Identity management is the practice of making sure that people and entities with digital identities have the right level of access to enterprise resources like networks and databases. User roles and access privileges are defined and managed through an identity management system, such as Cisco Identity Services Engine (ISE) [1]. Identity management solves two customer problems:
Provides network visibility and security: Identity management allows customers to see who and what is on their network, and to control their access based on policies and context. Identity management also integrates with other security solutions, such as Cisco Firepower, Cisco Stealthwatch, or Cisco Umbrella, to detect and respond to threats, and to enforce adaptive network access policies based on the threat level of the endpoints [2].
Achieves dynamic and adaptive network segmentation: Identity management enables customers to segment their network based on the identity and context of the users and devices, rather than the IP addresses and VLANs. This allows customers to implement a zero-trust model, where only trusted users and devices can access the resources they need, and where the access policies can be dynamically updated based on the changing conditions and requirements. Identity management also supports Cisco TrustSec, which is a technology that assigns scalable group tags (SGTs) to endpoints and enforces group-based policies (contracts) across the network [3].
References:
1: What Is Identity Access Management (IAM)? - Cisco
Questions 6
Which two options are SD-WAN solution capabilities? (Choose two.)
Options:
A. Trust roll branch turn up for easy provisioning and new installations
B. The separation of management plane, control plane and data plane to enable horizontal scaling
C. Cloud hosted or on-premise fully redundant management and control plane functions
D. Ability to provide and integrate security with complementary products and applications
SD-WAN is a software-defined approach to managing the WAN that offers several capabilities, such as:
The separation of management plane, control plane and data plane to enable horizontal scaling. This means that the SD-WAN solution can decouple the network functions from the underlying hardware and distribute them across different layers and locations. This allows for greater flexibility, scalability, and resilience of the network [1][2].
Cloud hosted or on-premise fully redundant management and control plane functions. This means that the SD-WAN solution can provide centralized and cloud-based management and control of the network, as well as the option to deploy them on-premise for more control and security. This enables the SD-WAN solution to offer consistent policies, visibility, and analytics across the network, as well as the ability to automate network operations and orchestration [1][3].
The other options are not SD-WAN solution capabilities, but rather features or benefits of specific SD-WAN solutions, such as:
Trust roll branch turn up for easy provisioning and new installations. This is a feature of Cisco Catalyst SD-WAN, which enables zero-touch provisioning and automated configuration of branch devices, as well as the ability to trust the identity and security posture of the devices [3].
Ability to provide and integrate security with complementary products and applications. This is a benefit of Cisco Catalyst SD-WAN, which offers integrated security capabilities, such as full-stack multilayer security, cloud-delivered security, and SASE-enabled architecture. This enables the SD-WAN solution to provide real-time threat protection and compliance across the network [3].
References:
What Is SD-WAN? - Software-Defined WAN (SDWAN) - Cisco
A Digital Network is a network that is based on the Cisco Digital Network Architecture (Cisco DNA), which is an open and extensible, software-driven network architecture designed to rapidly deliver services that enable IT to innovate faster, reduce costs and complexity, lower risk, and comply with regulatory requirements [1]. A key function of a Digital Network is centralized provisioning, which allows IT to automate the deployment and configuration of network devices and services using a single platform, such as the Cisco DNA Center [2]. Centralized provisioning simplifies network management, reduces human errors, and accelerates network changes.
References:
1: Cisco Digital Network Architecture
2: Cisco DNA Software - Digital Network Architecture - Cisco
Questions 8
Which three services must be enabled under the ISE Admin settings to successfully integrate ISE, when integrating ISE with DNA-C? (Choose three.)
Cisco ISE configuration capabilities include the following features:
ISE Deployment Assistant (IDA): This is a built-in application designed to accelerate the deployment of Cisco Identity Service Engine (ISE) by providing a guided workflow for configuring the most common ISE use cases, such as guest access, BYOD, and secure wired and wireless access [1]. IDA also provides validation checks, best practices, and troubleshooting tips to ensure a successful deployment.
Wireless Setup Wizard and Visibility Wizard: These are two of the several wizards that Cisco ISE provides to simplify the configuration of various ISE functions and features. The Wireless Setup Wizard helps to configure the wireless network settings, such as SSIDs, authentication methods, and policies, for secure wireless access [2]. The Visibility Wizard helps to enable the ISE profiling service, which collects and analyzes endpoint data to identify, classify, and monitor devices on the network [3].
ISE Wizards and Pre-Canned Configurations: These are the tools that ease the ISE roll-out significantly by providing ready-made templates, policies, and settings for common ISE scenarios, such as posture assessment, device administration, and threat-centric NAC. These tools help to reduce the manual configuration efforts and errors, and speed up the time to value.
Cisco ISE is a network access control solution that uses policy-based decision making to determine if a device is allowed access to the network and, if allowed, what level of access this device is given [1]. Cisco ISE can also provide authentication, authorization, and accounting (AAA) through the RADIUS protocol and device administration through TACACS+ service [1].
Some of the use cases of Cisco ISE are:
Access Control: Cisco ISE can grant and control the right level of network access for both wired and wireless devices by employing mainly the 802.1x protocol and EAPoL (EAP over LAN) [1]. Cisco ISE can also use MAC authentication bypass (MAB) to authenticate devices that are unable to use the EAP protocol [1]. Additionally, Cisco ISE can integrate with Microsoft Active Directory for confirming user identity [1].
Assurance: Cisco ISE can monitor and troubleshoot the various features on ISE and analyze trends of the network activities from a centralized admin node [2]. Cisco ISE can also provide reports on user and entity behavior analytics (UEBA), enterprise mobility management/mobile device management (EMM/MDM), security incident and event management (SIEM), and segmentation [3][4].
Monitoring: Cisco ISE can provide endpoint visibility with context by collecting and analyzing data from various sources such as endpoints, users, applications, devices, networks, and cloud services [4]. Cisco ISE can also provide real-time alerts and notifications on security events and anomalies [4].
Questions 10
Which Cisco SD WAN component provides a secure data plane with remote vEdge routers?
vEdge is the Cisco SD WAN component that provides a secure data plane with remote vEdge routers. vEdge routers are the devices that sit at the edge of the SD WAN fabric and connect to the WAN transports, such as MPLS, Internet, or LTE. vEdge routers establish secure IPsec tunnels with other vEdge routers in the fabric and exchange routing and policy information with the vSmart controller. vEdge routers also perform application-aware routing, QoS, and security functions on the data plane traffic. vEdge routers can be physical or virtual devices and can be deployed in branch, campus, data center, or cloud environments [1].
The other options, vBond, vSmart, and vManage, are not the components that provide a secure data plane with remote vEdge routers. vBond is the orchestrator that performs the initial authentication and authorization of vEdge routers and assigns them to a vSmart controller. vSmart is the controller that distributes the control and data policies and the network topology information to the vEdge routers. vManage is the management platform that provides centralized configuration, monitoring, and troubleshooting of the SD WAN fabric [1].
References:
1: Cisco SD-WAN Getting Started Guide - Cisco SD-WAN Overview [Cisco SD-WAN] - Cisco
Exam Code: 500-470
Exam Name: Cisco Enterprise Networks SDA, SDWAN and ISE Exam for System Engineers