find the right answer to every question. For instance, answer one question first, then move on to another question. This method will help you not spend too much time on a question and save time for other important questions. It will also decrease the stress involved since you will be answering multiple questions at the same time.
• Finally, practice a lot. If you cannot pass the exam after just one try, you should rethink your preparation. Some students do not feel that their work has been thoroughly done, so they tend to give up before the end of the exam. Remember that Cisco exams are not easy, and considering the last three tips, even though time is running out, you should still be able to pass with a little extra effort.

You are now ready to ace Cisco 350-801 exam with the tips mentioned above. But, these tips to pass Cisco 350-801 exam are just for newcomers. If you want to outdo the exam, you need plenty of experience. With a lot of experience, you will also learn to evade silly mistakes in taking Cisco exams.

Continue reading

How to Respond to Apache Log4j using Cisco Secure Analytics

IT and Security professionals worldwide are working to assess and mitigate their exposure to Apache Log4j vulnerability (CVE-2021-44228). The following guide has been put together for current Secure Network Analytics and Secure Cloud Analytics customers, providing suggested ways to leverage your deployment to assist in your detection and response efforts. 

Customers can research any prior interactions with known indicators such as IP addresses tracked by Cisco Talos intelligence group and should create Custom Security Events and Watchlists to identify any future communication with the known indicators. Customers should keep a close eye on any issued detections that would indicate an attack might be underway, since the activity following this exploit can vary greatly. Potentially related detections include Suspected Cryptocurrency Activity, Watchlist Observations, Unusual Geographic Access, Lateral Movement, Data Hoarding, etc.

Vulnerability Description

Apache Log4j is a java-based logging framework library.  The JNDI (Java Naming and Directory Interface) component in Apache Log4j versions 2.0-beta9 through 2.14.1 improperly handles log messages.  Certain user-supplied log messages are improperly executed prior to being written to log files.  Unauthenticated remote attackers can leverage specially crafted LDAP log messages to download and execute arbitrary code with elevated privileges.  Please note that due to the widespread use of this library that other vectors besides LDAP are possible depending on the implementation.

Exploitation

This vulnerability is being exploited in the wild, first detected on December 9, 2021.  Public proof of concept code is also available from multiple sources, which can be easily weaponized.

Monitoring Indicators of Compromise

Cisco Talos has published a series of Indicators of Compromise (IOC’s) including IP addresses of hosts serving malicious payloads in their blog located at: https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html

Please check the Talos blog regularly for updates.

There are several methods to detect evidence of exploitation in your environment using Secure Analytics products.  We’ll start with Secure Network Analytics, followed by the techniques you can use for Secure Cloud Analytics.

Secure Network Analytics

The Secure Network Analytics screen shots below were taking in version 7.4.0, the latest software release.  Older versions of software may look or function slightly differently as we are constantly adding new features and functionality.  The general concept and steps will still apply in older versions even if the screen shots are not an exact match.

Search for Past Evidence of Exploitation using Secure Network Analytics – Method One

Users should perform a Flow Search going back at least 7 days for the IP’s provided by Talos. Exploitation was first detected on December 9, 2021, but it is possible that activity was happening prior to this date. Consider searching back further than 7 days.

1. From the Manager’s web UI click on the Analyze menu then select Flow Search.

2. Select “Last 7 Days” for the Time Range.

3. Select “Inside Hosts” as the Subject host group.

4. Enter the Talos IP’s as Peer Host IP Addresses.

5. Click on Search to return any matches between inside hosts and the Talos IP’s.

The Flow Search criteria should look like the following:

Search for Past Evidence of Exploitation using Secure Network Analytics – Method Two

Users should perform a Host Search for the IP’s provided by Talos. The Host Search will report if Secure Network Analytics has ever seen an IP address, and if so, when it was first seen, last seen, the total bytes, and by which Flow Collector.

