In this book you’ll learn how to:
WRITTEN BY A LEADING EXPERT:
Eric Stewart is a self-employed network security contractor who finds his home in Ottawa, Canada. Eric has more than 20 years of experience in the information technology field, the last 12 years focusing primarily on Cisco® routers, switches, VPN concentrators, and security appliances. The majority of Eric’s consulting work has been in the implementation of major security infrastructure initiatives and architectural reviews with the Canadian Federal Government. Eric is a certified Cisco instructor teaching Cisco CCNA, CCNP®, and CCSP® curriculum to students throughout North America and the world.
CD Features MeasureUp Practice Questions!
informit.com/examcram
ISBN-13: 978-0-7897-3800-4
ISBN-10: 0-7897-3800-7
CCNA Exam 640-553 Exam Cram: Implementing Secure Management and Hardening the Router
Introduction ... 1
  Organization and Elements of This Book ... 1
  Contacting the Author ... 4
Self Assessment ... 5
  Who Is a CCNA Security? ... 5
  The Ideal CCNA Security Candidate ... 6
  Put Yourself to the Test ... 8
  Exam Topics for 640-553 IINS (Implementing Cisco IOS Network Security) ... 10
  Strategy for Using This Exam Cram ... 12

Part I: Network Security Architecture
  Chapter 1: Network Insecurity ... 15
    Exploring Network Security Basics and the Need for Network Security ... 16
    The Threats ... 16
    Other Reasons for Network Insecurity ... 18
    The CIA Triad ... 18
    Data Classification ... 21
    Security Controls ... 22
    Incident Response ... 25
    Laws and Ethics ... 26
    Exploring the Taxonomy of Network Attacks ... 29
    Adversaries ... 30
    How Do Hackers Think? ... 32
    Concepts of Defense in Depth ... 32
    IP Spoofing Attacks ... 34
    Attacks Against Confidentiality ... 36
    Attacks Against Integrity ... 38
    Attacks Against Availability ... 42
    Best Practices to Thwart Network Attacks ... 45
    Administrative Controls ... 45
    Technical Controls ... 46
    Physical Controls ... 46
    Exam Prep Questions ... 47
    Answers to Exam Prep Questions ... 50
  Chapter 2: Building a Secure Network Using Security Controls ... 51
    Defining Operations Security Needs ... 52
    Cisco System Development Life Cycle for Secure Networks ... 52
    Operations Security Principles ... 54
    Network Security Testing ... 55
    Disaster Recovery and Business Continuity Planning ... 59
    Establishing a Comprehensive Network Security Policy ... 61
    Defining Assets ... 62
    The Need for a Security Policy ... 63
    Policies ... 64
    Standards, Guidelines, and Procedures ... 65
    Who Is Responsible for the Security Policy? ... 66
    Risk Management ... 67
    Principles of Secure Network Design ... 70
    Examining Cisco's Model of the Self-Defending Network ... 73
    Where Is the Network Perimeter? ... 73
    Building a Cisco Self-Defending Network ... 74
    Components of the Cisco Self-Defending Network ... 75
    Cisco Integrated Security Portfolio ... 79
    Exam Prep Questions ... 81
    Answers to Exam Prep Questions ... 84

Part II: Perimeter Security
  Chapter 3: Security at the Network Perimeter ... 87
    Cisco IOS Security Features ... 88
    Where Do You Deploy an IOS Router? ... 88
    Cisco ISR Family and Features ... 90
    Securing Administrative Access to Cisco Routers ... 91
    Review Line Interfaces ... 92
    Password Best Practices ... 94
    Configuring Passwords ... 94
    Setting Multiple Privilege Levels ... 97
    Configuring Role-Based Access to the CLI ... 98
    Configuring the Cisco IOS Resilient Configuration Feature ... 101
    Protecting Virtual Logins from Attack ... 102
    Configuring Banner Messages ... 104
    Introducing Cisco SDM ... 105
    Files Required to Run Cisco SDM from the Router ... 106
    Using Cisco SDM Express ... 107
    Launching Cisco SDM ... 108
    Cisco SDM Smart Wizards ... 110
    Advanced Configuration with SDM ... 111
    Cisco SDM Monitor Mode ... 113
    Configuring Local Database AAA on a Cisco Router ... 114
    Authentication, Authorization, and Accounting (AAA) ... 114
    Two Reasons for Implementing AAA on Cisco Routers ... 114
    Cisco's Implementation of AAA for Cisco Routers ... 115
    Tasks to Configure Local Database AAA on a Cisco Router ... 116
    Additional Local Database AAA CLI Commands ... 120
    Configuring External AAA on a Cisco Router Using Cisco Secure ACS ... 121
    Why Use Cisco Secure ACS? ... 123
    Cisco Secure ACS Features ... 123
    Cisco Secure ACS for Windows Installation Requirements ... 124
    Cisco Secure ACS Solution Engine and Cisco Secure ACS Express 5.0 Comparison ... 125
    TACACS+ or RADIUS? ... 125
    Prerequisites for Cisco Secure ACS ... 126
    Three Main Tasks for Setting Up External AAA ... 127
    Troubleshooting/Debugging Local AAA, RADIUS, and TACACS+ ... 140
    AAA Configuration Snapshot ... 141
    Exam Prep Questions ... 142
    Answers to Exam Prep Questions ... 145
  Chapter 4: Implementing Secure Management and Hardening the Router ... 147
    Planning for Secure Management and Reporting ... 148
    What to Log ... 149
    How to Log ... 150
    Reference Architecture for Secure Management and Reporting ... 151
    Secure Management and Reporting Guidelines ... 153
    Logging with Syslog ... 153
    Cisco Security MARS ... 154
    Where to Send Log Messages ... 154
    Log Message Levels ... 155
    Log Message Format ... 156
    Enabling Syslog Logging in SDM ... 156
    Using SNMP ... 157
    Configuring the SSH Daemon ... 161
    Configuring Time Features ... 165
    Using Cisco SDM and CLI Tools to Lock Down the Router ... 167
    Router Services and Interface Vulnerabilities ... 167
    Performing a Security Audit ... 172
    Exam Prep Questions ... 180
    Answers to Exam Prep Questions ... 182

