Endpoint Security

Network Attacks Today

The news media commonly covers attacks on enterprise networks. Simply search the internet for “latest network attacks” to find up-to-date information on current attacks. Most likely, these attacks will involve one or more of the following:

  • Distributed Denial of Service (DDoS) – This is a coordinated attack from many devices, called zombies, with the intention of degrading or halting public access to an organization’s website and resources.
  • Data Breach – This is an attack in which an organization’s data servers or hosts are compromised to steal confidential information.
  • Malware – This is an attack in which an organization’s hosts are infected with malicious software that cause a variety of problems. For example, ransomware such as WannaCry, shown in the figure, encrypts the data on a host and locks access to it until a ransom is paid.
screenshot of a Wana Decrypt0r ransomeware attack with the message; Oops, your files have been encrypted!, and directing the victim to pay $300 worth of bitcoin

Network Security Devices

Various network security devices are required to protect the network perimeter from outside access. These devices could include a virtual private network (VPN) enabled router, a next-generation firewall (NGFW), and a network access control (NAC) device.

Click each network security device for more information.

VPN-Enable Router

A VPN-enabled router provides a secure connection to remote users across a public network and into the enterprise network. VPN services can be integrated into the firewall.

NGFW

An NGFW provides stateful packet inspection, application visibility and control, a next-generation intrusion prevention system (NGIPS), advanced malware protection (AMP), and URL filtering.

NAC

A NAC device includes authentication, authorization, and accounting (AAA) services. In larger enterprises, these services might be incorporated into an appliance that can manage access policies across a wide variety of users and device types. The Cisco Identity Services Engine (ISE) is an example of a NAC device.

Endpoint Protection

LAN devices such as switches, wireless LAN controllers (WLCs), and other access point (AP) devices interconnect endpoints. Most of these devices are susceptible to the LAN-related attacks that are covered in this module.

But many attacks can also originate from inside the network. If an internal host is infiltrated, it can become a starting point for a threat actor to gain access to critical system devices, such as servers and sensitive data.

Endpoints are hosts which commonly consist of laptops, desktops, servers, and IP phones, as well as employee-owned devices that are typically referred to as bring your own devices (BYODs). Endpoints are particularly susceptible to malware-related attacks that originate through email or web browsing. These endpoints have typically used traditional host-based security features, such as antivirus/antimalware, host-based firewalls, and host-based intrusion prevention systems (HIPSs). However, today endpoints are best protected by a combination of NAC, host-based AMP software, an email security appliance (ESA), and a web security appliance (WSA). Advanced Malware Protection (AMP) products include endpoint solutions such as Cisco AMP for Endpoints.

The figure is a simple topology representing all the network security devices and endpoint solutions discussed in this module.

Cisco Email Security Appliance

Content security appliances include fine-grained control over email and web browsing for an organization’s users.

According to the Cisco’s Talos Intelligence Group, in June 2019, 85% of all email sent was spam. Phishing attacks are a particularly virulent form of spam. Recall that a phishing attack entices the user to click a link or open an attachment. Spear phishing targets high-profile employees or executives that may have elevated login credentials. This is particularly crucial in today’s environment where, according to the SANS Institute, 95% of all attacks on enterprise networks are the result of a successful spear phishing attack.

The Cisco ESA is a device that is designed to monitor Simple Mail Transfer Protocol (SMTP). The Cisco ESA is constantly updated by real-time feeds from the Cisco Talos, which detects and correlates threats and solutions by using a worldwide database monitoring system. This threat intelligence data is pulled by the Cisco ESA every three to five minutes. These are some of the functions of the Cisco ESA:

  • Block known threats.
  • Remediate against stealth malware that evaded initial detection.
  • Discard emails with bad links (as shown in the figure).
  • Block access to newly infected sites.
  • Encrypt content in outgoing email to prevent data loss.

In the figure, the Cisco ESA discards the email with bad links.

a threat actor sends a phishing email from the cloud intended for a company executive; the firewall forwards it to the ESA which discards it

 

Access Control