1. From the Manager’s web UI click on the Analyze menu then select Host Search.

2. Enter the Talos IP’s in the IP Address field.

3. Click on Search to run the Host Search and view the results. Ideally, the report will read “Never” next to each IP for the First Sent and Last Sent columns and “None” for the Total Bytes column.

The Host Search criteria should look like the following:

Detect Future Malicious Communications using Secure Network Analytics

Users should create an outside host group containing the Talos IP’s.  A Custom Security Event (CSE) can be built to look for traffic to this outside host group.  This CSE will fire on future communications to these IP’s.

1. From the Manager’s web UI click on Configure then select Host Group Management.

2. Click on the ellipses (…) to the right of the Outside Hosts host group and select Add Host Group. (Users may wish to nest this new host group under another parent depending on their host group structure.)

3. Enter “Log4j Talos IP Watchlist” (or similar) as the Host Group Name field.

4. Enter the Talos IP’s in the IP Addresses And Ranges field.

5. Click on Save to create the new host group.

The new host group criteria should look like the following:

5. To create the CSE click on the Configure menu and select Policy Management.

6. Click on Create New Policy near the top-right of the page and select Custom Security Event.

7. Enter “.CSE: Log4j Talos IP Watchlist Traffic” (or similar) into the Name field.

8. Click on the plus (+) sign under the Find field and create the following criteria:

◉ Subject Host Groups: Inside Hosts

◉ Peer Host Groups: Log4j Talos IP Watchlist

9. Toggle the Status to On.

10. Click on Save to create the CSE, which will then fire any time traffic is seen between inside hosts and the Talos IP’s in our watchlist host group. Take note of the description that is built inside the CSE describing when it will fire: When any host within Inside Hosts communicates with any host within Log4j Talos IP Watchlist, an alarm is raised.

The CSE criteria should look like the following:

Detection with the Flow Sensor Payload Data using Secure Network Analytics

Customers with Flow Sensors can search payload data looking for “ldap://” going back at least 7 days in a flow search.  Exploitation was first detected on December 9, 2021, but it is possible that activity was happening prior to this date.  Consider searching back further than 7 days.

1. From the Manager’s web UI click on the Analyze menu then select Flow Search.

2. Select “Last 7 Days” for the Time Range.

3. Select “Inside Hosts” as the Subject host group.

4. Select “Outside Hosts” as the Peer host group.

5. At the bottom-center of the flow search criteria, expand the Advanced Connection Options.

6. In the Payload field in the Advanced Connection Options and enter the following: ldap://

7. Click on Search to return any matches for that payload. Please note that legitimate uses of LDAP will appear depending on your environment’s implementation.  Look for any unusual requests to servers that are not domain controllers or LDAP servers.  You may wish to exclude these hosts in revised Flow Searches.  Alternatively, set both the Subject and Peer host groups to Inside Hosts to look for internal exploitation.

The Flow Search criteria should look like the following:

Search for Abnormally Large LDAP Queries using Secure Network Analytics

Users should perform a flow search going back at least 7 days looking for abnormally large LDAP queries between affected servers and outside hosts.  Exploitation was first detected on December 9, 2021, but it is possible that activity was happening prior to this date.  Please note that this vulnerability exists in a library that the attack vectors may vary greatly depending on the implementation.  Customers should adjust flow search criteria to match the ports, protocols, and applications that match their exact implementation.  You may also consider making an Inside Hosts host group of known vulnerable servers and focus on that host group.

1. From the Manager’s web UI click on the Analyze menu then select Flow Search.

2. Select “Last 7 Days” for the Time Range.

3. Select “Inside Hosts” as the Subject host group.

4. Select “Outside Hosts” as the Peer host group.

5. Under the center Connections box, click on Select under Applications. The Applications Selector will appear on the left-side of the page.

