CCNA Security Portable Command Guide

Bob Vachon is a professor in the Computer Systems Technology program at Cambrian College in Sudbury, Ontario, Canada, where he teaches networking infrastructure courses. He has worked and taught in the computer networking and information technology field since 1984. He has collaborated on various CCNA, CCNA Security, and CCNP projects for the Cisco Networking Academy as team lead, lead author, and subject matter expert. He enjoys playing the guitar and being outdoors, either working in his gardens or whitewater canoe tripping.

    Introduction xvii

Part I: Networking Security Fundamentals

CHAPTER 1 Networking Security Concepts 1

    Basic Security Concepts 2

        Assets, Vulnerabilities, Threats, and Countermeasures 2

        Confidentiality, Integrity, and Availability 2

        Data Classification Criteria 2

        Data Classification Levels 2

        Classification Roles 3

    Threat Classification 3

        Preventive, Detective, and Corrective Controls 3

        Risk Avoidance, Transfer, and Retention 4

    Drivers for Network Security 4

        Evolution of Threats 4

        Tracking Threats 5

    Malicious Code: Viruses, Worms, and Trojan Horses 5

        Anatomy of a Worm 6

        Mitigating Malware and Worms 6

    Threats in Borderless Networks 7

        Hacker Titles 7

        Thinking Like a Hacker 8

        Reconnaissance Attacks 8

        Access Attacks 9

        Password Cracking 10

        Denial-of-Service Attacks 10

    Principles of Secure Network Design 11

    Defense in Depth 11

CHAPTER 2 Implementing Security Policies Using a Lifecycle Approach 13

    Risk Analysis 13

        Quantitative Risk Analysis Formula 14

        Quantitative Risk Analysis Example 15

        Regulatory Compliance 15

    Security Policy 17

        Standards, Guidelines, and Procedures 18

        Security Policy Audience Responsibilities 19

        Security Awareness 19

    Secure Network Lifecycle Management 19

        Models and Frameworks 21

        Assessing and Monitoring the Network Security Posture 21

        Testing the Security Architecture 22

    Incident Response 22

        Incident Response Phases 22

        Computer Crime Investigation 23

        Collection of Evidence and Forensics 23

        Law Enforcement and Liability 23

        Ethics 23

    Disaster-Recovery and Business-Continuity Planning 23

CHAPTER 3 Building a Security Strategy for Borderless Networks 25

    Cisco Borderless Network Architecture 25

        Borderless Security Products 26

    Cisco SecureX Architecture and Context-Aware Security 26

        Cisco TrustSec 28

        TrustSec Confidentiality 28

        Cisco AnyConnect 29

        Cisco Security Intelligence Operations 29

    Threat Control and Containment 29

    Cloud Security and Data-Loss Prevention 30

    Secure Connectivity Through VPNs 31

    Security Management 31

Part II: Protecting the Network Infrastructure

CHAPTER 4 Network Foundation Protection 33

    Threats Against the Network Infrastructure 33

    Cisco Network Foundation Protection Framework 34

    Control Plane Security 35

        Control Plane Policing 36

    Management Plane Security 36

        Role-Based Access Control 37

        Secure Management and Reporting 37

    Data Plane Security 37

        ACLs 37

        Antispoofing 38

        Layer 2 Data Plane Protection 38

CHAPTER 5 Protecting the Network Infrastructure Using CCP 39

    Cisco Configuration Professional 39

    Cisco Configuration Professional Express 40

        Connecting to Cisco CP Express Using the GUI 41

    Cisco Configuration Professional 44

        Configuring an ISR for CCP Support 44

        Installing CCP on a Windows PC 45

        Connecting to an ISR Using CCP 45

    CCP Features and User Interface 47

        Application Menu Options 48

        Toolbar Menu Options 48

        Toolbar Configure Options 49

        Toolbar Monitor Options 49

    Using CCP to Configure IOS Device-Hardening Features 49

        CCP Security Audit 49

        CCP One-Step Lockdown 50

    Using the Cisco IOS AutoSecure CLI Feature 51

