Identify the types of data provided by these technologies: TCP Dump, NetFlow, Next-Gen firewall, Traditional stateful firewall, Application visibility and control, web content filtering and email content filtering.
Understanding Cisco Cybersecurity Fundamentals (210-250)
TCP Dump
The application tcpdump is a command line packet capture tool. An example of a packet displayed in the default console format is below. You can also direct full packets into a PCAP file which can be analyzed in a tool like Wireshark.
20:04:26.269123 IP ec2-18-211-118-21.compute-1.amazonaws.com.https > 192.168.7.37.54190: Flags [.], ack 128, win 8, options [nop,nop,TS val 1181991327 ecr 416718581], length 0
NetFlow
NetFlow provides a mean for Layer 3 switches and routers to send information about the network flows on an interface. Each flow is recorded with the ingress interface, source IP, source port, destination IP, destination port, IP Protocol and the Type of Service. These records are then sent to a NetFlow collector. This collector then can produce graphs or reports on the data seen.
Next-Gen(eration) Firewall
Next Generation Firewalls use deep packet inspection to perform firewall decisions. By looking at the payload as well as the headers, they are able to understand the applications being used on the network. This allows for greater rule flexibility and the ability to identify traffic by type even if it is not on a standard port.
Traditional Stateful Firewall
Unlike NG Firewalls, stateful firewalls only look at the headers of the packets. It makes decisions based on the protocol, ports and IP addresses in the packet headers. Stateful firewalls keep a table of TCP sessions to allow return traffic through without additional rules.
Application visibility and control
AVC is a collection of services in Cisco network devices to provide classification, monitoring and traffic control. It has the following capabilities:
- Application recognition
- Metrics collection
- Management and reporting
- Network traffic control
AVC uses Cisco NBAR to do deep packet inspection. AVC may be used for QoS.
Web Content Filtering
Web filters such as Cisco Web Security Appliance, are purpose built to filter web traffic. They usually can perform SSL decryption as well to see HTTPS traffic. The filtering is usually done using categories, but can also include blacklists and whitelists. AMP can also be a part of the filtering to prohibit malicious downloads. The logs from web filters can be useful in seeing what has been accessed or downloaded on a machine.
Email Content Filtering
Email content filtering like Cisco Email Security Appliance filter e-mail for malicious attachments, phishing attempts and spam.