CCNA Security 640-554 Official Cert Guide

by Keith Barker and Scott Morris
  • Edition: 1st
  • Format: Hardcover
  • Copyright: 2012-07-06
  • Publisher: Cisco Press

This is Cisco's official, comprehensive self-study resource for preparing for the newest CCNA Security certification exam. Designed for entry-level readers, it covers every objective concisely and logically, with extensive teaching features designed to promote retention and understanding. Readers will find:

  • Pre-chapter quizzes to assess knowledge upfront and focus study more efficiently
  • Foundation Topics sections that explain concepts and configurations, and link theory to actual configuration commands
  • Key Topics sections calling attention to every figure, table, and list that candidates must know
  • Exam Preparation sections with additional chapter review features
  • A final preparation chapter providing tools and a complete final study plan
  • A customizable practice test library on CD-ROM

This second edition's many updates include new coverage of the Cisco Configuration Professional GUI tool, the ASA firewall, Adaptive Security Device Manager (ASDM), IPv6 security, and more. Its comprehensive, fully updated coverage also includes:

  • Network security concepts, policies, lifecycles, and strategies
  • Protecting network infrastructure
  • Securing management and data planes
  • Configuring AAA to use Cisco Secure ACS
  • Planning threat control strategies and implementing ACLs for threat mitigation
  • Implementing and configuring Cisco firewalls and IPS
  • Understanding VPNs, PKI, and IPsec
  • Implementing site-to-site and SSL VPNs with Cisco technologies
  • And much more

Author Biography

Keith Barker, CCIE No. 6783 (R&S and Security), is a 27-year veteran of the networking industry. He currently works as a network engineer and trainer for Copper River IT. His past experience includes EDS, Blue Cross, Paramount Pictures, and KnowledgeNet, and he has delivered CCIE-level training over the past several years. As part of the original set of Cisco VIPs for the Cisco Learning Network, he continues to give back to the community in many ways. He is CISSP and CCSI certified, loves to teach, and keeps many of his video tutorials at http://www.youtube.com/keith6783. He can be reached at Keith.Barker@CopperRiverIT.com or by visiting http://www.CopperRiverIT.com.


Scott Morris, CCIE No. 4713 (R&S, ISP/Dial, Security, and Service Provider), has more than 25 years in the industry. He also has CCDE and myriad other certifications, including nine expert-level certifications spread over four major vendors. Having traveled the world consulting for various enterprise and service provider companies, Scott currently works at Copper River IT as the chief technologist. He, too, has delivered CCIE-level training and technology training for Cisco Systems and other technology vendors.


Having spent a “past life” (early career) as a photojournalist, he brings interesting points of view from entering the IT industry from the ground up. As part of the original set of Cisco VIPs for the Cisco Learning Network, he continues to give back to the community in many ways. He can be reached at smorris@CopperRiverIT.com or by visiting http://www.CopperRiverIT.com.

