Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide Second Edition
Foundation learning for the CCNA Security IINS 640-554 exam
Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition, is a Cisco-authorized, self-paced learning tool for CCNA® Security 640-554 foundation learning. This book provides you with the knowledge needed to secure Cisco® networks. By reading this book, you will gain a thorough understanding of how to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.
This book focuses on using Cisco IOS routers to protect the network by capitalizing on their advanced features as a perimeter router, firewall, intrusion prevention system, and site-to-site VPN device. The book also covers the use of Cisco Catalyst switches for basic network security, the Cisco Secure Access Control System (ACS), and the Cisco Adaptive Security Appliance (ASA). You learn how to perform basic tasks to secure a small branch office network using Cisco IOS security features available through web-based GUIs (Cisco Configuration Professional) and the CLI on Cisco routers, switches, and ASAs.
Whether you are preparing for CCNA Security certification or simply want to gain a better understanding of Cisco IOS security fundamentals, you will benefit from the information provided in this book.
Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition, is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.
-- Develop a comprehensive network security policy to counter threats against information security
-- Secure borderless networks
-- Learn how to use Cisco IOS Network Foundation Protection (NFP) and Cisco Configuration Professional (CCP)
-- Securely implement the management and reporting features of Cisco IOS devices
-- Deploy Cisco Catalyst Switch security features
-- Understand IPv6 security features
-- Plan threat control strategies
-- Filter traffic with access control lists
-- Configure ASA and Cisco IOS zone-based firewalls
-- Implement intrusion prevention systems (IPS) and network address translation (NAT)
-- Secure connectivity with site-to-site IPsec VPNs and remote access VPNs
This volume is in the Foundation Learning Guide Series offered by Cisco Press®. These guides are developed together with Cisco as the only authorized, self-paced learning tools that help networking professionals build their understanding of networking concepts and prepare for Cisco certification exams.
Category: Cisco Certification
Covers: CCNA Security IINS exam 640-554
Introduction xxviii
Part I Networking Security Fundamentals
Chapter 1 Network Security Concepts and Policies 1
Building Blocks of Information Security 2
Basic Security Assumptions 2
Basic Security Requirements 2
Data, Vulnerabilities, and Countermeasures 3
Data Classification 4
Vulnerabilities Classifications 7
Countermeasures Classification 8
Need for Network Security 12
Intent Evolution 13
Threat Evolution 14
Trends Affecting Network Security 16
Adversaries, Methodologies, and Classes of Attack 19
Adversaries 20
Methodologies 21
Threats Classification 23
Man-in-the-Middle Attacks 32
Overt and Covert Channels 33
Botnets 37
DoS and DDoS Attacks 37
Principles of Secure Network Design 39
Defense in Depth 41
Evaluating and Managing the Risk 42
Levels of Risks 43
Risk Analysis and Management 44
Risk Analysis 44
Building Blocks of Risk Analysis 47
A Lifecycle Approach to Risk Management 49
Regulatory Compliance 50
Security Policies 53
Security Policy Components 55
Governing Policy 56
End-User Policies 57
Technical Policies 57
Standards, Guidelines, and Procedures 59
Security Policy Roles and Responsibilities 61
Security Awareness 62
Secure Network Lifecycle Management 63
IT Governance, Risk Management, and Compliance 64
Secure Network Life Cycle 64
Initiation Phase 65
Acquisition and Development Phase 65
Implementation Phase 66
Operations and Maintenance Phase 67
Disposition Phase 67
Models and Frameworks 67
Network Security Posture 69
Network Security Testing 70
Security Testing Techniques 70
Common Testing Tools 71
Incident Response 72
Incident Management 73
Computer Crime Investigations 74
Laws and Ethics 75
Liability 76