        Configuring AutoSecure via the CLI 51

CHAPTER 6 Securing the Management Plane 53

    Planning a Secure Management and Reporting Strategy 54

    Securing the Management Plane 54

        Securing Passwords 55

        Securing the Console Line and Disabling the Auxiliary Line 55

        Securing VTY Access with SSH 56

        Securing VTY Access with SSH Example 57

        Securing VTY Access with SSH Using CCP Example 58

        Securing Configuration and IOS Files 60

        Restoring Bootset Files 61

    Implementing Role-Based Access Control on Cisco Routers 62

        Configuring Privilege Levels 62

        Configuring Privilege Levels Example 62

        Configuring RBAC via the CLI 62

        Configuring RBAC via the CLI Example 63

        Configuring Superviews 63

        Configuring a Superview Example 64

        Configuring RBAC Using CCP Example 64

    Network Monitoring 67

        Configuring a Network Time Protocol Master Clock 67

        Configuring an NTP Client 67

        Configuring an NTP Master and Client Example 67

        Configuring an NTP Client Using CCP Example 68

        Configuring Syslog 69

        Configuring Syslog Example 71

        Configuring Syslog Using CCP Example 71

        Configuring SNMP 74

        Configuring SNMP Using CCP 74

CHAPTER 7 Securing Management Access with AAA 77

    Authenticating Administrative Access 78

        Local Authentication 78

        Server-Based Authentication 78

        Authentication, Authorization, and Accounting Framework 79

    Local AAA Authentication 79

        Configuring Local AAA Authentication Example 80

        Configuring Local AAA Authentication Using CCP Example 81

    Server-Based AAA Authentication 86

        TACACS+ Versus RADIUS 86

        Configuring Server-Based AAA Authentication 87

        Configuring Server-Based AAA Authentication Example 88

        Configuring Server-Based AAA Authentication Using CCP Example 89

        AAA Authorization 94

        Configuring AAA Authorization Example 94

        Configuring AAA Authorization Using CCP 94

    AAA Accounting 98

        Configuring AAA Accounting Example 98

    Cisco Secure ACS 98

        Adding a Router as a AAA Client 99

        Configuring Identity Groups and an Identity Store 99

        Configuring Access Service to Process Requests 100

        Creating Identity and Authorization Policies 101

CHAPTER 8 Securing the Data Plane on Catalyst Switches 103

    Common Threats to the Switching Infrastructure 104

        Layer 2 Attacks 104

        Layer 2 Security Guidelines 104

    MAC Address Attacks 105

        Configuring Port Security 105

        Fine-Tuning Port Security 106

        Configuring Optional Port Security Settings 107

        Configuring Port Security Example 108

    Spanning Tree Protocol Attacks 109

        STP Enhancement Features 109

        Configuring STP Enhancement Features 110

        Configuring STP Enhancements Example 111

    LAN Storm Attacks 112

        Configuring Storm Control 112

        Configuring Storm Control Example 113

    VLAN Hopping Attacks 113

        Mitigating VLAN Attacks 114

        Mitigating VLAN Attacks Example 114

    Advanced Layer 2 Security Features 115

        ACLs and Private VLANs 116

        Cisco Integrated Security Features 116

        Secure the Switch Management Plane 117

CHAPTER 9 Securing the Data Plane in IPv6 Environments 119

    Overview of IPv6 119

        Comparison Between IPv4 and IPv6 119

        The IPv6 Header 120

        ICMPv6 121

        Stateless Autoconfiguration 122

        IPv4-to-IPv6 Transition Solutions 122

        IPv6 Routing Solutions 122

    IPv6 Threats 123

        IPv6 Vulnerabilities 124

    IPv6 Security Strategy 124

        Configuring Ingress Filtering 124

        Secure Transition Mechanisms 125

        Future Security Enhancements 125

Part III: Threat Control and Containment

CHAPTER 10 Planning a Threat Control Strategy 127

    Threats 127

        Trends in Information Security Threats 127

    Threat Control Guidelines 128

        Threat Control Design Guidelines 128

    Integrated Threat Control Strategy 129

