HAPPY BOOKSGIVING
Use code BOOKSGIVING during checkout to save 40%-55% on books and eBooks. Shop now.
Register your product to gain access to bonus material or receive a coupon.
All the CCNA Security 640-554 commands in one compact, portable resource
Preparing for the latest CCNA® Security exam? Here are all the CCNA Security commands you need in one condensed, portable resource. Filled with valuable, easy-to-access information, the CCNA Security Portable Command Guide is portable enough for you to use whether you’re in the server room or the equipment closet.
Completely updated to reflect the new CCNA Security 640-554 exam, this quick reference summarizes relevant Cisco IOS® Software commands, keywords, command arguments, and associated prompts, and offers tips and examples for applying these commands to real-world security challenges. Throughout, configuration examples provide an even deeper understanding of how to use IOS to protect networks.
Topics covered include
• Networking security fundamentals: concepts, policies, strategies, and more
• Securing network infrastructure: network foundations, CCP, management plane and access, and data planes (IPv6/IPv4)
• Secure connectivity: VPNs, cryptography, IPsec, and more
• Threat control and containment: strategies, ACL threat mitigation, zone-based firewalls, and Cisco IOS IPS
• Securing networks with ASA: ASDM, basic and advanced settings, and ASA SSL VPNs
Bob Vachon is a professor at Cambrian College. He has held CCNP certification since 2002 and has collaborated on many Cisco Networking Academy courses. He was the lead author for the Academy’s CCNA Security v1.1 curriculum that aligns to the Cisco IOS Network Security (IINS) certification exam (640-554).
· Access all CCNA Security commands: use as a quick, offline resource for research and solutions
· Logical how-to topic groupings provide one-stop research
· Great for review before CCNA Security certification exams
· Compact size makes it easy to carry with you, wherever you go
· “Create Your Own Journal” section with blank, lined pages allows you to personalize the book for your needs
· “What Do You Want to Do?” chart inside front cover helps you to quickly reference specific tasks
This book is part of the Cisco Press® Certification Self-Study Product Family, which offers readers a self-paced study routine for Cisco® certification exams. Titles in the Cisco Press Certification Self-Study Product Family are part of a recommended learning program from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press.
CCNA Security Portable Command Guide: Network Foundation Protection
Download the sample pages (includes Chapter 4 and Index)
Introduction xvii
Part I: Networking Security Fundamentals
CHAPTER 1 Networking Security Concepts 1
Basic Security Concepts 2
Assets, Vulnerabilities, Threats, and Countermeasures 2
Confidentiality, Integrity, and Availability 2
Data Classification Criteria 2
Data Classification Levels 2
Classification Roles 3
Threat Classification 3
Preventive, Detective, and Corrective Controls 3
Risk Avoidance, Transfer, and Retention 4
Drivers for Network Security 4
Evolution of Threats 4
Tracking Threats 5
Malicious Code: Viruses, Worms, and Trojan Horses 5
Anatomy of a Worm 6
Mitigating Malware and Worms 6
Threats in Borderless Networks 7
Hacker Titles 7
Thinking Like a Hacker 8
Reconnaissance Attacks 8
Access Attacks 9
Password Cracking 10
Denial-of-Service Attacks 10
Principles of Secure Network Design 11
Defense in Depth 11
CHAPTER 2 Implementing Security Policies Using a Lifecycle Approach 13
Risk Analysis 13
Quantitative Risk Analysis Formula 14
Quantitative Risk Analysis Example 15
Regulatory Compliance 15
Security Policy 17
Standards, Guidelines, and Procedures 18
Security Policy Audience Responsibilities 19
Security Awareness 19
Secure Network Lifecycle Management 19
Models and Frameworks 21
Assessing and Monitoring the Network Security Posture 21
Testing the Security Architecture 22
Incident Response 22