Disaster Recovery and Business Continuity Planning 77
Business Continuity Concepts 78
Summary 79
References 79
Publications 79
Web Resources 80
Review Questions 80
Chapter 2 Security Strategy and Cisco Borderless Network 85
Borderless Networks 85
Cisco Borderless Network Security Architecture 86
Borderless End Zone 88
Borderless Internet 89
Borderless Data Center 90
Policy Management Layer 91
Borderless Network Services 91
Borderless Security Products 92
SecureX, a Context-Aware Security Approach 93
SecureX Core Components 94
Threat Control and Containment 98
Cisco Security Intelligence Operation 99
Cloud Security, Content Security, and Data Loss Prevention 100
Content Security 101
Data Loss Prevention 101
Cloud-Based Security 101
Web Security 101
Email Security 104
Secure Connectivity Through VPNs 105
Security Management 106
Cisco Security Manager 107
Summary 108
References 108
Review Questions 109
Part II Protecting the Network Infrastructure
Chapter 3 Network Foundation Protection and Cisco Configuration Professional 111
Threats Against the Network Infrastructure 112
Cisco NFP Framework 114
Control Plane Security 118
CoPP 119
CPPr 119
Traffic Classes 120
Routing Protocol Integrity 121
Cisco AutoSecure 122
Management Plane Security 123
Secure Management and Reporting 124
Role-Based Access Control 126
Deploying AAA 127
Data Plane Security 128
Access Control List Filtering 128
Cisco Configuration Professional 131
CCP Initial Configuration 133
Cisco Configuration Professional User Interface and Features 136
Menu Bar 136
Toolbar 138
Navigation Pane 138
Content Pane 142
Status Bar 142
Cisco Configuration Professional Building Blocks 142
Communities 142
Creating Communities 143
Managing Communities 144
Templates 145
User Profiles 147
Using CCP to Harden Cisco IOS Devices 148
Security Audit 149
One-Step Lockdown 152
Cisco IOS AutoSecure 152
Summary 154
References 155
Review Questions 155
Chapter 4 Securing the Management Plane on Cisco IOS Devices and AAA 159
Configuring Secure Administration Access 159
Configuring an SSH Daemon for Secure Management Access 161
Configuring Passwords on Cisco IOS Devices 163
Setting Timeouts for Router Lines 164
Configuring the Minimum Length for Router Passwords 165
Enhanced Username Password Security 166
Securing ROM Monitor 167
Securing the Cisco IOS Image and Configuration Files 168
Configuring Multiple Privilege Levels 170
Configuring Role-Based Command-Line Interface Access 171
Implementing Secure Management and Reporting 174
Planning Considerations for Secure Management and Reporting 175
Secure Management and Reporting Architecture 176
Secure Management and Reporting Guidelines 176
Enabling Time Features 176
Network Time Protocol 177
Using Syslog Logging for Network Security 178
Implementing Log Messaging for Security 179
Using SNMP to Manage Network Devices 182
SNMPv3 Architecture 183
Enabling SNMP Options Using Cisco CCP 185
Configuring AAA on a Cisco Router 186
Authentication, Authorization, and Accounting 186
Authenticating Router Access 188
Configuring AAA Authentication and Method Lists 190
Configuring AAA on a Cisco Router Using the Local Database 191
Configuring AAA Local Authentication 192
AAA on a Cisco Router Using Cisco Secure ACS 198
Cisco Secure ACS Overview 198
Cisco Identity Services Engine 204
TACACS+ and RADIUS Protocols 205
TACACS+ 205
RADIUS 206
Comparing TACACS+ and RADIUS 206
AAA on a Cisco Router Using an External Database 208
Configuration Steps for AAA Using an External Database 208
AAA Servers and Groups 208
AAA Authentication Method Lists 210
AAA Authorization Policies 211
AAA Accounting Policies 213
AAA Configuration for TACACS+ Example 215
Troubleshooting TACACS+ 216
Deploying and Configuring Cisco Secure ACS 218
Evolution of Authorization 219
Before: Group-Based Policies 219
Now: More Than Just Identities 220
Rule-Based Policies 222
Configuring Cisco Secure ACS 5.2 223
Configuring Authorization Policies for Device Administration 224
Summary 230
References 230
Review Questions 231
Chapter 5 Securing the Data Plane on Cisco Catalyst Switches 233
Overview of VLANs and Trunking 234
Trunking and 802.1Q 235