6. Either search for or scroll down and select the following applications on the Include tab (this is the default tab):

1. LDAP

2. LDAP (unclassified)

3. LDAPS

4. LDAPS (unclassified)

The selections should look like the following in the Applications Selector:

1. Click on Apply in the bottom-right corner of the Applications Selector to return to the Flow Search.

2. At the bottom-left of the flow search criteria, expand the Advanced Subject Options.

3. In the Subject Bytes field in the Advanced Subject Options enter the following: >100

4. Click on the radio button labeled Client under Orientation at the bottom of the Advanced Subject Options.

5. Click on Search to display any abnormally large LDAP queries from a vulnerable server reaching out to download a malicious payload. Depending on how your environment is configured you may find legitimate large LDAP queries with certain hosts.  You may wish to exclude these hosts in revised Flow Searches.  Alternatively, set both the Subject and Peer host groups to Inside Hosts to look for internal exploitation.

The Flow Search criteria should look like the following:

Detect Future Abnormally Large LDAP Queries using Secure Network Analytics

A Custom Security Event (CSE) can be built to automatically detect abnormally large LDAP queries.  Please note that this vulnerability exists in a library that the attack vectors may vary greatly depending on the implementation.  Customers should adjust flow search criteria to match the ports, protocols, and applications that match their exact implementation.  Users will want to use the refined the search criteria used in the previous Flow Searches and make those criteria match the CSE.  For example, excluding servers which legitimately perform large LDAP queries on a regular basis to avoid generating a lot of noise.  You may also consider making an Inside Hosts host group of known vulnerable servers and focus on that host group.

5. From the Manager’s web UI click on Configure then select Policy Management.

6. Click on Create New Policy near the top-right of the page and select Custom Security Event.

7. Enter “.CSE: Log4j Abnormally Large LDAP Queries” (or similar) into the Name field.

8. Click on the plus (+) sign under the Find field and create the following criteria:

◉ Subject Host Groups: Inside Hosts

◉ Peer Host Groups: Outside Hosts

◉ Subject Applications to Include: LDAP, LDAP (unclassified), LDAPS, LDAPS (unclassified)

◉ Subject Bytes: >100

◉ Subject Orientation: Client

9. Toggle the Status to On.

10. Click on Save to create the CSE, which will then fire any time abnormally large LDAP requests are made from a vulnerable server reaching out to download a malicious payload. Take note of the description that is built inside the CSE describing when it will fire: When any host within Inside Hosts, acting as a client; using any disallowed application; with a total payload of >100 bytes communicates with any host within Outside Hosts, an alarm is raised.

The CSE criteria should look like the following:

Global Threat Alerts

Detect Log4j Scanning and Malware Installation using Global Threat Alerts

Secure Network Analytics customers with Global Threat Alerts (GTA, formerly known as Cognitive Intelligence) have two new Log4j alerts available.  These alerts require enabling the Global Threat Alerts feature, which is included with a Secure Network Analytics license at no additional charge. The Global Threat Alerts integration instructions are available at: https://drive.google.com/file/d/1cMio5EM_6Q_GaQybFxyK4V2aDtHOAHy5/view?usp=sharing

Clicking on either link below will bring you to your GTA console and let you know immediately if the detection has fired and Log4J exploits are in your network

Log4Shell vulnerability scan – this alert checks for outbound scanning which may indicate a vulnerability scan, penetration tests, or exploited devices searching for new vulnerable hosts to exploit.  It can be accessed directly at: https://cognitive.cisco.com/ui/threats/3e494958-8fad-4aea-b540-2d6002886bf6

Malware installation through Log4Shell – this alerts monitors for an outgoing response indicating successful Log4j exploitation. It can be accessed directly at: https://cognitive.cisco.com/ui/threats/69ad2359-dc2b-415a-9a0e-d57b4b7aae79

Secure Cloud Analytics

Search for Past Evidence of Exploitation using Secure Cloud Analytics

Users should search the Event Viewer going back at least 7 days for the IP’s provided by Talos.  Exploitation was first detected on December 9, 2021, but it is possible that activity was happening prior to this date.  Consider searching back further than 7 days.

1. From the Secure Cloud Analytics portal click on the Investigate menu then select Event Viewer.

2. Make sure the Event Viewer is in inline mode by setting the toggle in the top-right of the screen to inline.

3. Change the Start Date to one week ago.

4. Under the Connected_IP field, click on the blue icon to display the filter conditions. Select the third option which reads “In list.”