Table of Contents

Introduction xxv

Part I Fundamentals of Network Security

Chapter 1 Networking Security Concepts

“Do I Know This Already?” Quiz 5

Foundation Topics 8

Understanding Network and Information Security Basics 8

    Network Security Objectives 8

    Confidentiality, Integrity, and Availability 8

    Cost-Benefit Analysis of Security 9

    Classifying Assets 10

    Classifying Vulnerabilities 11

    Classifying Countermeasures 12

    What Do We Do with the Risk? 12

Recognizing Current Network Threats 13

    Potential Attackers 13

    Attack Methods 14

    Attack Vectors 15

    Man-in-the-Middle Attacks 15

    Other Miscellaneous Attack Methods 16

Applying Fundamental Security Principles to Network Design 17

    Guidelines 17

    How It All Fits Together 19

Exam Preparation Tasks 20

Review All the Key Topics 20

Complete the Tables and Lists from Memory 20

Define Key Terms 20

Chapter 2 Understanding Security Policies Using a Lifecycle Approach

“Do I Know This Already?” Quiz 23

Foundation Topics 25

Risk Analysis and Management 25

    Secure Network Lifecycle 25

    Risk Analysis Methods 25

    Security Posture Assessment 26

    An Approach to Risk Management 27

    Regulatory Compliance Affecting Risk 28

Security Policies 28

    Who, What, and Why 28

    Specific Types of Policies 29

    Standards, Procedures, and Guidelines 30

    Testing the Security Architecture 31

    Responding to an Incident on the Network 32

    Collecting Evidence 32

    Reasons for Not Being an Attacker 32

    Liability 33

    Disaster Recovery and Business Continuity Planning 33

Exam Preparation Tasks 34

Review All the Key Topics 34

Complete the Tables and Lists from Memory 34

Define Key Terms 34

Chapter 3 Building a Security Strategy

“Do I Know This Already?” Quiz 37

Foundation Topics 40

Securing Borderless Networks 40

    The Changing Nature of Networks 40

    Logical Boundaries 40

    SecureX and Context-Aware Security 42

Controlling and Containing Data Loss 42

    An Ounce of Prevention 42

    Secure Connectivity Using VPNs 43

    Secure Management 43

Exam Preparation Tasks 44

Review All the Key Topics 44

Complete the Tables and Lists from Memory 44

Define Key Terms 44

Part II Protecting the Network Infrastructure

Chapter 4 Network Foundation Protection

“Do I Know This Already?” Quiz 49

Foundation Topics 52

Using Network Foundation Protection to Secure Networks 52

    The Importance of the Network Infrastructure 52

    The Network Foundation Protection (NFP) Framework 52

    Interdependence 53

    Implementing NFP 53

Understanding the Management Plane 55

    First Things First 55

    Best Practices for Securing the Management Plane 55

Understanding the Control Plane 56

    Best Practices for Securing the Control Plane 56

Understanding the Data Plane 57

    Best Practices for Protecting the Data Plane 59

    Additional Data Plane Protection Mechanisms 59

Exam Preparation Tasks 60

Review All the Key Topics 60

Complete the Tables and Lists from Memory 60

Define Key Terms 60

Chapter 5 Using Cisco Configuration Professional to Protect the Network Infrastructure