        Cisco Security Intelligence Operations 130

CHAPTER 11 Confi guring ACLs for Threat Mitigation 131

    Access Control List 131

        Mitigating Threats Using ACLs 132

        ACL Design Guidelines 132

        ACL Operation 132

    Configuring ACLs 134

        ACL Configuration Guidelines 134

        Filtering with Numbered Extended ACLs 134

        Configuring a Numbered Extended ACL Example 135

        Filtering with Named Extended ACLs 135

        Configuring a Named Extended ACL Example 136

        Configuring an Extended ACL Using CCP Example 136

    Enhancing ACL Protection with Object Groups 140

        Network Object Groups 140

        Service Object Groups 140

        Using Object Groups in Extended ACLs 141

        Configuring Object Groups in ACLs Example 142

        Configuring Object Groups in ACLs Using CCP Example 144

    ACLs in IPv6 149

        Mitigating IPv6 Attacks Using ACLs 149

        IPv6 ACLs Implicit Entries 149

        Filtering with IPv6 ACLs 149

        Configuring an IPv6 ACL Example 151

CHAPTER 12 Confi guring Zone-Based Firewalls 153

    Firewall Fundamentals 153

        Types of Firewalls 154

    Firewall Design 154

        Firewall Policies 154

        Firewall Rule Design Guidelines 155

        Cisco IOS Firewall Evolution 155

    Cisco IOS Zone-Based Policy Firewall 156

        Cisco Common Classification Policy Language 156

        ZFW Design Considerations 156

        Default Policies, Traffic Flows, and Zone Interaction 157

        Configuring an IOS ZFW 157

        Configuring an IOS ZFW Using the CLI Example 160

        Configuring an IOS ZFW Using CCP Example 161

        Configuring NAT Services for ZFWs Using CCP Example 167

CHAPTER 13 Confi guring Cisco IOS IPS 171

    IDS and IPS Fundamentals 171

        Types of IPS Sensors 172

        Types of Signatures 172

        Types of Alarms 172

    Intrusion Prevention Technologies 173

        IPS Attack Responses 174

        IPS Anti-Evasion Techniques 175

        Managing Signatures 175

        Cisco IOS IPS Signature Files 176

        Implementing Alarms in Signatures 176

        IOS IPS Severity Levels 177

        Event Monitoring and Management 177

        IPS Recommended Practices 178

    Configuring IOS IPS 178

        Creating an IOS IPS Rule and Specifying the IPS Signature File Location 179

        Tuning Signatures per Category 180

        Configuring IOS IPS Example 183

        Configuring IOS IPS Using CCP Example 185

        Signature Tuning Using CCP 193

Part IV: Secure Connectivity

CHAPTER 14 VPNs and Cryptology 195

    Virtual Private Networks 195

        VPN Deployment Modes 196

    Cryptology = Cryptography + Cryptanalysis 197

        Historical Cryptographic Ciphers 197

        Modern Substitution Ciphers 198

        Encryption Algorithms 198

        Cryptanalysis 199

    Cryptographic Processes in VPNs 200

        Classes of Encryption Algorithms 201

        Symmetric Encryption Algorithms 201

        Asymmetric Encryption Algorithm 202

        Choosing an Encryption Algorithm 202

        Choosing an Adequate Keyspace 202

    Cryptographic Hashes 203

        Well-Known Hashing Algorithms 203

        Hash-Based Message Authentication Codes 203

    Digital Signatures 204

CHAPTER 15 Asymmetric Encryption and PKI 207

    Asymmetric Encryption 207

        Public Key Confidentiality and Authentication 207

        RSA Functions 208

    Public Key Infrastructure 208

        PKI Terminology 209

        PKI Standards 209

        PKI Topologies 210

        PKI Characteristics 211

CHAPTER 16 IPsec VPNs 213

    IPsec Protocol 213

        IPsec Protocol Framework 214

        Encapsulating IPsec Packets 215

        Transport Versus Tunnel Mode 215

        Confidentiality Using Encryption Algorithms 216

        Data Integrity Using Hashing Algorithms 216

        Peer Authentication Methods 217

        Key Exchange Algorithms 217

        NSA Suite B Standard 218

    Internet Key Exchange 218

        IKE Negotiation Phases 219

        IKEv1 Phase 1 (Main Mode and Aggressive Mode) 219

        IKEv1 Phase 2 (Quick Mode) 220

