Top
Note: Supplemental materials are not guaranteed with Rental or Used book purchases.
Purchase Benefits
Free Shipping On Orders Over $35!
Get Rewarded for Ordering Your Textbooks! Enroll Now
Customer Reviews Read Reviews
Write a Review
What is included with this book?
Keith Barker, CCIE No. 6783 (R&S and Security), is a 27-year veteran of the networking industry. He currently works as a network engineer and trainer for Copper River IT. His past experience includes EDS, Blue Cross, Paramount Pictures, and KnowledgeNet, and he has delivered CCIE-level training over the past several years. As part of the original set of Cisco VIPs for the Cisco Learning Network, he continues to give back to the community in many ways. He is CISSP and CCSI certified, loves to teach, and keeps many of his video tutorials at http://www.youtube.com/keith6783. He can be reached at Keith.Barker@CopperRiverIT.com or by visiting http://www.CopperRiverIT.com.
Scott Morris, CCIE No. 4713 (R&S, ISP/Dial, Security, and Service Provider), has more than 25 years in the industry. He also has CCDE and myriad other certifications, including nine expert-level certifications spread over four major vendors. Having traveled the world consulting for various enterprise and service provider companies, Scott currently works at Copper River IT as the chief technologist. He, too, has delivered CCIE-level training and technology training for Cisco Systems and other technology vendors.
Having spent a “past life” (early career) as a photojournalist, he brings interesting points of view from entering the IT industry from the ground up. As part of the original set of Cisco VIPs for the Cisco Learning Network, he continues to give back to the community in many ways. He can be reached at smorris@CopperRiverIT.com or by visiting http://www.CopperRiverIT.com.
Introduction xxv
Part I Fundamentals of Network Security
Chapter 1 Networking Security Concepts
“Do I Know This Already?” Quiz 5
Foundation Topics 8
Understanding Network and Information Security Basics 8
Network Security Objectives 8
Confidentiality, Integrity, and Availability 8
Cost-Benefit Analysis of Security 9
Classifying Assets 10
Classifying Vulnerabilities 11
Classifying Countermeasures 12
What Do We Do with the Risk? 12
Recognizing Current Network Threats 13
Potential Attackers 13
Attack Methods 14
Attack Vectors 15
Man-in-the-Middle Attacks 15
Other Miscellaneous Attack Methods 16
Applying Fundamental Security Principles to Network Design 17
Guidelines 17
How It All Fits Together 19
Exam Preparation Tasks 20
Review All the Key Topics 20
Complete the Tables and Lists from Memory 20
Define Key Terms 20
Chapter 2 Understanding Security Policies Using a Lifecycle Approach
“Do I Know This Already?” Quiz 23
Foundation Topics 25
Risk Analysis and Management 25
Secure Network Lifecycle 25
Risk Analysis Methods 25
Security Posture Assessment 26
An Approach to Risk Management 27
Regulatory Compliance Affecting Risk 28
Security Policies 28
Who, What, and Why 28
Specific Types of Policies 29
Standards, Procedures, and Guidelines 30
Testing the Security Architecture 31
Responding to an Incident on the Network 32
Collecting Evidence 32
Reasons for Not Being an Attacker 32
Liability 33
Disaster Recovery and Business Continuity Planning 33
Exam Preparation Tasks 34
Review All the Key Topics 34
Complete the Tables and Lists from Memory 34
Define Key Terms 34
Chapter 3 Building a Security Strategy
“Do I Know This Already?” Quiz 37
Foundation Topics 40
Securing Borderless Networks 40
The Changing Nature of Networks 40
Logical Boundaries 40
SecureX and Context-Aware Security 42
Controlling and Containing Data Loss 42
An Ounce of Prevention 42
Secure Connectivity Using VPNs 43
Secure Management 43
Exam Preparation Tasks 44
Review All the Key Topics 44
Complete the Tables and Lists from Memory 44
Define Key Terms 44
Part II Protecting the Network Infrastructure
Chapter 4 Network Foundation Protection
“Do I Know This Already?” Quiz 49