802.1Q Tagging 236
Native VLANs 237
Configuring VLANs and Trunks 237
Step 1: Configuring and Verifying 802.1Q Trunks 238
Step 2: Creating a VLAN 240
Step 3: Assigning Switch Ports to a VLAN 242
Step 4: Configuring Inter-VLAN Routing 243
Spanning Tree Overview 244
STP Fundamentals 245
Verifying RSTP and PVRST+ 248
Mitigating Layer 2 Attacks 249
Basic Switch Operation 249
Layer 2 Best Practices 250
Layer 2 Protection Toolkit 250
Mitigating VLAN Attacks 251
VLAN Hopping 251
Mitigating Spanning Tree Attacks 254
PortFast 255
Mitigating CAM Table Overflow Attacks 259
Mitigating MAC Address Spoofing Attacks 260
Using Port Security 261
Errdisable Recovery 263
Summary 270
References 271
Review Questions 271
Chapter 6 Securing the Data Plane in IPv6 Environments 275
The Need for IPv6 275
IPv6 Features and Enhancements 278
IPv6 Headers 279
Stateless Address Autoconfiguration 280
Internet Control Message Protocol Version 6 281
IPv6 General Features 282
Transition to IPv6 283
IPv6 Addressing 285
IPv6 Address Representation 285
IPv6 Address Types 286
IPv6 Unicast Addressing 286
Assigning IPv6 Global Unicast Addresses 291
Manual Interface Assignment 291
EUI-64 Interface ID Assignment 291
Stateless Autoconfiguration 292
DHCPv6 (Stateful) 292
IPv6 EUI-64 Interface Identifier 292
IPv6 and Cisco Routers 293
IPv6 Address Configuration Example 294
Routing Considerations for IPv6 294
Revisiting Threats: Considerations for IPv6 295
Examples of Possible IPv6 Attacks 298
Recommended Practices 300
Summary 301
References 301
Review Questions 302
Part III Threat Control and Containment
Chapter 7 Planning a Threat Control Strategy 305
Threats Revisited 305
Trends in Network Security Threats 306
Threat Mitigation and Containment: Design Fundamentals 307
Threat Control Design Guidelines 308
Application Layer Visibility 309
Distributed Security Intelligence 309
Security Intelligence Analysis 310
Integrated Threat Control Strategy 311
Cisco Threat Control and Containment Categories 311
Integrated Approach to Threat Control 312
Application Awareness 313
Application-Specific Gateways 313
Security Management 313
Cisco Security Intelligence Operations Site 313
Cisco Threat Control and Containment Solutions Fundamentals 314
Cisco Security Appliances 314
Cisco IPSs 316
Summary 317
References 318
Review Questions 318
Chapter 8 Access Control Lists for Threat Mitigation 319
ACL Fundamentals 320
Types of IP ACLs 324
ACL Wildcard Masking and VLSM Review 325
Subnetting Overview 326
Subnetting Example: Class C 326
Subnetting Example 327
Variable-Length Subnet Masking 328
A Working VLSM Example 329
ACL Wildcard Bits 331
Example: Wildcard Masking Process for IP Subnets 332
Example: Wildcard Masking Process with a Single IP Address 333
Example: Wildcard Masking Process with a Match Any IP Address 334
Using ACLs to Control Traffic 335
Example: Numbered Standard IPv4 ACL–Deny a Specific Subnet 336
Numbered Extended IPv4 ACL 338
Displaying ACLs 342
Enhancing ACLs with Object Groups 343
ACL Considerations 345
Configuring ACLs for Threat Control Using Cisco Configuration Professional 347
Rules in Cisco Configuration Professional 347
Working with ACLs in CCP 348
ACL Editor 349
Adding Rules 350
Associating Rules with Interfaces 352
Enabling Logging with CCP 354
Monitoring ACLs with CCP 356
Configuring an Object Group with CCP 357
Using ACLs in IPv6 Environments 360
Summary 363
References 364
Review Questions 364
Chapter 9 Firewall Fundamentals and Network Address Translation 367
Introducing Firewall Technologies 367
Firewall Fundamentals 367
Firewalls in a Layered Defense Strategy 370
Static Packet-Filtering Firewalls 372
Application Layer Gateways 374
Dynamic or Stateful Packet-Filtering Firewalls 378
Other Types of Firewalls 382
Application Inspection Firewalls, aka Deep Packet Inspection 382
Transparent Firewalls (Layer 2 Firewalls) 383
NAT Fundamentals 384
Example of Translating an Inside Source Address 387
NAT Deployment Choices 389
Firewall Designs 390
Firewall Policies in a Layered Defense Strategy 391
Firewall Rules Design Guidelines 392
Summary 394
References 394
Review Questions 394