5. Paste the Talos IP’s in the field under Connected_IP and then click away from the field to accept the list. The query will immediately start running.

The Event Viewer criteria should look like the following:

Detect Future Malicious Communications using Cisco Secure Cloud Analytics

The Talos IP’s are being regularly updated in our threat intelligence feed. Ensure you have the alerting enabled.

1. From the Secure Cloud Analytics portal click on Settings then select Alerts.

2. From the Alert Priorities page, search for “Talos” in the Alert Type field.

3. Set the priority to High and ensure the Alert is “Enabled”

Your alert list should look like the following:

4. We recommend reviewing all alert types, priorities, and whether they are enabled to ensure the detections can be triggered. Because the post-exploit activity could vary greatly, increasing alert priority and sensitivity for many of the tactics and techniques is highly recommended. Delete “Talos” from the search field to return to the complete list of detections for review.

The list of available detections should look like this:

Review Watchlist Observations to ensure any traffic to the Talos IP’s is being investigated in Secure Cloud Analytics

The “Talos Intelligence Watchlist Hit” alert described above is only triggered when a significant amount of traffic is exchanged with the IPs. We suggest you review any interactions with the Talos IPs through our “Watchlist Interaction” observation.

1. From the Secure Cloud Analytics portal click on Monitor then select Observations.

2. Select “Selected Observation” from the left panel

3. Choose “Watchlist Interaction” from the Observation Type Field

4. Set the Time Range to start on December 10th, when the IPs were first added to the Talos watchlists.

Your observation list should look like this:

5. You can investigate internal devices by clicking the down arrow next to device ID and review details on the Device, Alerts associated with the device, and Observations associated with the device.

6. You can investigate the external IP by clicking the down arrow next to the IP address and pivot to a variety of intelligence resources

Detect Suspicious Log4j Activity using Security Analytics and Logging in Secure Cloud Analytics

Secure Cloud Analytics customers with Security Analytics and Logging (SAL) integration can use Confirmed Threat Indicator Match – Hostname observations to detect suspicious Log4j activity.  This functionality does require firewall log data to be sent to SAL.

To check for these observations, follow these steps:

1. Visit https://<tenant-id>.obsrvbl.com/v2/#/observations/selected/type/cts_indicator_match_hostname_v1

2. Users will see the full list of Confirmed Threat Indicator Match – Hostname observations.

3. In the search field, search for “log4j” and click on Apply. If we have seen any suspicious activity related to Log4j starting from November 15, 2021 (15 days before the threat was first detected), there should be an observation.

Impact

The impact of the vulnerability allows attackers to execute arbitrary code from their hosted payload on a vulnerable server. In the event of successful exploitation, Secure Network Analytics and Secure Cloud Analytics will continue to monitor networks for anomalous and malicious activity.  You will have visibility on attacker actions taken, so be on the lookout for an uptick in suspicious behavior from any affected servers.  For example, Cisco Talos has observed attackers exploiting this vulnerability to deploy cryptominers.

CVSS Scoring

◉ https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

◉ Base Score – 10.0

◉ Severity Rating – Critical

Solution

Apache has released an updated version of Log4j and a workaround to address this vulnerability. Affected users of Log4j should upgrade to version 2.16.0 or apply the mitigation described in Apache’s advisory located at: https://logging.apache.org/log4j/2.x/security.html

Apache Log4j version 2.15.0 was found to have an incomplete fix to address CVE-2021-44228. Version 2.16.0 was released to address this incomplete fix and is described in CVE-2021-45046.