Foundation Topics 52
Using Network Foundation Protection to Secure Networks 52
The Importance of the Network Infrastructure 52
The Network Foundation Protection (NFP) Framework 52
Interdependence 53
Implementing NFP 53
Understanding the Management Plane 55
First Things First 55
Best Practices for Securing the Management Plane 55
Understanding the Control Plane 56
Best Practices for Securing the Control Plane 56
Understanding the Data Plane 57
Best Practices for Protecting the Data Plane 59
Additional Data Plane Protection Mechanisms 59
Exam Preparation Tasks 60
Review All the Key Topics 60
Complete the Tables and Lists from Memory 60
Define Key Terms 60
Chapter 5 Using Cisco Configuration Professional to Protect the Network Infrastructure
“Do I Know This Already?” Quiz 63
Foundation Topics 65
Introducing Cisco Configuration Professional 65
Understanding CCP Features and the GUI 65
The Menu Bar 66
The Toolbar 67
Left Navigation Pane 68
Content Pane 69
Status Bar 69
Setting Up New Devices 69
CCP Building Blocks 70
Communities 70
Templates 74
User Profiles 78
CCP Audit Features 81
One-Step Lockdown 84
A Few Highlights 84
Exam Preparation Tasks 88
Review All the Key Topics 88
Complete the Tables and Lists from Memory 88
Define Key Terms 88
Command Reference to Check Your Memory 89
Chapter 6 Securing the Management Plane on Cisco IOS Devices
“Do I Know This Already?” Quiz 91
Foundation Topics 94
Securing Management Traffic 94
What Is Management Traffic and the Management Plane? 94
Beyond the Blue Rollover Cable 94
Management Plane Best Practices 95
Password Recommendations 97
Using AAA to Verify Users 97
AAA Components 98
Options for Storing Usernames, Passwords, and Access Rules 98
Authorizing VPN Users 99
Router Access Authentication 100
The AAA Method List 101
Role-Based Access Control 102
Custom Privilege Levels 103
Limiting the Administrator by Assigning a View 103
Encrypted Management Protocols 103
Using Logging Files 104
Understanding NTP 105
Protecting Cisco IOS Files 106
Implement Security Measures to Protect the Management Plane 106
Implementing Strong Passwords 106
User Authentication with AAA 108
Using the CLI to Troubleshoot AAA for Cisco Routers 113
RBAC Privilege Level/Parser View 118
Implementing Parser Views 120
SSH and HTTPS 122
Implementing Logging Features 125
Configuring Syslog Support 125
SNMP Features 128
Configuring NTP 131
Securing the Cisco IOS Image and Configuration Files 133
Exam Preparation Tasks 134
Review All the Key Topics 134
Complete the Tables and Lists from Memory 135
Define Key Terms 135
Command Reference to Check Your Memory 135
Chapter 7 Implementing AAA Using IOS and the ACS Server
“Do I Know This Already?” Quiz 137
Foundation Topics 140
Cisco Secure ACS, RADIUS, and TACACS 140
Why Use Cisco ACS? 140
What Platform Does ACS Run On? 141
What Is ISE? 141
Protocols Used Between the ACS and the Router 141
Protocol Choices Between the ACS Server and the Client (the Router) 142
Configuring Routers to Interoperate with an ACS Server 143
Configuring the ACS Server to Interoperate with a Router 154
Verifying and Troubleshooting Router-to-ACS Server Interactions 164
Exam Preparation Tasks 171
Review All the Key Topics 171
Complete the Tables and Lists from Memory 171
Define Key Terms 171
Command Reference to Check Your Memory 172
Chapter 8 Securing Layer 2 Technologies
“Do I Know This Already?” Quiz 175
Foundation Topics 178
VLAN and Trunking Fundamentals 178
What Is a VLAN? 178
Trunking with 802.1Q 180
Following the Frame, Step by Step 181
The Native VLAN on a Trunk 181
So, What Do You Want to Be? (Says the Port) 182
Inter-VLAN Routing 182
The Challenge of Using Physical Interfaces Only 182
Using Virtual “Sub” Interfaces 182
Spanning-Tree Fundamentals 183
Loops in Networks Are Usually Bad 184
The Life of a Loop 184
The Solution to the Layer 2 Loop 184
STP Is Wary of New Ports 187
Improving the Time Until Forwarding 187
Common Layer 2 Threats and How to Mitigate Them 188
Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too 188
Layer 2 Best Practices 189
Do Not Allow Negotiations 190
Layer 2 Security Toolkit 190
Specific Layer 2 Mitigation for CCNA Security 191
BPDU Guard 191
Root Guard 192
Port Security 192
Exam Preparation Tasks 195
Review All the Key Topics 195
Complete the Tables and Lists from Memory 195
Review the Port Security Video Included with This Book 196
Define Key Terms 196
Command Reference to Check Your Memory 196
Chapter 9 Securing the Data Plane in IPv6
“Do I Know This Already?” Quiz 199
Foundation Topics 202
Understanding and Configuring IPv6 202
Why IPv6? 202
The Format of an IPv6 Address 203
Understanding the Shortcuts 205
Did We Get an Extra Address? 205
IPv6 Address Types 206
Configuring IPv6 Routing 208
Moving to IPv6 210
Developing a Security Plan for IPv6 210
Best Practices Common to Both IPv4 and IPv6 210
Threats Common to Both IPv4 and IPv6 212
The Focus on IPv6 Security 213
New Potential Risks with IPv6 213
IPv6 Best Practices 214
Exam Preparation Tasks 216
Review All the Key Topics 216
Complete the Tables and Lists from Memory 216
Define Key Terms 217
Command Reference to Check Your Memory 217
Part III Mitigating and Controlling Threats
Chapter 10 Planning a Threat Control Strategy
“Do I Know This Already?” Quiz 221
Foundation Topics 224
Designing Threat Mitigation and Containment 224
The Opportunity for the Attacker Is Real 224
Many Potential Risks 224
The Biggest Risk of All 224
Where Do We Go from Here? 225
Securing a Network via Hardware/Software/Services 226
Switches 227
Routers 228
ASA Firewall 230
Other Systems and Services 231
Exam Preparation Tasks 232
Review All the Key Topics 232
Complete the Tables and Lists from Memory 232
Define Key Terms 232
Chapter 11 Using Access Control Lists for Threat Mitigation
“Do I Know This Already?” Quiz 235
Foundation Topics 238
Access Control List Fundamentals and Benefits 238
Access Lists Aren’t Just for Breakfast Anymore 238
Stopping Malicious Traffic with an Access List 239
What Can We Protect Against? 240
The Logic in a Packet-Filtering ACL 241
Standard and Extended Access Lists 242
Line Numbers Inside an Access List 243
Wildcard Masks 244
Object Groups 244
Implementing IPv4 ACLs as Packet Filters 244
Putting the Policy in Place 244
Monitoring the Access Lists 255
To Log or Not to Log 257
Implementing IPv6 ACLs as Packet Filters 259
Exam Preparation Tasks 263
Review All the Key Topics 263
Complete the Tables and Lists from Memory 263
Review the NAT Video Included with This Book 263
Define Key Terms 264
Command Reference to Check Your Memory 264
Chapter 12 Understanding Firewall Fundamentals
“Do I Know This Already?” Quiz 267
Foundation Topics 270
Firewall Concepts and Technologies 270
Firewall Technologies 270
Objectives of a Good Firewall 270
Firewall Justifications 271
The Defense-in-Depth Approach 272
Five Basic Firewall Methodologies 273
Static Packet Filtering 274
Application Layer Gateway 275
Stateful Packet Filtering 276
Application Inspection 277
Transparent Firewalls 277
Using Network Address Translation 278
NAT Is About Hiding or Changing the Truth About Source Addresses 278
Inside, Outside, Local, Global 279
Port Address Translation 280
NAT Options 281
Creating and Deploying Firewalls 283
Firewall Technologies 283
Firewall Design Considerations 283
Firewall Access Rules 284
Packet-Filtering Access Rule Structure 285
Firewall Rule Design Guidelines 285
Rule Implementation Consistency 286
Exam Preparation Tasks 288
Review All the Key Topics 288
Complete the Tables and Lists from Memory 288
Define Key Terms 288
Chapter 13 Implementing Cisco IOS Zone-Based Firewalls
“Do I Know This Already?” Quiz 291
Foundation Topics 294
Cisco IOS Zone-Based Firewall 294
How Zone-Based Firewall Operates 294
Specific Features of Zone-Based Firewalls 294
Zones and Why We Need Pairs of Them 295
Putting the Pieces Together 296
Service Policies 297
The Self Zone 300
Configuring and Verifying Cisco IOS Zone-Based Firewall 300