Incident Response Phases 22
Computer Crime Investigation 23
Collection of Evidence and Forensics 23
Law Enforcement and Liability 23
Ethics 23
Disaster-Recovery and Business-Continuity Planning 23
CHAPTER 3 Building a Security Strategy for Borderless Networks 25
Cisco Borderless Network Architecture 25
Borderless Security Products 26
Cisco SecureX Architecture and Context-Aware Security 26
Cisco TrustSec 28
TrustSec Confidentiality 28
Cisco AnyConnect 29
Cisco Security Intelligence Operations 29
Threat Control and Containment 29
Cloud Security and Data-Loss Prevention 30
Secure Connectivity Through VPNs 31
Security Management 31
Part II: Protecting the Network Infrastructure
CHAPTER 4 Network Foundation Protection 33
Threats Against the Network Infrastructure 33
Cisco Network Foundation Protection Framework 34
Control Plane Security 35
Control Plane Policing 36
Management Plane Security 36
Role-Based Access Control 37
Secure Management and Reporting 37
Data Plane Security 37
ACLs 37
Antispoofing 38
Layer 2 Data Plane Protection 38
CHAPTER 5 Protecting the Network Infrastructure Using CCP 39
Cisco Configuration Professional 39
Cisco Configuration Professional Express 40
Connecting to Cisco CP Express Using the GUI 41
Cisco Configuration Professional 44
Configuring an ISR for CCP Support 44
Installing CCP on a Windows PC 45
Connecting to an ISR Using CCP 45
CCP Features and User Interface 47
Application Menu Options 48
Toolbar Menu Options 48
Toolbar Configure Options 49
Toolbar Monitor Options 49
Using CCP to Configure IOS Device-Hardening Features 49
CCP Security Audit 49
CCP One-Step Lockdown 50
Using the Cisco IOS AutoSecure CLI Feature 51
Configuring AutoSecure via the CLI 51
CHAPTER 6 Securing the Management Plane 53
Planning a Secure Management and Reporting Strategy 54
Securing the Management Plane 54
Securing Passwords 55
Securing the Console Line and Disabling the Auxiliary Line 55
Securing VTY Access with SSH 56
Securing VTY Access with SSH Example 57
Securing VTY Access with SSH Using CCP Example 58
Securing Configuration and IOS Files 60
Restoring Bootset Files 61
Implementing Role-Based Access Control on Cisco Routers 62
Configuring Privilege Levels 62
Configuring Privilege Levels Example 62
Configuring RBAC via the CLI 62
Configuring RBAC via the CLI Example 63
Configuring Superviews 63
Configuring a Superview Example 64
Configuring RBAC Using CCP Example 64
Network Monitoring 67
Configuring a Network Time Protocol Master Clock 67
Configuring an NTP Client 67
Configuring an NTP Master and Client Example 67
Configuring an NTP Client Using CCP Example 68
Configuring Syslog 69
Configuring Syslog Example 71
Configuring Syslog Using CCP Example 71
Configuring SNMP 74
Configuring SNMP Using CCP 74
CHAPTER 7 Securing Management Access with AAA 77
Authenticating Administrative Access 78
Local Authentication 78
Server-Based Authentication 78
Authentication, Authorization, and Accounting Framework 79
Local AAA Authentication 79
Configuring Local AAA Authentication Example 80
Configuring Local AAA Authentication Using CCP Example 81
Server-Based AAA Authentication 86
TACACS+ Versus RADIUS 86
Configuring Server-Based AAA Authentication 87
Configuring Server-Based AAA Authentication Example 88
Configuring Server-Based AAA Authentication Using CCP Example 89
AAA Authorization 94
Configuring AAA Authorization Example 94
Configuring AAA Authorization Using CCP 94
AAA Accounting 98
Configuring AAA Accounting Example 98
Cisco Secure ACS 98
Adding a Router as a AAA Client 99
Configuring Identity Groups and an Identity Store 99
Configuring Access Service to Process Requests 100
Creating Identity and Authorization Policies 101
CHAPTER 8 Securing the Data Plane on Catalyst Switches 103
Common Threats to the Switching Infrastructure 104
Layer 2 Attacks 104
Layer 2 Security Guidelines 104
MAC Address Attacks 105
Configuring Port Security 105
Fine-Tuning Port Security 106
Configuring Optional Port Security Settings 107
Configuring Port Security Example 108