Part III: Augmenting Depth of Defense
  Chapter 5: Using Cisco IOS Firewalls to Implement a Network Security Policy ... 185
    Examining and Defining Firewall Technologies ... 187
    What Is a Firewall? ... 188
    Characteristics of a Firewall ... 189
    Firewall Advantages ... 189
    Firewall Disadvantages ... 190
    Role of Firewalls in a Layered Defense Strategy ... 190
    Types of Firewalls ... 190
    Cisco Family of Firewalls ... 201
    Firewall Implementation Best Practices ... 202
    Creating Static Packet Filters with ACLs ... 203
    Threat Mitigation with ACLs ... 203
    Inbound Versus Outbound ... 203
    Identifying ACLs ... 205
    ACL Examples Using the CLI ... 205
    ACL Guidelines ... 208
    Using the Cisco SDM to Configure ACLs ... 209
    Using ACLs to Filter Network Services ... 212
    Using ACLs to Mitigate IP Address Spoofing Attacks ... 213
    Using ACLs to Filter Other Common Services ... 216
    Cisco Zone-Based Policy Firewall Fundamentals ... 218
    Advantages of ZPF ... 220
    Features of ZPF ... 221
    ZPF Actions ... 221
    Zone Behavior ... 221
    Using the Cisco SDM Basic Firewall Wizard to Configure ZPF ... 224
    Manually Configuring ZPF with the Cisco SDM ... 233
    Monitoring ZPF ... 238
    Exam Prep Questions ... 241
    Answers to Exam Prep Questions ... 244
  Chapter 6: Introducing Cryptographic Services ... 245
    Cryptology Overview ... 246
    Cryptanalysis ... 249
    Encryption Algorithm (Cipher) Desirable Features ... 251
    Symmetric Key Versus Asymmetric Key Encryption Algorithms ... 251
    Block Versus Stream Ciphers ... 254
    Which Encryption Algorithm Do I Choose? ... 255
    Cryptographic Hashing Algorithms ... 256
    Principles of Key Management ... 256
    Other Key Considerations ... 257
    SSL VPNs ... 259
    Exploring Symmetric Key Encryption ... 261
    DES ... 263
    3DES ... 264
    AES ... 265
    SEAL ... 266
    Rivest Ciphers (RC) ... 267
    Exploring Cryptographic Hashing Algorithms and Digital Signatures ... 268
    HMACs ... 270
    Message Digest 5 (MD5) ... 271
    Secure Hashing Algorithm 1 (SHA-1) ... 272
    Digital Signatures ... 272
    Exploring Asymmetric Key Encryption and Public Key Infrastructure ... 275
    Encryption with Asymmetric Keys ... 276
    Authentication with Asymmetric Keys ... 277
    Public Key Infrastructure Overview ... 277
    PKI Topologies ... 278
    PKI and Usage Keys ... 279
    PKI Server Offload and Registration Authorities (RAs) ... 280
    PKI Standards ... 280
    Certificate Enrollment Process ... 282
    Certificate-Based Authentication ... 283
    Certificate Applications ... 284
    Exam Prep Questions ... 286
    Answers to Exam Prep Questions ... 289
  Chapter 7: Virtual Private Networks with IPsec ... 291
    Overview of VPN Technology ... 292
    Cisco VPN Products ... 293
    VPN Benefits ... 293
    Site-to-Site VPNs ... 294
    Remote-Access VPNs ... 295
    Cisco IOS SSL VPN ... 296
    Cisco VPN Product Positioning ... 297
    VPN Clients ... 299
    Hardware-Accelerated Encryption ... 300
    IPsec Compared to SSL ... 301
    Conceptualizing a Site-to-Site IPsec VPN ... 302
    IPsec Components ... 302
    IPsec Strengths ... 306
    Constructing a VPN: Putting It Together ... 307
    Implementing IPsec on a Site-to-Site VPN Using the CLI ... 315
    Step 1: Ensure That Existing ACLs Are Compatible with the IPsec VPN ... 315
    Step 2: Create ISAKMP (IKE Phase I) Policy Set(s) ... 316
    Step 3: Configure IPsec Transform Set(s) ... 318
    Step 4: Create Crypto ACL Defining Traffic in the IPsec VPN ... 319
    Step 5: Create and Apply the Crypto Map (IPsec Tunnel Interface) ... 320
    Verifying and Troubleshooting the IPsec VPN Using the CLI ... 321
    Implementing IPsec on a Site-to-Site VPN Using Cisco SDM ... 325
    Site-to-Site VPN Wizard Using Quick Setup ... 325
    Site-to-Site VPN Wizard Using Step-by-Step Setup ... 329
    Exam Prep Questions ... 337
    Answers to Exam Prep Questions ... 339
  Chapter 8: Network Security Using Cisco IOS IPS ... 341
    Exploring IPS Technologies ... 342
    IDS Versus IPS ... 342
    IDS and IPS Categories ... 343
    IPS Attack Responses ... 347
    Event Management and Monitoring ... 349
    Host IPS ... 351
    Network IPS ... 354
    HIPS and Network IPS Comparison ... 355
    Cisco IPS Appliances ... 356
    IDS and IPS Signatures ... 357
    Signature Alarms ... 359
    Best Practices for IPS Configuration ... 360
    Implementing Cisco IOS IPS ... 362
    Cisco IOS IPS Feature Blend ... 362
    Cisco IOS IPS Primary Benefits ... 362
    Cisco IOS IPS Signature Integration ... 363
    Configuring Cisco IOS IPS with the Cisco SDM ... 364
    Cisco IOS IPS CLI Configuration ... 377
    Configuring IPS Signatures ... 378
    SDEE and Syslog Logging Protocol Support ... 381
    Verifying IOS IPS Operation ... 384
    Exam Prep Questions ... 387
    Answers to Exam Prep Questions ... 390