Chapter 10 Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA 397
Cisco Firewall Solutions 398
Cisco IOS Zone-Based Policy Firewall 398
Zone-Based Policy Firewall Overview 398
Zones and Zone Pairs 402
Self Zone 402
Zone-Based Topology Examples 403
Introduction to Cisco Common Classification Policy Language 403
Zone-Based Policy Firewall Actions 407
Service Policy Zone Pair Assignments 408
Zone-Based Policy Firewall: Default Policies, Traffic Flows, and Zone Interaction 408
Zone-Based Policy Firewall: Rules for Router Traffic 409
Configuring Basic Interzone Policies Using CCP and the CLI 411
Step 1: Start the Basic Firewall Wizard 412
Step 2: Select Trusted and Untrusted Interfaces 413
Step 3: Review and Verify the Resulting Policies 416
Verifying and Tuning the Configuration 416
Step 4: Enabling Logging 417
Step 5: Verifying Firewall Status and Activity 419
Step 6: Modifying Zone-Based Firewall Configuration Objects 420
Step 7: Verifying the Configuration Using the CLI 421
Configuring NAT Services for Zone-Based Firewalls 422
Step 1: Run the Basic NAT Wizard 423
Step 2: Select NAT Inside and Outside Interfaces 424
Step 3: Verify NAT with CCP and the CLI 426
Cisco ASA Firewall 427
Stateful Packet Filtering and Application Awareness 427
Network Services Offered by the Cisco ASA 5500 Series 428
Network Address Translation 428
Additional Network Services 431
Cisco ASA Security Technologies 431
Cisco ASA Configuration Fundamentals 432
Cisco ASA 5505 435
Cisco ASDM 436
Preparing the Cisco ASA 5505 for ASDM 437
Cisco ASDM Features and Menus 438
Cisco Modular Policy Framework 443
Class Map: Identifying Traffic on Which a Policy Will Be Enforced 443
Policy Map: Configuring the Action That Will Be Applied to the Traffic 444
Service Policy: Activating the Policy 444
Cisco ASA Modular Policy Framework: Simple Example 445
Basic Outbound Access Control on Cisco ASA Using Cisco ASDM 446
Scenario Configuration Steps Using Cisco ASDM 446
Summary 461
References 462
Cisco.com Resources 462
Other Resources 462
CCP and ASDM Demo Mode Tutorials 462
Review Questions 463
Chapter 11 Intrusion Prevention Systems 467
IPS Fundamentals 467
Introducing IDS and IPS 467
So, IDS or IPS? Why Not Both? 473
Alarm Types 474
Intrusion Prevention Technologies 475
Signature-Based IDS/IPS 476
Policy-Based IDS/IPS 477
Anomaly-Based IDS/IPS 477
Reputation-Based IPS 478
IPS Attack Responses 478
IPS Anti-Evasion Techniques 480
Risk-Based Intrusion Prevention 482
IPv6-Aware IPS 484
Alarms 484
IPS Alarms: Event Monitoring and Management 485
Global Correlation 486
IPS Deployment 488
Cisco IPS Offerings 490
IPS Best Practices 492
Cisco IPS Architecture 494
Cisco IOS IPS 495
Cisco IOS IPS Features 495
Scenario: Protecting the Branch Office Against Inside Attack 497
Signatures 497
Signature Files 498
Signature Management 500
Examining Signature Microengines 500
Signature Tuning 502
Optimal Signature Set 504
Monitoring IPS Alarms and Event Management 505
Configuring Cisco IOS IPS Using Cisco Configuration Professional 507
Step 1: Download Cisco IOS IPS Signature Package 508
Step 2: Launch IPS Policies Wizard 509
Step 3: Verify Configuration and Signature Files 515
Step 4: Perform Signature Tuning 517
Step 5: Verify Alarms 521
Configuring Cisco IOS IPS Using the CLI 524
Summary 529
References 530
Cisco.com Resources 530
General IDS/IPS Resource 530
Review Questions 530
Part IV Secure Connectivity
Chapter 12 Fundamentals of Cryptography and VPN Technologies 533
VPN Overview 534
VPN Types 535
Site-to-Site VPNs 536
Remote-Access VPNs 537
Examining Cryptographic Services 538
Cryptology Overview 538
The History of Cryptography 540
Ciphers 540
Block and Stream Ciphers 547
Block Ciphers 547
Stream Ciphers 548
The Process of Encryption 549
Encryption Application Examples 550
Cryptanalysis 551
Desirable Encryption Algorithm Features 554
Key Management 555
Key Management Components 555
Keyspaces 556
Key Length Issues 556
Example of the Impact of Key Length 557
Symmetric and Asymmetric Encryption Overview 557
Symmetric Encryption Algorithms 558
Comparing Symmetric Encryption Algorithms 560
DES Modes of Operation 561