“Do I Know This Already?” Quiz 63

Foundation Topics 65

Introducing Cisco Configuration Professional 65

Understanding CCP Features and the GUI 65

    The Menu Bar 66

    The Toolbar 67

    Left Navigation Pane 68

    Content Pane 69

    Status Bar 69

Setting Up New Devices 69

CCP Building Blocks 70

    Communities 70

    Templates 74

    User Profiles 78

CCP Audit Features 81

    One-Step Lockdown 84

    A Few Highlights 84

Exam Preparation Tasks 88

Review All the Key Topics 88

Complete the Tables and Lists from Memory 88

Define Key Terms 88

Command Reference to Check Your Memory 89

Chapter 6 Securing the Management Plane on Cisco IOS Devices

“Do I Know This Already?” Quiz 91

Foundation Topics 94

Securing Management Traffic 94

    What Is Management Traffic and the Management Plane? 94

    Beyond the Blue Rollover Cable 94

    Management Plane Best Practices 95

    Password Recommendations 97

    Using AAA to Verify Users 97

        AAA Components 98

        Options for Storing Usernames, Passwords, and Access Rules 98

        Authorizing VPN Users 99

        Router Access Authentication 100

        The AAA Method List 101

    Role-Based Access Control 102

        Custom Privilege Levels 103

        Limiting the Administrator by Assigning a View 103

    Encrypted Management Protocols 103

    Using Logging Files 104

    Understanding NTP 105

    Protecting Cisco IOS Files 106

Implement Security Measures to Protect the Management Plane 106

    Implementing Strong Passwords 106

    User Authentication with AAA 108

    Using the CLI to Troubleshoot AAA for Cisco Routers 113

    RBAC Privilege Level/Parser View 118

    Implementing Parser Views 120

    SSH and HTTPS 122

    Implementing Logging Features 125

        Configuring Syslog Support 125

    SNMP Features 128

    Configuring NTP 131

    Securing the Cisco IOS Image and Configuration Files 133

Exam Preparation Tasks 134

Review All the Key Topics 134

Complete the Tables and Lists from Memory 135

Define Key Terms 135

Command Reference to Check Your Memory 135

Chapter 7 Implementing AAA Using IOS and the ACS Server

“Do I Know This Already?” Quiz 137

Foundation Topics 140

Cisco Secure ACS, RADIUS, and TACACS 140

    Why Use Cisco ACS? 140

    What Platform Does ACS Run On? 141

    What Is ISE? 141

    Protocols Used Between the ACS and the Router 141

    Protocol Choices Between the ACS Server and the Client (the Router) 142

Configuring Routers to Interoperate with an ACS Server 143

Configuring the ACS Server to Interoperate with a Router 154

Verifying and Troubleshooting Router-to-ACS Server Interactions 164

Exam Preparation Tasks 171

Review All the Key Topics 171

Complete the Tables and Lists from Memory 171

Define Key Terms 171

Command Reference to Check Your Memory 172

Chapter 8 Securing Layer 2 Technologies

“Do I Know This Already?” Quiz 175

Foundation Topics 178

VLAN and Trunking Fundamentals 178

    What Is a VLAN? 178

    Trunking with 802.1Q 180

    Following the Frame, Step by Step 181

    The Native VLAN on a Trunk 181

    So, What Do You Want to Be? (Says the Port) 182

    Inter-VLAN Routing 182

    The Challenge of Using Physical Interfaces Only 182

    Using Virtual “Sub” Interfaces 182

Spanning-Tree Fundamentals 183

    Loops in Networks Are Usually Bad 184

    The Life of a Loop 184

    The Solution to the Layer 2 Loop 184

    STP Is Wary of New Ports 187

    Improving the Time Until Forwarding 187

Common Layer 2 Threats and How to Mitigate Them 188

    Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too 188

    Layer 2 Best Practices 189

    Do Not Allow Negotiations 190

    Layer 2 Security Toolkit 190

    Specific Layer 2 Mitigation for CCNA Security 191

        BPDU Guard 191

        Root Guard 192

        Port Security 192

Exam Preparation Tasks 195

Review All the Key Topics 195

Complete the Tables and Lists from Memory 195

Review the Port Security Video Included with This Book 196

Define Key Terms 196

Command Reference to Check Your Memory 196

Chapter 9 Securing the Data Plane in IPv6

“Do I Know This Already?” Quiz 199

Foundation Topics 202