Part IV: Security Inside the Perimeter
  Chapter 9: Introduction to Endpoint, SAN, and Voice Security ... 395
    Introducing Endpoint Security ... 396
    Cisco's Host Security Strategy ... 397
    Securing Software ... 397
    Endpoint Attacks ... 399
    Cisco Solutions to Secure Systems and Thwart Endpoint Attacks ... 403
    Endpoint Best Practices ... 407
    Exploring SAN Security ... 407
    SAN Advantages ... 407
    SAN Technologies ... 408
    SAN Address Vulnerabilities ... 408
    Virtual SANs (VSANs) ... 409
    SAN Security Strategies ... 409
    Exploring Voice Security ... 411
    VoIP Components ... 411
    Threats to VoIP Endpoints ... 413
    Fraud ... 414
    SIP Vulnerabilities ... 414
    Mitigating VoIP Hacking ... 415
    Exam Prep Questions ... 418
    Answers to Exam Prep Questions ... 420
  Chapter 10: Protecting Switch Infrastructure ... 421
    VLAN Hopping Attacks ... 422
    VLAN Hopping by Rogue Trunk ... 423
    VLAN Hopping by Double-Tagging ... 424
    STP Manipulation Attack ... 425
    STP Manipulation Attack Mitigation: Portfast ... 426
    STP Manipulation Attack Mitigation: BPDU Guard ... 427
    STP Manipulation Attack Mitigation: Root Guard ... 428
    CAM Table Overflow Attack ... 428
    CAM Table Overflow Attack Mitigation: Port Security ... 429
    MAC Address Spoofing Attack ... 429
    MAC Address Spoofing Attack Mitigation: Port Security ... 429
    Configuring Port Security ... 429
    Port Security Basic Settings ... 430
    Port Security Optional Settings ... 430
    Port Security Verification ... 433
    Miscellaneous Switch Security Features ... 434
    Intrusion Notification ... 434
    Switched Port Analyzer (SPAN) ... 435
    Storm Control ... 436
    Switch Security Best Practices ... 438
    Exam Prep Questions ... 439
    Answers to Exam Prep Questions ... 440

Part V: Practice Exams and Answers
  Practice Exam 1 ... 443
  Answers to Practice Exam 1 ... 461
  Practice Exam 2 ... 471
  Answers to Practice Exam 2 ... 487

Part VI: Appendixes
  Appendix A: What's on the CD-ROM ... 499
  Appendix B: Need to Know More? ... 503
TOC, 0789738007, 10/3/08