Source: cisco.com

Continue reading

Cisco 300-920 | DEVNET Specialist Exam | Free DEVWBX Exam Questions

Cisco DEVWBX Exam Description:

The Developing Applications for Cisco Webex and Webex Devices v1.0 (DEVWBX 300-920) exam is a 90-minute exam associated with the Cisco Certified DevNet Professional and Cisco Certified DevNet Specialist - Webex certifications. This exam tests a candidate's Webex development knowledge as it pertains to Webex API foundations, Webex Meetings, WebEx Devices, messaging, embedding Webex, and administration and compliance. The course, Developing Applications for Cisco Webex and Webex Devices, helps candidates to prepare for this exam.

Cisco 300-920 Exam Overview:

• Exam Name- Developing Applications for Cisco Webex and Webex Devices
• Exam Number- 300-920 DEVWBX
• Exam Price- $300 USD
• Duration- 90 minutes
• Number of Questions- 55-65
• Passing Score- Variable (750-850 / 1000 Approx.)
• Recommended Training- Developing Applications for Cisco Webex and Webex Devices (DEVWBX)
• Exam Registration- PEARSON VUE
• Sample Questions- Cisco 300-920 Sample Questions
• Practice Exam- Cisco Certified DevNet Specialist Webex Practice Test
  

Unlock New Careers with Cisco 300-920 DEVWBX Exam by means of Practice Test

Continue reading

How Cybersecurity Leads to Improved Sustainability

After managing the sudden switch to remote work in 2020, organizations are making a more permanent transition into the flexible hybrid workforce. The Federal Bureau of Investigation (FBI) found that cybersecurity attacks rose by 3-4 times from the transition to remote work in 2020. In addition, experts predict that ransomware will cost the world up to $20 billion in 2021 and is expected to be a greater concern with the hybrid work model. As a result, you’ll need to rapidly scale your security to account for the massive influx of remote and hybrid workers while simplifying and unifying your IT systems.

While implementing security controls is increasingly important, this also means more hardware appliances and virtual instances to secure different parts of the infrastructure. All this extra equipment and instances means more power consumption and heat dissipation, leading to adverse impacts on the environment. We’re taking steps to address this situation. There are a couple of ways we’re approaching this. Cisco products have security features which are built into our switches to prevent the need for separate security appliances.

Innovative methods to detect malware within encrypted layers

As an example, let’s look at the scenario where a traditional method of securing the deployment is used for decryption and identification of malware. As shown in Figure 1, you would first need to decrypt the traffic, then apply analysis (inspection / anti-malware), and finally encrypt the traffic again. The resulting power consumption is shown in Table 1.

Figure 1. Traditional deployment using Secure Sockets Layer (SSL) inspection

Table 1. Power consumption in a traditional deployment

As displayed in Table 1, the total power consumption for all the devices is close to 9500W. In the sustainable method we offer, the Cisco Secure Network Analytics (Cisco Stealthwatch) components like Stealthwatch Management Console (SMC) and Flow Collector (FC) are virtualized, which can be deployed on the existing X86 servers without needing the additional devices as shown in Figure 2.

Figure 2. Innovative and sustainable option using Cisco Secure Network Analytics (Stealthwatch)

In this scenario, Stealthwatch’s patented technology allows analysis of encrypted traffic without decryption. The ETA module in the catalyst switch provides Stealthwatch with the extra information for the analysis of the encrypted traffic without decryption.

Table 2. Power consumption using Cisco Secure Network Analytics with Catalyst switches

As the Stealthwatch components are virtual, they can be deployed in an existing X86 server, and the power consumption is minimal as compared to the dedicated appliances.

Another way Cisco caters to sustainable cybersecurity is by ensuring that the functionalities such as load balancing, packet broker functions, switching, and routing are all included in a single appliance.

Tables 3-4 highlight the difference between the traditional method and innovative new method for total power consumed for identifying malware in encrypted traffic:

Table 3. Traditional method power consumption

All the functionalities listed in Table 3 are now available in a single switch such as the Nexus NX 9300, which has the following power consumption:

Table 4. Power consumption using Cisco Nexus

This shows that there are alternate methods to detect malware within encrypted layers which are more sustainable, efficient, and less expensive compared to traditional deployments.

Source: cisco.com

Continue reading