Understanding and Configuring IPv6 202

    Why IPv6? 202

    The Format of an IPv6 Address 203

        Understanding the Shortcuts 205

        Did We Get an Extra Address? 205

        IPv6 Address Types 206

Configuring IPv6 Routing 208

    Moving to IPv6 210

Developing a Security Plan for IPv6 210

    Best Practices Common to Both IPv4 and IPv6 210

    Threats Common to Both IPv4 and IPv6 212

    The Focus on IPv6 Security 213

    New Potential Risks with IPv6 213

    IPv6 Best Practices 214

Exam Preparation Tasks 216

Review All the Key Topics 216

Complete the Tables and Lists from Memory 216

Define Key Terms 217

Command Reference to Check Your Memory 217

Part III Mitigating and Controlling Threats

Chapter 10 Planning a Threat Control Strategy

“Do I Know This Already?” Quiz 221

Foundation Topics 224

Designing Threat Mitigation and Containment 224

    The Opportunity for the Attacker Is Real 224

    Many Potential Risks 224

    The Biggest Risk of All 224

    Where Do We Go from Here? 225

Securing a Network via Hardware/Software/Services 226

    Switches 227

    Routers 228

    ASA Firewall 230

    Other Systems and Services 231

Exam Preparation Tasks 232

Review All the Key Topics 232

Complete the Tables and Lists from Memory 232

Define Key Terms 232

Chapter 11 Using Access Control Lists for Threat Mitigation

“Do I Know This Already?” Quiz 235

Foundation Topics 238

Access Control List Fundamentals and Benefits 238

    Access Lists Aren’t Just for Breakfast Anymore 238

    Stopping Malicious Traffic with an Access List 239

    What Can We Protect Against? 240

    The Logic in a Packet-Filtering ACL 241

    Standard and Extended Access Lists 242

    Line Numbers Inside an Access List 243

    Wildcard Masks 244

    Object Groups 244

Implementing IPv4 ACLs as Packet Filters 244

    Putting the Policy in Place 244

    Monitoring the Access Lists 255

    To Log or Not to Log 257

Implementing IPv6 ACLs as Packet Filters 259

Exam Preparation Tasks 263

Review All the Key Topics 263

Complete the Tables and Lists from Memory 263

Review the NAT Video Included with This Book 263

Define Key Terms 264

Command Reference to Check Your Memory 264

Chapter 12 Understanding Firewall Fundamentals

“Do I Know This Already?” Quiz 267

Foundation Topics 270

Firewall Concepts and Technologies 270

    Firewall Technologies 270

    Objectives of a Good Firewall 270

    Firewall Justifications 271

    The Defense-in-Depth Approach 272

    Five Basic Firewall Methodologies 273

        Static Packet Filtering 274

        Application Layer Gateway 275

        Stateful Packet Filtering 276

        Application Inspection 277

        Transparent Firewalls 277

Using Network Address Translation 278

    NAT Is About Hiding or Changing the Truth About Source Addresses 278

    Inside, Outside, Local, Global 279

    Port Address Translation 280

    NAT Options 281

Creating and Deploying Firewalls 283

    Firewall Technologies 283

    Firewall Design Considerations 283

    Firewall Access Rules 284

    Packet-Filtering Access Rule Structure 285

    Firewall Rule Design Guidelines 285

    Rule Implementation Consistency 286

Exam Preparation Tasks 288

Review All the Key Topics 288

Complete the Tables and Lists from Memory 288

Define Key Terms 288

Chapter 13 Implementing Cisco IOS Zone-Based Firewalls

“Do I Know This Already?” Quiz 291

Foundation Topics 294

Cisco IOS Zone-Based Firewall 294

    How Zone-Based Firewall Operates 294

    Specific Features of Zone-Based Firewalls 294

    Zones and Why We Need Pairs of Them 295

    Putting the Pieces Together 296

    Service Policies 297

    The Self Zone 300

Configuring and Verifying Cisco IOS Zone-Based Firewall 300

    First Things First 301

    Using CCP to Configure the Firewall 301

    Verifying the Firewall 314

    Verifying the Configuration from the Command Line 315

    Implementing NAT in Addition to ZBF 319

    Verifying Whether NAT Is Working 322

Exam Preparation Tasks 324

Review All the Key Topics 324

Review the Video Bonus Material 324

Complete the Tables and Lists from Memory 324