First Things First 301
Using CCP to Configure the Firewall 301
Verifying the Firewall 314
Verifying the Configuration from the Command Line 315
Implementing NAT in Addition to ZBF 319
Verifying Whether NAT Is Working 322
Exam Preparation Tasks 324
Review All the Key Topics 324
Review the Video Bonus Material 324
Complete the Tables and Lists from Memory 324
Define Key Terms 325
Command Reference to Check Your Memory 325
Chapter 14 Configuring Basic Firewall Policies on Cisco ASA
“Do I Know This Already?” Quiz 327
Foundation Topics 330
The ASA Appliance Family and Features 330
Meet the ASA Family 330
ASA Features and Services 331
ASA Firewall Fundamentals 333
ASA Security Levels 333
The Default Flow of Traffic 335
Tools to Manage the ASA 336
Initial Access 337
Packet Filtering on the ASA 337
Implementing a Packet-Filtering ACL 338
Modular Policy Framework 338
Where to Apply a Policy 339
Configuring the ASA 340
Beginning the Configuration 340
Getting to the ASDM GUI 345
Configuring the Interfaces 347
IP Addresses for Clients 355
Basic Routing to the Internet 356
NAT and PAT 357
Permitting Additional Access Through the Firewall 359
Using Packet Tracer to Verify Which Packets Are Allowed 362
Verifying the Policy of No Telnet 366
Exam Preparation Tasks 368
Review All the Key Topics 368
Complete the Tables and Lists from Memory 368
Define Key Terms 369
Command Reference to Check Your Memory 369
Chapter 15 Cisco IPS/IDS Fundamentals
“Do I Know This Already?” Quiz 371
Foundation Topics 374
IPS Versus IDS 374
What Sensors Do 374
Difference Between IPS and IDS 374
Sensor Platforms 376
True/False Negatives/Positives 376
Positive/Negative Terminology 377
Identifying Malicious Traffic on the Network 377
Signature-Based IPS/IDS 377
Policy-Based IPS/IDS 378
Anomaly-Based IPS/IDS 378
Reputation-Based IPS/IDS 378
When Sensors Detect Malicious Traffic 379
Controlling Which Actions the Sensors Should Take 381
Implementing Actions Based on the Risk Rating 382
IPv6 and IPS 382
Circumventing an IPS/IDS 382
Managing Signatures 384
Signature or Severity Levels 384
Monitoring and Managing Alarms and Alerts 385
Security Intelligence 385
IPS/IDS Best Practices 386
Exam Preparation Tasks 387
Review All the Key Topics 387
Complete the Tables and Lists from Memory 387
Define Key Terms 387
Chapter 16 Implementing IOS-Based IPS
“Do I Know This Already?” Quiz 389
Foundation Topics 392
Understanding and Installing an IOS-Based IPS 392
What Can IOS IPS Do? 392
Installing the IOS IPS Feature 393
Getting to the IPS Wizard 394
Working with Signatures in an IOS-Based IPS 400
Actions That May Be Taken 405
Best Practices When Tuning IPS 412
Managing and Monitoring IPS Alarms 412
Exam Preparation Tasks 417
Review All the Key Topics 417
Complete the Tables and Lists from Memory 417
Define Key Terms 417
Command Reference to Check Your Memory 418
Part IV Using VPNs for Secure Connectivity
Chapter 17 Fundamentals of VPN Technology
“Do I Know This Already?” Quiz 423
Foundation Topics 426
Understanding VPNs and Why We Use Them 426
What Is a VPN? 426
Types of VPNs 427
Two Main Types of VPNs 427
Main Benefits of VPNs 427
Confidentiality 428
Data Integrity 428
Authentication 430
Antireplay 430
Cryptography Basic Components 430
Ciphers and Keys 430
Ciphers 430
Keys 431
Block and Stream Ciphers 431
Block Ciphers 432
Stream Ciphers 432
Symmetric and Asymmetric Algorithms 432
Symmetric 432
Asymmetric 433
Hashes 434
Hashed Message Authentication Code 434
Digital Signatures 435
Digital Signatures in Action 435
Key Management 436
IPsec and SSL 436
IPsec 436
SSL 437
Exam Preparation Tasks 439
Review All the Key Topics 439
Complete the Tables and Lists from Memory 439
Define Key Terms 439
Chapter 18 Fundamentals of the Public Key Infrastructure
“Do I Know This Already?” Quiz 441
Foundation Topics 444
Public Key Infrastructure 444
Public and Private Key Pairs 444
RSA Algorithm, the Keys, and Digital Certificates 445
Who Has Keys and a Digital Certificate? 445
