Any tips on getting through the security section of the ENCOR exam?

Hello, everyone.

I’m slowly making my way towards the end of ENCOR (I still have yet to cover WiFi, SDN & Automation) and I’m currently on the security chapter of the Official Cert Guide book and it’s… terrible to read.

There are over 50 pages of pure theory about technologies that I unfortunately cannot get my hands on or configure in CML. This wouldn’t be so bad if there weren’t pages such as this:

The architecture of AMP can be broken down into the following components:
■ AMP Cloud (private or public)
■ AMP connectors
■ Cisco Secure Endpoint, formerly FireAMP or AMP for Endpoints—supported on Microsoft Windows, macOS X, Google Android, Apple iOS, and Linux
■ Cisco Secure Email, formerly AMP for Email or Email Security Appliance (ESA)
■ Cisco Secure Web Appliance, formerly AMP for Web or Web Security Appliance (WSA)
■ AMP for Networks—supported on Cisco Secure Firewall appliances and Cisco AMP dedicated appliances
■ AMP for Meraki MX
■ Threat intelligence from Cisco Talos and Cisco Secure Malware Analytics

During an Attack
During an attack, the Secure Web Appliance uses security intelligence from cloud access security broker (CASB) providers, Talos, and AMP for Networks to identify and block zero-day threats that managed to infiltrate the network:
■ Cloud access security: The Cisco Secure Web Appliance can protect against hidden threats in cloud apps by partnering with leading CASB providers (such as Cisco CloudLock) to monitor cloud app usage in real time to help combat evolving threats through intelligent protection powered by data science.
■ Parallel antivirus (AV) scanning: The Cisco Secure Web Appliance enhances malware defense coverage with multiple anti-malware scanning engines running in parallel on a single appliance while maintaining high processing speeds and preventing traffic bottlenecks.
■ Layer 4 traffic monitoring: The Cisco Secure Web Appliance scans all traffic, ports, and protocols to detect and block spyware “phone-home” communications with an integrated Layer 4 traffic monitor. Based on this scanning, it identifies infected clients to help stop malware that attempts to bypass classic web security solutions.
■ File reputation and analysis with Cisco AMP: With the Secure Web Appliance, files are assessed using the latest threat information from Cisco Talos, which, as mentioned before, is updated every three to five minutes. The Cisco Secure Web Appliance captures a fingerprint of each file as it traverses the gateway and sends it to AMP Cloud for a reputation verdict checked against zero-day exploits.
■ Data loss prevention (DLP): The Cisco Secure Web Appliance uses Internet Content Adaptation Protocol (ICAP) to integrate with DLP solutions from leading third-party DLP vendors. When all outbound traffic is directed to the third-party DLP appliance, content is allowed or blocked based on the third-party rules and policies. Deep content inspection can be enabled for regulatory compliance and intellectual property protection. Powerful engines inspect outbound traffic and analyze it for content markers, such as confidential files, credit card numbers, customer personal data, and so on.

Cisco Secure Email includes the following advanced threat protection capabilities that allow it to detect, block, and remediate threats across the attack continuum:
■ Global threat intelligence: It leverages real-time threat intelligence from Cisco Talos and Cisco Secure Malware Analytics.
■ Reputation filtering: Cisco Secure Email blocks unwanted email with reputation filtering, which is based on threat intelligence from Talos.
■ Spam protection: Cisco Secure Email uses the Cisco Context Adaptive Scanning Engine (CASE) to block spam emails; it delivers a spam catch rate greater than 99%, with a false-positive rate of less than 1 in 1 million.
■ Forged email detection: Forged email detection protects high-value targets such as executives against business email compromise (BEC) attacks.
■ Cisco Advanced Phishing Protection (CAPP): CAPP combines Cisco Talos threat intelligence with local email intelligence and advanced machine learning techniques to model trusted email behavior on the Internet, within organizations, and between individuals. It uses this intelligence to stop identity deception–based attacks such as fraudulent senders, social engineering, and BEC attacks.
■ Cisco Domain Protection (CDP): CDP for external email helps prevent phishing emails from being sent using a customer domain.
■ Malware defense: Cisco Secure Email protects against malware.
■ Graymail detection and Safe Unsubscribe: Cisco Secure Email detects and classifies graymail for an administrator to take action on it if necessary. Graymail consists of marketing, social networking, and bulk messages (that is, mailing list emails). This type of email typically comes with an unsubscribe link, which may be used for phishing. Safe Unsubscribe protects against this type of phishing technique.
■ URL-related protection and control: Cisco Secure Email protects against malicious URLs with URL filtering and scanning of URLs in attachments and shortened URLs.
■ Outbreak filters: Outbreak filters defend against emerging threats and blended attacks by leveraging security intelligence information from Cisco Talos. Outbreak filters can rewrite URLs included in suspicious email messages. When clicked, the new rewritten URLs redirect the email recipient to the Secure Web Appliance. The website content is then actively scanned, and outbreak filters display a block screen to the user if the site contains malware.
■ Web interaction tracking: Cisco Secure Email generates reports that track the end users who click on URLs that have been rewritten by the outbreak filters. The reports include the following information:
  ■ Top users who clicked on malicious URLs
  ■ The top malicious URLs clicked by end users
  ■ Date and time, rewrite reason, and action taken on the URLs
■ Data security for sensitive content in outgoing emails: Confidential outbound messages that match one of the more than 100 expert policies included with Cisco Secure Email are automatically protected by encryption, footers and disclaimers, blind carbon copies (BCCs), notifications, and quarantining.
Cisco Secure Email is available as a hardware appliance or as a cloud offering called Cisco Secure Email Threat Defense.

I cannot, of course, post more of the book, so here is just a snippet. They always bring up a Cisco technology like FirePOWER NGIPS and name 10 different features about it in bullet points. I am not really sure how to process all this information because a lot of this is just memorization, which I am not a big fan of.

Do you guys have any tips on how to get through this chapter? How did you study security for the exam?

Thank you.
David


Hello David

Indeed, this section is not as well written as it could be. When just listing technologies and what they do without any application or labs, it can get quite difficult to grasp. One thing that I can tell you is don’t simply try to memorize it!

There are many approaches to this and there’s no definitive right or wrong answer, it’s a matter of what works best for you. @ReneMolenaar may suggest something else for example.

This is what I would do.

I’d start off by looking at the Cisco ENCOR blueprint to get a high-level overview of what is to be covered. I’d then create some method of containing information within each of those points, either using a mind map program or writing them on paper to make flashcards, whatever works for you. You can get some ideas from this lesson:

Take the concepts written out in those 50 pages and process them. Look it over and decide what concepts go under which section of the security blueprint. It is during this processing time that you must decide what to do. I would take the main concepts from each section and put them into my note-taking method. What you will keep and what you ignore will determine how long it will take, but also how valuable the exercise will be for you.

Ultimately, you want to take the information they have and put it in a format that will be beneficial for you. But during the process, you must focus more on understanding core concepts and how the various solutions fit together in the bigger picture of a secure network.

Also, using AI tools to help summarize concepts can be helpful. You can copy and paste some text into an AI tool, and ask it to summarize the concepts in a useful way. Practice with various prompts to see the best results.

Remember, the exam rewards applying concepts, not memorizing lists. This section is indeed challenging, and I wish you success!

I hope this has been helpful!

Laz

I asked DeepSeek - here is what I got :)

Here are the main points extracted from the Network Security.pdf document:


Chapter 25: Secure Network Access Control

1. Network Security Design for Threat Defense

  • Cisco SAFE Framework: A security architectural framework designed to protect networks from evolving cybersecurity threats.
    • Places in the Network (PINs): Branch, Campus, Data Center, Edge, Cloud, WAN.
    • Secure Domains: Management, Security Intelligence, Compliance, Segmentation, Threat Defense, Secure Services.
  • Threat Defense Phases:
    • Before: Prevention through policies, next-generation firewalls, network access control, and identity services.
    • During: Detection and response using intrusion prevention systems, malware protection, and email/web security.
    • After: Remediation using Advanced Malware Protection (AMP) and Stealthwatch.

2. Next-Generation Endpoint Security

  • Cisco Talos: Cisco's threat intelligence organization that detects and analyzes emerging threats.
  • Cisco Threat Grid: A sandbox malware analysis solution that performs static and dynamic file analysis.
  • Cisco Advanced Malware Protection (AMP):
    • Provides protection across the attack continuum (before, during, and after an attack).
    • Components include AMP Cloud, AMP connectors, and AMP for Endpoints, Networks, Email, and Web.
  • Cisco AnyConnect: A secure mobility client that provides VPN access, posture assessment, and web security.
  • Cisco Umbrella: A cloud-based DNS security solution that blocks malicious domains and IPs.

3. Network Access Control (NAC)

  • 802.1x: A standard for port-based network access control, using EAP (Extensible Authentication Protocol) for authentication.
    • Components: Supplicant, Authenticator, Authentication Server.
    • EAP Methods: EAP-TLS, PEAP, EAP-FAST, EAP-TTLS.
  • MAC Authentication Bypass (MAB): Fallback mechanism for devices without 802.1x supplicants, using MAC addresses for authentication.
  • Web Authentication (WebAuth): Fallback for endpoints without 802.1x or MAB, using a web portal for user authentication.
  • Cisco TrustSec: A next-generation access control solution using Security Group Tags (SGTs) for policy enforcement.
    • Phases: Ingress Classification, Propagation, Egress Enforcement.
    • Propagation Methods: Inline Tagging, SXP (SGT Exchange Protocol).
  • MACsec: A Layer 2 encryption method for securing traffic between devices.

4. Cisco Security Products

  • Cisco Web Security Appliance (WSA): Provides web gateway security, including URL filtering, malware defense, and data loss prevention.
  • Cisco Email Security Appliance (ESA): Protects against email-based threats like phishing, spam, and malware.
  • Next-Generation Intrusion Prevention System (NGIPS): Combines IPS functionality with advanced threat protection, application visibility, and URL filtering.
  • Next-Generation Firewall (NGFW): Integrates firewall capabilities with IPS, application-level inspection, and threat intelligence.
  • Cisco Stealthwatch: A network security analytics tool that detects threats using flow telemetry data.
    • Stealthwatch Enterprise: Provides real-time visibility and threat detection.
    • Stealthwatch Cloud: Extends visibility to cloud environments.
  • Cisco Identity Services Engine (ISE): A policy management platform for secure network access control, supporting 802.1x, MAB, and WebAuth.

5. Key Technologies

  • EAP Chaining: Combines machine and user authentication in a single TLS tunnel.
  • Enhanced FlexAuth: Allows concurrent authentication methods (802.1x, MAB, WebAuth) for faster endpoint access.
  • Security Group Tags (SGTs): Used in Cisco TrustSec for policy enforcement based on user/device roles.
  • MACsec: Provides Layer 2 encryption for secure communication between devices.

6. Exam Preparation

  • Key topics include Cisco SAFE, AMP, Talos, Threat Grid, NAC technologies (802.1x, MAB, WebAuth), and Cisco security products (WSA, ESA, NGIPS, NGFW, Stealthwatch, ISE).

Summary

This chapter covers Cisco's network security framework, focusing on threat defense, endpoint security, and network access control. Key technologies include Cisco SAFE, AMP, Talos, NAC (802.1x, MAB, WebAuth), and TrustSec. The chapter also highlights Cisco's security products like WSA, ESA, NGIPS, NGFW, Stealthwatch, and ISE, which provide comprehensive protection across the attack continuum.

can you be a bit more elaborate - explaining the technologies

Certainly! Let’s dive deeper into the technologies mentioned in the document and explain them in more detail:


1. Cisco SAFE (Secure Agile Framework for Enterprise)

  • What it is: Cisco SAFE is a security architectural framework designed to help organizations build secure networks by integrating security services across different parts of the network (called Places in the Network (PINs)).
  • Key Components:
    • PINs: These are the critical areas in a network that need protection, such as:
      • Branch: Remote offices with limited security controls.
      • Campus: Large networks with many users (employees, contractors, guests).
      • Data Center: Houses critical assets and is a prime target for attacks.
      • Edge: The entry/exit point for internet traffic.
      • Cloud: Cloud environments with shared security responsibilities.
      • WAN: Connects all PINs and is vulnerable to attacks like malware propagation.
    • Secure Domains: Operational areas like Management, Security Intelligence, Compliance, Segmentation, and Threat Defense that help protect the PINs.
  • Purpose: SAFE provides a modular approach to security, allowing organizations to tailor their defenses based on their specific needs.

2. Cisco Talos

  • What it is: Cisco Talos is Cisco’s threat intelligence organization, composed of security experts who analyze and detect emerging threats.
  • Key Functions:
    • Threat Intelligence: Collects and analyzes data from billions of web requests, emails, and malware samples daily.
    • Integration: Feeds threat intelligence into Cisco security products like AMP, Firepower, and Umbrella.
    • Real-Time Protection: Provides up-to-date information on known and unknown threats, helping organizations stay ahead of attackers.

3. Cisco Threat Grid

  • What it is: A sandbox malware analysis solution that analyzes suspicious files in a controlled environment.
  • Key Features:
    • Static Analysis: Examines file attributes like filenames, checksums, and file types.
    • Dynamic Analysis: Executes files in a sandbox to observe their behavior and detect malware.
    • Integration: Works with Cisco AMP and Talos to provide real-time threat intelligence.
    • Use Case: Helps identify and block advanced malware that evades traditional antivirus solutions.

4. Cisco Advanced Malware Protection (AMP)

  • What it is: A malware protection solution that goes beyond traditional antivirus by providing continuous monitoring and retrospection.
  • Key Features:
    • Before an Attack: Uses threat intelligence from Talos and Threat Grid to block known threats.
    • During an Attack: Detects and blocks malware in real-time using file reputation and sandboxing.
    • After an Attack: Provides retrospection to identify and remediate malware that slipped past initial defenses.
    • Components:
      • AMP Cloud: Centralized database for file reputations.
      • AMP Connectors: Lightweight agents that send file hashes to the cloud for analysis.
      • AMP for Endpoints, Networks, Email, and Web: Provides protection across different parts of the network.

5. Cisco AnyConnect

  • What it is: A secure mobility client that provides VPN access and additional security features.
  • Key Features:
    • VPN Access: Supports TLS/SSL and IPsec for secure remote access.
    • Posture Assessment: Checks endpoints for compliance (e.g., antivirus, firewall status) before granting network access.
    • Web Security: Integrates with Cisco Umbrella to block malicious websites.
    • Roaming Protection: Protects devices even when not connected to the corporate VPN.

6. Cisco Umbrella

  • What it is: A cloud-delivered DNS security solution that blocks access to malicious domains and IPs.
  • Key Features:
    • DNS Filtering: Blocks requests to known malicious domains before a connection is established.
    • Threat Intelligence: Uses data from Talos and billions of daily DNS requests to identify threats.
    • Roaming Client: Protects devices outside the corporate network by routing DNS queries through Umbrella.

7. Cisco Web Security Appliance (WSA)

  • What it is: An all-in-one web gateway that protects against web-based threats.
  • Key Features:
    • Web Reputation Filtering: Blocks access to malicious websites based on real-time threat intelligence.
    • URL Filtering: Controls access to websites based on categories (e.g., social media, gambling).
    • Malware Defense: Uses AMP and Threat Grid to detect and block malware.
    • Data Loss Prevention (DLP): Prevents sensitive data from being uploaded to unauthorized cloud services.

8. Cisco Email Security Appliance (ESA)

  • What it is: A solution that protects against email-based threats like phishing, spam, and malware.
  • Key Features:
    • Reputation Filtering: Blocks emails from known malicious senders.
    • Advanced Phishing Protection: Uses machine learning to detect and block phishing emails.
    • Malware Defense: Integrates with AMP to detect and block malicious attachments.
    • Outbreak Filters: Rewrites URLs in suspicious emails to redirect users to a safe environment for scanning.

9. Next-Generation Intrusion Prevention System (NGIPS)

  • What it is: An intrusion prevention system that goes beyond traditional IPS by providing advanced threat protection.
  • Key Features:
    • Real-Time Contextual Awareness: Identifies applications, users, and devices on the network.
    • Advanced Threat Protection: Detects and blocks advanced threats using AMP and Threat Grid.
    • Application Visibility and Control (AVC): Monitors and controls application usage.
    • Integration with Cisco ISE: Applies remediation policies to compromised hosts.

10. Next-Generation Firewall (NGFW)

  • What it is: A firewall that combines traditional firewall capabilities with advanced features like IPS, application control, and threat intelligence.
  • Key Features:
    • Stateful Inspection: Monitors and controls traffic based on ports and protocols.
    • Application-Level Inspection: Blocks malicious or risky applications.
    • Threat Intelligence: Uses data from Talos to block evolving threats.
    • Unified Management: Managed through Cisco Firepower Management Center (FMC).

11. Cisco Stealthwatch

  • What it is: A network security analytics tool that detects threats using flow telemetry data.
  • Key Features:
    • Flow Monitoring: Collects and analyzes network traffic data (e.g., NetFlow, IPFIX).
    • Threat Detection: Identifies threats like ransomware, DDoS attacks, and insider threats.
    • Encrypted Traffic Analysis (ETA): Detects threats in encrypted traffic without decrypting it.
    • Integration with Cisco ISE: Provides visibility into endpoints and users.

12. Cisco Identity Services Engine (ISE)

  • What it is: A policy management platform that provides secure network access control.
  • Key Features:
    • 802.1x Authentication: Validates user and device identities before granting network access.
    • MAC Authentication Bypass (MAB): Authenticates devices based on their MAC addresses.
    • Web Authentication (WebAuth): Provides a web portal for guest and contractor access.
    • Posture Assessment: Ensures endpoints comply with security policies (e.g., antivirus, firewall).
    • TrustSec Integration: Assigns Security Group Tags (SGTs) for policy enforcement.

13. Network Access Control (NAC) Technologies

  • 802.1x:
    • What it is: A standard for port-based network access control.
    • Components: Supplicant (endpoint), Authenticator (switch/WLC), Authentication Server (ISE).
    • EAP Methods: EAP-TLS, PEAP, EAP-FAST, EAP-TTLS.
  • MAC Authentication Bypass (MAB):
    • What it is: A fallback mechanism for devices without 802.1x supplicants.
    • Use Case: Authenticates devices based on their MAC addresses.
  • Web Authentication (WebAuth):
    • What it is: A fallback for endpoints without 802.1x or MAB.
    • Use Case: Provides a web portal for user authentication.

14. Cisco TrustSec

  • What it is: A next-generation access control solution that uses Security Group Tags (SGTs) for policy enforcement.
  • Key Features:
    • Ingress Classification: Assigns SGTs to users and devices.
    • Propagation: Communicates SGTs across the network using inline tagging or SXP.
    • Egress Enforcement: Applies policies based on SGTs at the egress point.
    • Security Group ACLs (SGACLs): Enforces access control based on source and destination SGTs.

15. MACsec

  • What it is: A Layer 2 encryption method that secures traffic between devices.
  • Key Features:
    • Hop-by-Hop Encryption: Encrypts traffic between two MACsec peers.
    • Integration with TrustSec: Preserves SGT tags for policy enforcement.
    • Keying Mechanisms: Uses MKA (MACsec Key Agreement) for key management.

Summary

These technologies form the backbone of Cisco’s network security framework, providing comprehensive protection across the attack continuum (before, during, and after an attack). They work together to defend against evolving threats, enforce access control, and ensure compliance with security policies.

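The one part of this chapter that can actually be typed into a switch is the NAC piece the summary lists twice (sections 3 and 13): the three 802.1X components and the 802.1X → MAB fallback chain. The configuration below is an added example, not from the Official Cert Guide or from the post above, showing the authenticator side on a Catalyst access switch in the classic `authentication` command style, with ISE as the authentication server. It shows which knob controls the method order, what happens when a supplicant never answers, what happens when authentication fails, and what happens when ISE is unreachable. The ISE address 192.0.2.10, the shared-secret placeholder, the VLAN numbers and the interface name are assumptions.

```cisco
! Added example (not from the OCG or this thread): authenticator-side 802.1X with
! MAB fallback on a Catalyst access switch, IBNS 1.0 "authentication" syntax.
! Assumed values: ISE at 192.0.2.10, VLAN 10 = corporate access VLAN.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
! Accept RADIUS Change of Authorization from ISE so it can re-evaluate a live session
! (for example after a posture check changes the endpoint's compliance state)
aaa server radius dynamic-author
 client 192.0.2.10 server-key REPLACE_WITH_SHARED_SECRET
!
! Enables 802.1X globally; without this line the per-port settings do nothing
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description user-facing access port
 switchport mode access
 switchport access vlan 10
 ! one authenticated data device plus one IP phone in the voice domain
 authentication host-mode multi-domain
 ! try 802.1X first; if the supplicant never answers, fall back to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 ! port stays closed (EAPOL only) until a method succeeds
 authentication port-control auto
 ! on a failed authentication move to the next method instead of blocking outright
 authentication event fail action next-method
 ! if every RADIUS server is dead, still authorize into the critical VLAN
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 ! an extra MAC behind the port is logged and dropped rather than err-disabling the port
 authentication violation restrict
 ! periodic re-authentication with the interval taken from the RADIUS Session-Timeout
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! shorten the wait before MAB fallback: 1 + 2 EAP-Request/Identity attempts, 10 s apart
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

With `tx-period 10` and `max-reauth-req 2` a printer with no supplicant waits about 30 seconds (three unanswered EAP-Request/Identity frames) before the switch tries MAB, which is the usual reason those two timers appear in NAC lab guides. Whether a session is in the 802.1X, MAB or critical-VLAN state can be checked with `show authentication sessions interface GigabitEthernet1/0/1 details`.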

I’m also studying for the Cisco ENCOR. I noticed that you list wireless on your to-do list.
I purchased Cisco’s book on the WLC 9800 to help me with this section - I found it enormously useful, particularly for understanding centralized web auth, EAP-FAST, and the four-way handshake. Gargano’s 31 Days and the v1.1 supplements for wireless are also excellent.
The wireless section contains a ridiculous amount of material and could be a course on its own. Make sure to take good notes. I use the Cornell notes method. Lastly, get your hands on a WLC9800 image to run as a VM - unless of course you have access to an actual appliance. It’s imperative to have some familiarity with the GUI.

Hello Orla

Thanks for sharing this, it is very useful. This is indeed an example of how AI can help to summarize the most important parts of text that can become boring, bland, and difficult to review. Experimentation with different AI tools and prompts can help out in studying.

Thanks again!!

Laz

Hello Sandro

Awesome information! Thanks for sharing. This is so helpful to all those striving to do their best in these exams…

Thanks again!

Laz