Define Key Terms 325

Command Reference to Check Your Memory 325

Chapter 14 Configuring Basic Firewall Policies on Cisco ASA

“Do I Know This Already?” Quiz 327

Foundation Topics 330

The ASA Appliance Family and Features 330

    Meet the ASA Family 330

    ASA Features and Services 331

ASA Firewall Fundamentals 333

    ASA Security Levels 333

    The Default Flow of Traffic 335

    Tools to Manage the ASA 336

    Initial Access 337

    Packet Filtering on the ASA 337

    Implementing a Packet-Filtering ACL 338

    Modular Policy Framework 338

    Where to Apply a Policy 339

Configuring the ASA 340

    Beginning the Configuration 340

    Getting to the ASDM GUI 345

    Configuring the Interfaces 347

    IP Addresses for Clients 355

    Basic Routing to the Internet 356

    NAT and PAT 357

    Permitting Additional Access Through the Firewall 359

    Using Packet Tracer to Verify Which Packets Are Allowed 362

    Verifying the Policy of No Telnet 366

Exam Preparation Tasks 368

Review All the Key Topics 368

Complete the Tables and Lists from Memory 368

Define Key Terms 369

Command Reference to Check Your Memory 369

Chapter 15 Cisco IPS/IDS Fundamentals

“Do I Know This Already?” Quiz 371

Foundation Topics 374

IPS Versus IDS 374

    What Sensors Do 374

    Difference Between IPS and IDS 374

    Sensor Platforms 376

    True/False Negatives/Positives 376

    Positive/Negative Terminology 377

Identifying Malicious Traffic on the Network 377

    Signature-Based IPS/IDS 377

    Policy-Based IPS/IDS 378

    Anomaly-Based IPS/IDS 378

    Reputation-Based IPS/IDS 378

    When Sensors Detect Malicious Traffic 379

    Controlling Which Actions the Sensors Should Take 381

    Implementing Actions Based on the Risk Rating 382

    IPv6 and IPS 382

    Circumventing an IPS/IDS 382

Managing Signatures 384

    Signature or Severity Levels 384

Monitoring and Managing Alarms and Alerts 385

    Security Intelligence 385

    IPS/IDS Best Practices 386

Exam Preparation Tasks 387

Review All the Key Topics 387

Complete the Tables and Lists from Memory 387

Define Key Terms 387

Chapter 16 Implementing IOS-Based IPS

“Do I Know This Already?” Quiz 389

Foundation Topics 392

Understanding and Installing an IOS-Based IPS 392

    What Can IOS IPS Do? 392

    Installing the IOS IPS Feature 393

    Getting to the IPS Wizard 394

Working with Signatures in an IOS-Based IPS 400

    Actions That May Be Taken 405

    Best Practices When Tuning IPS 412

Managing and Monitoring IPS Alarms 412

Exam Preparation Tasks 417

Review All the Key Topics 417

Complete the Tables and Lists from Memory 417

Define Key Terms 417

Command Reference to Check Your Memory 418

Part IV Using VPNs for Secure Connectivity

Chapter 17 Fundamentals of VPN Technology

“Do I Know This Already?” Quiz 423

Foundation Topics 426

Understanding VPNs and Why We Use Them 426

    What Is a VPN? 426

    Types of VPNs 427

        Two Main Types of VPNs 427

    Main Benefits of VPNs 427

        Confidentiality 428

        Data Integrity 428

        Authentication 430

        Antireplay 430

Cryptography Basic Components 430

    Ciphers and Keys 430

        Ciphers 430

        Keys 431

    Block and Stream Ciphers 431

        Block Ciphers 432

        Stream Ciphers 432

    Symmetric and Asymmetric Algorithms 432

        Symmetric 432

        Asymmetric 433

    Hashes 434

    Hashed Message Authentication Code 434

    Digital Signatures 435

        Digital Signatures in Action 435

    Key Management 436

    IPsec and SSL 436

        IPsec 436

        SSL 437

Exam Preparation Tasks 439

Review All the Key Topics 439

Complete the Tables and Lists from Memory 439

Define Key Terms 439

Chapter 18 Fundamentals of the Public Key Infrastructure

“Do I Know This Already?” Quiz 441

Foundation Topics 444

Public Key Infrastructure 444

    Public and Private Key Pairs 444

    RSA Algorithm, the Keys, and Digital Certificates 445

        Who Has Keys and a Digital Certificate? 445

        How Two Parties Exchange Public Keys 445

        Creating a Digital Signature 445

    Certificate Authorities 446