Spanning Tree Protocol Attacks 109
STP Enhancement Features 109
Configuring STP Enhancement Features 110
Configuring STP Enhancements Example 111
LAN Storm Attacks 112
Configuring Storm Control 112
Configuring Storm Control Example 113
VLAN Hopping Attacks 113
Mitigating VLAN Attacks 114
Mitigating VLAN Attacks Example 114
Advanced Layer 2 Security Features 115
ACLs and Private VLANs 116
Cisco Integrated Security Features 116
Secure the Switch Management Plane 117
CHAPTER 9 Securing the Data Plane in IPv6 Environments 119
Overview of IPv6 119
Comparison Between IPv4 and IPv6 119
The IPv6 Header 120
ICMPv6 121
Stateless Autoconfiguration 122
IPv4-to-IPv6 Transition Solutions 122
IPv6 Routing Solutions 122
IPv6 Threats 123
IPv6 Vulnerabilities 124
IPv6 Security Strategy 124
Configuring Ingress Filtering 124
Secure Transition Mechanisms 125
Future Security Enhancements 125
Part III: Threat Control and Containment
CHAPTER 10 Planning a Threat Control Strategy 127
Threats 127
Trends in Information Security Threats 127
Threat Control Guidelines 128
Threat Control Design Guidelines 128
Integrated Threat Control Strategy 129
Cisco Security Intelligence Operations 130
CHAPTER 11 Confi guring ACLs for Threat Mitigation 131
Access Control List 131
Mitigating Threats Using ACLs 132
ACL Design Guidelines 132
ACL Operation 132
Configuring ACLs 134
ACL Configuration Guidelines 134
Filtering with Numbered Extended ACLs 134
Configuring a Numbered Extended ACL Example 135
Filtering with Named Extended ACLs 135
Configuring a Named Extended ACL Example 136
Configuring an Extended ACL Using CCP Example 136
Enhancing ACL Protection with Object Groups 140
Network Object Groups 140
Service Object Groups 140
Using Object Groups in Extended ACLs 141
Configuring Object Groups in ACLs Example 142
Configuring Object Groups in ACLs Using CCP Example 144
ACLs in IPv6 149
Mitigating IPv6 Attacks Using ACLs 149
IPv6 ACLs Implicit Entries 149
Filtering with IPv6 ACLs 149
Configuring an IPv6 ACL Example 151
CHAPTER 12 Confi guring Zone-Based Firewalls 153
Firewall Fundamentals 153
Types of Firewalls 154
Firewall Design 154
Firewall Policies 154
Firewall Rule Design Guidelines 155
Cisco IOS Firewall Evolution 155
Cisco IOS Zone-Based Policy Firewall 156
Cisco Common Classification Policy Language 156
ZFW Design Considerations 156
Default Policies, Traffic Flows, and Zone Interaction 157
Configuring an IOS ZFW 157
Configuring an IOS ZFW Using the CLI Example 160
Configuring an IOS ZFW Using CCP Example 161
Configuring NAT Services for ZFWs Using CCP Example 167
CHAPTER 13 Confi guring Cisco IOS IPS 171
IDS and IPS Fundamentals 171
Types of IPS Sensors 172
Types of Signatures 172
Types of Alarms 172
Intrusion Prevention Technologies 173
IPS Attack Responses 174
IPS Anti-Evasion Techniques 175
Managing Signatures 175
Cisco IOS IPS Signature Files 176
Implementing Alarms in Signatures 176
IOS IPS Severity Levels 177
Event Monitoring and Management 177
IPS Recommended Practices 178
Configuring IOS IPS 178
Creating an IOS IPS Rule and Specifying the IPS Signature File Location 179
Tuning Signatures per Category 180
Configuring IOS IPS Example 183
Configuring IOS IPS Using CCP Example 185
Signature Tuning Using CCP 193
Part IV: Secure Connectivity
CHAPTER 14 VPNs and Cryptology 195
Virtual Private Networks 195
VPN Deployment Modes 196
Cryptology = Cryptography + Cryptanalysis 197
Historical Cryptographic Ciphers 197
Modern Substitution Ciphers 198
Encryption Algorithms 198
Cryptanalysis 199
Cryptographic Processes in VPNs 200
Classes of Encryption Algorithms 201
Symmetric Encryption Algorithms 201
Asymmetric Encryption Algorithm 202
Choosing an Encryption Algorithm 202
Choosing an Adequate Keyspace 202
Cryptographic Hashes 203
Well-Known Hashing Algorithms 203
Hash-Based Message Authentication Codes 203
Digital Signatures 204
CHAPTER 15 Asymmetric Encryption and PKI 207
Asymmetric Encryption 207
Public Key Confidentiality and Authentication 207
RSA Functions 208