        IKEv2 Phase 1 and 2 220

        IKEv1 Versus IKEv2 221

    IPv6 VPNs 221

CHAPTER 17 Confi guring Site-to-Site VPNs 223

    Site-to-Site IPsec VPNs 223

        IPsec VPN Negotiation Steps 223

        Planning an IPsec VPN 224

        Cipher Suite Options 225

    Configuring IOS Site-to-Site VPNs 225

        Verifying the VPN Tunnel 229

        Configuring a Site-to-Site IPsec VPN Using IOS Example 230

        Configuring a Site-to-Site IPsec VPN Using CCP Example 232

        Generating a Mirror Configuration Using CCP 241

        Testing and Monitoring IPsec VPNs 242

        Monitoring Established IPsec VPN Connections Using CCP 244

Part V: Securing the Network Using the ASA

CHAPTER 18 Introduction to the ASA 247

    Adaptive Security Appliance 247

        ASA Models 248

        Routed and Transparent Firewall Modes 249

        ASA Licensing 249

    Basic ASA Configuration 251

        ASA 5505 Front and Back Panel 251

        ASA 5510 Front and Back Panel 252

        ASA Security Levels 253

        ASA 5505 Port Configuration 255

        ASA 5505 Deployment Scenarios 255

        ASA 5505 Configuration Options 255

CHAPTER 19 Introduction to ASDM 257

    Adaptive Security Device Manager 257

        Accessing ASDM 258

        Factory Default Settings 258

        Resetting the ASA 5505 to Factory Default Settings 259

        Erasing the Factory Default Settings 259

        Setup Initialization Wizard 259

    Installing and Running ASDM 260

        Running ASDM 262

    ASDM Wizards 264

        The Startup Wizard 264

        VPN Wizards 265

        Advanced Wizards 266

CHAPTER 20 Confi guring Cisco ASA Basic Settings 267

    ASA Command-Line Interface 267

        Differences Between IOS and ASA OS 268

    Configuring Basic Settings 268

        Configuring Basic Management Settings 269

        Enabling the Master Passphrase 269

    Configuring Interfaces 270

        Configuring the Inside and Outside SVIs 270

        Assigning Layer 2 Ports to VLANs 271

        Configuring a Third SVI 272

    Configuring the Management Plane 272

        Enabling Telnet, SSH, and HTTPS Access 272

        Configuring Time Services 274

    Configuring the Control Plane 274

        Configuring a Default Route 274

    Basic Settings Example 274

        Configuring Basic Settings Example Using the CLI 275

        Configuring Basic Settings Example Using ASDM 277

CHAPTER 21 Confi guring Cisco ASA Advanced Settings 283

    ASA DHCP Services 284

        DHCP Client 284

        DHCP Server Services 284

        Configuring DHCP Server Example Using the CLI 285

        Configuring DHCP Server Example Using ASDM 287

    ASA Objects and Object Groups 289

        Network and Service Objects 289

        Network, Protocol, ICMP, and Service Object Groups 291

        Configuring Objects and Object Groups Example Using ASDM 293

    ASA ACLs 295

        ACL Syntax 296

        Configuring ACLs Example Using the CLI 297

        Configuring ACLs with Object Groups Example Using the CLI 299

        Configuring ACLs with Object Groups Example Using ASDM 300

    ASA NAT Services 301

        Auto-NAT 302

        Dynamic NAT, Dynamic PAT, and Static NAT 302

        Configuring Dynamic and Static NAT Example Using the CLI 304

        Configuring Dynamic NAT Example Using ASDM 306

    AAA Access Control 308

        Local AAA Authentication 308

        Server-Based AAA Authentication 309

        Configuring AAA Server-Based Authentication Example Using the CLI 309

        Configuring AAA Server-Based Authentication Example Using ASDM 310

    Modular Policy Framework Service Policies 313

        Class Maps, Policy Maps, and Service Policies 314

        Default Global Policies 317

        Configure Service Policy Example Using ASDM 318

CHAPTER 22 Confi guring Cisco ASA SSL VPNs 319

    Remote-Access VPNs 319

        Types of Remote-Access VPNs 319

    ASA SSL VPN 320

        Client-Based SSL VPN Example Using ASDM 321

        Clientless SSL VPN Example Using ASDM 328

APPENDIX Create Your Own Journal Here 335

TOC, 9781587204487, 5/1/2012

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.