    Root and Identity Certificates 446

        Root Certificate 446

        Identity Certificate 448

        Using the Digital Certificates to get the Peer’s Public Key 448

        X.500 and X.509v3 Certificates 449

    Authenticating and Enrolling with the CA 450

    Public Key Cryptography Standards 450

    Simple Certificate Enrollment Protocol 451

    Revoked Certificates 451

    Uses for Digital Certificates 452

    PKI Topologies 452

        Single Root CA 453

        Hierarchical CA with Subordinate CAs 453

        Cross-Certifying CAs 453

Putting the Pieces of PKI to Work 453

    Default of the ASA 454

    Viewing the Certificates in ASDM 455

    Adding a New Root Certificate 455

    Easier Method for Installing Both Root and Identity certificates 457

Exam Preparation Tasks 462

Review All the Key Topics 462

Complete the Tables and Lists from Memory 462

Define Key Terms 463

Command Reference to Check Your Memory 463

Chapter 19 Fundamentals of IP Security

“Do I Know This Already?” Quiz 465

Foundation Topics 468

IPsec Concepts, Components, and Operations 468

    The Goal of IPsec 468

    The Play by Play for IPsec 469

        Step 1: Negotiate the IKE Phase 1 Tunnel 469

        Step 2: Run the DH Key Exchange 471

        Step 3: Authenticate the Peer 471

        What About the User’s Original Packet? 471

        Leveraging What They Have Already Built 471

        Now IPsec Can Protect the User’s Packets 472

        Traffic Before IPsec 472

        Traffic After IPsec 473

    Summary of the IPsec Story 474

Configuring and Verifying IPsec 475

    Tools to Configure the Tunnels 475

    Start with a Plan 475

    Applying the Configuration 475

    Viewing the CLI Equivalent at the Router 482

    Completing and Verifying IPsec 484

Exam Preparation Tasks 491

Review All the Key Topics 491

Complete the Tables and Lists from Memory 491

Define Key Terms 492

Command Reference to Check Your Memory 492

Chapter 20 Implementing IPsec Site-to-Site VPNs

“Do I Know This Already?” Quiz 495

Foundation Topics 498

Planning and Preparing an IPsec Site-to-Site VPN 498

    Customer Needs 498

    Planning IKE Phase 1 500

    Planning IKE Phase 2 501

Implementing and Verifying an IPsec Site-to-Site VPN 502

    Troubleshooting IPsec Site-to-Site VPNs 511

Exam Preparation Tasks 526

Review All the Key Topics 526

Complete the Tables and Lists from Memory 526

Define Key Terms 526

Command Reference to Check Your Memory 526

Chapter 21 Implementing SSL VPNs Using Cisco ASA

“Do I Know This Already?” Quiz 529

Foundation Topics 532

Functions and Use of SSL for VPNs 532

    Is IPsec Out of the Picture? 532

    SSL and TLS Protocol Framework 533

    The Play by Play of SSL for VPNs 534

    SSL VPN Flavors 534

Configuring SSL Clientless VPNs on ASA 535

    Using the SSL VPN Wizard 536

    Digital Certificates 537

    Authenticating Users 538

    Logging In 541

    Seeing the VPN Activity from the Server 543

Configuring the Full SSL AnyConnect VPN on the ASA 544

    Types of SSL VPNs 545

    Configuring Server to Support the AnyConnect Client 545

    Groups, Connection Profiles, and Defaults 552

    One Item with Three Different Names 553

    Split Tunneling 554

Exam Preparation Tasks 556

Review All the Key Topics 556

Complete the Tables and Lists from Memory 556

Define Key Terms 556

Chapter 22 Final Preparation

Tools for Final Preparation 559

    Pearson IT Certification Practice Test Engine and Questions on the CD 559

        Installing the Software from the CD 560

        Activating and Downloading the Practice Exam 560

        Activating Other Exams 560

        Premium Edition 561

    The Cisco Learning Network 561

    Memory Tables 561

    Chapter-Ending Review Tools 561

    Videos 562

Suggested Plan for Final Review/Study 562

    Using the Exam Engine 562

Summary 563

Part V Appendixes

Appendix A Answers to the “Do I Know This Already?” Quizzes 567

Appendix B CCNA Security 640-554 (IINSv2) Exam Updates 573

Glossary 577

On the CD

Appendix C Memory Tables

Appendix D Memory Tables Answer Key

ISBN 9781587204463 (table of contents as of 6/5/2012)