DES Security Guidelines 561
The Rijndael Cipher 563
AES Versus 3DES 564
Asymmetric Encryption Algorithms 565
Public Key Confidentiality 566
Encryption Algorithm Selection 567
Cryptographic Hashes and Digital Signatures 568
Hashing Algorithms 571
MD5 572
SHA-1 572
SHA-2 573
Hashed Message Authentication Codes 573
Overview of Digital Signatures 575
Digital Signatures = Encrypted Message Digest 578
Diffie-Hellman 579
Diffie-Hellman Example 581
Cryptographic Processes in VPNs 582
Asymmetric Encryption: Digital Signatures 583
Asymmetric Encryption Overview 583
Public Key Authentication 584
RSA and Digital Signatures 585
Public Key Infrastructure 587
PKI Terminology and Components 589
Certificate Classes 590
Certificate Authorities 590
PKI Standards 593
Certificate Revocation 599
Certificate Use 600
Digital Certificates and CAs 601
Summary 602
References 603
Books and Articles 603
Standards 603
Encryption Regulations 603
Review Questions 604
Chapter 13 IPsec Fundamentals 609
IPsec Framework 609
Suite B Cryptographic Standard 611
Encryption Algorithms 612
Key Exchange: Diffie-Hellman 613
Data Integrity 614
Authentication 615
IPsec Protocol 616
Authentication Header 618
Encapsulating Security Payload 619
IPsec Modes of Operations 620
Transport Mode 621
Tunnel Mode 621
IKE Protocol 622
IKEv1 Modes 624
IKEv1 Phases 625
IKEv1 Phase 1 625
IKEv1 Phase 1 Example 626
IKEv1 Phase 2 631
IKE Version 2 632
IKEv1 Versus IKEv2 633
IPv6 VPNs 635
IPsec Services for Transitioning to IPv6 636
Summary 637
References 637
Books 637
Cisco.com Resources 637
Review Questions 637
Chapter 14 Site-to-Site IPsec VPNs with Cisco IOS Routers 641
Site-to-Site IPsec: Planning and Preparation 641
Site-to-Site IPsec VPN Operations 642
Planning and Preparation Checklist 643
Building Blocks of Site-to-Site IPsec 643
Interesting Traffic and Crypto ACLs 643
Mirrored Crypto ACLs 644
Cipher Suite 645
Crypto Map 646
Configuring a Site-to-Site IPsec VPN Using CCP 647
Initiating the VPN Wizard 647
VPN Connection Information 649
IKE Proposals 652
Transform Set 653
Traffic to Protect 654
Configuration Summary 656
Creating a Mirror Configuration for the Peer Site 657
Verifying the IPsec Configuration Using CCP and CLI 658
Verifying IPsec Configuration Using CLI 658
Verifying IKE Policy Using the CLI 659
Verifying IKE Phase 2 Policy Using the CLI 660
Verifying Crypto Maps Using the CLI 660
Monitoring Established IPsec VPN Connections 661
IKE Policy Negotiation 662
VPN Troubleshooting 662
Monitoring IKE Security Association 664
Monitoring IPsec Security Association 664
Summary 665
References 666
Review Questions 666
Chapter 15 SSL VPNs with Cisco ASA 669
SSL VPNs in Borderless Networks 670
Cisco SSL VPN 671
SSL and TLS Protocol Framework 672
SSL and TLS 673
SSL Cryptography 674
SSL Tunnel Establishment 675
SSL Tunnel Establishment Example 676
Cisco SSL VPN Deployment Options and Considerations 679
Cisco SSL VPN Client: Full Network Access 681
SSL VPN on Cisco ASA in Clientless Mode 683
Clientless Configuration Scenario 683
Task 1: Launch the Clientless SSL VPN Wizard from ASDM 684
Task 2: Configure the SSL VPN Interface 684
Task 3: Configure User Authentication 686
Task 4: Configure User Group Policy 686
Task 5: Configure a Bookmark List 687
Task 6: Verify the Clientless SSL VPN Wizard Configuration 690
Log In to the VPN Portal: Clientless SSL VPN 690
SSL VPN on ASA Using the Cisco AnyConnect VPN Client 692
Cisco AnyConnect Configuration Scenario 693
Phase 1: Configure Cisco ASA for Cisco AnyConnect 693
Task 1: Connection Profile Identification 694
Task 2: VPN Protocols and Device Certificate 695
Task 3: Client Image 696
Task 4: Authentication Methods 697
Task 5: Client Address Assignment 698
Task 6: Network Name Resolution Servers 700
Task 7: Network Address Translation Exemption 700
Task 8: AnyConnect Client Deployment Summary 702
Phase 2: Configure the Cisco AnyConnect VPN Client 702
Phase 3: Verify VPN Connectivity with Cisco AnyConnect VPN Client 706
Verifying VPN Connectivity from Cisco ASA 706
Summary 707
References 708
Review Questions 708
Appendix A Answers to Chapter Review Questions 711
9781587142727 TOC 10/16/2012