Public Key Infrastructure 208
PKI Terminology 209
PKI Standards 209
PKI Topologies 210
PKI Characteristics 211
CHAPTER 16 IPsec VPNs 213
IPsec Protocol 213
IPsec Protocol Framework 214
Encapsulating IPsec Packets 215
Transport Versus Tunnel Mode 215
Confidentiality Using Encryption Algorithms 216
Data Integrity Using Hashing Algorithms 216
Peer Authentication Methods 217
Key Exchange Algorithms 217
NSA Suite B Standard 218
Internet Key Exchange 218
IKE Negotiation Phases 219
IKEv1 Phase 1 (Main Mode and Aggressive Mode) 219
IKEv1 Phase 2 (Quick Mode) 220
IKEv2 Phase 1 and 2 220
IKEv1 Versus IKEv2 221
IPv6 VPNs 221
CHAPTER 17 Confi guring Site-to-Site VPNs 223
Site-to-Site IPsec VPNs 223
IPsec VPN Negotiation Steps 223
Planning an IPsec VPN 224
Cipher Suite Options 225
Configuring IOS Site-to-Site VPNs 225
Verifying the VPN Tunnel 229
Configuring a Site-to-Site IPsec VPN Using IOS Example 230
Configuring a Site-to-Site IPsec VPN Using CCP Example 232
Generating a Mirror Configuration Using CCP 241
Testing and Monitoring IPsec VPNs 242
Monitoring Established IPsec VPN Connections Using CCP 244
Part V: Securing the Network Using the ASA
CHAPTER 18 Introduction to the ASA 247
Adaptive Security Appliance 247
ASA Models 248
Routed and Transparent Firewall Modes 249
ASA Licensing 249
Basic ASA Configuration 251
ASA 5505 Front and Back Panel 251
ASA 5510 Front and Back Panel 252
ASA Security Levels 253
ASA 5505 Port Configuration 255
ASA 5505 Deployment Scenarios 255
ASA 5505 Configuration Options 255
CHAPTER 19 Introduction to ASDM 257
Adaptive Security Device Manager 257
Accessing ASDM 258
Factory Default Settings 258
Resetting the ASA 5505 to Factory Default Settings 259
Erasing the Factory Default Settings 259
Setup Initialization Wizard 259
Installing and Running ASDM 260
Running ASDM 262
ASDM Wizards 264
The Startup Wizard 264
VPN Wizards 265
Advanced Wizards 266
CHAPTER 20 Confi guring Cisco ASA Basic Settings 267
ASA Command-Line Interface 267
Differences Between IOS and ASA OS 268
Configuring Basic Settings 268
Configuring Basic Management Settings 269
Enabling the Master Passphrase 269
Configuring Interfaces 270
Configuring the Inside and Outside SVIs 270
Assigning Layer 2 Ports to VLANs 271
Configuring a Third SVI 272
Configuring the Management Plane 272
Enabling Telnet, SSH, and HTTPS Access 272
Configuring Time Services 274
Configuring the Control Plane 274
Configuring a Default Route 274
Basic Settings Example 274
Configuring Basic Settings Example Using the CLI 275
Configuring Basic Settings Example Using ASDM 277
CHAPTER 21 Confi guring Cisco ASA Advanced Settings 283
ASA DHCP Services 284
DHCP Client 284
DHCP Server Services 284
Configuring DHCP Server Example Using the CLI 285
Configuring DHCP Server Example Using ASDM 287
ASA Objects and Object Groups 289
Network and Service Objects 289
Network, Protocol, ICMP, and Service Object Groups 291
Configuring Objects and Object Groups Example Using ASDM 293
ASA ACLs 295
ACL Syntax 296
Configuring ACLs Example Using the CLI 297
Configuring ACLs with Object Groups Example Using the CLI 299
Configuring ACLs with Object Groups Example Using ASDM 300
ASA NAT Services 301
Auto-NAT 302
Dynamic NAT, Dynamic PAT, and Static NAT 302
Configuring Dynamic and Static NAT Example Using the CLI 304
Configuring Dynamic NAT Example Using ASDM 306
AAA Access Control 308
Local AAA Authentication 308
Server-Based AAA Authentication 309
Configuring AAA Server-Based Authentication Example Using the CLI 309
Configuring AAA Server-Based Authentication Example Using ASDM 310
Modular Policy Framework Service Policies 313
Class Maps, Policy Maps, and Service Policies 314
Default Global Policies 317
Configure Service Policy Example Using ASDM 318
CHAPTER 22 Confi guring Cisco ASA SSL VPNs 319
Remote-Access VPNs 319
Types of Remote-Access VPNs 319
ASA SSL VPN 320
Client-Based SSL VPN Example Using ASDM 321
Clientless SSL VPN Example Using ASDM 328
APPENDIX Create Your Own Journal Here 335
TOC, 9781587204487, 5/1/2012