How Two Parties Exchange Public Keys 445
Creating a Digital Signature 445
Certificate Authorities 446
Root and Identity Certificates 446
Root Certificate 446
Identity Certificate 448
Using the Digital Certificates to get the Peer’s Public Key 448
X.500 and X.509v3 Certificates 449
Authenticating and Enrolling with the CA 450
Public Key Cryptography Standards 450
Simple Certificate Enrollment Protocol 451
Revoked Certificates 451
Uses for Digital Certificates 452
PKI Topologies 452
Single Root CA 453
Hierarchical CA with Subordinate CAs 453
Cross-Certifying CAs 453
Putting the Pieces of PKI to Work 453
Default of the ASA 454
Viewing the Certificates in ASDM 455
Adding a New Root Certificate 455
Easier Method for Installing Both Root and Identity certificates 457
Exam Preparation Tasks 462
Review All the Key Topics 462
Complete the Tables and Lists from Memory 462
Define Key Terms 463
Command Reference to Check Your Memory 463
Chapter 19 Fundamentals of IP Security
“Do I Know This Already?” Quiz 465
Foundation Topics 468
IPsec Concepts, Components, and Operations 468
The Goal of IPsec 468
The Play by Play for IPsec 469
Step 1: Negotiate the IKE Phase 1 Tunnel 469
Step 2: Run the DH Key Exchange 471
Step 3: Authenticate the Peer 471
What About the User’s Original Packet? 471
Leveraging What They Have Already Built 471
Now IPsec Can Protect the User’s Packets 472
Traffic Before IPsec 472
Traffic After IPsec 473
Summary of the IPsec Story 474
Configuring and Verifying IPsec 475
Tools to Configure the Tunnels 475
Start with a Plan 475
Applying the Configuration 475
Viewing the CLI Equivalent at the Router 482
Completing and Verifying IPsec 484
Exam Preparation Tasks 491
Review All the Key Topics 491
Complete the Tables and Lists from Memory 491
Define Key Terms 492
Command Reference to Check Your Memory 492
Chapter 20 Implementing IPsec Site-to-Site VPNs
“Do I Know This Already?” Quiz 495
Foundation Topics 498
Planning and Preparing an IPsec Site-to-Site VPN 498
Customer Needs 498
Planning IKE Phase 1 500
Planning IKE Phase 2 501
Implementing and Verifying an IPsec Site-to-Site VPN 502
Troubleshooting IPsec Site-to-Site VPNs 511
Exam Preparation Tasks 526
Review All the Key Topics 526
Complete the Tables and Lists from Memory 526
Define Key Terms 526
Command Reference to Check Your Memory 526
Chapter 21 Implementing SSL VPNs Using Cisco ASA
“Do I Know This Already?” Quiz 529
Foundation Topics 532
Functions and Use of SSL for VPNs 532
Is IPsec Out of the Picture? 532
SSL and TLS Protocol Framework 533
The Play by Play of SSL for VPNs 534
SSL VPN Flavors 534
Configuring SSL Clientless VPNs on ASA 535
Using the SSL VPN Wizard 536
Digital Certificates 537
Authenticating Users 538
Logging In 541
Seeing the VPN Activity from the Server 543
Configuring the Full SSL AnyConnect VPN on the ASA 544
Types of SSL VPNs 545
Configuring Server to Support the AnyConnect Client 545
Groups, Connection Profiles, and Defaults 552
One Item with Three Different Names 553
Split Tunneling 554
Exam Preparation Tasks 556
Review All the Key Topics 556
Complete the Tables and Lists from Memory 556
Define Key Terms 556
Chapter 22 Final Preparation
Tools for Final Preparation 559
Pearson IT Certification Practice Test Engine and Questions on the CD 559
Installing the Software from the CD 560
Activating and Downloading the Practice Exam 560
Activating Other Exams 560
Premium Edition 561
The Cisco Learning Network 561
Memory Tables 561
Chapter-Ending Review Tools 561
Videos 562
Suggested Plan for Final Review/Study 562
Using the Exam Engine 562
Summary 563
Part V Appendixes
Appendix A Answers to the “Do I Know This Already?” Quizzes 567
Appendix B CCNA Security 640-554 (IINSv2) Exam Updates 573
Glossary 577
On the CD
Appendix C Memory Tables
Appendix D Memory Tables Answer Key
9781587204463 TOC 6/5/2012
The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.
The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.
Need Help? Copyright © 1999-2024